Cisco docs:
https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/upgrade_firepower_threat_defense.html#id_64765
https://software.cisco.com/download/home/286291275
https://software.cisco.com/download/home/286306503/type/286306337/release/6.7.0
Old method was sensor first then FMC.
Figure out your upgrade path first (it can save a lot of time):
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/upgrade/management-center/740/upgrade-management-center-741/planning.html#r_ftd-upgrade-path
7.4 is the max version for Firepower 2140 hardware (it will still get security updates until EOL)
6.4 can jump direct to 7.0
6.6 can jump direct to 7.2 (watch for user identity issues and DH groups on site-to-site VPNs; PBR is now native in FMC, see the FlexConfig section below)
7.0 can jump direct to 7.4
7.1 can jump direct to 7.6
7.2 can jump direct to 7.7
Step 0
Check the pre-reqs and the docs (release notes and upgrade guide) for the target version.
Sometimes you need to clear space before doing upgrades; from expert mode check with:
df -h
Delete old upgrade/SRU files, leaving the 2 most recent, under:
/var/sf/SRU
/var/sf/sru
/var/common/
/usr/local/sf
Only remove old package files you recognise (upgrade .sh bundles, SRU/VDB files); don't delete anything else under these paths.
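The cleanup step above done with a small script, as an added example that is not from the original post. It keeps the N newest files in a directory and removes the rest, defaults to a dry run so you can check the list before re-running with "apply", and never touches sub-directories. The directory names and the package file names in the usage comment are assumptions based on the paths in these notes, not a Cisco-supplied tool.

```shell
# Added example, not from the original post: prune old upgrade/SRU packages in
# an FMC/FTD directory, keeping the N most recent files. Assumed usage is from
# expert mode on the directories listed above; the default is a dry run that
# only prints what would be removed, so you can eyeball it before re-running
# with "apply". Sub-directories inside DIR are never touched.
#
#   prune_keep_recent DIR [KEEP] [apply]
#
# Prints one full path per file that would be (or was) deleted.
prune_keep_recent() {
    dir="$1"
    keep="${2:-2}"
    mode="${3:-dry}"
    if [ ! -d "$dir" ]; then
        echo "prune_keep_recent: no such directory: $dir" >&2
        return 1
    fi
    # ls -t sorts newest first, -p marks directories with a trailing slash so
    # they can be dropped; tail then skips the KEEP newest entries.
    ls -tp "$dir" | grep -v '/$' | tail -n +"$((keep + 1))" | while IFS= read -r f; do
        echo "$dir/$f"
        if [ "$mode" = "apply" ]; then
            rm -f "$dir/$f"
        fi
    done
}

# Typical run on an FMC (paths assumed; dry run first, then apply):
#   df -h
#   prune_keep_recent /var/sf/updates 2
#   prune_keep_recent /var/sf/updates 2 apply
```

Run it once without "apply" and read the list; if the only things listed are old Cisco_*_Upgrade-*.sh bundles or old SRU files, run it again with "apply" and re-check df -h.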
New method is FMC, deploy, sensor, deploy.
Step 1
Update your VDB and geolocation database to the latest.
Run a backup for both FMC and FTD (tick the box to bring the FTD backup back to the FMC).
Download those backup files off the FMC.
You can also export the policies from Policies > Import/Export (top right).
It is a good idea to also take a dump of the running config (show running-config) from the FTDs (primary and secondary), especially if you have a stand-alone FTD.
You can also take a VM snapshot before the FMC upgrade, but Cisco seems to flip-flop on whether this is supported. If you take a snapshot, make sure to merge/delete it after the upgrade is completed; you don't want a snapshot growing, it will cause an issue later.
Since 6.2 you need to upgrade the FMC first, then the sensors.
To upgrade from the web GUI, the FMC .sh upgrade file can be downloaded from:
Downloads Home > Products > Security > Firewalls > Firewall Management > Firepower Management Center > Virtual Appliance > FireSIGHT System Software-6.2.0
Network sensor .sh files are available from:
Downloads Home > Products > Security > Firewalls > Next-Generation Firewalls (NGFW) > ASA 5500-X with FirePOWER Services > ASA 5525-X with FirePOWER Services > FirePOWER Services Software for ASA-6.2.0
In later versions you can run a readiness check first (do this; it catches problems such as low disk space before the real upgrade starts). Most upgrade logs are found under /var/log/sf.
From version 6.3.0 you can upgrade directly to major versions.
Let's say we are on 6.2.1 and want to go to 6.4.0.2:
we can upgrade directly to 6.4.0 and then up to 6.4.0.2.
Remember you need to deploy after each install.
Other commands (from expert mode on the FMC):
DBCheck.pl
Attempt to resume an upgrade:
install_update.pl --detach --resume /var/sf/updates/Cisco_Secure_FW_Mgmt_Center_Upgrade-7.2.10
Upgrade roll back:
/var/log/sf/Cisco_Secure_FW_Mgmt_Center_Upgrade-7.2.10/upgrade_roll back
Dealing with FlexConfig
When FlexConfig is brought into FMC it can cause issues.
One example: I had some policy based routing (PBR).
After the upgrade it wasn't working even though the code was there in the ASA CLI.
I had to delete the FlexConfig off the FMC,
deploy,
configure the PBR via the FMC,
deploy,
then check the CLI so that the PBR matched what I had before in the ASA CLI.
This was done by doing a WinMerge on the config before and after, so it's crucial to have that show run backup for fixing FlexConfig issues.
All was working.
The process will work the same for other FlexConfig.
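The before/after comparison above done on the CLI, as an added example that is not from the original post. It normalises two "show running-config" dumps by dropping the lines that always differ (": Saved", the "Written by" timestamp, Cryptochecksum and "!" separators), diffs them, and lists the lines present before the upgrade that are gone afterwards, which is exactly the list to re-create natively in FMC. The sample configs, hostnames, route-map names and addresses are constructed for the example; it is an assumption that your dump has the standard ASA header/footer lines.

```shell
# Added example, not from the original post: compare the pre-upgrade and
# post-upgrade "show running-config" dumps so that real drift (a PBR stanza
# that FlexConfig no longer pushes) stands out, while lines that always differ
# (": Saved", the "Written by" timestamp, Cryptochecksum, "!" separators) are
# ignored. Same idea as the WinMerge step above, done with diff. All file names
# and config content below are constructed for the example.

# normalize_config FILE -> normalised config on stdout
normalize_config() {
    grep -v -e '^:' -e '^!' -e '^Cryptochecksum' "$1" | sed 's/[[:space:]]*$//'
}

# config_diff BEFORE AFTER -> unified diff; returns 0 if identical, 1 if drift
config_diff() {
    b=$(mktemp); a=$(mktemp)
    normalize_config "$1" > "$b"
    normalize_config "$2" > "$a"
    diff -u "$b" "$a"
    rc=$?
    rm -f "$b" "$a"
    return $rc
}

# missing_lines BEFORE AFTER -> lines present before the upgrade but gone after
# (the list you work through when re-creating FlexConfig natively in FMC)
missing_lines() {
    b=$(mktemp); a=$(mktemp)
    normalize_config "$1" > "$b"
    normalize_config "$2" > "$a"
    grep -v -x -F -f "$a" "$b" || true
    rm -f "$b" "$a"
}

# write_samples DIR -> writes constructed before.cfg/after.cfg; the "after" dump
# has lost the policy-route binding and the route-map that FlexConfig pushed.
write_samples() {
    cat > "$1/before.cfg" <<'EOF'
: Saved
: Written by enable_15 at 09:00:00.000 UTC Mon Jan 1 2024
!
hostname ftd-pri
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map PBR_MAP
!
route-map PBR_MAP permit 10
 match ip address PBR_ACL
 set ip next-hop 198.51.100.1
!
Cryptochecksum:0123456789abcdef
: end
EOF
    cat > "$1/after.cfg" <<'EOF'
: Saved
: Written by enable_15 at 14:30:00.000 UTC Tue Jan 2 2024
!
hostname ftd-pri
interface GigabitEthernet0/1
 nameif inside
!
Cryptochecksum:fedcba9876543210
: end
EOF
}

# Usage on a real pair of dumps (file names assumed):
#   config_diff show-run-before.txt show-run-after.txt
#   missing_lines show-run-before.txt show-run-after.txt
```

Run missing_lines first: on the constructed sample it returns the policy-route binding and the three route-map lines, and an empty result in the other direction (after vs before) tells you the upgrade added nothing unexpected. Do the same comparison again after you have re-created the config in FMC and deployed; the goal is an empty missing list.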