Upgrade Checklist: Firepower Management Center
Complete this checklist before you upgrade an FMC, including FMCv. If you are upgrading a high availability pair, complete the checklist for each peer.
 Note |
At all times during the process, make sure you maintain deployment communication and health. Do not restart an FMC upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC. |
Planning and Feasibility
Careful planning and preparation can help you avoid missteps.
|
✓ |
Action/Check |
||
|---|---|---|---|
|
Plan your upgrade path. This is especially important for multi-appliance deployments, multi-hop upgrades, or situations where you need to upgrade operating systems or hosting environments, all while maintaining deployment compatibility. Always know which upgrade you just performed and which you are performing next.
See Upgrade Paths. |
|||
|
Read all upgrade guidelines and plan configuration changes. Especially with major upgrades, upgrading may cause or require significant configuration changes either before or after upgrade. Start with the release notes, which contain critical and release-specific information, including upgrade warnings, behavior changes, new and deprecated features, and known issues. |
|||
|
Check bandwidth. Make sure your management network has the bandwidth to perform large data transfers. In FMC deployments, if you transfer an upgrade package to a managed device at the time of upgrade, insufficient bandwidth can extend upgrade time or even cause the upgrade to time out. Whenever possible, copy upgrade packages to managed devices before you initiate the device upgrade. See Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote). |
|||
|
Schedule maintenance windows. Schedule maintenance windows when they will have the least impact, considering any effect on traffic flow and inspection and the time the upgrade is likely to take. Also consider the tasks you must perform in the window, and those you can perform ahead of time. For example, do not wait until the maintenance window to copy upgrade packages to appliances, run readiness checks, perform backups, and so on. |
Upgrade Packages
Upgrade packages are available on the Cisco Support & Download site.
|
✓ |
Action/Check |
|---|---|
|
Upload the upgrade package. In FMC high availability deployments, you must upload the FMC upgrade package to both peers, pausing synchronization before you transfer the package to the standby. To limit interruptions to HA synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization. |
Backups
The ability to recover from a disaster is an essential part of any system maintenance plan.
Backup and restore can be a complex process. You do not want to skip any steps or ignore security or licensing concerns. For detailed information on requirements, guidelines, limitations, and best practices for backup and restore, see the configuration guide for your deployment.
 Caution |
We strongly recommend you back up to a secure remote location and verify transfer success, both before and after upgrade. |
|
✓ |
Action/Check |
|---|---|
|
Back up. Back up before and after upgrade:
|
Associated Upgrades
Because operating system and hosting environment upgrades can affect traffic flow and inspection, perform them in a maintenance window.
|
✓ |
Action/Check |
|---|---|
|
Upgrade virtual hosting. If needed, upgrade the hosting environment. If this is required, it is usually because you are running an older version of VMware and are performing a major FMC upgrade. |
Final Checks
A set of final checks ensures you are ready to upgrade.
|
✓ |
Action/Check |
||
|---|---|---|---|
|
Check configurations. Make sure you have made any required pre-upgrade configuration changes, and are prepared to make required post-upgrade configuration changes. |
|||
|
Check NTP synchronization. Make sure all appliances are synchronized with any NTP server you are using to serve time. Being out of sync can cause upgrade failure. In FMC deployments, the health monitor does alert if clocks are out of sync by more than 10 seconds, but you should still check manually. To check time:
|
|||
|
Check disk space. Run a disk space check for the software upgrade. Without enough free disk space, the upgrade fails. See the Upgrade the Software chapter in the Cisco Firepower Release Notes for your target version. |
|||
|
Deploy configurations. Deploying configurations before you upgrade reduces the chance of failure. In some deployments, you may be blocked from upgrade if you have out-of-date configurations. In FMC high availability deployments, you only need to deploy from the active peer. When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending on how your device handles traffic, may interrupt traffic until the restart completes. See the Upgrade the Software chapter in the Cisco Firepower Release Notes for your target version. |
|||
|
Run readiness checks. If your FMC is running Version 6.1.0+, we recommend compatibility and readiness checks. These checks assess your preparedness for a software upgrade. |
|||
|
Check running tasks. Make sure essential tasks are complete before you upgrade, including the final deploy. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. We also recommend you check for tasks that are scheduled to run during the upgrade, and cancel or postpone them.
|
Feedback