Solved: Re: Update VDB on FMC HA

LuigiDiFronzo9542 · ‎06-16-2023

Hello,

I'd like to know the recommended procedure for the VDB updates on FMC in HA, and the deploy to a pair of FTD in HA too.

Is secure to do it automaticaly? First we must install the updates to both FMC and then a diferent task (push) to both FTD?

Thanks.

Marvin Rhoads · ‎06-19-2023

You're welcome @LuigiDiFronzo9542 .

The task "Push Latest Updates" stages the software on the eligible managed devices for later use. Some customers prefer to do this if they have environments where the bandwidth is limited between sites and they don't want to wait for the copying of the upgrade files (can be > 1 GB) during their actual time-limited upgrade change window.

View solution in original post

plwalsh · ‎06-16-2023

In my experience, its very safe to automate the installation of the latest VDB to FMC. Use the Scheduler to create a weekly task to check for VDB updates and install to FMC if an update is available. Use an email alert to notify you of the tasks.

Personally, I don't automate the deployment of the VDB to my FTD HA pair. I prefer to do the Deploy myself if FMC is running a new VDB. There can be a brief interruption to services when a Deploy task contains a new VDB, but its typically a couple of seconds.

LuigiDiFronzo9542 · ‎06-16-2023

Thanks for the response,

Do you prefer to deploy the FTD manually because the interruption or these is another reason? If we automate the VDB updates push to both FTD in out office hours woul be safe?

Thanks

plwalsh · ‎06-19-2023

I prefer to do it manually because sometimes there is a brief interruption. I checked my recurring task in FMC 6.6.5.2 which installs the latest VDB to FMC, I get this notification:
'After you update the VDB, you must also deploy configuration changes, which might interrupt traffic inspection and flow.'

To update VDB on a HA pair or a standalone FTD, a Deploy task is required after FMC has had the latest VDB installed. There is no task in the Scheduler to create a Deploy task. That is why after my VDB update check and VDB install tasks have run, I login to FMC to check if a Deploy is needed.

If your FTD devices operate as a active-standby HA pair, a single Deploy is required.

Marvin Rhoads · ‎06-19-2023

In addition to what @plwalsh correctly noted, the potential downside with automatic deployments is that if there is any possibility that anyone was working on a future change it would deploy along with the new VDB. Depending on your environment, that may be a non-issue; but for some folks it could be a very big deal.

LuigiDiFronzo9542 · ‎06-19-2023

Thank you @plwalsh and @Marvin Rhoads

I could see that the installation of the new VDB in FMC was sucesfull, and now I have a deployment pending for the FPR_HA for this case the VDB 366. So accordindg to the recomendation I'll apply this deploy after office hours.

I have a question related to the deploy automatically. If the fact of there is no task in the Scheduler to create a Deploy task for the ftd, makes sense to me, I see an option in the scheduler that tells "Push Latest Updates".

What is used this task "Push Latest Updates" for?

Thanks.

Marvin Rhoads · ‎06-19-2023

You're welcome @LuigiDiFronzo9542 .

The task "Push Latest Updates" stages the software on the eligible managed devices for later use. Some customers prefer to do this if they have environments where the bandwidth is limited between sites and they don't want to wait for the copying of the upgrade files (can be > 1 GB) during their actual time-limited upgrade change window.