Upgrade path to 5.4.1 then to 6

dodgerfan78
Level 1

I am currently on 5.3.1.7 on an ASA Firepower module. Can I upgrade straight to 5.4.1.8 and then go to 6? Do I need to go to 5.4.0 first?

I cannot find an easy upgrade path explanation in the release notes.

Thanks,

Bryan


Dennis Perto
Level 5

To be honest you would be better off by making a clean install of Firepower 6.1.

It can simply break too many times while upgrading the long and hard way you ask of. :)

Since 5.3 policies are not compatible with 6.2, how do you re-import all your policies after the fresh install?

You upgrade the FMC step-wise to the desired current version and re-deploy from there after re-imaging the target FirePOWER modules.

The inline upgrades on the FMC will convert the databases, policies etc. to match the current schemas.

There are some fine points that can be gleaned from the release notes (e.g. FMC 6.2 cannot manage a pre-6.1 device).

Thank you Marvin for your input. I understand you are talking about upgrading the FMC following the upgrade path. But what about the fresh install dennisperto and kaisero were talking about? How do you re-import all your policies after the fresh install?

Thank you for your help Marvin.

You do a fresh install on the sensor only. I agree with what Dennis and Oliver were saying there.

Since you upgraded the FMC inline, all policies remain intact and can be re-deployed to the re-imaged and registered sensor(s).

Ok, I understand I have to upgrade the FMC following the full path. Thank you Marvin.

Last question if I may. Could we imagine exporting the FMC configuration on a virtual machine, doing the inline upgrade on the VM following the upgrade path, then exporting the 6.2 configuration from the VM, fresh installing the production FMC and finally importing on it the configuration coming from the VM? Would there be any limitations doing that? (licences, etc...)

That export/restore wouldn't work. When you export or backup a configuration, it can only be restored onto the same version of FMC. Otherwise the database schema etc. won't match up.

As far as licenses, they are bound to the FMC's license ID which is a combination of the model number (an internal number used by Cisco - e.g., "66" for a Virtual FMC) plus the MAC address of the FMC management interface. On VMs, a given VM's MAC address is normally dynamically assigned by the hypervisor but it can be overridden.

Actually the idea would be to import first on a VM with the same current version as the production and then roll the upgrade on the VM. This is in order to minimize the downtime on the production and also to fix any bug/errors I would encounter in the upgrade path. If the upgrade succeeds on the VM, then I would fresh install the production FMC in 6.2, export the VM configuration (which is also in 6.2), and import it on the production FMC.

Can you confirm it would work? I use this process for other migrations like firewalls and I find this process very safe and flexible.

Again I really appreciate your help Marvin.

I'm not sure that would work. A backup/restore would be the normal operation.

You do not simply export a configuration in FMC as it's multiple databases, web settings etc. under the covers. If you restored onto a system other than the one that you did the backup from I would imagine it would at the very least give you some license key issues. I'm not sure what else might crop up as well.

Realize that an offline FMC does not affect the operations of any managed devices. They will enqueue connection events and such while the FMC is offline and catch up when it returns. Only if the FMC was offline for an extended period would new events possibly be lost. Any already-applied policy would continue to be enforced indefinitely.

Ok, I see.

Many thanks for your help Marvin.

Hi All,

I am very new to SFR implementation. I have an ASA 5525-X with built-in SFR.

We had some confusion on the License subscription and finally we were able to implement FMC with 5.4.0 and heard from Cisco tech that SFR in ASA 5.3.1-152 has some vulnerabilities and need to go for 6.2.

My ASA is also integrated with Anyconnect 3.1.04066, RSA Web appliance & Forcepoint - Websense & ASA running at 9.4.3

Now that we have not yet integrated SFR with FMC, what is the process to upgrade to 6.2?

Do I need to follow all the process discussed by some of our experts?

Please guide me so that I will not mess up anything.

Krishna,

Get your FMC to release 6.2 first. Then simply reimage the ASA FirePOWER module straight to 6.2.

Register the module with FMC, license it and then patch everything to the latest update (currently 6.2.0.2).

Then build/deploy policies.

Hi Marvin,

Thanks for your prompt and swift response.

However, do I need to procure license again for FMC for 6.2 or the existing license which was used to build FMC on 5.4.0 will also work for the upgrade?

Kindly suggest further on this.

You're welcome. Please rate if it helped.

Your existing license can remain in effect.

Since version 6.0, FMC licenses are right-to-use (i.e., not enforced via a PAK and license key).
