Supported Platforms and Environments
Management Capability: Firepower Management Center
New Features and Functionality
Features and Functionality Introduced in Previous Versions
Previously Changed Functionality
Previously Deprecated Functionality
Integrated Product Compatibility
Screen Resolution Compatibility
Updating vs. Reimaging vs. Deploying
Update Paths to Version 6.1.0.3
Pre-Update System Readiness Checks
Run a Readiness Check via the Shell
Run a Readiness Check via the Firepower Management Center Web Interface
Pre-Update Configuration and Event Backups
Traffic Flow and Inspection During the Update
Additional Memory Requirements
Time and Disk Space Requirements
Update Firepower Management Centers and Firepower Management Centers Virtual
Update Firepower Threat Defense Devices using the Firepower Management Center
Update 7000 and 8000 Series Devices, Firepower NGIPSv, and ASA FirePOWER modules
Update Firepower Threat Defense Device with the Firepower Device Manager
Update ASA FirePOWER Modules Managed via ASDM
Uninstall from 7000 and 8000 Series Managed Devices
Uninstall from Firepower NGIPSv
Uninstall from ASA FirePOWER Modules Managed by Firepower Management Centers
Uninstall from Firepower Management Centers
Uninstall from ASA FirePOWER Modules Managed via ASDM
Uninstall from Firepower Threat Defense Devices on Firepower Device Manager
First Published: April 26, 2017
Last Updated: January 30, 2019
These release notes are valid for the Firepower update.
Even if you are familiar with the update and reimage process, make sure you thoroughly read and understand these release notes, which describe supported platforms, and product and web browser compatibility. They also contain detailed information on prerequisites, warnings, and installation.
Warning: Devices configured for Threat Grid integration may be unable to pull reports from Threat Grid or submit files manually for analysis, per CSCvj07038. See Hotfix EM for more information.
Warning: Do not update to FXOS Version 2.3.1.56 if you are running an instance of Firepower Threat Defense that has been updated from Version 6.0.1.x of the Firepower System. Doing so may disable your Firepower Threat Defense application, which could interrupt traffic on your network. For more information, see CSCvh64138 in the Cisco Bug Search Tool.
Note: To access the full documentation for Firepower environments, see the documentation roadmap at https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
For more information about the Version 6.1.0.3 update, see the following sections:
You can run Version 6.1.0.3 on the platforms and environments in the following table. See Compatibility for more information.
The table below includes supported environments at the time of publication. As new versions of the ASA software become available, compatibility may be added to Firepower 6.1.0.x versions. See the Firepower Compatibility Matrix for most up-to-date ASA or FXOS versions.
Firepower Management Centers: MC750, MC1500, MC2000, MC3500, and MC4000
7000 and 8000 Series devices: 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350, 8360, 8370, 8390, AMP7150, AMP8050, AMP8150, AMP8350, AMP8360, AMP8370, AMP8390
ASA with FirePOWER Services: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X
Note: You can also configure the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, and ASA 5585-X using ASDM instead of the Firepower Management Center.
The ASA 5506-X, ASA 5508-X, and ASA 5516-X require ROMMON Version 1.1.8 or later.
ASA with Firepower Threat Defense: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X
Note: You can also configure these devices as Firepower Threat Defense devices managed by Firepower Device Manager.
The ASA 5506-X, ASA 5508-X, and ASA 5516-X require ROMMON Version 1.1.8 or later.
Firepower 4110, Firepower 4120, and Firepower 4140, Firepower 9300 Appliance with Firepower Threat Defense
Warning: Do not update to FXOS Version 2.3.1.56 if you are running an instance of Firepower Threat Defense that has been updated from Version 6.0.1.x of the Firepower System. Doing so may disable your Firepower Threat Defense application, which could interrupt traffic on your network. For more information, see CSCvh64138 in the Cisco Bug Search Tool.
The Firepower 9300 Appliance requires ROMMON Version 1.0.10 or later.
See the following sections for information about the management options in Version 6.1.0.3:
You can use the Firepower Management Center web interface to configure and manage the Firepower Management Center and its managed devices. Alternatively, you can use the user interface on specific device platforms to configure and manage those specific device platforms.
If a managed device is running Version 6.1.0.3, you must use at least Version 6.1.0 of the Firepower Management Center to manage the device. If a Firepower Management Center is running Version 6.1.0.3, it can manage devices running the versions specified in the table below.
Note that while a Firepower Management Center running Version 6.1.0.3 can manage devices running at least Version 5.4.0.2, you may not be able to execute functionality specific to Version 6.1.0 and later.
You can use these local management options on specific device platforms to configure and manage those specific device platforms. Alternatively, you can use the Firepower Management Center web interface to configure and manage the Firepower Management Center and its managed devices (see Management Capability: Firepower Management Center for more information).
ASA FirePOWER module managed by ASDM
Supported Platforms: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, ASA 5585-X-SSP-60
You can use ASDM to manage and configure ASA FirePOWER modules running Version 6.1.0 on these ASA devices. See the Cisco ASA with FirePOWER Services Local Management Configuration Guide for more information.
Firepower Threat Defense managed by Firepower Device Manager
Supported Platforms: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X
You can use the Firepower Device Manager web interface to configure and manage these devices running Version 6.1.0.3 of Firepower Threat Defense. See the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for more information.
Supported Platforms: 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350, 8360, 8370, 8390, AMP7150, AMP8050, AMP8150, AMP8350, AMP8360, AMP8370, and AMP8390
You can use the web interface for a 7000 or 8000 Series device running Version 6.1.0.3 to manage limited configurations on that individual device. You must use the Firepower Management Center to manage the majority of the policies and configuration items not accessible from the 7000 and 8000 Series web interface. See the Firepower Management Center Configuration Guide for more information.
This section of the release notes summarizes the new and updated features and functionality included in Version 6.1.0.3.
The following features have changed functionality in Version 6.1.0.3:
Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions.
The following features have changed functionality in Version 6.1.0.2:
The following features have changed functionality in Version 6.1.0:
However, Firepower does not display a response page for encrypted connections blocked by access control rules (or any other configuration). Access control rules evaluate encrypted connections if you did not configure an SSL policy, or your SSL policy passes encrypted traffic.
For example, Firepower cannot decrypt HTTP/2 or SPDY sessions. If web traffic encrypted using one of these protocols reaches access control rule evaluation, Firepower does not display a response page if the session is blocked.
You can now force Firepower 8000 Series stacked devices into maintenance mode when any member of the stack fails. For more information, contact TAC Support.
The following features have deprecated functionality in Version 6.1:
The terminology and branding used in Version 6.1.0.3 may differ from the terminology used in previous releases, as summarized in the following table. See the Firepower System Compatibility Guide for more information about terminology and branding changes.
See the documents in the Cisco Firepower System Documentation Roadmap for more information about updating and configuring your Firepower environment: https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html. The following documents were updated for Version 6.1.0.3 to reflect the addition of new features and functionality and to address reported documentation issues:
In addition, the following documentation known issues are reported in Version 6.1.0.3:
For the ASA documentation roadmap and release notes (including known issues) for parallel ASA versions, see http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asaroadmap.html.
For the FXOS documentation roadmap and release notes (including known issues) for parallel FXOS versions, see http://www.cisco.com/c/en/us/td/docs/security/firepower/9300/roadmap/firepower-roadmap.html.
See the following sections for information about product compatibility with the Version 6.1.0.3 web interface:
The required versions for the following integrated products vary by Firepower version:
See the Firepower System Compatibility Guide for more information about the required versions: https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html.
The Firepower web interface for Version 6.1.0.3 has been tested on the browsers listed in the following table.
Note: The Chrome browser does not cache static content, such as images, CSS, or JavaScript, with the Firepower-provided self-signed certificate. This may cause Firepower to redownload static content when you refresh. To avoid this, add a self-signed certificate to the trust store of the browser/OS or use another web browser.
JavaScript, cookies, Transport Layer Security (TLS) v1.1 or v1.2.
Note: If you use a self-signed certificate on the Firepower Management Center and the Login screen takes a long time to load, enter about:support in a Firefox web browser search bar and click Refresh Firefox. Note that you may lose existing Firefox settings when you refresh Firefox. See https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings for more information.
The Firepower Management Center uses a self-signed certificate by default; we recommend you replace that certificate with a certificate signed by a trusted certificate authority. See the section on system configuration in the Firepower Management Center Configuration Guide for your version for more information on replacing server certificates.
JavaScript, cookies, Transport Layer Security (TLS) v1.1 or v1.2, 128-bit encryption, Active scripting security setting, Compatibility View, set Check for newer versions of stored pages to Automatically.
Note: If you use Microsoft Internet Explorer 11, you must disable the Include local directory path when uploading files to server option in your Internet Explorer settings via Tools > Internet Options > Security > Custom level.
Note: If you want to use TLS with Internet Explorer 10, you must first enable the TLS v1.2 option in your Internet Explorer advanced settings via Tools > Internet Options > Security.
Note: Many browsers use Transport Layer Security (TLS) v1.3 by default. If you have an active SSL policy and your browser uses TLSv1.3, websites that support TLSv1.3 fail to load. As a workaround, configure your managed device to remove extension 43 (TLS 1.3) from ClientHello negotiation. See this software advisory for more information.
In most cases, it is best to perform a traditional update from Version 6.0.1.X to Version 6.1.0.3 as described in Important Update Notes and Update to Version 6.1.0.3.
However, the following cases require you to reimage and/or deploy your appliance:
New installations of Version 6.1.0 and later do not require a reimage.
See the installation and quick start guides linked from the documentation roadmap for more information about the reimage and deploy processes: https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
Before you begin the update process to Version 6.1.0.3, you should familiarize yourself with the behavior during the update process, as well as with any compatibility issues or required pre- or post-update configuration changes.
Note: Do not reboot or shut down your appliance during the update until you see the login prompt. Appliances may appear inactive during the pre-checks; this is expected behavior and does not require you to reboot or shut down your appliance.
Note: Updating an ASA FirePOWER module to Version 6.1.0 or later fails when the ASA REST API is enabled. Prior to updating the Firepower version of the ASA FirePOWER module, execute the no rest-api agent CLI command to disable the ASA REST API. To reenable ASA REST API, execute the rest-api agent CLI command.
For more information, see the following sections:
Appliances must run a specific minimum version to update to Version 6.1.0.3. If your appliance is running a version earlier than Version 6.1.0, you must perform the following updates before updating to Version 6.1.0.3:
See the Firepower System Release Notes for the destination version for more information about those individual updates: http://www.cisco.com/c/en/us/support/security/defense-center/products-release-notes-list.html.
If you are locally managing the ASA FirePOWER module via ASDM, use the ASDM user interface to perform the update. To configure the ASA FirePOWER module via ASDM, see the Cisco ASA with FirePOWER Services Local Management Configuration Guide.
Version 6.1.0 introduced support for local management of Firepower Threat Defense devices using the Firepower Device Manager. If you want to switch management of a Firepower Threat Defense device from the Firepower Management Center to the Firepower Device Manager, you must reimage the device to Version 6.1. See Reimage the Cisco ASA or Firepower Threat Defense Device for more information and to configure the Firepower Device Manager, and the Firepower Threat Defense listing page for additional documentation: http://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html.
Otherwise, use the Firepower Management Center’s web interface to update the Firepower Management Center and the devices it manages. See the Firepower Management Center Configuration Guide to configure the Firepower Management Center or its managed devices.
See Management Capability for more information about management in Version 6.1.0.3.
Update your Firepower Management Center before updating the devices it manages. Then, use your Version 6.1.0.3 Firepower Management Center to redeploy policies to all managed devices before updating those devices to Version 6.1.0.3.
Note the following update sequence complications when you have high availability or device stacking configured:
Firepower Management Centers in a High Availability Pair
1. Before updating to Version 6.1.0.3, pause the synchronization of the primary Firepower Management Center of the high availability pair via the High Availability tab of the Integration page (System > Integration).
2. Update the secondary Firepower Management Center in the high availability pair first. The Firepower Management Center switches from secondary to primary so both Firepower Management Centers in the high availability pair are active.
3. Once the upgrade successfully completes, upgrade the other Firepower Management Center within the pair.
4. Once both Firepower Management Centers are successfully updated to Version 6.1.0.3, click Make-Me-Active on the High Availability tab of one of the Firepower Management Center web interfaces.
The Firepower Management Center you do not make active automatically switches to secondary mode.
This procedure explains how to upgrade the Firepower software on Firepower Management Centers in a high availability pair.
You upgrade peers one at a time. With synchronization paused, first upgrade the standby (or secondary), then the active (or primary). When the standby Firepower Management Center starts prechecks, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade. Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you upgrade the Firepower Management Centers and restart synchronization.
Firepower Threat Defense Devices in a High Availability Pair Managed by Firepower Management Center
Note: For Firepower Threat Defense high availability in Version 6.2.0, 169.254.0.0/16 and fd00:0:0:*::/64 are internally used subnets and cannot be used for the failover or state links. If you currently use IP addresses in these ranges, you must change them to different IP addresses before you upgrade.
1. Before you install an update on Firepower Threat Defense devices in a high availability pair, update the FXOS chassis manager to the most recent version.
2. Update the FXOS version of the secondary Firepower Threat Defense device, then switch failover so the secondary Firepower Threat Defense device is now the active device.
3. Update the FXOS version of the secondary Firepower Threat Defense device and then update the pair to Version 6.1.0.3.
You must always update the FXOS version on the secondary device of a Firepower Threat Defense high availability pair. Do not update the FXOS version of the primary device.
When you install the Firepower update on Firepower Threat Defense devices in a high availability pair, Firepower updates the devices one at a time. When the update starts, Firepower first applies it to the secondary device, which goes into maintenance mode until any necessary processes restart. While the secondary device is updating, the primary device processes incoming traffic. Firepower then updates the primary device, which follows the same process.
Firepower Threat Defense Devices in a High Availability Pair Managed by Firepower Device Manager
High availability mode for Firepower Threat Defense managed by Firepower Device Manager is not supported in Version 6.1.0 or later. If you established a Firepower Threat Defense high availability pair using a Firepower Management Center, you must break the high availability configuration prior to switching the Firepower Threat Defense devices to Firepower Device Manager management.
Firepower Threat Defense Device Clustering
When you update clustered Firepower 9300 Appliances running Firepower Threat Defense, Firepower updates the security modules one at a time—first secondary modules, then the primary module. Modules operate in maintenance mode while they update.
During the primary module update, although traffic inspection and handling continues normally, Firepower stops logging events. Event logging resumes after the full update completes.
Events for traffic processed during the logging downtime appear with out-of-sync timestamps after the update completes. However, if the logging downtime was significant, Firepower may prune the oldest events before they can be logged.
Note: Upgrading FXOS reboots the Firepower 9300 Appliance chassis, dropping traffic until at least one module comes back online.
7000 and 8000 Series Devices in a High Availability Pair
When you install an update on 7000 and 8000 Series devices in a high availability pair, Firepower updates the devices one at a time. When the update starts, Firepower first applies it to the secondary device, which goes into maintenance mode until any necessary processes restart and the device is processing traffic again. Firepower then updates the primary device, which follows the same process.
Firepower 8000 Series Stacked Devices
When you install an update on Firepower 8000 Series stacked devices, Firepower updates the stacked devices simultaneously. Each device resumes normal operation when the update completes. Note that:
System update readiness checks contain a series of robustness checks that assess the preparedness of the system for an update. The readiness check identifies issues with the system, including issues with the integrity of the database, version inconsistencies, and device registration.
Note: Time requirements—The time required to run the readiness check varies depending on your appliance model and database size. You may find it expedient to forgo readiness checks if your deployment is large (for example, if your Firepower Management Center manages more than 100 devices).
Note: Web interface vs shell—You can use the Firepower Management Center web interface to perform the readiness check on itself and its standalone managed devices only. For clustered devices, stacked devices, and devices in high availability pairs, run the readiness check from each device's shell.
Note: The readiness check cannot assess your preparedness for VDB, SRU, or GeoDB updates; the readiness check is a system update readiness check.
Caution: Do not reboot or shut down your appliance during the readiness check.
Caution: If you encounter issues with the readiness check that you cannot resolve, do not begin the update. Instead, contact Support.
You can run a readiness check via the shell on any appliance. The time to run the readiness check varies depending on your appliance model and database size.
To run a readiness check via the shell:
4. Download the Version 6.1.0.3 update from the Support site.
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
5. Log into the shell as a user with administrator privileges.
6. Make sure the upgrade package is on the appliance in the correct place:
–Firepower Threat Defense devices: /ngfw/var/sf/updates
–All other Firepower appliances: /var/sf/updates
–Firepower Management Centers: use SCP to copy the upgrade package to the appliance. Initiate from the Firepower side.
7. Run this command as the root user: sudo install_update.pl --detach --readiness-check full_path_to_update_package
Unless you are running the readiness check from the console, use the --detach option to ensure the check does not stop if your user session times out. Otherwise, the readiness check runs as a child process of the user shell. If your connection is terminated, the process is killed, the check is disrupted, and the appliance may be left in an unstable state.
8. (Optional) Monitor the readiness check.
If you use the --detach option (or begin another shell session), you can use the tail or tailf command to display logs, for example:
–Firepower Threat Defense devices: tail /ngfw/var/log/sf/update_package_name/status.log
–All other Firepower appliances: tail /var/log/sf/update_package_name/status.log
If you use tailf to display log entries as they occur, you must cancel (Ctrl+C) to return to the command prompt.
9. When the readiness check completes, access the full readiness check report.
–Firepower Threat Defense devices: /ngfw/var/log/sf/$rpm_name/upgrade_readiness
–All other Firepower appliances: /var/log/sf/$rpm_name/upgrade_readiness
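The package placement and command steps above, as an added pre-flight sketch (not Cisco's code): it confirms the package sits in the directory the procedure names and matches a SHA-512 digest before printing the readiness-check command. It assumes a SHA-512 tool exists on the appliance shell and that you obtained the expected digest from the Support site download page; the function names and the ftd/other platform argument are hypothetical.

```shell
#!/bin/sh
# Added example, not Cisco's code. Assumed: a SHA-512 tool on the appliance
# shell and an expected digest obtained from the Support site download page.

# Directory the procedure names for the upgrade package.
updates_dir() {
    case "$1" in
        ftd) echo "/ngfw/var/sf/updates" ;;   # Firepower Threat Defense
        *)   echo "/var/sf/updates" ;;        # all other Firepower appliances
    esac
}

# Root under which the per-update log directory is created.
log_root() {
    case "$1" in
        ftd) echo "/ngfw/var/log/sf" ;;
        *)   echo "/var/log/sf" ;;
    esac
}

# Print the SHA-512 hex digest of a file (falls back to shasum if needed).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file exists and its digest matches the expected one.
verify_package() {
    pkg=$1; expected=$2
    [ -f "$pkg" ] || { echo "missing: $pkg" >&2; return 2; }
    actual=$(sha512_of "$pkg")
    # Compare case-insensitively: a published digest may be upper case.
    [ "$(printf %s "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf %s "$expected" | tr 'A-F' 'a-f')" ]
}

# The readiness-check command from the procedure, with the full package path.
readiness_cmd() {
    echo "sudo install_update.pl --detach --readiness-check $(updates_dir "$1")/$2"
}

# Log and report locations; $2 is the per-update log directory name, which
# the page writes as update_package_name / $rpm_name (passed in, not guessed).
status_log()  { echo "$(log_root "$1")/$2/status.log"; }
report_path() { echo "$(log_root "$1")/$2/upgrade_readiness"; }

# Pre-flight: right directory, intact package, then print what to run.
preflight() {
    platform=$1; pkg=$2; expected=$3
    want_dir=$(updates_dir "$platform")
    have_dir=$(cd "$(dirname "$pkg")" 2>/dev/null && pwd)
    if [ "$have_dir" != "$want_dir" ]; then
        echo "REFUSE: package is in '$have_dir', expected '$want_dir'"
        return 1
    fi
    if ! verify_package "$pkg" "$expected"; then
        echo "REFUSE: SHA-512 mismatch for $pkg"
        return 1
    fi
    readiness_cmd "$platform" "$(basename "$pkg")"
}

# Usage: script <ftd|other> <path-to-package> <expected-sha512>
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run the printed command only when the script exits 0; a refusal means the package is misplaced or its bytes differ from what the Support site published.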
You can use the Firepower Management Center web interface to perform readiness checks on itself and its standalone managed devices.
The time to run the readiness check varies depending on your appliance model and database size.
Note: The readiness check does not assess your preparedness for VDB, intrusion rule, or GeoDB updates; the readiness check is a system update readiness check.
To run a readiness check via the web interface:
1. Update the Firepower Management Center to Version 6.1, as described in Update Firepower Management Centers and Firepower Management Centers Virtual.
2. Download the Version 6.1.0.3 update from the Support site.
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
3. On the Firepower Management Center web interface, choose System > Updates.
4. Click the Install icon next to the upgrade you want the readiness check to evaluate.
5. Click Launch Readiness Check.
6. Monitor the progress of the readiness check in the Readiness Check Status window. When the readiness check completes, the system reports the success or failure.
7. Access the full readiness check report in /var/log/sf/$rpm_name/upgrade_readiness.
Before you begin the update, we strongly recommend that you back up current event and configuration data to an external location.
Use the Firepower Management Center to back up event and configuration data for itself and the devices it manages. See the Firepower Management Center Configuration Guide for more information on the backup and restore feature.
Note: The Firepower Management Center purges locally stored backups from previous updates. To retain archived backups, store the backups externally.
When you update your sensing devices, traffic either drops throughout the update or traverses the network without inspection depending on how your devices are configured and deployed: routed or transparent, inline vs passive, bypass mode settings, and so on. We strongly recommend performing the update in a maintenance window or at a time when the interruptions will have the least impact on your deployment.
Note: When you update devices in a high availability pair, the system performs the update one device at a time to avoid traffic interruption.
This section discusses traffic behavior during the following update stages:
Traffic Behavior During the Update
The following table describes how updates, including related device reboots, affect traffic flow for different deployments. Note that appliances do not perform switching, routing, NAT, and VPN during the update process, regardless of how you configure any inline sets.
Warning: Do not update to FXOS Version 2.3.1.56 if you are running an instance of Firepower Threat Defense that has been updated from Version 6.0.1.x of the Firepower System. Doing so may disable your Firepower Threat Defense application, which could interrupt traffic on your network. For more information, see CSCvh64138 in the Cisco Bug Search Tool.
Traffic Behavior When Updating FXOS on Clustered Firepower Threat Defense Devices
Updating FXOS reboots the chassis, which drops traffic in a clustered environment until at least one module comes online, regardless of whether the cluster uses an optional hardware bypass (fail-to-wire) module or if bypass is enabled or disabled.
Traffic Behavior During Configuration Deployment
During the upgrade process, you deploy configurations either twice (standalone devices) or three times (devices managed by the Firepower Management Center). When you deploy, resource demands may result in a small number of packets dropping without inspection. In most cases, the deployment immediately after the upgrade restarts the Snort process. During subsequent deployments, the Snort process restarts only if, before deploying, you modify specific policy or device configurations that always restart the process when deployed.
The following table describes how different devices handle traffic during Snort process restarts.
Firepower Version 6.0.0 and later requires more memory than the previous versions for some Firepower Management Center models (previously referred to as the FireSIGHT Management Center or the Defense Center). To be specific, MC750 requires two 4GB dual in-line memory modules (DIMM). Similarly, MC1500 with 6GB of memory also requires additional memory.
Because the increase in memory was driven by Cisco product requirements, Cisco is making memory upgrade kits available for customers with these models. These kits can be ordered at no cost by customers who are entitled to run Version 6.0.0 and later on a qualifying MC750 or MC1500 Firepower Management Center model.
See http://www.cisco.com/c/en/us/support/docs/field-notices/640/fn64077.html for more information on ordering memory kits. See “Memory Upgrade Instructions for Firepower Management Centers” in the Firepower Management Center Installation Guide for instructions on replacing the memory after you receive the kit.
The table below provides disk space and time guidelines for the Version 6.1.0.3 update. Note that when you use the Firepower Management Center to update a managed device, the Firepower Management Center requires additional disk space on its /Volume partition.
The further your appliance’s current version is from Version 6.1.0.3, the longer the update takes.
Note: Do not reboot or shut down your appliance during the update until you see the login prompt. Appliances may appear inactive during the pre-checks; this is expected behavior and does not require you to reboot or shut down your appliance.
Note: The guidelines below do not include the time required to complete the readiness check. See Pre-Update System Readiness Checks for more information about the readiness check.
If you encounter issues with the progress of your update, contact TAC Support.
After you perform the update on the Firepower Management Center or managed devices, deploy configuration changes to the devices.
Note: You must deploy configuration changes first after updating the Firepower Management Center and a second time after updating its managed devices.
When you deploy configuration changes, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations requires the Snort process to restart, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the managed device handles traffic. See the Firepower Management Center Configuration Guide for more information.
There are several additional post-update steps you should take to ensure that your deployment is performing properly. These include:
Before you begin the update, you must thoroughly read and understand these release notes, especially Important Update Notes and Pre-Update System Readiness Checks.
If you are unsure whether you should perform a traditional Version 6.1.0.3 installation or a reimage to Version 6.1.0.3, see Updating vs. Reimaging vs. Deploying.
For more information about updating appliances to Version 6.1.0.3, see:
Use the procedure in this section to update your Firepower Management Centers and Firepower Management Centers Virtual. For the Version 6.1.0.3 update, all devices reboot.
If your appliance is in a high availability configuration, see Update Sequence Guidelines.
Note: Some Firepower Management Centers and the Firepower Management Center Virtual require additional memory to update to Version 6.1.0.3. See Additional Memory Requirements for more information.
Note: Do not reboot or shut down your appliance during the update until you see the login prompt. Appliances may appear inactive during the pre-checks; this is expected behavior and does not require you to reboot or shut down your appliance.
To update a Firepower Management Center:
1. Update to the minimum version as described in Update Paths to Version 6.1.0.3.
2. Read these release notes and complete any pre-update tasks. For more information, see:
–Updating vs. Reimaging vs. Deploying
3. Download the update from the Support site:
–for Firepower Management Center and Firepower Management Center Virtual:
Sourcefire_3D_Defense_Center_S3_Patch-6.1.0.3-57.sh
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
4. Log into the Firepower Management Center UI as admin.
5. To upload the update to the Firepower Management Center, select System > Updates, then click Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.
6. Redeploy configuration changes to any managed devices. Otherwise, the eventual update of the managed devices may fail.
7. Optionally, run a readiness check on the Firepower Management Center as described in Run a Readiness Check via the Shell.
Note: If you encounter issues with the readiness check that you cannot resolve, do not begin the update. Instead, contact TAC Support.
8. Make sure that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
9. Click the system status icon and view the Tasks tab in the Message Center to make sure that there are no tasks in progress.
10. On the System > Updates page, click the install icon next to the update you are installing.
11. Select the Firepower Management Center and click Install. Confirm that you want to install the update and reboot the Firepower Management Center.
The update process begins. You can begin monitoring the update’s progress in the Tasks tab of the Message Center.
If the update fails for any reason, the page displays an error message indicating the time and date of the failure, which script was running when the update failed, and instructions on how to contact TAC Support. Do not restart the update.
Note: If you encounter any other issue with the update (for example, if a manual refresh of the Update Status page shows no progress for several minutes), do not restart the update. Instead, contact TAC Support.
When the update completes, the Firepower Management Center displays a success message and reboots.
12. After the update finishes, clear your browser cache and re-launch the browser. Otherwise, the user interface may exhibit unexpected behavior.
13. Log into the Firepower Management Center.
14. Select Help > About and confirm that the software version is listed correctly: Version 6.1.0.3. Also note the versions of the intrusion rule update and VDB on the Firepower Management Center; you will need this information later.
15. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
16. If the intrusion rule update available on the Support site is newer than the rule set on your Firepower Management Center, import the newer rule set. Do not auto-apply the imported rules when working with Version 6.1.0.3.
For information on intrusion rule updates, see the Firepower Management Center Configuration Guide.
17. If the VDB available on the Support site is newer than the VDB installed during the update, install the latest VDB. Do not auto-deploy VDB updates when working with Version 6.1.0.3.
Installing a VDB update restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the managed device handles traffic. See the Firepower Management Center Configuration Guide for more information.
18. Redeploy policies to all managed devices.
Click the Deploy button and select all available devices, then click Deploy.
Note: You must redeploy configuration changes before updating any managed devices or you may have to reimage your appliances.
19. If a later patch is available on the Support site, update to the latest patch as described in the Firepower System Release Notes for that version. You must update to the latest patch to take advantage of product enhancements and security fixes.
A Firepower Management Center must be running at least Version 6.1.0 to update Firepower Threat Defense devices to Version 6.1.0.3. You can update multiple devices at once but only if they use the same update file.
If your appliance is in a high availability or clustered configuration, see Update Sequence Guidelines.
Note: You cannot update an ASA with FirePOWER Services device directly to Firepower Threat Defense. See Updating vs. Reimaging vs. Deploying for more information.
Note: Do not reboot or shut down your appliance during the update until you see the login prompt. Appliances may appear inactive during the pre-checks; this is expected behavior and does not require you to reboot or shut down your appliance.
Note: High availability mode for Firepower Threat Defense managed by Firepower Device Manager is not supported in Version 6.1.0 or later. If you established a Firepower Threat Defense high availability pair using a Firepower Management Center, you must break the high availability configuration prior to switching the Firepower Threat Defense devices to Firepower Device Manager management.
To update Firepower Threat Defense devices:
1. Update to the minimum version as described in Update Paths to Version 6.1.0.3.
2. Read these release notes and complete any pre-update tasks. For more information, see:
–Updating vs. Reimaging vs. Deploying
3. Update the software on the devices’ managing Firepower Management Center; see Update Firepower Management Centers and Firepower Management Centers Virtual.
4. Use the managing Firepower Management Center to deploy configuration changes to the managed Firepower Threat Defense devices. Otherwise, the eventual update may fail.
5. If you are updating a Firepower 9300 Appliance or a Firepower 4100 series device, update to FXOS Version 2.0.1 as described in the Cisco FXOS 2.0(1) Release Notes. If a Firepower 9300 Appliance or a Firepower 4100 series device is in a high availability pair, you must update the secondary device’s FXOS chassis manager prior to updating the Firepower software. See Firepower Threat Defense Devices in a High Availability Pair Managed by Firepower Management Center for more information.
Note: Updating the Firepower 9300 Security Appliance or a Firepower 4100 series device to FXOS Version 2.0.1 or later causes a disruption in traffic. This is expected.
Note: Upgrading FXOS reboots the Firepower 9300 Appliance chassis, dropping traffic on clustered Firepower Threat Defense blades until at least one module comes back online.
6. Log into the managing Firepower Management Center UI as admin.
7. Download the Version 6.1.0.3 update from the Support site:
–for Firepower Threat Defense running on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, VMware, AWS, and KVM:
–for Firepower Threat Defense running on the Firepower 9300 appliance, Firepower 4110 device, Firepower 4120 device, and Firepower 4140 device:
Cisco_FTD_SSP_Patch-6.1.0.3-57.sh
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
8. Upload the update to the Firepower Management Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.
9. Optionally, run a readiness check on the Firepower Threat Defense device as described in Run a Readiness Check via the Shell or Run a Readiness Check via the Firepower Management Center Web Interface.
Note: If you encounter issues with the readiness check that you cannot resolve, do not begin the update. Instead, contact TAC Support.
10. Make sure that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
11. Click the install icon next to the update you are installing.
12. Select the devices where you want to install the update.
13. Click Install. Confirm that you want to install the update and reboot the devices.
14. The update process begins. You can monitor the update's progress on the Tasks tab of the Message Center.
Note that managed devices may reboot twice during the update; this is expected behavior.
Note: If you encounter issues with the update (for example, if messages in the Tasks tab of the Message Center show no progress for several minutes or indicate that the update has failed), do not restart the update. Instead, contact TAC Support.
15. Select Devices > Device Management and confirm that the devices you updated have the correct software version: 6.1.0.3.
16. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
17. Redeploy policies to all managed devices.
Click the Deploy button and select all available devices, then click Deploy.
18. If a later patch is available on the Support site, update to the latest patch as described in the Firepower System Release Notes for that version. You must update to the latest patch to take advantage of product enhancements and security fixes.
If you need to switch the management of a Firepower Threat Defense device from a Firepower Management Center to Firepower Device Manager, unregister the Firepower Threat Defense device from the Firepower Management Center and execute the configure manager local CLI command.
Note: Switching the management of a Firepower Threat Defense device resets device configuration to default settings.
A Firepower Management Center must be running at least Version 6.1.0 to update these devices to Version 6.1.0.3. You can update multiple devices at once but only if they use the same update file.
If your appliance is in a high availability or stacked configuration, see Update Sequence Guidelines.
Note: If you are locally managing the ASA FirePOWER module through ASDM, do not update the ASA FirePOWER module using the Firepower Management Center. See Update ASA FirePOWER Modules Managed via ASDM for more information.
For the Version 6.1.0.3 update, all devices reboot. 7000 and 8000 Series devices do not perform traffic inspection, switching, routing, NAT, VPN, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state. See Traffic Flow and Inspection During the Update for more information.
Note: Do not reboot or shut down your appliance during the update until you see the login prompt. Appliances may appear inactive during the pre-checks; this is expected behavior and does not require you to reboot or shut down your appliance.
Note: Updating an ASA FirePOWER module to Version 6.1.0 or later fails when the ASA REST API is enabled. Prior to updating the Firepower version of the ASA FirePOWER module, execute the no rest-api agent CLI command to disable the ASA REST API. To reenable ASA REST API, execute the rest-api agent CLI command.
To update managed devices, NGIPSv devices, and ASA FirePOWER modules:
1. Update to the minimum version as described in Update Paths to Version 6.1.0.3.
2. Read these release notes and complete any pre-update tasks. For more information, see:
–Updating vs. Reimaging vs. Deploying
3. Update the software on the managing Firepower Management Center and redeploy all policies from the Firepower Management Center to the device. See Update Firepower Management Centers and Firepower Management Centers Virtual for more information.
4. Use the managing Firepower Management Center to deploy configuration changes to the managed 7000 and 8000 Series devices, managed devices, and ASA FirePOWER modules. Otherwise, the eventual update may fail.
5. If you are updating an ASA device, update to ASA Version 9.5(2) and later, Version 9.6(x), Version 9.7(x), Version 9.8(x), or Version 9.9(x) as described in the ASA/ASDM Release Notes.
Note: The ASA 5506-X appliance does not support ASA Version 9.5(2) or ASA Version 9.5(3).
6. Download the update from the Support site:
–for 7000 and 8000 Series managed devices:
Sourcefire_3D_Device_S3_Patch-6.1.0.3-57.sh
Sourcefire_3D_Device_Virtual64_VMware_Patch-6.1.0.3-57.sh
–for ASA with FirePOWER Services running on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and ASA 5585-X-SSP-60:
Cisco_Network_Sensor_Patch-6.1.0.3-57.sh
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
7. Log into the managing Firepower Management Center UI as admin.
8. To upload the update to the Firepower Management Center, select System > Updates, then click Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.
9. Optionally, run a readiness check on the device as described in Run a Readiness Check via the Shell or Run a Readiness Check via the Firepower Management Center Web Interface.
Note: If you encounter issues with the readiness check that you cannot resolve, do not begin the update. Instead, contact TAC Support.
10. Make sure that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
11. On the System > Updates page, click the install icon next to the update you are installing.
12. Select the devices where you want to install the update.
If you are updating stacked Firepower 8000 Series devices, selecting one member of the stack automatically selects the other devices in the stack. You must update members of a stack together.
13. Click Install. Confirm that you want to install the update and reboot the devices. The update process begins.
Note that rebooting the ASA FirePOWER module on an ASA 5585-X platform, including a reboot that occurs during a module upgrade, causes traffic to drop for up to thirty seconds on the interfaces on the ASA FirePOWER module while the module reboots.
14. You can monitor the update's progress on the Tasks tab in the Firepower Management Center’s Message Center.
Note that managed devices may reboot twice during the update; this is expected behavior.
Note: If you encounter issues with the update (for example, if the Tasks tab indicates that the update has failed or if it shows no progress for several minutes), do not restart the update. Instead, contact TAC Support.
15. Select Devices > Device Management and confirm that the devices you updated have the correct software version: Version 6.1.0.3.
16. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
17. Redeploy policies to all managed devices.
Click the Deploy button and select all available devices, then click Deploy.
18. If a later patch is available on the Support site, update to the latest patch as described in the Firepower System Release Notes for that version. You must update to the latest patch to take advantage of product enhancements and security fixes.
To switch management of a Firepower Threat Defense device running a version earlier than Version 6.1.0 from the Firepower Management Center to the Firepower Device Manager, you must reimage the device to Version 6.1.0 or later. See the Reimage the Cisco ASA or Firepower Threat Defense Device and the Firepower Threat Defense listing page for additional documentation: http://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html.
Note: High availability mode for Firepower Threat Defense managed by Firepower Device Manager is not supported in Version 6.1.0 or later. If you established a Firepower Threat Defense high availability pair using a Firepower Management Center, you must break the high availability configuration prior to switching the Firepower Threat Defense devices to Firepower Device Manager management.
Use the following procedure to update Firepower Threat Defense devices running Version 6.1.0 or later managed by the Firepower Device Manager.
To update a Firepower Threat Defense device managed by the Firepower Device Manager:
1. Update to the minimum version as described in Update Paths to Version 6.1.0.3.
2. Read these release notes and complete any pre-update tasks. For more information, see:
–Updating vs. Reimaging vs. Deploying
3. If you are updating a Firepower Threat Defense high availability pair, you must update the secondary device’s FXOS chassis manager prior to updating the Firepower software. See Firepower Threat Defense Devices in a High Availability Pair Managed by Firepower Management Center for more information.
4. Download the update from the Support site:
–for Firepower Threat Defense running on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X, or on VMware or AWS, or KVM:
Cisco_FTD_Upgrade-6.1.0.3-57.sh
Note: Download the update from the Support site. Put the update where the device can access it from its management interface. You can use an HTTP, TFTP, or SCP server. Do not transfer updates by email.
5. Use an SSH client to log into the management IP address using the admin user account and password.
Alternatively, you can connect to the Console port.
6. Enter the expert command to access expert mode.
7. Change the working directory (cd) to /var/sf/updates/.
8. Download the upgrade file from your HTTP, TFTP, or SCP server. For example, if you put the update on an HTTP server, enter sudo wget URL, where URL is the location where you put the update.
Because the sudo command runs as the root user, you see a stock warning, and you must re-enter the admin password before the command executes. Wait for the download to complete.
You must include the full path to the upgrade file in the command.
When the update completes, the Firepower Threat Defense device reboots.
10. Verify the installation successfully completed.
Use an SSH client to log into the management IP address using the admin user account and password. The banner information includes a line that shows the new build number: 6.1.0.3(build 57)
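A pre-flight check for the file staged in step 8 and the banner check in step 10, as an added example that is not part of these release notes: it confirms that the file name carries the package, version, and build you intend to install, and that the file hashes to a SHA-512 value you recorded when you downloaded it. The function names, return codes, sample banner, and the assumption that you recorded a SHA-512 checksum at download time are this example's own; run it on the staging server or workstation.

```shell
#!/bin/sh
# Added example: pre-flight check for a staged Firepower update file.
# All function names and return codes here are hypothetical, not Cisco tooling.

# Split "<package>-<version>-<build>.sh" into its fields.
# Prints "package version build"; returns 1 if the name does not fit.
parse_update_name() {
    base=${1##*/}                       # drop any directory part
    case $base in
        *-*-*.sh) ;;
        *) return 1 ;;
    esac
    stem=${base%.sh}
    build=${stem##*-}
    rest=${stem%-*}
    version=${rest##*-}
    package=${rest%-*}
    case $version in ''|*[!0-9.]*) return 1 ;; esac   # dotted digits only
    case $build in ''|*[!0-9]*) return 1 ;; esac      # digits only
    [ -n "$package" ] || return 1
    printf '%s %s %s\n' "$package" "$version" "$build"
}

# SHA-512 of a file as lowercase hex, using whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_update FILE PACKAGE VERSION BUILD SHA512
# Returns 0 if everything matches, 2 for an unparseable name,
# 3 for the wrong package/version/build, 4 if the file is missing,
# 5 if the checksum differs (truncated or corrupted transfer).
verify_update() {
    file=$1; want_pkg=$2; want_ver=$3; want_build=$4; want_sum=$5
    fields=$(parse_update_name "$file") || return 2
    set -- $fields
    [ "$1" = "$want_pkg" ] && [ "$2" = "$want_ver" ] &&
        [ "$3" = "$want_build" ] || return 3
    [ -f "$file" ] || return 4
    got=$(sha512_of "$file")
    want=$(printf '%s' "$want_sum" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ] || return 5
    return 0
}

# banner_shows_build BANNER VERSION BUILD
# Succeeds if the login banner text contains "VERSION(build BUILD)",
# ignoring spaces so "6.1.0.3 (build 57)" and "6.1.0.3(build 57)" both match.
banner_shows_build() {
    squeezed=$(printf '%s' "$1" | tr -d ' ')
    case $squeezed in
        *"$2(build$3)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed stand-in file (not a real Cisco package).
demo_dir=$(mktemp -d)
demo_file=$demo_dir/Cisco_FTD_Upgrade-6.1.0.3-57.sh
printf 'constructed placeholder payload\n' > "$demo_file"
demo_sum=$(sha512_of "$demo_file")   # stands in for the checksum you recorded
if verify_update "$demo_file" Cisco_FTD_Upgrade 6.1.0.3 57 "$demo_sum"; then
    echo "staged file matches package, version, build and checksum"
fi
# Constructed banner line, modelled on the build string quoted in step 10.
if banner_shows_build "Firepower Threat Defense 6.1.0.3(build 57)" 6.1.0.3 57; then
    echo "banner reports the expected build"
fi
rm -rf "$demo_dir"
```

A non-zero return from verify_update is a reason to download the file again from the Support site rather than to proceed with the update.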
To switch management of a Firepower Threat Defense device running a version earlier than Version 6.1.0.2 from the Firepower Management Center to the Firepower Device Manager, you must reimage the device to Version 6.1 or later. See the Reimage the Cisco ASA or Firepower Threat Defense Device and the Firepower Threat Defense listing page for additional documentation: http://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html.
Note: High availability mode for Firepower Threat Defense managed by Firepower Device Manager is not supported in Version 6.1.0.2 or later. If you established a Firepower Threat Defense high availability pair using the Firepower Management Center, you must break the high availability configuration prior to switching the Firepower Threat Defense devices’ management from Firepower Management Center to Firepower Device Manager management.
Locally managed ASA FirePOWER modules managed by ASDM do not require Firepower Management Centers to update. For the Version 6.1.0.3 update, all devices reboot.
To update an ASA FirePOWER module managed by ASDM:
1. Update to the minimum version as described in Update Paths to Version 6.1.0.3.
2. Read these release notes and complete any pre-update tasks. For more information, see:
–Updating vs. Reimaging vs. Deploying
3. If you are updating an ASA device, update to ASA Version 9.5(2) and later, Version 9.6(x), Version 9.7(x), Version 9.8(x), or Version 9.9(x) as described in the ASA/ASDM Release Notes.
Note: The ASA 5506-X appliance does not support ASA Version 9.5(2) or ASA Version 9.5(3).
4. Download the update from the Support site:
Cisco_Network_Sensor_Upgrade-6.1.0.3-57.sh
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
6. Deploy configuration changes. Otherwise, the eventual update may fail.
7. Select Configuration > ASA FirePOWER Configuration > Updates.
9. Click Choose File to navigate to and select the update.
11. Optionally, run a readiness check on the ASA FirePOWER module as described in Run a Readiness Check via the Shell.
Note: If you encounter issues with the readiness check that you cannot resolve, do not begin the update. Instead, contact TAC Support.
12. Select Monitoring > ASA FirePOWER Monitoring > Task Status to view the task queue and make sure that there are no jobs in process.
13. Select Configuration > ASA FirePOWER Configuration > Updates.
14. Click the install icon next to the update you uploaded.
The update process begins. You can begin monitoring the update’s progress in the task queue.
15. After the update finishes, reconnect ASDM to the ASA device as described in the ASA Firepower Module Quick Start Guide.
16. Access the ASA FirePOWER module interface and refresh the page. Otherwise, the interface may exhibit unexpected behavior. If you are the first user to access the interface after a major update, the End User License Agreement (EULA) may appear. You must review and accept the EULA to continue.
17. If the intrusion rule update available on the Support site is newer than the rule set on your ASA FirePOWER module, import the newer rule set. Do not auto-apply the imported rules when working with Version 6.1.0.3.
See the ASA with FirePOWER Services Local Management Configuration Guide for more information.
18. If the VDB available on the Support site is newer than the VDB installed during the update, install the latest VDB. Do not auto-deploy VDB updates when working with Version 6.1.0.3.
Installing a VDB update restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the managed device handles traffic. See the ASA with FirePOWER Services Local Management Configuration Guide for more information.
19. Deploy configuration changes.
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations requires the Snort process to restart, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the managed device handles traffic. See the ASA with FirePOWER Services Local Management Configuration Guide for more information.
If a later patch is available on the Support site, update to the latest patch as described in the Firepower System Release Notes for that version. You must update to the latest patch to take advantage of product enhancements and security fixes.
For more information about uninstalling Version 6.1.0.3 from your appliances, see:
Before you uninstall the update, you must thoroughly read and understand the following sections.
You must uninstall updates locally. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstall the update in the reverse order that you installed it. That is, first uninstall the update from managed devices, then from Firepower Management Centers.
Uninstall the Update from Clustered or High Availability Appliances
Clustered devices, devices in high availability pairs and Firepower Management Centers in high availability pairs must run the same Firepower version. Although the uninstallation process triggers an automatic failover, appliances in mismatched pairs or clusters do not share configuration information, nor do they install or uninstall updates as part of their synchronization. If you need to uninstall an update from redundant appliances, plan to perform the uninstallations in immediate succession.
To ensure continuity of operations, uninstall the update from clustered devices and paired Firepower Management Centers one at a time. First, uninstall the update from the secondary appliance. Wait until the uninstallation process completes, then immediately uninstall the update from the primary appliance.
Note: If the uninstallation process on a clustered device, devices in a high availability pair, or paired Firepower Management Center fails, do not restart the uninstall or change configurations on its peer. Instead, contact TAC Support.
Uninstall the Update from Stacked Devices
All devices in a stack must run the same Firepower version. Uninstalling the update from any of the stacked devices causes the devices in that stack to enter a limited, mixed-version state.
To minimize impact on your deployment, Cisco recommends that you uninstall an update from stacked devices simultaneously. The stack resumes normal operation when the uninstallation completes on all devices in the stack.
Uninstall the Update from Devices Deployed Inline
Managed devices do not perform traffic inspection, switching, routing, or related functions while the update is being uninstalled. Depending on how your devices are configured and deployed, the uninstallation process may also affect traffic flow and link state. See Pre-Update Configuration and Event Backups for more information.
Uninstall the Update and Online Help
Uninstalling the Version 6.1.0.3 update does not revert the online help to its previous version. If the version of your online help does not match that of your Firepower software, your online help may contain documentation for unavailable features and may have problems with context sensitivity and link functionality.
After you uninstall the update, there are several steps you should take to ensure that your deployment is performing properly. These include verifying that the uninstall succeeded and that all appliances in your deployment are communicating successfully.
The next sections include detailed instructions not only on performing the uninstallation, but also on completing any post-update steps. Make sure you complete all of the listed tasks.
The following procedure explains how to use the local web interface to uninstall the Version 6.1.0.3 update from managed devices. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.1.0.3 update results in a device running Version 6.1.0.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.1.0.3 update reboots the device. Managed devices do not perform traffic inspection, switching, routing, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state. See Pre-Update Configuration and Event Backups for more information.
To uninstall the update from a managed device:
1. Read and understand Order of Uninstallation.
2. On the managing Firepower Management Center, make sure that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
3. On the managed device, click the system status icon and view the Tasks tab in the Message Center to make sure there are no tasks in progress.
Tasks that are running when the uninstallation begins are stopped, become failed tasks, and cannot be resumed; you must manually delete them from the Tasks tab after the uninstallation completes.
5. Click the install icon next to the uninstaller that matches the update you want to remove, then confirm that you want to uninstall the update and reboot the device.
You can monitor the uninstallation progress in the Tasks tab of the Message Center.
Note: Do not use the web interface to perform any other tasks until the uninstallation has completed and the device reboots. Before the uninstallation completes, the web interface may become unavailable and the device may log you out. This is expected behavior; log in again to view the Tasks tab. If the uninstallation is still running, do not use the web interface until the uninstallation has completed. If you encounter issues with the uninstallation (for example, if the Tasks tab indicates that the update has failed or if the Tasks tab shows no progress for several minutes), do not restart the uninstallation. Instead, contact TAC Support.
6. After the uninstallation finishes, the device reboots.
7. Clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
9. Select Help > About and confirm that the software version is listed correctly: Version 6.1.0.2.
10. On the managing Firepower Management Center, verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
The following procedure explains how to uninstall the Version 6.1.0.3 update from Firepower NGIPSv devices. You cannot use a Firepower Management Center to uninstall the update from a virtually managed device.
Uninstalling the Version 6.1.0.3 update results in a device running Version 6.1.0.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.1.0.3 update reboots the device. Firepower NGIPSv devices do not perform traffic inspection or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. See Pre-Update Configuration and Event Backups for more information.
To uninstall the update from a Firepower NGIPSv device:
1. Read and understand Order of Uninstallation.
2. Log into the device CLI as admin, via SSH or through the virtual console.
3. At the CLI prompt, type expert to access the bash shell.
4. At the bash shell prompt, type sudo su -.
5. Type the admin password to continue the process with root privileges.
6. At the prompt, enter the following on a single line:
/var/sf/updates/Sourcefire_3D_Device_Virtual64_VMware_Patch_Uninstaller-6.1.0.3-xxx.sh
The uninstallation process begins.
Note: If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact TAC Support.
7. After the uninstallation finishes, the device reboots.
8. Log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version: Version 6.1.0.2.
9. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
The following procedure explains how to uninstall the Version 6.1.0.3 update from ASA FirePOWER modules. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.1.0.3 update results in a device running Version 6.1.0.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.1.0.3 update reboots the device. ASA FirePOWER modules do not perform traffic inspection or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. See Pre-Update Configuration and Event Backups for more information.
To uninstall the update from a virtual managed device:
1. Read and understand Order of Uninstallation.
2. Log into the device CLI as admin, via SSH or through the virtual console.
3. At the CLI prompt, type session sfr console.
4. At the CLI prompt, type expert to access the bash shell.
5. At the bash shell prompt, type sudo su -.
6. Type the admin password to continue the process with root privileges.
7. At the prompt, enter the following on a single line:
The uninstallation process begins.
Note: If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact TAC Support.
8. After the uninstallation finishes, the device reboots.
9. Log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version: Version 6.1.0.2.
10. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
The following procedure explains how to uninstall the Version 6.1.0.3 update from Firepower Threat Defense devices managed by the Firepower Management Center. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.1.0.3 update results in a device running Version 6.1.0.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.1.0.3 update reboots the device. Firepower Threat Defense devices and Firepower Threat Defense virtual devices do not perform traffic inspection or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. See Pre-Update Configuration and Event Backups for more information.
To uninstall the update from Firepower Threat Defense devices and Firepower Threat Defense Virtual devices:
1. Read and understand Order of Uninstallation.
2. Log into the device CLI as admin, via SSH or through the device console.
3. For Firepower 4100 Series devices and Firepower 9300 Security Appliances, type connect module <slot number> console and then connect ftd.
4. At the CLI prompt, type expert to access the bash shell.
5. At the bash shell prompt, type sudo su -.
6. Type the admin password to continue the process with root privileges.
7. At the prompt, enter the following on a single line:
The uninstallation process begins.
Note: If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact TAC Support.
8. After the uninstallation finishes, the device reboots.
9. Log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version: Version 6.1.0.2.
10. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
You cannot uninstall the update from Firepower Threat Defense devices with the Firepower Device Manager. You must reimage the appliance or uninstall through the CLI.
Uninstalling the Version 6.1.0.3 update results in a Firepower Management Center running Version 6.1.0.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
To uninstall the update from a Firepower Management Center:
1. Read and understand Order of Uninstallation.
2. Log into the Firepower Management Center as admin and make sure that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
3. Click the system status icon and view the Tasks tab in the Message Center to make sure that there are no tasks in progress.
The Product Updates tab appears.
5. Click the install icon next to the uninstaller that matches the update you want to remove.
The Install Update page appears.
6. Select the Firepower Management Center and click Install, then confirm that you want to uninstall the update and reboot the device.
You can monitor the uninstallation progress in the Tasks tab of the Message Center.
Note: Do not use the web interface to perform any other tasks until the uninstallation has completed and the Firepower Management Center reboots. Before the uninstallation completes, the web interface may become unavailable and the Firepower Management Center may log you out. This is expected behavior; log in again to view the Tasks tab. If the uninstallation is still running, do not use the web interface until the uninstallation has completed. If you encounter issues with the uninstallation (for example, if the Tasks tab indicates that the update has failed or if the Tasks tab shows no progress for several minutes), do not restart the uninstallation. Instead, contact TAC Support.
7. After the uninstall finishes, the appliance reboots.
8. Clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
9. Log in to the Firepower Management Center.
10. Select Help > About and confirm that the software version is listed correctly: Version 6.1.0.2.
11. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
The following procedure explains how to uninstall the Version 6.1.0.3 update from ASA FirePOWER modules managed by ASDM.
Uninstalling the Version 6.1.0.3 update results in a device running Version 6.1.0.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.1.0.3 update reboots the device. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. See Pre-Update Configuration and Event Backups for more information.
To uninstall the update from an ASA FirePOWER module managed by ASDM:
1. Read and understand Order of Uninstallation.
2. Log into the device CLI as admin, via SSH or through the virtual console.
3. At the CLI prompt, type expert to access the bash shell.
4. At the bash shell prompt, type sudo su -.
5. Type the admin password to continue the process with root privileges.
6. At the prompt, enter the following on a single line:
The uninstallation process begins.
Note: If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact TAC Support.
7. After the uninstallation finishes, the device reboots.
8. Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
If you have a Cisco account, you can view defects resolved in this release using the Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/.
The following defects are resolved in Version 6.1.0.3:
The following defects were resolved in Version 6.1.0.2:
The following defects were resolved in Version 6.1.0.1:
The following defects were resolved in Version 6.1.0:
If you have a Cisco account, you can view known issues reported in this release using the Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/.
The following defects are reported in Version 6.1.0.3:
The following defects were reported in previous versions:
Thank you for choosing Firepower.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about Cisco ASA devices, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions about installing or running Version 6.1.0.3, contact Cisco Support: