Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1833
Views
7
Helpful
0
Comments

Secure Firewall Upgrade Best Practice [FTD managed by FMC]

Taisuke Nakamura
Cisco Employee
Cisco Employee

‎02-26-2023 11:58 PM - edited ‎03-01-2023 03:24 AM

This document describes the Secure Firewall upgrade demo and best practices of Firewall Threat Defense (FTD) managed by Firewall Management Center (FMC).

 

Introduction and demo Video

Eng sub is available. https://youtu.be/VqLcIqkvuxk

SecFW-Upgrade.gif

 

   

Upgrade Tips and Limitations

1. Suggested "Long-term" version is better choice

Long-term and short-term releases will be released alternately every approximately six months. Star-mark "Suggested release" is stable recommended version, and you can check latest suggested release from download software site.

TaisukeNakamura_0-1677484624627.png

detail:
https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html

  

2. Up to 4 generations can be upgraded at once

FMC can typically manage FTD versions up to 4 generations old, so you can upgrade FMC and FTD up to 4 generations ahead per upgrade (e.g. 6.4 --> 7.0, 6.6 --> 7.2). Please see release note about detailed upgrade path.

 

3. CLI Reasiness Check for ver 6.x FTD-HA

Because version 6.x FTD-HA does not support GUI Readiness check, so you need to perform the "Readiness Check" from FTD CLI. At first, Access FTD CLI, then issue "expert", "sudo su -" and below command.

Format
install_update.pl --detach --readiness-check /var/sf/updates/(file name)

Exmaple
install_update.pl --detach --readiness-check /var/sf/updates/Cisco_FTD_Upgrade-7.2.2-54.sh.REL.tar

"Readiness Check" result is contained in "main_upgrade_script.log", so please check whether result is "Success", or not.

File Path
/ngfw/var/log/sf/(file name)/upgrade_readiness/main_upgrade_script.log

Example
more /ngfw/var/log/sf/Cisco_FTD_Upgrade-7.2.2/upgrade_readiness/main_upgrade_script.log

 

4. How to upgrade FMC HA

- At first, stop FMC sync between FMCs before FTD upgrade
System -> Integration -> High Availability -> Pause Synchronization

TaisukeNakamura_1-1677484647746.png

- Upgrade FMC from Standby unit, then upgrade Active unit
- Restart sync by pressing "Make-Me-Active" button
Detail:
https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/upgrade_firepower_management_centers.html#id_54076

  

5. (FPR4100/9300 only) How to upgrade FXOS

- Before FTD upgrade, FXOS upgrade is needed if FPR4100/9300 is used. You should check FXOS Compatibility release note, and check compatible recommended version (bold)
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html#id_59069

TaisukeNakamura_2-1677484666837.png

- At first, upgrade FXOS of FTD stanbdy
- Switch FTD active by Devices -- Device Management "Switch Active Peer"

TaisukeNakamura_3-1677484679055.png

- Upgrade FXOS of new FTD standby (i.e. old FTD active)
- Please check FXOS release note in detais

  
6. (FPR1000 only) Limitation of FPR1000 series upgrade from 6.4
- In case of upgrading FPR1000 from 6.4 to 6.5+, manual reload is required
- Please check the below release note in detail
https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/upgrade.html

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents