Vulnerability Database Update Automation

Cisco uses vulnerability database (VDB) updates to expand the list of network assets, traffic, and vulnerabilities that the system recognizes. You can use the scheduling feature to update the VDB, thereby ensuring that you are using the most up-to-date information to evaluate the hosts on your network.

When automating VDB updates, you must automate two separate steps:

  • Downloading the VDB update.

  • Installing the VDB update.

As part of initial configuration, the system downloads and installs the latest vulnerability database (VDB) update from the Cisco Support & Download site. This is a one-time operation. To keep the system up to date, if the CDO has internet access, we recommend that you schedule tasks to perform automatic, recurring VDB update downloads and installations as described in this section.

Caution

Installing a vulnerability database (VDB) update immediately restarts the Snort process on all managed devices. Additionally, the first deploy after installing the VDB might cause a Snort restart depending on the VDB content. In either scenario, the restart interrupts traffic inspection. Whether traffic drops during the interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.

Caution

When a VDB update includes changes applicable to managed devices, the first manual or scheduled deploy after installing the VDB restarts the Snort process, interrupting traffic inspection. Deploy dialog messages warn you of restarts in pending deploys to FTD devices. Whether traffic drops or passes without further inspection during this interruption depends on how the targeted device handles traffic. You cannot deploy VDB updates that apply only to the CDO, and they do not cause restarts. See Snort Restart Traffic Behavior for more information.

Allow enough time between tasks for the process to complete. For example, if you schedule a task to install an update and the update has not fully downloaded, the installation task will not succeed. However, if the scheduled installation task repeats daily, it will install the downloaded VDB update when the task runs the next day.
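As an added illustration of this timing dependency (a constructed model, not CDO code; the two-hour download duration and task names are assumptions), the following Python runs both daily tasks hour by hour and shows the install task failing on the first day when it is scheduled before the download completes, then succeeding when it repeats the next day:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the two recurring tasks (download, then install); the
# download duration and the version label are assumptions, not CDO internals.
DOWNLOAD_DURATION_H = 2  # assumed hours for a VDB download to complete


@dataclass
class Result:
    installed: Optional[str] = None          # VDB version currently installed
    installed_on_day: Optional[int] = None   # first day the install task succeeded
    events: list = field(default_factory=list)


def simulate(download_hour: int, install_hour: int, days: int,
             latest: str = "vdb-NEW") -> Result:
    """Run both daily tasks for `days` days and report when the install first succeeds."""
    r = Result()
    downloaded: Optional[str] = None
    pending: Optional[tuple] = None  # (version, absolute hour at which the download finishes)
    for day in range(1, days + 1):
        for hour in range(24):
            t = (day - 1) * 24 + hour
            # Download task: start fetching the latest VDB if it is not already on disk.
            if hour == download_hour and downloaded != latest and pending is None:
                pending = (latest, t + DOWNLOAD_DURATION_H)
                r.events.append(f"day {day} {hour:02d}:00 download started")
            # The download finishes some hours later, possibly after today's install task.
            if pending is not None and t >= pending[1]:
                downloaded, pending = pending[0], None
                r.events.append(f"day {day} {hour:02d}:00 download complete")
            # Install task: needs a fully downloaded update that is not yet installed.
            if hour == install_hour:
                if downloaded is not None and downloaded != r.installed:
                    r.installed = downloaded
                    r.installed_on_day = r.installed_on_day or day
                    r.events.append(f"day {day} {hour:02d}:00 installed {downloaded} (Snort restarts)")
                else:
                    r.events.append(f"day {day} {hour:02d}:00 install did not succeed: no new downloaded update")
    return r


if __name__ == "__main__":
    # Install scheduled one hour after the download starts: fails day 1, succeeds day 2.
    for line in simulate(download_hour=1, install_hour=2, days=2).events:
        print(line)
```

Scheduling the install task far enough after the download task (for example `simulate(1, 4, 1)`) makes it succeed on the first day instead.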

Note:

  • You cannot schedule updates for appliances that cannot access the Support Site. If your CDO is not directly connected to the Internet, use the management interfaces configuration to set up a proxy that allows it to download updates from the Support Site.

  • If you want to have more control over this process, you can use the Once option to download and install VDB updates during off-peak hours after you learn that an update has been released.

  • In multidomain deployments, you can only schedule VDB updates for the Global domain. The changes take effect when you redeploy policies.