Upgrade Threat Defense
Use this procedure to upgrade threat defense. As you proceed, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage, it does not appear in the next stage.
If you navigate away from the upgrade wizard, your progress is preserved and other users cannot start a new upgrade workflow for any devices you have already selected. (Exception: if you are logged in with a CAC, your progress is cleared 24 hours after you log out.) To return to your workflow, choose .
Upgrade does not start until you complete the upgrade wizard and click Start Upgrade. All steps up to that point can be performed outside of a maintenance window, including downloading upgrade packages, copying them to devices, running readiness checks, and choosing upgrade options. For information on traffic handling during the upgrade and during the first post-upgrade deploy (which typically restarts Snort), see Traffic Flow and Inspection.
Caution |
Do not deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot or shut down. In most cases, do not restart an upgrade in progress. You could place the system in an unusable state and require a reimage. Devices may reboot multiple times during the upgrade. This is expected behavior. If you encounter issues with the upgrade, including a failed upgrade or unresponsive device, see Unresponsive and Failed Threat Defense Upgrades. |
Before you begin
Make sure you are ready to upgrade:
-
Determine if you can run the target version: Compatibility
-
Plan the upgrade path: Upgrade Path
-
Review upgrade guidelines: Upgrade Guidelines
-
Check infrastructure and network: Network and Infrastructure Checks
-
Check configurations, tasks, and overall deployment health: Configuration and Deployment Checks
-
Perform backups: Backups
-
Upgrade chassis, if required: Upgrade the Secure Firewall 3100/4200 or Firepower 4100/9300 Chassis
Procedure
Step 1 |
On the management center, choose System (). The Product Upgrades page provides an upgrade-centered overview of your deployment—how many devices you have, when they were last upgraded, whether there is an upgrade in progress, and so on. |
||||
Step 2 |
Get the device upgrade packages onto the management center. Before you copy upgrade packages to managed devices, you must upload the packages to the management center, or to an internal server that the devices can access. The Product Upgrades page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. In most cases, you can just click Download next to the upgrade package or version you want. For more information, see Managing Upgrade Packages with the Management Center and Troubleshooting Upgrade Packages. |
||||
Step 3 |
Launch the upgrade wizard. Click Upgrade next to the target version. If you are given a drop-down menu, select Threat Defense. The threat defense upgrade wizard appears. It has two panes: Device Selection on the left, and Device Details on the right. Click a device link in the Device Selection pane (such as '4 devices') to show the Device Details for those devices. Your target version is pre-selected in the Upgrade to menu. The system determines which devices can be upgraded to that version and displays them in the Device Details pane. |
||||
Step 4 |
Select devices to upgrade. In the Device Details pane, select the devices you want to upgrade and click Add to Selection. You can use the device links on the Device Selection pane to toggle the Device Details pane between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. You can add and remove devices from your selection, or click Reset to clear your device selection and start over. Note that you do not have to remove ineligible devices; they are automatically excluded from upgrade. You must upgrade the members of device clusters and high availability pairs together.
|
||||
Step 5 |
Copy upgrade packages to devices. Click Copy Upgrade Package and wait for the transfer to complete. For the Secure Firewall 3100/4200 in multi-instance mode, if you upgraded the chassis, the upgrade package should already be on the device (unless you deleted it). |
||||
Step 6 |
Click Next to run compatibility and readiness checks. Compatibility and other quick prechecks are automatic. For example, the system alerts you immediately if you need to deploy configurations. Other checks take more time. To begin these, click Run Readiness Check. Do not deploy changes to, manually reboot, or shut down a device while running readiness checks. Although you can skip checks by disabling the Require passing compatibility and readiness checks option, we recommend against it. Passing all checks greatly reduces the chance of upgrade failure. If the checks expose issues that you cannot resolve, do not begin the upgrade. |
||||
Step 7 |
Click Next to choose upgrade options. These options allow you to revert from both successful and unsuccessful upgrades, to generate troubleshooting files, and to upgrade Snort. For information on why you might disable these options, see Threat Defense Upgrade Options. |
||||
Step 8 |
Reconfirm you are ready to upgrade. We recommend revisiting the configuration and deployment health checks you performed earlier: Configuration and Deployment Checks. |
||||
Step 9 |
Click Start Upgrade, then confirm that you want to upgrade and reboot the devices. The wizard shows your overall upgrade progress, which you can also monitor in the Message Center. For detailed status, click Detailed Status next to the device you want to see. This detailed status is also available from the Upgrade tab on the Device Management page. For high availability devices, note that the Message Center and the upgrade wizard associate the units with their high availability states when you clicked Start Upgrade. That is, they report upgrading the "standby" and then the "active," even though failover occurs and you are only ever upgrading the standby. The Device Management page always shows the correct current high availability states of the units, which can be different from the original states displayed by the Message Center or the wizard..
|
||||
Step 10 |
Verify success. After the upgrade completes, choose and confirm that the devices you upgraded have the correct software version. |
||||
Step 11 |
(Optional) In high availability or clustered deployments, examine device roles. The upgrade process switches device roles so that it is always upgrading a standby unit or data node. It does not return devices to the roles they had before upgrade. If you have preferred roles for specific devices, make those changes now. |
||||
Step 12 |
Update intrusion rules (SRU/LSP) and the vulnerability database (VDB). Although the upgrade often updates these components, there could be newer ones available. If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later. |
||||
Step 13 |
Complete any required post-upgrade configuration changes. |
||||
Step 14 |
Redeploy configurations to the devices you just upgraded. Before you deploy, you may want to review the changes made by the upgrade (as well as any changes you have made since upgrade):
|
What to do next
-
(Optional) Clear the wizard by clicking Clear Upgrade Information. Until you do this, the page continues to display details about the upgrade you just performed. After you clear the wizard, use the Upgrade tab on the Device Management page to see last-upgrade information for managed devices, and the Advanced Deploy screens to see configuration changes.
-
Back up again: Backups
Threat Defense Upgrade Options
Option |
When to Disable |
Details |
---|---|---|
Require passing compatibility and readiness checks. |
At the direction of Cisco TAC. |
If you disable this option, you can begin the upgrade without passing compatibility and readiness checks. However, we recommend against it. Passing all checks greatly reduces the chance of upgrade failure. If the checks expose issues that you cannot resolve, do not begin the upgrade. |
Automatically cancel on upgrade failure and roll back to the previous version. |
To force manual (instead of automatic) cancel and retry of failed upgrades. |
With this option enabled, the device automatically returns to its pre-upgrade state upon upgrade failure. In a high availability or clustered deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted. |
Generate troubleshooting files before upgrade begins. |
To save time and disk space. |
With upgrades to Version 7.3+, you can skip the automatic pre-upgrade generating of troubleshooting files. To manually generate troubleshooting files for a threat defense device, choose System (), click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files. |
Upgrade Snort 2 to Snort 3. |
To prevent Snort 3 upgrades. |
With upgrades to Version 7.2–7.6, eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. With upgrades to Version 7.3+, you cannot disable this option. Although you can switch individual devices back, Snort 2 will be deprecated in a future release and we strongly recommend you stop using it now For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version. |
Enable revert after successful upgrade. |
To save time and disk space. |
With upgrades to 7.1+, you have 30 days to revert threat defense upgrades. Reverting returns the software to its state just before the last upgrade, also called a snapshot. If you revert an upgrade after installing a patch, you revert the patch as well as the upgrade. Not supported for container instances, patches, or hotfixes. |
Upgrade Threat Defense in Unattended Mode
The threat defense upgrade wizard has an optional unattended mode. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.
With an unattended upgrade, the system automatically copies needed upgrade packages to devices, performs compatibility and readiness checks, and begins the upgrade. Just as happens when you manually step through the wizard, any devices that do not "pass" a stage in the upgrade (for example, failing checks) are not included in the next stage. After the upgrade completes, pick up with the verification and post-upgrade tasks.
To... |
Do This |
---|---|
Start an unattended upgrade. |
In the threat defense upgrade wizard, select the target version and the devices you want to upgrade. Choose Start again. , choose upgrade options, and click |
Pause an unattended upgrade during copy and checks phases. |
In the threat defense upgrade wizard, choose .You can pause and restart unattended mode during the copy and checks phases. However, pausing unattended mode does not stop tasks in progress. Copies and checks that have started will run to completion. Note that you must pause unattended mode to perform any manual upgrade actions. Once the actual device upgrade begins, you cannot cancel it by stopping unattended mode. Instead, use the Upgrade Status pop-up, accessible from the Upgrade tab on the Device Management page. |
Monitor an unattended upgrade. |
To monitor an unattended upgrade:
|