Upgrade FXOS on the Firepower 4100/9300

For the Firepower 4100/9300, major FTD upgrades also require an FXOS upgrade.

Major FTD versions have a specially qualified and recommended companion FXOS version. Use these combinations whenever possible because we perform enhanced testing for them. Maintenance release and patches rarely require FXOS upgrades, but you may still want to upgrade to the latest FXOS build to take advantage of resolved issues.

We also recommend the latest firmware; see the Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.

Upgrade Packages for FXOS

FXOS images and firmware updates are available on the Cisco Support & Download site:

To find the correct FXOS image, select or search for your device model and browse to the Firepower Extensible Operating System download page for your target FXOS version and build. The FXOS image is listed along with recovery and MIB packages. If you need to upgrade the firmware, those packages are under All Releases > Firmware.

The packages are:

  • Firepower 4100/9300 FXOS image: fxos-k9.fxos_version.SPA

  • Firepower 4100 series firmware: fxos-k9-fpr4k-firmware.firmware_version.SPA

  • Firepower 9300 firmware: fxos-k9-fpr9k-firmware.firmware_version.SPA

Upgrade Guidelines for FXOS

For critical and release-specific upgrade guidelines, new and deprecated features, and open and resolved bugs, see the Cisco Firepower 4100/9300 FXOS Release Notes.

Minimum FXOS Version to Upgrade FTD

The minimum FXOS version to run Version 7.1 is FXOS 2.11.1.154.

Minimum FXOS Version to Upgrade FXOS

You can upgrade to any later FXOS version from as far back as FXOS 2.2.2.

Time to Upgrade FXOS

An FXOS upgrade can take up to 45 minutes and can affect traffic flow and inspection. For more information, see Traffic Flow and Inspection for FXOS Upgrades.

Upgrade Order for FXOS with FTD High Availability

In high availability deployments, you upgrade FXOS on each chassis independently. To minimize disruption, upgrade FXOS one chassis at a time. You must also upgrade the FTD devices one at a time. For more information, see Upgrade Order for FXOS with FTD High Availability.

Upgrading FXOS with FTD and ASA Logical Devices

If you have FTD and ASA logical devices configured on the Firepower 9300, use the procedures in this chapter to upgrade FXOS and FTD. Make sure that upgrading FXOS does not bring you out of compatibility with either type of logical device; see Upgrade Path for FXOS with FTD and ASA.

For ASA upgrade procedures, see the Cisco Secure Firewall ASA Upgrade Guide.

Upgrading FXOS with No Logical Devices

If you have no logical devices or container instances configured, use the procedures in this chapter for upgrading FXOS on standalone FTD devices, disregarding any instructions on logical devices. Or, perform a full reimage of the chassis to the FXOS version you need.

Traffic Flow and Inspection for FXOS Upgrades

Upgrading FXOS reboots the chassis. Even in high availability deployments, you upgrade FXOS on each chassis independently. To minimize disruption, upgrade one chassis at a time. For more information, see Upgrade Order for FXOS with FTD High Availability.

Table 1. Traffic Flow and Inspection: FXOS Upgrades

FTD Deployment

Traffic Behavior

Method

Standalone

Dropped.

High availability

Unaffected.

Best Practice: Update FXOS on the standby, switch active peers, upgrade the new standby.

Dropped until one peer is online.

Upgrade FXOS on the active peer before the standby is finished upgrading.

Upgrade Paths for FXOS

Choose the upgrade path that matches your deployment.

Upgrade Path for FXOS with FTD

This table provides the upgrade path for FTD on the Firepower 4100/9300.

Note that if your current FTD version was released on a date after your target version, you may not be able to upgrade as expected. In those cases, the upgrade quickly fails and displays an error explaining that there are datastore incompatibilities between the two versions. The release notes for both your current and target version list any specific restrictions.

The table lists our specially qualified version combinations. Because you upgrade FXOS first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of the device software. Make sure upgrading FXOS does not bring you out of compatibility with any logical devices. For minimum builds and other detailed compatibility information, see the Cisco Secure Firewall Threat Defense Compatibility Guide.

Table 2. FTD Direct Upgrades on the Firepower 4100/9300

Current Versions

Target Versions

FXOS 2.13 with threat defense 7.3

→ FXOS 2.13 with any later threat defense 7.3.x release

FXOS 2.12 with threat defense 7.2

Last support for Firepower 4110, 4120, 4140, 4150.

Last support for the Firepower 9300 with SM-24, SM-36, or SM-44 modules.

Any of:

→ FXOS 2.13 with threat defense 7.3.x

→ FXOS 2.12 with any later threat defense 7.2.x release

FXOS 2.11.1 with threat defense 7.1

Any of:

→ FXOS 2.13 with threat defense 7.3.x

→ FXOS 2.12 with threat defense 7.2.x

→ FXOS 2.11.1 with any later threat defense 7.1.x release

FXOS 2.10.1 with threat defense 7.0

Any of:

→ FXOS 2.13 with threat defense 7.3.x

→ FXOS 2.12 with threat defense 7.2.x

→ FXOS 2.11.1 with threat defense 7.1.x

→ FXOS 2.10.1 with any later threat defense 7.0.x release

Note

 

Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. We recommend you upgrade directly to Version 7.2+.

Note

 

The cloud-delivered Firewall Management Center cannot manage FTD devices running Version 7.1, or Classic devices running any version. You cannot upgrade a cloud-managed device from Version 7.0.x to Version 7.1 unless you unregister and disable cloud management. We recommend you upgrade the device directly to Version 7.2+.

FXOS 2.9.1 with threat defense 6.7

Any of:

→ FXOS 2.12 with threat defense 7.2.x

→ FXOS 2.11.1 with threat defense 7.1.x

→ FXOS 2.10.1 with threat defense 7.0.x

→ FXOS 2.9.1 with any later threat defense 6.7.x release

FXOS 2.8.1 with threat defense 6.6

Any of:

→ FXOS 2.12 with threat defense 7.2.x

→ FXOS 2.11.1 with threat defense 7.1.x

→ FXOS 2.10.1 with threat defense 7.0.x

→ FXOS 2.9.1 with threat defense 6.7.x

→ FXOS 2.8.1 with any later threat defense 6.6.x release

FXOS 2.7.1 with threat defense 6.5

Any of:

→ FXOS 2.11.1 with threat defense 7.1.x

→ FXOS 2.10.1 with threat defense 7.0.x

→ FXOS 2.9.1 with threat defense 6.7.x

→ FXOS 2.8.1 with threat defense 6.6.x

Upgrade Path for FXOS with FTD and ASA

This table provides upgrade paths for the Firepower 9300 with FTD and ASA logical devices running on separate modules.


Note


This document does not contain procedures for upgrading ASA logical devices. For those, see the Cisco Secure Firewall ASA Upgrade Guide.


Note that if your current FTD version was released on a date after your target version, you may not be able to upgrade as expected. In those cases, the upgrade quickly fails and displays an error explaining that there are datastore incompatibilities between the two versions. The release notes for both your current and target version list any specific restrictions.

The table lists our specially qualified version combinations. Because you upgrade FXOS first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of the device software. Make sure upgrading FXOS does not bring you out of compatibility with any logical devices (including ASA devices). If you need to skip multiple versions, FTD will usually be the limiter—FXOS and ASA can usually upgrade further in one hop. After you reach the target FXOS version, it does not matter which type of logical device you upgrade first. For minimum builds and other detailed compatibility information, see the Cisco Secure Firewall Threat Defense Compatibility Guide

Table 3. FTD and ASA Direct Upgrades on the Firepower 9300

Current Versions

Target Versions

FXOS 2.13 with:

  • Threat defense 7.3

  • ASA 9.19(x)

→ FXOS 2.13 with ASA 9.19(x) and any later threat defense 7.3.x release

FXOS 2.12 with:

  • Threat defense 7.2

  • ASA 9.18(x)

Last support for the Firepower 9300 with SM-24, SM-36, or SM-44 modules.

Any of:

→ FXOS 2.13 with ASA 9.19(x) and threat defense 7.3.x

→ FXOS 2.12 with ASA 9.18(x) and any later threat defense 7.2.x release

FXOS 2.11.1 with:

  • Threat defense 7.1

  • ASA 9.17(x)

→ FXOS 2.13 with ASA 9.19(x) and threat defense 7.3.x

→ FXOS 2.12 with ASA 9.18(x) and threat defense 7.2.x

→ FXOS 2.11.1 with ASA 9.17(x) and any later threat defense 7.1.x release

FXOS 2.10.1 with:

  • Threat defense 7.0

  • ASA 9.16(x)

Any of:

→ FXOS 2.13 with ASA 9.19(x) and threat defense 7.3.x

→ FXOS 2.12 with ASA 9.18(x) and threat defense 7.2.x

→ FXOS 2.11.1 with ASA 9.17(x) and threat defense 7.1.x

→ FXOS 2.10.1 with ASA 9.16(x) and any later threat defense 7.0.x release

Note

 

Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. We recommend you upgrade directly to Version 7.2+.

Note

 

The cloud-delivered Firewall Management Center cannot manage FTD devices running Version 7.1, or Classic devices running any version. You cannot upgrade a cloud-managed device from Version 7.0.x to Version 7.1 unless you unregister and disable cloud management. We recommend you upgrade the device directly to Version 7.2+.

FXOS 2.9.1 with:

  • Threat defense 6.7

  • ASA 9.15(x)

Any of:

→ FXOS 2.12 with ASA 9.18(x) and threat defense 7.2.x

→ FXOS 2.11.1 with ASA 9.17(x) and threat defense 7.1.x

→ FXOS 2.10.1 with ASA 9.16(x) and threat defense 7.0.x

→ FXOS 2.9.1 with ASA 9.15(x) and any later threat defense 6.7.x release

FXOS 2.8.1 with:

  • Threat defense 6.6

  • ASA 9.14(x)

Any of:

→ FXOS 2.12 with ASA 9.18(x) and threat defense 7.2.x

→ FXOS 2.11.1 with ASA 9.17(x) and threat defense 7.1.x

→ FXOS 2.10.1 with ASA 9.16(x) and threat defense 7.0.x

→ FXOS 2.9.1 with ASA 9.15(x) and threat defense 6.7.x

→ FXOS 2.8.1 with ASA 9.14(x) and any later threat defense 6.6.x release

FXOS 2.7.1 with:

  • Threat defense 6.5

  • ASA 9.13(x)

Any of:

→ FXOS 2.11.1 with ASA 9.17(x) and threat defense 7.1.x

→ FXOS 2.10.1 with ASA 9.16(x) and threat defense 7.0.x

→ FXOS 2.9.1 with ASA 9.15(x) and threat defense 6.7.x

→ FXOS 2.8.1 with ASA 9.14(x) and threat defense 6.6.x

Upgrade Order for FXOS with FTD High Availability

In high availability deployments, you upgrade FXOS on each chassis independently. To minimize disruption, upgrade FXOS one chassis at a time. You must also upgrade the FTD devices one at a time.

Table 4.

FTD Deployment

Upgrade Order

Standalone

  1. Upgrade FXOS.

  2. Upgrade FTD.

High availability

Upgrade FXOS on both chassis before you upgrade FTD. To minimize disruption, always upgrade the standby. In the following scenario, Device A is the original active device and Device B is the original standby.

  1. Upgrade FXOS on the chassis with the standby device (B).

  2. Switch roles.

  3. Upgrade FXOS on the chassis with the new standby device (A).

  4. Upgrade FTD on the new standby device (A).

  5. Switch roles again.

  6. Upgrade FTD on the original standby device (B).

Upgrade FXOS with Firepower Chassis Manager

Upgrade FXOS for Standalone FTD Logical Devices Using Firepower Chassis Manager

This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.

The section describes the upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD logical devices that are not part of a failover pair.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure


Step 1

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 2

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.
  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 3

After the new platform bundle image has been successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 4

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 5

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 6

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.


Upgrade FXOS on an FTD High Availability Pair Using Firepower Chassis Manager

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure


Step 1

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 3

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.
  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 4

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 5

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 6

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 7

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 8

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 9

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 10

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 11

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.
  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 12

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 13

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components. The upgrade process can take up to 30 minutes to complete.

Step 14

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 15

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 16

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.


Upgrade FXOS with the CLI

Upgrade FXOS for Standalone FTD Logical Devices Using the FXOS CLI

This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.

The section describes the FXOS upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD devices that are not part of a failover pair.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure


Step 1

Connect to the FXOS CLI.

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol:

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.


Upgrade FXOS on an FTD High Availability Pair Using the FXOS CLI

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure


Step 1

Connect to FXOS CLI on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol:

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 10

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 11

Connect to FXOS CLI on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 12

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol:

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 13

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 14

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 15

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 16

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 17

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 18

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 19

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 20

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.