These important guidelines and warnings apply to every upgrade. However, this list is not
comprehensive. For links to additional important information on the upgrade process,
which can include planning upgrade paths, OS upgrades, readiness checks, backups,
maintenance windows, and so on, see Upgrade Instructions.
Back Up Event and Configuration Data
When supported, we strongly recommend you back up both before and after upgrade:
Before upgrade: If an upgrade fails catastrophically, you may have to reimage
and restore. Reimaging returns most settings to factory defaults, including
the system password. If you have a recent backup, you can return to normal
operations more quickly.
After upgrade: This creates a snapshot of your freshly upgraded deployment.
We recommend you back up the FMC after you upgrade its managed devices, so
your new FMC backup file 'knows' that its devices have been upgraded.
You should back up to a secure remote location and verify transfer success. Upgrades
purge locally stored backups. Because backup files are unencrypted, do not allow
unauthorized access to them. If backup files are modified, the restore process
As the first step in any backup, note the appliance model and version, including
patch level. For FMCs note the VDB version. For Firepower
4100/9300 chassis, note the FXOS version. This is important because if you
need to restore the backup to a new or reimaged appliance, you may need to update
the new appliance first.
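One way to verify transfer success and detect later modification of a backup, as an added example that is not Cisco's code: it writes a manifest holding the file's size and SHA-256 together with the model, version, VDB and FXOS details noted above, then checks a copy against it. It assumes you hold a copy of the backup file on an administrative workstation; the function names and manifest layout are hypothetical.

```python
import hashlib
import json
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large backup archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_path, model, version, vdb=None, fxos=None):
    """Record the appliance details to note, plus size and hash of the backup."""
    backup_path = Path(backup_path)
    manifest = {
        "file": backup_path.name,
        "size": backup_path.stat().st_size,
        "sha256": sha256_file(backup_path),
        "model": model,      # appliance model
        "version": version,  # software version, including patch level
        "vdb": vdb,          # FMC only
        "fxos": fxos,        # Firepower 4100/9300 chassis only
    }
    manifest_path = backup_path.parent / (backup_path.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_copy(copy_path, manifest_path):
    """Return a list of problems; an empty list means the copy matches."""
    manifest = json.loads(Path(manifest_path).read_text())
    copy_path = Path(copy_path)
    if not copy_path.is_file():
        return ["backup copy is missing"]
    problems = []
    if copy_path.stat().st_size != manifest["size"]:
        problems.append("size differs (truncated or altered transfer)")
    if sha256_file(copy_path) != manifest["sha256"]:
        problems.append("sha256 differs (content modified)")
    return problems
```

Keep the manifest somewhere other than the backup storage itself, so that someone who can alter the backup cannot also rewrite the recorded hash.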
Backup and restore can be a complex
process. You do not want to skip any
steps or ignore security or licensing concerns. Careful planning and preparation
can help you avoid missteps. For detailed information on requirements,
guidelines, limitations, and best practices for backup and restore, see the
configuration guide for your Firepower product.
Verify NTP Synchronization
Before you upgrade, make sure Firepower appliances are synchronized with any NTP
server you are using to serve time. Being out of sync can cause upgrade failure. In
FMC deployments, the Time Synchronization Status health module does alert if clocks
are out of sync by more than 10 seconds, but you should still check manually.
To check time:
To upgrade a Firepower appliance (or perform a readiness check), the upgrade package
must be on the appliance. Firepower upgrade package sizes vary. Make sure your
management network has the bandwidth to perform large data transfers.
In FMC deployments, if you transfer an upgrade package to a managed device at the
time of upgrade, insufficient bandwidth can extend upgrade time or even cause the
upgrade to time out. We recommend you manually push (copy) Firepower upgrade
packages to managed devices before you upgrade. For
more information, see Guidelines for Downloading Data from the Firepower Management
Center to Managed Devices (Troubleshooting TechNote).
can stop passing traffic during the upgrade
(depending on interface configurations), or if the
upgrade fails. Before you upgrade a Firepower
device, make sure traffic from your location does
not have to traverse the device itself to access
the device's management interface. In FMC
deployments, you should also be able to access the
FMC management interface without traversing the
Signed Upgrade Packages
So that Firepower can verify that you are using the correct files, upgrade
packages from (and hotfixes to) Version 6.2.1+ are signed tar archives
(.tar). Upgrades from earlier versions continue to use unsigned packages.
When you manually download upgrade packages from the Cisco Support & Download site—for example, for a major upgrade or in an air-gapped deployment—make sure you
download the correct package. Do not untar signed (.tar) packages.
After you upload a signed upgrade package, the GUI can take several minutes to
load as the system verifies the package. To speed up the display, remove signed
packages after you no longer need them.
Disable ASA REST API on ASA FirePOWER Devices
Before you upgrade an ASA FirePOWER module, make sure the ASA REST API is disabled.
Otherwise, the upgrade could fail. From the ASA CLI:
no rest-api agent
You can reenable after the uninstall:
Sharing Data with Cisco
Some features involve sharing data with Cisco.
In Version 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. During upgrades, you may be asked to accept or decline participation. You can
also opt in or out at any time.
In Version 6.2.3+, Web analytics tracking
sends non-personally-identifiable usage data to
Cisco, including but not limited to page
interactions, browser versions, product versions,
user location, and management IP addresses or
hostnames of your FMCs. Major upgrades enable web analytics tracking, even if your current setting is to
opt out. If you do not want Cisco to collect this data, opt out after each major
Upgrades Can Import and Auto-Enable Intrusion Rules
If a newer intrusion rule uses keywords that are not supported in your current
Firepower version, that rule is not imported when you update the intrusion rule
After you upgrade the Firepower software and those keywords become supported, the new
intrusion rules are imported and, depending on your IPS configuration, can become
auto-enabled and thus start generating events and affecting traffic flow.
Supported keywords depend on the Snort version included with your Firepower
FMC: Choose Help > About.
FTD with FDM: Use the show summary CLI command.
ASA FirePOWER with ASDM: Choose ASA FirePOWER Configuration >
You can also find your Snort version on the Bundled Components section of the
Cisco Firepower Compatibility Guide.
The Snort release notes contain details on new keywords. You can read the release
notes on the Snort download page: https://www.snort.org/downloads.
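One way to anticipate which rules an upgrade could newly import, as an added example that is not Cisco's or Snort's code: it extracts the option keywords from each rule and lists the rules that use a keyword outside a supported set. The SUPPORTED set, the sample rules and the keyword example_new_kw are constructed for illustration; build the real set from the Snort release notes for your version.

```python
import re

# Constructed subset of keywords treated as supported by the current version.
SUPPORTED = {"msg", "flow", "content", "pcre", "sid", "rev", "classtype"}

# Constructed sample rules, not taken from any real rule set.
SAMPLE_RULES = r'''
# comment lines are skipped
alert tcp any any -> any 80 (msg:"sample one; quoted semicolon"; flow:to_server,established; content:"GET"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"sample two"; content:"POST"; example_new_kw:42; sid:1000002; rev:1;)
'''


def option_keywords(rule):
    """Return the option keywords of one rule, honouring quotes and escapes."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        return []
    keywords, token, in_quotes, escaped = [], [], False, False
    for ch in rule[start + 1:end] + ";":  # trailing ';' flushes the last option
        if ch == ";" and not in_quotes and not escaped:
            name = "".join(token).split(":", 1)[0].strip()
            if name:
                keywords.append(name)
            token = []
            continue
        token.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
    return keywords


def rules_held_back(rules_text, supported):
    """Map sid -> unsupported keywords for rules the current version would skip."""
    held = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        missing = sorted(set(option_keywords(line)) - supported)
        if missing:
            sid = re.search(r"\bsid\s*:\s*(\d+)", line)
            held[sid.group(1) if sid else "unknown"] = missing
    return held
```

The rules it reports are the ones to review before the upgrade, since they are the candidates for being imported and auto-enabled once the new version supports their keywords.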
deploy changes to or from, manually reboot, or
shut down an upgrading appliance. Do not
restart an upgrade in progress. The upgrade
process may appear inactive during prechecks; this
is expected. If you encounter issues with the
upgrade, including a failed upgrade or
unresponsive appliance, contact Cisco TAC.