Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4616
Views
10
Helpful
10
Replies

FireSIGHT System upgrade and FirePOWER Module compatability

Go to solution
Ve Con
Level 1
Level 1

‎09-21-2016 02:34 PM

Hello,

I am being confused with all the terminologies between the versions on the ASA FirePOWER.  

And I am running into the situation that I have to upgrade to fix the cisco bugs ID:  44482, 58658, 92151, 80503 (no fix yet).

I am using cluster of ASA 5515-x:

  • FirePOWER module OS version: 5.4.0-763
  • FireSIGHT system (virtual appliance): 5.4.1.6 (build 40)
  • ASA version 9.3.2
  • ASDM 7.5.2(153)
  • AnyConnect 3.1.07021   

  1. For bug ID 44482 and 58658, i need to upgrade my FireSIGHT system from 5.4.1.6 (build 40) to 6.1
  2. For bug ID 92151, i need to upgrade my ASA from 9.3.2 to 6.1.2 (which requires ASDM 7.6.2+)

Reading this link confused me a lot more with all different terminologies:

http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_964C63B709B24CFF83DC1BB991F68CFB

So just to be straight to the point and hopefully reduce the confusion that I already had, please anyone can tell me:

1)  If i upgrade my FireSIGHT to 6.1, will it still work with my current version FirePOWER module, ASA and ASDM?

2)  If not, which order should i upgrade first?

3) If I upgrade FireSIGHT system to 6.1, will I still need the virtual machine?  The above link just created me with more and more questions (not sure if it's even make sense to ask, but I ask anyway ...)

4) From above link, i see it says "FirePOWER system", not sure what it means, FireSIGHT system manager or the FirePOWER module or The Firepower Management Center (version 6.x)

5) Firepower Threat Defense - is it a feature automatically included in if I upgrade the FireSIGHT system manager to 6.1?  If so, no need additional license?

6) According to this, I need to upgrade my anyConnect to version 4 if I upgrade ASA to 9.6.2.  Where can i download the new version?

ASA
ASDM 1
Cisco Secure Desktop
Cisco AnyConnect

9.6

7.6

end-of-life

AnyConnect 4.x for desktop

AnyConnect 4.0 for mobile devices

Note AnyConnect 3.1.x is end of life March 1, 2016.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-21-2016 05:31 PM

Answering your questions as listed above:

1. No. You should first upgrade the ASA FirePOWER modules to at least 5.4.0.6. Reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html#15155

2. Upgrade your ASA FirePOWER module to 5.4.0.6 using your existing FireSIGHT Management Center 5.4.1.6 first. Then upgrade your manager to 6.1. Finally, bring your ASA modules up to the same level (strongly recommended but not mandatory). 

3. You have the option of using ASDM for management as of FirePOWER 6.x but it's still recommended to use the management center as it is capable of pushing the same policies to multiple managed devices, consolidate events and reporting, etc.

4. The terminology has changed across releases. That's explained in detail in the following reference: http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_9C7ED89DF14645BDA166E80F7BDA5FB7

5. No. FTD is a completely different image that combines traditional ASA features (though not all of them at this point) with FirePOWER features in a single running image and user interface. It requires re-imaging your ASA, migrating policies and its own distinct licenses for the IPS, URL Filtering and Advanced Malware (AMP) features.

6. No, AnyConnect 3.x will still work. It's just End of Sales so it's not listed in the reference you looked at. To upgrade to 4.x you need to purchase one of the new 4.x license types (Plus or Apex vs the old Essentials and Premium, more or less - with more low level details also applicable).

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Ve Con

‎09-22-2016 02:19 PM

Yes you should use the patch file you noted. You can push to both modules at once or one at a time.

Only downside of both at once is that you might have FirePOWER module reload about the same time on both and be without the service for a few minutes.

5.4.1.x is only for the "Kenton" models (5506, 5508, 5516) only.

"Saleen" platform (all the other 5500-X models) are supported with for 5.4.0.x and 6.x+

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-21-2016 05:31 PM

Answering your questions as listed above:

1. No. You should first upgrade the ASA FirePOWER modules to at least 5.4.0.6. Reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html#15155

2. Upgrade your ASA FirePOWER module to 5.4.0.6 using your existing FireSIGHT Management Center 5.4.1.6 first. Then upgrade your manager to 6.1. Finally, bring your ASA modules up to the same level (strongly recommended but not mandatory). 

3. You have the option of using ASDM for management as of FirePOWER 6.x but it's still recommended to use the management center as it is capable of pushing the same policies to multiple managed devices, consolidate events and reporting, etc.

4. The terminology has changed across releases. That's explained in detail in the following reference: http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_9C7ED89DF14645BDA166E80F7BDA5FB7

5. No. FTD is a completely different image that combines traditional ASA features (though not all of them at this point) with FirePOWER features in a single running image and user interface. It requires re-imaging your ASA, migrating policies and its own distinct licenses for the IPS, URL Filtering and Advanced Malware (AMP) features.

6. No, AnyConnect 3.x will still work. It's just End of Sales so it's not listed in the reference you looked at. To upgrade to 4.x you need to purchase one of the new 4.x license types (Plus or Apex vs the old Essentials and Premium, more or less - with more low level details also applicable).

0 Helpful

Go to solution
Ve Con
Level 1
Level 1
In response to Marvin Rhoads

‎09-22-2016 02:06 PM

Thanks, Marvin for the great info.  Greatly appreciate your feedback 

1) Is this the right one to use/download?

Cisco_Network_Sensor_Patch-5.4.0.6-33.sh

Since i am using 2 ASA with active/standby (primary/secondary), when I use FireSIGHT to push the update, can i just select both FirePOWER Module at the same time when it asks me? Or I have to select one FirePOWER module at a time for the push? If one at a time, should I do the active first, or the secondary first, or it doesn't matter?

Since I have to upgrade the firePOWER module, should i just go straight to version 5.4.1.7? If so, is it possible for me to upgrade straight to 5.4.1.7 or there is a rolling upgrade path that I must follow?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Ve Con

‎09-22-2016 02:19 PM

Yes you should use the patch file you noted. You can push to both modules at once or one at a time.

Only downside of both at once is that you might have FirePOWER module reload about the same time on both and be without the service for a few minutes.

5.4.1.x is only for the "Kenton" models (5506, 5508, 5516) only.

"Saleen" platform (all the other 5500-X models) are supported with for 5.4.0.x and 6.x+

0 Helpful

Go to solution
Ve Con
Level 1
Level 1
In response to Marvin Rhoads

‎09-29-2016 11:16 AM

Thanks, Marvin.  This is what I experienced when upgrading to Cisco_Network_Sensor_Patch-5.4.0.6-33.sh.  Just sharing ...

  1. I selected both firePOWER modules to upgrade at the same time
  2. At the beginning, I saw a lot of "no communication" error on the Task Status window for both firePOWER modules.  It took quite long time for it to retry multiple times and finally it successfully upgrade the 1 firePOWER module which is on the active ASA.  During the process the "script running ..." it shows % completed together with "no communication" message.  Generally, if you think the longer you wait, the higher % number you'll see, but it's not always the case here.  The % decreased as I waited and then it came back up.
  3. I had to install the patch again on the other firePOWER module.  Then the firePOWER modules rebooted automatically.
  4. Refreshed the FireSIGHT management system to see the update task status
  5. Finally, when the patching status appears as completed for both firePOWER modules, I'll need to use FireSIGHT to reapply the policies to firePOWER devices.  On the task status window, the message "Please reapply policies to your managed devices" shows up right next to each firePOWER module and the task.  Seeing this message, you'll know that you'll need to reapply the policies after the upgrade.

Here the fun part ....

6.  I thought I am done after reapplying the policies.  I logged into the ASDM and saw a lot of level 1 messages that happened during the upgrade.  


However, I keep seeing this message even after I left my office:

"(Primary) Other firewall reporting failure.  Reason: SSM card failure"

Not sure what step that I missed causing the above error ... I did the upgrade last night and the last time I saw above message showed on the ASDM syslog messages is around 8:43 pm last night.  I finished reapplying the policies at 7:19pm last night.  Don't see that error at all today.  Not sure how to check to make sure after the upgrade, the SFR modules are still working properly before I upgrade my fireSIGHT to 6.1

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Ve Con

‎09-29-2016 11:48 AM

[@kha@brtrc.com]  ,

You're welcome.

The percentages going up and down is an artifact of their being multiple stages in the upgrade process. They run sequentially and each stage reports its percentage of completion independently. So when FMC (or ASDM if you're not using FMC) is querying for updates it gets the current stage's completion percentage.

If you're interested in seeing the gory details, you can "tail -f" the logs from the command line while the upgrade is happening on a module. The logs are in directories specific to the upgrade under /var/log/sf. Once you see the (literally) hundreds of steps under the covers you will understand why they take so long.

If you see the modules up and health from your device inventory in FMC and you've re-applied your policy, they are good to go. They will similarly show up on the ASDM home screen (FirePOWER tab) or - for either management method - from cli with:

show module sfr detail

Go to solution
Ve Con
Level 1
Level 1
In response to Marvin Rhoads

‎09-30-2016 02:48 PM

Thanks Marvin.  Now, I'm 1 step getting closer.  First time doing all these upgrades ... 

  1. I am scheduled to upgrade the ASA to 9.6.2 (from 9.3.2), i am being told that i can do the straight upgrade from current version to 9.6.2.  Is that correct?

  2. I am planning to upgrade my ASDM to 7.6.2+ first and see if it works.  Not sure if from my current version, I need to do the rolling upgrade or any precaution step that i should take.  Please advice.  I am concern if after upgrading the ASDM to 7.6.2, will I still able to manage the ASA with version 9.3.2? Just in case i have a hiccup, pause, or whatever that stop me from continue to next step (upgrading the ASA)

  3. I haven't had approval to upgrade the FireSIGHT to 6.1 but I've upgraded FirePOWER modules to 5.4.0.6-33 already.  If I did #1 and #2 above, don't upgrade FireSIGHT to 6.1, is that still ok? I guess "yes" as FireSIGHT only manage the FirePOWER modules (it's working ok now after the minor upgrade to 5.4.0.6).  Just want to be sure than sorry later since all these are in production.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Ve Con

‎09-30-2016 03:13 PM

1. Yes. Reference.

2. No problem. See the ASA compatibility guide - as of ASA 8.0(2) and with all subsequent releases through now you can use the newest ASDM versions - as long as you meet the minimum for that hardware and software.
3. No problem. ASA 9.6(2) can co-exist with versions of FirePOWER modules from 6.1 and lower. The FirePOWER Management Center (formerly known as FireSIGHT or Defense Center before that) can be upgraded to 6.1 as long as the managed FirePOWER modules are at the 5.4.0.6-33 that you have. You cannot upgrade the modules to 6.1 until you have FirePOWER Manager at 6.1 or higher AND the ASA at 9.5(2) or later. Reference.

Go to solution
Ve Con
Level 1
Level 1
In response to Marvin Rhoads

‎12-23-2016 01:33 PM

I upgraded up to 6.0.1-1214 now and my SF modules are still using 5.4.0.6

I am seeing out-of-date 2 targeted devices.  The interface looks different now, i clicked on Policies -> Access Control - Access Control, hit generate report icon next to my Access Control Policy, the pdf generated with 0KB

I was told to push the policy to the sensor after every upgrade.  But with this version, new interface, i don't see anywhere I can push the policy to the sensor

Help please ... 

0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to Ve Con

‎12-23-2016 03:01 PM

There should be a 'Deploy' button on the top right corner. Click and choose the devices that you want to push the changes to.

0 Helpful

Go to solution
Ve Con
Level 1
Level 1
In response to Rahul Govindan

‎12-28-2016 09:36 AM

Thanks, Rahul.  I got that working.  

0 Helpful
Customers Also Viewed These Support Documents