{"id":125,"date":"2023-03-19T08:46:02","date_gmt":"2023-03-19T07:46:02","guid":{"rendered":"http:\/\/10.4.44.99:10084\/?p=125"},"modified":"2023-03-19T08:46:02","modified_gmt":"2023-03-19T07:46:02","slug":"cisco-esa-wsa-update-upgrade-url-host","status":"publish","type":"post","link":"https:\/\/www.winni.at\/wordpress\/?p=125","title":{"rendered":"Cisco ESA\/WSA | Update Upgrade URL Host"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>This document describes the IP address(es) and hosts needed to configure&nbsp;your Cisco Content Security appliance for use with a static host for downloads, updates, and upgrades. &nbsp;These configurations are to be used for either hardware or virtual Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), or Security Management Appliance (SMA).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Content Security Appliance Downloads, Updates or Upgrades using a Static Host<\/h2>\n\n\n\n<p>Cisco offers static hosts&nbsp;for customers&nbsp;that have strict firewall or proxy requirements. 
It is important to note that if you configure your appliance to use the static hosts for downloads and updates, the&nbsp;same static hosts must also be allowed&nbsp;in the firewall and proxy on your network.<\/p>\n\n\n\n<p>Here are the hostname(s), IP address(es), and ports that are involved in the download, update, and upgrade processes:<\/p>\n\n\n\n<p><strong>downloads-static.ironport.com<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>208.90.58.105 on port 80<\/li>\n<\/ul>\n\n\n\n<p><strong>update-manifests.ironport.com&nbsp;(hardware ESA)<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>208.90.58.5 on port 443<\/li>\n\n\n\n<li>184.94.240.102 on port 443<\/li>\n<\/ul>\n\n\n\n<p><strong>update-manifests.sco.cisco.com&nbsp;(virtual ESA)<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>208.90.58.6 on port 443<\/li>\n\n\n\n<li>184.94.240.125 on port 443<\/li>\n<\/ul>\n\n\n\n<p><strong>updates-static.ironport.com<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>208.90.58.25 on port 80<\/li>\n\n\n\n<li>184.94.240.106 on port 80<\/li>\n<\/ul>\n\n\n\n<p><strong>Note<\/strong>: The &#8216;update-manifests&#8217; URLs and port numbers provided are configured&nbsp;from the CLI only via the command&nbsp;<strong>updateconfig<\/strong>. From within this command, there is a hidden sub-command that needs to be run in order to validate the update manifest. 
Run&nbsp;<strong>dynamichost<\/strong>&nbsp;from the first configuration prompt once in the configuration options for&nbsp;<strong>updateconfig<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Service Update configuration via GUI<\/h2>\n\n\n\n<p>Complete these steps in order to change the download, update, or upgrade configuration&nbsp;on AsyncOS from the GUI:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to the&nbsp;<strong>Service Updates<\/strong>&nbsp;tab of the Security Services page.<\/li>\n\n\n\n<li>Click&nbsp;<strong>Edit Update Settings&#8230;<\/strong>.<\/li>\n\n\n\n<li>Select&nbsp;<em>Local Update Servers<\/em>&nbsp;from the Update Servers (images) field.<\/li>\n\n\n\n<li>For the&nbsp;<em>Base URL<\/em>&nbsp;field,&nbsp;enter in&nbsp;<strong><a href=\"http:\/\/downloads-static.ironport.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/downloads-static.ironport.com<\/a><\/strong>&nbsp;and set the&nbsp;<em>Port<\/em>&nbsp;to&nbsp;<strong>80<\/strong>.<\/li>\n\n\n\n<li>Leave the&nbsp;<em>Authentication (optional)<\/em>&nbsp;fields blank.<\/li>\n\n\n\n<li>For the&nbsp;<em>Host (McAfee Anti-Virus definitions, PXE Engine updates, Sophos Anti-Virus definitions, IronPort Anti-Spam rules, Outbreak Filters rules, DLP updates, Time zone rules and Enrollment Client (used to fetch certificates for URL Filtering)<\/em>&nbsp;field,&nbsp;enter&nbsp;<strong>updates-static.ironport.com<\/strong>. &nbsp;(Port is optional.)<\/li>\n\n\n\n<li>Leave the&nbsp;<em>Update Servers (list)<\/em>&nbsp;fields all set to Cisco IronPort Update Servers.<\/li>\n\n\n\n<li>Ensure that you have the proper interface selected, if required to communicate over a specific interface. 
&nbsp;Default configuration will be set to&nbsp;<strong>Auto Select<\/strong>.<\/li>\n\n\n\n<li>Verify and update the configured&nbsp;Proxy Servers, if required.<\/li>\n\n\n\n<li>Click<strong>&nbsp;Submit<\/strong>.<\/li>\n\n\n\n<li>In the upper right corner, click&nbsp;<strong>Commit Changes<\/strong>.<\/li>\n\n\n\n<li>Finally, click on&nbsp;<strong>Commit Changes<\/strong>&nbsp;again in order to confirm all configuration changes.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Configuration of updateconfig via the CLI<\/h2>\n\n\n\n<p>The same changes can be applied via the CLI on the appliance. &nbsp;Complete these steps in order to change the download, update, or upgrade configuration on AsyncOS from the CLI:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Run the CLI command&nbsp;<strong>updateconfig<\/strong><\/li>\n\n\n\n<li>Enter in the command&nbsp;<strong>SETUP<\/strong><\/li>\n\n\n\n<li>For the &#8220;Feature Key updates&#8221;, change the setting to use &#8216;2. Use own server&#8217;<\/li>\n\n\n\n<li>Enter&nbsp;<strong><a href=\"http:\/\/downloads-static.ironport.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/downloads-static.ironport.com:80\/<\/a><\/strong><\/li>\n\n\n\n<li>For the &#8220;Service (images)&#8221;, change the setting to use &#8216;2. 
Use own server&#8217;<\/li>\n\n\n\n<li>Enter&nbsp;<strong>updates-static.ironport.com<\/strong><\/li>\n\n\n\n<li>Leave the &#8220;McAfee Anti-Virus definitions, RSA DLP Engine Updates, PXE Engine Updates, Sophos Anti-Virus definitions, IronPort Anti-Spam rules, Outbreak Filters rules, Timezone rules, Enrollment Client Updates (used to fetch certificates for URL Filtering)&#8221; and &#8220;Cisco IronPort AsyncOS upgrades&#8221; set to default, &#8220;Use Cisco IronPort update servers&#8221;<\/li>\n\n\n\n<li>All other configuration prompts can be left set to default.<\/li>\n\n\n\n<li>Verify and update the configured Proxy Server, if required.<\/li>\n\n\n\n<li>Return to the main CLI prompt<\/li>\n\n\n\n<li>Run the CLI command&nbsp;<strong>COMMIT<\/strong>&nbsp;to save all configuration changes.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Verify Upgrades and Updates<\/h2>\n\n\n\n<p>In order to verify that the upgrade communication is successful and completes, navigate to the&nbsp;<strong>System Upgrade<\/strong>&nbsp;page and click&nbsp;<strong>Available Upgrades<\/strong>. If the list of available versions displays, then your setup is complete.<\/p>\n\n\n\n<p>From the CLI, you can simply run the&nbsp;<strong>upgrade<\/strong>&nbsp;command. &nbsp;Choose the&nbsp;<strong>download<\/strong>&nbsp;option to view the upgrade manifest, if there are available upgrades.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">8.5.7-043.local&gt; <strong>upgrade<\/strong><br><br><br>Choose the operation you want to perform:<br>- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).<br>- DOWNLOAD - Downloads the upgrade image.<br>[]&gt; <strong>download<\/strong><br><br>Upgrades available.<br>1. AsyncOS 9.6.0 build 051 upgrade For Email, 2015-09-02 this release is for General Deployment<br>2. AsyncOS 9.7.0 build 125 upgrade For Email, 2015-10-15. This release is for General Deployment<br>3. AsyncOS 9.7.1 build 066 upgrade For Email, 2016-02-16. 
This release is for General Deployment.<br>4. cisco-sa-20150625-ironport SSH Keys Vulnerability Fix<br>[4]&gt;<\/pre>\n\n\n\n<p>For validation of updates,&nbsp;from the CLI run the command&nbsp;<strong>updatenow<\/strong>. &nbsp;This will initiate the update process for all services.<\/p>\n\n\n\n<p>Next, in order to verify that the updates function correctly, run the&nbsp;CLI command&nbsp;<strong>tail<\/strong>&nbsp;and choose the log number associated with updater_logs for your appliance.<\/p>\n\n\n\n<p>For successful updates, you should see messages similar to these examples in the updater logs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For Sophos updates, monitor the updater_logs for&nbsp;<strong>sophos<\/strong>&nbsp;or monitor the antivirus log:<br><br>Wed Jun 25 19:00:24 2014 Info: sophos verifying applied files<br>Wed Jun 25 19:00:24 2014 Info: sophos updating the client manifest<br>Wed Jun 25 19:00:24 2014 Info: sophos update completed<br>Wed Jun 25 19:00:24 2014 Info: sophos waiting for new updates<\/li>\n\n\n\n<li>For McAfee updates, monitor the updater_logs for&nbsp;<strong>mcafee<\/strong>&nbsp;or monitor the antivirus log:<br><br>Wed Jun 25 19:00:40 2014 Info: mcafee verifying applied files<br>Wed Jun 25 19:00:40 2014 Info: mcafee updating the client manifest<br>Wed Jun 25 19:00:40 2014 Info: mcafee update completed<br>Wed Jun 25 19:00:40 2014 Info: mcafee waiting for new updates<\/li>\n\n\n\n<li>For CASE updates that are used by IPAS and VOF, monitor the updater_logs for&nbsp;<strong>case:<\/strong><br><br>Wed Jun 25 18:59:47 2014 Info: case verifying applied files<br>Wed Jun 25 18:59:47 2014 Info: case updating the client manifest<br>Wed Jun 25 18:59:47 2014 Info: case update completed<br>Wed Jun 25 18:59:47 2014 Info: case waiting for new updates<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Troubleshooting<\/h2>\n\n\n\n<p>The appliance sends notification alerts when the updates fail. 
Here is an example of the most commonly received email notification:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">The updater has been unable to communicate with the update server for at least 1h.<br><br>Last message occurred 4 times between Tue Mar 1 18:02:01 2016 and Tue Mar 1 18:32:03 2016.<br><br>Version: 9.7.1-066<br>Serial Number: 888869DFCCCC-3##CV##<br>Timestamp: 01 Mar 2016 18:52:01 -0500<\/pre>\n\n\n\n<p><strong>Source:&nbsp;<a href=\"http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/email-security-appliance\/117854-technote-esa-00.html\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/email-security-appliance\/117854-technote-esa-00.html<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction This document describes the IP address(es) and hosts needed to configure&nbsp;your Cisco Content Security appliance for use with a<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[3],"tags":[13,19,28,31,36,42,43,112,177],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-kb","tag-asyncos","tag-cisco","tag-cisco-esa","tag-cisco-esa-upgrade-url","tag-cisco-ironport","tag-cisco-upgrade-url","tag-cisco-wsa","tag-ironport-update","tag-unable-to-communicate-with-the-update-server"],"_links":{"self":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_r
oute=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=125"}],"version-history":[{"count":0,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/125\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}