Upgrade EVE Exception Rules
On Secure Firewall version 7.7 and earlier, EVE exception rules are configured separately for each access control policy. From Secure Firewall version 10.0.0, the EVE exception list belongs to the global domain: exception rules are configured once in the global domain and apply to every policy on which EVE is enabled to block traffic.
When you upgrade the Management Center from version 7.7 to 10.0.0, the upgrade first identifies and records all EVE exception rules in leaf domains that reference leaf domain network objects. After the upgrade is complete:
- All EVE exception rules from global domain policies, as well as rules from leaf domain policies that reference only global domain objects or inline IP addresses, are consolidated into a single global EVE exception list. Because that list applies to every policy on which EVE is enabled, some policies now enforce EVE exception rules that were not present in them before the upgrade.
- All policies that contained EVE exception rules are marked as out-of-date.
If exception rules from leaf domains reference leaf domain network or dynamic objects, those rules are removed during the upgrade. The upgrade script log records every merged and deleted exception rule together with the access control policy and domain from which each rule originated. The log file is located at /var/log/sf/Cisco_Secure_FW_Mgmt_Center_Upgrade10.0.0/800_post/1114_eve_rules.pl.log. Review this log before the first post-upgrade deployment so that removed exceptions can be re-created in the global EVE exception list using global domain objects or inline IP addresses (leaf domain objects are not available in the global domain).
When you deploy the configuration for the first time after the upgrade, a warning message on the Management Center lists all the deleted EVE exception rules and states that traffic may be affected if those rules are not reconfigured in the global EVE exception list. Note that this warning appears only on the first deployment after the upgrade is complete; afterwards the upgrade log file is the only record of the deleted rules.
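Because the rules that will be dropped are reported only after the fact, in the upgrade log and in the first-deployment warning, it is worth auditing them before upgrading. The following Python script is an added example and is not Cisco's upgrade script or any Management Center API: it models the consolidation behaviour described above on a constructed set of rules so that an administrator can see which rules merge, which are deleted, which policies go out-of-date, and which policies inherit rules they did not have before. The rule fields (policy, domain, process, inline IPs, object references), the sample rules and the assumption that identical rules collapse to one entry in the global list are all illustrative assumptions.

```python
from dataclasses import dataclass

GLOBAL = "Global"  # the global domain


@dataclass(frozen=True)
class ObjRef:
    """A network or dynamic object referenced by a rule (assumed shape)."""
    name: str
    kind: str    # "network" or "dynamic"
    domain: str  # domain that owns the object


@dataclass(frozen=True)
class EveException:
    """One pre-upgrade EVE exception rule (field names are assumptions)."""
    policy: str                          # access control policy holding the rule
    domain: str                          # domain that owns the policy
    process: str                         # process the rule exempts
    inline_ips: frozenset = frozenset()  # literal IPs/CIDRs typed into the rule
    objects: frozenset = frozenset()     # ObjRef entries the rule references

    def match_key(self):
        """Identity used to collapse duplicate rules in the single global list."""
        return (self.process, self.inline_ips, self.objects)


def leaf_scoped_objects(rule):
    """Names of referenced objects owned by a leaf domain (unavailable in the global domain)."""
    return sorted(o.name for o in rule.objects if o.domain != GLOBAL)


def consolidate(rules):
    """Apply the documented merge rules to a list of EveException.

    Returns (global_list, deleted, outdated_policies, log_lines):
      global_list       rules that survive, de-duplicated, in the global list
      deleted           leaf-domain rules dropped for referencing leaf objects
      outdated_policies (domain, policy) pairs that held rules and are marked out-of-date
      log_lines         one MERGED/DELETED line per input rule, with its policy and domain
    """
    global_list, deleted, log_lines = [], [], []
    seen_keys, outdated = set(), set()
    for r in rules:
        outdated.add((r.domain, r.policy))
        leaf = leaf_scoped_objects(r)
        if r.domain != GLOBAL and leaf:
            deleted.append(r)
            log_lines.append(
                f"DELETED process={r.process} policy={r.policy} "
                f"domain={r.domain} leaf_objects={','.join(leaf)}")
            continue
        log_lines.append(f"MERGED process={r.process} policy={r.policy} domain={r.domain}")
        if r.match_key() not in seen_keys:  # assumption: identical rules collapse to one
            seen_keys.add(r.match_key())
            global_list.append(r)
    return global_list, deleted, sorted(outdated), log_lines


def newly_inherited(rules, eve_enabled_policies):
    """For each EVE-enabled policy, the exception rules it will enforce after the
    upgrade that it did not contain before (the 'rules not present before' case)."""
    global_list = consolidate(rules)[0]
    before = {}
    for r in rules:
        before.setdefault(r.policy, set()).add(r.match_key())
    return {
        p: sorted(r.process for r in global_list if r.match_key() not in before.get(p, set()))
        for p in eve_enabled_policies
    }


# Constructed sample rules; not taken from any real deployment.
SAMPLE_RULES = [
    EveException("Corp-ACP", GLOBAL, "zoom.exe", inline_ips=frozenset({"10.1.0.0/16"})),
    EveException("Branch-ACP", "Branch", "teams.exe",
                 objects=frozenset({ObjRef("HQ-Net", "network", GLOBAL)})),
    EveException("Branch-ACP", "Branch", "zoom.exe",
                 inline_ips=frozenset({"10.1.0.0/16"})),  # duplicate of the global rule
    EveException("Lab-ACP", "Lab", "curl",
                 objects=frozenset({ObjRef("Lab-Scanners", "network", "Lab")})),
    EveException("Lab-ACP", "Lab", "python3",
                 objects=frozenset({ObjRef("HQ-Net", "network", GLOBAL),
                                    ObjRef("Lab-Dyn", "dynamic", "Lab")})),  # mixed: still dropped
]
EVE_ENABLED = ["Corp-ACP", "Branch-ACP", "Lab-ACP", "DMZ-ACP"]  # DMZ-ACP had no exceptions


if __name__ == "__main__":
    kept, dropped, outdated, log = consolidate(SAMPLE_RULES)
    print("\n".join(log))
    print("out-of-date:", outdated)
    print("inherited per policy:", newly_inherited(SAMPLE_RULES, EVE_ENABLED))
```

Running the script shows the two points the documentation warns about: the Lab rules are deleted even when only one of several referenced objects is leaf-scoped, and a policy that had no exceptions at all (DMZ-ACP) inherits the whole global list once EVE is enabled on it.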
For Secure Firewall devices running version 7.7 and earlier that are managed by a Management Center running version 10.0.0, only Very High threat confidence connection events are sent to the Security-Related Connection Events table. For Secure Firewall devices running version 10.0.0, EVE Blocked events and connection events with an EVE threat confidence of Medium or higher are sent to the Security-Related Connection Events table.
Change Management Support during EVE Upgrade
When you upgrade the Management Center to version 10.0.0, all active change management tickets that contain access control policies on which EVE is enabled will have their EVE exception rules automatically merged with the global EVE exception list.
The merging of EVE exception rules with the global EVE exception list occurs regardless of the ticket's approval state. This ensures that no exception rules are lost during the upgrade.
EVE Ticket Preview Generation Behavior
If a change management ticket contains a locked policy whose only modifications are EVE-related (EVE settings or exception rules), the EVE ticket preview is not regenerated automatically after the upgrade. If the ticket also contains other policy modifications, the EVE ticket preview is generated normally.