03-01-2022 06:52 AM
We have an active/standby pair and need to update the ASA FirePower module from FMC. How does this work? Does it update one firewall at a time? I assume it's fair to expect that there will be no downtime while updating. Is that correct?
03-01-2022 08:38 AM - edited 03-01-2022 08:39 AM
If you are running an ASA HA pair with a FirePower module (for IPS) on top, then only the IPS modules are managed via FMC. Regardless of the ASA state (standby/active), the IPS module on each ASA is managed individually in FMC and both FirePower modules are considered 'active'. You probably want to check the state of your firewall pair, determine which one is standby, and then upgrade the FirePower module on that one. Then, after completion and policy push, do a controlled ASA firewall failover and proceed to upgrade the IPS module on the new standby firewall. In theory, there should be no downtime.
As always, read the release notes for any caveats and check the upgrades guide. They do explain how to do this.
03-02-2022 08:22 AM
Correct as @rcullum explained.
For users running FTD HA pairs (or clusters), FMC will take care of upgrading the members one at a time and gracefully failing each member as it upgrades.