Upgrade Checklist for Management Center
Planning and Feasibility
Careful planning and preparation can help you avoid missteps.
✓ |
Action/Check |
Details |
---|---|---|
Assess your deployment. |
Understanding where you are determines how you get to where you want to go. In addition to current version and model information, determine if your deployment is configured for high availability/scalability, if your devices are deployed as an IPS or as firewalls, and so on. |
|
Plan your upgrade path. |
This is especially important for large deployments, multi-hop upgrades, and situations where you need to upgrade operating systems or hosting environments. Upgrades can be major (A.x), maintenance (A.x.y), or patch (A.x.y.z) releases. See: |
|
Read upgrade guidelines and plan configuration changes. |
Especially with major upgrades, upgrading may cause or require significant configuration changes either before or after upgrade. Start with these:
|
|
Check bandwidth. |
Make sure your management network has the bandwidth to perform large data transfers. Whenever possible, upload upgrade packages ahead of time. |
|
Schedule maintenance windows. |
Schedule maintenance windows when they will have the least impact, especially considering the time the upgrade is likely to take. Consider the tasks you must perform in the window, and those you can perform ahead of time. |
Backups
With the exception of hotfixes, upgrade deletes all backups stored on the system. We strongly recommend you back up to a secure remote location and verify transfer success, both before and after upgrade:
-
Before upgrade: If an upgrade fails catastrophically, you may have to reimage and restore. Reimaging returns most settings to factory defaults, including the system password. If you have a recent backup, you can return to normal operations more quickly.
-
After upgrade: This creates a snapshot of your freshly upgraded deployment. Back up the management center after you upgrade its managed devices, so your new management center backup file 'knows' that its devices have been upgraded.
✓ |
Action/Check |
Details |
---|---|---|
Back up configurations and events. |
See the Backup/Restore chapter in the Cisco Secure Firewall Management Center Administration Guide. |
Upgrade Packages
Uploading upgrade packages to the system before you begin upgrade can reduce the length of your maintenance window.
✓ |
Action/Check |
Details |
---|---|---|
Download the upgrade package from Cisco and upload it to the management center. |
Upgrade packages are available on the Cisco Support & Download site. You may also be able to use the management center to perform a direct download. For management center high availability, you must upload the management center upgrade package to both peers, pausing synchronization before you transfer the package to the standby. To limit interruptions to synchronization, you can transfer the package to the active peer during the preparation stage of the upgrade, and to the standby peer as part of the actual upgrade process, after you pause synchronization. |
Associated Upgrades
We recommend you perform hosting environment upgrades in a maintenance window.
✓ |
Action/Check |
Details |
---|---|---|
Upgrade virtual hosting. |
If needed, upgrade the hosting environment. If this is required, it is usually because you are running an older version of VMware and are performing a major upgrade. |
Final Checks
A set of final checks ensures you are ready to upgrade the software.
✓ |
Action/Check |
Details |
---|---|---|
Check configurations. |
Make sure you have made any required pre-upgrade configuration changes, and are prepared to make required post-upgrade configuration changes. |
|
Check NTP synchronization. |
Make sure all appliances are synchronized with any NTP server you are using to serve time. Although the health monitor alerts if clocks are out of sync by more than 10 seconds, you should still check manually. Being out of sync can cause upgrade failure. To check time:
|
|
Deploy configurations. |
Deploying configurations before you upgrade reduces the chance of failure. Deploying can affect traffic flow and inspection; see Traffic Flow and Inspection for Threat Defense Upgrades. |
|
Run readiness checks. |
Passing readiness checks reduces the chance of upgrade failure. | |
Check disk space. |
Readiness checks include a disk space check. Without enough free disk space, the upgrade fails. To check the disk space available on the management center, choose System () and select the management center. Under Disk Usage, expand the By Partition details. |
|
Check running tasks. |
Make sure essential tasks are complete, including the final deploy. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. Upgrades automatically postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot. If you do not want this to happen, check for tasks that are scheduled to run during the upgrade and cancel or postpone them. |