Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Firepower Management Center Upgrade Guide

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Firepower Management Center Upgrade Guide

Chapter Title

Plan Your Upgrade Path

Results

Updated:
November 10, 2020

Chapter: Plan Your Upgrade Path

Plan Your Upgrade Path

Use these guidelines to help you build your upgrade path.

About Upgrade Paths: Can I Upgrade?

Your upgrade path is a detailed plan for what you will upgrade and when. In general, you upgrade the Firepower Management Center, then its managed devices. However, in some cases you may need to upgrade devices first. If you have assessed your deployment—that is, you know what you have and what you want—you are ready to build your upgrade path.


Tip

Upgrade paths that require intermediate versions can be time consuming. Especially in larger deployments where you must alternate FMC and device upgrades, consider reimaging older devices instead of upgrading. First, remove the devices from the FMC. Then, upgrade the FMC, reimage the devices, and re-add them to the FMC.

Answer 'Yes' to Two Important Questions

You must answer 'yes' to both of these questions, every time you upgrade either an FMC or a device:

If the answer to either question is 'no,' your upgrade path is invalid.

Is Direct Upgrade Possible?

You can often upgrade from several versions back. However, if you are far "behind," you may require intermediate upgrades or strategic reimaging. These tables summarize upgrade capabilites for Firepower Management Centers and their managed devices. For more detailed upgrade paths for each appliance type, see the upgrade chapters: Upgrade Firepower Appliances.


Note

Patches change the fourth digit only. For example, you must be running Version 6.4.0 to patch to Version 6.4.0.1. You cannot jump directly to a patch level from any earlier major or maintenance release.

Direct Upgrades from Version 6.2.3 through 6.6.0

This table summarizes valid upgrade targets if you are currently running Version 6.2.3 or later.

Table 1. Direct Upgrades from Version 6.2.3 through 6.6.0

Current Version

Target Version: Direct Upgrade Supported

to 6.7.0/6.7.x

6.6.0/6.6.x

6.5.0

6.4.0

6.3.0

from 6.6.0/6.6.x

YES

6.5.0

YES

YES

6.4.0

YES

YES

YES

6.3.0

YES

YES

YES

YES

6.2.3

YES

YES

YES

YES

Direct Upgrades from Version 5.4 through 6.2.2

This table summarizes valid upgrade targets if you are currently running Version 5.4 through 6.2.2.

Table 2. Direct Upgrades from Version 5.4 through 6.2.2

Current Version

Target Version: Direct Upgrade Supported

to 6.4.0

6.3.0

6.2.3

6.2.2

6.2.1

6.2.0

6.1.0

6.0.1

6.0.0

from 6.2.2

YES

YES

YES

6.2.1

YES

YES

YES

YES

6.2.0

YES

YES

YES

YES

6.1.0

YES

YES

YES

YES

6.0.1

YES

6.0.0

YES

5.4.x

YES *

Direct Upgrades by Minimum Version to Upgrade

To put it another way, to directly upgrade to the target version in the left column, you must be running at least the version in the right column.

Table 3. Direct Upgrades by Minimum Version to Upgrade

Target Version

Minimum Current Version for Direct Upgrade

6.7.0 or any 6.7.x maintenance release

6.3.0

6.6.0 or any 6.6.x maintenance release

6.2.3

6.5.0

6.2.3

6.4.0

6.1.0 †

6.3.0

6.1.0 †

6.2.3

6.1.0

6.2.2

6.2.0

6.2.1

Upgrades to Version 6.2.1 are not supported.

6.2.0

6.1.0

6.1.0

 6.0.1

6.0.1

 6.0.0

6.0.0

 5.4.0.2 or 5.4.1.1

* You must be running at least Version 5.4.0.2/5.4.1.1 to upgrade to Version 6.0.

† Due to operating system incompatibilies, you cannot upgrade directly from Version 6.1 → 6.4 on a Firepower 4100/9300 series device. For similar reasons, we recommend that you not upgrade from Version 6.1 → 6.3. If you are running Version 6.1, we recommend upgrading to Version 6.2.3 on FXOS 2.3.1, and proceeding from there.

Can I Maintain FMC-Device Version Compatibility?

A Firepower Management Center must run the same or newer version as its managed devices. This means:

  • You can manage older devices with a newer FMC, usually a few major versions back.

    For example, a Version 6.7.0 FMC can manage a Version 6.3.0 device.

  • You cannot upgrade a device past the FMC.

    Before you upgrade an FMC, make sure the upgraded FMC will be able to manage its current devices. For example, a Version 6.7.1 FMC could manage a Version 6.7.0 device, but not a Version 6.7.2 device.

Below, we list FMC versions and the devices they can manage. Find your current version in the first column, then read across to determine which devices you can manage. Remember, within a major version, the FMC must be running the same or newer maintenance (third-digit) release as its managed devices.

Table 4. FMC Management Capability: Versions 6.2.3+

FMC Version

Can Manage: Device Version

6.7.x

6.6.x

6.5.0

6.4.0

6.3.0

6.2.3

6.2.2

6.2.1

6.2.0

6.1.0

6.7.x

YES

YES

YES

YES

YES

6.6.x

YES

YES

YES

YES

YES

6.5.0

YES

YES

YES

YES

6.4.0

YES

YES

YES

YES

YES

YES

YES

6.3.0

YES

YES

YES

YES

YES

YES

6.2.3

YES

YES

YES

YES

YES
Table 5. FMC Management Capability: Version 5.4.0 through 6.2.2

FMC Version

Can Manage: Device Version

6.2.2

6.2.1

6.2.0

6.1.0

6.0.1

6.0.0

5.4.1

5.4.0

6.2.2

YES

YES

YES

YES

6.2.1

YES

YES

 YES

6.2.0

YES

YES

6.1.0

YES

YES

YES

YES *

YES *

6.0.1

YES

YES

YES *

YES *

6.0.0

YES

YES *

YES *

5.4.1

YES

YES

5.4.0

YES

* A device must be running at least Version 5.4.0.2/5.4.1.1 to be managed by a Version 6.0, 6.0.1, or 6.1 FMC.

Note that technically you can manage a patched device (fourth-digit release) with an unpatched FMC. However, we strongly recommend against it. You should always update your entire deployment. New features and resolved issues often require the latest release on both the FMC and its managed devices.

Where Do I Begin?

In most cases, you will upgrade the FMC first. You should upgrade as far as possible while still being able to maintain FMC-device compatibility. However, if the devices are too old, your first step is to upgrade the devices to the same major version as the FMC.

If you still do not know where to begin, refer to your deployment assessment and find your current FMC-device version combination below. These recommendations take into account direct upgrade capability as well as FMC-device compatibility.

This table assumes you want to upgrade to the latest major/maintenance release, which is currently Version 6.7.0/6.7.x.

Table 6. Beginning a Firepower Upgrade to Version 6.7.x

Your Current Deployment

Recommended First Step

FMC

Devices

Upgrade

To

6.7.x

6.3.0 through 6.7.x

 FMC

Any later 6.7.x maintenance release.

6.6.x

6.3.0 through 6.6.x

FMC

6.7.x

6.2.3

Devices

6.6.x

6.5.0

6.3.0 through 6.5.0

FMC

6.7.x

6.2.3

Devices

6.5.0

6.4.0

6.3.0 through 6.4.0

FMC

6.7.x

6.1.0 through 6.2.3

Devices

6.4.0

6.3.0

6.3.0

FMC

6.7.x

6.1.0 through 6.2.3

Devices

6.3.0

6.2.3

6.2.3

FMC

6.6.x

6.1.0 through 6.2.2

Devices

6.2.3

6.2.2

6.1.0 through 6.2.2

FMC

6.4.0

6.2.1

6.1.0 through 6.2.1

FMC

6.4.0

6.2.0

6.1.0 through 6.2.0

FMC

6.4.0

6.1.0

6.1.0

FMC

6.4.0

5.4.0 through 6.0.1

 Devices

6.1.0

6.0.1

5.4.0 through 6.0.1

FMC

6.1.0

6.0.0

5.4.0 through 6.0.0

FMC

6.0.1

5.4.x

5.4.x

FMC

6.0.0

Release Types

We provide three levels of release: major, maintenance, and patch.


Note

Maintenance releases were introducted with Version 6.6.x. Versions 6.0.1, 6.2.1, 6.2.2, and 6.2.3 are considered major releases even though they are third-digit changes.

For more information, see the Cisco NGFW Product Line Software Release and Sustaining Bulletin.

Major Releases

Major releases contain new features, functionality, and enhancements. They may include infrastructure or architectural changes.

Table 7. Major Releases

Characteristic

Details

Numbering scheme

Changes the first or second digit:

  • 5.0, 6.0, 7.0 ...

  • 5.3, 5.4 ...

  • 6.1, 6.2 ...

Upgrade path

You can upgrade major releases from several versions back. If you are far "behind," you may require intermediate upgrades.

For example:

  • 6.1 → 6.7 is not supported.

  • 6.3 → 6.7 is supported.

For details, refer to the supported upgrade path for your platform.

Note 

Before Version 6.1, you always had to go one at a time: 5.4 → 6.0 → 6.0.1 → 6.1.

Operating system upgrades

For the Firepower 4100/9300 chassis, FXOS upgrades are required.

For ASA FirePOWER, resolving issues may require an ASA upgrade.

FMC direct download

No.

Direct download is not supported for major upgrades. You must download from the Cisco Support & Download site.

Fresh installs (reimaging)

 Yes.

You can reimage to a major release.

Uninstalling

No.

You cannot uninstall a major release. If you want to return to an earlier version, you must reimage. This is one reason why we strongly recommend you back up before upgrade.

Maintenance Releases

Maintenance release contain general bug and security related fixes. Behavior changes are rare, and are related to those fixes.

Table 8. Maintenance Releases

Characteristic

Details

Numbering scheme

Changes the third digit:

  • 6.6.1, 6.6.2 ...

  • 6.7.1, 6.7.2 ...

Upgrade path

You can upgrade to maintenance releases from several versions back. If you are far "behind," you may require intermediate upgrades.

For example:

  • 6.1 → 6.6.1 is not supported.

  • 6.2.3 → 6.6.1 is supported.

For details, refer to the supported upgrade path for your platform.

Note 

Before Version 6.1, you always had to go one at a time: 5.4 → 6.0 → 6.0.1 → 6.1.

Operating system upgrades

Resolving issues may require that you patch the operating system.

FMC direct download

Yes, after a delay.

The FMC can directly download a maintenance release about two weeks after it is available for manual download.

Fresh installs (reimaging)

 Yes.

You can reimage to a maintenance release.

Uninstalling

No.

You cannot uninstall a maintenance release. If you want to return to an earlier version, you must reimage. This is one reason why we strongly recommend you back up before upgrade.

Patches

Patches are on-demand updates limited to critical fixes with time urgency.


Note

Before Version 6.6, most patches were not as specifically targeted.
Table 9. Patches

Characteristic

Details

Numbering scheme

Changes the fourth digit:

  • 6.6.0.1, 6.6.0.2 ...

  • 6.6.1.1, 6.6.1.2 ...

Upgrade path

Patches can change the fourth digit only.

For example:

  • 6.4.0 → 6.4.0.10 is supported.

    Patches are cumulative. You can always install the latest patch to a major release or maintenance releases.

  • 6.4.0 → 6.5.0.4 is not supported.

    In this case, you must upgrade to 6.5.0 before you can patch.

Operating system upgrades

Resolving issues may require that you patch the operating system.

FMC direct download

Version dependent:

  • 6.6.0 and later, no.

    Special exceptions may be made.

  • 6.5.0 and earlier, yes.

    However, after mid-2020, we have implemented the same two-week delay as maintenance releases have.

Fresh installs (reimaging)

No.

You cannot reimage directly to a patch level.

Uninstalling

Yes.

When you uninstall patches from:

  • 6.2.3 and later, you return to the patch level you upgraded from.

  • 6.2.2 and earlier, you return to the previously released patch, regardless of where started.

Identify Preinstallation Packages (Versions 6.0, 6.0.1, 6.1)

For some upgrades on some platforms, we provide a preinstallation package or hotfix that optimizes the upgrade, enables specific upgrade functions, or fixes upgrade issues.

Preinstallation packages and hotfixes are available on the Cisco Support & Download site in the same location as the upgrade and installation packages. Just as with regular upgrade packages, use the System > Updates page on the FMC to run a preinstall or hotfix. We recommend you do this just before you upgrade.

Table 10. Firepower Preinstallation Packages

Target Version

Platforms

Severity

Details

6.1.0

FMC & FMCv

All devices

Optional

Allows readiness checks for the Version 6.1.0 upgrade.

After Version 6.1.0, the readiness check is included with upgrade packages.

See: Firepower System Release Notes Version 6.1.0 Preinstallation Package

6.1.0

FTD devices in HA pairs

Optional

Allows hitless upgrades of FTD HA pairs.

Without the preinstall, you must break high availability before you upgrade to Version 6.1.0.

See: Firepower System Release Notes Version 6.1.0 Preinstallation Package

6.0.1

FMC & FMCv

Required

Optimizes the upgrade.

See: Firepower System Release Notes Version 6.0.1 Preinstallation

6.0.0

FMC & FMCv

All devices

Required from:

  • 5.4.0.2 through 5.4.0.6

  • 5.4.1.1 through 5.4.1.5

Recommended from:

  • 5.4.0.7+

  • 5.4.1.6+

Optimizes the upgrade. Allows you to upgrade appliances in STIG mode.

See: FireSIGHT System Release Notes Version 6.0.0 Preinstallation

Identify When to Add New Devices

If your upgrade path includes adding a new device, when you add it depends on the device type:

  • Physical device: Determine which Firepower version the device is currently running. Add the device as soon as you can, then use the Firepower Management Center to upgrade the new device with the rest of your deployment. Do not upgrade your FMC past the point where it can no longer manage the out-of-the-box device.

  • Virtual device: Create after you upgrade the FMC to its target version. When you add a new virtual device, you should never have to perform a major upgrade, only patches.

Identify Interruptions in Traffic Flow and Inspection

You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur:

  • When a device is rebooted.

  • When you upgrade the operating system or virtual hosting environment on a device.

  • When you upgrade the Firepower software on a device, or uninstall a patch.

  • When you deploy configuration changes as part of the upgrade or uninstall process (Snort process restarts).

Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive, IPS, firewall, and so on) determine the nature of the interruptions. We strongly recommend performing any upgrade or uninstall in a maintenance window or at a time when any interruption will have the least impact on your deployment.

For more information, see Traffic Flow, Inspection, and Device Behavior.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us