In this post, I’ll write about my experience with the Sourcefire 6.0 upgrade. The upgrade file became available on 11/11/2015, and at the time of writing it has been out for a few months, which is “theoretically” enough time to consider a cautious transition from a 5.4.x to a 6.0 environment.
Components:
- Cisco Sourcefire Defense Center: 5.4.1
- Cisco FirePower Sensor: 5.4.1
- Cisco ASA: 8.3.2.2
The very important first step is to read the release notes and make sure all the prerequisites are satisfied. Check the Cisco site for any patch updates and follow the documented upgrade procedure.
As a precaution, disable automatic policy deployment after rule updates. Do not apply Access Policies to Sensors still running 5.4.x after the DC upgrade if they are not patched, because doing so can cause the issues described next.
Download and install the mandatory 5.4.1.999 patch for the DC prior to the 6.0.0 upgrade. I’m surprised this patch was posted so late (1/28/16). If you do not apply the patch, you may hit several bugs after the DC upgrade, one of which is the Sensor running at 100% CPU utilization and halting all connectivity through the ASA. A quick way to check for it is the top command in CLI expert mode: look for the snort process and a %CPU column at 100%.
Once the patch is installed on the DC, re-apply the access policies. This pushes the necessary changes to the Sensors. After that, you can safely proceed with the Sensor upgrades.
If for some reason you did not apply the patch prior to the DC upgrade, it can be done individually per appliance. Cisco_Network_Sensor_6.0.0_Pre-install-5.4.0.999-1.sh needs to be uploaded to the DC and applied through the Update process. The best way to verify that the patch was installed successfully is the CLI. Log in to the device, enter expert mode and elevate privileges (sudo su -), then cd to /var/log/sf/. You should see a Cisco_Network_Sensor_6.0.0_Pre-install-5.4.1.999 directory. Inside this directory, run tail -f status.log to verify successful installation.
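To make the two checks above repeatable (the snort %CPU check from the 5.4.1.999 patch discussion and the /var/log/sf/ pre-install directory check), here is an added POSIX shell helper. It is an example written for this post, not a script from the original article or from Cisco: the procps-style column layout of top (%CPU in column 9, command name last), the SF_LOG_DIR default and the function names are this example's assumptions, and the top output it ships with is constructed, not captured from a real sensor.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco): sensor-side checks
# for the two symptoms described above. Run in CLI expert mode as root
# (sudo su -). Assumptions: procps-style `top -b -n 1` output where %CPU is
# column 9 and the command name is the last column; the patch log directory
# under /var/log/sf; the function names are this example's own.

SF_LOG_DIR="${SF_LOG_DIR:-/var/log/sf}"
PREINSTALL_GLOB="Cisco_Network_Sensor_6.0.0_Pre-install-*"

# snort_cpu_max: reads `top -b -n 1` output on stdin and prints the highest
# %CPU value seen for any snort process (0 if none is listed).
snort_cpu_max() {
  awk '$NF == "snort" { cpu = $9 + 0; if (cpu > max) max = cpu }
       END { printf "%d\n", max + 0 }'
}

# snort_pegged [threshold]: succeeds when some snort process is at or above
# the threshold (default 99%, i.e. the 100% symptom from the post).
snort_pegged() {
  threshold="${1:-99}"
  max=$(snort_cpu_max)
  [ "$max" -ge "$threshold" ]
}

# preinstall_dir [logdir]: prints the pre-install patch directory under
# logdir (default /var/log/sf) and succeeds if it exists, meaning the patch
# was at least started on this appliance; fails otherwise.
preinstall_dir() {
  logdir="${1:-$SF_LOG_DIR}"
  for d in "$logdir"/$PREINSTALL_GLOB; do
    if [ -d "$d" ]; then
      echo "$d"
      return 0
    fi
  done
  return 1
}

# Constructed sample of `top -b -n 1` output (not captured from a real
# sensor) so the helpers can be exercised stand-alone.
SAMPLE_TOP='top - 10:02:11 up 3 days,  1:05,  1 user,  load average: 2.01, 1.98, 1.70
Tasks: 180 total,   2 running, 178 sleeping,   0 stopped,   0 zombie
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4321 root      20   0 2132m 1.2g  88m R 100.0 15.3 412:10.55 snort
 4322 root      20   0 2132m 1.2g  88m S   3.0 15.3  12:01.12 snort
 1201 root      20   0  120m  30m  12m S   1.0  0.4   0:20.01 sfmgr'

# Live use on a sensor:
#   top -b -n 1 | snort_pegged && echo "snort pegged at 100% CPU"
#   d=$(preinstall_dir) && tail -f "$d/status.log"
# Stand-alone demo against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_TOP" | snort_cpu_max
  printf '%s\n' "$SAMPLE_TOP" | snort_pegged && echo "snort pegged"
fi
```

The helper only tells you that the patch directory exists; whether the run actually succeeded still has to be read from status.log, which is why it prints the path for tail -f rather than guessing at a success string. Likewise a single top sample only shows a moment in time, so repeat the CPU check a few times before concluding the Sensor is stuck.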
Another important step is to verify the ASA code version and upgrade or downgrade if necessary. The Sourcefire release notes indicate the supported ASA versions are 9.4(2) and 9.5(1.5). I’ve had no issues running 9.3(2)2, but the latest 9.5(2) may cause the Sensor to restart intermittently.
If your DC is running 6.0.0 but the Sensors are still running 5.4.x and you’ve re-applied the Access Policy, the Sensor may core dump, halting traffic flow for several minutes. This time the problem may be in the Application Protocol file analysis rule with the action Dynamic Analysis and Reset Connection. The fix is to not inspect files over SMB: in the example below, instead of ANY, select HTTP. A separate rule will be required per protocol.
I hope that with this information your transition to a 6.0 environment will be less painful.
Takeaways:
- Read the release notes.
- Do not delay the Sensor upgrade. As soon as your DC is at the 6.0 level, check policy settings, confirm connectivity to the devices, verify the patch level and proceed with the Sensor upgrades.
- The maintenance window should be large enough to accommodate the lengthy Sensor upgrade process, especially if the device is remote. Also, keep in mind that if the upgrade fails it must be restarted manually. I’d allocate between 1 and 2 hours for each Sensor to upgrade.