CISCO ASA 5500-X Series Upgrade The FirePOWER Module

Product Information

  • Specifications
    • Product Name: ASA FirePOWER Module
    • Management Options: ASDM or Firepower Management Center
    • Supported Devices: ASA 5500-X series
    • Supported Versions: 6.1.0 through 6.3.0.x
    • Upgrade Package Format: .sh.REL.tar (signed)

Product Usage Instructions

  • Upgrade an ASA FirePOWER Module with ASDM
    • Download the upgrade package from Cisco.com. For major versions, download directly from the Cisco Support & Download site. Note: Do not untar signed upgrade packages.
    • (Upgrading to Version 6.1.0 through 6.3.0.x) Disable the ASA REST API using the CLI on the ASA: no rest-api agent
    • Upload the upgrade package to the ASA FirePOWER module using ASDM.
    • Choose Monitoring > ASA FirePOWER Monitoring > Task Status to ensure essential tasks are complete.
    • Go to Configuration > ASA FirePOWER Configuration > Updates.
    • Click the Install icon next to the uploaded upgrade package and confirm the upgrade and module reboot.
    • Monitor the upgrade progress on the Task Status page.
    • Do not make configuration changes or manually reboot the module during the upgrade process.
  • Upgrade the Firepower Management Center
    • Prior to upgrading the ASA FirePOWER module, upgrade the Firepower Management Center.
    • Download the upgrade package for the Management Center from Cisco.com.
    • Upload the upgrade package to the Management Center.
    • Choose Monitoring > ASA FirePOWER Monitoring > Task Status to ensure essential tasks are complete.
    • Go to Configuration > ASA FirePOWER Configuration > Updates.
    • Click the Install icon next to the uploaded upgrade package and confirm the upgrade and reboot of the Management Center.
    • Monitor the upgrade progress on the Task Status page.
    • Do not make configuration changes to the Management Center while it is upgrading.
  • Frequently Asked Questions (FAQ)
    • Q: What devices are supported by the ASA FirePOWER Module?
    • A: The ASA FirePOWER Module supports ASA 5500-X series devices.
    • Q: How should I download the upgrade package?
    • A: For major versions, download directly from the Cisco Support & Download site. Do not transfer the package by email as it may become corrupted.
    • Q: Can I restart the upgrade process if it appears inactive during prechecks?
    • A: No, do not restart the upgrade process. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.
    • Q: Can I make configuration changes to the module while it is upgrading?
    • A: No, do not make configuration changes to the module while it is upgrading. Even if the upgrade status shows no progress or indicates a failed upgrade, do not restart the upgrade or reboot the module. Instead, contact Cisco TAC.

Traffic Flow and Inspection

Interruptions in traffic flow and inspection can occur when you:

  • Reboot a device.
  • Upgrade the device software, operating system, or virtual hosting environment.
  • Uninstall or revert the device software.
  • Move a device between domains.
  • Deploy configuration changes (Snort process restarts).

Device type, high availability/scalability configurations, and interface configurations determine the nature of the interruptions. We strongly recommend performing these tasks in a maintenance window or at a time when any interruption will have the least impact on your deployment.

Upgrade an ASA FirePOWER Module with ASDM

  • Use the following procedure to upgrade ASA FirePOWER modules managed by ASDM.

Caution: Do not make configuration changes, manually reboot, or shut down an upgrading module. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Procedure

  • Step 1:
    • Make sure you are running a supported version of ASA.
      There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest supported version. See the ASA upgrade procedures for standalone, failover, and clustering scenarios for when to upgrade the ASA FirePOWER module in the sequence. Even if you are not upgrading the ASA software, you should still refer to the ASA failover and clustering upgrade procedures so you can perform a failover or disable clustering on a unit before the module upgrade to avoid traffic loss. For example, in a cluster, you should upgrade each secondary unit serially (which involves disabling clustering, upgrading the module, then reenabling clustering), and then upgrade the primary unit.
  • Step 2
    • Download the upgrade package from Cisco.com.
    • For major versions:
      • Upgrading to Version 6.0 through 6.2.2 — Cisco_Network_Sensor_Upgrade-[version]-[build].sh
      • Upgrading to Version 6.2.3+ — Cisco_Network_Sensor_Upgrade-[version]-[build].sh.REL.tar
    • For patches:
      • Upgrading to 5.4.1.x through 6.2.1.x — Cisco_Network_Sensor_Patch-[version]-[build].sh
      • Upgrading to Version 6.2.2.1+ — Cisco_Network_Sensor_Patch-[version]-[build].sh.REL.tar
    • Download directly from the Cisco Support & Download site. If you transfer a package by email, it may become corrupted. Note that upgrade packages from Version 6.2.2+ are signed, and terminate in .sh.REL.tar instead of just .sh. Do not untar signed upgrade packages.
  • Step 3
    • Connect to the ASA with ASDM and upload the upgrade package.
      • a) Choose Configuration > ASA FirePOWER Configuration > Updates.
      • b) Click Upload Update.
      • c) Click Choose File to navigate to and choose the update.
      • d) Click Upload.
  • Step 4
    • Deploy pending configuration changes. Otherwise, the upgrade may fail.
    • When you deploy, resource demands may result in a small number of packets dropping without inspection.
    • Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending on how your device handles traffic, may interrupt traffic until the restart completes. For more information, see Traffic Flow and Inspection.
  • Step 5
    • (Upgrading to Version 6.1.0 through 6.3.0.x) Disable the ASA REST API.
    • If you do not disable the REST API, the upgrade will fail. Note that ASA 5506-X series devices do not support the ASA REST API if you are also running Version 6.0+ of the ASA FirePOWER module.
    • Use the CLI on the ASA to disable the REST API with the command no rest-api agent. You can reenable it after the upgrade with rest-api agent.
  • Step 6
    • Choose Monitoring > ASA FirePOWER Monitoring > Task Status to make sure essential tasks are complete.
    • Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.
  • Step 7
    • Choose Configuration > ASA FirePOWER Configuration > Updates.
  • Step 8
    • Click the Install icon next to the upgrade package you uploaded, then confirm that you want to upgrade and reboot the module.
    • Traffic either drops throughout the upgrade or traverses the network without inspection, depending on how the module is configured. For more information, see Traffic Flow and Inspection.
  • Step 9
    • Monitor upgrade progress on the Task Status page.
    • Do not make configuration changes to the module while it is upgrading.
    • Even if the upgrade status shows no progress for several minutes or indicates that the upgrade has failed, do not restart the upgrade or reboot the module. Instead, contact Cisco TAC.
  • Step 10
    • After the upgrade finishes, reconnect ASDM to the ASA.
  • Step 11
    • Choose Configuration > ASA FirePOWER Configuration and click Refresh. Otherwise, the interface may exhibit unexpected behavior.
  • Step 12
    • Choose Configuration > ASA FirePOWER Configuration > System Information and confirm that the module has the correct software version.
  • Step 13
    • If the intrusion rule update or the vulnerability database (VDB) available on the Support site is newer than the version currently running, install the newer version.
  • Step 14
    • Complete any post-upgrade configuration changes described in the release notes.
  • Step 15
    • Redeploy configurations.
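As an added pre-flight helper (not part of the Cisco document), the Python below encodes the package naming rules from Step 2 and the REST API requirement from Step 5, so an operator can check a downloaded file against the intended target version before uploading it in Step 3. Classifying a version as a patch by its number of components, and the sample filenames and build numbers used to exercise it, are assumptions.

```python
import re
from typing import NamedTuple

# Package filename conventions documented in Step 2 of this procedure:
#   Cisco_Network_Sensor_Upgrade-<version>-<build>.sh[.REL.tar]  major releases
#   Cisco_Network_Sensor_Patch-<version>-<build>.sh[.REL.tar]    patches
PKG_RE = re.compile(
    r"^Cisco_Network_Sensor_(?P<kind>Upgrade|Patch)-"
    r"(?P<version>\d+(?:\.\d+)+)-(?P<build>\d+)\.sh(?P<signed>\.REL\.tar)?$"
)

class Preflight(NamedTuple):
    ok: bool                 # no mismatch between the filename and the target version
    signed: bool             # package ends in .sh.REL.tar (upload as-is, never untar)
    disable_rest_api: bool   # 'no rest-api agent' must be run on the ASA first
    notes: tuple             # problems first, then reminders, in the order found

def parse_version(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))

def is_patch(version: str) -> bool:
    # Assumption: four-component versions (6.2.2.1) are patches; two- or
    # three-component versions (6.0, 6.2.3) are major releases.
    return len(parse_version(version)) >= 4

def expects_signed_package(version: str) -> bool:
    # Majors 6.2.3+ and patches 6.2.2.1+ ship as signed .sh.REL.tar files.
    v = parse_version(version)
    return v >= (6, 2, 2, 1) if is_patch(version) else v >= (6, 2, 3)

def rest_api_must_be_disabled(version: str) -> bool:
    # Step 5: upgrades to 6.1.0 through 6.3.0.x fail unless the REST API is off.
    return (6, 1, 0) <= parse_version(version)[:3] <= (6, 3, 0)

def preflight(filename: str, target_version: str) -> Preflight:
    m = PKG_RE.match(filename)
    if not m:
        return Preflight(False, False, False, ("filename does not match the documented package pattern",))
    problems = []
    if m["version"] != target_version:
        problems.append(f"package is for {m['version']}, not the intended {target_version}")
    want_kind = "Patch" if is_patch(target_version) else "Upgrade"
    if m["kind"] != want_kind:
        problems.append(f"a {want_kind} package is expected for {target_version}")
    signed = m["signed"] is not None
    if signed != expects_signed_package(target_version):
        problems.append("suffix does not match the signed/unsigned convention for this version")
    reminders = []
    if signed:
        reminders.append("signed package: upload the .sh.REL.tar as-is, do not untar it")
    disable = rest_api_must_be_disabled(target_version)
    if disable:
        reminders.append("run 'no rest-api agent' on the ASA before Step 8; 'rest-api agent' re-enables it")
    return Preflight(not problems, signed, disable, tuple(problems + reminders))
```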

Firepower Management Center

Upgrade the Firepower Management Center

  • If you manage the ASA FirePOWER module using the Firepower Management Center, then you need to upgrade the Management Center before you upgrade the module.

Upgrade a Standalone Secure Firewall Management Center

  • Use this procedure to upgrade a standalone Secure Firewall Management Center, including Secure Firewall Management Center Virtual.

Caution: Do not make or deploy configuration changes, manually reboot, or shut down while you are upgrading the FMC. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin

Complete the pre-upgrade checklist. Make sure the appliances in your deployment are healthy and successfully communicating.

  • Step 1 Choose System > Updates.
  • Step 2 Click the Install icon next to the upgrade package you want to use, then choose the FMC.
  • Step 3 Click Install to begin the upgrade. Confirm that you want to upgrade and reboot.
  • Step 4 Monitor precheck progress until you are logged out. Do not make configuration changes during this time.
  • Step 5 Log back in when you can.
    • Minor upgrades (patches and hotfixes): You can log in after the upgrade and reboot are completed.
    • Major and maintenance upgrades: You can log in before the upgrade is completed.
    • The system displays a page you can use to monitor the upgrade’s progress and view the upgrade log and any error messages. You are logged out again when the upgrade is completed and the system reboots. After the reboot, log back in again.
  • Step 6 If prompted, review and accept the End User License Agreement (EULA).
  • Step 7 Verify upgrade success. If the system does not notify you of the upgrade’s success when you log in, choose Help > About to display current software version information.
  • Step 8 Update intrusion rules (SRU/LSP) and the vulnerability database (VDB). If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.
  • Step 9 Complete any post-upgrade configuration changes described in the release notes.
  • Step 10 Redeploy configurations. Redeploy to all managed devices. If you do not deploy to a device, its eventual upgrade may fail and you may have to reimage it.

Upgrade High Availability Firepower Management Centers

  • Use this procedure to upgrade the Firepower software on FMCs in a high-availability pair.
  • You upgrade peers one at a time. With synchronization paused, first, upgrade the standby, then the active.
  • When the standby starts prechecks, its status switches from standby to active, so that both peers are active.
  • This temporary state is called split-brain and is not supported except during upgrades.
  • Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization.

Caution: Do not make or deploy configuration changes, manually reboot, or shut down while you are upgrading the FMC. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin

Complete the pre-upgrade checklist for both peers. Make sure the appliances in your deployment are healthy and successfully communicating.

  • Step 1 Pause synchronization.
    • a) Choose System > Integration.
    • b) On the High Availability tab, click Pause Synchronization.
  • Step 2 Upload the upgrade package to the standby.
    • In FMC high availability deployments, you must upload the FMC upgrade package to both peers, pausing synchronization before you transfer the package to the standby.
    • To limit interruptions to HA synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization.
  • Step 3 Upgrade peers one at a time — first the standby, then the active.
    • Follow the instructions in Upgrade a Standalone Secure Firewall Management Center, stopping after you verify update success on each peer. In summary, for each peer:
      • a) On the System > Updates page, install the upgrade.
      • b) Monitor progress until you are logged out, then log back in when you can (this happens twice for major upgrades).
      • c) Verify upgrade success. Do not make or deploy configuration changes while the pair is split-brain.
  • Step 4 Restart synchronization.
    • a) Log into the FMC that you want to make the active peer.
    • b) Choose System > Integration.
    • c) On the High Availability tab, click Make-Me-Active.
    • d) Wait until synchronization restarts and the other FMC switches to standby mode.
  • Step 5 Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).
    • If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.
  • Step 6 Complete any post-upgrade configuration changes described in the release notes.
  • Step 7 Redeploy configurations. Redeploy to all managed devices. If you do not deploy to a device, its eventual upgrade may fail and you may have to reimage it.

Upgrade an ASA FirePOWER Module with FMC

  • Use this procedure to upgrade an ASA FirePOWER module managed by an FMC. When you upgrade the module depends on whether you are upgrading ASA, and on your ASA deployment.
  • Standalone ASA devices: If you are also upgrading ASA, upgrade the ASA FirePOWER module just after you upgrade ASA and reload.
  • ASA clusters and failover pairs: To avoid interruptions in traffic flow and inspection, fully upgrade these devices one at a time. If you are also upgrading ASA, upgrade the ASA FirePOWER module just before you reload each unit to upgrade ASA.
  • For more information, see Upgrade Path: ASA FirePOWER with FMC and the ASA upgrade procedures.

Before you begin

Complete the pre-upgrade checklist. Make sure the appliances in your deployment are healthy and successfully communicating.

  • Step 1 Choose System > Updates.
  • Step 2 Click the Install icon next to the upgrade package you want to use and choose the devices to upgrade. If the devices you want to upgrade are not listed, you chose the wrong upgrade package.
  • Note: We strongly recommend upgrading no more than five devices simultaneously from the System Update page. You cannot stop the upgrade until all selected devices complete the process. If there is an issue with any one device upgrade, all devices must finish upgrading before you can resolve the issue.
  • Step 3 Click Install, then confirm that you want to upgrade and reboot the devices. Traffic either drops throughout the upgrade or traverses the network without inspection depending on how your devices are configured and deployed. For more information, see the Upgrade the Software chapter in the Cisco Firepower Release Notes for your target version.
  • Step 4 Monitor upgrade progress.
  • Caution: Do not deploy changes to, manually reboot, or shut down an upgrading device. Do not restart a device upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.
  • Step 5 Verify upgrade success. After the upgrade completes, choose Devices > Device Management and confirm that the devices you upgraded have the correct software version.
  • Step 6 Update intrusion rules (SRU/LSP) and the vulnerability database (VDB). If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.
  • Step 7 Complete any post-upgrade configuration changes described in the release notes.
  • Step 8 Redeploy configurations to the devices you just upgraded.

Upgrade the ASA FirePOWER Module

This document describes how to upgrade the ASA FirePOWER module using ASDM or the management center, depending on your management choice. Refer to Upgrade the ASA to determine when you should perform the FirePOWER upgrade in a standalone, failover, or clustering scenario.

Documents / Resources

CISCO ASA 5500-X Series Upgrade The FirePOWER Module [pdf] User Guide