升級Firepower裝置上的FTD HA配對

下載選項

  • PDF     (1.1 MB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (893.7 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (832.2 KB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2023 年 5 月 8 日
文件 ID:200896

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本檔案介紹Firepower裝置上高可用性(HA)模式下Firepower威脅防禦(FTD)的升級過程。

    必要條件

    需求

    思科建議瞭解以下主題:

    • Firepower Management Center (FMC)
    • FTD
    • Firepower裝置(FXOS)

    採用元件

    • 2個FPR4150
    • 1個FS4000
    • 1台PC

    升級前的軟體映像版本:

    • FMC 6.1.0-330
    • FTD主要6.1.0-330
    • FTD輔助6.1.0-330
    • FXOS主要2.0.1-37
    • FXOS輔助2.0.1-37

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    設定

    網路圖表

    Network topology

    行動計畫

    任務1:驗證前提條件

    任務2:將映像上傳到FMC和SSP

    任務3:升級第一個FXOS機箱(2.0.1-37 -> 2.0.1-86)

    任務4:交換FTD故障轉移

    任務5:升級第二個FXOS機箱(2.0.1-37 -> 2.0.1-86)

    任務6:升級FMC(6.1.0-330 -> 6.1.0.1)

    任務7:升級FTD HA配對(6.1.0-330 -> 6.1.0.1)

    任務8:將策略從FMC部署到FTD HA配對

    任務1.驗證必要條件

    請參閱《FXOS相容性指南》,以確定以下各項之間的相容性:

    • 目標FTD軟體版本和FXOS軟體版本
    • Firepower硬體平台和FXOS軟體版本

    Cisco Firepower 4100/9300 FXOS相容性

    :此步驟不適用於FP21xx和更早的平台。

    檢查目標版本的FXOS發行版本註釋,以確定FXOS升級路徑:

    Cisco Firepower 4100/9300 FXOS版本說明,2.0(1)

    :此步驟不適用於FP21xx和更早的平台。

    請參閱FTD目標版本版本說明,以確定FTD升級路徑:

    Firepower 系統版本資訊,6.0.1.2 版本

    任務2.上傳軟體映像

    在兩台FCM上,上傳FXOS映像(fxos-k9.2.0.1.86.SPA)。

    在FMC上,上傳FMC和FTD升級套件:

    • 對於FMC升級:Sourcefire_3D_Defense_Center_S3_Patch-6.1.0.1-53.sh
    • 對於FTD升級:Cisco_FTD_SSP_Patch-6.1.0.1-53.sh

    任務3.升級第一個FXOS機箱

    :如果您將FXOS從1.1.4.x升級到2.x,請首先關閉FTD邏輯裝置,升級FXOS,然後重新啟用它。

    :此步驟不適用於FP21xx和更早的平台。

    升級之前:

    FPR4100-4-A /system # show firmware monitor
FPRM:
    Package-Vers: 2.0(1.37)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.0(1.37)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.0(1.37)
        Upgrade-Status: Ready

    啟動FXOS升級:

    Available Updates

    FXOS升級需要重新啟動機箱:

    Update Bundle Image

    您可以從FXOS CLI監控FXOS升級。必須升級所有三個元件(FPRM、交換矩陣互聯和機箱):

    FPR4100-4-A# scope system
FPR4100-4-A /system # show firmware monitor
FPRM:
    Package-Vers: 2.0(1.37)
    Upgrade-Status: Upgrading

Fabric Interconnect A:
    Package-Vers: 2.0(1.37)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.0(1.37)
        Upgrade-Status: Ready

    :啟動FXOS升級過程幾分鐘後,您將與FXOS CLI和GUI斷開連線。幾分鐘後必須能夠重新登入。

    大約五分鐘後,FPRM元件升級完成:

    FPR4100-4-A /system # show firmware monitor
FPRM:
    Package-Vers: 2.0(1.86)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.0(1.37)
    Upgrade-Status: Upgrading

Chassis 1:
    Server 1:
        Package-Vers: 2.0(1.37)
        Upgrade-Status: Upgrading

    大約10分鐘後,作為FXOS升級過程的一部分,Firepower裝置將重新啟動:

    Please stand by while rebooting the system...
    ...    
Restarting system.

    重新啟動後,升級過程將恢復:

    FPR4100-4-A /system # show firmware monitor
FPRM:
    Package-Vers: 2.0(1.86)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.0(1.37)
    Upgrade-Status: Upgrading

Chassis 1:
    Server 1:
        Package-Vers: 2.0(1.37)
        Upgrade-Status: Upgrading

    在總共大約30分鐘後,FXOS升級完成:

    FPR4100-4-A /system # show firmware monitor
FPRM:
    Package-Vers: 2.0(1.86)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.0(1.86)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.0(1.86),2.0(1.37)
        Upgrade-Status: Ready

    任務4.交換FTD容錯移轉狀態

    :此步驟不適用於FP21xx和更早的平台。

    交換容錯移轉狀態之前,請確保機箱上的FTD模組完全開啟:

    FPR4100-4-A# connect module 1 console
Firepower-module1>connect ftd
Connecting to ftd console... enter exit to return to bootCLI

> show high-availability config
Failover On
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(2), Mate 9.6(2)
Serial Number: Ours FLM2006EQFW, Mate FLM2006EN9U
Last Failover at: 15:08:47 UTC Dec 17 2016
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)) status (Up Sys)
                  Interface inside (192.168.75.112): Normal (Monitored)
                  Interface outside (192.168.76.112): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)
        Other host: Primary - Active
                Active time: 5163 (sec)
                  Interface inside (192.168.75.111): Normal (Monitored)
                  Interface outside (192.168.76.111): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)

Stateful Failover Logical Update Statistics
        Link : FOVER Ethernet1/8 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         65         0          68         4
        sys cmd         65         0          65         0
      ...

    交換FTD容錯移轉狀態。在作用中FTD CLI上:

    > no failover active
        Switching to Standby

>

    任務5.升級第二個FXOS機箱

    與任務2類似,升級安裝了新待命FTD的FXOS裝置。這可能需要大約30分鐘或更長時間才能完成。

    :此步驟不適用於FP21xx和更早的平台。

    任務6.升級FMC軟體

    在此案例中,將FMC從6.1.0-330升級到6.1.0.1。

    任務7.升級FTD HA配對

    升級之前:

    > show high-availability config
Failover On
Failover unit Primary
Failover LAN Interface: FOVER Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(2), Mate 9.6(2)
Serial Number: Ours FLM2006EN9U, Mate FLM2006EQFW
Last Failover at: 15:51:08 UTC Dec 17 2016
        This host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)) status (Up Sys)
                  Interface inside (192.168.75.112): Normal (Monitored)
                  Interface outside (192.168.76.112): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)
        Other host: Secondary - Active
                Active time: 1724 (sec)
                  Interface inside (192.168.75.111): Normal (Monitored)
                  Interface outside (192.168.76.111): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)

Stateful Failover Logical Update Statistics
        Link : FOVER Ethernet1/8 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         6          0          9          0
        sys cmd         6          0          6          0
    ...

    在FMC System > Updates 功能表上,啟動FTD HA升級程式:

    Updates

    Updates

    首先,升級主/備用FTD:

    System

    待命FTD模組會使用新映像重新開機:

    Remote Install

    您可以從FXOS BootCLI模式驗證FTD狀態:

    FPR4100-3-A# connect module 1 console
Firepower-module1> show services status
Services currently running:
Feature   | Instance ID    |     State  |          Up Since
-----------------------------------------------------------
ftd     | 001_JAD201200R4WLYCWO6 |   RUNNING  | :00:00:33

    由於FTD模組之間的軟體版本不相符,Secondary/Active FTD CLI顯示警告訊息:

    firepower#
************WARNING****WARNING****WARNING********************************
Mate version 9.6(2) is not identical with ours 9.6(2)4
************WARNING****WARNING****WARNING********************************
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

    FMC顯示FTD裝置已成功升級:

    Remote Install

    第二個FTD模組的升級開始:

    Remote Install

    程式結束時,FTD會使用新映像啟動:

    Remote Install

    在後台,FMC使用內部使用者enable_1、交換FTD容錯移轉狀態,並暫時從FTD移除容錯移轉組態:

    firepower# show logging
Dec 17 2016 16:40:14: %ASA-5-111008: User 'enable_1' executed the 'no failover active' command.
Dec 17 2016 16:40:14: %ASA-5-111010: User 'enable_1', running 'N/A' from IP 0.0.0.0, executed 'no failover active'
Dec 17 2016 16:41:19: %ASA-5-111008: User 'enable_1' executed the 'clear configure failover' command.
Dec 17 2016 16:41:19: %ASA-5-111010: User 'enable_1', running 'N/A' from IP 0.0.0.0, executed 'clear configure failover'
Dec 17 2016 16:41:19: %ASA-5-111008: User 'enable_1' executed the 'copy /noconfirm running-config disk0:/modified-config.cfg' command.
Dec 17 2016 16:41:19: %ASA-5-111010: User 'enable_1', running 'N/A' from IP 0.0.0.0, executed 'copy /noconfirm running-config
     disk0:/modified-config.cfg'
        
firepower#
        Switching to Standby

firepower#

    在此案例中,整個FTD升級(兩個裝置)耗時約30分鐘。

    驗證

    此範例顯示來自主FTD裝置的FTD CLI驗證:

    > show high-availability config
Failover On
Failover unit Primary
Failover LAN Interface: FOVER Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(2)4, Mate 9.6(2)4
Serial Number: Ours FLM2006EN9U, Mate FLM2006EQFW
Last Failover at: 16:40:14 UTC Dec 17 2016
        This host: Primary - Active
                Active time: 1159 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)4) status (Up Sys)
                  Interface inside (192.168.75.111): Normal (Monitored)
                  Interface outside (192.168.76.111): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)4) status (Up Sys)
                  Interface inside (192.168.75.112): Normal (Monitored)
                  Interface outside (192.168.76.112): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)

Stateful Failover Logical Update Statistics
        Link : FOVER Ethernet1/8 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         68         0          67         0
...
>

    此範例顯示從輔助/待命FTD裝置進行的FTD CLI驗證:

    > show high-availability config
Failover On
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(2)4, Mate 9.6(2)4
Serial Number: Ours FLM2006EQFW, Mate FLM2006EN9U
Last Failover at: 16:52:43 UTC Dec 17 2016
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)4) status (Up Sys)
                  Interface inside (192.168.75.112): Normal (Monitored)
                  Interface outside (192.168.76.112): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)
        Other host: Primary - Active
                Active time: 1169 (sec)
                  Interface inside (192.168.75.111): Normal (Monitored)
                  Interface outside (192.168.76.111): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)

Stateful Failover Logical Update Statistics
        Link : FOVER Ethernet1/8 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         38         0          41         0
    ...
>

    任務8.將原則部署到FTD HA配對

    升級完成後,您需要將原則部署到HA配對。以下內容顯示在FMC UI中:

    Apply Update

    部署策略:

    Deploy Policies

    驗證

    從FMC UI中看到的已升級FTD HA配對:

    Device Management

    從FCM UI看到的已升級FTD HA配對:

    Logical Devices

    相關資訊

    修訂記錄

    修訂 發佈日期 意見
    2.0
    08-May-2023
    重新認證
    1.0
    17-Dec-2016
    初始版本
    TAC Authored

    由思科工程師貢獻

    • Mikis Zafeiroudis
      Cisco TAC Engineer
    • Dinkar Sharma
      Cisco TAC Engineer
    • Edited by Olha Yakovenko
      Cisco TAC Engineer

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品