topic Re: FMC Version Suggestions for Upgrade in Network Security

FMC Version Suggestions for Upgrade

rsharp001 — Mon, 08 Aug 2022 17:05:48 GMT

Hi all -

I am beginning a project to migrate from 6.6.5, that is controlling an old AMP8150 and a pair of FTD1100s. The Migration is away from the 8150 and a pair of ASA5500 to the Secure Firewall 3100 series, I have been reading the documentation I'll have to stand up a FMC 7.1 or above to control the new units (they shipped with 7.1 installed). My understanding is that the older unit cannot be managed by a version above 6.6.5 so I'm looking at running 2 FMCs during the process. I want to migrate my objects and current rules to minimize some of the hand configuration, I plan to run a test import of the current backup. Eventually I will move the 1100s over to the new install, but that will be planned for after since it'll have some downtime.

- I'm looking to see what version of FMC you all are using 7.1 or 2?

- Any landmines you all may have stepped on that I could avoid?

- Better way you all may have done this?

Thank you!

Re: FMC Version Suggestions for Upgrade

balaji.bandi — Mon, 08 Aug 2022 18:32:31 GMT

FMC 7.1 is a good go, if you looking to 7.2 look at release notes and caveats.

i suggest offline build in parallel with exiting setup and test if you can offline all rules are migrated as expected. some offline testing. and making small downtime window to cutover to new environment is best option I see.

also make sure to keep the old kit still live and not connected, in case required to fallback plan.

Re: FMC Version Suggestions for Upgrade

Marvin Rhoads — Tue, 09 Aug 2022 02:23:34 GMT

7.2 will be a longer term release than 7.1. Of course 7.1 is the minimum required for Firepower 3100. Personally I would go with FMC 7.2 and 7.2 on the 3100 as well. I'm not running 7.2 on any firewalls yet but have it on a couple of FMCs without any problem. As far as Gold Star, it will likely be moved to 7.0.4 (out very soon but a moot point for your situation) and then eventually move next to 7.2.x.

You cannot restore an older backup onto a new system. You could restore onto a freshly built FMC 6.6.5 and then upgrade it to 7.1/7.2 directly.

Re: FMC Version Suggestions for Upgrade

Massimo Baschieri — Tue, 09 Aug 2022 07:38:18 GMT

@Marvin Rhoads

Do you know why 7.0.4 will be relesed only few weeks after 7.0.3 despite 7.0.3, according to bug tool doesn't have any relevant but?

Re: FMC Version Suggestions for Upgrade

Sheraz.Salim — Tue, 09 Aug 2022 08:32:33 GMT

we hit bug in 7.0.3 where the deployment the the FTD/Sensors keep failing the bug ID CSCwc34590.

Re: FMC Version Suggestions for Upgrade

rsharp001 — Tue, 09 Aug 2022 12:19:09 GMT

Thank you Marvin. On a restore, does it bring all the underlying OS settings over, like IP/hostname, or is it just going to be the application settings?

When moving the 1100 boxes, 2 in HA, can I simply just point them at the new manager from the CLI or am I going to need to break their HA and migrate individual and then rebuild? Downtime will be scheduled either way, more curious if I must go a longer route or if there is an easy button.

Re: FMC Version Suggestions for Upgrade

Marvin Rhoads — Tue, 09 Aug 2022 13:15:55 GMT

@Sheraz.Salim the link you provided is Cisco-internal. The public link is https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc34590

Re: FMC Version Suggestions for Upgrade

Sheraz.Salim — Tue, 09 Aug 2022 13:16:30 GMT

routing tables (For example if you using static routes) They do not push in deployment from the restore backup. you have to manually define again the static routes and push the police. if you use Cert for vpn or for anyconnect or site-to-site. Just export the identity certificate and manually restore the identity cert in a fresh install FTD. rest object object group acl all good.

You still need to add your FTD (new one) in NAT section and on the platform setting doing this it will save your time.

Re: FMC Version Suggestions for Upgrade

Sheraz.Salim — Tue, 09 Aug 2022 13:18:06 GMT

Hey Marvin. hope you doing well. Oh did not notice that. Thank you for this. I was just with TAC today I asked them when the 7.0.4 is due. they could not answer this 🙂 Do you have any idea when its due to release?

Re: FMC Version Suggestions for Upgrade

Marvin Rhoads — Tue, 09 Aug 2022 13:26:35 GMT

@rsharp001 I have used the FMC model migration script along with the configure-model.sh script to fool it into allowing migration paths that are not directly allowed in the first script (i.e. same-same model). It uses a backup file as its input and brings over EVERYTHING. IP address, host name, etc. If you want to keep both online, then just change back the address of the new one after running the script.

To add the HA pair on the new FMC, it will already know about them from the restore operation. The devices themselves will need a configure manager delete / add cycle to make them sync up with the new FMC.

Regarding the timing of 7.0.4, the release notes' published bugs for 7.0.3 is not complete - it only includes public-facing bugs. So 7.0.4 will cover more than just the open caveats publicly listed for 7.0.3

Re: FMC Version Suggestions for Upgrade

Marvin Rhoads — Tue, 09 Aug 2022 13:29:15 GMT

Hi @Sheraz.Salim. A TAC engineer told me earlier this week to expect 7.0.4 on 10 August 2022. I have a customer with whom I'm hitting a bug that should be fixed in 7.0.4 so I'm hoping he's right.

As with all Cisco dates, I will believe it only after it appears on the downloads page.

Re: FMC Version Suggestions for Upgrade

Massimo Baschieri — Wed, 10 Aug 2022 07:50:40 GMT

"Regarding the timing of 7.0.4, the release notes' published bugs for 7.0.3 is not complete - it only includes public-facing bugs. So 7.0.4 will cover more than just the open caveats publicly listed for 7.0.3"

That's very annoying, apart from cisco hiding the most dangerous bugs to its customers, which is by itself a very bad habit, many bugs appear to be related to a wrong or incomplete list of releases/devices in bug tool.

How can a poor engineer be safe to upgrade his deployments?

Re: FMC Version Suggestions for Upgrade

Marvin Rhoads — Wed, 10 Aug 2022 13:48:02 GMT

@Massimo Baschieri I feel your pain. I have personally brought this up as a concern with multiple Cisco TMEs, SEs, product managers etc. over the years (>20) and seen zero progress on this practice changing. That tells me it's just not a priority with Cisco.

I get the message they would like you to purchase the premium support package like High Touch Technical Support (HTTS) and then have a designated Cisco engineer available to you to do a bug scrub from their perspective of being able to see every bug - internal and public.

Re: FMC Version Suggestions for Upgrade

rsharp001 — Wed, 10 Aug 2022 14:43:20 GMT

@Marvin RhoadsIs it safe to assume this will work for migrating the FMCv as well? I just downloaded the 6.6.5 tar and will be installing fresh, importing the backup, then upgrading. I'm not married to the IP address, more concerned with bringing over the rules, objects, settings, and hopefully just changing the management of the 2 1100 devices.

Re: FMC Version Suggestions for Upgrade

Marvin Rhoads — Wed, 10 Aug 2022 18:06:34 GMT

FYI @Massimo Baschieri 7.0.4 was just posted today.

Here are the resolved caveats: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/bugs.html#Cisco_Generic_Topic.dita_773d382f-8f55-45bb-8511-c76df5419f63

Re: FMC Version Suggestions for Upgrade

Marvin Rhoads — Wed, 10 Aug 2022 18:07:11 GMT

@rsharp001 yes that will work for FMCv