Upgrade the Firepower 4100/9300 Chassis

For the Firepower 4100/9300, major versions require a FXOS upgrade. You should also check for firmware upgrades.

Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the chassis, then devices again. Or, perform a full reimage. In high availability or clustered deployments, upgrade one chassis at a time.

Upgrade FXOS with Chassis Manager

Upgrade FXOS for Standalone FTD Logical Devices or an FTD Intra-chassis Cluster Using Firepower Chassis Manager

This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.

The section describes the upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD logical devices that are not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with FTD logical devices in an intra-chassis cluster.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure

Step 1

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 2

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 3

After the new platform bundle image has been successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 4

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 5

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 6

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Upgrade FXOS on an FTD Inter-chassis Cluster Using Firepower Chassis Manager

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as an inter-chassis cluster, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure

Step 1

Enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the control unit).

  2. Enter top .

  3. Enter scope ssa .

  4. Enter show slot .

  5. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  6. Enter show app-instance .

  7. Verify that the Oper State is Online and that the Cluster State is In Cluster for any logical devices installed on the chassis. Also verify that the correct FTD software version is shown as the Running Version.

    Important

     

    Verify that the control unit is not on this chassis. There should not be any Firepower Threat Defense instance with Cluster Role set to Master.

  8. For any security modules installed on a Firepower 9300 appliance or for the security engine on a Firepower 4100 series appliance, verify that the FXOS version is correct:

    scope server 1/slot_id , where slot_id is 1 for a Firepower 4100 series security engine.

    show version .

Step 2

Connect to Firepower Chassis Manager on Chassis #2 (this should be a chassis that does not have the control unit).

Step 3

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 4

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 5

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 6

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 7

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

  4. Enter top .

  5. Enter scope ssa .

  6. Enter show slot .

  7. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  8. Enter show app-instance .

  9. Verify that the Oper State is Online, that the Cluster State is In Cluster and that the Cluster Role is Slave for any logical devices installed on the chassis.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #
FP9300-A /system # top
FP9300-A# scope ssa
FP9300-A /ssa # show slot

Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
FP9300-A /ssa #

FP9300-A /ssa # show app-instance
App Name   Slot ID    Admin State Oper State       Running Version Startup Version Profile Name Cluster State   Cluster Role
---------- ---------- ----------- ---------------- --------------- --------------- ------------ --------------- ------------
ftd        1          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        2          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        3          Disabled    Not Available                    6.2.2.81                     Not Applicable  None
FP9300-A /ssa #

Step 8

Set one of the security modules on Chassis #2 as control.

After setting one of the security modules on Chassis #2 to control, Chassis #1 no longer contains the control unit and can now be upgraded.

Step 9

Repeat Steps 1-7 for all other Chassis in the cluster.

Step 10

To return the control role to Chassis #1, set one of the security modules on Chassis #1 as control.

Upgrade FXOS on an FTD High Availability Pair Using Firepower Chassis Manager

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure

Step 1

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 3

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 4

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 5

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 6

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 7

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 8

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 9

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 10

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 11

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 12

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 13

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components. The upgrade process can take up to 30 minutes to complete.

Step 14

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 15

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 16

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Upgrade FXOS with the CLI

Upgrade FXOS for Standalone FTD Logical Devices or an FTD Intra-chassis Cluster Using the FXOS CLI

This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.

The section describes the FXOS upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD devices that are not part of a failover pair or inter-chassis cluster.

  • A Firepower 9300 chassis that is configured with FTD logical devices in an intra-chassis cluster.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure

Step 1

Connect to the FXOS CLI.

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Upgrade FXOS on an FTD Inter-chassis Cluster Using the FXOS CLI

If you have Firepower 9300 or Firepower 4100 series security appliances with FTD logical devices configured as an inter-chassis cluster, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure

Step 1

Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the control unit).

Step 2

Enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online and that the Cluster State is In Cluster for any logical devices installed on the chassis. Also verify that the correct FTD software version is shown as the Running Version.

    Important

     

    Verify that the control unit is not on this chassis. There should not be any Firepower Threat Defense instance with Cluster Role set to Master.

  7. For any security modules installed on a Firepower 9300 appliance or for the security engine on a Firepower 4100 series appliance, verify that the FXOS version is correct:

    scope server 1/slot_id , where slot_id is 1 for a Firepower 4100 series security engine.

    show version .

Step 3

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter top .

  2. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  3. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  4. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 4

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 5

Enter auto-install mode:

Firepower-chassis /firmware # scope auto-install

Step 6

Install the FXOS platform bundle:

Firepower-chassis /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing—for example, 2.3(1.58).

Step 7

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 8

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 9

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

  4. Enter top .

  5. Enter scope ssa .

  6. Enter show slot .

  7. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  8. Enter show app-instance .

  9. Verify that the Oper State is Online, that the Cluster State is In Cluster and that the Cluster Role is Slave for any logical devices installed on the chassis.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #
FP9300-A /system # top
FP9300-A# scope ssa
FP9300-A /ssa # show slot

Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
FP9300-A /ssa #

FP9300-A /ssa # show app-instance
App Name   Slot ID    Admin State Oper State       Running Version Startup Version Profile Name Cluster State   Cluster Role
---------- ---------- ----------- ---------------- --------------- --------------- ------------ --------------- ------------
ftd        1          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        2          Enabled     Online           6.2.2.81        6.2.2.81                     In Cluster      Slave
ftd        3          Disabled    Not Available                    6.2.2.81                     Not Applicable  None
FP9300-A /ssa #

Step 10

Set one of the security modules on Chassis #2 as control.

After setting one of the security modules on Chassis #2 to control, Chassis #1 no longer contains the control unit and can now be upgraded.

Step 11

Repeat Steps 1-9 for all other Chassis in the cluster.

Step 12

To return the control role to Chassis #1, set one of the security modules on Chassis #1 as control.

Upgrade FXOS on an FTD High Availability Pair Using the FXOS CLI

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure

Step 1

Connect to FXOS CLI on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 10

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 11

Connect to FXOS CLI on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 12

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 13

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 14

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 15

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 16

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 17

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 18

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 19

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 20

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.