Upgrade Threat Defense

Upgrade Threat Defense

Use this procedure to upgrade threat defense. As you proceed, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage, it does not appear in the next stage.

If you navigate away from the upgrade wizard, your progress is preserved and other users cannot start a new upgrade workflow for any devices you have already selected. (Exception: if you are logged in with a CAC, your progress is cleared 24 hours after you log out.) To return to your workflow, choose Devices > Threat Defense Upgrade.

Upgrade does not start until you complete the upgrade wizard and click Start Upgrade. All steps up to that point can be performed outside of a maintenance window, including downloading upgrade packages, copying them to devices, running readiness checks, and choosing upgrade options. For information on traffic handling during the upgrade and during the first post-upgrade deploy (which typically restarts Snort), see Traffic Flow and Inspection.


Caution


Do not deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot or shut down. In most cases, do not restart an upgrade in progress. You could place the system in an unusable state and require a reimage. Devices may reboot multiple times during the upgrade. This is expected behavior. If you encounter issues with the upgrade, including a failed upgrade or unresponsive device, see Unresponsive and Failed Threat Defense Upgrades.


Before you begin

Make sure you are ready to upgrade:

Procedure


Step 1

On the management center, choose System (system gear icon) > Product Upgrades.

The Product Upgrades page provides an upgrade-centered overview of your deployment—how many devices you have, when they were last upgraded, whether there is an upgrade in progress, and so on.

Step 2

Get the device upgrade packages onto the management center.

Before you copy upgrade packages to managed devices, you must upload the packages to the management center, or to an internal server that the devices can access.

The Product Upgrades page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. In most cases, you can just click Download next to the upgrade package or version you want.

For more information, see Managing Upgrade Packages with the Management Center and Troubleshooting Upgrade Packages.

Step 3

Launch the upgrade wizard.

Click Upgrade next to the target version. If you are given a drop-down menu, select Threat Defense.

The threat defense upgrade wizard appears. It has two panes: Device Selection on the left, and Device Details on the right. Click a device link in the Device Selection pane (such as '4 devices') to show the Device Details for those devices. Your target version is pre-selected in the Upgrade to menu. The system determines which devices can be upgraded to that version and displays them in the Device Details pane.

Step 4

Select devices to upgrade.

In the Device Details pane, select the devices you want to upgrade and click Add to Selection.

You can use the device links on the Device Selection pane to toggle the Device Details pane between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. You can add and remove devices from your selection, or click Reset to clear your device selection and start over. Note that you do not have to remove ineligible devices; they are automatically excluded from upgrade. You must upgrade the members of device clusters and high availability pairs together.

Tip

 

After you select devices to upgrade, you can begin upgrade in unattended mode (Unattended Mode > Start). After you specify a few options, the system automatically copies needed upgrade packages to devices, performs compatibility and readiness checks, and begins the upgrade. After the upgrade completes, pick up with the verification and post-upgrade tasks. For more information, see Upgrade Threat Defense in Unattended Mode.

Step 5

Copy upgrade packages to devices.

Click Copy Upgrade Package and wait for the transfer to complete. For the Secure Firewall 3100 in multi-instance mode, if you upgraded the chassis, the upgrade package should already be on the device (unless you deleted it).

Step 6

Click Next to run compatibility and readiness checks.

Compatibility and other quick prechecks are automatic. For example, the system alerts you immediately if you need to deploy configurations. Other checks take more time. To begin these, click Run Readiness Check.

Do not deploy changes to, manually reboot, or shut down a device while running readiness checks. Although you can skip checks by disabling the Require passing compatibility and readiness checks option, we recommend against it. Passing all checks greatly reduces the chance of upgrade failure. If the checks expose issues that you cannot resolve, do not begin the upgrade.

Step 7

Click Next to choose upgrade options.

These options allow you to revert from both successful and unsuccessful upgrades, to generate troubleshooting files, and to upgrade Snort. For information on why you might disable these options, see Threat Defense Upgrade Options.

Step 8

Reconfirm you are ready to upgrade.

We recommend revisiting the configuration and deployment health checks you performed earlier: Configuration and Deployment Checks.

Step 9

Click Start Upgrade, then confirm that you want to upgrade and reboot the devices.

The wizard shows your overall upgrade progress, which you can also monitor in the Message Center. For detailed status, click View Details next to the device you want to see. This detailed status is also available from the Upgrade tab on the Device Management page.

For high availability devices, note that the Message Center and the upgrade wizard associate the units with their high availability states when you clicked Start Upgrade. That is, they report upgrading the "standby" and then the "active," even though failover occurs and you are only ever upgrading the standby. The Device Management page always shows the correct current high availability states of the units, which can be different from the original states displayed by the Message Center or the wizard..

Caution

 

For high availability devices, the Message Center reports upgrade success for each unit in separate tasks. Regardless of what the Message Center says, do not redeploy configurations to the high availability pair until both devices have finished upgrading.

Tip

 

If you need to cancel a failed or in-progress upgrade, or retry a failed upgrade, do it from the detailed status pop-up. If you have not cleared your workflow, you can view the detailed status by returning to the wizard. If you have, use the Upgrade tab on the Device Management page. You can also use the threat defense CLI.

Step 10

Verify success.

After the upgrade completes, choose Devices > Device Management and confirm that the devices you upgraded have the correct software version.

Step 11

(Optional) In high availability or clustered deployments, examine device roles.

The upgrade process switches device roles so that it is always upgrading a standby unit or data node. It does not return devices to the roles they had before upgrade. If you have preferred roles for specific devices, make those changes now.

Step 12

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

Although the upgrade often updates these components, there could be newer ones available. If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 13

Complete any required post-upgrade configuration changes.

Step 14

Redeploy configurations to the devices you just upgraded.

Before you deploy, you may want to review the changes made by the upgrade (as well as any changes you have made since upgrade). Choose Deploy > Advanced Deploy, select the devices you just upgraded, and click Pending Changes Reports. After the reports finish generating, you can download them from the Tasks tab on the Message Center.


What to do next

  • (Optional) Clear the wizard by clicking Clear Upgrade Information. Until you do this, the page continues to display details about the upgrade you just performed. After you clear the wizard, use the Upgrade tab on the Device Management page to see last-upgrade information for managed devices.

  • Back up again: Backups

Threat Defense Upgrade Options

Table 1. Threat Defense Upgrade Options

Option

When to Disable

Details

Require passing compatibility and readiness checks.

At the direction of Cisco TAC.

If you disable this option, you can begin the upgrade without passing compatibility and readiness checks. However, we recommend against it. Passing all checks greatly reduces the chance of upgrade failure. If the checks expose issues that you cannot resolve, do not begin the upgrade.

Automatically cancel on upgrade failure and roll back to the previous version.

To force manual (instead of automatic) cancel and retry of failed upgrades.

With this option enabled, the device automatically returns to its pre-upgrade state upon upgrade failure. In a high availability or clustered deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.

Generate troubleshooting files before upgrade begins.

To save time and disk space.

With upgrades to Version 7.3+, you can skip the automatic pre-upgrade generating of troubleshooting files.

To manually generate troubleshooting files for a threat defense device, choose System (system gear icon) > Health > Monitor, click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

Upgrade Snort 2 to Snort 3.

To prevent Snort 3 upgrades.

With upgrades to Version 7.2–7.6, eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations.

With upgrades to Version 7.3+, you cannot disable this option. Although you can switch individual devices back, Snort 2 will be deprecated in a future release and we strongly recommend you stop using it now

For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Enable revert after successful upgrade.

To save time and disk space.

With upgrades to 7.1+, you have 30 days to revert threat defense upgrades.

Reverting returns the software to its state just before the last upgrade, also called a snapshot. If you revert an upgrade after installing a patch, you revert the patch as well as the upgrade.

Not supported for container instances, patches, or hotfixes.

Upgrade Threat Defense in Unattended Mode

The threat defense upgrade wizard has an optional unattended mode. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.

With an unattended upgrade, the system automatically copies needed upgrade packages to devices, performs compatibility and readiness checks, and begins the upgrade. Just as happens when you manually step through the wizard, any devices that do not "pass" a stage in the upgrade (for example, failing checks) are not included in the next stage. After the upgrade completes, pick up with the verification and post-upgrade tasks.

Table 2.

To...

Do This

Start an unattended upgrade.

In the threat defense upgrade wizard, select the target version and the devices you want to upgrade. Choose Unattended Mode > Start, choose upgrade options, and click Start again.

Pause an unattended upgrade during copy and checks phases.

In the threat defense upgrade wizard, choose Unattended Mode > Stop.

You can pause and restart unattended mode during the copy and checks phases. However, pausing unattended mode does not stop tasks in progress. Copies and checks that have started will run to completion. Note that you must pause unattended mode to perform any manual upgrade actions.

Once the actual device upgrade begins, you cannot cancel it by stopping unattended mode. Instead, use the Upgrade Status pop-up, accessible from the Upgrade tab on the Device Management page.

Monitor an unattended upgrade.

To monitor an unattended upgrade:

  • Copy and check status: Unattended Mode > View Status

  • Overall upgrade status: Message Center

  • Detailed upgrade status: Upgrade Status pop-up, accessible from the Upgrade tab on the Device Management page

Upgrade Older ASA FirePOWER and NGIPSv Devices

Use this procedure to upgrade older ASA FirePOWER or NGIPSv devices, last supported in Version 7.0.

Device upgrade does not start until you click Install. All steps up to that point can be performed outside of a maintenance window, including downloading upgrade packages, copying them to devices, and running readiness checks. For information on traffic handling during the upgrade and the first post-upgrade deploy, see the release notes for your target version: Cisco Secure Firewall Threat Defense Release Notes.


Caution


Do not make or deploy configuration changes during uninstall. Even if the system appears inactive, do not manually reboot, shut down, or restart an uninstall in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.


Before you begin

Make sure you are ready to upgrade. Note that this guide does not contain detailed checklists, planning information, or ASA upgrade instructions for these devices. For those, see the Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0.


Tip


We recommend you copy (push) upgrade packages to managed devices before you upgrade. In Version 7.4.0, you used System (system gear icon) > Updates to copy upgrade packages to ASA FirePOWER and NGIPSv. However, that page is deprecated in Version 7.4.1+. As a workaround, schedule a task to copy patches and maintenance releases to these older devices. If the package is not on the device when the upgrade begins, the system copies it for you at that time.


Procedure


Step 1

On the management center, choose System (system gear icon) > Product Upgrades.

Step 2

Get the device upgrade packages onto the management center.

The Product Upgrades page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. In most cases, you can just click Download next to the upgrade package or version you want.

For more information, see Managing Upgrade Packages with the Management Center and Troubleshooting Upgrade Packages.

Step 3

Click Upgrade next to the target version and select the type of device you want to upgrade: ASA FirePOWER or NGIPSv.

The Classic device upgrade page appears.

Step 4

Select the devices you want to upgrade.

We recommended upgrading no more than five devices at a time. You cannot stop the upgrade until all selected devices complete the process. If there is an issue with any one device upgrade, all devices must finish upgrading before you can resolve the issue.

Step 5

Click Install, then confirm that you want to upgrade and reboot the devices.

You can monitor upgrade progress in the Message Center.

Step 6

Verify success.

After the upgrade completes, choose Devices > Device Management and confirm that the devices you upgraded have the correct software version.

Step 7

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

Although the upgrade often updates these components, there could be newer ones available. If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 8

Complete any required post-upgrade configuration changes.

Step 9

Redeploy configurations to the devices you just upgraded.