Upgrade the Management Center

This chapter explains how to upgrade a customer-deployed management center that is currently running Version 7.3.

If you are using the cloud-delivered Firewall Management Center, you do not need this chapter because we take care of management center feature updates. Upgrade your devices using the latest released version of the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center.

Upgrade Checklist for Management Center

Planning and Feasibility

Careful planning and preparation can help you avoid missteps.

Action/Check

Details

Assess your deployment.

Understanding where you are determines how you get to where you want to go. In addition to current version and model information, determine if your deployment is configured for high availability/scalability, if your devices are deployed as an IPS or as firewalls, and so on.

Plan your upgrade path.

This is especially important for large deployments, multi-hop upgrades, and situations where you need to upgrade operating systems or hosting environments. Upgrades can be major (A.x), maintenance (A.x.y), or patch (A.x.y.z) releases. See:

Read upgrade guidelines and plan configuration changes.

Especially with major upgrades, upgrading may cause or require significant configuration changes either before or after upgrade. Start with these:

Check bandwidth.

Make sure your management network has the bandwidth to perform large data transfers. Whenever possible, upload upgrade packages ahead of time.

Schedule maintenance windows.

Schedule maintenance windows when they will have the least impact, especially considering the time the upgrade is likely to take. Consider the tasks you must perform in the window, and those you can perform ahead of time.

See Time and Disk Space Tests.

Backups

With the exception of hotfixes, upgrade deletes all backups stored on the system. We strongly recommend you back up to a secure remote location and verify transfer success, both before and after upgrade:

  • Before upgrade: If an upgrade fails catastrophically, you may have to reimage and restore. Reimaging returns most settings to factory defaults, including the system password. If you have a recent backup, you can return to normal operations more quickly.

  • After upgrade: This creates a snapshot of your freshly upgraded deployment. Back up the management center after you upgrade its managed devices, so your new management center backup file 'knows' that its devices have been upgraded.

Action/Check

Details

Back up configurations and events.

See the Backup/Restore chapter in the Cisco Secure Firewall Management Center Administration Guide.

Upgrade Packages

Uploading upgrade packages to the system before you begin upgrade can reduce the length of your maintenance window.

Action/Check

Details

Download the upgrade package from Cisco and upload it to the management center.

Upgrade packages are available on the Cisco Support & Download site. You may also be able to use the management center to perform a direct download.

For management center high availability, you must upload the management center upgrade package to both peers, pausing synchronization before you transfer the package to the standby. To limit interruptions to synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization.

See Upload Upgrade Packages for Management Center.

Associated Upgrades

We recommend you perform hosting environment upgrades in a maintenance window.

Action/Check

Details

Upgrade virtual hosting.

If needed, upgrade the hosting environment. If this is required, it is usually because you are running an older version of VMware and are performing a major upgrade.

Final Checks

A set of final checks ensures you are ready to upgrade the software.

Action/Check

Details

Check configurations.

Make sure you have made any required pre-upgrade configuration changes, and are prepared to make required post-upgrade configuration changes.

Check NTP synchronization.

Make sure all appliances are synchronized with any NTP server you are using to serve time. Although the health monitor alerts if clocks are out of sync by more than 10 seconds, you should still check manually. Being out of sync can cause upgrade failure.

To check time:

  • Management Center: Choose System (system gear icon) > Configuration > Time.

  • Threat Defense: Use the show time CLI command.

Deploy configurations.

Deploying configurations before you upgrade reduces the chance of failure. Deploying can affect traffic flow and inspection; see Traffic Flow and Inspection for Threat Defense Upgrades.

Run readiness checks.

Passing readiness checks reduces the chance of upgrade failure.

See Run Readiness Checks for Management Center.

Check disk space.

Readiness checks include a disk space check. Without enough free disk space, the upgrade fails.

To check the disk space available on the management center, choose System (system gear icon) > Monitoring > Statistics and select the management center. Under Disk Usage, expand the By Partition details.

Check running tasks.

Make sure essential tasks are complete, including the final deploy. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.

Upgrades automatically postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot. If you do not want this to happen, check for tasks that are scheduled to run during the upgrade and cancel or postpone them.

Upgrade Path for Management Center

This table provides the upgrade path for customer-deployed management centers.

Remember that a customer-deployed management center must run the same or newer version as its managed devices. You cannot upgrade a device past the management center. Even for maintenance (third-digit) releases, you must upgrade the management center first.

Note that if your current threat defense/management center version was released on a date after your target version, you may not be able to upgrade as expected. In those cases, the upgrade quickly fails and displays an error explaining that there are datastore incompatibilities between the two versions. The release notes for both your current and target version list any specific restrictions.

Table 1. Management Center Direct Upgrades

Current Version

Target Version

7.4

→ Any later 7.4.x release

7.3

Any of:

→ 7.4.x

→ Any later 7.3.x release

7.2

Any of:

→ 7.4.x

→ 7.3.x

→ Any later 7.2.x release

7.1

Any of:

→ 7.4.x

→ 7.3.x

→ 7.2.x

→ Any later 7.1.x release

7.0

Last support for FMC 1000, 2500, and 4500.

Any of:

→ 7.4.x

→ 7.3.x

→ 7.2.x

→ 7.1.x

→ Any later 7.0.x release

Note: Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. We recommend you upgrade directly to Version 7.2+.

6.7

Any of:

→ 7.2.x

→ 7.1.x

→ 7.0.x

→ Any later 6.7.x release

6.6

Last support for FMC 2000 and 4000.

Any of:

→ 7.2.x

→ 7.1.x

→ 7.0.x

→ 6.7.x

→ Any later 6.6.x release

Note: Due to datastore incompatibilities, you cannot upgrade the FMC from Version 6.6.5+ to Version 6.7.0. We recommend you upgrade directly to Version 7.0+.

6.5

Any of:

→ 7.1.x

→ 7.0.x

→ 6.7.x

→ 6.6.x

6.4

Last support for FMC 750, 1500, and 3500.

Any of:

→ 7.0.x

→ 6.7.x

→ 6.6.x

→ 6.5

6.3

Any of:

→ 6.7.x

→ 6.6.x

→ 6.5

→ 6.4

6.2.3

Any of:

→ 6.6.x

→ 6.5

→ 6.4

→ 6.3

Upload Upgrade Packages for Management Center

Use this procedure to manually upload upgrade packages to the management center.

Tip: Select upgrade packages become available for direct download some time after the release is available for manual download. The length of the delay depends on release type, release adoption, and other factors. If the management center has internet access, you can click the Download Updates button to immediately download the latest VDB, latest maintenance release, and the latest critical patches for the management center and all managed devices.

Upgrade packages are signed tar archives (.tar). After you upload a signed package, the System Updates page on the management center can take extra time to load as the package is verified. To speed up the display, delete unneeded upgrade packages. Do not untar signed packages.

Before you begin

If you are upgrading the standby management center in a high availability pair, pause synchronization.

For management center high availability, you must upload the management center upgrade package to both peers, pausing synchronization before you transfer the package to the standby. To limit interruptions to synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization.

Procedure

Step 1

Download the upgrade package from the Cisco Support & Download site: https://www.cisco.com/go/firepower-software.

You use the same software upgrade package for all models in a family or series. To find the correct one, select or search for your model, then browse to the software download page for the appropriate version. Available upgrade packages are listed along with installation packages, hotfixes, and other applicable downloads.

Upgrade package file names reflect the platform, package type (upgrade, patch, hotfix), software version, and build, like this:

Cisco_Secure_FW_Mgmt_Center_Upgrade-7.3-999.sh.REL.tar

Step 2

On the management center, choose System (system gear icon) > Updates.

Step 3

Click Upload Update.

Step 4

For the Action, click the Upload local software update package radio button.

Step 5

Click Choose File.

Step 6

Browse to the package and click Upload.

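To make Table 1 and its two datastore notes checkable, and to tie them to the package file-name layout shown in Step 1 of this procedure, here is an added Python example (not Cisco code and not part of this guide). It encodes the table's rows, rejects the 7.0.4+ to 7.1.0 and 6.6.5+ to 6.7.0 hops, and parses a package name like the one shown; the Patch and Hotfix spellings in the file-name pattern are an assumption, since the page shows only an Upgrade package.

```python
import re

# Table 1 (Management Center Direct Upgrades), keyed by the current version's row.
DIRECT_TARGETS = {
    "7.4": set(), "7.3": {"7.4"}, "7.2": {"7.4", "7.3"},
    "7.1": {"7.4", "7.3", "7.2"}, "7.0": {"7.4", "7.3", "7.2", "7.1"},
    "6.7": {"7.2", "7.1", "7.0"}, "6.6": {"7.2", "7.1", "7.0", "6.7"},
    "6.5": {"7.1", "7.0", "6.7", "6.6"}, "6.4": {"7.0", "6.7", "6.6", "6.5"},
    "6.3": {"6.7", "6.6", "6.5", "6.4"}, "6.2.3": {"6.6", "6.5", "6.4", "6.3"},
}
# Rows that also allow "any later A.x.y release" within the same train.
LATER_IN_TRAIN = {"7.4", "7.3", "7.2", "7.1", "7.0", "6.7", "6.6"}
# Package name layout from the page: <platform>_<type>-<version>-<build>.sh.REL.tar
# (the Patch/Hotfix type spellings are an assumption; the page shows only Upgrade).
PACKAGE_RE = re.compile(r"^(?P<platform>[A-Za-z_]+?)_(?P<type>Upgrade|Patch|Hotfix)-"
                        r"(?P<version>\d+(?:\.\d+)+)-(?P<build>\d+)\.sh\.REL\.tar$")

def parse_version(text):
    """'7.3' -> (7, 3, 0): padded to three parts so 7.3 compares equal to 7.3.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def train(v):
    # Row key in Table 1: 'A.x', except for the single 6.2.3 row.
    return "6.2.3" if v[:3] == (6, 2, 3) else f"{v[0]}.{v[1]}"

def direct_upgrade_allowed(current, target):
    """Return (allowed, reason) for a single-hop management center upgrade."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        return False, "target is not newer than the current version"
    # Datastore-incompatibility notes attached to the 7.0 and 6.6 rows.
    if cur >= (7, 0, 4) and tgt[:3] == (7, 1, 0):
        return False, "7.0.4+ cannot go to 7.1.0; upgrade directly to 7.2+"
    if (6, 6, 5) <= cur < (6, 7, 0) and tgt[:3] == (6, 7, 0):
        return False, "6.6.5+ cannot go to 6.7.0; upgrade directly to 7.0+"
    ct, tt = train(cur), train(tgt)
    if ct == tt:
        ok = ct in LATER_IN_TRAIN
        return ok, (f"later {ct}.x release" if ok else f"no later {ct}.x target in Table 1")
    if tt in DIRECT_TARGETS.get(ct, set()):
        return True, f"direct upgrade from {ct} to {tt}.x"
    return False, "no direct path in Table 1; a multi-hop upgrade is required"

def check_package(current, filename):
    """Parse an uploaded package name and test its version against the running one."""
    m = PACKAGE_RE.match(filename)
    if not m:
        raise ValueError(f"unexpected package name: {filename}")
    pkg = m.groupdict()
    pkg["allowed"], pkg["reason"] = direct_upgrade_allowed(current, pkg["version"])
    return pkg
```

Because the check pads versions to three parts, a target written as 7.1 is treated as 7.1.0 and therefore hits the datastore restriction for a 7.0.4+ source.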
Run Readiness Checks for Management Center

Use this procedure to run management center readiness checks.

Readiness checks assess preparedness for major and maintenance upgrades. If you fail readiness checks, you cannot upgrade until you correct the issues. The time required to run a readiness check varies depending on model and database size. Do not manually reboot or shut down during readiness checks.

Before you begin

Upload the upgrade package to the management center.

Procedure

Step 1

On the management center, choose System (system gear icon) > Updates.

Step 2

Under Available Updates, click the Install icon next to the upgrade package, then choose the management center.

Step 3

Click Check Readiness.

You can monitor readiness check progress in the Message Center.

What to do next

On System (system gear icon) > Updates, click Readiness Checks to view readiness check status for your whole deployment, including checks in progress and failed checks. You can also use this page to easily re-run checks after a failure.

Upgrade the Management Center: Standalone

Use this procedure to upgrade a standalone management center.

Caution: Do not make or deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot, shut down, or restart an upgrade in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin

Complete the pre-upgrade checklist. Make sure your deployment is healthy and successfully communicating.

Procedure

Step 1

On the management center, choose System (system gear icon) > Updates.

Step 2

Under Available Updates, click the Install icon next to the upgrade package, then choose the management center.

Step 3

Click Install, then confirm that you want to upgrade and reboot.

You can monitor precheck progress in the Message Center until you are logged out.

Step 4

Log back in when you can.

  • Major and maintenance upgrades: You can log in before the upgrade is completed. The system displays a page you can use to monitor the upgrade's progress and view the upgrade log and any error messages. You are logged out again when the upgrade is completed and the system reboots. After the reboot, log back in again.

  • Patches and hotfixes: You can log in after the upgrade and reboot are completed.

Step 5

Verify upgrade success.

If the system does not notify you of the upgrade's success when you log in, choose Help (help icon) > About to display current software version information.

Step 6

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 7

Complete any required post-upgrade configuration changes.

Step 8

Redeploy configurations to all managed devices.

Upgrade the Management Center: High Availability

Upgrade high availability management centers one at a time. With synchronization paused, first upgrade the standby, then the active. When the standby starts the upgrade, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade (and patch uninstall).

Caution: Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization. Do not make or deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot, shut down, or restart an upgrade in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin

Complete the pre-upgrade checklist for both peers. Make sure your deployment is healthy and successfully communicating.

Procedure

Step 1

On the active management center, pause synchronization.

  1. Choose Integration > Other Integrations.

  2. On the High Availability tab, click Pause Synchronization.

Step 2

Upload the upgrade package to the standby.

For management center high availability, you must upload the management center upgrade package to both peers, pausing synchronization before you transfer the package to the standby. To limit interruptions to synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization.

Step 3

Upgrade peers one at a time — first the standby, then the active.

Follow the instructions in Upgrade the Management Center: Standalone, stopping after you verify update success on each peer. In summary, for each peer:

  1. On System (system gear icon) > Updates, install the upgrade.

  2. Monitor progress until you are logged out, then log back in when you can (this may happen twice).

  3. Verify upgrade success.

Step 4

On the management center you want to make the active peer, restart synchronization.

  1. Choose Integration > Other Integrations.

  2. On the High Availability tab, click Make-Me-Active.

  3. Wait until synchronization restarts and the other management center switches to standby mode.

Step 5

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 6

Complete any required post-upgrade configuration changes.

Step 7

Redeploy configurations to all managed devices.