Upgrade Firewall Threat Defense

Use this procedure to upgrade Firewall Threat Defense with the upgrade wizard.

As you proceed, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage, it does not appear in the next stage.

If you navigate away from the upgrade wizard, your progress is preserved and other users cannot start a new upgrade workflow for any devices you have already selected. (Exception: if you are logged in with a CAC, your progress is cleared 24 hours after you log out.) To return to your workflow, choose Devices > Upgrade > Threat Defense Upgrade.

Upgrade does not start until you complete the wizard and click Start Upgrade. All steps up to that point can be performed outside of a maintenance window, including checking readiness, copying upgrade packages, and choosing upgrade options.


Caution


Do not deploy configuration changes during upgrade. Even if the device appears inactive, do not manually reboot or shut down. In most cases, do not restart an upgrade in progress. You could place the system in an unusable state and require a reimage. Devices may reboot multiple times during the upgrade. This is expected behavior. If you encounter issues with the upgrade, including a failed upgrade or unresponsive device, see Unresponsive and Failed Firewall Threat Defense Upgrades.


Before you begin

Make sure you are ready to upgrade:

Procedure


Step 1

On the Firewall Management Center, choose System (system gear icon) > Product Upgrades.

The Product Upgrades page provides an upgrade-centered overview of your deployment—how many devices you have, when they were last upgraded, whether there is an upgrade in progress, and so on. If the Firewall Management Center has internet access, it lists upgrades that apply to you, with suggested releases specially marked.

Step 2

(Optional) Get upgrade packages onto the Firewall Management Center, or put them on an internal server.

Skip this step if your devices can get upgrade packages directly from the internet. For other options, see Managing Upgrade Packages with the Firewall Management Center.

Step 3

Launch the upgrade wizard.

Click Upgrade next to the target version. If you are given a drop-down menu, choose Threat Defense.

The Firewall Threat Defense upgrade wizard appears. It has two panes: Device Selection on the left, and Device Details on the right. Click a device link in the Device Selection pane (such as '4 devices') to show the Device Details for those devices. Your target version is pre-selected in the Upgrade to menu. The system determines which devices can be upgraded to that version and displays them in the Device Details pane.

Step 4

Select devices to upgrade.

In the Device Details pane, select the devices you want to upgrade and click Add to Selection.

You can use the device links on the Device Selection pane to toggle the Device Details pane between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. You can add and remove devices from your selection, or click Reset to clear your device selection and start over. Note that you do not have to remove ineligible devices; they are automatically excluded from upgrade. You must upgrade the members of device clusters and high availability pairs together.

Tip

After you select devices, you can use unattended mode to automatically prepare for and begin the upgrade. After the upgrade completes, pick up with the verification and post-upgrade tasks. For more information, see Upgrade Firewall Threat Defense in Unattended Mode.

Step 5

Copy upgrade packages.

Click Copy Upgrade Package and wait for the transfer to complete. Where the package comes from depends on your deployment and previous configurations. For more information, see Copying Upgrade Packages to Devices.

Step 6

Click Next to check upgrade readiness.

Checks are automatic, some based on current device health; see Configuration and Deployment Checks. Passing all checks greatly reduces the chance of upgrade failure. If the checks expose issues that you cannot resolve, do not begin the upgrade. Disable checks only at the direction of Cisco TAC.

Note

Devices currently running Version 7.6.x and earlier require some manual readiness checks. To begin these, click Run Readiness Check. Do not deploy changes to, manually reboot, or shut down a device while running readiness checks.

Step 7

Click Next to choose upgrade options.

These options allow you to revert from both successful and unsuccessful upgrades and to upgrade Snort on older devices. For information on why you might disable these options, see Upgrade Options for Firewall Threat Defense.

Step 8

Click Start upgrade and confirm your choice.

Devices operate in maintenance mode while they upgrade. For information on traffic handling during the upgrade, see Traffic Flow and Inspection.

Step 9

Monitor the upgrade.

The wizard shows your overall upgrade progress. For more upgrade monitoring options, including special considerations for monitoring high availability upgrades, see Monitor Firewall Threat Defense Upgrades.

Step 10

Verify success.

After the upgrade completes, verify success on Devices > Device Management.

Step 11

(Optional) In high availability or clustered deployments, examine device roles.

The upgrade process switches device roles so that it is always upgrading a standby unit or data node. It does not return devices to the roles they had before upgrade. If you have preferred roles for specific devices, make those changes now.

Step 12

Update intrusion rules and the vulnerability database.

Although the upgrade often updates these components, there could be newer ones available. If the Cisco Support & Download site has a newer version, install it. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Note

The system updates intrusion rules for Snort 2 devices (SRU) after the upgrade completes and the management center reboots. While this is happening, you cannot update intrusion rules, add devices, or deploy configuration changes. This occurs regardless of whether you are managing any Snort 2 devices.

Step 13

Complete any required post-upgrade configuration changes.

Step 14

Redeploy configurations to the devices you just upgraded.

Snort typically restarts during the first deployment after upgrade. Restarting the Snort process briefly interrupts traffic flow and inspection on all devices, including those configured for high availability or clustering. For more information, see Traffic Flow and Inspection when Deploying Configurations.

Before you deploy, you may want to review the changes made by the upgrade (as well as any changes you have made since upgrade):

  • If you have not cleared your workflow, you can return to the wizard. Choose Devices > Upgrade > Threat Defense Upgrade and click Configuration Changes next to each device.

  • If you have cleared the workflow, or if you want to quickly generate change reports for multiple devices, use the Advanced Deploy page. Choose Deploy > Advanced Deploy, select the devices you upgraded, and click Pending Changes Reports. After the reports finish generating, you can download them from the Tasks tab on the Message Center.


What to do next

  • (Optional) Clear the wizard by clicking Clear upgrade information. Until you do this, the page continues to display details about the upgrade you just performed. After you clear the wizard, use the Upgrade tab on the Device Management page to see last-upgrade information, and the Advanced Deploy screens to see configuration changes.

  • Back up again: Backups

Upgrade Firewall Threat Defense in Unattended Mode

The Firewall Threat Defense upgrade wizard has an optional unattended mode. Start the wizard, select the target version and the devices you want to upgrade, choose upgrade options, and step away. You can even log out or close the browser. The system automatically copies upgrade packages to devices, checks readiness, and begins the upgrade. After the upgrade completes, pick up with the verification and post-upgrade tasks.

Table 1. Upgrade Firewall Threat Defense in Unattended Mode

| To... | Do this in the wizard... |
| --- | --- |
| Start an unattended upgrade. | Choose Unattended mode > Start after selecting the target version and the devices you want to upgrade. For unattended mode options, see Upgrade Options for Firewall Threat Defense. |
| Pause an unattended upgrade during copy and checks phases. | Choose Unattended mode > Stop. You can pause and restart unattended mode during the copy and checks phases. However, pausing unattended mode does not stop tasks in progress. Copies and checks that have started will run to completion. Note that you must pause unattended mode to perform any manual upgrade actions. Once the actual device upgrade begins, you cannot cancel it by stopping unattended mode. Instead, use the Upgrade Status pop-up, accessible from the Upgrade tab on the Device Management page. |
| Monitor an unattended upgrade during copy and checks phases. | Choose Unattended mode > View status. Once the actual device upgrade begins, see Monitor Firewall Threat Defense Upgrades. |

Monitor Firewall Threat Defense Upgrades


Caution


Do not deploy configuration changes during upgrade. Even if the device appears inactive, do not manually reboot or shut down. In most cases, do not restart an upgrade in progress. You could place the system in an unusable state and require a reimage. Devices may reboot multiple times during the upgrade. This is expected behavior. If you encounter issues with the upgrade, including a failed upgrade or unresponsive device, see Unresponsive and Failed Firewall Threat Defense Upgrades.


Monitoring device and chassis upgrades

To monitor Firewall Threat Defense and chassis upgrades, you can use:

  • The Upgrade Status screen of the upgrade wizard (Devices > Threat Defense Upgrade/Chassis Upgrade), if you have not cleared your workflow or started a new one. For detailed status, click Detailed Status next to the device you want to see.

  • The Upgrade tab on the Device Management page (Devices > Device Management). For detailed status, click View Details next to the device you want to see.

  • The Upgrades tab in the Message Center.

High availability state during upgrade

For Firewall Threat Defense high availability pairs, the standby upgrades first. The devices switch roles, then the new standby upgrades. During upgrade, the system can report inconsistent states:

  • The Message Center and the upgrade wizard associate the units with their states when you clicked Start Upgrade. That is, they report upgrading the "standby" and then the "active," even though failover occurs and you are only ever upgrading the standby.

  • The Device Management page always shows the correct current states of the units, which can be different from the original states displayed by the Message Center or the wizard.

High availability upgrade success

For Firewall Threat Defense high availability pairs, the Message Center reports upgrade success for each unit in separate tasks.


Important


Regardless of what the Message Center says, do not redeploy configurations to the high availability pair until both devices have finished upgrading.


Upgrade Options for Firewall Threat Defense

These options are enabled by default.

Table 2. Firewall Threat Defense Upgrade Options

| Option | When to Disable | Details |
| --- | --- | --- |
| Compatibility and readiness checks: Require passing compatibility and readiness checks. | At the direction of Cisco TAC. | If you disable this option, you can begin the upgrade without passing compatibility and readiness checks. However, we recommend against it. Passing all checks greatly reduces the chance of upgrade failure. If the checks expose issues that you cannot resolve, do not begin the upgrade. |
| Upgrade failure: Automatically cancel on upgrade failure and roll back to the previous version. | To force manual (instead of automatic) cancel and retry of failed upgrades. | With this option enabled, the device automatically returns to its pre-upgrade state upon upgrade failure. In a high availability or clustered deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted. Not supported for patches or hotfixes. |
| Enable revert: Enable revert after successful upgrade. | To save time and disk space. | You have 30 days to revert most Firewall Threat Defense upgrades. Reverting returns the software to its state just before the last upgrade, also called a snapshot. If you revert an upgrade after installing a patch, you revert the patch as well as the upgrade. Not supported for container instances, patches, or hotfixes. |
| Upgrade Snort: Convert eligible devices from Snort 2 to Snort 3. | To prevent Snort 3 upgrades. | With upgrades to Version 7.2–7.6, eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. With upgrades to Version 7.3+, you cannot disable this option. Although you can switch individual devices back, Snort 2 is deprecated in Version 7.7, which will prevent Firewall Threat Defense upgrade. For devices that are ineligible because they use custom intrusion or network analysis policies, manually upgrade to Snort 3. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version. |

Troubleshooting Firewall Threat Defense Upgrade

Table 3. Troubleshooting Threat Defense Upgrade

Issue

Solution

Upgrade button missing for my target version.

Either:

Devices not listed in the upgrade wizard.

If you accessed the wizard directly from Devices > Upgrade > Threat Defense Upgrade and therefore did not select a target version, the workflow may be blank. To begin, choose a target version from the Upgrade to menu. The system should display the devices that can be upgraded to that version.

Target version not listed in the Upgrade to menu.

The choices in the Upgrade to menu correspond to the device upgrade packages on the Firewall Management Center, plus any on the support site that apply to you. If you don't see the one you want, either:

  • The menu lists multiple versions but not the one you are looking for. You may not have any eligible devices. Or, the package may require manual upload (such as hotfixes).

  • The menu is blank/only lists versions corresponding to already uploaded packages. The Firewall Management Center does not have internet access. You must manually upload the package you want.

To upload an upgrade package, click Manage Upgrade Packages; see Managing Upgrade Packages with the Firewall Management Center.

Devices not listed in the upgrade wizard even though a target version is selected.

You have no devices that can be upgraded to that version. If you still think you should see devices here, your user role could be prohibiting you from managing (and therefore upgrading) devices. In a multidomain deployment, you could be logged into the wrong domain.

Devices locked to someone else's upgrade workflow.

If you need to reset someone else's workflow, you must have Administrator access. You can either:

  • Delete or deactivate the user.

  • Update the user's role so they no longer have permission to use System (system gear icon) > Product Upgrades.

High availability Firewall Management Center failed over while setting up upgrade.

Neither your workflow nor Firewall Threat Defense upgrade packages are synchronized between high availability Firewall Management Centers.

In case of failover, you must recreate your workflow on the new active Firewall Management Center, which includes downloading upgrade packages and copying them to devices. (Upgrade packages already copied to devices are not removed, but the Firewall Management Center still must have the package or a pointer to its location.)

Pruning daemon errors in the Message Center.

This most commonly happens for devices running Version 7.6.x or earlier when you do not start the upgrade within 10 minutes after the readiness check completes. Regardless, you can safely ignore these messages and proceed with the upgrade.

The full error is: Process Status - device_name. The pruning daemon exited n time(s).

Unresponsive and Failed Firewall Threat Defense Upgrades

The following table has troubleshooting information for unresponsive and failed Firewall Threat Defense upgrades. For issues with chassis upgrades, contact Cisco TAC.


Caution


Do not reboot or shut down at any point during upgrade, even if the system appears inactive. You could place the system in an unusable state and require a reimage.


Table 4. Unresponsive and Failed Firewall Threat Defense Upgrades

Issue

Solution

Cannot reach the device.

Devices can stop passing traffic during the upgrade or if the upgrade fails. Before you upgrade, make sure traffic from your location does not have to traverse the device itself to access the device's management interface.

You should also be able to access the Firewall Management Center's management interface without traversing the device.

Upgrade or patch appears hung/device appears inactive.

If device upgrade status has stopped updating on the Firewall Management Center but there is no report of upgrade failure, you can try canceling the upgrade; see below. If you cannot cancel or canceling does not work, contact Cisco TAC.

Tip: You can monitor upgrade logs on the device itself using expert mode and tail or tailf: tail /ngfw/var/log/sf/update.status.

Upgrade failed.

If an upgrade fails and:

  • The device reverted to its pre-upgrade state (auto-cancel is enabled), correct any issues and try again from the beginning.

  • The device is still in maintenance mode, correct any issues and resume the upgrade. Or, cancel and try again later.

If you cannot retry or cancel, or if you continue to have issues, contact Cisco TAC.

Patch failed.

You cannot cancel in-progress or failed patches. However, if a patch fails early, for example, during validation stages, the device may remain up and running normally. Simply correct any issues and try again.

If a patch fails after the device has entered maintenance mode, check for an uninstaller. If one exists, you can try running it to remove the failed patch; see Uninstall a Firewall Threat Defense Patch. After the uninstall finishes, you can correct any issues and try again.

If there is no uninstaller, if the uninstall fails, or if you continue to have issues, contact Cisco TAC.

Upgrade on a clustered device failed, and I want to reimage instead of retrying the upgrade.

If a cluster node upgrade fails and you choose to reimage the node, reimage it to the current version of the control node before you add it back to the cluster. Depending on when and how the upgrade failed, the current version of the control node can be the old version or the target version.

We do not support mixed-version clusters except temporarily during upgrade. Deliberately creating a mixed-version cluster can cause outages.

Tip

Remove the failed node from the cluster and reimage it to the target version. Upgrade the rest of the cluster to the target version, then add your reimaged node.

I want to cancel an upgrade.

Canceling reverts the device to its pre-upgrade state. You can cancel failed and in-progress upgrades on the upgrade status pop-up, accessible from the Upgrade tab on the Device Management page. You cannot cancel patches.

If you cannot cancel or canceling does not work, contact Cisco TAC.

I want to retry (resume) a failed upgrade.

You can resume an upgrade on the upgrade status pop-up, accessible from the Upgrade tab on the Device Management page.

If you continue to have issues, contact Cisco TAC.

I want to change what happens when upgrade fails.

Part of the upgrade process is choosing what happens if it fails. This is done with the Automatically cancel on upgrade failure... (auto-cancel) option:

  • Auto-cancel enabled (default): If upgrade fails, the upgrade cancels and the device automatically reverts to its pre-upgrade state. This returns you to normal operations as quickly as possible while you regroup and try again.

  • Auto-cancel disabled: If upgrade fails, the device remains as it is. This allows you to correct any issues and resume the upgrade.

For high availability and clustered devices, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.