Solved: Re: Upgrading FMC

NeWGuy1109 · ‎01-02-2020

Hello,

I am looking to upgrade my FMC from 6.2.3.4 version to 6.4.0.4. As i understand i need to go to 6.4.0 major version first and then apply 6.4.0.4 patch... is this correct ?

Also, i want to confirm whether for this upgrade i have to download the file which states upgrade from 6.2.1 + or the install package for ESXI (both marked in attachment).

Thanks

Rob Ingram · ‎01-02-2020

Hi,

Yes you will have to upgrade to the major version (6.4.0) first, then apply the 6.4.0.x patch

Here is the FMC upgrade guide, it details all the steps you should consider when performing the upgrade. Make sure you backup to a remote server before the upgrade.

You would download the upgrade package, the other package is for a fresh install of FMC on Vmware.

HTH

View solution in original post

Rob Ingram · ‎01-02-2020

Hi,

Yes you will have to upgrade to the major version (6.4.0) first, then apply the 6.4.0.x patch

Here is the FMC upgrade guide, it details all the steps you should consider when performing the upgrade. Make sure you backup to a remote server before the upgrade.

You would download the upgrade package, the other package is for a fresh install of FMC on Vmware.

HTH

h.dam · ‎04-10-2020

Hello,

I've just found this subject.Sorry to discuss lately.

If I upgrade FMC, do I need to upgrade IPS, ASDM and ASA firmware? Is it mandatory?

Thanks..

Marvin Rhoads · ‎04-11-2020

It's not mandatory as long as your Firepower and managed device aren't too far apart in version numbers.

Here is a matrix showing the compatibility:

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_7CC9392196754AD38B5250A9183027C8

h.dam · ‎04-11-2020

Hi Marvin,

Thank you very much for your quick response.

I've checked the matrix. For example, it said : if upgrade FMC to 6.4, ASA will be 9.12.

My ASA is 9.8.x, ASDM 7.8.x at this time. If I understood, I can keep them unchanged since it isn't mandatory.

Are there any impacts on ASA performance?

In my mind, FMC is used to manage IPS, the SFR module in ASA. I think there won't be any interactions between the module and ASA. Am I right?

I forgot to give the details: FMC is a VM appliance on ESX. ASA is 5545-X with SFR module integrated.

Regards.

Marvin Rhoads · ‎04-11-2020

If you run your FMC at version 6.4, the managed Firepower service module can be at version 6.1.0 through 6.4. 6.4.0.8 on both FMC and Firepower service module would be the best match as of now. I expect Cisco to recommend 6.5.x soon but currently they find 6.4.0.x to be the most stable unless you have specific requirements like new features or hardware that is only supported on 6.5+.

Your ASA verion 9.8.x is compatible with Firepower service module across that range and more. Generally we recommend checking both ASA compatibility here:

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_59075

...as well as Cisco recommendations for the best current ASA release as shown on the downloads page:

https://software.cisco.com/download/home/284143130/type/280775065/release/9.8.4%20Interim

For your case, 9.8(4)20 would be a good choice.

For ASDM, we generally recommend the latest. That is is currently 7.14(1)46:

https://software.cisco.com/download/home/284143130/type/280775064/release/7.14.1.46

Updating ASDM does not affect either the ASA software of the Firepower service module.

h.dam · ‎04-13-2020

Hello Marvin,
Your answer is very clear and precise. I am totally agree following the matrix and the versions you mentionned.

Thank you once again.

Marvin Rhoads · ‎04-13-2020

Great, please rate the answer if it's helpful.