Cisco Firepower Management Center Upgrade Guide

About Upgrade Paths: Can I Upgrade?

Your upgrade path is a detailed plan for what you will upgrade and when. In general, you upgrade the Firepower Management Center, then its managed devices. However, in some cases you may need to upgrade devices first. If you have assessed your deployment—that is, you know what you have and what you want—you are ready to build your upgrade path.

Tip

Especially in larger deployments where you must alternate FMC and device upgrades, upgrade paths that require intermediate versions can be time consuming. To save time, you can reimage older devices instead of upgrading. First, remove the devices from the FMC. Then, upgrade the FMC, reimage the devices, and re-add them to the FMC.

Answer 'Yes' to Two Important Questions

You must answer 'yes' to both of these questions, every time you upgrade either an FMC or a device:

Is Direct Upgrade Possible?
Can I Maintain FMC-Device Version Compatibility?

If the answer to either question is 'no,' your upgrade path is invalid.

Is Direct Upgrade Possible?

If a direct upgrade from your current to your target version is not possible, your upgrade path must include either intermediate versions, or strategic reimaging. To patch Firepower, you must be running the base major version. You cannot upgrade directly to a patch from an previous major version.

For major upgrades, this table summarizes upgrade capabilites for Firepower Management Centers and their managed devices. Find your current major version in the first column, then read across to determine if a direct upgrade is possible to your target version. For upgrade paths for each appliance type see the upgrade chapters: Upgrade Firepower Appliances.

Table 1. Firepower Direct Upgrade Support
Current Version	Target Version: Direct Upgrade Supported
Current Version	to 6.5.0	6.4.0	6.3.0	6.2.3	6.2.2	6.2.1	6.2.0	6.1.0	6.0.1	6.0.0
from 6.4.0	Yes	—	—	—	—	—	—	—	—	—
6.3.0	Yes	Yes	—	—	—	—	—	—	—	—
6.2.3	Yes	Yes	Yes	—	—	—	—	—	—	—
6.2.2	—	Yes	Yes	Yes	—	—	—	—	—	—
6.2.1	—	Yes	Yes	Yes	Yes	—	—	—	—	—
6.2.0	—	Yes	Yes	Yes	Yes	—	—	—	—	—
6.1.0	—	Yes†	Yes	Yes	—	—	Yes	—	—	—
6.0.1	—	—	—	—	—	—	—	Yes	—	—
6.0.0	—	—	—	—	—	—	—	—	Yes	—
5.4.x	—	—	—	—	—	—	—	—	—	Yes*

* You must be running at least Version 5.4.0.2/5.4.1.1 to upgrade to Version 6.0.

† You cannot upgrade a Firepower 4100/9300 series device from Version 6.1 directly to Version 6.4. We recommend you use Version 6.2.3 as an intermediate version.

Can I Maintain FMC-Device Version Compatibility?

Before you upgrade the Firepower Management Center, make sure the upgraded FMC will be able to manage its current devices. If it will not be able to, upgrade the devices first. You cannot upgrade a device past the FMC's own major version.

Note that you can patch a device without patching the FMC, and vice versa. However, we strongly recommend you upgrade both. This allows you to take advantage of new features and bug fixes.

This table lists major FMC versions, and the major versions of devices they can manage. Find your current major version in the first column, then read across to determine which devices you can manage.

Table 2. FMC-Device Version Compatibility
FMC Version	Device Version
FMC Version	6.5.0	6.4.0	6.3.0	6.2.3	6.2.2	6.2.1	6.2.0	6.1.0	6.0.1	6.0.0	5.4.1	5.4.0
6.5.0	Yes	Yes	Yes	Yes	—	—	—	—	—	—	—	—
6.4.0	—	Yes	Yes	Yes	Yes	Yes	Yes	Yes	—	—	—	—
6.3.0	—	—	Yes	Yes	Yes	Yes	Yes	Yes	—	—	—	—
6.2.3	—	—	—	Yes	Yes	Yes	Yes	Yes	—	—	—	—
6.2.2	—	—	—	—	Yes	Yes	Yes	Yes	—	—	—	—
6.2.1	—	—	—	—	—	Yes	Yes	Yes	—	—	—	—
6.2.0	—	—	—	—	—	—	Yes	Yes	—	—	—	—
6.1.0	—	—	—	—	—	—	—	Yes	Yes	Yes	Yes*	Yes*
6.0.1	—	—	—	—	—	—	—	—	Yes	Yes	Yes*	Yes*
6.0.0	—	—	—	—	—	—	—	—	—	Yes	Yes*	Yes*
5.4.1	—	—	—	—	—	—	—	—	—	—	Yes	Yes
5.4.0	—	—	—	—	—	—	—	—	—	—	—	Yes

* A device must be running at least Version 5.4.0.2/5.4.1.1 to be managed by a Version 6.0, 6.0.1, or 6.1 FMC.

Where Do I Begin?

If you are not sure how to start planning your upgrade path, refer to your deployment assessment and find your platforms in this table.

Table 3. Beginning a Firepower Upgrade Based on Current Major Version
FMC	Devices	First Upgrade	Details
6.4	6.2.3 through 6.4	FMC → 6.5	A Version 6.5 FMC can manage devices back to Version 6.2.3.
6.4	6.1 through 6.2.2	Devices → 6.2 or 6.2.2 or 6.2.3 or 6.3 or 6.4	Upgrade devices to Version 6.2.3+ if you plan to upgrade the FMC to Version 6.5.
6.3	6.2.3 through 6.3	FMC → 6.4 or 6.5	These FMCs can manage devices back to Version 6.2.3.
6.3	6.1 through 6.2.2	Devices → 6.2 or 6.2.2 or 6.2.3 or 6.3	Upgrade devices to Version 6.2.3+ if you plan to upgrade the FMC to Version 6.5.
6.2.3	6.2.3	FMC → 6.3 or 6.4 or 6.5	These FMCs can manage devices back to Version 6.2.3.
6.2.3	6.1 through 6.2.2	Devices → 6.2 or 6.2.2 or 6.2.3	Upgrade devices to Version 6.2.3 if you plan to upgrade the FMC to 6.5.
6.2.2	6.1 through 6.2.2	FMC → 6.2.3 or 6.3 or 6.4	These FMCs can manage devices back to Version 6.1.
6.2.1	6.1 through 6.2.1	FMC → 6.2.2 or 6.2.3 or 6.3 or 6.4	These FMCs can manage devices back to Version 6.1.
6.2	6.1 through 6.2	FMC → 6.2.2 or 6.2.3 or 6.4	These FMCs can manage devices back to Version 6.1.
6.1	6.1	FMC → 6.2 or 6.2.3 or 6.3 or 6.4	These FMCs can manage devices back to Version 6.1.
6.1	5.4 through 6.0.1	Devices → 6.1	You must upgrade devices to Version 6.1 if you plan to upgrade the FMC past Version 6.1.
6.0.1	5.4 through 6.0.1	FMC → 6.1	A Version 6.1 FMC can manage devices back to Version 5.4.
6.0	5.4 through 6.0	FMC → 6.0.1	A Version 6.0.1 FMC can manage devices back to Version 5.4.
5.4	5.4	FMC → 6.0	A Version 6.0 FMC can manage Version 5.4 devices.

Major Upgrades vs Patches

Major upgrades are more complex and take more time than patches.

Although we recommend you upgrade your entire deployment, you can patch a device without patching the FMC, and vice versa. Just keep in mind that you cannot fully take advantage of new features and bug fixes until you patch both.

Table 4. Characteristics of Major Upgrades vs Patches
Characteristic	Major Upgrades	Patches
New features and functionality	Include new features and functionality, and may entail large-scale changes to the product.	Contains a limited range of fixes. Minor feature and functionality updates only — often none at all.
Upgrade Requirements	You can always upgrade to the next major version. You do not have to be running the latest patch to upgrade. Often, you can skip major versions when upgrading. For details, refer to the supported upgrade path for your platform.	You can only patch within a major version sequence. For example: Yes: 6.4.0 → 6.4.0.5 No: 6.2.3 → 6.4.0.5
OS upgrades	Likely to have companion operating system upgrades, for devices where you upgrade the OS separately.	Usually do not have companion operating system upgrades, although often you can patch the OS to resolve minor issues.
Freshly Installing	Can be freshly installed/restored. If you are unable to upgrade a Firepower appliance, or are disinclined to follow the required upgrade path, you can freshly install major Firepower releases.	Cannot be freshly installed. Cisco does not provide installation packages for patches. To run a particular patch, install the major version, then apply the patch.
Uninstalling	Cannot be uninstalled. If you need to revert to an earlier version, you must freshly install.	Can be uninstalled. When you uninstall, either you: Return to the previously released patch, regardless of where you upgraded from: Versions 5.4.x to 6.2.2.x. Return to the previously installed patch, that is, the patch you actually upgraded from: Version 6.2.3+.

Identify Preinstallation Packages

For some upgrades on some platforms, we provide a preinstallation package or hotfix that optimizes the upgrade, enables specific upgrade functions, or fixes upgrade issues.

Preinstallation packages and hotfixes are available on the Cisco Support & Download site in the same location as the upgrade and installation packages. Just as with regular upgrade packages, use the System > Updates page on the FMC to run a preinstall or hotfix. We recommend you do this just before you upgrade.

Table 5. Firepower Preinstallation Packages
Target Version	Platforms	Severity	Details
6.3+	FMC: MC1000, 2500, 4500	Required from 6.2.0 through 6.2.3.7.	Updates RAID controller firmware. See: FMC 1000/2500/4500 May Require Pre-Upgrade Hotfix
6.1	FMC & FMCv All devices	Optional	Allows readiness checks for the Version 6.1 upgrade. After Version 6.1, the readiness check is included with upgrade packages. See: Firepower System Release Notes Version 6.1.0 Preinstallation Package
6.1	FTD devices in HA pairs	Optional	Allows hitless upgrades of FTD HA pairs. Without the preinstall, you must break high availability before you upgrade to Version 6.1. See: Firepower System Release Notes Version 6.1.0 Preinstallation Package
6.0.1	FMC & FMCv	Required	Optimizes the upgrade. See: Firepower System Release Notes Version 6.0.1 Preinstallation
6.0	FMC & FMCv All devices	Required from: 5.4.0.2 through 5.4.0.6 5.4.1.1 through 5.4.1.5 Recommended from: 5.4.0.7+ 5.4.1.6+	Optimizes the upgrade. Allows you to upgrade appliances in STIG mode. See: FireSIGHT System Release Notes Version 6.0.0 Preinstallation

Identify When to Add New Devices

If your upgrade path includes adding a new device, when you add it depends on the device type:

Physical device: Determine which Firepower version the device is currently running. Add the device as soon as you can, then use the Firepower Management Center to upgrade the new device with the rest of your deployment. Do not upgrade your FMC past the point where it can no longer manage the out-of-the-box device.
Virtual device: Create after you upgrade the FMC to its target version. When you add a new virtual device, you should never have to perform a major upgrade, only patches.

Identify Interruptions in Traffic Flow and Inspection

You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur:

When a device is rebooted.
When you upgrade the operating system or virtual hosting environment on a device.
When you upgrade the Firepower software on a device, or uninstall a patch.
When you deploy configuration changes as part of the upgrade or uninstall process (Snort process restarts).

Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive, IPS, firewall, and so on) determine the nature of the interruptions. We strongly recommend performing any upgrade or uninstall in a maintenance window or at a time when any interruption will have the least impact on your deployment.

For more information, see Traffic Flow, Inspection, and Device Behavior.

Identify Other Major Tasks

Many steps in the upgrade process can take a significant amount of time. You should explicitly include these steps in your plan. These can include, but are not limited to:

Backups—Back Up Configurations and Event Data
Downloads and pushes—Obtain and Push Upgrade Packages
Readiness checks—Run Readiness Checks
Pre- and post-upgrade configuration changes—Plan Configuration Changes

Book Title

Chapter Title

Results

Chapter: Plan Your Upgrade Path

Plan Your Upgrade Path

About Upgrade Paths: Can I Upgrade?

Answer 'Yes' to Two Important Questions

Is Direct Upgrade Possible?

Can I Maintain FMC-Device Version Compatibility?

Where Do I Begin?

Major Upgrades vs Patches

Identify Preinstallation Packages

Identify When to Add New Devices

Identify Interruptions in Traffic Flow and Inspection

Identify Other Major Tasks

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions

Cisco Firepower Management Center Upgrade Guide

Results

Chapter: Plan Your Upgrade Path

Plan Your Upgrade Path

About Upgrade Paths: Can I Upgrade?

Answer 'Yes' to Two Important Questions

Is Direct Upgrade Possible?

Can I Maintain FMC-Device Version Compatibility?

Where Do I Begin?

Major Upgrades vs Patches

Identify Preinstallation Packages

Identify When to Add New Devices

Identify Interruptions in Traffic Flow and Inspection

Identify Other Major Tasks

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions

Share