Upgrade Chassis for Threat Defense 3100/4100/4200/9300

Upgrade the Secure Firewall 3100/4200 Chassis

Use this procedure to upgrade the chassis on the Secure Firewall 3100/4200 in multi-instance mode. As you proceed, the system displays basic information about your selected chassis, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a chassis does not "pass" a stage, it does not appear in the next stage.

If you navigate away from the upgrade wizard, your progress is preserved and other users cannot start a new upgrade workflow for any chassis you have already selected. (Exception: if you are logged in with a CAC, your progress is cleared 24 hours after you log out.) To return to your workflow, choose Devices > Chassis Upgrade.

Upgrade does not start until you complete the wizard and click Start Upgrade. All steps up to that point can be performed outside of a maintenance window, including copying upgrade packages and choosing upgrade options.


Caution


Do not deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot or shut down. Do not restart an upgrade in progress. You could place the system in an unusable state and require a reimage. The system may reboot multiple times during the upgrade. This is expected behavior. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.


Before you begin

Make sure you are ready to upgrade:

Procedure


Step 1

On the management center, choose System (system gear icon) > Product Upgrades.

The Product Upgrades page provides an upgrade-centered overview of your deployment—how many devices you have, when they were last upgraded, whether there is an upgrade in progress, and so on. The system lists upgrades that apply to you, with suggested releases specially marked (requires internet access on the management center).

Step 2

(Optional) Get upgrade packages onto the management center, or put them on an internal server.

Skip this step if your devices have internet access and can get upgrade packages directly from the internet. For other options, see Managing Upgrade Packages with the Management Center.

Step 3

Launch the upgrade wizard.

Click Upgrade next to the target version. If you are given a drop-down menu, choose Chassis.

The chassis upgrade wizard appears. It has two panes: Device Selection on the left, and Device Details on the right. Click a device link in the Device Selection pane (such as '4 devices') to show the Device Details for those chassis. Your target version is pre-selected in the Upgrade to menu. The system determines which chassis can be upgraded to that version and displays them in the Device Details pane. The Device Selection pane also displays the FXOS and firmware versions contained in the upgrade package.

Step 4

Select chassis to upgrade.

In the Device Details pane, select the devices you want to upgrade and click Add to Selection.

You can use the device links on the Device Selection pane to toggle the Device Details pane between selected chassis, remaining upgrade candidates, ineligible chassis (with reasons why), chassis that need the upgrade package, and so on. You can add and remove chassis from your selection, or click Reset to clear your selection and start over. Note that you do not have to remove ineligible chassis; they are automatically excluded from upgrade.

Step 5

(Optional) Remove unneeded upgrade packages from your selected chassis.

You must manually manage chassis upgrade packages. Right now is a good time to clean up.

  1. In the Device Selection pane, click the message that says: X devices have packages that might not be needed.

  2. In the Device Details pane, select a chassis, click Manage Upgrade Packages on Device, select the packages you want to remove and click Remove. Repeat this step for each chassis you want to clean up.

Step 6

Copy upgrade packages.

Click Copy Upgrade Package and wait for the transfer to complete. Where the package comes from depends on your deployment and previous configurations. For more information, see Copying Upgrade Packages to Devices.

Step 7

Click Next to choose upgrade options.

By default, chassis upgrades run in parallel. For serial order, select the appropriate chassis and click Move to Serial Upgrade. To change the serial upgrade order, click Change Upgrade Order.

Note

 

For chassis with high availability instances, we recommend two workflows (run the upgrade wizard twice) over either parallel or serial upgrade. For more information, see Upgrade Order.

Step 8

Reconfirm you are ready to upgrade.

We recommend revisiting the configuration and deployment health checks you performed earlier: Configuration and Deployment Checks.

Step 9

Click Start Upgrade and confirm your choice.

For information on traffic handling during the upgrade, see Traffic Flow and Inspection for Chassis Upgrades.

Step 10

Monitor the upgrade.

The wizard shows your overall upgrade progress. For more information, see Monitor Device Upgrades.

Step 11

Verify success.

After the upgrade completes, verify success on Devices > Device Management.

Step 12

(Optional) Examine configuration changes.

Before you upgrade threat defense, you may want to review the changes made by the chassis upgrade:

  • If you have not cleared your workflow, you can return to the wizard. Choose Devices > Chassis Upgrade and click Configuration Changes next to each chassis.

  • If you have cleared the workflow, or if you want to quickly generate change reports for multiple chassis, use the Advanced Deploy page. Choose Deploy > Advanced Deploy, select the chassis you upgraded, and click Pending Changes Reports. After the reports finish generating, you can download them from the Tasks tab on the Message Center.

Step 13

(Optional) In high availability deployments, examine device roles.

Depending on how you performed the upgrade, high availability instances may have switched roles. Keeping in mind that any subsequent threat defense upgrade will also switch device roles, make any desired changes.


What to do next

  • (Optional) Clear the wizard by clicking Clear Upgrade Information. Until you do this, the page continues to display details about the upgrade you just performed. After you clear the wizard, use the Upgrade tab on the Device Management page to see last-upgrade information, and the Advanced Deploy screens to see configuration changes.

  • Back up again: Backups

Upgrade FXOS on the Firepower 4100/9300 with Chassis Manager

Upgrade FXOS for Standalone FTD Logical Devices or an FTD Intra-chassis Cluster Using Firepower Chassis Manager

The section describes the upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD logical devices that are not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with FTD logical devices in an intra-chassis cluster.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure


Step 1

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 2

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.
  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 3

After the new platform bundle image has been successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 4

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 5

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 6

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.


Upgrade FXOS on an FTD Inter-chassis Cluster Using Firepower Chassis Manager

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as an inter-chassis cluster, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure


Step 1

Enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the control unit).

  2. Enter top .

  3. Enter scope ssa .

  4. Enter show slot .

  5. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  6. Enter show app-instance .

  7. Verify that the Oper State is Online and that the Cluster State is In Cluster for any logical devices installed on the chassis. Also verify that the correct FTD software version is shown as the Running Version.

    Important

     

    Verify that the control unit is not on this chassis. There should not be any Firepower Threat Defense instance with Cluster Role set to Master.

  8. For any security modules installed on a Firepower 9300 appliance or for the security engine on a Firepower 4100 series appliance, verify that the FXOS version is correct:

    scope server 1/slot_id , where slot_id is 1 for a Firepower 4100 series security engine.

    show version .

Step 2

Connect to Firepower Chassis Manager on Chassis #2 (this should be a chassis that does not have the control unit).

Step 3

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 4

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.
  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 5

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 6

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 7

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

  4. Enter top .

  5. Enter scope ssa .

  6. Enter show slot .

  7. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  8. Enter show app-instance .

  9. Verify that the Oper State is Online, that the Cluster State is In Cluster and that the Cluster Role is Slave for any logical devices installed on the chassis.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #
FP9300-A /system # top
FP9300-A# scope ssa
FP9300-A /ssa # show slot

Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
FP9300-A /ssa #

FP9300-A /ssa # show app-instance
App Name   Slot ID    Admin State Oper State       Running Version Startup Version Profile Name Cluster State   Cluster Role
---------- ---------- ----------- ---------------- --------------- --------------- ------------ --------------- ------------
ftd        1          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        2          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        3          Disabled    Not Available                    6.2.2.81                     Not Applicable  None
FP9300-A /ssa #

Step 8

Set one of the security modules on Chassis #2 as control.

After setting one of the security modules on Chassis #2 to control, Chassis #1 no longer contains the control unit and can now be upgraded.

Step 9

Repeat Steps 1-7 for all other Chassis in the cluster.

Step 10

To return the control role to Chassis #1, set one of the security modules on Chassis #1 as control.


Upgrade FXOS on an FTD High Availability Pair Using Firepower Chassis Manager

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure


Step 1

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 3

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.
  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 4

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 5

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 6

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 7

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 8

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 9

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 10

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 11

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.
  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 12

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 13

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components. The upgrade process can take up to 30 minutes to complete.

Step 14

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 15

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 16

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.


Upgrade FXOS on the Firepower 4100/9300 with the CLI

Upgrade FXOS for Standalone FTD Logical Devices or an FTD Intra-chassis Cluster Using the FXOS CLI

The section describes the FXOS upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD devices that are not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with FTD logical devices in an intra-chassis cluster.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure


Step 1

Connect to the FXOS CLI.

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol:

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.


Upgrade FXOS on an FTD Inter-chassis Cluster Using the FXOS CLI

If you have Firepower 9300 or Firepower 4100 series security appliances with FTD logical devices configured as an inter-chassis cluster, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure


Step 1

Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the control unit).

Step 2

Enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online and that the Cluster State is In Cluster for any logical devices installed on the chassis. Also verify that the correct FTD software version is shown as the Running Version.

    Important

     

    Verify that the control unit is not on this chassis. There should not be any Firepower Threat Defense instance with Cluster Role set to Master.

  7. For any security modules installed on a Firepower 9300 appliance or for the security engine on a Firepower 4100 series appliance, verify that the FXOS version is correct:

    scope server 1/slot_id , where slot_id is 1 for a Firepower 4100 series security engine.

    show version .

Step 3

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter top .

  2. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  3. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  4. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol:

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 4

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 5

Enter auto-install mode:

Firepower-chassis /firmware # scope auto-install

Step 6

Install the FXOS platform bundle:

Firepower-chassis /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing—for example, 2.3(1.58).

Step 7

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 8

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 9

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

  4. Enter top .

  5. Enter scope ssa .

  6. Enter show slot .

  7. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  8. Enter show app-instance .

  9. Verify that the Oper State is Online, that the Cluster State is In Cluster and that the Cluster Role is Slave for any logical devices installed on the chassis.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #
FP9300-A /system # top
FP9300-A# scope ssa
FP9300-A /ssa # show slot

Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
FP9300-A /ssa #

FP9300-A /ssa # show app-instance
App Name   Slot ID    Admin State Oper State       Running Version Startup Version Profile Name Cluster State   Cluster Role
---------- ---------- ----------- ---------------- --------------- --------------- ------------ --------------- ------------
ftd        1          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        2          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        3          Disabled    Not Available                    6.2.2.81                     Not Applicable  None
FP9300-A /ssa #

Step 10

Set one of the security modules on Chassis #2 as control.

After setting one of the security modules on Chassis #2 to control, Chassis #1 no longer contains the control unit and can now be upgraded.

Step 11

Repeat Steps 1-9 for all other Chassis in the cluster.

Step 12

To return the control role to Chassis #1, set one of the security modules on Chassis #1 as control.


Upgrade FXOS on an FTD High Availability Pair Using the FXOS CLI

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure


Step 1

Connect to FXOS CLI on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol:

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 10

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 11

Connect to FXOS CLI on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 12

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol:

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 13

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 14

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 15

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 16

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 17

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 18

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 19

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 20

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.