Introduction
This document describes the process to downgrade the Vulnerability Database on Secure Firewall Management Center (FMC) version 7.3 and later.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Secure Firewall Management Center version 7.3 VDB 361
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Initial Configurations
On the FMC GUI, the VDB version is obtained under the MainMenu >.
On the CLI, the VDB version is obtained with the command show version.
> show version
-------------------[ firepower ]--------------------
Model : Secure Firewall Management Center for VMware (66) Version 7.3.0 (Build 69)
UUID : e8f4b5de-4da1-11ed-b2ce-4637a3ef82f7
Rules update version : 2023-07-12-002-vrt
LSP version : lsp-rel-20230712-1621
VDB version : 361
----------------------------------------------------
Rollback Process
If the previous VDB version is no longer stored on the FMC, navigate to System ()
Then, check the FMC checkbox and click on Install.
A warning prompt is displayed to inform you about potential traffic disruption in case you deploy changes to the managed Firewalls after the VDB rollback.
Verify
Once the rollback task is completed, the VDB version can be confirmed under the main Menu >
Finally, after the VDB is rolled back, a policy deployment is required to push the new VDB configuration to the FMC managed Firewalls.
Limitations
- The VDB rollback button is not available prior to FMC 7.3.
- You cannot roll back the VDB to a version older than 357. If a VDB version older than 357 is uploaded to the FMC, the rollback button is grayed out.
- If the target VDB version is lower than the base VDB version of the FMC, the rollback task is reported as completed successfully, but the VDB version displayed remains the same as before the rollback attempt.
From the FMC CLI you can confirm that this happened because the rollback target version is lower than the base VDB version of the FMC. The version check is recorded in the status.log file of the VDB package:
> expert
sudo su
cd /var/log/sf/vdb-4.5.0-<vdb number>/
cat status.log
root@firepower:/var/log/sf/vdb-4.5.0-357# cat status.log
state:running
ui:The install has begun.
ui:[ 0%] Running script pre/000_start.sh...
ui:[ 4%] Running script pre/010_check_versions.sh...
ui:[ 4%] Non-Fatal error: Non-Fatal error: Cannot rollback to version(357) lower than default VDB 358
ui:[ 4%] The install completed successfully.
ui:The install has completed.
state:finished
----------------------------------------------------
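Because the task reports "The install completed successfully" even when the version check fails, the only reliable signals are the "Cannot rollback to version(...)" line in status.log and the VDB version in show version. The script below, an added example that is not part of this Cisco document, parses both. It assumes the log and show version formats exactly as printed on this page; the two status.log files and the show version text it creates are constructed samples (the "OK" log is the same output with the Non-Fatal line omitted, an assumption), so the script runs offline from the expert shell or any POSIX sh.

```shell
#!/bin/sh
# Added example: detect a VDB rollback that was reported successful but
# silently rejected because the target is lower than the base (default) VDB.
# Path of the per-package log on the FMC, as shown on this page.
vdb_status_log_path() { printf '/var/log/sf/vdb-4.5.0-%s/status.log\n' "$1"; }

# Constructed sample logs (the first mirrors the output on this page).
FAILED_LOG=$(mktemp); OK_LOG=$(mktemp); SHOW_VERSION=$(mktemp)
trap 'rm -f "$FAILED_LOG" "$OK_LOG" "$SHOW_VERSION"' EXIT
cat > "$FAILED_LOG" <<'EOF'
state:running
ui:The install has begun.
ui:[ 0%] Running script pre/000_start.sh...
ui:[ 4%] Running script pre/010_check_versions.sh...
ui:[ 4%] Non-Fatal error: Non-Fatal error: Cannot rollback to version(357) lower than default VDB 358
ui:[ 4%] The install completed successfully.
ui:The install has completed.
state:finished
EOF
# Assumed shape of a rollback that took effect: same log without the Non-Fatal line.
grep -v 'Non-Fatal error' "$FAILED_LOG" > "$OK_LOG"
# Constructed excerpt of "show version" output (format from this page).
printf 'VDB version : 361\n' > "$SHOW_VERSION"

# vdb_rollback_result <status.log>
# Prints OK, "BELOW_BASE <target> <base>", INCOMPLETE or UNKNOWN.
# Exit status is 0 only when the rollback actually took effect.
vdb_rollback_result() {
    log="$1"
    [ -r "$log" ] || { echo "UNKNOWN"; return 2; }
    # The task is still running (or the log is truncated) until state:finished appears.
    grep -q '^state:finished' "$log" || { echo "INCOMPLETE"; return 3; }
    line=$(grep 'Cannot rollback to version' "$log" | head -n 1)
    if [ -n "$line" ]; then
        # Pull the requested target and the base VDB out of the Non-Fatal line.
        target=$(printf '%s\n' "$line" | sed -n 's/.*version(\([0-9]*\)).*/\1/p')
        base=$(printf '%s\n' "$line" | sed -n 's/.*default VDB \([0-9]*\).*/\1/p')
        echo "BELOW_BASE $target $base"; return 1
    fi
    echo "OK"; return 0
}

# vdb_version_from_show <file containing "show version" output>
# Prints the number after "VDB version :" so it can be compared with the target.
vdb_version_from_show() {
    sed -n 's/^VDB version[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Demonstration: prints "BELOW_BASE 357 358", then "OK", then "361".
for f in "$FAILED_LOG" "$OK_LOG"; do
    vdb_rollback_result "$f" || :    # non-zero status means the rollback did not apply
done
vdb_version_from_show "$SHOW_VERSION"
```

On a real FMC, pass the output of vdb_status_log_path with the target VDB number to vdb_rollback_result, then compare the number printed by vdb_version_from_show (fed with saved show version output) against the target: a BELOW_BASE result, or a VDB version that still matches the pre-rollback value, means the rollback did not take effect and no policy deployment should be run on that assumption.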
Related Information