ASA/FTD Firepower Update Procedures

nevin.maurice1
Level 1

Hello

 

We have an urgent situation to try and get our Cisco Firewalls/Firepower devices up to the latest 6.2.2.x version.

 

We currently have the following environment with devices running in HA (Active-Standby) so 2 devices of each below.

 

Firepower Management Center = 6.2.0.3

 

2 x FTD 4110 > Firepower = 6.2.0.2 , FXOS = 2.1(1.72)(1)

 

2 x ASA5516X-SFR > ASA = 9.5.3, Firepower = 6.1.0.3

 

2 x ASA5516X with FTD > Firepower = 6.2.0.2

 

 

What are the upgrade procedures (and version path) to get all these devices up to version 6.2.2.x?

 Cisco's Compatibility Matrix is not the most clear.

Thanks

16 Replies

To start with, upgrade your FMC to 6.2.2.1. This is a requirement before upgrading FTDs.

Next, download the FTD 6.2.2 and 6.2.0 images. Your 6.2.0.x can go to 6.2.2 directly. Your 6.1.x need to go to 6.2.0, then to 6.2.2.

You can use FMC to update your FTDs and FP module; this way you can launch the upgrade readiness check before proceeding with the upgrade.

Thank you for your quick reply.  What about the FXOS and ASA code?  From what I see in Cisco matrix, FXOS should be 2.2.2 when using Firepower 6.2.2?  And ASA should be 9.8?  Is that correct?

Rahul Govindan
VIP Alumni

I would use the Firepower 6.2.2 release notes as the starting point for looking up the upgrade paths:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/relnotes/Firepower_Release_Notes_622/Firepower_Release_Notes_622_chapter_0101.html#concept_kc4_qvb_yz

 

In general you would need to update the FMC before the FTD devices. And for the 4100 devices, you would need to have a compatible FXOS version to support 6.2.2 release (FXOS 2.2.x)

 

A Firepower Management Center running Version 6.2.2 can manage the following devices:

  • Firepower 2100 series devices—Version 6.2.1, Version 6.2.2

  • All other Firepower devices—Version 6.1.0 or later, Version 6.2.0 or later, Version 6.2.2 or later

 

So if I put this all together:

1) Upgrade FMC to 6.2.2

2) Upgrade FXOS to 2.2 on 4100 devices

3) Upgrade FTD to 6.2 on 4100 and ASA5516-x devices

 

Always check release notes for the right version numbers.

 

Hey @nevin.maurice1

You will need the file to upgrade the sensor to the new version and the FMC upgrade file for the Manager. Both files should end in ".sh", like below:

Cisco_Network_Sensor_Upgrade-6.2.2-81.sh
Sourcefire_3D_Defense_Center_S3_Upgrade-6.2.2-81.sh


The update paths to version 6.2.2 are:

Firepower Management Center—Version 6.2.0.x
Version 6.2.0 > Version 6.2.1 > Version 6.2.2

2 x FTD 4110 > Firepower = 6.2.0.2 , FXOS = 2.1(1.72)(1)
Version 6.1.0 > Version 6.2.0 > Version 6.2.2

2 x ASA5516X-SFR > ASA = 9.5.3, Firepower = 6.1.0.3
Version 6.1.0 > Version 6.2.0 > Version 6.2.2


2 x ASA5516X with FTD > Firepower = 6.2.0.2
Version 6.1.0 > Version 6.2.0 > Version 6.2.2
 

After you verify the upgrade path, you need to first upgrade the FMC and then the Firepower devices that it manages.

Please read the Release notes below:
https://www.cisco.com/c/en/us/td/docs/security/firepower/622/relnotes/Firepower_Release_Notes_622/Firepower_Release_Notes_622_chapter_0101.html

Thank you all for your feedback.  I think I have sorted out all the versions I need to have in order to achieve this.

 

I do have 1 final question.  All Cisco documentation seems to indicate that in order to update an ASA5500X that has been re-imaged/converted to Firepower Threat Defense device, it involves reloading a boot image, a system image, and then finally the FTD software update.

 

My FMC = confirmed good to go

- Update to 6.2.2 directly from 6.2.0.3

My FTD 4100 devices = confirmed good to go

- update FXOS through Firepower Chassis Manager and update FTD v 6.2.2 through FMC

My ASA 5500X with Firepower Service module (SFR) = confirmed good to go

- update my ASA code to compatible version and FTD v6.2.2 through FMC 

 

Unclear

My ASA 5500x FTD devices (they have been converted to FTD, so no SFR) = this is where my question comes in above.  Do I need to update boot image, system image, and FTD, or can I just update the FTD version through FMC once my FMC is at 6.2.2.  It seems strange to have to do this for each update Cisco releases???

An ASA with FTD image can be upgraded directly via FMC - there's no need to re-image just to upgrade.

Thanks everyone for your guidance!!

Can I hop on this thread?  I have 2 - ASA 5525x with FireSight in active/standby. ASAs are 9.6.4.3.

VDC and Firesight are 5.4.1.8 and 5.4.0.9

The person that set this up has left the company and I will be taking this over.  I need to get to 6.2.2. 

 

Can anyone share the quickest path to get there (without re-imaging) for the VDC/FMC as well as the hardware??

 

Is this correct?

Upgrade to 6.0 pre install 5.4.0.999

Upgrade to 6.0.1213

Upgrade to 6.1 pre install 6.0.1.999

Upgrade to 6.2

Upgrade to 6.2.2

 

Can I go from 6.0 > 6.1 >6.2 without doing the patches?

Is there a FMC and FirePower matrix to go from 5.4.1.8 to 6.2.2.2?

 

Any help would be appreciated.

 

Thank you

 

AM 

@Arnold Montemayor,

 

That's correct. It will be a long process to get them all on the same 6.2.2 release. (6.2.3 might be out before you finish!)  Each FMC and module upgrade will take 1 hour +. You're probably looking at about 2 working days assuming all goes well. There's no shortcut unless you re-image.

 

See the path for 6.2.2 laid out here:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/relnotes/Firepower_Release_Notes_622/Firepower_Release_Notes_622_chapter_0101.html#concept_kc4_qvb_yz

 

...and the instructions for 6.0 here if you want to see details on 5.4.1.x:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/relnote/firepower-system-release-notes-version-600.html#47316

 

Note that you will need to update the modules to 6.1 once you get FMC on 6.1. That's because FMC 6.2 cannot manage devices running any release prior to 6.1.

Thank you so much Marvin.  I have a feeling I am in for a long weekend.  If you don't mind me asking,  does this look correct?  File names are in bold.

 

Upgrade Virtual Defense Center to 5.4.1.9-53 then to 5.4.1.10-36

Upgrade FireSight to 5.4.0.11-36 (sensors)

 

Run Pre-install to 6.0

Cisco_Network_Sensor_6.0.0_Pre-install-5.4.0.999-2.

 

Upgrade Virtual Defense Center 5.4.1.8 to FirePower Management Console 6.0.0-1005

asasfr-sys-6.0.0-1005.pkg

Upgrade FireSight to FirePower (sensors)

Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh

 

Run Pre-install to 6.1

Cisco_Network_Sensor_6.1.0_Pre-install-6.0.1.999-32.sh

 

Upgrade FirePower Management Console to 6.1.0-330

asasfr-sys-6.1.0-330.pkg

Upgrade FirePower to 6.1.0.6-85 (sensors)

Cisco_Network_Sensor_Upgrade-6.1.0-330.sh

 

Upgrade FirePower Management Console to 6.2.0-362 (or can I go right to 6.2.2?)

asasfr-sys-6.2.0-362.pkg

Upgrade FirePower to 6.2.0.4-85 (sensors)

Cisco_Network_Sensor_Upgrade-6.2.0-362.sh

 

Upgrade FirePower Management Console to 6.2.2 (or can I just do the incremental upgrades?).

asasfr-sys-6.2.2-81.pkg

Upgrade FirePower to 6.2.2-81 (sensors)

Cisco_Network_Sensor_Upgrade-6.2.2-81.sh

Sorry,  PLEASE disregard the last post.  I had some wrong information.  This is what I have for the upgrade path.

 

Run Pre-install to 6.0

Cisco_Network_Sensor_6.0.0_Pre-install-5.4.0.999-2.

 

Upgrade Virtual Defense Center 5.4.1.8 to FirePower Management Console 6.0.0-1005

asasfr-sys-6.0.0-1005.pkg

Upgrade FireSight to FirePower (sensors)

Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh

 

Run Pre-install to 6.1

Cisco_Network_Sensor_6.1.0_Pre-install-6.0.1.999-32.sh

 

Upgrade FirePower Management Console to 6.1.0-330

asasfr-sys-6.1.0-330.pkg

Upgrade FirePower to 6.1.0.-330 (sensors)

Cisco_Network_Sensor_Upgrade-6.1.0-330.sh

 

Upgrade FirePower Management Console to 6.2.0-362 (Can I go right to 6.2.2?)

asasfr-sys-6.2.0-362.pkg

Upgrade FirePower to 6.2.0.362 (sensors)

Cisco_Network_Sensor_Upgrade-6.2.0-362.sh

 

Upgrade FirePower Management Console to 6.2.2 (or can I just do the incremental upgrades?).

asasfr-sys-6.2.2-81.pkg

Upgrade FirePower to 6.2.2-81 (sensors)

Cisco_Network_Sensor_Upgrade-6.2.2-81.sh

We are currently using ASDM to manage the ASA and VDC to manage FireSight.

We would like to keep things that way during the upgrade.  For now at least.

 

Can you confirm FMC is the replacement for VDC and will keep this separate, and that FTD is the unified (combined) management software?

 

Thanks again,

I am glad I reached out to you.  After looking through your documentation, I have a much better understanding of the process.  I had downloaded some of the wrong files because I thought the FMC software was included in the pkg file.  I believe I finally have the correct upgrade path (see below).

Does this look correct?

 

6.0

 

Run Pre-install for FMC from 5.4.1.8 to 6.0

Sourcefire_3D_DefenseCenter_S3_6.0.0_Pre-install-5.4.1.999-21.sh

Upgrade FMC to 6.0

Sourcefire_3D_Defense_Center_S3_Upgrade-6.0.0-1010.sh

Run Pre-install to upgrade sensor to 6.0

Cisco_Network_Sensor_6.0.0_Pre-install-5.4.0.999-2.

Upgrade Network Sensor to 6.0.0-1005

Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh

 

6.1

 

Run Pre-install for FMC from 6.0 to 6.1

Sourcefire_3D_Defense_Center_S3_Pre-install-6.0.1.999-1252.sh

Upgrade FMC to 6.1

Sourcefire_3D_Defense_Center_S3_Upgrade-6.1.0-337.sh

Run Pre-install to upgrade sensor to 6.1

Cisco_Network_Sensor_6.1.0_Pre-install-6.0.1.999-32.sh

Upgrade Network Sensor to 6.1.0-330

Cisco_Network_Sensor_Upgrade-6.1.0-330.sh

 

6.2

 

Upgrade FMC to 6.2

Sourcefire_3D_Defense_Center_S3_Upgrade-6.2.0-367.sh

Upgrade Network Sensor to 6.2.0-362

Cisco_Network_Sensor_Upgrade-6.2.0-362.sh

Upgrade Network sensor to 6.2.2-81

Cisco_Network_Sensor_Upgrade-6.2.2-81.sh

You have it mostly correct.

 

Just add: update your FMC to 6.2.2 prior to updating the network sensor.
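
The ordering rule repeated throughout this thread (upgrade the FMC first, then the sensors it manages) can be checked mechanically against a list of upgrade files. The following is an added example, not part of any post and not Cisco tooling; the file-name patterns are inferred from the names quoted in the thread, and `parse` and `check_plan` are hypothetical helpers.

```python
import re

# File names from the last upgrade plan posted in the thread, in the order given.
PLAN = [
    "Sourcefire_3D_DefenseCenter_S3_6.0.0_Pre-install-5.4.1.999-21.sh",
    "Sourcefire_3D_Defense_Center_S3_Upgrade-6.0.0-1010.sh",
    "Cisco_Network_Sensor_6.0.0_Pre-install-5.4.0.999-2.",
    "Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh",
    "Sourcefire_3D_Defense_Center_S3_Pre-install-6.0.1.999-1252.sh",
    "Sourcefire_3D_Defense_Center_S3_Upgrade-6.1.0-337.sh",
    "Cisco_Network_Sensor_6.1.0_Pre-install-6.0.1.999-32.sh",
    "Cisco_Network_Sensor_Upgrade-6.1.0-330.sh",
    "Sourcefire_3D_Defense_Center_S3_Upgrade-6.2.0-367.sh",
    "Cisco_Network_Sensor_Upgrade-6.2.0-362.sh",
    "Cisco_Network_Sensor_Upgrade-6.2.2-81.sh",
]

# Assumption: upgrade packages are named <product>_Upgrade-<version>-<build>.sh,
# as in the names quoted in the thread. Pre-install files do not match.
UPGRADE = re.compile(
    r"^(Sourcefire_3D_Defense_?Center_S3|Cisco_Network_Sensor)"
    r"_Upgrade-(\d+(?:\.\d+)*)-(\d+)\.sh$"
)

def parse(name):
    """Return (role, version tuple) for an upgrade package, else None."""
    m = UPGRADE.match(name)
    if not m:
        return None
    role = "fmc" if m.group(1).startswith("Sourcefire") else "sensor"
    return role, tuple(int(part) for part in m.group(2).split("."))

def check_plan(files):
    """List sensor upgrades that would leave a sensor newer than its FMC."""
    fmc_version = (0,)          # no FMC upgrade seen yet
    problems = []
    for name in files:
        parsed = parse(name)
        if parsed is None:      # pre-install or unrecognised file: skip
            continue
        role, version = parsed
        if role == "fmc":
            fmc_version = version
        elif version > fmc_version:
            problems.append((name, fmc_version))
    return problems

if __name__ == "__main__":
    for name, fmc in check_plan(PLAN):
        print(f"{name}: FMC is only at {'.'.join(map(str, fmc))}")
```

Run against the plan as posted, it flags only the final sensor upgrade to 6.2.2, which is the step the last reply corrects.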
