01-11-2020 12:18 AM - edited 02-21-2020 09:49 AM
Hi All,
I am planning to upgrade my vFMC from 6.2.3.10 to 6.4.0.7. Is it a direct upgrade path or do I need an intermediate upgrade to go to this version?
My exact plan is to migrate the vFMC to a physical appliance which is currently running 6.3. Do I need to upgrade the FXOS on the physical appliance before I can upgrade to 6.4.0.7?
Thanks
01-11-2020 03:13 AM
An FMC appliance (either physical or virtual) does not run FX-OS.
If you first upgrade to FMC 6.5 on your FMCv (and the same on the physical appliance), you will be able to back up from the VM and restore to the physical appliance. Prior to 6.5 this feature was not available.
You can upgrade from 6.2.3.10 to 6.5.0 and then patch to the latest patch version (currently 6.5.0.2).
01-20-2020 09:31 PM - edited 01-21-2020 01:39 AM
01-21-2020 12:42 AM
Dear Mr. Marvin,
Thanks a lot for your response.
We have ISE 2.3 integrated with vFMC which is not supported with FMC version 6.5.0.2.
We have the following integration as well:
1) MS AD
2) Stealthwatch
3) Threat Grid
4) FireAMP (Cloud & On Prem)
5) FortiSIEM using eStreamer.
I planned the migration as follows:
1) Create an additional VM with FMC version 6.2.3.10 (which is the same as the current vFMC)
2) Backup the current vFMC.
3) Unplug the current vFMC from network.
4) Restore the backup to the new vFMC.
5) Let the FTD devices be associated with the new vFMC.
6) Check the services and integrations.
7) Upgrade the new vFMC to 6.4.0 then patch to 6.4.0.2 or 6.4.0.7.
8) Check the services and integrations.
9) Backup the new vFMC.
10) Upgrade the physical FMC to match the version of the new vFMC.
11) Involve TAC to execute a command so that the appliance model will be changed to the VM platform for migration purposes (confirmed by TAC).
12) Restore the backup from the new FMC to the FMC appliance.
13) Unplug the new vFMC from the network to avoid an IP conflict.
14) Let the FTD devices be associated with the FMC appliance.
15) Check the services and integrations.
My concerns are:
1) Do we need to regenerate the certificates used for ISE and other integrations after the backup and restore process (every time)?
2) In case of a FATAL failure, will it be okay if I turn on/plug in the old vFMC (which is untouched)? Will all integrations be working fine in this case?
Waiting for your valuable inputs.
Thank You
01-21-2020 04:00 AM
While ISE 2.3 isn't listed in the FMC 6.5 integrated products table:
I believe that's primarily because it's not tested, not because it won't work at all. In any case, the current recommended ISE release is 2.6. I'd recommend getting onto that release sooner rather than later.
That aside, I don't believe that following your method should cause any problem. The certificates (both FMC's own including its private key and the trusted external ones like ISE) should restore from backup. Falling back to the original machine should also work.
You can always open a case with TAC proactively to verify your migration plan steps.
01-21-2020 05:45 AM
Hello Marvin,
Thanks a lot for the response.