Upgrade FXOS on a Firepower 4100/9300 with Firepower Threat Defense Logical Devices
On the Firepower 4100/9300, you upgrade FXOS on each chassis independently, even if you have Firepower inter-chassis clustering or high availability pairs configured. You can use the FXOS CLI or Firepower Chassis Manager.
Upgrading FXOS reboots the chassis. Depending on your deployment, traffic can either drop or traverse the network without inspection; see the Cisco Firepower Release Notes for your version.
Upgrade FXOS: FTD Standalone Devices and Intra-chassis Clusters
For a standalone Firepower Threat Defense logical device, or for an FTD intra-chassis cluster (units on the same chassis), first upgrade the FXOS platform bundle then upgrade FTD logical devices. Use the Firepower Management Center to upgrade clustered devices as a unit.
Upgrade FXOS for Standalone FTD Logical Devices or an FTD Intra-chassis Cluster Using Firepower Chassis Manager
This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.
The section describes the upgrade process for the following types of devices:
-
A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair or inter-chassis cluster.
-
A Firepower 9300 chassis that is configured with one or more standalone FTD logical devices that are not part of a failover pair or inter-chassis cluster.
-
A Firepower 9300 chassis that is configured with FTD logical devices in an intra-chassis cluster.
Before you begin
Before beginning your upgrade, make sure that you have already done the following:
-
Download the FXOS platform bundle software package to which you are upgrading.
-
Back up your FXOS and FTD configurations.
Procedure
Step 1 |
In Firepower Chassis Manager, choose . |
Step 2 |
Upload the new platform bundle image: |
Step 3 |
After the new platform bundle image has been successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. |
Step 4 |
Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation. The system unpacks the bundle and upgrades/reloads the components. |
Step 5 |
Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI: Example:
|
Step 6 |
After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:
|
Upgrade FXOS for Standalone FTD Logical Devices or an FTD Intra-chassis Cluster Using the FXOS CLI
This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.
The section describes the FXOS upgrade process for the following types of devices:
-
A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair or inter-chassis cluster.
-
A Firepower 9300 chassis that is configured with one or more standalone FTD devices that are not part of a failover pair or inter-chassis cluster.
-
A Firepower 9300 chassis that is configured with FTD logical devices in an intra-chassis cluster.
Before you begin
Before beginning your upgrade, make sure that you have already done the following:
-
Download the FXOS platform bundle software package to which you are upgrading.
-
Back up your FXOS and FTD configurations.
-
Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:
-
IP address and authentication credentials for the server from which you are copying the image.
-
Fully qualified name of the image file.
-
Procedure
Step 1 |
Connect to the FXOS CLI. |
Step 2 |
Download the new platform bundle image to the Firepower 4100/9300 chassis: Example:The following example copies an image using the SCP protocol:
|
Step 3 |
If necessary, return to firmware mode: Firepower-chassis-a /firmware/download-task # up |
Step 4 |
Enter auto-install mode: Firepower-chassis-a /firmware # scope auto-install |
Step 5 |
Install the FXOS platform bundle: Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58). |
Step 6 |
The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. Enter yes to confirm that you want to proceed with verification. |
Step 7 |
Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. The system unpacks the bundle and upgrades/reloads the components. |
Step 8 |
To monitor the upgrade process: Example:
|
Step 9 |
After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:
|
Upgrade FXOS: FTD High Availability Pairs
In Firepower Threat Defense high availability deployments, upgrade the FXOS platform bundle on both chassis before you upgrade either FTD logical device. To minimize disruption, always upgrade the standby. In the following scenarios, Device A is the original active device and Device B is the original standby.
Firepower Management Center
In Firepower Management Center deployments, you upgrade the logical devices as a unit:
-
Upgrade FXOS on the standby (B).
-
Switch roles.
-
Upgrade FXOS on the new standby (A).
-
Upgrade FTD logical devices (A+B).
Firepower Device Manager
In Firepower Device Manager deployments, you upgrade the logical devices separately:
-
Upgrade FXOS on the chassis with the standby FTD logical device (B).
-
Switch roles.
-
Upgrade FXOS on the chassis with the new standby logical device (A).
Both chassis now have an upgraded FXOS.
-
Upgrade the new standby FTD logical device (A).
-
Switch roles again.
-
Upgrade the original standby FTD logical device (B).
Upgrade FXOS on an FTD High Availability Pair Using Firepower Chassis Manager
If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:
Before you begin
Before beginning your upgrade, make sure that you have already done the following:
-
Download the FXOS platform bundle software package to which you are upgrading.
-
Back up your FXOS and FTD configurations.
Procedure
Step 1 |
Connect to Firepower Chassis Manager on the Firepower security appliance that contains the standby Firepower Threat Defense logical device: |
Step 2 |
In Firepower Chassis Manager, choose . |
Step 3 |
Upload the new platform bundle image: |
Step 4 |
After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. |
Step 5 |
Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation. The system unpacks the bundle and upgrades/reloads the components. |
Step 6 |
Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI: Example:
|
Step 7 |
After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:
|
Step 8 |
Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:
|
Step 9 |
Connect to Firepower Chassis Manager on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device: |
Step 10 |
In Firepower Chassis Manager, choose . |
Step 11 |
Upload the new platform bundle image: |
Step 12 |
After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. |
Step 13 |
Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation. The system unpacks the bundle and upgrades/reloads the components. The upgrade process can take up to 30 minutes to complete. |
Step 14 |
Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI: Example:
|
Step 15 |
After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:
|
Step 16 |
Make the unit that you just upgraded the active unit as it was before the upgrade:
|
Upgrade FXOS on an FTD High Availability Pair Using the FXOS CLI
If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:
Before you begin
Before beginning your upgrade, make sure that you have already done the following:
-
Download the FXOS platform bundle software package to which you are upgrading.
-
Back up your FXOS and FTD configurations.
-
Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:
-
IP address and authentication credentials for the server from which you are copying the image.
-
Fully qualified name of the image file.
-
Procedure
Step 1 |
Connect to FXOS CLI on the Firepower security appliance that contains the standby Firepower Threat Defense logical device: |
Step 2 |
Download the new platform bundle image to the Firepower 4100/9300 chassis: Example:The following example copies an image using the SCP protocol:
|
Step 3 |
If necessary, return to firmware mode: Firepower-chassis-a /firmware/download-task # up |
Step 4 |
Enter auto-install mode: Firepower-chassis-a /firmware # scope auto-install |
Step 5 |
Install the FXOS platform bundle: Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58). |
Step 6 |
The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. Enter yes to confirm that you want to proceed with verification. |
Step 7 |
Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. The system unpacks the bundle and upgrades/reloads the components. |
Step 8 |
To monitor the upgrade process: Example:
|
Step 9 |
After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:
|
Step 10 |
Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:
|
Step 11 |
Connect to FXOS CLI on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device: |
Step 12 |
Download the new platform bundle image to the Firepower 4100/9300 chassis: Example:The following example copies an image using the SCP protocol:
|
Step 13 |
If necessary, return to firmware mode: Firepower-chassis-a /firmware/download-task # up |
Step 14 |
Enter auto-install mode: Firepower-chassis-a /firmware # scope auto-install |
Step 15 |
Install the FXOS platform bundle: Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58). |
Step 16 |
The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. Enter yes to confirm that you want to proceed with verification. |
Step 17 |
Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. The system unpacks the bundle and upgrades/reloads the components. |
Step 18 |
To monitor the upgrade process: Example:
|
Step 19 |
After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:
|
Step 20 |
Make the unit that you just upgraded the active unit as it was before the upgrade:
|
Upgrade FXOS: FTD Inter-chassis Clusters
For Firepower Threat Defense inter-chassis clusters (units on different chassis), upgrade the FXOS platform bundle on all chassis before you upgrade the FTD logical devices. To minimize disruption, always upgrade FXOS on an all-data unit chassis. Then, use the Firepower Management Center to upgrade the logical devices as a unit.
For example, for a two-chassis cluster:
-
Upgrade FXOS on the all-data unit chassis.
-
Switch the control module to the chassis you just upgraded.
-
Upgrade FXOS on the new all-data unit chassis.
-
Upgrade FTD logical devices.
Upgrade FXOS on an FTD Inter-chassis Cluster Using Firepower Chassis Manager
If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as an inter-chassis cluster, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:
Before you begin
Before beginning your upgrade, make sure that you have already done the following:
-
Download the FXOS platform bundle software package to which you are upgrading.
-
Back up your FXOS and FTD configurations.
Procedure
Step 1 |
Enter the following commands to verify the status of the security modules/security engine and any installed applications: |
Step 2 |
Connect to Firepower Chassis Manager on Chassis #2 (this should be a chassis that does not have the control unit). |
Step 3 |
In Firepower Chassis Manager, choose . |
Step 4 |
Upload the new platform bundle image: |
Step 5 |
After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. |
Step 6 |
Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation. The system unpacks the bundle and upgrades/reloads the components. |
Step 7 |
Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI: Example:
|
Step 8 |
Set one of the security modules on Chassis #2 as control. After setting one of the security modules on Chassis #2 to control, Chassis #1 no longer contains the control unit and can now be upgraded. |
Step 9 |
Repeat Steps 1-7 for all other Chassis in the cluster. |
Step 10 |
To return the control role to Chassis #1, set one of the security modules on Chassis #1 as control. |
Upgrade FXOS on an FTD Inter-chassis Cluster Using the FXOS CLI
If you have Firepower 9300 or Firepower 4100 series security appliances with FTD logical devices configured as an inter-chassis cluster, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:
Before you begin
Before beginning your upgrade, make sure that you have already done the following:
-
Download the FXOS platform bundle software package to which you are upgrading.
-
Back up your FXOS and FTD configurations.
-
Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:
-
IP address and authentication credentials for the server from which you are copying the image.
-
Fully qualified name of the image file.
-
Procedure
Step 1 |
Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the control unit). |
Step 2 |
Enter the following commands to verify the status of the security modules/security engine and any installed applications: |
Step 3 |
Download the new platform bundle image to the Firepower 4100/9300 chassis: Example:The following example copies an image using the SCP protocol:
|
Step 4 |
If necessary, return to firmware mode: Firepower-chassis-a /firmware/download-task # up |
Step 5 |
Enter auto-install mode: Firepower-chassis /firmware # scope auto-install |
Step 6 |
Install the FXOS platform bundle: Firepower-chassis /firmware/auto-install # install platform platform-vers version_number version_number is the version number of the FXOS platform bundle you are installing—for example, 2.3(1.58). |
Step 7 |
The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. Enter yes to confirm that you want to proceed with verification. |
Step 8 |
Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. The system unpacks the bundle and upgrades/reloads the components. |
Step 9 |
To monitor the upgrade process: Example:
|
Step 10 |
Set one of the security modules on Chassis #2 as control. After setting one of the security modules on Chassis #2 to control, Chassis #1 no longer contains the control unit and can now be upgraded. |
Step 11 |
Repeat Steps 1-9 for all other Chassis in the cluster. |
Step 12 |
To return the control role to Chassis #1, set one of the security modules on Chassis #1 as control. |