Planning Your Upgrade

Upgrade Planning Phases

This table summarizes the upgrade planning process. For full checklists, see the upgrade procedures.

Table 1. Upgrade Planning Phases

Phase

Includes

Planning and Feasibility

Careful planning and preparation can help you avoid missteps.

Assess your deployment.

Plan your upgrade path.

Read all upgrade guidelines and plan configuration changes.

Check appliance access.

Check bandwidth.

Schedule maintenance windows.

Upgrade Packages

Upgrade packages are available on the Cisco Support & Download site.

Download upgrade packages from Cisco.

Upload upgrade packages to appliances or place them somewhere the appliances can access during the upgrade process.

Backups

The ability to recover from a disaster is an essential part of any system maintenance plan.

Back up logical devices.

Back up FXOS.

FXOS Upgrade

Because operating system and hosting environment upgrades can affect traffic flow and inspection, perform them in a maintenance window.

Upgrade FMC virtual hosting, if needed.

Upgrade FXOS.

Final Checks for FTD Logical Devices

A set of final checks ensures you are ready to upgrade.

Check configurations.

Check NTP synchronization.

Check disk space.

Deploy configurations.

Run readiness checks.

Check running tasks.

Check deployment health and communications.

Current Version and Model Information

Use these commands to find current version and model information for your deployment.

Table 2.

Component

Information

FXOS for Firepower 4100/9300

Firepower Chassis Manager: Choose Overview.

FXOS CLI: For the version, use the show version command. For the model, enter scope chassis 1, and then show inventory.

Firepower Threat Defense logical device with FMC

On the FMC, choose Devices > Device Management.

Firepower Threat Defense logical device with FDM

In FDM, click Device to get to the Device Summary.

ASA logical device

ASDM: Choose Home > Device Dashboard > Device Information.

ASA CLI: Use the show version command.

Firepower Management Center

On the FMC, choose Help > About.

Upgrade Paths

Your upgrade path is a detailed plan for what you will upgrade and when, including appliance operating systems. At all times, you must maintain hardware, software, operating system, and hosting compatibility.


Tip

This guide covers Firepower 6.0.1–7.0.x or ASA 9.4(1)–9.16(x) with FXOS 1.1.1–2.10.1. See Is This Guide for You?


What Do I Have?

Before you upgrade any Firepower appliance, determine the current state of your deployment. In addition to current version and model information, determine if your devices are configured for high availability/scalability, and if they are deployed passively, as an IPS, as a firewall, and so on.

See Current Version and Model Information.

Where Am I Going?

Now that you know what you have, make sure you can get to where you want to go:

  • Can your deployment run the target Firepower version?

  • Can your deployment run the target ASA version?

  • Do your appliances require a separate operating system upgrade before they can run the target Firepower version? Can your appliances run the target OS?

For answers to all these questions, see Cisco Firepower 4100/9300 FXOS Compatibility.

How Do I Get There?

After you determine that your appliances can run the target version, make sure direct upgrade is possible:

  • Is direct Firepower software upgrade possible?

  • Is direct ASA software upgrade possible?

  • Is direct FXOS upgrade possible?

For answers to all these questions, see the upgrade paths provided in this guide.


Tip

Upgrade paths that require intermediate versions can be time consuming. Especially in larger Firepower deployments where you must alternate FMC and device upgrades, consider reimaging older devices instead of upgrading. First, remove the devices from the FMC. Then, upgrade the FMC, reimage the devices, and re-add them to the FMC.


Can I Maintain Deployment Compatibility?

At all times, you must maintain hardware, software, and operating system compatibility:

Upgrade Path: FXOS

This table provides FXOS upgrade paths for a Firepower 4100/9300 chassis without any configured logical devices.

Find your current version in the left column. You can upgrade directly to any of the versions listed in the right column. In general, we recommend the latest FXOS build in the version sequence.


Note

For early versions of FXOS, you must upgrade to all intermediate versions between the current version and the target version. Once you reach FXOS 2.2.2, your upgrade options are wider.


Table 3. Upgrade Paths: FXOS on Firepower 4100/9300

Current FXOS Version    Target FXOS Version

2.9.1                   → 2.10.1
2.8.1                   Any of: 2.10.1, 2.9.1
2.7.1                   Any of: 2.10.1, 2.9.1, 2.8.1
2.6.1                   Any of: 2.10.1, 2.9.1, 2.8.1, 2.7.1
2.4.1                   Any of: 2.10.1, 2.9.1, 2.8.1, 2.7.1, 2.6.1
2.3.1                   Any of: 2.10.1, 2.9.1, 2.8.1, 2.7.1, 2.6.1, 2.4.1
2.2.2                   Any of: 2.10.1, 2.9.1, 2.8.1, 2.7.1, 2.6.1, 2.4.1, 2.3.1
2.2.1                   → 2.2.2
2.1.1                   → 2.2.1
2.0.1                   → 2.1.1
1.1.4                   → 2.0.1
1.1.3                   → 1.1.4
1.1.2                   → 1.1.3
1.1.1                   → 1.1.2
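The following planner is an added example, not part of the Cisco guide: it encodes the direct upgrades from Table 3 as a graph and finds the path with the fewest hops for a chassis without configured logical devices. The function names (version_key, plan_path) are hypothetical, and the refusal to plan downgrades is a design choice based on the guide's statement that downgrades require a re-image.

```python
from collections import deque

# Direct FXOS upgrades transcribed from Table 3 (current -> allowed targets).
DIRECT = {
    "2.9.1": ["2.10.1"],
    "2.8.1": ["2.10.1", "2.9.1"],
    "2.7.1": ["2.10.1", "2.9.1", "2.8.1"],
    "2.6.1": ["2.10.1", "2.9.1", "2.8.1", "2.7.1"],
    "2.4.1": ["2.10.1", "2.9.1", "2.8.1", "2.7.1", "2.6.1"],
    "2.3.1": ["2.10.1", "2.9.1", "2.8.1", "2.7.1", "2.6.1", "2.4.1"],
    "2.2.2": ["2.10.1", "2.9.1", "2.8.1", "2.7.1", "2.6.1", "2.4.1", "2.3.1"],
    "2.2.1": ["2.2.2"],
    "2.1.1": ["2.2.1"],
    "2.0.1": ["2.1.1"],
    "1.1.4": ["2.0.1"],
    "1.1.3": ["1.1.4"],
    "1.1.2": ["1.1.3"],
    "1.1.1": ["1.1.2"],
}


def version_key(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def plan_path(current, target):
    """Return the shortest list of FXOS versions from current to target.

    Raises ValueError for versions outside Table 3, for downgrades
    (re-image instead), or when no path exists.
    """
    known = set(DIRECT) | {t for targets in DIRECT.values() for t in targets}
    for version in (current, target):
        if version not in known:
            raise ValueError(f"{version} is not covered by Table 3")
    if version_key(target) < version_key(current):
        raise ValueError("downgrade is not supported; re-image the device")

    # Breadth-first search: the first path that reaches the target has the
    # fewest intermediate upgrades.
    queue = deque([[current]])
    seen = {current}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in DIRECT.get(path[-1], []):
            # Never overshoot the target, since there is no way back down.
            if nxt not in seen and version_key(nxt) <= version_key(target):
                seen.add(nxt)
                queue.append(path + [nxt])
    raise ValueError(f"no upgrade path from {current} to {target}")


if __name__ == "__main__":
    # Early versions must step through every intermediate release until 2.2.2.
    print(" -> ".join(plan_path("1.1.1", "2.10.1")))
```

Each hop in the result is a separate FXOS upgrade to schedule in a maintenance window; with logical devices configured, use the combination tables later in this guide instead.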

Upgrade Path: ASA Logical Devices

This table provides upgrade paths for ASA logical devices on the Firepower 4100/9300.


Note

If you are upgrading a Firepower 9300 chassis with FTD and ASA logical devices running on separate modules, see Upgrade Path: FTD and ASA Logical Devices for Firepower 9300.


Find your current version combination in the left column. You can upgrade to any of the version combinations listed in the right column. This is a multi-step process: first upgrade FXOS, then upgrade the logical devices.

Note that this table lists only Cisco's specially qualified version combinations. Because you must upgrade FXOS first, you will briefly run a supported—but not recommended—combination, where FXOS is "ahead" of the logical devices. For minimum builds and other detailed compatibility information, see Cisco Firepower 4100/9300 FXOS Compatibility.


Note

For early versions of FXOS, you must upgrade to all intermediate versions between the current version and the target version. Once you reach FXOS 2.2.2, your upgrade options are wider.


Table 4. Upgrade Paths: Firepower 4100/9300 with ASA Logical Devices

Current Version

Target Version

FXOS 2.9.1 with ASA 9.15(x)

→ FXOS 2.10.1 with ASA 9.16(x)

FXOS 2.8.1 with ASA 9.14(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x)

→ FXOS 2.9.1 with ASA 9.15(x)

FXOS 2.7.1 with ASA 9.13(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x)

→ FXOS 2.9.1 with ASA 9.15(x)

→ FXOS 2.8.1 with ASA 9.14(x)

FXOS 2.6.1 with ASA 9.12(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x)

→ FXOS 2.9.1 with ASA 9.15(x)

→ FXOS 2.8.1 with ASA 9.14(x)

→ FXOS 2.7.1 with ASA 9.13(x)

FXOS 2.4.1 with ASA 9.10(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x)

→ FXOS 2.9.1 with ASA 9.15(x)

→ FXOS 2.8.1 with ASA 9.14(x)

→ FXOS 2.7.1 with ASA 9.13(x)

→ FXOS 2.6.1 with ASA 9.12(x)

FXOS 2.3.1 with ASA 9.9(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x)

→ FXOS 2.9.1 with ASA 9.15(x)

→ FXOS 2.8.1 with ASA 9.14(x)

→ FXOS 2.7.1 with ASA 9.13(x)

→ FXOS 2.6.1 with ASA 9.12(x)

→ FXOS 2.4.1 with ASA 9.10(1)

FXOS 2.2.2 with ASA 9.8(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x)

→ FXOS 2.9.1 with ASA 9.15(x)

→ FXOS 2.8.1 with ASA 9.14(x)

→ FXOS 2.7.1 with ASA 9.13(x)

→ FXOS 2.6.1 with ASA 9.12(x)

→ FXOS 2.4.1 with ASA 9.10(x)

→ FXOS 2.3.1 with ASA 9.9(x)

FXOS 2.2.1 with ASA 9.8(1)

→ FXOS 2.2.2 with ASA 9.8(x)

FXOS 2.1.1 with ASA 9.7(x)

→ FXOS 2.2.1 with ASA 9.8(1)

FXOS 2.0.1 with ASA 9.6(2), 9.6(3), or 9.6(4)

→ FXOS 2.1.1 with ASA 9.7(x)

FXOS 1.1.4 with ASA 9.6(1)

→ FXOS 2.0.1 with ASA 9.6(2), 9.6(3), or 9.6(4)

FXOS 1.1.3 with ASA 9.5(2) or 9.5(3)

→ FXOS 1.1.4 with ASA 9.6(1)

FXOS 1.1.2 with ASA 9.4(2)

→ FXOS 1.1.3 with ASA 9.5(2) or 9.5(3)

FXOS 1.1.1 with ASA 9.4(1)

→ FXOS 1.1.2 with ASA 9.4(2)

Note on Downgrades

Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.

Upgrade Path: FTD Logical Devices and FMC

This table provides upgrade paths for the Firepower 4100/9300 with FTD logical devices, managed by a Firepower Management Center.


Note

If you are upgrading a Firepower 9300 chassis with FTD and ASA logical devices running on separate modules, see Upgrade Path: FTD and ASA Logical Devices for Firepower 9300.


Find your current version combination in the left column. You can upgrade to any of the version combinations listed in the right column. This is a multi-step process: first upgrade FXOS, then upgrade the logical devices.

Note that this table lists only Cisco's specially qualified version combinations. Because you must upgrade FXOS first, you will briefly run a supported—but not recommended—combination, where FXOS is "ahead" of the logical devices. For minimum builds and other detailed compatibility information, see Cisco Firepower 4100/9300 FXOS Compatibility.


Note

For early versions of FXOS, you must upgrade to all intermediate versions between the current version and the target version. Once you reach FXOS 2.2.2, your upgrade options are wider.


Table 5. Upgrade Paths: Firepower 4100/9300 with FTD Logical Devices

Current Versions

Target Versions

FXOS 2.9.1 with FTD 6.7.0/6.7.x

→ FXOS 2.10.1 with FTD 7.0.0/7.0.x

FXOS 2.8.1 with FTD 6.6.0/6.6.x

Any of:

→ FXOS 2.10.1 with FTD 7.0.0/7.0.x

→ FXOS 2.9.1 with FTD 6.7.x

FXOS 2.7.1 with FTD 6.5.0

First support for FDM & CDO management.

Any of:

→ FXOS 2.10.1 with FTD 7.0.0/7.0.x

→ FXOS 2.9.1 with FTD 6.7.0/6.7.x

→ FXOS 2.8.1 with FTD 6.6.0/6.6.x

FXOS 2.6.1 with FTD 6.4.0

Any of:

→ FXOS 2.10.1 with FTD 7.0.0/7.0.x

→ FXOS 2.9.1 with FTD 6.7.0/6.7.x

→ FXOS 2.8.1 with FTD 6.6.0/6.6.x

→ FXOS 2.7.1 with FTD 6.5.0

FXOS 2.4.1 with FTD 6.3.0

Any of:

→ FXOS 2.9.1 with FTD 6.7.0/6.7.x

→ FXOS 2.8.1 with FTD 6.6.0/6.6.x

→ FXOS 2.7.1 with FTD 6.5.0

→ FXOS 2.6.1 with FTD 6.4.0

FXOS 2.3.1 with FTD 6.2.3

Any of:

→ FXOS 2.8.1 with FTD 6.6.0/6.6.x

→ FXOS 2.7.1 with FTD 6.5.0

→ FXOS 2.6.1 with FTD 6.4.0

→ FXOS 2.4.1 with FTD 6.3.0

FXOS 2.2.2 with FTD 6.2.2

Any of:

→ FXOS 2.6.1 with FTD 6.4.0

→ FXOS 2.4.1 with FTD 6.3.0

→ FXOS 2.3.1 with FTD 6.2.3

FXOS 2.2.2 with FTD 6.2.0

Any of:

→ FXOS 2.6.1 with FTD 6.4.0

→ FXOS 2.4.1 with FTD 6.3.0

→ FXOS 2.3.1 with FTD 6.2.3

→ FXOS 2.2.2 with FTD 6.2.2

FXOS 2.2.1 with FTD 6.2.0

→ FXOS 2.2.2 with FTD 6.2.0 (upgrade only FXOS)

Another option is to upgrade to FXOS 2.2.2 with FTD 6.2.2, which is a recommended combination. However, if you plan to further upgrade your deployment, don't bother. Now that you are running FXOS 2.2.2, you can upgrade all the way to FXOS 2.6.1 with FTD 6.4.0.

FXOS 2.1.1 with FTD 6.2.0

→ FXOS 2.2.1 with FTD 6.2.0 (upgrade only FXOS)

FXOS 2.0.1 with FTD 6.1.0

→ FXOS 2.1.1 with FTD 6.2.0

FXOS 1.1.4 with FTD 6.0.1

→ FXOS 2.0.1 with FTD 6.1.0

Upgrading FXOS with FTD Logical Devices in Clusters or HA Pairs

In Firepower Management Center deployments, you upgrade clustered and high availability FTD logical devices as a unit. However, you upgrade FXOS on each chassis independently.

Table 6. FXOS + FTD Upgrade Order

Deployment

Upgrade Order

Standalone device

Cluster, units on the same chassis (Firepower 9300 only)

  1. Upgrade FXOS.

  2. Upgrade FTD.

High availability

To minimize disruption, always upgrade the standby.

  1. Upgrade FXOS on the standby.

  2. Switch roles.

  3. Upgrade FXOS on the new standby.

  4. Upgrade FTD.

Cluster, units on different chassis (6.2+)

To minimize disruption, always upgrade an all-data unit chassis. For example, for a two-chassis cluster:

  1. Upgrade FXOS on the all-data unit chassis.

  2. Switch the control module to the chassis you just upgraded.

  3. Upgrade FXOS on the new all-data unit chassis.

  4. Upgrade FTD.

With older versions, hitless upgrades have some additional requirements.

Table 7. Hitless Upgrades in Older Versions

Scenario

Details

Upgrading high availability or clustered devices and you are currently running any of:
  • FXOS 1.1.4.x through 2.2.1.x

  • FXOS 2.2.2.17 through FXOS 2.2.2.68

  • FXOS 2.3.1.73 through FXOS 2.3.1.111

With:

  • FTD 6.0.1 through 6.2.2.x

Due to bug fixes in the flow offload feature, some combinations of FXOS and FTD do not support flow offload; see the Cisco Firepower Compatibility Guide. Performing a hitless upgrade requires that you always run a compatible combination.

If your upgrade path includes upgrading FXOS to 2.2.2.91, 2.3.1.130, or later (including FXOS 2.4.1.x, 2.6.1.x, and so on) use this path:

1. Upgrade FTD to 6.2.2.2 or later.

2. Upgrade FXOS to 2.2.2.91, 2.3.1.130, or later.

3. Upgrade FTD to your final version.

For example, if you are running FXOS 2.2.2.17 with FTD 6.2.2.0, and you want to upgrade to FXOS 2.6.1 with FTD 6.4.0, then you can:

1. Upgrade FTD to 6.2.2.5.

2. Upgrade FXOS to 2.6.1.

3. Upgrade FTD to 6.4.0.

Upgrading high availability devices to FTD Version 6.1.0

Requires a preinstallation package. For more information, see Firepower System Release Notes Version 6.1.0 Preinstallation Package.

Note on Downgrades

Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.

Upgrade Path: FTD Logical Devices and FDM

This table provides upgrade paths for the Firepower 4100/9300 with FTD logical devices, managed by Firepower Device Manager.


Note

If you are upgrading a Firepower 9300 chassis with FTD and ASA logical devices running on separate modules, see Upgrade Path: FTD and ASA Logical Devices for Firepower 9300.


Find your current version combination in the left column. You can upgrade to any of the version combinations listed in the right column. This is a multi-step process: first upgrade FXOS, then upgrade the logical devices.

Note that this table lists only Cisco's specially qualified version combinations. Because you must upgrade FXOS first, you will briefly run a supported—but not recommended—combination, where FXOS is "ahead" of the logical devices. For minimum builds and other detailed compatibility information, see Cisco Firepower 4100/9300 FXOS Compatibility.

Table 8. Upgrade Paths: Firepower 4100/9300 with FTD Logical Devices

Current Versions

Target Versions

FXOS 2.9.1 with FTD 6.7.0/6.7.x

→ FXOS 2.10.1 with FTD 7.0.0/7.0.x

FXOS 2.8.1 with FTD 6.6.0/6.6.x

Any of:

→ FXOS 2.10.1 with FTD 7.0.0/7.0.x

→ FXOS 2.9.1 with FTD 6.7.x

FXOS 2.7.1 with FTD 6.5.0

First support for FDM & CDO management.

Any of:

→ FXOS 2.10.1 with FTD 7.0.0/7.0.x

→ FXOS 2.9.1 with FTD 6.7.0/6.7.x

→ FXOS 2.8.1 with FTD 6.6.0/6.6.x

Upgrading FXOS with FTD Logical Devices in HA Pairs

In Firepower Device Manager deployments, you upgrade the members of a high availability pair separately. In the scenarios in this table, Device A is the original active device and Device B is the original standby.

Table 9. FXOS + FTD Upgrade Order

Deployment

Upgrade Order

Standalone device

  1. Upgrade FXOS.

  2. Upgrade FTD logical device.

High availability

Upgrade FXOS on both chassis before you upgrade FTD. To minimize disruption, always upgrade the standby:

  1. Upgrade FXOS on the chassis with the standby FTD logical device (B).

  2. Switch roles.

  3. Upgrade FXOS on the chassis with the new standby logical device (A).

  4. Upgrade the new standby FTD logical device (A).

  5. Switch roles again.

  6. Upgrade the original standby FTD logical device (B).

Note on Downgrades

Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.

Upgrade Path: FTD and ASA Logical Devices for Firepower 9300

This table provides upgrade paths for a Firepower 9300 chassis with FTD and ASA logical devices running on separate modules.

Find your current version combination in the left column. You can upgrade to any of the version combinations listed in the right column. This is a multi-step process: first upgrade FXOS, then upgrade the logical devices.

Note that this table lists only Cisco's specially qualified version combinations. Because you must upgrade FXOS first, you will briefly run a supported—but not recommended—combination, where FXOS is "ahead" of the logical devices. For minimum builds and other detailed compatibility information, see Cisco Firepower 4100/9300 FXOS Compatibility.


Note

In this type of deployment, you must make sure that upgrading FXOS does not bring you out of compatibility with either type of logical device. If you need to skip multiple versions, FTD will usually be the limiter—FXOS and ASA can usually upgrade further in one hop than FTD can.


Table 10. Upgrade Paths: Firepower 9300 with FTD and ASA Logical Devices

Current Versions

Target Versions

FXOS 2.9.1 with:

  • FTD 6.7.0/6.7.x

  • ASA 9.15(x)

→ FXOS 2.10.1 with ASA 9.16(x) and FTD 7.0.0/7.0.x

FXOS 2.8.1 with:

  • FTD 6.6.0/6.6.x

  • ASA 9.14(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x) and FTD 7.0.0/7.0.x

→ FXOS 2.9.1 with ASA 9.15(x) and FTD 6.7.0/6.7.x

FXOS 2.7.1 with:

  • FTD 6.5.0

  • ASA 9.13(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x) and FTD 7.0.x

→ FXOS 2.9.1 with ASA 9.15(x) and FTD 6.7.0/6.7.x

→ FXOS 2.8.1 with ASA 9.14(x) and FTD 6.6.0/6.6.x

FXOS 2.6.1 with:

  • FTD 6.4.0

  • ASA 9.12(x)

Any of:

→ FXOS 2.10.1 with ASA 9.16(x) and FTD 7.0.x

→ FXOS 2.9.1 with ASA 9.15(x) and FTD 6.7.0/6.7.x

→ FXOS 2.8.1 with ASA 9.14(x) and FTD 6.6.0/6.6.x

→ FXOS 2.7.1 with ASA 9.13(x) and FTD 6.5.0

Upgrade Path: Firepower Management Centers

This table provides upgrade paths for the FMC, including FMCv.

Find your current version in the left column. You can upgrade directly to any of the versions listed in the right column.


Note

If your current version was released on a date after your target version, you may not be able to upgrade as listed in the table. In those cases, the upgrade quickly fails and displays an error explaining that there are data store incompatibilities between the two versions. The Cisco Firepower Release Notes for both your current and target version list any specific restrictions. The Cisco Firepower Management Center New Features by Release lists all relevant release dates.


Table 11. FMC Direct Upgrades

Current Version

Target Version

7.0.0

7.0.x

Last support for FMC 1000, 2500, and 4500

→ Any later 7.0.x maintenance release

6.7.0

6.7.x

Any of:

→ 7.0.0 or any 7.0.x maintenance release

→ Any later 6.7.x maintenance release

6.6.0

6.6.x

Last support for FMC 2000 and 4000.

Any of:

→ 7.0.0 or any 7.0.x maintenance release

→ 6.7.0 or any 6.7.x maintenance release

→ Any later 6.6.x maintenance release

6.5.0

Any of:

→ 7.0.0 or any 7.0.x maintenance release

→ 6.7.0 or any 6.7.x maintenance release

→ 6.6.0 or any 6.6.x maintenance release

6.4.0

Last support for FMC 750, 1500, and 3500.

Any of:

→ 7.0.0 or any 7.0.x maintenance release

→ 6.7.0 or any 6.7.x maintenance release

→ 6.6.0 or any 6.6.x maintenance release

→ 6.5.0

6.3.0

Any of:

→ 6.7.0 or any 6.7.x maintenance release

→ 6.6.0 or any 6.6.x maintenance release

→ 6.5.0

→ 6.4.0

6.2.3

Any of:

→ 6.6.0 or any 6.6.x maintenance release

→ 6.5.0

→ 6.4.0

→ 6.3.0

6.2.2

Any of:

→ 6.4.0

→ 6.3.0

→ 6.2.3

6.2.1

Any of:

→ 6.4.0

→ 6.3.0

→ 6.2.3

→ 6.2.2

6.2.0

Any of:

→ 6.4.0

→ 6.3.0

→ 6.2.3

→ 6.2.2

6.1.0

Any of:

→ 6.4.0

→ 6.3.0

→ 6.2.3

→ 6.2.0

6.0.1

Any of:

→ 6.1.0

6.0.0

Any of:

→ 6.0.1

Requires a preinstallation package: Firepower System Release Notes Version 6.0.1 Preinstallation.

5.4.1.1

Any of:

→ 6.0.0

Requires a preinstallation package: FireSIGHT System Release Notes Version 6.0.0 Preinstallation.

Download Upgrade Packages

Download upgrade packages from the Cisco Support & Download site before you start your upgrade. Depending on the specific upgrade, you should put the packages on either your local computer or a server that the appliance can access. The individual checklists and procedures in this guide explain your choices.


Note

Downloads require a Cisco.com login and service contract.


Firepower Software Packages

Upgrade packages are available on the Cisco Support & Download site.

To find an upgrade package, select or search for your appliance model, then browse to the software download page for your current version. Available upgrade packages are listed along with installation packages, hotfixes, and other applicable downloads.


Tip

A Firepower Management Center with internet access can download select releases directly from Cisco, some time after the release is available for manual download. The length of the delay depends on release type, release adoption, and other factors.


You use the same upgrade package for all models in a family or series. Upgrade package file names reflect the platform, package type (upgrade, patch, hotfix), and software version. Maintenance releases use the upgrade package type.

For example:

  • Package: Cisco_Firepower_Mgmt_Center_Upgrade--999.sh.REL.tar

  • Platform: Firepower Management Center

  • Package type: Upgrade

  • Version and build: -999

  • File extension: sh.REL.tar

So that the system can verify that you are using the correct files, upgrade packages from Version 6.2.1+ are signed tar archives (.tar). Do not untar signed (.tar) packages. And, do not transfer upgrade packages by email.
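The following pre-upload check is an added example, not Cisco's own tooling: it parses an upgrade package file name and flags a package for the wrong platform, a version outside the range Table 12 gives for its prefix, or a Version 6.2.1+ package that no longer has the signed .sh.REL.tar extension. The name layout prefix_Type-version-build.extension is an assumption drawn from the file names shown in this guide, the function name check_package is hypothetical, and the sample file names are constructed.

```python
import re

# Prefixes and version ranges from Table 12:
# prefix -> (platform, minimum version or None, maximum version or None)
PREFIXES = {
    "Cisco_Firepower_Mgmt_Center": ("FMC/FMCv", (6, 3, 0), None),
    "Sourcefire_3D_Defense_Center_S3": ("FMC/FMCv", (5, 4, 0), (6, 2, 3)),
    "Cisco_FTD_SSP": ("Firepower 4100/9300", None, None),
}

# Assumed layout: <prefix>_<Upgrade|Patch|Hotfix...>-<version>-<build>.<ext>
NAME_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9_]+?)_(?P<type>Upgrade|Patch|Hotfix\w*)"
    r"-(?P<version>\d+(?:\.\d+){2,3})-(?P<build>\d+)"
    r"\.(?P<ext>sh\.REL\.tar|sh)$"
)

# Packages from this version on are signed tar archives.
SIGNED_FROM = (6, 2, 1)


def check_package(filename, expected_platform):
    """Return a list of 'code: message' problems; an empty list means OK."""
    match = NAME_RE.match(filename)
    if not match:
        return ["unparsed: name does not match the expected package layout"]

    problems = []
    version = tuple(int(part) for part in match["version"].split("."))
    base = version[:3]  # ignore the patch digit when comparing ranges

    entry = PREFIXES.get(match["prefix"])
    if entry is None:
        problems.append(f"unknown-platform: prefix {match['prefix']!r} is not in Table 12")
    else:
        platform, lowest, highest = entry
        if platform != expected_platform:
            problems.append(
                f"wrong-platform: package is for {platform}, not {expected_platform}"
            )
        if (lowest and base < lowest) or (highest and base > highest):
            problems.append(
                f"version-range: {match['version']} is outside the range for this prefix"
            )

    # A 6.2.1+ package ending in plain .sh has been untarred, so the system
    # can no longer verify it as a signed archive.
    if base >= SIGNED_FROM and match["ext"] != "sh.REL.tar":
        problems.append("unsigned-extension: expected a signed .sh.REL.tar archive")
    return problems


if __name__ == "__main__":
    # Constructed sample names; the build numbers are placeholders.
    samples = [
        ("Cisco_FTD_SSP_Upgrade-6.6.0-90.sh.REL.tar", "Firepower 4100/9300"),
        ("Cisco_FTD_SSP_Upgrade-6.6.0-90.sh", "Firepower 4100/9300"),
        ("Cisco_Firepower_Mgmt_Center_Upgrade-6.6.0-90.sh.REL.tar", "Firepower 4100/9300"),
    ]
    for name, platform in samples:
        print(name, "->", check_package(name, platform) or "OK")
```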


Note

After you upload a signed upgrade package, the Firepower Management Center GUI can take several minutes to load as the system verifies the package. To speed up the display, remove these packages after you no longer need them.


Firepower Software Upgrade Packages

Table 12.

Platform               Versions          Package

FMC/FMCv               6.3.0+            Cisco_Firepower_Mgmt_Center
FMC/FMCv               5.4.0 to 6.2.3    Sourcefire_3D_Defense_Center_S3
Firepower 4100/9300    Any               Cisco_FTD_SSP

ASA Packages

ASA software for the Firepower 4100/9300 is available on the Cisco Support & Download site.

To find ASA software, select or search for your Firepower appliance model, browse to the appropriate download page, and select a version.


Note

When you upgrade the ASA bundle in FXOS, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle.


Table 13. ASA Software for the Firepower 4100/9300

Download Page                                       Software Type           Package

Adaptive Security Appliance (ASA) Software          ASA and ASDM upgrade    cisco-asa.version.SPA.csp
Adaptive Security Appliance (ASA) Device Manager    ASDM upgrade only       asdm-version.bin
Adaptive Security Appliance REST API Plugin         ASA REST API            asa-restapi-version-lfbff-k8.SPA

FXOS Packages

FXOS packages for the Firepower 4100/9300 are available on the Cisco Support & Download site.

To find FXOS packages, select or search for your Firepower appliance model, then browse to the Firepower Extensible Operating System download page for the target version.


Note

If you plan to use the CLI to upgrade FXOS, copy the upgrade package to a server that the Firepower 4100/9300 can access using SCP, SFTP, TFTP, or FTP.


Table 14. FXOS Packages for the Firepower 4100/9300

Package Type                       Package

FXOS image                         fxos-k9.version.SPA
Recovery (kickstart)               fxos-k9-kickstart.version.SPA
Recovery (manager)                 fxos-k9-manager.version.SPA
Recovery (system)                  fxos-k9-system.version.SPA
MIBs                               fxos-mibs-fp9k-fp4k.version.zip
Firmware: Firepower 4100 series    fxos-k9-fpr4k-firmware.version.SPA
Firmware: Firepower 9300           fxos-k9-fpr9k-firmware.version.SPA

Upload Firepower Software Upgrade Packages with FMC

To upgrade Firepower software, the software upgrade package must be on the appliance.

Upload to the Firepower Management Center

Use this procedure to manually upload Firepower software upgrade packages to the Firepower Management Center, for itself and the devices it manages.

Before you begin

If you are upgrading the standby Firepower Management Center in a high availability pair, pause synchronization.

In FMC high availability deployments, you must upload the FMC upgrade package to both peers, pausing synchronization before you transfer the package to the standby. To limit interruptions to HA synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization.

Procedure


Step 1

On the Firepower Management Center web interface, choose System > Updates.

Step 2

Click Upload Update.

Tip 

Select upgrade packages become available for direct download by the Firepower Management Center some time after the release is available for manual download. The length of the delay depends on release type, release adoption, and other factors. If your Firepower Management Center has internet access, you can instead click Download Updates to download all eligible packages for your deployment, as well as the latest VDB if needed.

Step 3

(Version 6.6.0+) For the Action, click the Upload local software update package radio button.

Step 4

Click Choose File.

Step 5

Browse to the package and click Upload.


Upload to an Internal Server (Version 6.6.0+ FTD with FMC)

Starting with Version 6.6.0, Firepower Threat Defense devices can get upgrade packages from an internal web server, rather than from the FMC. This is especially useful if you have limited bandwidth between the FMC and its devices. It also saves space on the FMC.


Note

This feature is supported only for FTD devices running Version 6.6.0+. It is not supported for upgrades to Version 6.6.0, nor is it supported for the FMC.


To configure this feature, you save a pointer (URL) to an upgrade package's location on the web server. The upgrade process will then get the upgrade package from the web server instead of the FMC. Or, you can use the FMC to copy the package before you upgrade.

Repeat this procedure for each FTD upgrade package. You can configure only one location per upgrade package.

Before you begin

  • Download the appropriate upgrade packages from the Cisco Support & Download site and copy them to an internal web server that your FTD devices can access.

  • For secure web servers (HTTPS), obtain the server's digital certificate (PEM format). You should be able to obtain the certificate from the server's administrator. You may also be able to use your browser, or a tool like OpenSSL, to view the server's certificate details and export or copy the certificate.

Procedure


Step 1

On the FMC web interface, choose System > Updates.

Step 2

Click Upload Update.

Choose this option even though you will not upload anything. The next page will prompt you for a URL.

Step 3

For the Action, click the Specify software update source radio button.

Step 4

Enter a Source URL for the upgrade package.

Provide the protocol (HTTP/HTTPS) and full path, for example:

https://internal_web_server/upgrade_package.sh.REL.tar

Upgrade package file names reflect the platform, package type (upgrade, patch, hotfix), and the Firepower version you are upgrading to. Make sure you enter the correct file name.

Step 5

For HTTPS servers, provide a CA Certificate.

This is the server's digital certificate you obtained earlier. Copy and paste the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines.

Step 6

Click Save.

You are returned to the Product Updates page. Uploaded upgrade packages and upgrade package URLs are listed together, but are labeled distinctly.

Copy to Managed Devices

To upgrade Firepower software, the upgrade package must be on the device. When supported, we recommend you use this procedure to copy (push) packages to managed devices before you initiate the device upgrade.


Note

For the Firepower 4100/9300, we recommend (and sometimes require) you copy the Firepower Threat Defense upgrade package before you begin the required companion FXOS upgrade.


Support varies by Firepower version:

  • Version 6.2.2 and earlier do not support pre-upgrade copy.

    When you start a device upgrade, the system copies the upgrade package from the Firepower Management Center to the device as the first task.

  • Version 6.2.3 adds the ability to manually copy upgrade packages to the device from the Firepower Management Center.

    This reduces the length of your upgrade maintenance window.

  • Version 6.6.0 adds the ability to manually copy upgrade packages from an internal web server to Firepower Threat Defense devices.

    This is useful if you have limited bandwidth between the Firepower Management Center and its Firepower Threat Defense devices. It also saves space on the Firepower Management Center.

  • Version 7.0.0 introduces a new Firepower Threat Defense upgrade workflow that prompts you to copy the upgrade package to Firepower Threat Defense devices.

    If your Firepower Management Center is running Version 7.0.0+, we recommend you use the Device Upgrade page to copy the upgrade package to FTD devices; see Upgrade Firepower Threat Defense with FMC (Version 7.0.0). You must still use this procedure to copy upgrade packages in older deployments.

Note that when you copy manually, each device gets the upgrade package from the source—the system does not copy upgrade packages between cluster or HA member units.

Before you begin

Make sure your management network has the bandwidth to perform large data transfers. See Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).

Procedure


Step 1

On the Firepower Management Center web interface, choose System > Updates.

Step 2

Put the upgrade package where the device can get it.

  • Firepower Management Center: Manually upload or directly retrieve the package to the FMC.

  • Internal web server (Firepower Threat Defense Version 6.6.0+): Upload to an internal web server and configure Firepower Threat Defense devices to get the package from that server.

Step 3

Click the Push (Version 6.5.0 and earlier) or Push or Stage update (Version 6.6.0+) icon next to the upgrade package you want to push, then choose destination devices.

If the devices where you want to push the upgrade package are not listed, you chose the wrong upgrade package.

Step 4

Push the package.

  • Firepower Management Center: Click Push.

  • Internal web server: Click Download Update to Device from Source.


Upload Firepower Threat Defense Upgrade Packages with FDM

To upgrade Firepower Threat Defense software, the software upgrade package must be on the device.

Upload to the FTD Device (Version 6.2.0+ with FDM)

Procedure


Step 1

Select Device, then click View Configuration in the Updates summary.

The System Upgrade section shows the currently running software version and any update that you have already uploaded.

Step 2

Upload the upgrade file.

  • If you have not yet uploaded an upgrade file, click Browse and select the file. When the upload is complete, you can optionally select the Run Upgrade Immediately on Upload option to start the installation.

  • If there is already an uploaded file, but you want to upload a different one, click the Upload Another File link. You can upload one file only. If you upload a new file, it replaces the old file.

  • To remove the file, click the delete icon.


Upload to the FTD Device (Version 6.0.1 & 6.1.0 with FDM)

Procedure


Step 1

Obtain the upgrade image and prepare it for installation.

  1. Log into Cisco.com and download the upgrade image.

    • Ensure that you obtain the appropriate upgrade file, whose file type is .sh. Do not download the system software package or the boot image.

    • Verify that you are running the required baseline image for the upgrade.

  2. Put the image on an HTTP server that you can reach from the management IP address.

    Alternatively, you can use TFTP or SCP to download the file. If you choose one of those options, place the file on a server that supports those file transfer protocols.

Step 2

Use an SSH client to log into the management IP address using the admin user account and password.

Alternatively, you can connect to the Console port.

Step 3

Enter the expert command to access expert mode.


> expert
admin@firepower:~$ 

Step 4

Change the working directory (cd) to /var/sf/updates/.


admin@firepower:~$ cd /var/sf/updates/ 
admin@firepower:/var/sf/updates$

Step 5

Download the upgrade file from your HTTP server.

sudo wget url

For example, the following command downloads the fictitious Cisco_FTD_Upgrade-6.2.0-181.sh upgrade file from the ftd folder on the files.example.com HTTP server. Because the sudo command runs as the root user, you see a stock warning, and you must re-enter the admin password before the command executes. Wait for the download to complete.


admin@firepower:/var/sf/updates$ sudo wget http://files.example.com/ftd/Cisco_FTD_Upgrade-6.2.0-181.sh

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: (enter admin password)
Connecting to files.example.com 
|*************************************************
**************************************************
**************************************************
**************************************************
**********************************| 

...(remaining output omitted)

Use the tftp or scp commands instead if you are not using an HTTP server.
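
The package in this procedure is fetched over plain HTTP and later run with root privileges, so a digest check before installation is a useful extra step. The following shell function is an added example, not part of the Cisco procedure; the name verify_upgrade_pkg is hypothetical, and it assumes that sha512sum is available in expert mode and that you obtained the expected SHA-512 value for the file from the download site over a trusted channel.

```shell
# Added example (not from the Cisco guide): verify a downloaded upgrade
# package against its published SHA-512 digest before installing it.
# Assumptions: sha512sum exists in this shell; the expected digest was
# obtained separately from the (untrusted) HTTP transfer.

# verify_upgrade_pkg FILE EXPECTED_SHA512
# Returns 0 on match, 1 on digest mismatch, 2 if FILE is not a .sh file,
# 3 if FILE is missing or empty, 4 if the expected digest is malformed.
verify_upgrade_pkg() {
    vp_file=$1
    vp_want=$2

    # The guide states the upgrade file type is .sh; reject anything else.
    case "$vp_file" in
        *.sh) ;;
        *) echo "reject: $vp_file is not a .sh upgrade file" >&2; return 2 ;;
    esac

    # A failed or interrupted transfer can leave a missing or empty file.
    if [ ! -f "$vp_file" ] || [ ! -s "$vp_file" ]; then
        echo "reject: $vp_file is missing or empty" >&2; return 3
    fi

    # Normalise the expected digest: lower case, no whitespace, 128 hex chars.
    vp_want=$(printf '%s' "$vp_want" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    case "$vp_want" in
        *[!0-9a-f]*) echo "reject: expected digest is not hex" >&2; return 4 ;;
    esac
    if [ "${#vp_want}" -ne 128 ]; then
        echo "reject: expected digest is not 128 hex characters" >&2; return 4
    fi

    # Hash from stdin so the file name never affects the output format.
    vp_got=$(sha512sum < "$vp_file" | cut -d' ' -f1)
    if [ "$vp_got" != "$vp_want" ]; then
        echo "MISMATCH: do not install $vp_file" >&2; return 1
    fi
    echo "OK: $vp_file matches the expected SHA-512"
    return 0
}
```

Run it from /var/sf/updates/ with the downloaded file name and the expected digest as arguments, and proceed with the installation only when it returns 0.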


Firepower Software Readiness Checks with FMC

Readiness checks assess a Firepower appliance's preparedness for a software upgrade. If the appliance fails the readiness check, correct the issues and run the readiness check again. If the readiness check exposes issues that you cannot resolve, we recommend you do not begin the upgrade.

The time required to run a readiness check varies depending on appliance model and database size. Later releases also have faster readiness checks.

Run Readiness Checks with FMC (Version 7.0.0+ FTD)

If your FMC is running Version 7.0.0+, we recommend you use the Device Upgrade page to run readiness checks on FTD devices; see Upgrade Firepower Threat Defense with FMC (Version 7.0.0).

See the next topics if you are:

  • Running readiness checks on the FMC itself.

  • Running readiness checks on managed devices, and your FMC is running Version 6.7.x.

  • Running readiness checks on managed devices, and your FMC is running Version 6.6.x or earlier.

Run Readiness Checks with FMC (Version 6.7.0+)

This procedure is valid for FMCs currently running Version 6.7.0+, and their managed devices, including devices running older versions (6.3.0–6.6.x), and FTD devices in high availability and scalability deployments.


Important

If your FMC is running Version 7.0.0+, we recommend you use the Device Upgrade page to run readiness checks on FTD devices; see Upgrade Firepower Threat Defense with FMC (Version 7.0.0). You must still use this procedure to run readiness checks on the FMC and on any Classic devices.


Before you begin

  • Upgrade the FMC to at least Version 6.7.0. If your FMC is currently running an older version, see Run Readiness Checks with FMC (Version 6.0.1–6.6.x).

  • Upload the upgrade package to the FMC, for the appliance you want to check. If you want to check Version 6.6.0+ FTD devices, you can also specify the upgrade package location on an internal web server. This is required because readiness checks are included in upgrade packages.

  • (Optional) If you are upgrading an FTD device to Version 6.3.0.1–6.6.x, copy the upgrade package to the device. This can reduce the time required to run the readiness check. If you are upgrading an FTD device to Version 6.7.0+, you can skip this step. Although we still recommend you push the upgrade package to the device before you begin the upgrade itself, you no longer have to do so before you run the readiness check.

Procedure


Step 1

On the FMC web interface, choose System > Updates.

Step 2

Under Available Updates, click the Install icon next to the appropriate upgrade package.

The system displays a list of eligible appliances, along with their pre-upgrade compatibility check results. Starting with Version 6.7.0, FTD devices must pass certain basic checks before you can run the more complex readiness check. This pre-check catches issues that will cause your upgrade to fail—but we now catch them earlier and block you from proceeding.

Step 3

Select the appliances you want to check and click Check Readiness.

If you cannot select an otherwise eligible appliance, make sure it passed its compatibility checks. You may need to upgrade an operating system, or deploy configuration changes.

Step 4

Monitor the progress of the readiness check in the Message Center.

If the check fails, the Message Center provides failure logs.


What to do next

On the System > Updates page, click Readiness Checks to view readiness check status for your FTD deployment, including checks in progress and failed checks. You can also use this page to easily re-run checks after a failure.

Run Readiness Checks with FMC (Version 6.0.1–6.6.x)

This procedure is valid for FMCs currently running Version 6.0.1–6.6.x, and their standalone managed devices.


Note

For clustered devices and devices in high availability pairs, you can run the readiness check from the Linux shell, also called expert mode. To run the check, you must first push or copy the upgrade package to the correct location on each device, then use this command: sudo install_update.pl --detach --readiness-check /var/sf/updates/upgrade_package_name. For detailed instructions, contact Cisco TAC.


Before you begin

  • (Version 6.0.1) If you want to run readiness checks on a Version 6.0.1 → 6.1.0 upgrade, first install the Version 6.1 preinstallation package. You must do this for the FMC and managed devices. See the Firepower System Release Notes Version 6.1.0 Pre-Installation Package.

  • Upload the upgrade package to the FMC, for the appliance you want to check. If you want to check Version 6.6.x FTD devices, you can also specify the upgrade package location on an internal web server. This is required because readiness checks are included in upgrade packages.

  • (Optional, Version 6.2.3+) Push the upgrade package to the managed device. This can reduce the time required to run the check.

  • Deploy configurations to managed devices whose configurations are out of date. Otherwise, the readiness check may fail.

Procedure


Step 1

On the FMC web interface, choose System > Updates.

Step 2

Click the Install icon next to the appropriate upgrade package.

Step 3

Select the appliances you want to check and click Launch Readiness Check.

Step 4

Monitor the progress of the readiness check in the Message Center.


Firepower Software Readiness Checks with FDM

Readiness checks assess preparedness for a Firepower Threat Defense software upgrade. If the device fails the readiness check, correct the issues and run the readiness check again. If the readiness check exposes issues that you cannot resolve, we recommend you do not begin the upgrade.

Do not manually reboot or shut down an appliance running readiness checks.

Readiness checks are supported in Firepower Device Manager Version 7.0.0+.

Run Readiness Checks (Version 7.0.0+ with FDM)

Before the system installs an upgrade, it runs a readiness check to ensure the upgrade is valid for the system, and to check other items that sometimes prevent a successful upgrade. If the readiness check fails, you should fix the problems before trying the installation again. If the check has failed, you will be prompted about the failure the next time you try the installation, and you are given the option to force the installation if you want to.

You can also manually run the readiness check prior to initiating the upgrade, as described in this procedure.

Before you begin

Upload the upgrade package you want to check.

Procedure


Step 1

Select Device, then click View Configuration in the Updates summary.

The System Upgrade section shows the currently running software version and any update that you have already uploaded.

Step 2

Look at the Readiness Check section.

  • If the upgrade check has not been performed yet, click the Run Upgrade Readiness Check link. The progress of the check is shown in this area. It should take about 20 seconds to complete the process.

  • If the upgrade check has already been run, this section indicates whether the check succeeded or failed. For failed checks, click See Details to view more information about the readiness check. After fixing problems, run the check again.

Step 3

If the readiness check fails, you should resolve the issues before you install the upgrade. The detailed information includes help on how to fix indicated problems. For a failed script, click the Show Recovery Message link to see the information.

Following are some typical problems:

  • FXOS version incompatibility—On systems where you install FXOS upgrades separately, such as the Firepower 4100/9300, an upgrade package might require a different minimum FXOS version than the FTD software version you are currently running. In this case, you must first upgrade FXOS before you can upgrade the FTD software.

  • Unsupported device model—The upgrade package cannot be installed on this device. You might have uploaded the wrong package, or the device is an older model that is simply no longer supported in the new FTD software version. Please check device compatibility and upload a supported package, if one is available.

  • Insufficient disk space—If not enough space is available, try deleting unneeded files, such as system backups. Delete only those files you have created.