Sourcefire Upgrade Question

bgl-group
Level 1

I am after some advice here.

I have two sourcefire management centres (MC2000 appliances) running 5.4.1.7 as an HA Pair. They would have been on version 6 but 6 didn't support HA.

Now 6.1 has been released it does support HA for the management centres.

However the upgrade path from 5.4.1.7 is....

Version 5.4.1.x > Version 6.0 Pre-Installation Package > Version 6.0 > Version 6.0.1.x > Version 6.1
or
Version 5.4.1.x > Version 6.0 Pre-Installation Package > Version 6.0 > Version 6.0.1. > Version 6.1 Pre-Installation Package > Version 6.1

So does this mean I have to break the HA pair, upgrade the appliances and then re-form the HA?

Or would you break the HA pair, upgrade one appliance and re-image the second appliance then rejoin the HA?

Finally, is there an option to reimage the appliance and restore the database to the new box?

I am trying to figure out the best method to do this.

Giles

Jetsy Mathew
Cisco Employee

Hello Team,

HA has been supported from 6.1. To know how to start with the upgrade of an HA pair, please refer to the following release notes and check the section "Firepower Management Centers in a High Availability Pair".

You cannot update Firepower Management Centers in a high availability pair directly to Version 6.1. You must break the high availability configuration before beginning the update path to Version 6.1.

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html#pgfId-564967

Rate and mark the answers and posts which are helpful.

Regards

Jetsy 

Ok I will accept I need to break the HA pair first.

In this case, would the following make sense?

  1. Break HA
  2. Upgrade one node through to 6.1
  3. Re-image second node to 6.1 (assuming there is an ISO or similar I can use for this).
  4. Restore the HA configuration

Unless I can restore the 5.4 database onto 6.1 and this would be quicker... i.e.

  1. Break HA
  2. reimage node to 6.1
  3. backup original node
  4. restore this to the new 6.1 box
  5. reimage second node
  6. restore HA configuration

Your first method will work.

There is an iso image "Sourcefire_Defense_Center_S3-6.1.0-330-Restore.iso" available at https://software.cisco.com/download/release.html?mdfid=286290710&flowid=77262&softwareid=286271056&release=Rules%20Updates&relind=AVAILABLE&rellifecycle=&reltype=latest

Unfortunately you cannot restore the earlier version backup onto the newer version.

Pity I can't do the backup and restore but at least I know what to plan for now...

Will I have to upgrade the sensors during the main path or will 6.1 be able to operate a 5.4 agent?

Under the covers FirePOWER Management Center runs a database and, like most database-based products, version upgrades change the schemas, tables etc. Thus the restore process needs the backup to have been done from the same version.

A version 6.1 FMC can manage sensors at 5.4.0.6 or later. So if any of your sensors are earlier than that, they should be upgraded first.

Please see table 2 here for details: 

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html#26828

Thanks for that - I did have a faint hope that the restore procedure may have worked but it looks like a long day to upgrade the appliance... All my sensors are running 5.4.0.8 so at least I can schedule the upgrade of them at a later date.

Thanks again

Giles
