Solved: Re: Firepower/Firesight Compatibility Matrix

Matt · ‎02-02-2018

I would like to upgrade our firepower modules as well as our firesight management console. Our modules are running 5.4.0.3-37 and our FMC is running 5.4.1.2. Is there a compatibility matrix that defines which modules are compatible with which FMC versions? I have searched the below link and it does not seem to contain this information.

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

Marvin Rhoads · ‎02-03-2018

Philip is correct about matching, generally speaking. However FMC 6.2.x (most recent is 6.2.2.1 as of this posting) requires the managed devices be at 6.1 or later.

If you upgrade sequentially you are in for a loooooooong process since your devices are very out of date.

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/622x/relnotes/Firepower_Relase_Notes_622x/Firepower_Relase_Notes_622x_chapter_01011.html#id_52977

An FMC upgrade takes 30 minutes to an hour depending on the platform and each device upgrade of the several you will need to do per device takes from 15-ish minutes (Firepower 7000 or 8000 series appliance) to as long as an hour and a half (ASA 5506 Firepower service module).

Depending on how many devices you are managing it may be easier to unregister the the devices, update your FMC to 6.2.2, re-image the sensors to 6.2.2 and then re-register / deploy policies. then finally deploy the 6.2.2.1 patch

View solution in original post

Philip D'Ath · ‎02-02-2018

You should keep the module version matching the FMC version. You are asking for trouble by not keeping them in sync.

Marvin Rhoads · ‎02-03-2018

Philip is correct about matching, generally speaking. However FMC 6.2.x (most recent is 6.2.2.1 as of this posting) requires the managed devices be at 6.1 or later.

If you upgrade sequentially you are in for a loooooooong process since your devices are very out of date.

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/622x/relnotes/Firepower_Relase_Notes_622x/Firepower_Relase_Notes_622x_chapter_01011.html#id_52977

An FMC upgrade takes 30 minutes to an hour depending on the platform and each device upgrade of the several you will need to do per device takes from 15-ish minutes (Firepower 7000 or 8000 series appliance) to as long as an hour and a half (ASA 5506 Firepower service module).

Depending on how many devices you are managing it may be easier to unregister the the devices, update your FMC to 6.2.2, re-image the sensors to 6.2.2 and then re-register / deploy policies. then finally deploy the 6.2.2.1 patch

Ajay Saini · ‎02-04-2018

Hello,

Although its recommended to keep the FMC and managed devices at parallel versions, it's unavoidable to have both at same versions since upgrade of FMC precedes the upgrade of managed devices.

To check the compatibility, you should check the release notes of the version to which you are planning to upgrade. For example, in your case, you should check the release notes for next release like FMC 6.0 version.

Now, FMC 6.0 version release notes will indicate if you can upgrade from current version and also if it can support the current managed device(till you upgrade them as well).

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/relnote/firepower-system-release-notes-version-600.html#pgfId-415774

HTH
AJ