Obtain Firepower Software Upgrade Packages

To upgrade Firepower software, the software upgrade package must be on the appliance.

About Firepower Software Upgrade Packages

To upgrade Firepower software (or perform a readiness check), the software upgrade package must be on the appliance.

In Version 6.5.0 and earlier, FMC-managed devices must get their upgrade packages from the FMC. This means you must upload both FMC and device upgrade packages onto the FMC. Version 6.6.0 adds the ability to use your own internal web server instead of the FMC as the source for FTD upgrade packages. This means that FTD upgrade packages no longer have to 'go through' the FMC.

This table explains how to get upgrade packages onto the FMC.

Table 1. Getting Firepower Software Upgrade Packages onto the FMC

| Method | Details |
|---|---|
| Manual | Download from the Cisco Support & Download site, then upload to the FMC. See Downloading Firepower Software Upgrade Packages and Upload Firepower Software Upgrade Packages to the FMC. |
| Direct from Cisco | An FMC with internet access can download Version 6.2.3–6.5.0 Firepower patches and all maintenance releases (third-digit upgrades) directly from Cisco, about two weeks after they become available for manual download. Direct download from Cisco is not supported for major releases or for most patches to Version 6.6 or later. See Download Upgrade Packages Directly from Cisco. |

This table explains how to get upgrade packages onto FMC-managed devices.

Table 2. Getting Firepower Software Upgrade Packages onto FMC-Managed Devices

| Method | Source | Details | Advantages | Supported Versions/Platforms |
|---|---|---|---|---|
| Copy (push) packages before upgrade. Recommended. | FMC | Upload device upgrade packages to the FMC, but choose when to copy them to devices. See Push Upgrade Packages to FMC-Managed Devices. | Reduces the length of your upgrade maintenance window. | Version 6.2.3 FMC |
| Copy (push) packages before upgrade. Recommended. | Internal web server | Configure an internal web server instead of the FMC as the source for FTD upgrade packages, and choose when to copy the packages to devices. See Get FTD Upgrade Packages from an Internal Server and Push Upgrade Packages to FMC-Managed Devices. | Reduces the length of your upgrade maintenance window. Useful if you have limited bandwidth between the FMC and its devices. Saves space on the FMC. | Version 6.6.0+ FTD devices |
| Copy packages as part of upgrade. When you start a device upgrade, the system copies the upgrade package to the device as the first task. | FMC | Upload device upgrade packages to the FMC before you upgrade the devices. See the previous table. | | Any. If your FMC is Version 6.2.2 or earlier, this is your only choice. |
| Copy packages as part of upgrade. When you start a device upgrade, the system copies the upgrade package to the device as the first task. | Internal web server | Upload device upgrade packages to an internal web server. Then, configure your FTD devices to get upgrade packages from the server instead of the FMC. See Get FTD Upgrade Packages from an Internal Server. | Useful if you have limited bandwidth between the FMC and its devices. Saves space on the FMC. | Version 6.6.0+ FTD devices |

Guidelines and Limitations for Managing Upgrade Packages

The following guidelines and limitations apply to obtaining and managing upgrade packages.

High Availability FMCs

In an FMC high availability deployment, you must transfer upgrade packages to both the active/primary FMC and the standby/secondary FMC. Additionally, you must pause synchronization before you transfer the package to the standby FMC.

To limit interruptions to HA synchronization during the upgrade process, we recommend that you:

  • Active FMC: Transfer the package during the preparation stage of the upgrade.

  • Standby FMC: Transfer the package as part of the actual upgrade process, after you pause synchronization.

For more information, see Upgrade High Availability FMCs.

Push Firepower Upgrade Package Before FXOS Upgrade

For Firepower 4100/9300 with FTD, best practice is to push the Firepower upgrade package before you begin the required companion FXOS upgrade.


Note

For upgrades from Version 6.1.0 directly to Version 6.3.0 or 6.4.0, a push from the FMC is required. You must push before you upgrade FXOS.


Check Bandwidth

Firepower upgrade package sizes vary. Make sure your management network has the bandwidth to perform large data transfers. For more information, see Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).

Downloading Firepower Software Upgrade Packages

Firepower software upgrade packages are available on the Cisco Support & Download site:

To find an upgrade package, select or search for your Firepower appliance model, then browse to the Firepower software download page for your current version. Available upgrade packages are listed along with installation packages, hotfixes, and other applicable downloads.

You use the same upgrade package for all Firepower models in a family or series. Upgrade package file names reflect the platform, package type (upgrade, patch, hotfix), and Firepower version. Note that maintenance releases use the upgrade package type.

For example:

  • Package: Cisco_Firepower_Mgmt_Center_Upgrade-6.6.0-90.sh.REL.tar

  • Platform: Firepower Management Center

  • Package type: Upgrade

  • Version and build: 6.6.0-90

  • File extension: sh.REL.tar

Upgrade packages from Version 6.2.1+ are signed tar archives (.tar). Do not untar. Do not transfer upgrade packages by email.

Table 3. Firepower Software Upgrade Package Naming Schemes

| Platform | Versions | Package |
|---|---|---|
| FMC/FMCv | 6.3.0+ | Cisco_Firepower_Mgmt_Center |
| FMC/FMCv | 5.4.0 to 6.2.3 | Sourcefire_3D_Defense_Center_S3 |
| Firepower 1000 series | Any | Cisco_FTD_SSP-FP1K |
| Firepower 2100 series | Any | Cisco_FTD_SSP-FP2K |
| Firepower 4100/9300 chassis | Any | Cisco_FTD_SSP |
| ASA 5500-X series with FTD, ISA 3000 with FTD, FTDv | Any | Cisco_FTD |
| Firepower 7000/8000 series, AMP models | 6.3.0 to 6.4.0 | Cisco_Firepower_NGIPS_Appliance |
| Firepower 7000/8000 series, AMP models | 5.4.0 to 6.2.3 | Sourcefire_3D_Device_S3 |
| ASA FirePOWER | Any | Cisco_Network_Sensor |
| NGIPSv | 6.3.0+ | Cisco_Firepower_NGIPS_Virtual |
| NGIPSv | 6.2.2 to 6.2.3 | Sourcefire_3D_Device_VMware |
| NGIPSv | 5.4.0 to 6.2.0 | Sourcefire_3D_Device_Virtual64_VMware |
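
The naming scheme above can be checked mechanically before a package is uploaded or referenced. The following parser is an added example, not Cisco code: it splits a file name into the fields shown in the example and matches the platform prefix against Table 3. It assumes that Patch and Hotfix packages use the same layout as the Upgrade example, and it accepts only signed tar archives (sh.REL.tar).

```python
import re

# Platform prefixes from Table 3 (Firepower Software Upgrade Package Naming Schemes).
PREFIXES = {
    "Cisco_Firepower_Mgmt_Center": "FMC/FMCv (6.3.0+)",
    "Sourcefire_3D_Defense_Center_S3": "FMC/FMCv (5.4.0 to 6.2.3)",
    "Cisco_FTD_SSP-FP1K": "Firepower 1000 series",
    "Cisco_FTD_SSP-FP2K": "Firepower 2100 series",
    "Cisco_FTD_SSP": "Firepower 4100/9300 chassis",
    "Cisco_FTD": "ASA 5500-X/ISA 3000 with FTD, FTDv",
    "Cisco_Firepower_NGIPS_Appliance": "Firepower 7000/8000, AMP (6.3.0 to 6.4.0)",
    "Sourcefire_3D_Device_S3": "Firepower 7000/8000, AMP (5.4.0 to 6.2.3)",
    "Cisco_Network_Sensor": "ASA FirePOWER",
    "Cisco_Firepower_NGIPS_Virtual": "NGIPSv (6.3.0+)",
    "Sourcefire_3D_Device_VMware": "NGIPSv (6.2.2 to 6.2.3)",
    "Sourcefire_3D_Device_Virtual64_VMware": "NGIPSv (5.4.0 to 6.2.0)",
}

# <prefix>_<type>-<version>-<build>.sh.REL.tar, as in the page's example.
# Assumption: Patch and Hotfix names follow the same layout as the Upgrade example.
NAME_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9_-]+?)_(?P<type>Upgrade|Patch|Hotfix)"
    r"-(?P<version>\d+(?:\.\d+){2,3})-(?P<build>\d+)\.sh\.REL\.tar$"
)

def parse_package_name(name):
    """Return the fields of an upgrade package name, or raise ValueError."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not <prefix>_<type>-<version>-<build>.sh.REL.tar: {name!r}")
    prefix = m["prefix"]
    # Exact match on the prefix, so Cisco_FTD_SSP-FP2K is not mistaken for Cisco_FTD_SSP.
    if prefix not in PREFIXES:
        raise ValueError(f"unknown platform prefix: {prefix!r}")
    return {"platform": PREFIXES[prefix], "prefix": prefix, "type": m["type"],
            "version": m["version"], "build": int(m["build"])}

if __name__ == "__main__":
    # File name taken from the example on this page.
    print(parse_package_name("Cisco_Firepower_Mgmt_Center_Upgrade-6.6.0-90.sh.REL.tar"))
```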

Operating System Upgrade Packages

For information on operating system upgrade packages, see the Planning Your Upgrade chapters in the following guides:

Download Upgrade Packages Directly from Cisco

An FMC with internet access can get selected upgrade packages directly from Cisco; see About Firepower Software Upgrade Packages.

Before you begin

If you are using the standby FMC in a high availability pair, pause synchronization. See Guidelines and Limitations for Managing Upgrade Packages.

Procedure


Step 1

On the FMC web interface, choose System > Updates.

Step 2

Click Download Updates.

The FMC downloads all eligible packages for your deployment, as well as the latest VDB if needed.

The number of upgrade packages retrieved, and therefore the time to retrieve them, depends on how up-to-date your current deployment is and how many different device types you have.


What to do next

Refer to your plan. Although it is optional, we recommend that you copy upgrade packages to managed devices. See Push Upgrade Packages to FMC-Managed Devices.

Upload Firepower Software Upgrade Packages to the FMC

Use the following procedure to manually upload upgrade packages to the FMC, for itself and the devices it manages.

Before you begin

Procedure


Step 1

On the FMC web interface, choose System > Updates.

Step 2

Click Upload Update.

Step 3

(Version 6.6.0+) For the Action, click the Upload local software update package radio button.

Step 4

Click Choose File.

Step 5

Browse to the package and click Upload.


What to do next

Refer to your plan. Although it is optional, we recommend that you copy device upgrade packages to managed devices. See Push Upgrade Packages to FMC-Managed Devices.

Get FTD Upgrade Packages from an Internal Server

Starting with Version 6.6.0, Firepower Threat Defense devices can get upgrade packages from an internal web server, rather than from the FMC. This is especially useful if you have limited bandwidth between the FMC and its devices. It also saves space on the FMC.


Note

This feature is supported only for FTD devices running Version 6.6.0+. It is not supported for upgrades to Version 6.6.0, nor is it supported for the FMC or Classic devices.


To configure this feature, you save a pointer (URL) to an upgrade package's location on the web server. The upgrade process will then get the upgrade package from the web server instead of the FMC. Or, you can use the push feature on the FMC to copy the package before you upgrade.

Repeat this procedure for each FTD upgrade package. You can configure only one location per upgrade package.

Before you begin

  • Download the appropriate upgrade packages from the Cisco Support & Download site. See Downloading Firepower Software Upgrade Packages.

  • Copy the upgrade packages to an internal web server that your FTD devices can access.

  • For secure web servers (HTTPS), obtain the server's digital certificate (PEM format). You should be able to obtain the certificate from the server's administrator. You may also be able to use your browser, or a tool like OpenSSL, to view the server's certificate details and export or copy the certificate.

Procedure


Step 1

On the FMC web interface, choose System > Updates.

Step 2

Click Upload Update.

Choose this option even though you will not upload anything. The next page will prompt you for a URL.

Step 3

For the Action, click the Specify software update source radio button.

Step 4

Enter a Source URL for the upgrade package.

Provide the protocol (HTTP/HTTPS) and full path, for example:

https://internal_web_server/upgrade_package.sh.REL.tar

Upgrade package file names reflect the platform, package type (upgrade, patch, hotfix), and the Firepower version you are upgrading to. Make sure you enter the correct file name.

Step 5

For HTTPS servers, provide a CA Certificate.

This is the server's digital certificate you obtained earlier. Copy and paste the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines.

Step 6

Click Save.

You are returned to the Product Updates page. Uploaded upgrade packages and upgrade package URLs are listed together, but are labeled distinctly.
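
The values entered in Steps 4 and 5 can be checked for consistency before you save them. The following pre-flight check is an added example, not part of the FMC or of Cisco's tooling: it confirms that the Source URL gives the protocol and a path ending in a signed package name, and that an HTTPS source comes with one complete PEM block. It checks structure only and does not validate the certificate itself; the function names and the sample PEM are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed placeholder: structurally valid PEM framing, not a real certificate.
SAMPLE_PEM = f"{BEGIN}\nMIIBCg==\n{END}\n"

def check_pem(text):
    """Catch paste errors in the CA Certificate field (structure only, no trust check)."""
    text = text.strip()
    if text.count(BEGIN) != 1 or not text.startswith(BEGIN):
        return ["certificate must be one block starting with the BEGIN CERTIFICATE line"]
    if not text.endswith(END):
        return ["END CERTIFICATE line is missing (truncated paste?)"]
    body = "".join(line.strip() for line in text.splitlines()[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return ["certificate body is not valid base64"]
    if not der or der[0] != 0x30:  # X.509 DER begins with an ASN.1 SEQUENCE tag
        return ["certificate body does not decode to DER"]
    return []

def check_update_source(source_url, ca_cert_pem=None):
    """Return a list of problems; an empty list means the two fields are consistent."""
    problems = []
    url = urlsplit(source_url.strip())
    if url.scheme not in ("http", "https"):
        problems.append("Source URL must give the protocol (HTTP/HTTPS)")
    if not url.hostname:
        problems.append("Source URL has no server name")
    filename = url.path.rsplit("/", 1)[-1]
    if not filename.endswith(".sh.REL.tar"):
        problems.append(f"URL does not end in a .sh.REL.tar package name: {filename!r}")
    if url.scheme == "https":
        if ca_cert_pem:
            problems += check_pem(ca_cert_pem)
        else:
            problems.append("HTTPS source needs the server certificate in PEM format")
    return problems
```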

What to do next

Refer to your plan. Although it is optional, we recommend that you copy device upgrade packages to devices. See Push Upgrade Packages to FMC-Managed Devices.

Push Upgrade Packages to FMC-Managed Devices

Starting with Version 6.2.3, you can copy (or push) upgrade packages from the FMC before the upgrade. This helps reduce the length of your upgrade maintenance window. Version 6.6.0 adds the ability to use an internal web server instead of the FMC as the source for FTD upgrade packages.

When you push, each device gets the upgrade package individually from the source—the system does not copy upgrade packages between cluster, stack, or HA member units.

If you do not push before upgrade, the device gets the upgrade package as the first step in the upgrade process.

Before you begin

Firepower upgrade package sizes vary. Make sure your management network has the bandwidth to perform large data transfers. For more information, see Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).

Procedure


Step 1

On the FMC web interface, choose System > Updates.

Step 2

Put the upgrade package where the device can get it. Choose:

Step 3

Click the Push (Version 6.5.0 and earlier) or Push or Stage update (Version 6.6.0+) icon next to the upgrade package you want to push, then choose destination devices.

If the devices where you want to push the upgrade package are not listed, you chose the wrong upgrade package.

Step 4

Push the package. For:

  • FMCs, click Push.

  • Internal web servers, click Download Update to Device from Source.


What to do next

After the file transfer to the device completes, you can proceed with readiness checks and/or the actual upgrade. Refer to your plan.