Upgrading Cisco Firepower Management Center (FMC) can significantly enhance your network security capabilities. Whether you’re looking to patch vulnerabilities, gain new features, or improve performance, here’s a simple guide to help you through the upgrade process. Careful planning and preparation can help you avoid missteps. This table summarizes the upgrade planning process.
Planning Phase | Includes |
---|---|
Backups | Perform FMC and managed FTD backups. Taking a backup both before and after the upgrade is recommended. System > Tools > Backup/Restore > Managed device backup > select device > start backup |
Upload Packages | Upgrade packages are available on the Cisco Support & Download site. Upload the FMC upgrade image and run a readiness check. System > Updates > Upload update. In FMC high availability deployments, you must upload the FMC upgrade package to both peers, pausing synchronization before you transfer the package to the standby. To limit interruptions to HA synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization. |
Associated Upgrades | Because operating system and hosting environment upgrades can affect traffic flow and inspection, perform them in a maintenance window. If needed, upgrade the hosting environment. If this is required, it is usually because you are running an older version of VMware and are performing a major FMC upgrade. |
Final Checks | Check upgrade path: https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/planning.html#id_91137. Check configurations: Make sure you have made any required pre-upgrade configuration changes, and are prepared to make required post-upgrade configuration changes. Check NTP synchronization: Make sure all appliances are synchronized with any NTP server you are using to serve time. Being out of sync can cause upgrade failure. In FMC deployments, the health monitor does alert if clocks are out of sync by more than 10 seconds, but you should still check manually. To check time on the FMC, choose System > Configuration > Time. Check disk space: Run a disk space check for the software upgrade (System > Monitoring > Statistics). Without enough free disk space, the upgrade fails. Deploy configurations: Deploying configurations before you upgrade reduces the chance of failure (Deploy > Deployment > select device > Deploy). In some deployments, you may be blocked from upgrade if you have out-of-date configurations. In FMC high availability deployments, you only need to deploy from the active peer. Run readiness checks: If your FMC is running Version 6.1.0+, we recommend compatibility and readiness checks. These checks assess your preparedness for a software upgrade. Check running tasks: Make sure essential tasks are complete before you upgrade, including the final deploy. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. |
➡️ Steps to upgrade High Availability Firepower Management Centers
Use this procedure to upgrade the Firepower software on FMCs in a high availability pair.
You upgrade peers one at a time. With synchronization paused, first upgrade the standby, then the active. When the standby starts prechecks, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade. Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization.
Step 1: Pause synchronization.
a) Choose System > Integration.
b) On the High Availability tab, click Pause Synchronization.
Step 2: Upload the upgrade package to the standby.
In FMC high availability deployments, you must upload the FMC upgrade package to both peers, pausing synchronization before you transfer the package to the standby. To limit interruptions to HA synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization.
a) Download the upgrade package from the Cisco Support & Download site: https://www.cisco.com/go/firepower-software
b) On the FMC, choose System > Updates.
c) Click Upload Update.
d) For the Action, click the Upload local software update package radio button.
e) Click Choose File.
f) Browse to the package and click Upload.
Step 3: Run Readiness Checks for FMC
Use this procedure to run FMC readiness checks. Readiness checks assess preparedness for major and maintenance upgrades. If you fail readiness checks, you cannot upgrade until you correct the issues. The time required to run a readiness check varies depending on model and database size. Do not manually reboot or shut down during readiness checks.
a) On FMC, choose System > Updates.
b) Under available updates, click the install icon next to the upgrade package, then choose the FMC.
c) Click Check Readiness.
Step 4: Initiate Upgrade
Upgrade peers one at a time: first the standby, then the active.
a) On the System > Updates page, install the upgrade.
b) Confirm that you want to upgrade and reboot.
c) Monitor progress until you are logged out, then log back in when you can (this may happen twice).
d) Verify upgrade success.
On the FMC you want to make the active peer, restart synchronization.
a) Choose System > Integration.
b) On the High Availability tab, click Make-Me-Active.
c) Wait until synchronization restarts and the other FMC switches to standby mode.
Step 5: Update intrusion rules and vulnerability database.
Step 6: Deploy the post-upgrade policy to the FMC.
Step 7: Deploy the post-upgrade policy to the FTD HA.
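The ordering rules in this procedure (pause synchronization before touching the standby, standby before active, no configuration changes or deploys during split-brain) can be checked against a planned runbook before the maintenance window. The Python below is an added example, not Cisco tooling or part of the original guide; the action names and sample plans are hypothetical, and it assumes split-brain begins when the first upgrade starts with synchronization paused.

```python
# Added example: lint a planned FMC HA upgrade runbook against the ordering
# rules in the procedure above. Action and peer labels are hypothetical.
def lint_runbook(steps):
    """steps: list of (action, peer); peer is 'standby', 'active' or None.
    Returns a list of violations; an empty list means the order is consistent."""
    problems = []
    sync_paused = split_brain = False
    uploaded, ready, upgraded = set(), set(), set()
    for n, (action, peer) in enumerate(steps, 1):
        if action == "pause_sync":
            sync_paused = True
        elif action == "upload":
            if peer == "standby" and not sync_paused:
                problems.append(f"step {n}: upload to standby before sync is paused")
            uploaded.add(peer)
        elif action == "readiness_check":
            if peer not in uploaded:
                problems.append(f"step {n}: readiness check on {peer} without a package")
            ready.add(peer)
        elif action == "upgrade":
            if not sync_paused:
                problems.append(f"step {n}: upgrade of {peer} with sync not paused")
            if peer not in ready:
                problems.append(f"step {n}: upgrade of {peer} without a readiness check")
            if peer == "active" and "standby" not in upgraded:
                problems.append(f"step {n}: active upgraded before standby")
            upgraded.add(peer)
            split_brain = split_brain or sync_paused  # assumption: starts with first upgrade
        elif action in ("config_change", "deploy"):
            if split_brain:
                problems.append(f"step {n}: {action} during split-brain is lost on resync")
        elif action == "make_me_active":
            if upgraded != {"standby", "active"}:
                problems.append(f"step {n}: sync restarted before both peers are upgraded")
            sync_paused = split_brain = False
        else:
            problems.append(f"step {n}: unknown action {action!r}")
    if sync_paused:
        problems.append("plan ends with synchronization still paused")
    return problems

# Constructed sample plans (not taken from a real change record).
GOOD_PLAN = [("upload", "active"), ("pause_sync", None), ("upload", "standby"),
             ("readiness_check", "standby"), ("upgrade", "standby"),
             ("readiness_check", "active"), ("upgrade", "active"),
             ("make_me_active", "active"), ("deploy", None)]
BAD_PLAN = [("upload", "standby"), ("pause_sync", None), ("readiness_check", "standby"),
            ("upgrade", "standby"), ("deploy", None), ("upgrade", "active"),
            ("make_me_active", "active")]
```

`lint_runbook(GOOD_PLAN)` returns an empty list, while `BAD_PLAN` is flagged for the early standby upload, the deploy during split-brain, and the active upgrade without a readiness check.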
Upgrading Cisco FMC is a manageable process with proper planning and execution. Following this guide ensures that you maintain network security while leveraging the latest enhancements and features Cisco has to offer. Remember, regular upgrades keep your network resilient against new threats and help you make the most of your Cisco investment.