Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Firepower Management Center Upgrade Guide

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Firepower Management Center Upgrade Guide

Chapter Title

Plan Your Upgrade Path

Results

Updated:
April 24, 2019

Chapter: Plan Your Upgrade Path

Plan Your Upgrade Path

Use these guidelines to help you build your upgrade path.

About Upgrade Paths: Can I Upgrade?

Your upgrade path is a detailed plan for what you will upgrade and when. In general, you upgrade the Firepower Management Center, then its managed devices. However, in some cases you may need to upgrade devices first. If you have assessed your deployment—that is, you know what you have and what you want—you are ready to build your upgrade path.


Tip
Especially in larger deployments where you must alternate FMC and device upgrades, upgrade paths that require intermediate versions can be time consuming. To save time, you can reimage older devices instead of upgrading. First, remove the devices from the FMC. Then, upgrade the FMC, reimage the devices, and re-add them to the FMC.

Answer 'Yes' to Two Important Questions

You must answer 'yes' to both of these questions, every time you upgrade either an FMC or a device:

If the answer to either question is 'no,' your upgrade path is invalid.

Is Direct Upgrade Possible?

If a direct upgrade from your current to your target version is not possible, your upgrade path must include either intermediate versions, or strategic reimaging. To patch Firepower, you must be running the base major version. You cannot upgrade directly to a patch from an previous major version.

For major upgrades, this table summarizes upgrade capabilites for Firepower Management Centers and their managed devices. Find your current major version in the first column, then read across to determine if a direct upgrade is possible to your target version. For upgrade paths for each appliance type see the upgrade chapters: Upgrade Firepower Appliances.

Table 1. Firepower Direct Upgrade Support

Current Version

Target Version: Direct Upgrade Supported

to 6.4

6.3

6.2.3

6.2.2

6.2.1

6.2

6.1

6.0.1

6.0

from 6.3

Yes

6.2.3

Yes

Yes

6.2.2

Yes

Yes

Yes

6.2.1

Yes

Yes

Yes

Yes

6.2

Yes

Yes

Yes

Yes

6.1

Yes†

Yes

Yes

Yes

6.0.1

Yes

6.0

Yes

5.4.x

Yes*

* You must be running at least Version 5.4.0.2/5.4.1.1 to upgrade to Version 6.0.

† You cannot upgrade a Firepower 4100/9300 series device from Version 6.1 directly to Version 6.4. We recommend you use Version 6.2.3 as an intermediate version.

Can I Maintain FMC-Device Version Compatibility?

Before you upgrade the Firepower Management Center, make sure the upgraded FMC will be able to manage its current devices. If it will not be able to, upgrade the devices first. You cannot upgrade a device past the FMC's own major version.

Note that you can patch a device without patching the FMC, and vice versa. However, we strongly recommend you upgrade both. This allows you to take advantage of new features and bug fixes.

This table lists major FMC versions, and the major versions of devices they can manage. Find your current major version in the first column, then read across to determine which devices you can manage.

Table 2. FMC-Device Version Compatibility
FMC Version Device Version
6.4 6.3 6.2.3 6.2.2 6.2.1 6.2.0 6.1 6.0.1 6.0 5.4.1 5.4.0

6.4

Yes

Yes

Yes

Yes

Yes

Yes

Yes

6.3

Yes

Yes

Yes

Yes

Yes

Yes

6.2.3

Yes

Yes

Yes

Yes

Yes

6.2.2

Yes

Yes

Yes

Yes

6.2.1

Yes

Yes

 Yes

6.2.0

Yes

Yes

6.1

Yes

Yes

Yes

Yes*

Yes*

6.0.1

Yes

Yes

Yes*

Yes*

6.0

Yes

Yes*

Yes*

5.4.1

Yes

Yes

5.4.0

Yes

* A device must be running at least Version 5.4.0.2/5.4.1.1 to be managed by a Version 6.0, 6.0.1, or 6.1 FMC.

Where Do I Begin?

If you are not sure how to start planning your upgrade path, refer to your deployment assessment and find your platforms in this table.

Table 3. Beginning a Firepower Upgrade Based on Current Major Version
FMC Devices First Upgrade Details

6.3

6.1 through 6.3

FMC → 6.4

A Version 6.4 FMC can manage devices back to Version 6.1.

6.2.3

6.1 through 6.2.3

FMC → 6.3 or 6.4

These FMCs can manage devices back to Version 6.1.

6.2.2

6.1 through 6.2.2

FMC → 6.2.3 or 6.3 or 6.4

These FMCs can manage devices back to Version 6.1.

6.2.1

6.1 through 6.2.1

FMC → 6.2.2 or 6.2.3 or 6.3 or 6.4

These FMCs can manage devices back to Version 6.1.

6.2

6.1 through 6.2

FMC → 6.2.2 or 6.2.3 or 6.3 or 6.4

These FMCs can manage devices back to Version 6.1.

6.1

6.1

FMC → 6.2 or 6.2.3 or 6.3 or 6.4

These FMCs can manage devices back to Version 6.1.

5.4 through 6.0.1

Devices → 6.1

You must upgrade devices to Version 6.1 if you plan to upgrade the FMC past Version 6.1.

6.0.1

5.4 through 6.0.1

FMC → 6.1

A Version 6.1 FMC can manage devices back to Version 5.4.

6.0

 5.4 through 6.0

FMC → 6.0.1

A Version 6.0.1 FMC can manage devices back to Version 5.4.

5.4

5.4

FMC → 6.0

A 6.0 FMC can manage Version 5.4 devices.

Major Upgrades vs Patches

Major upgrades are more complex and take more time than patches.

Although we recommend you upgrade your entire deployment, you can patch a device without patching the FMC, and vice versa. Just keep in mind that you cannot fully take advantage of new features and bug fixes until you patch both.

Table 4. Characteristics of Major Upgrades vs Patches
Characteristic Major Upgrades Patches

New features and functionality

Include new features and functionality, and may entail large-scale changes to the product.

Contains a limited range of fixes. Minor feature and functionality updates only—often none at all.

Upgrade Requirements

You can always upgrade to the next major version. You do not have to be running the latest patch to upgrade.

Often, you can skip major versions when upgrading. For details, refer to the supported upgrade path for your platform.

You can only patch within a major version sequence. For example:

  • Yes: 6.2.0 → 6.2.0.3

  • No: 6.2.0 → 6.2.3.1

OS upgrades

Likely to have companion operating system upgrades, for devices where you upgrade the OS separately.

Usually do not have companion operating system upgrades, although often you can patch the OS to resolve minor issues.

Freshly Installing

Can be freshly installed/restored.

If you are unable to upgrade a Firepower appliance, or are disinclined to follow the required upgrade path, you can freshly install major Firepower releases.

Cannot be freshly installed.

Cisco does not provide installation packages for patches. To run a particular patch, install the major version, then apply the patch.

Uninstalling

Cannot be uninstalled.

If you need to revert to an earlier version, you must freshly install.

Can be uninstalled.

When you uninstall, either you:

  • Return to the previously released (but not necessarily installed) patch: Versions 5.4.x to 6.2.2.x

  • Returns to the appliance's base major version: Version 6.2.3+

Include Companion Upgrades

For some Firepower appliances, you upgrade the operating system or virtual hosting environment separately from the Firepower software. Major upgrades in particular are likely to have companion operating system upgrades.

You can also upgrade these components without upgrading the Firepower software, and the other way around. For example, an operating system patch may resolve issues unrelated to the Firepower software. Or, you may want to take advantage of new Firepower features without upgrading your hypervisor. Just make sure that the target version of the component you do want to upgrade is compatible with the components you are not upgrading.

FXOS Upgrades: Firepower 4100/9300 Chassis

Major Firepower versions have a companion FXOS version for Firepower 4100/9300 chassis. You must be running that companion version of FXOS on the chassis before you upgrade the Firepower software on the logical devices.

ASA Upgrades: ASA with FirePOWER Services

There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest supported version.

Virtual Hosting Environment Upgrades

Virtual Firepower appliances run in a variety of hosting environments. The Firepower software must remain compatible with its hosting environment. Your upgrade path depends on compatibility:

  • Upgrade hosting environment first: For example, if you are running NGIPSv Version 5.4.x on VMware ESXi 5.0, you must upgrade VMware ESXi to Version 5.1 or Version 5.5 before you upgrade NGIPSv to Firepower 6.0.

  • Upgrade Firepower software first: For example, if you are running FTDv Version 6.1.x on VMware ESXi 6.0, upgrade the Firepower software to Version 6.2.3 before you upgrade VMware ESXi to Version 6.5.

Identify Preinstallation Packages

For some upgrades on some platforms, we provide a preinstallation package or hotfix that optimizes the upgrade, enables specific upgrade functions, or fixes upgrade issues.

Preinstallation packages and hotfixes are available on the Cisco Support & Download site in the same location as the upgrade and installation packages. Just as with regular upgrade packages, use the System > Updates page on the FMC to run a preinstall or hotfix. We recommend you do this just before you upgrade.

Table 5. Firepower Preinstallation Packages
Target Version Platforms Severity Details

6.3+

FMC: MC1000, 2500, 4500

Required

Updates RAID controller firmware.

See: Preinstallation Hotfix for MC1000, 2500, and 4500 (Required)

6.1

FMC & FMCv

All devices

Optional

Allows readiness checks for the Version 6.1 upgrade.

After Version 6.1, the readiness check is included with upgrade packages.

See: Firepower System Release Notes Version 6.1.0 Preinstallation Package

FTD devices in HA pairs

Optional

Allows hitless upgrades of FTD HA pairs.

Without the preinstall, you must break high availability before you upgrade to Version 6.1.

See: Firepower System Release Notes Version 6.1.0 Preinstallation Package

6.0.1

FMC & FMCv

Required

Optimizes the upgrade.

See: Firepower System Release Notes Version 6.0.1 Preinstallation

6.0

FMC & FMCv

All devices

Required from:

  • 5.4.0.2 through 5.4.0.6

  • 5.4.1.1 through 5.4.1.5

Recommended from:

  • 5.4.0.7+

  • 5.4.1.6+

Optimizes the upgrade. Allows you to upgrade appliances in STIG mode.

See: FireSIGHT System Release Notes Version 6.0.0 Preinstallation

Identify When to Add New Devices

If your upgrade path includes adding a new device, when you add it depends on the device type:

  • Physical device: Determine which Firepower version the device is currently running. Add the device as soon as you can, then use the Firepower Management Center to upgrade the new device with the rest of your deployment. Do not upgrade your FMC past the point where it can no longer manage the out-of-the-box device.

  • Virtual device: Create after you upgrade the FMC to its target version. When you add a new virtual device, you should never have to perform a major upgrade, only patches.

Identify Interruptions in Traffic Flow and Inspection

You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur:

  • When a device is rebooted.

  • When you upgrade the operating system or virtual hosting environment on a device.

  • When you upgrade the Firepower software on a device, or uninstall a patch.

  • When you deploy configuration changes as part of the upgrade or uninstall process (Snort process restarts).

Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive, IPS, firewall, and so on) determine the nature of the interruptions. We strongly recommend performing any upgrade or uninstall in a maintenance window or at a time when any interruption will have the least impact on your deployment.

For more information, see Traffic Flow, Inspection, and Device Behavior.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us