Upgrade the ASA FirePOWER Module

This document describes how to upgrade the ASA FirePOWER module using ASDM or the management center, depending on your management choice. Refer to Upgrade the ASA to determine when you should perform the FirePOWER upgrade in a standalone, failover, or clustering scenario.

Traffic Flow and Inspection

Interruptions in traffic flow and inspection can occur when you:

  • Reboot a device.

  • Upgrade the device software, operating system, or virtual hosting environment.

  • Uninstall or revert the device software.

  • Move a device between domains.

  • Deploy configuration changes (Snort process restarts).

Device type, high availability/scalability configuration, and interface configuration determine the nature of the interruptions. We strongly recommend performing these tasks in a maintenance window or at a time when any interruption will have the least impact on your deployment.

Upgrade an ASA FirePOWER Module with ASDM

Use the following procedure to upgrade ASA FirePOWER modules managed by ASDM.


Caution


Do not make configuration changes, manually reboot, or shut down an upgrading module. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.


Procedure


Step 1

Make sure you are running a supported version of ASA.

There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest supported version.

See the ASA upgrade procedures for standalone, failover, and clustering scenarios for when to upgrade the ASA FirePOWER module in the sequence. Even if you are not upgrading the ASA software, you should still refer to the ASA failover and clustering upgrade procedures so you can perform a failover or disable clustering on a unit before the module upgrade to avoid traffic loss. For example, in a cluster, you should upgrade each secondary unit serially (which involves disabling clustering, upgrading the module, then reenabling clustering), and then upgrade the primary unit.

Step 2

Download the upgrade package from Cisco.com.

For major versions:

  • Upgrading to Version 6.0 through 6.2.2 — Cisco_Network_Sensor_Upgrade-[version]-[build].sh

  • Upgrading to Version 6.2.3+ — Cisco_Network_Sensor_Upgrade-[version]-[build].sh.REL.tar

For patches:

  • Upgrading to 5.4.1.x through 6.2.1.x — Cisco_Network_Sensor_Patch-[version]-[build].sh

  • Upgrading to Version 6.2.2.1+ — Cisco_Network_Sensor_Patch-[version]-[build].sh.REL.tar

Download directly from the Cisco Support & Download site. If you transfer a package by email, it may become corrupted. Note that newer upgrade packages are signed (Version 6.2.3+ major packages and Version 6.2.2.1+ patches) and end in .sh.REL.tar instead of just .sh. Do not untar signed upgrade packages; upload the .tar file as-is.
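Before uploading, a practitioner usually wants to confirm that the file is the right kind of package for the target version and that it was not corrupted in transit. The script below is an added example and not Cisco tooling: it encodes the naming rules listed above (major versus patch, unsigned .sh before the signed .sh.REL.tar packages) and compares the file's SHA-256 with the checksum you copy from the package's entry on the Cisco Support & Download site. The build number in the file name is treated as a wildcard because it varies per release and is not given on this page; any sample file and checksum you feed it while trying it out are constructed, not a real package.

```shell
#!/bin/sh
# Pre-upload check for an ASA FirePOWER upgrade package.
# Added example, not Cisco tooling. Naming rules come from the list in
# Step 2 above; the SHA-256 to compare against is assumed to be copied
# from the package entry on the Cisco Support & Download site.

# ver_ge A B: succeed if dotted version A is >= B, comparing up to four
# numeric fields; missing fields count as 0 (so 6.2.3 >= 6.2.3.0).
ver_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# expected_pattern KIND VERSION: print the shell glob that a correctly
# named package for KIND (major|patch) and target VERSION must match.
# The build number is a wildcard; it is not listed on this page.
expected_pattern() {
    case "$1" in
        major) prefix=Cisco_Network_Sensor_Upgrade; signed_from=6.2.3 ;;
        patch) prefix=Cisco_Network_Sensor_Patch;   signed_from=6.2.2.1 ;;
        *) echo "kind must be major or patch, got: $1" >&2; return 3 ;;
    esac
    if ver_ge "$2" "$signed_from"; then
        printf '%s-%s-*.sh.REL.tar\n' "$prefix" "$2"
    else
        printf '%s-%s-*.sh\n' "$prefix" "$2"
    fi
}

# sha256_of FILE: print the hex SHA-256 using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_package FILE KIND VERSION SHA256
#   0 = file name and checksum both match
#   1 = file name does not match what the procedure expects (wrong kind,
#       wrong version, or an untarred/unsigned file where a signed one is due)
#   2 = checksum mismatch (corrupted or altered in transit; re-download)
#   3 = bad KIND argument
check_package() {
    file=$1; kind=$2; ver=$3; want=$4
    pattern=$(expected_pattern "$kind" "$ver") || return 3
    name=$(basename "$file")
    case "$name" in
        $pattern) ;;
        *) echo "NAME MISMATCH: $name (expected $pattern)" >&2; return 1 ;;
    esac
    got=$(sha256_of "$file")
    if [ "$got" != "$want" ]; then
        echo "CHECKSUM MISMATCH: $name" >&2
        echo "  expected $want" >&2
        echo "  got      $got" >&2
        return 2
    fi
    echo "OK: $name matches $pattern and SHA-256 $want"
}

# Usage: sh check_sfr_package.sh FILE major|patch VERSION SHA256
if [ "$#" -eq 4 ]; then
    check_package "$1" "$2" "$3" "$4"
fi
```

A non-zero exit is the signal to stop and re-download rather than upload: a name mismatch usually means the wrong package type for the target version (or a signed package that someone untarred), and a checksum mismatch means the bytes on disk are not what Cisco published.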

Step 3

Connect to the ASA with ASDM and upload the upgrade package.

  1. Choose Configuration > ASA FirePOWER Configuration > Updates.

  2. Click Upload Update.

  3. Click Choose File to navigate to and choose the update.

  4. Click Upload.

Step 4

Deploy pending configuration changes. Otherwise, the upgrade may fail.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending on how your device handles traffic, may interrupt traffic until the restart completes. For more information, see Traffic Flow and Inspection.

Step 5

(Upgrading to Version 6.1.0 through 6.3.0.x) Disable the ASA REST API.

If you do not disable the REST API, the upgrade will fail. Note that ASA 5506-X series devices do not support the ASA REST API if you are also running Version 6.0+ of the ASA FirePOWER module.

Use the CLI on the ASA to disable the REST API:

no rest-api agent

You can reenable it after the upgrade:

rest-api agent

Step 6

Choose Monitoring > ASA FirePOWER Monitoring > Task Status to make sure essential tasks are complete.

Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

Step 7

Choose Configuration > ASA FirePOWER Configuration > Updates.

Step 8

Click the Install icon next to the upgrade package you uploaded, then confirm that you want to upgrade and reboot the module.

Traffic either drops throughout the upgrade or traverses the network without inspection, depending on how the module is configured. For more information, see Traffic Flow and Inspection.

Step 9

Monitor upgrade progress on the Task Status page.

Do not make configuration changes to the module while it is upgrading. Even if the upgrade status shows no progress for several minutes or indicates that the upgrade has failed, do not restart the upgrade or reboot the module. Instead, contact Cisco TAC.

Step 10

After the upgrade finishes, reconnect ASDM to the ASA.

Step 11

Choose Configuration > ASA FirePOWER Configuration and click Refresh. Otherwise, the interface may exhibit unexpected behavior.

Step 12

Choose Configuration > ASA FirePOWER Configuration > System Information and confirm that the module has the correct software version.

Step 13

If the intrusion rule update or the vulnerability database (VDB) available on the Support site is newer than the version currently running, install the newer version.

Step 14

Complete any post-upgrade configuration changes described in the release notes.

Step 15

Redeploy configurations.


Upgrade the Firepower Management Center

If you manage the ASA FirePOWER module with the Firepower Management Center, you must upgrade the management center before you upgrade the module.

Upgrade a Standalone Secure Firewall Management Center

Use this procedure to upgrade a standalone Secure Firewall Management Center, including Secure Firewall Management Center Virtual.


Caution


Do not make or deploy configuration changes, manually reboot, or shut down while you are upgrading the FMC. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.


Before you begin

Complete the pre-upgrade checklist. Make sure the appliances in your deployment are healthy and successfully communicating.

Procedure


Step 1

Choose System > Updates.

Step 2

Click the Install icon next to the upgrade package you want to use, then choose the FMC.

Step 3

Click Install to begin the upgrade.

Confirm that you want to upgrade and reboot.

Step 4

Monitor precheck progress until you are logged out. Do not make configuration changes during this time.

Step 5

Log back in when you can.

  • Minor upgrades (patches and hotfixes): You can log in after the upgrade and reboot are completed.

  • Major and maintenance upgrades: You can log in before the upgrade is completed. The system displays a page you can use to monitor the upgrade's progress and view the upgrade log and any error messages. You are logged out again when the upgrade is completed and the system reboots. After the reboot, log back in again.

Step 6

If prompted, review and accept the End User License Agreement (EULA).

Step 7

Verify upgrade success.

If the system does not notify you of the upgrade's success when you log in, choose Help > About to display current software version information.

Step 8

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 9

Complete any post-upgrade configuration changes described in the release notes.

Step 10

Redeploy configurations.

Redeploy to all managed devices. If you do not deploy to a device, its eventual upgrade may fail and you may have to reimage it.


Upgrade High Availability Firepower Management Centers

Use this procedure to upgrade the Firepower software on FMCs in a high availability pair.

You upgrade peers one at a time. With synchronization paused, first upgrade the standby, then the active. When the standby starts prechecks, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade. Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization.


Caution


Do not make or deploy configuration changes, manually reboot, or shut down while you are upgrading the FMC. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.


Before you begin

Complete the pre-upgrade checklist for both peers. Make sure the appliances in your deployment are healthy and successfully communicating.

Procedure


Step 1

Pause synchronization.

  1. Choose System > Integration.

  2. On the High Availability tab, click Pause Synchronization.

Step 2

Upload the upgrade package to the standby.

In FMC high availability deployments, you must upload the upgrade package to both peers, and you must pause synchronization before you transfer the package to the standby. To limit interruptions to HA synchronization, transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer only now, after you have paused synchronization.

Step 3

Upgrade peers one at a time — first the standby, then the active.

Follow the instructions in Upgrade a Standalone Secure Firewall Management Center, stopping after you verify update success on each peer. In summary, for each peer:

  1. On the System > Updates page, install the upgrade.

  2. Monitor progress until you are logged out, then log back in when you can (this happens twice for major upgrades).

  3. Verify upgrade success.

Do not make or deploy configuration changes while the pair is split-brain.

Step 4

Restart synchronization.

  1. Log into the FMC that you want to make the active peer.

  2. Choose System > Integration.

  3. On the High Availability tab, click Make-Me-Active.

  4. Wait until synchronization restarts and the other FMC switches to standby mode.

Step 5

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 6

Complete any post-upgrade configuration changes described in the release notes.

Step 7

Redeploy configurations.

Redeploy to all managed devices. If you do not deploy to a device, its eventual upgrade may fail and you may have to reimage it.


Upgrade an ASA FirePOWER Module with FMC

Use this procedure to upgrade an ASA FirePOWER module managed by an FMC. When you upgrade the module depends on whether you are upgrading ASA, and on your ASA deployment.

  • Standalone ASA devices: If you are also upgrading ASA, upgrade the ASA FirePOWER module just after you upgrade ASA and reload.

  • ASA clusters and failover pairs: To avoid interruptions in traffic flow and inspection, fully upgrade these devices one at a time. If you are also upgrading ASA, upgrade the ASA FirePOWER module just before you reload each unit to upgrade ASA.

For more information, see Upgrade Path: ASA FirePOWER with FMC and the ASA upgrade procedures.

Before you begin

Complete the pre-upgrade checklist. Make sure the appliances in your deployment are healthy and successfully communicating.

Procedure


Step 1

Choose System > Updates.

Step 2

Click the Install icon next to the upgrade package you want to use and choose the devices to upgrade.

If the devices you want to upgrade are not listed, you chose the wrong upgrade package.

Note


We strongly recommend upgrading no more than five devices simultaneously from the System Update page. You cannot stop the upgrade until all selected devices complete the process. If there is an issue with any one device upgrade, all devices must finish upgrading before you can resolve the issue.

Step 3

Click Install, then confirm that you want to upgrade and reboot the devices.

Traffic either drops throughout the upgrade or traverses the network without inspection, depending on how your devices are configured and deployed. For more information, see the Upgrade the Software chapter in the Cisco Firepower Release Notes for your target version.

Step 4

Monitor upgrade progress.

Caution


Do not deploy changes to, manually reboot, or shut down an upgrading device. Do not restart a device upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Step 5

Verify upgrade success.

After the upgrade completes, choose Devices > Device Management and confirm that the devices you upgraded have the correct software version.

Step 6

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 7

Complete any post-upgrade configuration changes described in the release notes.

Step 8

Redeploy configurations to the devices you just upgraded.