09-17-2021 01:04 PM
I am planning to upgrade the ASA SFR module from 6.1.0 to 6.7.0.
The ASA version is 9.6(2).
During the planning, the following questions arose:
I need help with this to avoid interruption of operations and have a great planning.
Regards
09-17-2021 01:48 PM
Hi @ali.rodriguez,
Just a quick one to start - what is your hardware? Since you are using ASA with Firepower services, I can assume you are using some of the 5500-X devices, and, off the top of my head, I believe v6.6 is the last supported version for this hardware, but please double check.
Yes, a reimage of the module is quite different from an upgrade. This means you are deleting the module completely and installing it again, and you won't have any configuration on top. If you proceed with an upgrade, in theory, you would keep your existing configuration on the module. In reality, you have too many major versions in between, and, based on experience, your upgrade will fail at some point, so practically, you don't have any other option but to reimage the modules.
Yes, you can reimage the module as many times as you want. Each time you'll need to go through initial setup.
Reimaging of modules is an easier task, as all of your configuration is stored on FMC (hopefully, as you didn't mention this part). In this case, for FMC you also have 2 options:
Once FMC is upgraded, you'll reimage modules directly to target version, and register them to updated FMC.
Regarding patching, for intermediate steps, yes, it is advised to install latest patch before proceeding with upgrade. For final version, again it is required to install latest patch.
Regarding service interruption, with ASA w/ Firepower, you can remove traffic redirection from the ASA config, thus making the Firepower module without any usage. This would also decrease your security (no more NGFW) for the time of the upgrade, but it won't affect your production traffic.
BR,
Milos
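The redirection removal mentioned in the reply above, sketched as ASA CLI; this is an added example, not part of the original posts. The policy-map name `global_policy` and class name `sfr_class` are assumptions, so check the running configuration for the names actually used, and note whether the existing line is `sfr fail-open` or `sfr fail-close` so the same mode is restored afterwards.

```cisco
! --- Before the maintenance window: record the current state ---
! Module status and software version
show module sfr details
! Which policy-map and class carry the "sfr" redirect line
show running-config policy-map
! Counters confirm traffic is currently being redirected
show service-policy sfr

! --- Remove redirection (names below are assumptions) ---
! With fail-close left in place, a module that is down for
! reimaging would cause the ASA to drop the matched traffic.
configure terminal
 policy-map global_policy
  class sfr_class
   no sfr fail-open
 end

! Counters should stop incrementing for the sfr action
show service-policy sfr

! --- After reimage, initial setup and FMC registration ---
! Re-enable only once the module reports "Up" and the access
! control policy has been deployed from FMC.
show module sfr details
configure terminal
 policy-map global_policy
  class sfr_class
   sfr fail-open
 end
show service-policy sfr
```

While the redirect line is absent, traffic passes with ASA inspection only, so keep the window short and confirm the counters resume after it is restored.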
09-17-2021 01:06 PM - edited 09-17-2021 01:07 PM
In addition, I'm planning to perform this upgrade via CLI.
09-17-2021 02:32 PM
Yes, it is a 5508 ASA with Firepower services. I'm planning to reimage to 7.0 because I am going to use a clean install of FMC 7.0 instead of the upgrade process.
In theory, if I need to return the module to version 6.1 again and I do it through a re-image, would it be possible to restore the backup and let it work again with the FMC that I am currently using (FMC 6.1)?
Or would these backups no longer serve to restore? Would I have to configure it manually? Or is it better that I configure it manually if I need to?
Thanks
09-19-2021 03:39 AM
Backups are for FTD-imaged devices, not for ASA Firepower service modules. So the questions about backups are moot.
In the case of using FMC to manage your Firepower service module, the majority of the configuration is in the Access Control Policy and associated child policies (IPS, Network Discovery, etc.). Those all remain intact on FMC and can be reassociated and deployed to a reimaged device once it is newly managed.
If you want to revert for some reason (by reimaging) you could reassociate the policies from FMC just like is done in the case of reimaging to 7.0 (or 6.7 as you originally indicated was your plan).