Getting Started with Image Manager
Image Manager contains sections that are used for managing your images, working with the devices that you will need to update, and performing image installations on those devices.
For more information on these areas of Image Manager, see the following topics:
Before working with Image Manager, you should review the sections that follow:
-
the platforms that are supported by this feature,
-
the configuration settings you can change to control how the feature works, and
-
the steps that are necessary to ensure your devices are configured to work with Image Manager.
This section contains the following topics:
Image Manager Supported Platforms and Versions
Caution |
From version 4.18, Cisco Security Manager does not support SFR from ASA 9.10(1) onwards for ASA 5512, ASA 5506, ASA 5506H and ASA 5506W models. Therefore, if you upgrade to 9.10(1) through Image Manager, the exiting SFR configuration will be lost. |
Image Manager is available only for ASA devices. The following devices support Image Manager:
-
All legacy ASA models—ASA 5505/10/20/40/50/80
-
ASA 5585
-
ASA 5515/25/35/45/55
-
ASA-SM module for Catalyst 6K
-
5516-X
-
Adaptive Security Virtual Appliance (ASAv)
Beginning with Cisco Security Manager 4.20, Image Manager supports the following Firepower devices, that operate in Appliance Mode, running on ASA 9.13(1) and higher devices:
-
Cisco Firepower 1140 Security Appliance
-
Cisco Firepower 1150 Security Appliance
-
Cisco Firepower 1010 Security Appliance
-
Cisco Firepower 2140 Security Appliance
-
Cisco Firepower 2120 Security Appliance
-
Cisco Firepower 1120 Security Appliance
-
Cisco Firepower 2110 Security Appliance
-
Cisco Firepower 2130 Security Appliance
The following devices are not supported and are filtered out in the devices tab of the Image Manager unified view:
-
PIX firewall
-
FWSM blade
-
ASA device managed by AUS
-
Devices unmanaged in Security Manager
-
Other device types—IPS and Routers
Image Manager supports image upgrade for ASA device version from 7.x onwards. The target image version that can be used to upgrade is not restricted. Image upgrade to the highest ASA version supported in Security Manager 4.4, that is ASA version 9.0(1) and 9.1(1), has been tested.
Prior to version 4.9, the Image Manager application listed all the images of the supported device type. You could select and download any image that you required. Beginning with version 4.9, the Image Manager application lists only the specific versions of images.
The latest images of ASDM, †Remote Access Plugin and Host scan are listed in Image Manager. For AnyConnect version 3.x and 4.x, the latest images are listed.
For ASA devices, the following images are listed:
ASA Device Model |
ASA Images listed in Image Manager |
---|---|
5512-x,5515-x,5525-x,5545-x,5585x |
9.4.1 9.3.3 9.3.2 9.3.1.SMP 9.2.3.SMP 9.2.2.4.SMP 9.2.1.SMP.ED 9.1.4.SMP.ED 9.1.5.SMP.ED 9.1.6.SMP.ED 9.1.2.SMP.ED 9.0.4.SMP.ED 8.4.6.SMP.ED |
5580-x |
9.1.6.SMP 9.1.5.SMP.ED 9.1.4.SMP.ED 9.1.2.SMP.ED 9.0.4.SMP.ED 8.4.6.SMP.ED |
5555-x |
9.4.1 9.3.3 9.3.2 9.3.1.SMP 9.2.3.SMP 9.2.2.4.SMP 9.2.1.SMP.ED 9.1.2.SMP.ED 9.0.4.SMP.ED |
5505,5510,5520,5540,5550 |
9.1.6 9.1.5.ED 9.1.4.ED 9.1.2.ED 9.0.4.ED 8.4.6.ED |
5506-X |
9.4.1, 9.3.3, 9.3.2 |
5506H-X |
9.4.1 |
5506W-X |
9.4.1 |
5516-X |
9.4.1 |
Adaptive Security Virtual Appliance (ASAv) |
9.3.1, 9.3.2, 9.4.1 |
Note |
Image manager ASA image upgrade will be supported for Appliance mode devices for firepower series. |
DANGER |
Image downgrade is not restricted, but is done at your own risk. Image Manager does not validate downgrade cases. |
Device Configurations supported by Image Manager
In addition to supporting image updates on standalone ASA devices, Image Manager manages the filesystem and supports seamless image update for ASA devices specially configured for high availability and scalability. Following configurations are supported:
-
Multiple context mode—ASA in multiple context mode where a single ASA can be partitioned into multiple virtual devices/firewalls. Refer to http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html . Each of these virtual firewalls are represented in Security Manager as independent devices. When Image Manager updates the image on the physical unit hosting these virtual devices, it updates device properties of all virtual devices with the new image information.
-
Failover configuration—Two identical ASA devices configured to failover for high availability. They can be configured to be in Active/Active or Active/Standby failover. Refer to http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_overview.html . Image update on an Active/Active failover pair is not supported in Image Manager. In order to use Image Manager to update the images on an Active/Active failover pair, the Active/Active failover pair has to temporarily be converted to Active/Standby by making all the failover groups active on one unit, and the corresponding failover groups standby on the other unit. After upgrade, you can convert the failover pair back to Active/Active.
-
Cluster configuration—Multiple ASAs (up to 8 ASAs) can be grouped together as a single logical unit called a cluster for achieving increased throughput and redundancy. The purpose of clustering devices is to simplify manageability and to increase processing speed. By using clusters you are able to scale to a multitude of simultaneous connections that work together to load balance the connections. Clustering feature has been introduced starting from ASA version 9.0(1). For more information see http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_cluster.html .
Note |
Clustering is only supported on ASA 5580 and ASA 5585. |
Starting from release 4.4, Security Manager supports Clustering. In Configuration manager and Image Manager, all the devices/members in a cluster or a failover pair are managed as a single device. That is, when you change the configuration on a control unit, the change is automatically made to all the devices in the cluster. Similarly, Image Manager updates image on each of the physical unit that is part of failover or cluster in a single operation.
Image Management for Multi-Context ASA
Beginning with version 4.12, the Image Manager Device Tree view displays all the user contexts (Admin and User contexts) of the multi-context firewall devices running the ASA software version 9.6(2) or later.
You can select a User context and view the storage-url information of the selected context on the Storage tab.
On the Compatible Images tab, you can view only the AnyConnect images for the selected User Context. However, all image types are displayed for the System Contexts.
Image Manager Supported Image Types
Image Manager supports the following types of images:
-
ASA System software
-
ASDM image
-
VPN images [includes Cisco Secure Desktop (CSD), AnyConnect, and Hostscan]
-
SSLVPN Plug-in images (For example: RDP, SSH, ICA, and others)
Image Manager completely manages the ASA system software and the ASDM images on the ASA devices, i.e., it performs loading of the image, activating the image by modifying configuration, and even reloading the device if required to complete the image upgrade process.
For the User Context devices Security Manager supports only AnyConnect images for copying and installation.
Image Manager does not support the ASA–CX images. This includes both the system images, for example asacx-sys-9.1.1-1.pkg, and also the boot images, for example asacx-5500x-boot-9.1.1-1.img. Using Image Manager, you cannot add any CX images to the Image Manager repository and cannot push any CX images to the device .
Handling of SSL VPN Images
Image Manager only reliably copies SSL VPN images to the ASA device. No configuration or activation commands are added for SSL VPN images by Image Manager. The configuration of the images must still be done using Configuration Manager.
The following files are not managed in Image Manager and have to be configured and deployed from Configuration Manager as in earlier versions of Security Manager:
-
CSD Configuration XML
-
AnyConnect Client Profile files
-
DAP Configuration XML
-
Full Customization XML files
After the SSL VPN images have been copied to the device using Image Manager, the remote access VPN policies must be configured in Configuration Manager to make use of these images. The Remote Access VPN policies that must be configured are located at the following paths in Configuration Manager:
-
CSD Package—Remote Access VPN > Dynamic Access > Cisco Secure Desktop group box
-
HostScan Package—Remote Access VPN > Dynamic Access > Cisco Secure Desktop group box
-
Anyconnect Image—Remote Access VPN > SSL VPN > Other Settings > Client Settings tab
-
Plug-ins—Remote Access VPN > SSL VPN > Other Settings > Plug-in tab
The SSL VPN binary files must be present on the device flash before you reference them in VPN policy. If not, Security Manager will present an activity validation warning informing the user of the preference to use Image Manager to push these files reliably to the device before deploying the configuration. If the user ignores the activation warning and goes ahead, Configuration Manager defaults to the old behavior and pushes the images or files as was done in the earlier versions of Security Manager before deploying the configuration referring to these files. But the user cannot leverage the following advantages of using Image Manager for copying these files:
-
Capability to use external disks like disk1 to copy the files. Configuration Manager only copies the files to disk0 and does not recognize or support external disks.
-
Image Manager preempts errors during the image copy by validating that there is enough free space on the disk to copy the selected images and does not allow creation of a job unless there is sufficient space is to copy the images. User can make space by using the Image Manager to delete unwanted images.
Note |
Image Manager does not validate the compatibility of the SSL VPN files that are pushed to the ASA. But Configuration Manager will complain when incompatible files are referenced in the Remote Access VPN policies. |
Administrative Settings for Image Manager
Image Manager introduces new administrative settings. These administrative settings must be configured as part of Configuration Manager.
Configuring Cisco.com Certificates
Beginning with version 4.4, Security Manager has a certificate trust management feature. This feature helps you with improved handling of Cisco.com certificates. For detailed documentation of this feature, refer to Certificate Trust Management.
To configure administrative settings for Image Manager, do the following:
Procedure
Step 1 |
Go to Configuration Manager > Tools > Security Manager Administration. The Cisco Security Manager - Administration page appears. |
||
Step 2 |
Configure workflow settings:
|
||
Step 3 |
Configure debug settings: |
||
Step 4 |
Configure Cisco.com credentials: |
||
Step 5 |
Configure Purge Interval for Image Install Jobs |
||
Step 6 |
Configure Image Backup Settings |
||
Step 7 |
Click Close to close the Administration window. |
Bootstrapping Devices for Image Manager
The bootstrapping in Image Manager is essentially the same as that which you perform in Configuration Manager for ASA devices.
To bootstrap a device for Image Management, do the following:
Procedure
Step 1 |
Configure HTTPS on the device(s) to manage ASA in Security Manager.
|
||
Step 2 |
Ensure that the configuration register setting is set to boot with the image list in the running configuration. |
||
Step 3 |
In Security Manager, go to Tools > Security Manager Administration > Device Communication > SSL Certificate Parameters. In the SSL Certificate Parameters area, set PIX/ASA/FWSM Device Authentication Certificates to Do not use certificate authentication. |
||
Step 4 |
Ensure that there is sufficient space in the flash memory of the device(s) to hold the images you intend to load.
|
||
Step 5 |
We recommend that you unmanage the Boot-Image/Configuration policy for ASA, as follows: |
||
Step 6 |
We recommend that the device not be set as a priority monitored device in HPM. |
||
Step 7 |
Ensure that all configuration changes on the device are submitted and deployed. |