Upgrade the Secure Firewall 3100/4200 or Firepower 4100/9300 Chassis

Some devices may require a chassis upgrade (FXOS and firmware) before you upgrade the software:

  • Secure Firewall 3100/4200 in multi-instance mode: Any upgrade can require a chassis upgrade. Although you upgrade the chassis and threat defense separately, one package contains the chassis and threat defense upgrades and you perform both from the management center. The compatibility work is done for you. It is possible to have a chassis-only upgrade or a threat defense-only upgrade.

  • Firepower 4100/9300: Major versions require a chassis upgrade.

Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the chassis, then devices again. Or, perform a full reimage. In high availability or clustered deployments, upgrade one chassis at a time.

Upgrade the Secure Firewall 3100/4200 Chassis

Use this procedure to upgrade the chassis on the Secure Firewall 3100/4200 in multi-instance mode.

As you proceed, the chassis upgrade wizard displays basic information about your selected chassis, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a chassis does not "pass" a stage in the wizard, it does not appear in the next stage.

If you navigate away from the wizard, your progress is preserved and other users cannot start a new upgrade workflow for any chassis you have already selected. (Exception: if you are logged in with a CAC, your progress is cleared 24 hours after you log out.) To return to your workflow, choose Devices > Chassis Upgrade.

Chassis upgrade does not start until you complete the wizard and click Start Upgrade. All steps up to that point can be performed outside of a maintenance window, including downloading upgrade packages, copying them to chassis, and choosing upgrade options. For information on traffic handling during the upgrade, see Traffic Flow and Inspection for Chassis Upgrades.


Caution

Do not make or deploy configuration changes to the chassis or threat defense instances during the upgrade. Even if the system appears inactive, do not manually reboot or shut down. In most cases, do not restart an upgrade in progress. You could place the system in an unusable state and require a reimage. Chassis may reboot multiple times during the upgrade. This is expected behavior. If you encounter issues with the upgrade, including a failed upgrade or unresponsive chassis, contact Cisco TAC.

Before you begin

Make sure you are ready to upgrade:

Procedure

Step 1

On the management center, choose System (system gear icon) > Product Upgrades.

The Product Upgrades page provides an upgrade-centered overview of your deployment—how many devices you have, when they were last upgraded, whether there is an upgrade in progress, and so on.

Step 2

Get the chassis upgrade packages onto the management center.

Before you copy upgrade packages to managed chassis, you must upload the packages to the management center (or to an internal server that the chassis can access). The Product Upgrades page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. In most cases, you can just click Download next to the upgrade package or version you want. Note that you use the same package to upgrade the chassis and the threat defense software.

For more information, see Managing Upgrade Packages with the Management Center and Troubleshooting Upgrade Packages.

Step 3

Launch the upgrade wizard.

Click Upgrade next to the target version. If you are given a drop-down menu, select Chassis.

The chassis upgrade wizard appears. It has two panes: Device Selection on the left, and Device Details on the right. Click a device link in the Device Selection pane (such as '4 devices') to show the Device Details for those chassis. Your target version is pre-selected in the Upgrade to menu. The system determines which chassis can be upgraded to that version and displays them in the Device Details pane. The Device Selection pane also displays the FXOS and firmware versions contained in the upgrade package.

Step 4

Select chassis to upgrade.

In the Device Details pane, select the chassis you want to upgrade and click Add to Selection.

You can use the device links on the Device Selection pane to toggle the Device Details pane between selected chassis, remaining upgrade candidates, ineligible chassis (with reasons why), chassis that need the upgrade package, and so on. You can add and remove chassis from your selection, or click Reset to clear your chassis selection and start over. Note that you do not have to remove ineligible chassis; they are automatically excluded from upgrade.

Step 5

(Optional) Remove unneeded upgrade packages from your selected chassis.

You must manually manage chassis upgrade packages. Right now is a good time to clean up.

  1. In the Device Selection pane, click the message that says: X devices have packages that might not be needed.

  2. In the Device Details pane, select a chassis, click Manage Upgrade Packages on Device, select the packages you want to remove and click Remove.

    Repeat this step for each chassis you want to clean up.

Step 6

Copy the new upgrade package to the chassis.

Click Copy Upgrade Package and wait for the transfer to complete.

Step 7

Click Next to choose upgrade options.

By default, chassis upgrades run in parallel.

For chassis with high availability instances, we recommend serial upgrade order. Select the appropriate chassis in the Device Details pane and click Move to Serial Upgrade. We also recommend you place the chassis with the standby unit first in the upgrade order. To change serial upgrade order, click Change Upgrade Order. For more information, see Upgrade Order for Threat Defense with Chassis Upgrade and High Availability/Clusters.

Step 8

Reconfirm you are ready to upgrade.

We recommend revisiting the configuration and deployment health checks you performed earlier: Configuration and Deployment Checks.

Step 9

Click Start Upgrade, then confirm that you want to upgrade and reboot the chassis.

The wizard shows your overall upgrade progress, which you can also monitor in the Message Center. For detailed status, click Detailed Status next to the chassis you want to see. This detailed status is also available from the Upgrade tab on the Device Management page.

Step 10

Verify success.

After the upgrade completes, choose Devices > Device Management and confirm that the chassis you upgraded have the correct chassis version.

Step 11

(Optional) Examine configuration changes.

Before you upgrade threat defense, you may want to review the changes made by the chassis upgrade:

  • If you have not cleared your workflow, you can return to the wizard. Choose Devices > Chassis Upgrade and click Configuration Changes next to each chassis.

  • If you have cleared the workflow, or if you want to quickly generate change reports for multiple chassis, use the Advanced Deploy page. Choose Deploy > Advanced Deploy, select the chassis you upgraded, and click Pending Changes Reports. After the reports finish generating, you can download them from the Tasks tab on the Message Center.

Step 12

(Optional) In high availability deployments, examine device roles.

Depending on how you performed the upgrade, high availability instances may have switched roles. Keeping in mind that any subsequent threat defense upgrade will also switch device roles, make any desired changes.

What to do next

  • (Optional) Clear the wizard by clicking Clear Upgrade Information. Until you do this, the page continues to display details about the upgrade you just performed. After you clear the wizard, use the Upgrade tab on the Device Management page to see last-upgrade information for chassis, and the Advanced Deploy screens to see configuration changes.

  • Back up again: Backups

Upgrade FXOS on the Firepower 4100/9300 with Chassis Manager

Upgrade FXOS for Standalone FTD Logical Devices or an FTD Intra-chassis Cluster Using Firepower Chassis Manager

This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.

The section describes the upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD logical devices that are not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with FTD logical devices in an intra-chassis cluster.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure

Step 1

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 2

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 3

After the new platform bundle image has been successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 4

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 5

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 6

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Upgrade FXOS on an FTD Inter-chassis Cluster Using Firepower Chassis Manager

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as an inter-chassis cluster, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure

Step 1

Enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the control unit).

  2. Enter top .

  3. Enter scope ssa .

  4. Enter show slot .

  5. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  6. Enter show app-instance .

  7. Verify that the Oper State is Online and that the Cluster State is In Cluster for any logical devices installed on the chassis. Also verify that the correct FTD software version is shown as the Running Version.

    Important

     

    Verify that the control unit is not on this chassis. There should not be any Firepower Threat Defense instance with Cluster Role set to Master.

  8. For any security modules installed on a Firepower 9300 appliance or for the security engine on a Firepower 4100 series appliance, verify that the FXOS version is correct:

    scope server 1/slot_id , where slot_id is 1 for a Firepower 4100 series security engine.

    show version .

Step 2

Connect to Firepower Chassis Manager on Chassis #2 (this should be a chassis that does not have the control unit).

Step 3

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 4

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 5

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 6

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 7

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

  4. Enter top .

  5. Enter scope ssa .

  6. Enter show slot .

  7. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  8. Enter show app-instance .

  9. Verify that the Oper State is Online, that the Cluster State is In Cluster and that the Cluster Role is Slave for any logical devices installed on the chassis.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #
FP9300-A /system # top
FP9300-A# scope ssa
FP9300-A /ssa # show slot

Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
FP9300-A /ssa #

FP9300-A /ssa # show app-instance
App Name   Slot ID    Admin State Oper State       Running Version Startup Version Profile Name Cluster State   Cluster Role
---------- ---------- ----------- ---------------- --------------- --------------- ------------ --------------- ------------
ftd        1          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        2          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        3          Disabled    Not Available                    6.2.2.81                     Not Applicable  None
FP9300-A /ssa #

Step 8

Set one of the security modules on Chassis #2 as control.

After setting one of the security modules on Chassis #2 to control, Chassis #1 no longer contains the control unit and can now be upgraded.

Step 9

Repeat Steps 1-7 for all other Chassis in the cluster.

Step 10

To return the control role to Chassis #1, set one of the security modules on Chassis #1 as control.

Upgrade FXOS on an FTD High Availability Pair Using Firepower Chassis Manager

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure

Step 1

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 3

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 4

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 5

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 6

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 7

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 8

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 9

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 10

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 11

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 12

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 13

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components. The upgrade process can take up to 30 minutes to complete.

Step 14

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 15

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 16

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Upgrade FXOS on the Firepower 4100/9300 with the CLI

Upgrade FXOS for Standalone FTD Logical Devices or an FTD Intra-chassis Cluster Using the FXOS CLI

This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.

The section describes the FXOS upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD devices that are not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with FTD logical devices in an intra-chassis cluster.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure

Step 1

Connect to the FXOS CLI.

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Upgrade FXOS on an FTD Inter-chassis Cluster Using the FXOS CLI

If you have Firepower 9300 or Firepower 4100 series security appliances with FTD logical devices configured as an inter-chassis cluster, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure

Step 1

Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the control unit).

Step 2

Enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online and that the Cluster State is In Cluster for any logical devices installed on the chassis. Also verify that the correct FTD software version is shown as the Running Version.

    Important

     

    Verify that the control unit is not on this chassis. There should not be any Firepower Threat Defense instance with Cluster Role set to Master.

  7. For any security modules installed on a Firepower 9300 appliance or for the security engine on a Firepower 4100 series appliance, verify that the FXOS version is correct:

    scope server 1/slot_id , where slot_id is 1 for a Firepower 4100 series security engine.

    show version .

Step 3

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter top .

  2. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  3. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  4. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 4

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 5

Enter auto-install mode:

Firepower-chassis /firmware # scope auto-install

Step 6

Install the FXOS platform bundle:

Firepower-chassis /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing—for example, 2.3(1.58).

Step 7

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 8

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 9

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

  4. Enter top .

  5. Enter scope ssa .

  6. Enter show slot .

  7. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  8. Enter show app-instance .

  9. Verify that the Oper State is Online, that the Cluster State is In Cluster and that the Cluster Role is Slave for any logical devices installed on the chassis.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #
FP9300-A /system # top
FP9300-A# scope ssa
FP9300-A /ssa # show slot

Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
FP9300-A /ssa #

FP9300-A /ssa # show app-instance
App Name   Slot ID    Admin State Oper State       Running Version Startup Version Profile Name Cluster State   Cluster Role
---------- ---------- ----------- ---------------- --------------- --------------- ------------ --------------- ------------
ftd        1          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        2          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        3          Disabled    Not Available                    6.2.2.81                     Not Applicable  None
FP9300-A /ssa #

Step 10

Set one of the security modules on Chassis #2 as control.

After setting one of the security modules on Chassis #2 to control, Chassis #1 no longer contains the control unit and can now be upgraded.

Step 11

Repeat Steps 1-9 for all other Chassis in the cluster.

Step 12

To return the control role to Chassis #1, set one of the security modules on Chassis #1 as control.

Upgrade FXOS on an FTD High Availability Pair Using the FXOS CLI

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure

Step 1

Connect to FXOS CLI on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 10

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 11

Connect to FXOS CLI on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 12

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 13

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 14

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 15

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 16

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 17

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 18

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 19

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 20

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.