
Upgrade Firepower

Today, at one customer, we have a vFMC and 2 FTDs (Primary and Secondary).

I want to update the Firepower 22xx from version 6.2.3.4 to version 6.2.3.11, but I want to update only the Primary FTD and leave the Secondary FTD off and not updated. If there is a problem, is it possible to bring up the FMC clone and turn on the Secondary FTD on version 6.2.3.4, or not? Can I update only one device?

I'll put the steps that will be done just below:

 

Steps:
Step 1 - Clone the vFMC (clone the whole virtual machine).
Step 2 - FMC Backup (Configurations - Backup / Restore and Export Configurations)
Firepower Update
Step 3 - Disconnect the FTD Secondary from the network
Step 4 - Update the FMC from version 6.2.3.4 to version 6.2.3.11
Step 5 - Upgrade the Primary FTD from version 6.2.3.4 to version 6.2.3.11
Leave only the Primary FTD on; the Secondary FTD remains off.
If a problem occurs on the Primary FTD with the newly installed version 6.2.3.11, we will turn off the Primary FTD, connect the FMC clone that we backed up (which is on version 6.2.3.4), and then connect the Secondary FTD.
I need to know if this will work. Will the Secondary FTD synchronize and work? Will the FMC clone work?

1 Reply

Abheesh Kumar
VIP Alumni
Hi,
If the FTD is in HA, you cannot upgrade a single box from the high availability cluster, and you also cannot start the upgrade activity if any of the devices is in a failed state.
Once you start the upgrade from FMC to FTD, it is an automated process. First it will upgrade the secondary box; after the upgrade, traffic will switch over to the upgraded box, and then it will start upgrading the other one.
The FMC upgrade case is different: if you face any issue with 6.2.3.11, you can uninstall the patch which you installed.

Hope This Helps
Abheesh