Update Sequence Guidelines

The Version 6.1 Pre-Installation Package includes fixes that allow you to take advantage of specific Version 6.1 update functionality.

■You must apply the Version 6.1 Pre-Installation Package to your Firepower Management Center and devices if you want to use shell commands to perform a pre-update readiness check before beginning the Version 6.1 update. If you do not install the Version 6.1 Pre-Install, you will not be able to perform readiness checks before updating to Version 6.1.

■You must apply the Version 6.1 Pre-Installation Package to your Firepower Threat Defense devices in a high availability configuration if you want to perform the Version 6.1 update without breaking the pair (a hitless update). If you do not install the Version 6.1 Pre-Install, you must break the pair before updating to Version 6.1.

For more information about the Version 6.1 readiness check and update, see the Firepower System Release Notes for Version 6.1. See the following section for special update considerations when you have high availability configured.

Device Functionality During the Update

For the Version 6.1 Pre-Installation Package, only the Firepower Threat Defense devices reboot. 7000 and 8000 Series devices do not perform traffic inspection, switching, routing, NAT, VPN, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state.

Installing the Pre-Installation Package on a Firepower Management Center

Note: Appliances must be running at least Version 6.0.1 or later to apply the Version 6.1 Pre-Installation Package.

1. On the system that will be used to upload the pre-installation file to the Defense Center, download the file:

–for Series 3 and virtual Defense Center:

Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.

2. Upload the update to the Firepower Management Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.

The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.

3. Redeploy configuration changes to any managed devices. Otherwise, the eventual update of the managed devices may fail.

4. Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

5. Click the system status icon and view the Tasks tab in the Message Center to make sure that there are no tasks in progress.

You must wait until any long-running tasks are complete before you begin the update. Tasks that are running when the update begins are stopped, become failed tasks, and cannot be resumed; you must manually delete them from the task queue after the update completes. The task queue automatically refreshes every 10 seconds.

6. On the System > Updates page, click the install icon next to the update you are installing.

7. Select the Firepower Management Center and click Install. Confirm that you want to install the update.

Caution: If you encounter any other issue with the update (for example, if a manual refresh of the Message Center shows no progress for several minutes), do not restart the installation process. Instead, contact Support.

When the update completes, the Firepower Management Center displays a success message.

Installing the Pre-Installation Package to 7000 and 8000 Series Devices, Firepower NGIPSv, and ASA FirePOWER modules

You can update multiple devices at once but only if they use the same update file.

Note: If you are locally managing the ASA FirePOWER module through ASDM, do not update the ASA FirePOWER module using the Firepower Management Center.

For the Version 6.1 Pre-Installation Package, the 7000 and 8000 Series devices, Firepower NGIPSv devices, and ASA FirePOWER modules do not reboot.

Caution: Do not reboot or shut down your appliance during the update until you see the login prompt. The system may appear inactive during the pre-checks; this is expected behavior and does not require you to reboot or shut down your appliance.

Note: Appliances must be running at least Version 6.0.1 or later to apply the Version 6.1 Pre-Installation Package.

To update managed devices, NGIPSv devices, and ASA FirePOWER modules:

1. Use the managing Firepower Management Center to deploy configuration changes to the managed 7000 and 8000 Series devices, Firepower NGIPSv managed devices, and ASA FirePOWER modules. Otherwise, the eventual update may fail.

2. If you are updating an ASA device, update to ASA Version 9.6.1 or later as described in the ASA/ASDM Release Notes.

3. Download the update from the Support site:

–for 7000 and 8000 Series managed devices:

–for Firepower NGIPSv:

–for ASA with FirePOWER Services running on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and ASA 5585-X-SSP-60

Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.

4. Upload the update to the Firepower Management Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.

The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.

5. Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

6. On the System > Updates page, click the install icon next to the update you are installing.

7. Select the devices where you want to install the update.

If you are updating stacked 7000 and 8000 Series devices, selecting one member of the stack automatically selects the other devices in the stack. You must update members of a stack together.

8. Click Install. Confirm that you want to install the update. The update process begins.

9. You can monitor the update's progress on the Tasks tab in the Firepower Management Center’s Message Center.

Caution: If you encounter issues with the update (for example, if the Tasks tab indicates that the update has failed or if it shows no progress for several minutes), do not restart the update. Instead, contact Support.

10. Select Devices > Device Management and confirm that the devices you updated have the correct software version: Version 6.0.1.

11. Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

12. Redeploy policies to all managed devices.

Click the Deploy button and select all available devices, then click Deploy.

Installing the Pre-Installation Package to ASA FirePOWER module managed via ASDM

For the Version 6.1 Pre-Installation Package, the 7000 and 8000 Series devices, Firepower NGIPSv devices, and ASA FirePOWER modules do not reboot.

To update ASA FirePOWER modules locally from the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, or ASA 5585-X-SSP-50:

1. Update to ASA Version 9.6.1 and ASDM Version 7.6.1 as described in the ASA/ASDM Release Notes.

2. Download the update from the Support site:

3. Select Monitoring > ASA FirePOWER Monitoring > Task Status to view the task queue and make sure that there are no jobs in process.

Tasks that are running when the update begins are stopped and cannot be resumed; you must manually delete them from the task queue after the update completes. The task queue automatically refreshes every 10 seconds. You must wait until any long-running tasks are complete before you begin the update.

4. Select Configuration > ASA FirePOWER Configuration > Updates.

5. Click the install icon next to the update you uploaded.

The update process begins. You can begin monitoring the update’s progress in the task queue.

6. After the update finishes, reconnect ASDM to the ASA device as described in the ASA Firepower Module Quick Start Guide.

7. Access the ASA FirePOWER module interface and refresh the page. Otherwise, the interface may exhibit unexpected behavior. If you are the first user to access the interface after a major update, the End User License Agreement (EULA) may appear. You must review and accept the EULA to continue.

Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.

8. Deploy configuration changes. Otherwise, the eventual update may fail.

9. Select Configuration > ASA FirePOWER Configuration > Updates.

10. Click Upload Update.

11. Click Choose File to navigate to and select the update.

12. Click Upload.

13. If the VDB available on the Support site is newer than the VDB installed during the update, install the latest VDB. Do not auto-deploy VDB updates when working with Version 6.0.1.

Installing a VDB update restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. For more information, see the ASA with FirePOWER Services Local Management Configuration Guide.

Installing the Pre-Installation Package on Firepower Threat Defense devices

You can update multiple devices at once but only if they use the same update file.

If your appliance is in a high availability or clustered configuration, see Update Sequence Guidelines.

Caution: Do not reboot or shut down your appliance during the update until you see the login prompt. The system may appear inactive during the pre-checks; this is expected behavior and does not require you to reboot or shut down your appliance.

For the Version 6.1 Pre-Installation Package, only the Firepower Threat Defense devices reboot.

To update Firepower Threat Defense devices:

Read these release notes and complete any pre-update tasks.

1. Use the managing Firepower Management Center to deploy configuration changes to the managed Firepower Threat Defense devices. Otherwise, the eventual update may fail.

2. If you are updating a Firepower 9300 Security Appliance or a Firepower 41xx device, update to FXOS Version 2.0.1 as described in the Cisco FXOS 2.0(1) Release Notes.

3. Download the Version 6.1 update from the Support site:

–for Firepower Threat Defense running on the ASA5506-X, ASA5506H-X, ASA5506W-X, ASA5508-X, ASA5512-X, ASA5515-X, ASA5516-X, ASA5525-X, ASA5545-X, ASA5555-X, or on VMware or AWS:

–for Firepower Threat Defense running on the Firepower 9300 Security appliance, Firepower 4110 Security appliance, Firepower 4120 Security appliance, or Firepower 4140 Security appliance:

Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.

4. Upload the update to the Firepower Management Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.

The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.

5. Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

6. Click the install icon next to the update you are installing.

7. Select the devices where you want to install the update.

8. Click Install. Confirm that you want to install the update and reboot the devices.

9. The update process begins. You can monitor the update's progress on the Tasks tab of the Message Center.

Note that managed devices may reboot twice during the update; this is expected behavior.

Caution: If you encounter issues with the update (for example, if messages in the Tasks tab of the Message Center show no progress for several minutes or indicate that the update has failed), do not restart the update. Instead, contact Support.

10. Select Devices > Device Management and confirm that the devices you updated have the correct software version: 6.0.1.

11. Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

12. Redeploy policies to all managed devices.

Click the Deploy button and select all available devices, then Click Deploy.

Resolved Issues

You can track defects resolved in this release using the Cisco Bug Search Tool ( https://tools.cisco.com/bugsearch/). A Cisco account is required. The pre-installation package addresses the following issues:

■Resolved an issue where, if you enabled adaptive profiles in the Advanced tab of the access control policy editor page and repeatedly deploy configuration, the system did not prune expired information and experienced memory issues. (CSCuz03171)

■You can now perform a readiness check via shell on devices running Version 6.0 or later. (CSCuz59623)

■Resolved an issue where, if you enabled failover on Firepower Threat Defense device pair and a device experienced a reload, the system incorrectly disabled the failover capability due to an application synchronization. (CSCuz79013)

■Resolved an issue where, if you updated a system containing an excessive amount of table entries to Version 6.1.0, some processes timed out during the update and the update failed. (CSCvb27547)

■Resolved an issue where, if you updated a system from Version 6.0.1.1 or later to Version 6.1, the system experienced a variety of issues such as update failure or Firepower Management Center login failure. (CSCvb27923)

■Resolved an issue where, in some cases, if you updated a system from Version 6.0.1.x to Version 6.1.0, the update failed. (CSCvb35499)

■Resolved an issue where, if you modified the default dashboard for physical or virtual Firepower Management Center, Firepower 7000 Series devices, Firepower 8000 Series devices, or ASA with FirePOWER Services running Version 6.0.1 and update to Version 6.1.0, the update failed. (CSCvd11306)

■Resolved an issue where, if you updated a system from Version 6.0.1.1 or later to Version 6.1.0, Firepower experienced a variety of issues such as update failure or Firepower Management Center login failure. (CSCvb47847)

For Assistance

Thank you for choosing the Firepower System.

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about Cisco ASA devices, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

If you have any questions about installing or running Version 6.1, contact Cisco Support:

■Visit the Cisco Support site at http://support.cisco.com/.

■Email Cisco Support at tac@cisco.com.

■Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2017 Cisco Systems, Inc. All rights reserved.

  Printed in the USA on recycled paper containing 10% postconsumer waste.