Upgrade Warnings for All Releases
These important warnings apply to every upgrade.
Traffic Flow, Inspection, and Device Behavior
You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur:
- When you upgrade the operating system or virtual hosting environment on a managed device.
- When you upgrade the Firepower software on a managed device.
- When you deploy configuration changes as part of the upgrade process.
Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive, IPS, firewall, and so on) determine the nature of the interruptions. We strongly recommend performing any upgrade in a maintenance window or at a time when any interruption will have the least impact on your deployment.
For details, see Traffic Flow, Inspection, and Device Behavior During Upgrade in the Firepower Management Center Upgrade Guide.
Appliance Access During Upgrade
Before you upgrade a Firepower device, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. In Firepower Management Center deployments, you should also be able to access the FMC management interface without traversing the device.
This is because Firepower devices can stop passing traffic during the upgrade (depending on interface configurations), or if the upgrade fails.
Unresponsive Upgrades
Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.
Patch or Hotfix for New Dynamic Analysis CA Certificate
Deployments: AMP for Networks (malware detection) deployments where you submit files for dynamic analysis
Upgrading from: A patched/hotfixed system with new CA certificates
Directly to: Version 6.2 through 6.2.3
On June 15, 2018, some Firepower deployments stopped being able to submit files for dynamic analysis. This occurred due to an expired CA certificate that was required for communications with the AMP Threat Grid cloud. In Version 6.1+ deployments, you can obtain a new certificate with a patch or hotfix. For earlier versions, you must upgrade to at least Version 6.1, then patch or hotfix.
If you already patched or hotfixed your deployment, upgrading to a later major version (Version 6.2 through 6.2.3) reverts to the old certificate and disables dynamic analysis. You must patch or hotfix again.
Note: If this is your first time installing the patch or hotfix, make sure your firewall allows outbound connections to fmc.api.threatgrid.com (replacing panacea.threatgrid.com) from both the FMC and its managed devices. Managed devices submit files to the cloud for dynamic analysis; the FMC queries for results.
The following table lists the patches and hotfixes that contain the new certificates, for each major version sequence and platform. Patches and hotfixes are available on the Cisco Support & Download site. For release notes, see Firepower Release Notes.
| Versions with Old Cert | First Patch with New Cert | Hotfix with New Cert (platform) | Hotfix with New Cert (hotfix) |
|---|---|---|---|
| 6.2.3 through 6.2.3.3 | 6.2.3.4 | FTD devices | |
| | | FMC, NGIPS devices | |
| 6.2.2 through 6.2.2.3 | 6.2.2.4 | All platforms | |
| 6.2.1 | None. You must upgrade. | None. You must upgrade. | |
| 6.2.0 through 6.2.0.5 | 6.2.0.6 | FTD devices | |
| | | FMC, NGIPS devices | |
| 6.1.0 through 6.1.0.6 | 6.1.0.7 | All platforms | |
| 6.0.x | None. You must upgrade. | None. You must upgrade. | |
Cisco Smart Licensing: Check Status After Upgrade
Deployments: Firepower Device Manager
In some cases, upgrading a Firepower Threat Defense device managed by Firepower Device Manager unregisters the device from the Cisco Smart Software Manager. After the upgrade completes, check your license status.
- Click Device, then click View Configuration in the Smart License summary.
- If the device is not registered, click Register Device.