Troubleshooting and Reference

Troubleshooting Upgrade Packages

Table 1. Troubleshooting Upgrade Packages

Issue

Solution

No available upgrades even after I refresh.

Direct-downloading upgrade packages to the Firewall Management Center requires internet access. You will also see a blank list if you are already running the latest version available for your deployment and you have no upgrade packages loaded/configured.

Suggested release is not marked.

The suggested release is listed only if you are eligible for it. It is not listed if you are already running the suggested release or higher, or if you cannot upgrade that far. Note that patches to suggested releases are not marked as suggested, although we do recommend you apply them.

I don't see the packages I want.

Only major, maintenance, and patch upgrades that apply to your deployment right now are listed and available for direct download. Unless you manually upload, the following are not listed:

  • Device upgrades (major and maintenance) to a particular version, unless the Firewall Management Center is running that version or higher, and you have a device that supports that version.

  • Device patches, unless you have at least one device at the appropriate maintenance release. This also applies to Firewall Management Center patches.

  • Hotfixes. You must manually upload these.

I see available, undownloaded packages that don't apply to my devices.

The system lists the downloadable upgrades that apply to all devices managed by this Firewall Management Center. In a multidomain deployment, this can include devices that you cannot access right now.

I downloaded a Firewall Management Center upgrade package from the internet, but the download to its high availability peer failed.

If the peer Firewall Management Center does not have internet access or the download fails for any other reason, you can:

  • Start the upgrade anyway. The upgrade wizard has options to retry the download, or sync the file between the peers.

  • Log into the peer and manually upload the upgrade package.

I uploaded a Firewall Management Center upgrade package, but the sync to its high availability peer failed.

If the upgrade package sync fails for any reason, you can:

  • Start the upgrade anyway. The upgrade wizard has options to attempt a download from the internet, or retry the sync.

  • Log into the peer and manually upload the upgrade package.

Copying upgrade packages from the Firewall Management Center to devices times out.

This often happens when there is limited bandwidth between the Firewall Management Center and its devices.

You can try one of:

  • Configure devices to get upgrade packages directly from an internal web server.

    To do this, delete the upgrade package from the Firewall Management Center (optional but saves disk space), then re-add the upgrade package except this time specify a pointer (URL) to its location instead. See Copying Upgrade Packages to Devices from an Internal Server.

  • Allow devices to download the upgrade package from the internet.

    Devices with internet access automatically try that first, and only fall back on the Firewall Management Center if internet download fails. See Internet Access Requirements.

Troubleshooting Threat Defense Upgrade

Table 2. Troubleshooting Threat Defense Upgrade

Issue

Solution

Upgrade button missing for my target version.

Either:

Devices not listed in the upgrade wizard.

If you accessed the wizard directly from Devices > Upgrade > Threat Defense Upgrade and therefore did not select a target version, the workflow may be blank. To begin, choose a target version from the Upgrade to menu. The system should display the devices that can be upgraded to that version.

Target version not listed in the Upgrade to menu.

The choices in the Upgrade to menu correspond to the device upgrade packages on the Firewall Management Center, plus any on the support site that apply to you. If you don't see the one you want, either:

  • The menu lists multiple versions but not the one you are looking for. You may not have any eligible devices. Or, the package may require manual upload (such as hotfixes).

  • The menu is blank/only lists versions corresponding to already uploaded packages. The Firewall Management Center does not have internet access. You must manually upload the package you want.

To upload an upgrade package, click Manage Upgrade Packages; see Managing Upgrade Packages with the Firewall Management Center.

Devices not listed in the upgrade wizard even though a target version is selected.

You have no devices that can be upgraded to that version. If you still think you should see devices here, your user role could be prohibiting you from managing (and therefore upgrading) devices. In a multidomain deployment, you could be logged into the wrong domain.

Devices locked to someone else's upgrade workflow.

If you need to reset someone else's workflow, you must have Administrator access. You can either:

  • Delete or deactivate the user.

  • Update the user's role so they no longer have permission to use System (system gear icon) > Product Upgrades.

High availability Firewall Management Center failed over while setting up upgrade.

Neither your workflow nor threat defense upgrade packages are synchronized between high availability Firewall Management Centers.

In case of failover, you must recreate your workflow on the new active Firewall Management Center, which includes downloading upgrade packages and copying them to devices. (Upgrade packages already copied to devices are not removed, but the Firewall Management Center still must have the package or a pointer to its location.)

Pruning daemon errors in the Message Center.

This most commonly happens for devices running Version 7.6.x or earlier when you do not start the upgrade within 10 minutes after the readiness check completes. Regardless, you can safely ignore these messages and proceed with the upgrade.

The full error is: Process Status - device_name. The pruning daemon exited n time(s).

Unresponsive and Failed Firewall Management Center Upgrades


Caution


Do not make or deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot, shut down, or restart an upgrade in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

In high availability deployments, do not make or deploy configuration changes while the pair is split-brain, even if you are not actively upgrading. Your changes will be lost after synchronization restarts; deploying could place the system in an unusable state and require a reimage.


Unresponsive and Failed Firewall Threat Defense Upgrades

The following table has troubleshooting information for unresponsive and failed Firewall Threat Defense upgrades. For issues with chassis upgrades, contact Cisco TAC.


Caution


Do not reboot or shut down at any point during upgrade, even if the system appears inactive. You could place the system in an unusable state and require a reimage.


Table 3. Unresponsive and Failed Firewall Threat Defense Upgrades

Issue

Solution

Cannot reach the device.

Devices can stop passing traffic during the upgrade or if the upgrade fails. Before you upgrade, make sure traffic from your location does not have to traverse the device itself to access the device's management interface.

You should also be able to access the Firewall Management Center's management interface without traversing the device.

Upgrade or patch appears hung/device appears inactive.

If device upgrade status has stopped updating on the Firewall Management Center but there is no report of upgrade failure, you can try canceling the upgrade; see below. If you cannot cancel or canceling does not work, contact Cisco TAC.

Tip: You can monitor upgrade logs on the device itself using expert mode and tail or tailf: tail /ngfw/var/log/sf/update.status.

Upgrade failed.

If an upgrade fails and:

  • The device reverted to its pre-upgrade state (auto-cancel is enabled), correct any issues and try again from the beginning.

  • The device is still in maintenance mode, correct any issues and resume the upgrade. Or, cancel and try again later.

If you cannot retry or cancel, or if you continue to have issues, contact Cisco TAC.

Patch failed.

You cannot cancel in-progress or failed patches. However, if a patch fails early, for example, during validation stages, the device may remain up and running normally. Simply correct any issues and try again.

If a patch fails after the device has entered maintenance mode, check for an uninstaller. If one exists, you can try running it to remove the failed patch; see Uninstall a Firewall Threat Defense Patch. After the uninstall finishes, you can correct any issues and try again.

If there is no uninstaller, if the uninstall fails, or if you continue to have issues, contact Cisco TAC.

Upgrade on a clustered device failed, and I want to reimage instead of retrying the upgrade.

If a cluster node upgrade fails and you choose to reimage the node, reimage it to the current version of the control node before you add it back to the cluster. Depending on when and how the upgrade failed, the current version of the control node can be the old version or the target version.

We do not support mixed-version clusters except temporarily during upgrade. Deliberately creating a mixed-version cluster can cause outages.

Tip

Remove the failed node from the cluster and reimage it to the target version. Upgrade the rest of the cluster to the target version, then add your reimaged node.

I want to cancel an upgrade.

Canceling reverts the device to its pre-upgrade state. You can cancel failed and in-progress upgrades on the upgrade status pop-up, accessible from the Upgrade tab on the Device Management page. You cannot cancel patches.

If you cannot cancel or canceling does not work, contact Cisco TAC.

I want to retry (resume) a failed upgrade.

You can resume an upgrade on the upgrade status pop-up, accessible from the Upgrade tab on the Device Management page.

If you continue to have issues, contact Cisco TAC.

I want to change what happens when upgrade fails.

Part of the upgrade process is choosing what happens if it fails. This is done with the Automatically cancel on upgrade failure... (auto-cancel) option:

  • Auto-cancel enabled (default): If upgrade fails, the upgrade cancels and the device automatically reverts to its pre-upgrade state. This returns you to normal operations as quickly as possible while you regroup and try again.

  • Auto-cancel disabled: If upgrade fails, the device remains as it is. This allows you to correct any issues and resume the upgrade.

For high availability and clustered devices, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.

Traffic Flow and Inspection

Schedule maintenance windows when upgrade will have the least impact, considering any effect on traffic flow and inspection.

Traffic Flow and Inspection for Firewall Threat Defense Upgrades

Software Upgrades for Standalone Devices

Devices operate in maintenance mode while they upgrade. Entering maintenance mode at the beginning of the upgrade causes a 2-3 second interruption in traffic inspection. Interface configurations determine how a standalone device handles traffic both then and during the upgrade.

Table 4. Traffic Flow and Inspection: Software Upgrades for Standalone Devices

Interface Configuration

Traffic Behavior

Firewall interfaces

Routed or switched, including EtherChannel, redundant, and subinterfaces.

Switched interfaces are also known as bridge group or transparent interfaces.

Dropped.

For bridge group interfaces on the ISA 3000 only, you can use a FlexConfig policy to configure hardware bypass for power failure. This causes traffic to drop during software upgrades but pass without inspection while the device completes its post-upgrade reboot.

IPS-only interfaces

Inline set, hardware bypass force-enabled: Bypass: Force

Passed without inspection until you either disable hardware bypass, or set it back to standby mode.

Inline set, hardware bypass standby mode: Bypass: Standby

Dropped during the upgrade, while the device is in maintenance mode. Then, passed without inspection while the device completes its post-upgrade reboot.

Inline set, hardware bypass disabled: Bypass: Disabled

Dropped.

Inline set, no hardware bypass module.

Dropped.

Inline set, tap mode.

Egress packet immediately, copy not inspected.

Passive, ERSPAN passive.

Uninterrupted, not inspected.

Software Upgrades for High Availability and Clustered Devices

You should not experience interruptions in traffic flow or inspection while upgrading high availability or clustered devices. For high availability pairs, the standby device upgrades first. The devices switch roles, then the new standby upgrades.

For clusters, the data security module or modules upgrade first, then the control module. During the control security module upgrade, although traffic inspection and handling continues normally, the system stops logging events. Events for traffic processed during the logging downtime appear with out-of-sync timestamps after the upgrade is completed. However, if the logging downtime is significant, the system may prune the oldest events before they can be logged.

Note that hitless upgrades are not supported for single-unit clusters. Interruptions to traffic flow and inspection depend on interface configurations of the active unit, just as with standalone devices.

Software Revert (Major/Maintenance Releases)

You should expect interruptions to traffic flow and inspection during revert, even in a high availability/scalability deployment. This is because revert is more successful when all units are reverted simultaneously. Simultaneous revert means that interruptions to traffic flow and inspection depend on interface configurations only, as if every device were standalone.

Software Uninstall (Patches)

For standalone devices, interruptions to traffic flow and inspection during patch uninstall are the same as for upgrade. In high availability/scalability deployments, you must explicitly plan an uninstall order that minimizes disruption. This is because you uninstall patches from devices individually, even those that you upgraded as a unit.

Traffic Flow and Inspection for Chassis Upgrades

Upgrading FXOS reboots the chassis. For FXOS upgrades to Version 2.14.1+ that include firmware upgrades, the chassis reboots twice—once for FXOS and once for the firmware. This includes Version 7.4.1+ chassis upgrades for the Secure Firewall 3100/4200 in multi-instance mode.

Even in high availability or clustered deployments, you upgrade FXOS on each chassis independently. To minimize disruption, upgrade one chassis at a time; see Upgrade Order.

Table 5. Traffic Flow and Inspection: FXOS Upgrades

Firewall Threat Defense Deployment

Traffic Behavior

Method

Standalone

Dropped.

—

High availability

Unaffected.

Best Practice: Update FXOS on the standby, switch active peers, upgrade the new standby.

Dropped until one peer is online.

Upgrade FXOS on the active peer before the standby is finished upgrading.

Inter-chassis cluster

Unaffected.

Best Practice: Upgrade one chassis at a time so at least one module is always online.

Dropped until at least one module is online.

Upgrade chassis at the same time, so all modules are down at some point.

Intra-chassis cluster (Firepower 9300 only)

Passed without inspection.

Hardware bypass enabled: Bypass: Standby or Bypass: Force.

Dropped until at least one module is online.

Hardware bypass disabled: Bypass: Disabled.

Dropped until at least one module is online.

No hardware bypass module.

Traffic Flow and Inspection when Deploying Configurations

Snort typically restarts during the first deployment immediately after upgrade. This means that for Firewall Management Center upgrades, Snort could restart on all managed devices. Snort does not restart after subsequent deployments unless, before deploying, you modify specific policy or device configurations.

Restarting the Snort process briefly interrupts traffic flow and inspection on all devices, including those configured for high availability/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption. When you deploy without restarting Snort, resource demands may result in a small number of packets dropping without inspection.

Table 6. Traffic Flow and Inspection: Deploying Configuration Changes

Interface Configuration

Traffic Behavior

Firewall interfaces

Routed or switched, including EtherChannel, redundant, and subinterfaces.

Switched interfaces are also known as bridge group or transparent interfaces.

Dropped.

IPS-only interfaces

Inline set, Failsafe enabled or disabled.

Passed without inspection.

A few packets might drop if Failsafe is disabled and Snort is busy but not down.

Inline set, Snort Fail Open: Down: disabled.

Dropped.

Inline set, Snort Fail Open: Down: enabled.

Passed without inspection.

Inline set, tap mode.

Egress packet immediately, copy not inspected.

Passive, ERSPAN passive.

Uninterrupted, not inspected.

Time and Disk Space

Time to Upgrade

We recommend you track and record your own upgrade times so you can use them as future benchmarks. The following table lists some things that can affect upgrade time.


Caution


Do not make or deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot or shut down. In most cases, do not restart an upgrade in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, see Unresponsive and Failed Firewall Threat Defense Upgrades.


Table 7. Upgrade Time Considerations

Consideration

Details

Versions

Upgrade time usually increases if your upgrade skips versions.

Models

Upgrade time usually increases with lower-end models.

Virtual appliances

Upgrade time in virtual deployments is highly hardware dependent.

High availability and clustering

In a high availability or clustered configuration, devices upgrade one at a time to preserve continuity of operations, with each device operating in maintenance mode while it upgrades. Upgrading a device pair or entire cluster, therefore, takes longer than upgrading a standalone device.

Configurations

Upgrade time can increase with the complexity of your configurations, size of event databases, and whether/how they are affected by the upgrade. For example, if you use a lot of access control rules and the upgrade needs to make a backend change to how those rules are stored, the upgrade can take longer.

Components

You may need additional time to perform operating system or virtual hosting upgrades, upgrade package transfers, readiness checks, VDB and intrusion rule (SRU/LSP) updates, configuration deployment, and other related tasks.

Disk Space to Upgrade

To upgrade, the upgrade package must be on the appliance. For device upgrades where the device does not have access to the internet, you must also have enough space on the Firewall Management Center (in either /Volume or /var) for the device upgrade package. Or, you can use an internal server to store them. Readiness checks should indicate whether you have enough disk space to perform the upgrade. Without enough free disk space, the upgrade fails. For more information, see Configuration and Deployment Checks.
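The readiness check reports whether the appliance has room for the package, but it is useful to know the answer before you start copying packages around. The following POSIX shell preflight is an added example, not Cisco's own tooling: it parses `df -Pk` output for the two locations the paragraph names (/Volume and /var), rounds the package size up to KiB, and reports which mount can hold the package, failing when neither can. The two `df` lines and the 1.5 GB package size are constructed sample values; the `--live` switch, the function names, and the preference for /Volume over /var are this example's own assumptions.

```shell
#!/bin/sh
# Pre-upgrade disk-space preflight for staging a device upgrade package on the
# Firewall Management Center. Added example, not Cisco tooling. Assumes, as the
# page states, that the package can live under either /Volume or /var, and that
# `df -Pk` prints the POSIX columns: filesystem, 1K-blocks, used, available,
# capacity, mount point.

# Print the "Available" column (KiB) from one `df -Pk` data line passed as $1.
df_avail_kb() {
    # Word-splitting of $1 on whitespace is intentional: it yields the columns.
    # shellcheck disable=SC2086
    set -- $1
    printf '%s\n' "$4"
}

# Convert a package size in bytes to KiB, rounding up so we never under-count.
bytes_to_kb_ceil() {
    echo $(( ($1 + 1023) / 1024 ))
}

# Pick the mount that can hold a package of $3 KiB, preferring /Volume.
# $1 = free KiB on /Volume, $2 = free KiB on /var, $3 = package size in KiB.
# Prints the chosen mount point, or "none" with exit status 1 if neither fits
# (the upgrade fails without enough free disk space).
choose_staging_mount() {
    vol_free=$1
    var_free=$2
    need_kb=$3
    if [ "$vol_free" -ge "$need_kb" ]; then
        printf '%s\n' /Volume
    elif [ "$var_free" -ge "$need_kb" ]; then
        printf '%s\n' /var
    else
        printf '%s\n' none
        return 1
    fi
}

# Run the check against the live appliance. Only invoked with --live so the
# constructed demo below still runs on a machine without a /Volume mount.
live_check() {
    need=$(bytes_to_kb_ceil "$1")
    vol=$(df_avail_kb "$(df -Pk /Volume | tail -n 1)")
    var=$(df_avail_kb "$(df -Pk /var | tail -n 1)")
    choose_staging_mount "$vol" "$var" "$need"
}

# Constructed `df -Pk` output lines (not captured from a real appliance):
# /Volume with 10 GiB free, /var with 12 GiB free.
SAMPLE_VOLUME_LINE='/dev/sda6  104857600  94371840  10485760  90% /Volume'
SAMPLE_VAR_LINE='/dev/sda5   20971520   8388608  12582912  40% /var'

# Demo against the constructed lines with a constructed 1.5 GB package.
demo() {
    need=$(bytes_to_kb_ceil 1500000000)
    vol=$(df_avail_kb "$SAMPLE_VOLUME_LINE")
    var=$(df_avail_kb "$SAMPLE_VAR_LINE")
    choose_staging_mount "$vol" "$var" "$need"
}

if [ "${1:-}" = "--live" ]; then
    live_check "${2:?usage: $0 --live <package-size-bytes>}"
else
    demo
fi
```

Run it with no arguments to see the constructed demo choose /Volume; on an appliance, `sh preflight.sh --live <bytes>` (with the package size taken from the file you intend to upload) reports the mount or exits non-zero, which is the signal to free space or move to an internal server before starting the upgrade.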

Internet Access Requirements

The Firewall Management Center can get device and Firewall Management Center upgrade packages from the internet. With a Version 7.6.1+ Firewall Management Center, managed devices can get their own upgrade packages.

By default, the system is configured to connect to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). If you do not want your appliances to have direct access to the internet, you can configure a proxy server.

Download Location

The download location depends on the Firewall Management Center's current version. Note that download capability can further depend on release type (major, maintenance, patch, hotfix) and package type (Firewall Management Center, device).

Table 8. Device Download Location for Software Upgrades

Management Center Current Version

Device Download Location

7.6.1+

https://cdo-ftd-images.s3-us-west-2.amazonaws.com/

Note that the Firewall Management Center must also have access to this resource.

7.6.0 and earlier

Managed devices must get upgrade packages from the Firewall Management Center or an internal server.

Table 9. Firewall Management Center Download Location for Software Upgrades

Management Center Current Version

Management Center Download Location

7.4.1+

https://cdo-ftd-images.s3-us-west-2.amazonaws.com/

7.4.0 and 7.3.x

One of:

  • https://support.sourcefire.com/

    For on-demand or scheduled downloads of applicable new releases. Used when you click the Download Upgrades button on the top right of System (system gear icon) > Updates > Product Updates. This immediately downloads the latest VDB, latest maintenance release, and the latest critical patches for your deployment. Also used by the task scheduler.

  • http://cdo-ftd-images.s3-us-west-2.amazonaws.com/

    For on-demand downloads of specific Firewall Threat Defense upgrade packages. Used when you choose packages to download, then click the Download Major Upgrades button on the Download Updates sub-tab of System (system gear icon) > Updates > Product Updates.

7.2.6 to 7.2.x

https://cdo-ftd-images.s3-us-west-2.amazonaws.com/

7.2.5 and earlier

https://support.sourcefire.com/

High Availability/Clustering Considerations

If not all appliances in your deployment have internet access, use the following table to determine what to do.

Table 10. High Availability/Clustering Considerations for Downloading Software Upgrades

Package Type

Management Center Current Version

Considerations

Firewall Management Center upgrade

7.6.0+

Downloading the package on one HA Firewall Management Center attempts the download on both. If only one peer has internet access, you can sync the package during the upgrade process.

7.4.1 to 7.4.x, and 7.2.6 to 7.2.x

Packages do not sync. For each HA Firewall Management Center with internet access, you can direct-download any applicable package.

7.4.0, 7.3.x, and 7.2.5 and earlier

Packages do not sync. For each HA Firewall Management Center with internet access, you can direct-download the latest maintenance release and critical patches. You must manually upload all other packages.

Firewall Threat Defense upgrade

Any

Firewall Threat Defense upgrade packages do not sync between HA Firewall Management Centers, nor between high availability and clustered devices. Each device or unit must get its own upgrade package from the internet (with Firewall Management Center 7.6.1+), the active Firewall Management Center, or an internal server.

Upgrade Feature History

Table 11. Device Upgrade Feature History

Feature

Minimum Management Center

Minimum Threat Defense

Details

Upgrade Firewall Threat Defense or chassis without a manual readiness check.

Minimum Management Center: 7.7.0

Minimum Threat Defense: 7.7.0

You no longer have to run time-consuming pre-upgrade readiness checks for Firewall Threat Defense or chassis upgrades. Instead, these checks are now regularly run by the system and reported in the health monitor. This allows you to preemptively fix any issues that will block upgrade.

  • The Database module, new for devices, monitors database schema and configuration data (EO) integrity.

  • The FXOS Health module, new for devices, monitors the FXOS httpd service on FXOS-based devices.

  • The Disk Status module is now more robust, alerting on disk health issues reported by daily running of smartctl (a Linux utility for monitoring reliability, predicting failures, and performing other self-tests).

Version restrictions: This feature is supported for upgrades from Version 7.7+. Devices running earlier versions still require the in-upgrade readiness check.

Devices with internet access download upgrade packages from the internet.

Minimum Management Center: 7.6.1, 7.7.0

Minimum Threat Defense: Any

You can now begin device and chassis upgrades without the upgrade package. At the appropriate time, devices will get the package directly from the internet. This saves time and Firewall Management Center disk space.

Devices without internet access can continue to get the package from the Firewall Management Center or an internal server. Note that devices try the internal server (if configured) before either the internet or the Firewall Management Center. If the internal server download fails, newer devices with internet access try the internet then the Firewall Management Center, while older devices and devices without internet access just try the Firewall Management Center. (In this context, "newer" means Firewall Threat Defense 7.6+ or chassis 7.4.1+.)

Restrictions: Firewall Management Center and devices must be able to access the internet. There is no way to force a device with internet access to try the Firewall Management Center before it tries the internet. Not supported for hotfixes.

Download location: https://cdo-ftd-images.s3-us-west-2.amazonaws.com/

Generate and download post-upgrade configuration change reports from the Firewall Threat Defense and chassis upgrade wizards.

Minimum Management Center: 7.6.0

Minimum Threat Defense: Any

You can now generate and download post-upgrade configuration change reports from the Firewall Threat Defense and chassis upgrade wizards, as long as you have not cleared your upgrade workflow.

Previously, you used the Advanced Deploy screens to generate the reports and the Message Center to download them. Note that you can still use this method, which is useful if you want to quickly generate change reports for multiple devices, or if you cleared your workflow.

New/modified screens:

  • Devices > Threat Defense Upgrade > Configuration Changes

  • Devices > Chassis Upgrade > Configuration Changes

Deprecated: Copy upgrade packages ("peer-to-peer sync") from device to device.

Minimum Management Center: 7.6.0

Minimum Threat Defense: 7.6.0

You can no longer use the Firewall Threat Defense CLI to copy upgrade packages between devices over the management network. If you have limited bandwidth between the Firewall Management Center and its devices, configure devices to get upgrade packages directly from an internal web server.

Deprecated CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status

Chassis upgrade for the Secure Firewall 3100 in multi-instance mode.

Minimum Management Center: 7.4.1

Minimum Threat Defense: 7.4.1

For the Secure Firewall 3100 in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (Firewall Threat Defense upgrade).

New/modified screens:

  • Upgrade the chassis: Devices > Chassis Upgrade

  • Upgrade Firewall Threat Defense: Devices > Threat Defense Upgrade

Firmware upgrades included in FXOS upgrades.

Minimum Management Center: 7.4.1

Minimum Threat Defense: Any

Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.

For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware.

Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade.

See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide

Choose and direct-download upgrade packages to the Firewall Management Center.

Minimum Management Center: 7.3.0

Minimum Threat Defense: Any

You can now choose which Firewall Threat Defense upgrade packages you want to direct-download to the Firewall Management Center. Use the new Download Updates sub-tab on System (system gear icon) > Updates > Product Updates.

Version restrictions: this feature is replaced by an improved package management system in Version 7.2.6/7.4.1.

Upload upgrade packages to the Firewall Management Center from the Firewall Threat Defense wizard.

Minimum Management Center: 7.3.0

Minimum Threat Defense: Any

You now use the wizard to upload Firewall Threat Defense upgrade packages or specify their location. Previously (depending on version), you used System > Updates or System > Product Upgrades.

Version restrictions: this feature is replaced by an improved package management system in Version 7.2.6/7.4.1.

Auto-upgrade to Snort 3 after successful Firewall Threat Defense upgrade is no longer optional.

Minimum Management Center: 7.3.0

Minimum Threat Defense: Any

Upgrade impact. All eligible devices upgrade to Snort 3 when you deploy.

When you upgrade Firewall Threat Defense to Version 7.3+, you can no longer disable the Upgrade Snort 2 to Snort 3 option.

After the software upgrade, all eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. Although you can switch individual devices back, Snort 2 is not supported on Firewall Threat Defense 7.7+. You should stop using it now.

For devices that are ineligible for auto-upgrade because they use custom intrusion or network analysis policies, manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Combined upgrade and install package for Secure Firewall 3100.

Minimum Management Center: 7.3.0

Minimum Threat Defense: 7.3.0

Reimage Impact.

In Version 7.3, we combined the Firewall Threat Defense install and upgrade package for the Secure Firewall 3100, as follows:

  • Version 7.1–7.2 install package: cisco-ftd-fp3k.version.SPA

  • Version 7.1–7.2 upgrade package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar

  • Version 7.3+ combined package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar

Although you can upgrade Firewall Threat Defense without issue, you cannot reimage from older Firewall Threat Defense and ASA versions directly to Firewall Threat Defense Version 7.3+. This is due to a ROMMON update required by the new image type. To reimage from those older versions, you must "go through" ASA 9.19+, which is supported with the old ROMMON but also updates to the new ROMMON. There is no separate ROMMON updater.

To get to Firewall Threat Defense Version 7.3+, your options are:

Push packages and check readiness for older ASA FirePOWER and NGIPSv devices before upgrade.

Minimum Management Center: 7.4.3

Minimum Threat Defense: —

With the new upgrade capabilities introduced in 7.2.6 and 7.4.1, we deprecated the ability to perform a pre-upgrade package push and readiness check for ASA FirePOWER and NGIPSv. These options have returned to the Classic device upgrade workflow.

Version restrictions: These devices were last supported in Version 7.0, and the Version 7.4 Firewall Management Center is the last that can manage them.

Firewall Threat Defense and chassis upgrade wizards optimized for lower resolution screens.

Minimum Management Center: 7.2.10, 7.4.3, 7.6.0

Minimum Threat Defense: Any

We optimized the Firewall Threat Defense and chassis upgrade wizards for lower resolution screens (and smaller browser windows). Text appears smaller and certain screen elements are hidden. If you change your resolution or window size mid-session, you may need to refresh the page for the web interface to adjust. Note that the minimum screen resolution to use the Firewall Management Center is 1280 x 720.

New/modified screens:

  • Devices > Threat Defense Upgrade

  • Devices > Chassis Upgrade

Enable revert from the Firewall Threat Defense upgrade wizard.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any, if upgrading to 7.1+

You can now enable revert from the Firewall Threat Defense upgrade wizard.

Version restrictions: You must be upgrading Firewall Threat Defense to Version 7.1+. Not supported with Firewall Management Center Version 7.3.x or 7.4.0.

View detailed upgrade status from the Firewall Threat Defense upgrade wizard.

7.2.6

7.4.1

Any

The final page of the Firewall Threat Defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, Devices > Threat Defense Upgrade brings you back to this final wizard page, where you can view the detailed status for the current (or most recently complete) device upgrade.

Improved upgrade starting page and package management.

7.2.6

7.4.1

Any

A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. This includes the Firewall Management Center, Firewall Threat Defense, and any older NGIPSv/ASA FirePOWER devices. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages.

Internet access is required to retrieve the list/direct download upgrade packages. Otherwise, you are limited to manual management. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes.

New/modified screens:

  • System (system gear icon) > Product Upgrades is now where you upgrade the Firewall Management Center and all managed devices, as well as manage upgrade packages.

  • System (system gear icon) > Content Updates is now where you update intrusion rules, the VDB, and the GeoDB.

  • Devices > Threat Defense Upgrade takes you directly to the Firewall Threat Defense upgrade wizard.

  • System (system gear icon) > Users > User Role > Create User Role > Menu-Based Permissions allows you to grant access to Content Updates (VDB, GeoDB, intrusion rules) without allowing access to Product Upgrades (system software).

Deprecated screens/options:

  • System (system gear icon) > Updates is deprecated. All Firewall Threat Defense upgrades now use the wizard.

  • The Add Upgrade Package button on the Firewall Threat Defense upgrade wizard has been replaced by a Manage Upgrade Packages link to the new upgrade page.

Suggested release notifications.

7.2.6

7.4.1

Any

The Firewall Management Center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases.

See: Cisco Secure Firewall Management Center New Features by Release

Select devices to upgrade from the Firewall Threat Defense upgrade wizard.

7.2.6

7.3.0

December 13, 2022

Any

Use the wizard to select devices to upgrade.

You can now use the Firewall Threat Defense upgrade wizard to select or refine the devices to upgrade. On the wizard, you can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. Previously, you could only use the Device Management page and the process was much less flexible.

Unattended Firewall Threat Defense upgrades.

7.2.6

7.3.0

December 13, 2022

Any

The Firewall Threat Defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.

Simultaneous Firewall Threat Defense upgrade workflows by different users.

7.2.6

7.3.0

December 13, 2022

Any

We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow. Previously, only one upgrade workflow was allowed at a time across all users.

Skip pre-upgrade troubleshoot generation for Firewall Threat Defense.

7.2.6

7.3.0

December 13, 2022

Any

You can now skip the automatic generation of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space.

To manually generate troubleshooting files for a Firewall Threat Defense device, choose System (system gear icon) > Health > Monitor, click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

Copy upgrade packages ("peer-to-peer sync") from device to device.

7.2.0

7.2.0

Instead of copying upgrade packages to each device from the Firewall Management Center or internal web server, you can use the Firewall Threat Defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the Firewall Management Center. Each device can accommodate 5 concurrent package transfers.

This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same Version 7.2.x–7.4.x standalone Firewall Management Center. It is not supported for:

  • Container instances.

  • Device high availability pairs and clusters. These devices get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.

  • Devices managed by high availability Firewall Management Centers.

  • Devices in different domains, or devices separated by a NAT gateway.

  • Devices upgrading from Version 7.1 or earlier, regardless of Firewall Management Center version.

  • Devices running Version 7.6+.

New/modified CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status

Auto-upgrade to Snort 3 after successful Firewall Threat Defense upgrade.

7.2.0

7.0.0

When you use a Version 7.2+ Firewall Management Center to upgrade Firewall Threat Defense to Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3.

After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For help, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Version restrictions: Not supported for Firewall Threat Defense upgrades to Version 7.0.x or 7.1.x.

Upgrade for single-node clusters.

7.2.0

Any

You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System > Updates).

Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.

Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Revert Firewall Threat Defense upgrades from the CLI.

7.2.0

7.2.0

You can now revert Firewall Threat Defense upgrades from the device CLI if communications between the Firewall Management Center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.

Caution

Reverting from the CLI can cause configurations between the device and the Firewall Management Center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.

New/modified CLI commands: upgrade revert, show upgrade revert-info.

Revert a successful device upgrade.

7.1.0

7.1.0

You can now revert major and maintenance upgrades to FTD. Reverting returns the software to its state just before the last upgrade, also called a snapshot. If you revert an upgrade after installing a patch, you revert the patch as well as the major and/or maintenance upgrade.

Important

If you think you might need to revert, you must use System > Updates to upgrade FTD. The System Updates page is the only place you can enable the Enable revert after successful upgrade option, which configures the system to save a revert snapshot when you initiate the upgrade. This is in contrast to our usual recommendation to use the wizard on the Devices > Device Upgrade page.

This feature is not supported for container instances.

Minimum FTD: 7.1

Improvements to the upgrade workflow for clustered and high availability devices.

7.1.0

Any

We made the following improvements to the upgrade workflow for clustered and high availability devices:

  • The upgrade wizard now correctly displays clustered and high availability units as groups, rather than as individual devices. The system can identify, report, and preemptively require fixes for group-related issues you might have. For example, you cannot upgrade a cluster on the Firepower 4100/9300 if you have made unsynced changes on Firepower Chassis Manager.

  • We improved the speed and efficiency of copying upgrade packages to clusters and high availability pairs. Previously, the FMC copied the package to each group member sequentially. Now, group members can get the package from each other as part of their normal sync process.

  • You can now specify the upgrade order of data units in a cluster. The control unit always upgrades last.

Improved FTD upgrade performance and status reporting.

7.0.0

7.0.0

FTD upgrades are now easier, faster, more reliable, and take up less disk space. A new Upgrades tab in the Message Center provides further enhancements to upgrade status and error reporting.

Easy-to-follow upgrade workflow for FTD devices.

7.0.0

Any

A new device upgrade page (Devices > Device Upgrade) on the FMC provides an easy-to-follow wizard for upgrading Version 6.4+ FTD devices. It walks you through important pre-upgrade stages, including selecting devices to upgrade, copying the upgrade package to the devices, and compatibility and readiness checks.

To begin, use the new Upgrade Firepower Software action on the Device Management page (Devices > Device Management > Selection).

As you proceed, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage in the wizard, it does not appear in the next stage.

If you navigate away from the wizard, your progress is preserved, although other users with Administrator access can reset, modify, or continue the wizard.

Note

You must still use System > Updates to upload or specify the location of FTD upgrade packages. You must also use the System Updates page to upgrade the FMC itself, as well as all non-FTD managed devices.

Note

In Version 7.0, the wizard does not correctly display devices in clusters or high availability pairs. Even though you must select and upgrade these devices as a unit, the wizard displays them as standalone devices. Device status and upgrade readiness are evaluated and reported on an individual basis. This means it is possible for one unit to appear to "pass" to the next stage while the other unit or units do not. However, these devices are still grouped. Running a readiness check on one runs it on all. Starting the upgrade on one starts it on all.

To avoid possible time-consuming upgrade failures, manually ensure all group members are ready to move on to the next step of the wizard before you click Next.

Upgrade more FTD devices at once.

7.0.0

Any (source)

6.7.0 (target)

The number of devices you can upgrade at once is now limited by your management network bandwidth—not the system's ability to manage simultaneous upgrades. Previously, we recommended against upgrading more than five devices at a time.

Important

Only upgrades to FTD Version 6.7+ using the FTD upgrade wizard see this improvement. If you are upgrading devices to an older FTD release—even if you are using the new upgrade wizard—we still recommend you limit to five devices at a time.

Upgrade different device models together.

7.0.0

Any

You can now use the FTD upgrade wizard to queue and invoke upgrades for all FTD models at the same time, as long as the system has access to the appropriate upgrade packages.

Previously, you would choose an upgrade package, then choose the devices to upgrade using that package. That meant that you could upgrade multiple devices at the same time only if they shared an upgrade package. For example, you could upgrade two Firepower 2100 series devices at the same time, but not a Firepower 2100 series and a Firepower 1000 series.

Upgrades remove PCAP files to save disk space.

6.7.0

6.7.0

Upgrades now remove locally stored PCAP files. You must still have enough free disk space to upgrade; otherwise, the upgrade fails.

Improved FTD upgrade status reporting and cancel/retry options.

6.7.0

6.7.0

You can now view the status of FTD device upgrades and readiness checks in progress on the Device Management page, as well as a 7-day history of upgrade success/failures. The Message Center also provides enhanced status and error messages.

A new Upgrade Status pop-up, accessible from both Device Management and the Message Center with a single click, shows detailed upgrade information, including percentage/time remaining, specific upgrade stage, success/failure data, upgrade logs, and so on.

Also on this pop-up, you can manually cancel failed or in-progress upgrades (Cancel Upgrade), or retry failed upgrades (Retry Upgrade). Canceling an upgrade reverts the device to its pre-upgrade state.

Note

To be able to manually cancel or retry a failed upgrade, you must disable the new auto-cancel option, which appears when you use the FMC to upgrade an FTD device: Automatically cancel on upgrade failure and roll back to the previous version. With the option enabled, the device automatically reverts to its pre-upgrade state upon upgrade failure.

Auto-cancel is not supported for patches. In an HA or clustered deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.

New/modified screens:

  • System > Updates > Product Updates > Available Updates > Install icon for the FTD upgrade package

  • Devices > Device Management > Upgrade

  • Message Center > Tasks

New/modified CLI commands: show upgrade status detail, show upgrade status continuous, show upgrade status, upgrade cancel, upgrade retry

Get FTD upgrade packages from an internal web server.

6.6.0

6.6.0

FTD devices can now get upgrade packages from your own internal web server, rather than from the FMC. This is especially useful if you have limited bandwidth between the FMC and its devices. It also saves space on the FMC.

Note

This feature is supported only for FTD devices running Version 6.6+. It is not supported for upgrades to Version 6.6, nor is it supported for the FMC or Classic devices.

New/modified screens: We added a Specify software update source option to the page where you upload upgrade packages.

Copy upgrade packages to managed devices before the upgrade.

6.2.3

Any

You can now copy (or push) an upgrade package from the FMC to a managed device before you run the actual upgrade. This is useful because you can push during times of low bandwidth use, outside of the upgrade maintenance window.

When you push to high availability, clustered, or stacked devices, the system sends the upgrade package to the active/control/primary first. Then, it sends the package to the standby/data/secondary.

New/modified screens: System > Updates

Table 12. Firewall Management Center Upgrade Feature History

Feature

Minimum Management Center

Minimum Threat Defense

Details

Skip post-upgrade deploy for Firewall Management Center.

7.7.0

Any

In many cases, you no longer have to deploy to Snort 3 devices after you upgrade the Firewall Management Center. If deploy is required, affected devices are marked out of date (with a few exceptions).

Reasons for needing to manually deploy include:

  • The upgrade updated the LSP and scheduled LSP updates are off.

  • The upgrade updated the LSP and scheduled LSP updates are on, but automatic redeploy is off. Devices may not be marked out of date in this case. Note that if automatic redeploy is on, the redeploy will take place on schedule and you do not need to do it manually.

  • Specific configurations changed by the upgrade require a deploy.

  • You need to upgrade managed devices immediately. After Firewall Management Center upgrade, you cannot upgrade managed devices until you redeploy, even if they are not marked out of date.

SRU update moved out of Firewall Management Center upgrade.

7.7.0

Any

Upgrade impact. After Firewall Management Center upgrades to Version 7.7+, wait for SRU to install.

Instead of upgrading the SRU as part of the upgrade, the system now updates intrusion rules for Snort 2 devices (the SRU) after the upgrade completes and the Firewall Management Center reboots. Although this makes the upgrade itself faster, you cannot update intrusion rules, add devices, or deploy configuration changes while the SRU is updating. This occurs regardless of whether you are managing any Snort 2 devices.

Upgrade Firewall Management Center without a manual readiness check.

7.7.0

Any

You no longer have to run time-consuming pre-upgrade readiness checks for Firewall Management Center upgrades. Instead, these checks are now regularly run by the system and reported in the health monitor. This allows you to preemptively fix any issues that will block upgrade.

Version restrictions: This feature is supported for upgrades from Version 7.7+.

Improved upgrade process for high availability Firewall Management Centers.

7.6.0

Any

Upgrading high availability Firewall Management Centers is now easier:

  • You no longer have to manually copy the upgrade package to both peers. Depending on your setup, you can have each peer get the package from the support site, or you can copy the package between peers.

  • You no longer have to manually run the readiness check on both peers. Running it on one runs it on both.

  • If you do not have enough disk space to run the upgrade, a new Clean Up Disk Space option can help.

  • You no longer have to manually pause synchronization before upgrade, or resolve split brain after the upgrade; the system now does this automatically. Also, your original active/standby roles are preserved.

Note that although you can complete most of the upgrade process from one peer (we recommend the standby), you do have to log into the second peer to actually initiate its upgrade.

New/modified screens: System (system gear icon) > Product Upgrades

Version restrictions: This feature applies to upgrades from Version 7.6.0 and later, not to upgrades to Version 7.6.0.

Automatically generate configuration change reports after Firewall Management Center upgrade.

7.4.1

Any

You can automatically generate reports on configuration changes after major and maintenance Firewall Management Center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center.

Version restrictions: Only supported for Firewall Management Center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version.

New/modified screens: System > Configuration > Upgrade Configuration > Enable Post-Upgrade Report

Hotfix high availability Firewall Management Centers without pausing synchronization.

7.2.6

7.4.1

Any

Unless otherwise indicated by the hotfix release notes or Cisco TAC, you do not have to pause synchronization to install a hotfix on high availability Firewall Management Centers.

New upgrade wizard for the Firewall Management Center.

7.2.6

7.4.1

Any

A new upgrade starting page and wizard make it easier to perform Firewall Management Center upgrades. After you use System (system gear icon) > Product Upgrades to get the appropriate upgrade package onto the Firewall Management Center, click Upgrade to begin.

Version restrictions: Only supported for Firewall Management Center upgrades from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Updated internet access requirements for direct-downloading software upgrades.

7.2.6

7.4.1

Any

Upgrade impact. The system connects to new resources.

The Firewall Management Center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com.

Improved upgrade starting page and package management.

7.2.6

7.4.1

Any

See Improved upgrade starting page and package management.

Suggested release notifications.

7.2.6

7.4.1

Any

See Suggested release notifications.

Firewall Management Center upgrade does not automatically generate troubleshooting files.

7.2.0

Any

To save time and disk space, the Firewall Management Center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.

To manually generate troubleshooting files for the Firewall Management Center, choose System (system gear icon) > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

Upgrades postpone scheduled tasks.

6.4.0

Any

The Firewall Management Center upgrade process now postpones scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.

Note

Before you begin any upgrade, you must still make sure running tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.

Note that this feature is supported for all upgrades from a supported version. This includes Version 6.4.0.10 and later patches, Version 6.6.3 and later maintenance releases, and Version 6.7.0+. This feature is not supported for upgrades to a supported version from an unsupported version.