FMC upgrade from 6.2.3.10 to 6.4.0.7

Hi All,

I am planning to upgrade my vFMC from 6.2.3.10 to 6.4.0.7. Is it a direct upgrade path or do I need an intermediate upgrade to go to this version?

 

My exact plan is to migrate the vFMC to a physical appliance, which is currently running 6.3. Do I need to upgrade the FXOS on the physical appliance before I can upgrade to 6.4.0.7?

Thanks

 

 

Marvin Rhoads
Hall of Fame

An FMC appliance (either physical or virtual) does not run FX-OS. 

If you first upgrade to FMC 6.5 on your FMCv (and the same on the physical appliance), you will be able to back up from the VM and restore to the physical appliance. Prior to 6.5 this feature was not available.

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/migrate_your_fmc.html

You can upgrade from 6.2.3.10 to 6.5.0 and then patch to the latest patch version (currently 6.5.0.2).

 

Dear Mr. Marvin,

Thanks a lot for your response. 

We have ISE 2.3 integrated with vFMC which is not supported with FMC version 6.5.0.2. 

We have the following integration as well:

1) MS AD

2) Stealth Watch

3) Threat Grid

4) FireAMP( Cloud & On Prem)

5) FortiSIEM using estreamer.

I planned the migration as follows:

1) Create an additional VM with FMC version 6.2.3.10 (which is the same as the current vFMC).

2) Back up the current vFMC.

3) Unplug the current vFMC from the network.

4) Restore the backup to the new vFMC.

5) Let the FTD devices associate with the new vFMC.

6) Check the services and integrations.

7) Upgrade the new vFMC to 6.4.0, then patch to 6.4.0.2 or 6.4.0.7.

8) Check the services and integrations.

9) Back up the new vFMC.

10) Upgrade the physical FMC to match the version of the new vFMC.

11) Involve TAC to execute a command so that the appliance model will be changed to the VM platform for migration purposes (confirmed by TAC).

12) Restore the backup from the new FMC to the FMC appliance.

13) Unplug the new vFMC from the network to avoid the IP conflict.

14) Let the FTD devices associate with the FMC appliance.

15) Check the services and integrations.

My concerns are:

1) Do we need to regenerate the certificates used for ISE and other integrations after the backup and restore process (every time)? 

2) Will it be okay if, in case of a FATAL failure, I turn on/plug in the old vFMC (which is untouched)? Will all integrations work fine in this case?

 

Waiting for your valuable inputs

Thank You

While ISE 2.3 isn't listed in the FMC 6.5 integrated products table:

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_FB6BAC2CFBF446D5BA2CDD0E81F51C41

I believe that's primarily because it's not tested, not because it won't work at all. In any case, the current recommended ISE release is 2.6. I'd recommend getting onto that release sooner rather than later.

That aside, I don't believe that following your method should cause any problem. The certificates (both FMC's own including its private key and the trusted external ones like ISE) should restore from backup. Falling back to the original machine should also work.

You can always open a case with TAC proactively to verify your migration plan steps.

Hello Marvin,

 

Thanks a lot for the response. 
