Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco ASA Upgrade Guide

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco ASA Upgrade Guide

Chapter Title

Upgrade the ASA FirePOWER Module

Results

Updated:
November 2, 2020

Chapter: Upgrade the ASA FirePOWER Module

Upgrade the ASA FirePOWER Module

This document describes how to upgrade the ASA FirePOWER module using ASDM or the Firepower Management Center, depending on your management choice. Refer to Upgrade the ASA Appliance or ASAv to determine when you should perform the FirePOWER upgrade in a standalone, failover, or clustering scenario.

ASA FirePOWER Upgrade Behavior

Your ASA service policies for redirecting traffic to the ASA FirePOWER module determine how the module handles traffic during the Firepower software upgrade, including when you deploy certain configurations that restart the Snort process.

Table 1. Traffic Behavior During ASA FirePOWER Upgrade
Traffic Redirection Policy Traffic Behavior

Fail open (sfr fail-open )

Passed without inspection

Fail closed (sfr fail-close )

Dropped

Monitor only (sfr {fail-close}|{fail-open} monitor-only )

Egress packet immediately, copy not inspected

Traffic Behavior During ASA FirePOWER Deployment

Traffic behavior while the Snort process restarts is the same as when you upgrade the ASA FirePOWER module.

You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection. Your service policies determine whether traffic drops or passes without inspection during the interruption.

Upgrade an ASA FirePOWER Module Managed by ASDM

Use the following procedure to upgrade ASA FirePOWER modules managed by ASDM.


Caution
Do not make configuration changes, manually reboot, or shut down an upgrading module. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Procedure

Step 1

Make sure you are running a supported version of ASA.

There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest supported version.

See the ASA upgrade procedures for standalone, failover, and clustering scenarios for when to upgrade the ASA FirePOWER module in the sequence. Even if you are not upgrading the ASA software, you should still refer to the ASA failover and clustering upgrade procedures so you can perform a failover or disable clustering on a unit before the module upgrade to avoid traffic loss. For example, in a cluster, you should upgrade each secondary unit serially (which involves disabling clustering, upgrading the module, then reenabling clustering), and then upgrade the primary unit.

Step 2

Download the upgrade package from Cisco.com.

For major versions:

  • Upgrading to Version 6.0 through 6.2.2 — Cisco_Network_Sensor_Upgrade-[version]-[build].sh

  • Upgrading to Version 6.2.3+ — Cisco_Network_Sensor_Upgrade-[version]-[build].sh.REL.tar

For patches:

  • Upgrading to 5.4.1.x through 6.2.1.x — Cisco_Network_Sensor_Patch-[version]-[build].sh

  • Upgrading to Version 6.2.2.1+ — Cisco_Network_Sensor_Patch-[version]-[build].sh.REL.tar

Download directly from the Cisco Support & Download site. If you transfer a package by email, it may become corrupted. Note that upgrade packages from Version 6.2.2+ are signed, and terminate in .sh.REL.tar instead of just .sh. Do not untar signed upgrade packages.

Step 3

Connect to the ASA with ASDM and upload the upgrade package.

  1. Choose Configuration > ASA FirePOWER Configuration > Updates.

  2. Click Upload Update.

  3. Click Choose File to navigate to and choose the update.

  4. Click Upload.

Step 4

Deploy pending configuration changes. Otherwise, the upgrade may fail.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending on how your device handles traffic, may interrupt traffic until the restart completes. For more information, see ASA FirePOWER Upgrade Behavior.

Step 5

(Upgrading to Version 6.1+) Disable the ASA REST API.

If you do not disable the REST API, the upgrade will fail. Note that ASA 5506-X series devices do not support the ASA REST API if you are also running Version 6.0+ of the ASA FirePOWER module.

Use the CLI on the ASA to disable the REST API:

no rest-api agent

You can reenable it after the upgrade:

rest-api agent

Step 6

Choose Monitoring > ASA FirePOWER Monitoring > Task Status to make sure essential tasks are complete.

Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.
Step 7

Choose Configuration > ASA FirePOWER Configuration > Updates.

Step 8

Click the Install icon next to the upgrade package you uploaded, then confirm that you want to upgrade and reboot the module.

Traffic either drops throughout the upgrade or traverses the network without inspection, depending on how the module is configured. For more information, see ASA FirePOWER Upgrade Behavior.

Step 9

Monitor upgrade progress on the Task Status page.

Do not make configuration changes to the module while it is upgrading. Even if the upgrade status shows no progress for several minutes or indicates that the upgrade has failed, do not restart the upgrade or reboot the module. Instead, contact Cisco TAC.

Step 10

After the upgrade finishes, reconnect ASDM to the ASA.
Step 11

Choose Configuration > ASA FirePOWER Configuration and click Refresh. Otherwise, the interface may exhibit unexpected behavior.

Step 12

Choose Configuration > ASA FirePOWER Configuration > System Information and confirm that the module has the correct software version.

Step 13

If the intrusion rule update or the vulnerability database (VDB) available on the Support site is newer than the version currently running, install the newer version.

Step 14

Complete any post-upgrade configuration changes described in the release notes.
Step 15

Redeploy configurations.

Upgrade the Firepower Management Center

If you manage the ASA FirePOWER module using the Firepower Management Center, then you need to upgrade the Management Center before you upgrade the module.

Upgrade a Standalone FMC

Use this procedure to upgrade a standalone Firepower Management Center, including Firepower Management Center Virtual.


Caution
Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin

Check your place in the upgrade path, including hosting environment and managed device upgrades. Make sure you have fully planned and prepared for this step.

Procedure

Step 1

Deploy to managed devices whose configurations are out of date.

On the FMC menu bar, click Deploy. Choose devices, then click Deploy again. Deploying before you upgrade reduces the chance of failure.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending on how your device handles traffic, may interrupt traffic until the restart completes. .

Step 2

Perform final preupgrade checks.

  • Check health: Use the Message Center (click the System Status icon on the menu bar). Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

  • Running tasks: Also in the Message Center, make sure essential tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

  • Check disk space: Perform a final disk space check. Without enough free disk space, the upgrade fails.
Step 3

Choose System > Updates.

Step 4

Click the Install icon next to the upgrade package you want to use, then choose the FMC.

Step 5

Click Install to begin the upgrade.

Confirm that you want to upgrade and reboot the FMC.

Step 6

Monitor precheck progress in the Message Center until you are logged out.

Do not make configuration changes or deploy to any device while the FMC is upgrading. Even if the Message Center shows no progress for several minutes or indicates that the upgrade has failed, do not restart the upgrade or reboot the FMC. Instead, contact Cisco TAC.

Step 7

Log back into the FMC when you can.

  • Minor upgrades (patches and hotfixes): You can log in after the upgrade completes and the FMC reboots.

  • Major upgrades: You can log in before the upgrade completes. The FMC displays a page you can use to monitor the upgrade's progress and view the upgrade log and any error messages. You are logged out again when the upgrade completes and the FMC reboots. After the reboot, log back in again.

Step 8

If prompted, review and accept the End User License Agreement (EULA).

Step 9

Verify upgrade success.

If the FMC does not notify you of the upgrade's success when you log in, choose Help > About to display current software version information.

Step 10

Use the Message Center to recheck deployment health.
Step 11

Update intrusion rules (SRU) and the vulnerability database (VDB).

If the SRU or the VDB available on the Cisco Support & Downloads site is newer than the version currently running, install the newer version. For more information, see the Firepower Management Center Configuration Guide. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 12

Complete any post-upgrade configuration changes described in the release notes.
Step 13

Redeploy configurations.

Redeploy to all managed devices. If you do not deploy to a device, its eventual upgrade may fail and you may have to reimage it.

Upgrade High Availability FMCs

Use this procedure to upgrade the Firepower software on Firepower Management Centers in a high availability pair.

You upgrade peers one at a time. With synchronization paused, first upgrade the standby, then the active. When the standby FMC starts prechecks, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade. Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization.


Caution
Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin

Check your place in the upgrade path, including managed device upgrades. Make sure you have fully planned and prepared for this step.

Procedure

Step 1

On the active FMC, deploy to managed devices whose configurations are out of date.

On the FMC menu bar, click Deploy. Choose devices, then click Deploy again. Deploying before you upgrade reduces the chance of failure.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending on how your device handles traffic, may interrupt traffic until the restart completes. .

Step 2

Use the Message Center to check deployment health before you pause synchronization.

Click the System Status icon on the FMC menu bar to display the Message Center. Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

Step 3

Pause synchronization.

  1. Choose System > Integration.

  2. On the High Availability tab, click Pause Synchronization.

Step 4

Upgrade the FMCs one at a time—first the standby, then the active.

Follow the instructions in Upgrade a Standalone FMC, but omit the initial deploy, and stop after you verify update success on each FMC. In summary, for each FMC:

  1. Perform final preupgrade checks (health, running tasks, disk space).

  2. On the System > Updates page, install the upgrade.

  3. Monitor progress until you are logged out, then log back in when you can (this happens twice for major upgrades).

  4. Verify upgrade success.

Do not make or deploy configuration changes while the pair is split-brain.

Step 5

On the FMC you want to make the active peer, restart synchronization.

  1. Choose System > Integration.

  2. On the High Availability tab, click Make-Me-Active.

  3. Wait until synchronization restarts and the other FMC switches to standby mode.

Step 6

Use the Message Center to recheck deployment health.
Step 7

Update intrusion rules (SRU) and the vulnerability database (VDB).

If the SRU or the VDB available on the Cisco Support & Downloads site is newer than the version currently running, install the newer version. For more information, see the Firepower Management Center Configuration Guide. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 8

Complete any post-upgrade configuration changes described in the release notes.
Step 9

Redeploy configurations.

Redeploy to all managed devices. If you do not deploy to a device, its eventual upgrade may fail and you may have to reimage it.

Upgrade an ASA FirePOWER Module Managed by FMC

Use this procedure to upgrade an ASA FirePOWER module managed by an FMC. When you upgrade the module depends on whether you are upgrading ASA, and on your ASA deployment.

  • Upgrading standalone ASA devices: If you are also upgrading ASA, use the FMC to upgrade the ASA FirePOWER module just after you upgrade ASA and reload.

  • Upgrading ASA clusters and failover pairs: To avoid interruptions in traffic flow and inspection, fully upgrade these devices one at a time. If you are also upgrading ASA, use the FMC to upgrade the ASA FirePOWER module just before you reload each unit to upgrade ASA.

For more information, see ASA FirePOWER Upgrade Path: with FMC and the ASA upgrade procedures.


Caution
Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin

Check your place in the upgrade path, including ASA and FMC upgrades. Make sure you have fully planned and prepared for this step.

Procedure

Step 1

Deploy configurations to the devices you are about to upgrade.

On the FMC menu bar, click Deploy. Choose devices, then click Deploy again. Deploying before you upgrade reduces the chance of failure.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending on how your device handles traffic, may interrupt traffic until the restart completes. For more information, see ASA FirePOWER Upgrade Behavior.

Step 2

(Upgrading to Version 6.1+) Disable the ASA REST API.

If you do not disable the REST API, the upgrade will fail. Note that ASA 5506-X series devices do not support the ASA REST API if you are also running Version 6.0+ of the ASA FirePOWER module.

Use the CLI on the ASA to disable the REST API:

no rest-api agent

You can reenable it after the upgrade:

rest-api agent

Step 3

Perform final preupgrade checks.

  • Check health: Use the Message Center (click the System Status icon on the menu bar). Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

  • Running tasks: Also in the Message Center, make sure essential tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

  • Check disk space: Perform a final disk space check. Without enough free disk space, the upgrade fails.
Step 4

Choose System > Updates.

Step 5

Click the Install icon next to the upgrade package you want to use and choose the devices to upgrade.

If the devices you want to upgrade are not listed, you chose the wrong upgrade package.

Note 
We strongly recommend upgrading no more than five devices simultaneously. The FMC does not allow you stop the upgrade until all selected devices complete the process. If there is an issue with any one device upgrade, all devices must finish upgrading before you can resolve the issue.
Step 6

Click Install, then confirm that you want to upgrade and reboot the devices.

Traffic either drops throughout the upgrade or traverses the network without inspection depending on how your devices are configured and deployed. For more information, see ASA FirePOWER Upgrade Behavior.

Step 7

Monitor upgrade progress in the Message Center.

Do not deploy configurations to the device while it is upgrading. Even if the Message Center shows no progress for several minutes or indicates that the upgrade has failed, do not restart the upgrade or reboot the device. Instead, contact Cisco TAC.

Step 8

Verify success.

After the upgrade completes, choose Devices > Device Management and confirm that the devices you upgraded have the correct software version.

Step 9

Use the Message Center to recheck deployment health.
Step 10

Update intrusion rules (SRU) and the vulnerability database (VDB).

If the SRU or the VDB available on the Cisco Support & Downloads site is newer than the version currently running, install the newer version. For more information, see the Firepower Management Center Configuration Guide. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 11

Complete any post-upgrade configuration changes described in the release notes.
Step 12

Redeploy configurations to the devices you just upgraded.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us