How to Reinstall the VDB on the Cisco Firepower FMC/FTD devices

Be the first to comment.

In all my years of working with SourceFire and then ASA with Firepower, and now Firepower Threat Defense (FTD), I’ve never had a single problem with the VDB – until this week. Cisco put out a BAD VDB (300) that deletes the applications in your ACP. This is pretty horrible right? So let’s just delete this VDB and reinstall. This seems like it would be easy, right? No, not so much…

Here is the bug that was opened because of this: CSCvc48180 and the problem that appears in your ACP:

If you are running an earlier version than is available in your updates (System>Updates from the FMC), then you’re in luck! Just install the new version and it will probably fix the issue and start working, however, if there isn’t an update (only around once a month does Cisco send out a new VDB!), then you have to try and reinstall the current version.

If you call or open a ticket with Cisco, you can try this command:

 cd /et/sf/updates

sudo sh Sourcefire_VDB_Fingerprint_Database-4.5.0-[vdb version].sh — –force

That is a double dash followed by a double dash and then the force command.

If that doesn’t work, then you need to go though this long version:

The following is the long list of commands to fix, and you will have problems with permissions along the way. Here we go:

  1. Verify your version

root@firepower:/var/sf/updates# ls -lha | grep -i “4.5.”

  1. Via CLI remove the VDB installed

root@firepower:/var/sf/updates# rm Sourcefire_VDB_Fingerprint_Database-4.5.*.* (300.sh for me)

2. Verify again  with root@firepower:/var/sf/updates# ls -lha | grep -i “4.5.”

3. Its best at this point to download the new VDB from Cisco to your host, and then SCP the file to the /var/tmp folder on your FMC. I used WINSCP but you can do something like this if need be:

sudo scp Sourcefire_VDB_Fingerprint_Database-4.5.0-300.sh admin@1.1.1.1:/var/tmp

4. Move the file into /var/updates and then verify the file:

root@firepower:/var/sf/updates# ls -lha | grep -i “4.5.” Notice the rights and owner on the left:

-rw-r–r–  1 admin admin  42M Jul 17 14:46 Sourcefire_VDB_Fingerprint_Database-4.5.0-300.sh

5. Change the ownership of the file:

root@firepower:/var/sf/updates# chown -R www:www Sourcefire_VDB_Fingerprint_Database-4.5.0-300.sh 

6. Verify that is changed from admin to www group:

root@firepower:/var/sf/updates# ls -lha | grep -i “4.5.”

-rw-r–r–  1 www  www   42M Jul 17 14:46 Sourcefire_VDB_Fingerprint_Database-4.5.0-300.sh

7.  Make the file executable

root@firepower:/var/sf/updates# chmod +x Sourcefire_VDB_Fingerprint_Database-4.5.0-300.sh 

8. Execute the VDB file after step 7 (You probably will get permission issues here)

root@firepower:/var/sf/updates# ./Sourcefire_VDB_Fingerprint_Database-4.5.0-300.sh

This is MUCH different than what Cisco has as the solution.

 

Leave a Reply

Your email address will not be published. Required fields are marked *