Updating FirePower Modules

Brian Dean
Level 1

We're looking at deploying 40+ Firepower ASA modules across our network (multiple sites) and I'm trying to find the best (read: fastest, least administrative) way to bring these modules from 5.4.1.0 (the base system image) up to 5.4.1.7, which runs on our management console. It seems that individual incremental upgrades are more successful but are very time consuming. Is there a system image with the patches slipstreamed? Pushing 5.4.1.7 seems to fail really frequently for some reason... working with TAC on that though.

9 Replies

ankojha
Level 3

Hi Brian,

Could you share the error which you are getting after pushing 5.4.1.7 so that we can assist you further?

Thanks,

Ankita

We've got quite a few FirePOWER customers now and literally several dozen 5.4 to 6.x SFR upgrades to get scheduled. Incremental upgrades can take most of a day per device to follow the insane process and customers don't want to see big labor bills for what to them should be a simple upgrade. The answer cannot be tear out ASAs for Meraki. Even complete mass reimaging can take hours per device and bomb for various reasons. There needs to be a faster way to maintain these. Any ideas?

Unfortunately re-imaging is currently the fastest method.

When I do upgrades and am on hourly rate I don't pass on the cost of every minute the device spends on the upgrade script. I figure that's only fair since I only look in on it in the background while I am engaged with other tasks. Typically that translates to about an hour for a re-image and 2 or so for several cascaded incremental upgrades where re-imaging is not an option for one reason or another.

The Cisco business unit is aware that upgrades are a pain point and is taking steps to make them less cumbersome going forward.

However as of the current 6.2.0.1 release that's how it is.

I'm seeing from multiple sources that reimaging is the best bet vs. the insane incremental path in some cases. Granted, we've seen lighter shades of incremental headaches on WLC, ACS and other systems not running a monolithic image but this is particularly cumbersome as you say. Compared to upgrading IOS, IOS XE, NX-OS, ASA, etc., it is quite obvious to customers that FirePOWER upgrades have a disproportionate work requirement. This is not only a friction point with customers in keeping these devices up to date but makes them think twice about getting deeper into FirePOWER implementation.

Our engineers have often been billing only a portion of the time spent on these upgrades, depending on what issues they run into, but even a few hours to upgrade one FMC VM & SFRs on an ASA pair raises a customer eyebrow. Telling a customer with just a dozen firewalls that we need to put an engineer on FirePOWER upgrades alone for a couple days has created billing issues and we've had some where we incurred a lump of time we couldn't bill or had to open TAC cases for upgrades that went off the rails for no good reason. It's not good from services value, scheduling or resource consumption aspects either.

We are anxious to see Cisco bundle these upgrades better, hopefully to the point that, like on IOS XE, a bundle image of several packages self-deploys, self-verifies and upgrades whatever previous version to current in one image & reboot, even if it needs to update file system, bootloader, microcode or whatever. Until such time, we struggle to upgrade these like everyone else looking for a better faster way.

When I do re-image, I do not use Cisco Notes. I re-image the old-fashioned way... if you can follow my thoughts...

It is much faster than the release or user guide.

The Cisco release notes re-imaging process is still convoluted after more than 10 years.

I agree with your points. There's lots of opportunity for improvement in the FP upgrade process and time required.

If you're with a partner be sure to channel your feedback to your Cisco GSSO Security SE. It's real world experiences like ours that help prioritize and guide product development.

Coincidentally the Security SE Virtual Team event is going on in San Jose this week and we are making sure to provide whatever good feedback we have to make sure our points are heard.

Ed Padilla Jr
Level 1

This is common when you try to push all upgrades or patches at the same time. In theory it should work. Just do a group of 5 first, wait until it starts the process (looking at the task manager when it hits 1 to 7%), then proceed with the next batch of 5. And so on.

Jetsy Mathew
Cisco Employee

Hello Brian,

As a best practice, it's always recommended to refer to the release notes for the specific version that you are trying to move to.

http://www.cisco.com/c/en/us/td/docs/security/firesight/5408/relnotes/FireSIGHT-System-Release-Notes-version5408-and-5417.html

These release notes will help you plan your upgrade based on an average estimated time. First of all, make sure that you meet all version requirements to move to the targeted version. During the maintenance window you can upgrade multiple Firepower modules together. Please attach a screenshot of the error that you faced at 7%. Another important thing to make sure of is to always reapply the access control policies to all the Firepower modules before you attempt the upgrade, otherwise the upgrade may fail.

Rate if the post helps you

Regards

Jetsy 

Ed Padilla Jr
Level 1

Brian,

If you can manage to re-image to 6.2 you will be in a better position to work resolution of issues under 5.4.x. Or at least try 6.1.x.

ed
