Re: Reimage Question

m.azlan · ‎04-07-2021

Hi,

I have some question regarding reimage FTD. We have a model Cisco 5545. The current version is 5.4.0-764 and plans to upgrade to 6.6.1. The question is can we use the backup current version after reimaging to 6.6.1? Since the path is very long, we try to consider reimage the FTD.

Another question, can we configure bypass mode to prevent interruption during upgrade/reimage? Meaning that to apply fail-open, I guess the term.

Marvin Rhoads · ‎04-08-2021

You seem to be asking about the ASA Firepower service module (not FTD).

When you reimage a Firepower service module, all configuration from the old module is lost. It cannot be migrated per se. If it was being managed by a Firepower Management Center, the Access Control Policy (and all other associated policies) can be reapplied to the newly imaged module.

You will have to re-do the bootstrap configuration of the module in either case (IP address, gateway, etc.).

If the class-map entry for sfr is fail-open then there will be no service impact when reimaging (other than loss of IPS services of course).

m.azlan · ‎04-09-2021

Hi Marvin,

Thank you for your reply. May I know if reimage, meaning that, we just need to configure the IP, gateway, etc and then establish a connection between FMC and FTD after that push the configuration (policy, etc) from FMC? it should be work right? no need to configure all the configuration right?

class-map entry for sfr is fail-open, may I know which guide to refer to this one? we need to configure before perform the upgrade.

Marvin Rhoads · ‎04-09-2021

m.azlan - that's correct.

Step 7 in the following document sets the fail-open or fail-close action using ASDM:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-150498

More details on the actual cli command:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/S/asa-command-ref-S/sa-shov-commands.html#wp3900250880