The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Use this guide to plan and complete threat defense upgrades. Upgrades can be major (A.x), maintenance (A.x.y), or patch (A.x.y.z) releases. We also may provide hotfixes, which are minor updates that address particular, urgent issues.
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner contact for refresh information.
For compatibility information, see:
See the release notes for release-specific upgrade warnings and guidelines, and for information on features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade, see Troubleshooting and Reference.
For release-specific upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the threat defense release notes. Check all release notes between your current and target version: http://www.cisco.com/go/ftd-notes.
In most cases, we recommend you use the latest FXOS build in each major version. For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the FXOS release notes. Check all release notes between your current and target version: http://www.cisco.com/go/firepower9300-rns.
For firmware upgrade guidelines (for upgrades to FXOS 2.13 and earlier), see the firmware upgrade guide: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.
Planning your upgrade path is especially important for large deployments, multi-hop upgrades, and situations where you need to coordinate chassis, hosting environment or other upgrades.
Some devices may require a chassis upgrade (FXOS and firmware) before you upgrade the software:
Secure Firewall 3100/4200 in multi-instance mode: Any upgrade can require a chassis upgrade. Although you upgrade the chassis and threat defense separately, one package contains the chassis and threat defense upgrades and you perform both from the management center. The compatibility work is done for you. It is possible to have a chassis-only upgrade or a threat defense-only upgrade.
Firepower 4100/9300: Major versions require a chassis upgrade.
Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the chassis, then devices again. Or, perform a full reimage. In high availability or clustered deployments, upgrade one chassis at a time.
This table shows the supported direct upgrades for threat defense software. Note that although you can upgrade directly to major and maintenance releases, patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release.
For the Firepower 4100/9300, the table also lists companion FXOS versions. If a chassis upgrade is required, threat defense upgrade is blocked. In most cases we recommend the latest build in each version; for minimum builds see the Cisco Secure Firewall Threat Defense Compatibility Guide.
|
Current Version |
Target Threat Defense Version |
|||||
|---|---|---|---|---|---|---|
|
7.6 |
7.4 |
7.3 |
7.2 |
7.1 |
7.0 |
|
|
Firepower 4100/9300 FXOS Version |
||||||
|
2.16 |
2.14 |
2.13 |
2.12 |
2.11 |
2.10 |
|
|
7.6 |
YES |
— |
— |
— |
— |
— |
|
7.4 |
YES |
YES † |
— |
— |
— |
— |
|
7.3 |
YES |
YES |
YES |
— |
— |
— |
|
7.2 |
YES |
YES |
YES |
YES |
— |
— |
|
7.1 |
— |
— |
— |
— |
— |
— |
|
7.0 |
— |
YES |
YES |
YES |
— |
YES |
† You cannot upgrade threat defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only. Instead, upgrade your devices to Version 7.4.1+.
When a chassis upgrade is required in high availability or clustered deployments, upgrade one chassis at a time.
|
Threat Defense Deployment |
Upgrade Order |
|---|---|
|
Standalone |
|
|
High availability |
Upgrade both chassis before you upgrade threat defense. To minimize disruption, always upgrade the standby.
|
|
Intra-chassis cluster (units on the same chassis) |
|
|
Inter-chassis cluster (units on different chassis) |
Upgrade all chassis before you upgrade threat defense. To minimize disruption, always upgrade an all-data unit chassis.
|
|
Threat Defense Deployment |
Upgrade Order |
|---|---|
|
Standalone |
|
|
High availability |
Upgrade both chassis before you upgrade threat defense.
|
Manage upgrade packages on System (
).
The page lists all upgrade packages that apply to you, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, or upload packages you manually downloaded: Upgrade Packages on Cisco.com.
|
To... |
Do This... |
|---|---|
|
Refresh the list of available upgrade packages. |
Click Refresh ( |
|
Download an upgrade package to the management center from Cisco. |
Click Download next to the upgrade package or version you want to download. Each family of devices has its own upgrade packages, so depending on your deployment you may need to download more than one upgrade package. |
|
Manually upload an upgrade package to the management center. |
Click Add Upgrade Package at the bottom right of the page, then Choose File. |
|
Configure threat defense devices to get upgrade packages from an internal server. |
Click Add Upgrade Package at the bottom right of the page, then Specify Remote Location. See Copying Upgrade Packages to Devices from an Internal Server. |
|
Delete upgrade packages from the management center. |
Click the Ellipsis (…) next to the package or package version you want to delete and select Delete. This deletes the packages (or the pointer to the package) from the management center. It does not delete packages from any devices where you already copied them. In most cases, upgrading removes the related package from the upgraded appliance. However, for the Secure Firewall 3100/4200 in multi-instance mode, chassis upgrade packages must be removed manually; see Deleting Chassis Upgrade Packages from the Secure Firewall 3100/4200. |
To upgrade, the upgrade package must be on the device.
For threat defense and Secure Firewall 3100/4200 chassis upgrades, the easiest way to do this is to use the Product
Upgrades page (System () on the management center to download the upgrade package from Cisco, then let
the upgrade wizard prompt you to copy the package
over.
Note that for the Secure Firewall 3100/4200 in multi-instance mode, chassis upgrade packages are stored outside any application instances. This allows you to upgrade the chassis while also making the threat defense upgrade accessible to all instances. However, this means that you must manually remove unneeded chassis upgrade packages (instead of the upgrade process automatically removing them).
The following table goes into more details about this and your other options.
|
Requirements |
When to Use |
|---|---|
|
Cisco → Management Center → Devices Major, maintenance, or patch upgrade (not a hotfix) that applies to the device right now. Management center can access the Cisco Support & Download site. Adequate disk space on the management center. Adequate bandwidth between the management center and devices. |
Strongly recommended when all requirements are met. |
|
Cisco → Your Computer → Management Center → Devices Adequate disk space on the management center. Adequate bandwidth between management center and devices. |
You meet disk space and bandwidth requirements, but either the management center cannot access the Cisco Support & Download site, or you are applying a hotfix. |
|
Cisco → Your Computer → Internal Server → Devices Internal web server that devices can access. |
You do not meet disk space requirements and/or bandwidth requirements (regardless of support site access or upgrade type). The cloud-delivered Firewall Management Center in particular has limited disk space for device upgrade packages. See: Copying Upgrade Packages to Devices from an Internal Server |
For Firepower 4100/9300 chassis upgrade packages, download the upgrade package from Cisco, then use the chassis manager or CLI (FTP, SCP, SFTP, or TFTP) to copy the package to the device. See Upgrade Packages on Cisco.com and the upgrade procedure for your deployment.
You can store threat defense upgrade packages on an internal server instead of the management center. This is especially useful if you have limited bandwidth between the management center and its devices. It also saves space on the management center.
After you get the packages from Cisco and set up your server, configure pointers to
them. On the management center, start like you are uploading a a package: on the Product Upgrades page (System (), click Add Upgrade Package. But instead of choosing a file
on your computer, click Specify Remote Location and provide
the appropriate details. When it is time to get the package, the device will copy it
from the internal server.
|
Field |
Description |
|---|---|
|
URL |
The source URL, including protocol (HTTP/HTTPS) and full path to the upgrade package; for example: https://internal_web_server/upgrade_package.sh.REL.tar. |
|
CA Certificates |
For secure web servers (HTTPS), the server's digital certificate (PEM format). Copy and paste the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. You should be able to obtain the certificate from the server's administrator. You may also be able to use your browser, or a tool like OpenSSL, to view the server's certificate details and export or copy the certificate. |
Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 package concurrent transfers.
This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same management center. It is not supported for:
Container instances.
Device high availability pairs and clusters. These devices get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.
Devices added to an on-prem management center in analytics mode.
Devices separated by a NAT gateway.
Devices upgrading from Version 7.0.x.
Devices running Version 7.6+.
Repeat the following procedure for all devices that need the upgrade package.
Upload the threat defense upgrade package to the management center or to an internal server.
Copy the upgrade package to at least one device.
|
Step 1 |
As |
|
Step 2 |
Enable the feature. configure p2psync enable |
|
Step 3 |
If you do not already know, determine where you can get the upgrade package you need. show peers : Lists the other eligible devices that also have this feature enabled. show peer details ip_address: For the device at the IP address you specify, list the available upgrade packages and their paths. |
|
Step 4 |
Copy the package from any device that has the package you need, by specifying the IP address and path you just discovered. sync-from-peer ip_address package_path |
|
Step 5 |
Monitor transfer status from the CLI. show p2p-sync-status : Shows the sync status for the last five transfers to this device, including completed and failed transfers. show p2p-sync-status sync_status_UUID: Shows the sync status for a particular transfer to this device. |
For the Secure Firewall 3100/4200 in multi-instance mode, chassis upgrade packages are stored outside any application instances. This allows you to upgrade the chassis while also making the threat defense upgrade accessible to all instances. However, this means that you must manually remove unneeded chassis upgrade packages (instead of the upgrade process automatically removing them).
 Note |
You must remove unneeded chassis upgrade packages in the context of a chassis upgrade workflow. The best time to do this is when you are upgrading to the next version. |
Use this procedure to delete chassis upgrade packages when you are not actively upgrading the chassis.
Download (or configure a pointer to) at least one chassis upgrade package other than the one corresponding to the package you want to delete.
|
Step 1 |
Choose . |
|
Step 2 |
Select the chassis that have the unneeded packages and under Select Action or Select Bulk Action, choose Upgrade FXOS and Firmware (Chassis Only). The chassis upgrade wizard appears. |
|
Step 3 |
Choose a target version from the Upgrade to menu. Choose any version other than the one corresponding to the package you want to delete. You will not be upgrading to this version so it doesn't matter which you choose. |
|
Step 4 |
In the Device Selection pane, click the message that says: X devices have packages that might not be needed. The chassis that have unneeded packages are listed in the Device Details pane. Note that you cannot delete a package for the version the chassis is currently running, nor a package for the "target version" you selected. Only chassis with packages other than these are counted. |
|
Step 5 |
In the Device Details pane, select a chassis, click Manage Upgrade Packages on Device, select the packages you want to remove and click Remove. Repeat this step for each chassis you want to clean up. |
|
Step 6 |
Back in the chassis upgrade wizard, click Reset to reset the workflow. |
Manually download upgrade packages from Cisco when the system cannot access the Cisco Support & Download site, or when you cannot direct-download for another reason; for example, for hotfixes. You must also manually obtain upgrade packages if you plan to configure devices to get them from an internal server. And, you must manually obtain chassis upgrade packages for the Firepower 4100/9300.
Packages are available on the Cisco Support & Download site: https://www.cisco.com/go/ftd-software
You use the same upgrade package for all models in a family or series. To find the correct one, select or search for your model on the Cisco Support & Download site, then browse to the software download page for the appropriate version. Available upgrade packages are listed along with installation packages, hotfixes, and other applicable downloads. Upgrade package file names reflect the platform, software version, and build. Upgrade packages are signed, and terminate in .sh.REL.tar. Do not untar or rename them.
|
Platform |
Package |
Notes |
|---|---|---|
|
Threat Defense Packages |
||
|
Firepower 1000 |
Cisco_FTD_SSP-FP1K_Upgrade-Version-build.sh.REL.tar |
— |
|
Firepower 1200 |
Cisco_Secure_FW_TD_1200-Version-build.sh.REL.tar |
— |
|
Firepower 2100 |
Cisco_FTD_SSP-FP2K_Upgrade-Version-build.sh.REL.tar |
Cannot upgrade past Version 7.4.x. |
|
Secure Firewall 3100 |
Cisco_FTD_SSP-FP3K_Upgrade-Version-build.sh.REL.tar |
— |
|
Secure Firewall 4200 |
Cisco_Secure_FW_TD_4200-Version-build.sh.REL.tar |
— |
|
Firepower 4100/9300 |
Cisco_FTD_SSP_Upgrade-Version-build.sh.REL.tar |
— |
|
ASA 5500-X |
Cisco_FTD_Upgrade-Version-build.sh.REL.tar |
Cannot upgrade past Version 7.0.x. |
| Threat defense virtual |
Cisco_FTD_Upgrade-Version-build.sh.REL.tar |
— |
|
ISA 3000 with FTD |
Cisco_FTD_Upgrade-Version-build.sh.REL.tar |
— |
For the Secure Firewall 3100/4200 in multi-instance mode, the threat defense and chassis upgrades share a package.
To find the correct FXOS package, select or search for your device model and browse to the Firepower Extensible Operating System download page for your target FXOS version and build. The FXOS package is listed along with recovery and MIB packages. Firmware is included in FXOS upgrades to 2.14.1+.
|
Platform |
Package |
|---|---|
|
Firepower 4100/9300 |
fxos-k9.fxos_version.SPA |
Firmware is included in FXOS upgrades to 2.14.1+ (companion to threat defense 7.4.1). If you are upgrading older devices, select or search for your device model and browse to the Firepower Extensible Operating System download page. Firmware packages are under All Releases > Firmware.
|
Platform |
Package |
|---|---|
|
Firepower 4100 |
fxos-k9-fpr4k-firmware.firmware_version.SPA |
|
Firepower 9300 |
fxos-k9-fpr9k-firmware.firmware_version.SPA |
Devices can stop passing traffic during the upgrade or if the upgrade fails. Before you upgrade, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. You should also able to access the management center's management interface without traversing the device.
Make sure your management network has the bandwidth to perform large data transfers. Whenever possible, upload upgrade packages ahead of time. If you transfer an upgrade package to a device at the time of upgrade, insufficient bandwidth can extend upgrade time or even cause the upgrade to time out. See Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).
Make sure you have made any required pre-upgrade configuration changes, and are prepared to make required post-upgrade configuration changes. Resolve any change management workflows. Deploy configuration changes. Note that you will need to deploy again after upgrade, which typically restarts Snort); see Traffic Flow and Inspection when Deploying Configurations.
Make sure your deployment is healthy and successfully communicating. If there are any issues reported by the health monitor, resolve them before continuing. You should especially make sure all appliances are synchronized with any NTP server you are using to serve time. Although the health monitor alerts if clocks are out of sync by more than 10 seconds, you should still check manually. Being out of sync can cause upgrade failure.To check time, use the show time CLI command.
With the exception of hotfixes, upgrade deletes all backups stored on the system. We strongly recommend you back up to a secure remote location and verify transfer success, both before and after any upgrade:
Before upgrade: If an upgrade fails catastrophically, you may have to reimage and restore. Reimaging returns most settings to factory defaults, including the system password. If you have a recent backup, you can return to normal operations more quickly.
After upgrade: This creates a snapshot of your freshly upgraded deployment.
|
Backup |
Guide |
|---|---|
|
Threat defense |
Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator: Backup/Restore Note that backup is not supported in all cases, for example, for threat defense virtual in the public cloud. But if you can back up, you should. |
|
Secure Firewall 3100/4200 chassis |
Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator: Multi-Instance Mode for the Secure Firewall 3100/4200 |
|
Firepower 4100/9300 chassis |
Cisco Firepower 4100/9300 FXOS Configuration Guide: Configuration Import/Export |
|
ASA on a Firepower 9300 chassis |
Cisco ASA Series General Operations Configuration Guide: Software and Configurations For a Firepower 9300 chassis with threat defense and ASA logical devices, use ASDM or the ASA CLI to back up ASA configurations and other critical files, especially if there is an ASA configuration migration. |
Besides the checks you perform yourself, the system can also check its own upgrade readiness. The threat defense upgrade wizard prompts you to run the checks at the appropriate time. Although you can disable readiness checks, we recommend against it. Passing all checks greatly reduces the chance of upgrade failure. If the checks expose issues that you cannot resolve, do not begin the upgrade.
You can run readiness checks outside a maintenance window. The time required to run a readiness check varies depending on model and database size. Do not manually reboot or shut down during readiness checks.
)
Feedback