Cisco Defense Orchestrator

Update FTD Security Databases

By updating the security databases on an FTD device, you are updating the following: SRUs (intrusion rules), security intelligence (SI), vulnerability databases (VDB), and geolocation databases. If you opt into updating the security databases through the CDO UI, note that all of the mentioned databases are updated; you cannot select which databases you want to update. 

Please note that security database updates cannot be reverted.

Note: When you update the security databases, some packets may be dropped or pass uninspected. We recommend you schedule your security database updates during a maintenance window. 

Update the Security Databases

Update FTD Security Database While Onboarding

When you onboard an FTD device to CDO, the onboarding process includes the option "Enable scheduled recurring updates for databases". This option is checked by default. When enabled, CDO immediately checks for and applies any security updates, and automatically schedules the device to check for additional updates. You can modify the date and time of the scheduled task after the device is onboarded.

We recommend enabling the automatic scheduler during the onboarding process to regularly check for and apply security database updates. This way your device will always be up to date. To update the security databases while onboarding your FTD device, see Onboard an FTD with a Registration Key.

Note: If you onboard your device with the registration key method, the device must not be registered with a smart license. We recommend registering a base license. As an alternative method, you can onboard your device using a username, password, and IP address.

Update FTD Security Database After Onboarding

After an FTD device is onboarded to CDO, you can configure a device to check for security database updates by scheduling an update. You can modify this scheduled task at any time by selecting the device the update is scheduled for. See Schedule a Security Database Update for more information. 



Device licenses

CDO cannot update the security databases if there is no license. We recommend that your FTD device has at least a base license. 

If you onboard a device that has no license, CDO still onboards the device, but the device shows a Connectivity status of "insufficient licenses". To resolve this issue, you must apply the correct licenses through the FDM UI.

Note: If you onboard an FTD device and opt in to schedule future security database updates and the device does not have a registered license, CDO still creates the scheduled task but does not trigger the task until the appropriate licenses have been applied and the device is successfully synchronized. 

Security database updates are pending in FDM

If you update the security databases through the FDM UI, and you have conflict detection enabled on your device, CDO detects the pending update as a conflict. 

Note: If you onboard your FTD device and opt to schedule the updates, CDO automatically updates the security databases as well as any other pending changes to the stored configuration during the next deploy. The deploy does not have to be a configuration deploy.

Device has OOB changes, or staged changes, during a security database update

If you schedule a security database update for an FTD device that has out-of-band (OOB) changes, or staged changes that have not been deployed, CDO only checks for and updates the security databases. CDO does not deploy OOB or staged changes.

Device already has a scheduled task to update the security databases

Each device can only have one scheduled task. If the device already has a scheduled task to update the security databases, creating a new one overwrites it. This applies to tasks that are created in either CDO or FDM. 

No security database updates available

If there are no updates available, CDO does not deploy anything to the device.

Security database updates for FTD High Availability (HA) pair

Security database updates are applied only to the primary device of an HA pair. 

