Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
559
Views
30
Helpful
2
Replies

Update Firepower Module from FMC

matt22
Level 1
Level 1

‎03-01-2022 06:52 AM

We have an active/standby pair and need to update the ASA FirePower module from FMC. How does this work? Does it update one firewall at a time? I assume it's fair to expect that there will be no downtime while updating. Is that correct?

2 Replies 2

rcullum
Level 1
Level 1

‎03-01-2022 08:38 AM - edited ‎03-01-2022 08:39 AM

If you running an ASA HA pair with a FirePower module (for IPS) on top, then only the IPS modules are managed via FMC. Regardless of the ASA state (standby/active), the IPS module on each ASA is managed individually in FMC and both FirePower modules are considered 'active'.  You probably want to check the state of your firewall pair, determine, which one is standby, and then upgrade the Firepower module on that one. Then after completion and policy push, do a controlled ASA firewall failover and then proceed to upgrade the IPS module on the new standby firewall. In theory, there should be no downtime.

As always, read the release notes for any caveats and check the upgrades guide. They do explain how to do this.

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-02-2022 08:22 AM

Correct as @rcullum explained.

For users running FTD HA pairs (or clusters), FMC will take care of upgrading the members one at a time and gracefully failing each member as it upgrades.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card