Software Upgrades - FTD/ASA_with FirePower

Fantas
Level 1

Hi,

 

I have an upcoming software upgrade and have the questions below; I need answers, please.

 

Upgrading

1 - vFMC

2 - ASA 5516 with firepower module (Active/Standby)

3 - FTD2100 (Active/Standby)

4 - FTD Standalone

5 - ASA5516 Standalone

 

Questions :

1 - Can I do the software upgrade on the FTD2100 nodes through vFMC without going to the CLI? How much traffic interruption will there be, and how does this work, i.e. will FMC switch over the firewalls to minimize the interruption/outage?

2 - Can I do the software upgrade on the ASA with FirePower module through vFMC without going to the CLI, and how much traffic interruption/outage will there be?

3 - As far as I know vFMC will be done first and then FTD/ASA with firepower

4 - Best Practice of software upgrade to avoid outage for production traffic

5 - current versions on vFMC and FTD are 6.4.1 and upgrading to 6.4.5

6 - I think the upgrade of the standalone FTD and ASA with Firepower will be more straightforward through vFMC.

 

 

7 Replies

Marvin Rhoads
Hall of Fame

@Fantas ,

1 - Can I do the software upgrade on the FTD2100 nodes through vFMC without going to the CLI? How much traffic interruption will there be, and how does this work, i.e. will FMC switch over the firewalls to minimize the interruption/outage?

Yes, that is the preferred and recommended method. With HA pairs, it works much like ASA HA upgrades except FMC takes care of doing both units for you (standby first and then it takes on active role and upgrades former active unit).

2 - Can I do the software upgrade on the ASA with FirePower module through vFMC without going to the CLI, and how much traffic interruption/outage will there be?

Yes that is preferred. For HA pair there is no outage. Just a failover when the Active unit's Firepower module goes down for upgrade. For single units if your service policy is set for fail-open (by far the most common option) there is no outage as well.

3 - As far as I know vFMC will be done first and then FTD/ASA with firepower

Correct

4 - Best Practice of software upgrade to avoid outage for production traffic

Read the release notes and follow the upgrade guide.

5 - current versions on vFMC and FTD are 6.4.1 and upgrading to 6.4.5

I think you mean 6.4.0.1 to 6.4.0.5

6 - I think upgrade of standalone FTD and ASA with firepower will be more straight forward through vFMC,

Yes

Many Thanks,

 

I am going to attempt this soon.

For the ASA with Firepower service module, how will this work? Like this:

FMC will upgrade ASA Software version and then FirePower service module version.

Do we really need to upgrade the ASA software version, or can we just do the Firepower service module upgrade through FMC?

Ok.

The FMC does not interact with the ASA software at all. It only interacts with the Firepower service module which is analogous to a VM running on the ASA hardware alongside the ASA software.

You should check the compatibility guide to see whether an ASA software upgrade is necessary or recommended for your target Firepower service module software version.

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_60529

great.

 

So I can upgrade a Cisco ASA with Firepower service module with the steps below:

 

1 - Upgrade the ASA part the normal way, like we upgrade other ASAs.

2 - Once the ASA is upgraded as above, upgrade its Firepower service module through FMC.

 

And if we have an active/standby ASA cluster with Firepower service modules, will FMC upgrade both service modules (active/standby) and reboot them one by one?

 

Is the FXOS CLI for the Firepower service module? I have seen some CLI commands in the upgrade processes.

1. Yes, as usual for ASAs.

2. When upgrading an FTD HA pair from FMC the FMC takes care of the order of upgrades and ensuring one unit succeeds before upgrading the second one. That's because the FTD units are aware of each other.

If you have ASAs with Firepower service modules they are independent modules with no state communications between them as that is not inherited from their associated ASAs. So FMC can upgrade them but doesn't take care of the failing over and checking bits. That's up to each respective ASA.

Depending on the environment's sensitivity to loss of Firepower services I either:

a. upgrade both target modules as a group (letting the failover happen as it may between the respective ASAs when they detect a service module failure once the first one in the pair enters maintenance mode), or

b. upgrade one and then the other separately, taking care to manually fail over the ASAs in between so that there is continuous availability of Firepower services.

On FTD devices there is a CLI known as clish. There's also an FXOS CLI for the hardware on Firepower appliances, as well as a LINA CLI ("system support diagnostic-cli"), which is the classic ASA code ported onto the new system. It's a pretty complicated set of pieces. There are only a few commands for changing system configuration; the vast majority must be done via the management interface: FMC (which communicates via sftunnel), Firepower Device Manager (via API), or the Cisco Defense Orchestrator cloud-based product (also via API). For the very adventurous, you can also manage using your own orchestration toolset via API.

I would recommend a book if you want to understand those better than you can from a forum posting. See Nazmul Rajib's Cisco Press book (also available via O'Reilly / Safari):

http://www.ciscopress.com/store/cisco-firepower-threat-defense-ftd-configuration-and-9780134679518

Hello Marvin,

 

to your answer:

 

2 - Can I do the software upgrade on the ASA with FirePower module through vFMC without going to the CLI, and how much traffic interruption/outage will there be?

Yes that is preferred. For HA pair there is no outage. Just a failover when the Active unit's Firepower module goes down for upgrade. For single units if your service policy is set for fail-open (by far the most common option) there is no outage as well.

 

Unfortunately, I can't find any official instructions on how to upgrade the Firepower modules.
Nowhere is it described which module I should start with.

Do I start the upgrade with the active module first, or with the secondary?
Do you know of an official manual?

Thanks a lot

Upgrade the one not handling traffic first (i.e., the module in the standby ASA). After it shows as up/up from the ASA CLI ("show module sfr"), verify the ASA is in the Standby Ready state, then switch the ASA to the Active role ("failover active").

There are detailed upgrade instructions in the following guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/upgrade_asa_firepower.html
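The order given in the reply above (upgrade the standby unit's module, wait until "show module sfr" reports Up/Up, confirm the ASA is Standby Ready, only then issue "failover active") is easy to get wrong under change-window pressure, so a scripted pre-check is worth having. The Python helper below is an added example written for this thread; it is not Cisco tooling and not code from any poster. The two sample outputs are constructed and abbreviated (they follow the column layout of "show module sfr" and "show failover" but were not captured from a device), and parse_sfr_status, parse_failover_roles and readiness_check are hypothetical names.

```python
"""Pre-failover readiness check for an ASA + Firepower (sfr) module upgrade.

Added example for this thread (hypothetical helper, not Cisco tooling).
It parses pasted "show module sfr" and "show failover" output from the
ASA you are about to make Active and refuses if the module is not Up/Up,
is not on the expected version, or the failover roles are not as expected.
"""
import re

# Constructed sample: module already upgraded and healthy on the standby ASA.
SFR_READY = """\
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.4.0.5

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Up                 Up
"""

# Constructed sample: module still mid-upgrade, old version, no data plane.
SFR_UPGRADING = """\
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Unresponsive     6.4.0.1

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Unresponsive       Not Applicable
"""

# Constructed sample: this unit is the standby, peer is active.
FAILOVER_STANDBY = """\
Failover On
Failover unit Secondary
This host: Secondary - Standby Ready
Other host: Primary - Active
"""


def parse_sfr_status(text):
    """Extract module status, data-plane status and app version from show module sfr."""
    info = {"app_status": None, "version": None, "status": None, "data_plane": None}
    table = None
    for line in text.splitlines():
        if line.startswith("Mod"):  # header row tells us which table follows
            if "SSM Application Name" in line:
                table = "app"
            elif "Data Plane Status" in line:
                table = "dp"
            else:
                table = None
            continue
        fields = line.split()
        if not fields or fields[0] != "sfr":
            continue
        if table == "app" and len(fields) >= 3:
            info["app_status"], info["version"] = fields[-2], fields[-1]
        elif table == "dp" and len(fields) >= 3:
            info["status"] = fields[1]
            info["data_plane"] = " ".join(fields[2:])  # may be multi-word
    return info


def parse_failover_roles(text):
    """Return {'This host': {...}, 'Other host': {...}} from show failover."""
    pat = re.compile(r"^(This host|Other host):\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
    roles = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            roles[m.group(1)] = {"unit": m.group(2), "state": m.group(3)}
    return roles


def readiness_check(show_module_sfr, show_failover, expected_version):
    """Return (ok, problems): ok is True only when it is safe to run failover active."""
    problems = []
    mod = parse_sfr_status(show_module_sfr)
    roles = parse_failover_roles(show_failover)
    if mod["status"] != "Up" or mod["data_plane"] != "Up":
        problems.append("sfr module not Up/Up (status=%s, data plane=%s)"
                        % (mod["status"], mod["data_plane"]))
    if mod["version"] != expected_version:
        problems.append("sfr version %s, expected %s" % (mod["version"], expected_version))
    this_state = roles.get("This host", {}).get("state")
    peer_state = roles.get("Other host", {}).get("state")
    if this_state != "Standby Ready":
        problems.append("this ASA is '%s', not 'Standby Ready'" % this_state)
    if peer_state != "Active":
        problems.append("peer ASA is '%s', not 'Active'" % peer_state)
    return (not problems, problems)


if __name__ == "__main__":
    for label, sfr in (("ready", SFR_READY), ("upgrading", SFR_UPGRADING)):
        ok, why = readiness_check(sfr, FAILOVER_STANDBY, "6.4.0.5")
        print(label, "-> safe to fail over" if ok else "-> HOLD: " + "; ".join(why))
```

Paste the two command outputs from the standby ASA into the script (or read them from files) and run it before each "failover active"; then repeat the same check on the former active unit after its module has been upgraded, so both halves of the pair are verified the same way.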
