Guidelines and Warnings for Version 6.3.0
| ✓ | Guideline | Platforms | Upgrading From | Directly To |
|---|---|---|---|---|
|   | Renamed Upgrade and Installation Packages | FMC, Firepower 7000/8000 series, NGIPSv | Any | 6.3.0+ |
|   | Reimaging to Version 6.3+ Disables LOM on Most Appliances | FMC (physical), Firepower 7000/8000 series | Any | 6.3.0+ |
|   | Readiness Check May Fail on FMC, 7000/8000 Series, NGIPSv | FMC, Firepower 7000/8000 series, NGIPSv | 6.2.3 through 6.2.3.4; 6.2.2 through 6.2.2.4; 6.2.1; 6.2.0 through 6.2.0.6; 6.1.0 through 6.1.0.6 | 6.3.0+ |
|   | Reporting Data Removed During FTD/FDM Upgrade | FTD with FDM | 6.2.0 through 6.2.3.x | 6.3.0 only |
|   | RA VPN Default Setting Change Can Block VPN Traffic | FTD with FMC | 6.2.0 through 6.2.3.x | 6.3.0+ |
|   | TLS/SSL Hardware Acceleration Enabled on Upgrade | Firepower 2100 series, Firepower 4100/9300 | 6.1.0 through 6.2.3.x | 6.3.0 only |
|   | Upgrade Failure: Version 6.3.0-83 Upgrades to FMC and ASA FirePOWER | FMC, ASA FirePOWER with ASDM | 6.1.0 through 6.2.3.x | 6.3.0 only |
|   | Security Intelligence Enables Application Identification | FMC deployments | 6.1.0 through 6.2.3.x | 6.3.0+ |
|   | Update VDB after Upgrade to Enable CIP Detection | Any | 6.1.0 through 6.2.3.x | 6.3.0+ |
|   | Invalid Intrusion Variable Sets Can Cause Deploy Failure | Any | 6.1.0 through 6.2.3.x | 6.3.0+ |
|   | Firepower 4100/9300 Requires FTD Push Before FXOS Upgrade | Firepower 4100/9300 | 6.1.0.x | 6.3.0 only |
To avoid upgrade failure, review these additional guidelines and warnings.
- Read these if your upgrade skips versions.
- Read these even if you are familiar with the upgrade process, as guidelines may have changed.
- Read these and be prepared to work around any bugs that affect upgrade.
- Read these for additional items that may affect upgrade. If your upgrade skips versions, you should also read the new feature documentation for the versions you skipped, in the Cisco Firepower Release Notes.
Renamed Upgrade and Installation Packages
Deployments: FMC, 7000/8000 series, NGIPSv
Upgrading from: Version 6.1.0 through 6.2.3.x
Directly to: Version 6.3+
The naming scheme (that is, the first part of the name) for upgrade, patch, hotfix, and installation packages changed starting with Version 6.3.0, on select platforms.
Note: This change causes issues with reimaging older physical appliances: DC750, 1500, 2000, 3500, and 4000, as well as 7000/8000 series devices and AMP models. If you are currently running Version 5.x and need to freshly install Version 6.3.0 or 6.4.0 on one of these appliances, rename the installation package to the "old" name after you download it from the Cisco Support & Download site.
| Platform | Naming Schemes |
|---|---|
| FMC | New: Cisco_Firepower_Mgmt_Center; Old: Sourcefire_3D_Defense_Center_S3 |
| Firepower 7000/8000 series | New: Cisco_Firepower_NGIPS_Appliance; Old: Sourcefire_3D_Device_S3 |
| NGIPSv | New: Cisco_Firepower_NGIPS_Virtual; Old: Sourcefire_3D_Device_VMware; Old: Sourcefire_3D_Device_Virtual64_VMware |

| Platform | Naming Schemes |
|---|---|
| FMC (physical) | New: Cisco_Firepower_Mgmt_Center; Old: Sourcefire_Defense_Center_M4; Old: Sourcefire_Defense_Center_S3 |
| FMCv: VMware | New: Cisco_Firepower_Mgmt_Center_Virtual_VMware; Old: Cisco_Firepower_Management_Center_Virtual_VMware |
| FMCv: KVM | New: Cisco_Firepower_Mgmt_Center_Virtual_KVM; Old: Cisco_Firepower_Management_Center_Virtual |
| Firepower 7000/8000 series | New: Cisco_Firepower_NGIPS_Appliance; Old: Sourcefire_3D_Device_S3 |
| NGIPSv | New: Cisco_Firepower_NGIPSv_VMware; Old: Cisco_Firepower_NGIPS_VMware |
Reimaging to Version 6.3+ Disables LOM on Most Appliances
Deployments: Physical FMCs, 7000/8000 series devices
Reimaging from: Version 6.0+
Directly to: Version 6.3+
Freshly installing Version 6.3+ now automatically deletes Lights-Out Management (LOM) settings on most appliances, for security reasons. On a few older FMC models, you have the option of retaining LOM settings along with your management network settings.
If you delete network settings during a Version 6.3+ reimage, you must make sure you have physical access to the appliance to perform the initial configuration. You cannot use LOM. After you perform the initial configuration, you can reenable LOM and LOM users.
| Platform | Reimage to Version 6.2.3 or earlier | Reimage to Version 6.3+ |
|---|---|---|
| MC1600, 2600, 4600; MC1000, 2500, 4500; MC2000, 4000 | Never deleted | Always deleted |
| MC750, 1500, 3500 | Deleted if you delete network settings | Deleted if you delete network settings |
| 7000/8000 series | Always deleted | Always deleted |
Readiness Check May Fail on FMC, 7000/8000 Series, NGIPSv
Deployments: FMC, 7000/8000 series devices, NGIPSv
Upgrading from: Version 6.1.0 through 6.1.0.6, Version 6.2.0 through 6.2.0.6, Version 6.2.1, Version 6.2.2 through 6.2.2.4, and Version 6.2.3 through 6.2.3.4
Directly to: Version 6.3.0+
You cannot run the readiness check on the listed models when upgrading from one of the listed Firepower versions. This occurs because the readiness check process is incompatible with newer upgrade packages.
| Readiness Check Not Supported | First Patch with Fix |
|---|---|
| 6.1.0 through 6.1.0.6 | 6.1.0.7 |
| 6.2.0 through 6.2.0.6 | 6.2.0.7 |
| 6.2.1 | None. Upgrade to Version 6.2.3.5+. |
| 6.2.2 through 6.2.2.4 | 6.2.2.5 |
| 6.2.3 through 6.2.3.4 | 6.2.3.5 |
Reporting Data Removed During FTD/FDM Upgrade
Deployments: Firepower Device Manager
Upgrading from: Version 6.2.x
Directly to: Version 6.3 only
Reporting data for short time periods is removed during the Version 6.3 upgrade. After the upgrade, if you query short time ranges on days that fall before the upgrade, the system adjusts your query to match the available data. For example, if you query 1-3 PM for a date and the system only has 24-hour data for it, the system reports on the entire day.
RA VPN Default Setting Change Can Block VPN Traffic
Deployments: Firepower Threat Defense configured for remote access VPN
Upgrading from: Version 6.2.x
Directly to: Version 6.3+
Version 6.3 changes the default setting for a hidden option, sysopt connection permit-vpn. Upgrading can cause your remote access VPN to stop passing traffic. If this happens, use either of these techniques:
- Create a FlexConfig object that configures the sysopt connection permit-vpn command. The new default for this command is no sysopt connection permit-vpn.
  This is the more secure method to allow traffic in the VPN, because external users cannot spoof IP addresses in the remote access VPN address pool. The downside is that the VPN traffic will not be inspected, which means that intrusion and file protection, URL filtering, and other advanced features will not be applied to the traffic.
- Create access control rules to allow connections from the remote access VPN address pool.
  This method ensures that VPN traffic is inspected and advanced services can be applied to the connections. The downside is that it opens the possibility for external users to spoof IP addresses and thus gain access to your internal network.
TLS/SSL Hardware Acceleration Enabled on Upgrade
Deployments: Firepower 2100 series, Firepower 4100/9300 chassis
Upgrading from: Version 6.1.0 through 6.2.3.x
Directly to: Version 6.3.0 only
The upgrade process automatically enables TLS/SSL hardware acceleration (sometimes called TLS crypto acceleration) on eligible devices. When it was introduced in Version 6.2.3, this feature was disabled by default on Firepower 4100/9300 chassis, and was not available on Firepower 2100 series devices.
Using TLS/SSL hardware acceleration on a managed device that is not decrypting traffic can affect performance. In Version 6.3.0.x, we recommend you disable this feature on devices that are not decrypting traffic.
To disable, use this CLI command:
system support ssl-hw-offload disable
Upgrade Failure: Version 6.3.0-83 Upgrades to FMC and ASA FirePOWER
Deployments: Firepower Management Center, ASA FirePOWER (locally managed)
Upgrading from: Version 6.1.0 through 6.2.3.x
Directly to: Version 6.3.0-83
Some Firepower Management Centers and locally (ASDM) managed ASA FirePOWER modules experienced upgrade failures with Version 6.3.0, build 83. This issue was limited to a subset of customers who upgraded from Version 5.4.x. For more information, see CSCvn62123 in the Cisco Bug Search Tool.
A new upgrade package is now available. If you downloaded the Version 6.3.0-83 upgrade package, do not use it. If you already experienced an upgrade failure due to this issue, contact Cisco TAC.
Security Intelligence Enables Application Identification
Deployments: Firepower Management Center
Upgrading from: Version 6.1 through 6.2.3.x
Directly to: Version 6.3+
In Version 6.3, Security Intelligence configurations enable application detection and identification. If you disabled discovery in your current deployment, the upgrade process may enable it again. Disabling discovery if you don't need it (for example, in an IPS-only deployment) can improve performance.
To disable discovery you must:
- Delete all rules from your network discovery policy.
- Use only simple network-based conditions to perform access control: zone, IP address, VLAN tag, and port. Do not perform any kind of application, user, URL, or geolocation control.
- (NEW) Disable network and URL-based Security Intelligence by deleting all whitelists and blacklists from your access control policy's Security Intelligence configuration, including the default Global lists.
- (NEW) Disable DNS-based Security Intelligence by deleting or disabling all rules in the associated DNS policy, including the default Global Whitelist for DNS and Global Blacklist for DNS rules.
Update VDB after Upgrade to Enable CIP Detection
Deployments: Any
Upgrading from: Version 6.1.0 through 6.2.3.x, with VDB 299+
Directly to: Version 6.3.0+
If you upgrade while using vulnerability database (VDB) 299 or later, an issue with the upgrade process prevents you from using CIP detection post-upgrade. This includes every VDB released from June 2018 to now, even the latest VDB.
Although we always recommend you update the vulnerability database (VDB) to the latest version after you upgrade, it is especially important in this case.
To check if you are affected by this issue, try to configure an access control rule with a CIP-based application condition. If you cannot find any CIP applications in the rule editor, manually update the VDB.
Invalid Intrusion Variable Sets Can Cause Deploy Failure
Deployments: Any
Upgrading from: Version 6.1 through 6.2.3.x
Directly to: Version 6.3.0+
For network variables in an intrusion variable set, any IP addresses you exclude must be a subset of the IP addresses you include. This table shows examples of valid and invalid configurations.

| Valid | Invalid |
|---|---|
| Include: 10.0.0.0/8; Exclude: 10.1.0.0/16 | Include: 10.1.0.0/16; Exclude: 172.16.0.0/12; Exclude: 10.0.0.0/8 |

Before Version 6.3.0, you could successfully save a network variable with this type of invalid configuration. Now, these configurations block deploy with the error "Variable set has invalid excluded values."
If this happens, identify and edit the incorrectly configured variable set, then redeploy. Note that you may have to edit network objects and groups referenced by your variable set.
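As an added example (not Cisco's code, and not something the FMC runs for you), the following Python check applies the subset rule from the table above to variable sets that you have copied by hand into a simple include/exclude structure, so you can find offending excludes before upgrading rather than at deploy time. The sample data is constructed to mirror the Valid and Invalid rows, and treating the merged included address space as the reference (rather than each include individually) is an assumption of this example.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed sample variable sets mirroring the Valid/Invalid table above.
# Each entry is one network variable: the CIDRs it includes and excludes.
VARIABLE_SETS = {
    "valid-example": {"include": ["10.0.0.0/8"], "exclude": ["10.1.0.0/16"]},
    "invalid-example": {
        "include": ["10.1.0.0/16"],
        "exclude": ["172.16.0.0/12", "10.0.0.0/8"],
    },
}


def invalid_excludes(variable):
    """Return the excluded networks that are not contained in the included
    address space. An empty list means the variable satisfies the rule."""
    includes = [ip_network(n, strict=False) for n in variable["include"]]
    # Assumption: merge adjacent or overlapping includes per IP version, so an
    # exclude that straddles two contiguous included blocks still counts as
    # covered. Versions are kept apart because subnet_of() rejects v4/v6 mixes.
    covered = {}
    for version in (4, 6):
        same = [n for n in includes if n.version == version]
        covered[version] = list(collapse_addresses(same)) if same else []
    bad = []
    for raw in variable["exclude"]:
        excl = ip_network(raw, strict=False)
        if not any(excl.subnet_of(inc) for inc in covered[excl.version]):
            bad.append(str(excl))
    return bad


def check_variable_sets(variable_sets):
    """Map each variable name to its offending excludes. Only names with at
    least one offending exclude appear, so an empty dict means deploy-safe."""
    report = {}
    for name, variable in variable_sets.items():
        bad = invalid_excludes(variable)
        if bad:
            report[name] = bad
    return report


if __name__ == "__main__":
    for name, bad in check_variable_sets(VARIABLE_SETS).items():
        print(f"{name}: excluded values not covered by includes: {', '.join(bad)}")
```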
Firepower 4100/9300 Requires FTD Push Before FXOS Upgrade
Deployments: Firepower 4100/9300 with FTD
Upgrading from: Version 6.1.x on FXOS 2.0.1, 2.1.1, or 2.3.1
Directly to: Version 6.3.0 on FXOS 2.4.1
If your Firepower Management Center is running Version 6.2.3+, we strongly recommend you push (copy) Firepower upgrade packages to managed devices before you upgrade. This helps reduce the length of your upgrade maintenance window.
For Firepower 4100/9300 with FTD, best practice is to push before you begin the required companion FXOS upgrade. And, if you are upgrading from Version 6.1 directly to Version 6.3, this push is required. You must push before you upgrade FXOS.
This is because upgrading FXOS to Version 2.4.1 while still running Firepower 6.1 causes the device management port to flap, which in turn causes intermittent communication problems between the device and the FMC. You may see 'sftunnel daemon exited' alarms, and any task that involves sustained communications—such as pushing a large upgrade package—may fail.
To upgrade Firepower 4100/9300 with FTD, always follow this sequence:
1. Upgrade the FMC to the target version.
2. Obtain the device upgrade package from the Cisco Support & Download site and upload it to the FMC.
3. Use the FMC to push the upgrade package to the device.
4. After the push completes, upgrade FXOS to the target version.
5. Immediately, use the FMC to upgrade the Firepower software on the device.
Remember, until you upgrade the Firepower software, you may continue to experience management port flaps.