Firepower module ASA planning upgrade

ali.rodriguez
Spotlight

I am planning to upgrade the ASA sfr module from 6.1.0 to 6.7.0.

The ASA version is 9.6(2).

 

During the planning, the following questions arose:

 

  • Is re-imaging and installing the new version different from performing an upgrade on the ASA sfr module?
  • In case this re-image and installation of the new version fails, can I re-image again and install the previous version again? Or what is recommended in case of this failure?
  • Can I do this re-image and install directly from 6.1.0 to 6.7.0?
  • For this re-image and installation of the new version, do I have to install all the patches for the current version before installing the new one?

 

I need help with this to avoid interruption of operations and to have great planning.

 

Regards

Accepted Solutions

Milos_Jovanovic
VIP Alumni

Hi @ali.rodriguez,

Just a quick one to start - what is your hardware? Since you are using ASA with Firepower services, I can assume you are using some of the 5500-X devices, and, off the top of my head, I believe v6.6 is the last supported version for this hardware, but please double check.

Yes, a reimage of the module is quite different than an upgrade. This means you are deleting the module completely and installing it again, and you won't have any configuration on top. If you proceed with an upgrade, in theory, you would keep your existing configuration on the module. In reality, you have too many major versions in between, and, based on experience, your upgrade will fail at some point, so practically, you don't have any other option but to reimage the modules.

Yes, you can reimage the module as many times as you want. Each time you'll need to go through initial setup.

Reimaging of modules is an easier task, as all of your configuration is stored on FMC (hopefully, as you didn't mention this part). In this case, for FMC you also have 2 options:

  • Clean install of new FMC, manual migration of policies from old to new system (if doable, of course)
  • Upgrade of FMC, step by step (again, huge chances that upgrade will fail at some point)

Once FMC is upgraded, you'll reimage modules directly to target version, and register them to updated FMC.

Regarding patching, for intermediate steps, yes, it is advised to install latest patch before proceeding with upgrade. For final version, again it is required to install latest patch.

Regarding service interruption, with ASA w/ Firepower, you can remove traffic redirection from the ASA config, thus leaving the Firepower module without any usage. This would also decrease your security (no more NGFW) for the time of the upgrade, but it won't affect your production traffic.

BR,

Milos


4 Replies

ali.rodriguez
Spotlight

In addition, I'm planning to perform this upgrade via CLI.


Yes, it is a 5508 ASA with Firepower services. I'm planning to reimage to 7.0 because I am going to use a clean install of FMC 7.0 instead of the upgrade process.

 

In theory, if I need to return the module to version 6.1 again and I do it through a re-image, would it be possible to restore the backup and let it work again with the FMC that I am currently using (FMC 6.1)?
Or would these backups no longer serve to restore? Would you have to configure it manually? Or is it better that I configure it manually if I need to?

 

Thanks

Backups are for FTD-imaged devices, not for ASA Firepower service modules. So the questions about backups are moot.

In the case of using FMC to manage your Firepower service module, the majority of the configuration is in the Access Control Policy and associated child policies (IPS, Network Discovery, etc.). Those all remain intact on FMC and can be reassociated and deployed to a reimaged device once it is newly managed.

If you want to revert for some reason (by reimaging) you could reassociate the policies from FMC just like is done in the case of reimaging to 7.0 (or 6.7 as you originally indicated was your plan).
