cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

857
Views
0
Helpful
6
Replies
Highlighted
Beginner

Sourcefire Upgrade Question

I am after some advice here.

I have two sourcefire management centres (MC2000 appliances) running 5.4.1.7 as an HA Pair. They would have been on version 6 but 6 didn't support HA.

Now 6.1 has been released it does support HA for the management centres.

However the upgrade path from 5.4.1.7 is....

Version 5.4.1.x > Version 6.0 Pre-Installation Package > Version 6.0 > Version 6.0.1.x > Version 6.1
or
Version 5.4.1.x > Version 6.0 Pre-Installation Package > Version 6.0 > Version 6.0.1. > Version 6.1 Pre-Installation Package > Version 6.1

So does this mean I have to break the HA pair, upgrade the appliances and then reform the HA.

Or would you break the HA pair, upgrade one appliance and re-image the second appliance then rejoin the HA.

Finally is there an option to reimage the appliance and restore the database to the new box.

I am trying to figure out the best method to do this.

Giles

Everyone's tags (2)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Hall of Fame Guru

Your first method will work.

Your first method will work.

There is an iso image "Sourcefire_Defense_Center_S3-6.1.0-330-Restore.iso" available at https://software.cisco.com/download/release.html?mdfid=286290710&flowid=77262&softwareid=286271056&release=Rules%20Updates&relind=AVAILABLE&rellifecycle=&reltype=latest

Unfortunately you cannot restore the earlier version backup onto the newer version.

View solution in original post

Highlighted
Hall of Fame Guru

Under the covers FirePOWER

Under the covers FirePOWER Management Center runs a database and, like most database-based products, versions upgrades change the schemas, tables etc. Thus the restore process needs the backup to have been done from the same version.

A version 6.1 FMC can manage sensors at 5.4.0.6 or later. So if any of your sensors are earlier than that, they should be upgraded first.

Please see table 2 here for details: 

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html#26828

View solution in original post

6 REPLIES 6
Highlighted
Cisco Employee

Hello Team,

Hello Team,

HA started supporting from 6.1 . To know how to start with the upgrade of HA pair please refer the following release notes and check the section "Firepower Management Centers in a High Availability Pair" .

You cannot update Firepower Management Centers in a high availability pair directly to Version 6.1. You must break the high availability configuration before beginning the update path to Version 6.1.

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html#pgfId-564967

Rate and mark the answers and post which are helpful.

Regards

Jetsy 

Highlighted
Beginner

Ok I will accept I need to

Ok I will accept I need to break the HA pair first.

In this case would the following make sense.

  1. Break HA
  2. Upgrade one node through to 6.1
  3. Re-image second node to 6.1 (assuming there is an ISO or similar I can use for this).
  4. Restore the HA configuration

Unless I can restore the 5.4 database onto 6.1 and this would be quicker... i.e.

  1. Break HA
  2. reimage node to 6.1
  3. backup original node
  4. restore this to the new 6.1 box
  5. reimage second node
  6. restore HA configuration
Highlighted
Hall of Fame Guru

Your first method will work.

Your first method will work.

There is an iso image "Sourcefire_Defense_Center_S3-6.1.0-330-Restore.iso" available at https://software.cisco.com/download/release.html?mdfid=286290710&flowid=77262&softwareid=286271056&release=Rules%20Updates&relind=AVAILABLE&rellifecycle=&reltype=latest

Unfortunately you cannot restore the earlier version backup onto the newer version.

View solution in original post

Highlighted
Beginner

Pity I can't do the backup

Pity I can't do the backup and restore but at least I know what to plan for now...

Will I have to upgrade the sensors during the main path or will 6.1 be able to operate a 5.4 agent?

Highlighted
Hall of Fame Guru

Under the covers FirePOWER

Under the covers FirePOWER Management Center runs a database and, like most database-based products, versions upgrades change the schemas, tables etc. Thus the restore process needs the backup to have been done from the same version.

A version 6.1 FMC can manage sensors at 5.4.0.6 or later. So if any of your sensors are earlier than that, they should be upgraded first.

Please see table 2 here for details: 

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html#26828

View solution in original post

Highlighted
Beginner

Thanks for that - I did have

Thanks for that - I did have a faint hope that the restore procedure may have worked but it looks like a long day to upgrade the appliance... All my sensors are running 5.4.0.8 so at least I can schedule the upgrade of them at a later date.

Thanks again

Giles