Understand the Steps and Impact of FTD High Availability Upgrade Procedure

Available Languages

Download Options

  • PDF     (19.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (83.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (69.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 2, 2026
Document ID:226003

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

A firewall administrator needs to understand the recommended upgrade procedure for Firewall Threat Defense (FTD) devices configured in a High Availability (HA) pair and managed by Cisco Firewall Management Center (FMC). The specific questions include what is the recommended process for software upgrades on these units, whether the upgrades can be performed "on the fly" without downtime, and what impact to expect during the upgrade process.

Environment

  • FTD running version 7.4. Other software versions can be also affected.

  • FTD configured in High Availability (HA) pair mode.

  • FMC 7.4 managing the FTD HA. Other software versions can be also affected.

Resolution

The upgrade procedure for FTD in HA configuration uses a specific sequence to minimize downtime and maintain system integrity.

Recommended Upgrade Order

Step 1. Upgrade the FMC first

Cisco guidance requires that the FMC must run the same or newer version than the devices it manages. You cannot upgrade an FTD device past the FMC to a newer maintenance or major version.

Step 2. Upgrade the FTD HA pair from FMC

When upgrading an FTD HA pair managed by FMC, the FMC upgrades one peer at a time (Standby first, then Active) and a failover occurs as part of the process.

Downtime and Traffic Impact Expectations

  • You must plan a maintenance window. Cisco notes upgrades can include interruptions to traffic flow and inspection, and devices can stop passing traffic during upgrade or if an upgrade fails.

  • With an HA pair, the goal is to minimize impact, but you need to expect at least one failover event and possible brief interruption (for example, routing adjacency or VPN renegotiation depending on your environment).

  • Avoid policy and configuration changes during the upgrade (no deployments or changes until both HA members are fully upgraded and stable).

Pre-Upgrade Health Checks for FTD HA


Before starting the upgrade, confirm FTD HA is stable and both units agree on Active and Standby Ready states:

device# show failover state 
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             16:10:34 UTC Apr 13 2026

====Configuration State===
        Sync Skipped
====Communication State===
        Mac set

Cause

This is a procedural inquiry regarding best practices for upgrading FMC and FTD systems in HA configuration. The question addresses the need to understand proper upgrade sequencing, downtime expectations, and impact mitigation strategies for critical firewall infrastructure.

Related Content

Revision History

Revision Publish Date Comments
1.0
03-Jun-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Mikis Zafeiroudis
    Cisco TAC Engineer
  • Ilkin Gasimov
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products