06-04-2025 03:03 AM
At the moment, the FMC and the connected FTD are the same version. If I want to update in the future, what is the order of actions? Do I update the FMC first, and then the FTD? I tried to connect another FTD device of an older version to the FMC and the FMC could not connect it, indicating that the FTD has an old version. Will it turn out that if I update the FMC, it will disconnect the already connected device?
06-04-2025 05:00 AM - edited 06-04-2025 05:10 AM
Hi @Denis Negik,
The FMCs can generally only manage FTD devices that are on a lower or equal version to themselves. There are some exceptions, however. So, most of the time you must upgrade the FMC first and then the FTDs after. It is strongly recommended you read through the configuration and upgrade guides.
The upgrade process will differ based on whether your devices are virtual or not, which may require a host environment upgrade in addition to the standard upgrades. Likewise, some FTDs may require FXOS upgrades to be compatible with the Threat Defense version upgrades.
Similarly complicated, patch releases (4th digit) require the associated maintenance release to be installed first, so you'd have to install the maintenance release and then do another upgrade to install the patch afterwards if you were wanting to jump maintenance release versions. Another note on this is that your managed devices (FTDs) can be on a patch release whilst the FMC is on the same major and maintenance release but without the patch. So, this is just one example where it is not always the case that you need to upgrade the FMC first, but unless instructed otherwise, upgrade the FMC first and then the FTDs/managed devices.
In general, they should always be on the same version ultimately even if you can mismatch the operating versions, because there is enhanced testing performed by Cisco for FMCs and FTDs of which the versions are matched. Also, not all platforms support a given patch. This is a bit of an information overload and ramble, but the gist I want to get across is that you need to read the documentation as it will be vastly different based on your deployment.
Will it turn out that if I update the FMC, it will disconnect the already connected device?
If the correct upgrade path is followed it should not disconnect any connected devices. You would need to view the documentation for your given current release.
If you read the Compatibility Guide of the FTDs, it will explain what the oldest version of device is that can be managed by a given FMC version, however you should check the specific release notes first. This would be the general guidance though:
Cisco Secure Firewall Threat Defense Compatibility Guide - Cisco
I have put some links below. I would suggest primarily viewing the Compatibility Guides and Install and Upgrade Guides for your relevant versions as well as the release notes for your current and target versions. The documentation should provide you with all the information you need, but there are good third-party resources too.
General documentation for FTD / Secure Firewall:
Cisco Secure Firewall Threat Defense - Cisco
General documentation for FTDv / Secure Firewall Virtual:
Cisco Secure Firewall Threat Defense Virtual - Cisco
General documentation for FMCv:
Cisco Secure Firewall Management Center Virtual - Cisco
General documentation for FMC:
Cisco Secure Firewall Management Center - Cisco
Hopefully that is helpful to you, but please ask further if anything is confusing.
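The ordering rules described in the answer above can be written down as a small pre-upgrade check. This is an added example, not part of the original post and not Cisco code: the function names, device names, sample versions and the `oldest` value are constructed for illustration, and it does not model intermediate upgrade hops, FXOS, host environment or per-platform patch support, which come from the Compatibility Guide and release notes.

```python
from typing import Dict, List, Tuple

def parse(version: str) -> Tuple[int, ...]:
    """'7.4.1.1' -> (7, 4, 1, 1); a missing patch (4th) digit becomes 0."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def manageable(fmc: str, ftd: str, oldest: str) -> bool:
    """True if the FMC can manage the FTD under the rules in the answer.

    `oldest` is the oldest device release the FMC version manages; the
    operator reads it from the Compatibility Guide (not modelled here).
    Only the first three digits count: a device may be patched ahead.
    """
    return parse(oldest)[:3] <= parse(ftd)[:3] <= parse(fmc)[:3]

def install_steps(current: str, target: str) -> List[str]:
    """Releases to install, in order, to move one appliance to `target`."""
    cur, tgt = parse(current), parse(target)
    if tgt <= cur:
        return []
    steps = []
    if cur[:3] != tgt[:3]:
        # Jumping maintenance releases: install the base release first.
        steps.append(".".join(map(str, tgt[:3])))
    if tgt[3]:
        # The patch is a separate upgrade on top of its base release.
        steps.append(".".join(map(str, tgt)))
    return steps

def plan(fmc: str, ftds: Dict[str, str], target: str) -> List[str]:
    """FMC first, then every managed device."""
    out = [f"FMC -> {v}" for v in install_steps(fmc, target)]
    for name in sorted(ftds):
        out += [f"{name} -> {v}" for v in install_steps(ftds[name], target)]
    return out

if __name__ == "__main__":
    # Constructed sample inventory; versions are illustrative only.
    devices = {"ftd-a": "7.2.5", "ftd-b": "7.4.1"}
    for name, ver in devices.items():
        print(name, "manageable now:", manageable("7.4.1", ver, "7.0.0"))
    for step in plan("7.4.1", devices, "7.4.2.1"):
        print(step)
```

Running the check before the FMC upgrade, with `oldest` set to the value for the target FMC release, shows which already-registered devices would fall outside what the upgraded FMC manages.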