04-30-2023 03:52 AM - edited 04-30-2023 03:53 AM
Team
Thank you for your continuous support. I have to upgrade the FTD 2110 HA for one of the customers without downtime. The customer wants us to break the HA into 2 standalone units and then upgrade the standby unit first while passing the traffic through the active unit. After the standby is upgraded to the new software, the units have to be switched over: the active has to become standby and the standby has to become active, and the active unit should handle the traffic while the standby unit is being upgraded. This entire process should not impact the network traffic, that is, it has to be done without downtime.
Note: I have performed the same with an ASA HA firewall pair, but for the FTD pair I need your expertise on how to upgrade the FTD 2110 HA pair without network downtime. Please support me with your knowledge.
04-30-2023 04:14 AM - edited 04-30-2023 04:32 AM
I will double-check for the FPR 2110.
04-30-2023 04:25 AM
Thank you so much for your quick response with the guide, but it is for the 4100 series, where FXOS is to be upgraded. In our case, it is the 2110 FTD series. Shall I consider all steps except the FXOS part of the document?
04-30-2023 09:21 AM
Thank you so much.
Rob has given valid information and I submitted the same to the customer.
04-30-2023 08:39 AM
@arumugasamy there is no need to break the HA pair into 2 standalone units. You should not experience interruptions in traffic flow or inspection while upgrading high availability or clustered devices. For high availability pairs, the standby device upgrades first. The devices switch roles, then the new standby upgrades. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/upgrade.html#Cisco_Generic_Topic.dita_f5e65f64-d2ac-4a1f-bdc5-4bd93d5d6def
The link previously provided for upgrading HA pairs states that if using 2100 or earlier platforms (1000 series), the FXOS upgrade is not applicable. That is because the FXOS upgrade is built in to the upgrade package on 1000/2100 hardware.
More information: https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/upgrade_firepower_threat_defense.html
You will need to ensure the FMC is already running 7.x before upgrading the FTD HA pair.
04-30-2023 09:18 AM