This is very clear and will help me with my upgrade tomorrow, my devices are currently on 6.6.1 and I will be upgrading to 7.0.x
Good luck with your upgrade and thank you for watching.
Also in a production environment you can upgrade the FMC during the day without affecting any live services as traffic will continue to flow over the FTD or FTD's.
Correct but from experience, if one chooses to do this, always plan for scenarios where upgrades fail due to bugs etc.
@NetworkWizkid A quick question though. If I plan for all the updates to fail in case I have HA, then wouldn't it fail first on the standby appliance? This means the active one would not be updated in the first place and the traffic would continue to flow. Because if I got you correctly, everything would roll back in case of failure. Still on that note, if the failure occurs in the first place, it would start on the standby and would never reach the active one.
Excellent video, helped me a lot in my FMC upgrade.
Glad it helped, thank you for watching.
Please subscribe for more great content.
Nice one !
No problem, thanks for watching.
Great video. How do I do a disk capacity precheck from the CLI?
I read in the Cisco guide that we need to make sure of the disk space before doing the upgrade.
thanks.
Thanks for watching.
You can use the following commands from the FTD CLI:
Show disks
Show disk-manager
Hope that helps.
Nice vid! There is no outage from upgrading the FMC, right? I saw you had to redeploy managed device policies. Is there an outage on the FTD's when you do this? I have a vFMC and 2 x 2130 FTD's in a failover cluster on 6.3. I want to upgrade the vFMC prior to my outage window when I upgrade the FTD's if possible. Thanks
Hey Adam, thank you and thank you for watching...please subscribe if you've found this content useful.
To answer your question, when upgrading the FMC, the FTD devices still continue to function. So the only downtime will be from the FMC and not the FTD's (until the FTD's are upgraded of course). When the FTD's are upgraded in your case, you shouldn't see any downtime because you have a cluster. You have to redeploy the policies when you have upgraded to ensure that everything is in sync.
I hope that helps.
Hi Mate, Thanks for the video. It's clear and explained. I have two questions. Could you please clarify? Thanks,
Q1. Why do we need to do that deployment at 18.23? Is it automatically prompted or do we need to check somewhere and do it?
Q2. Is there a link I can refer to identify FXOS(?) and FTD(6.6.04-64) compatibility for Cisco 1120? I'm wondering what FXOS should be there in FTD 6.6.04-64
Thank you for watching, I'm glad you found it useful.
To answer Q1. Once you've upgraded, policies need to be reapplied. You need to check once the upgrade is complete and can do so by clicking on the deployment tab.
To answer Q2. Here is the compatibility guide: www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html. Only 4100 series and 9300's require the download of FXOS software to upgrade. 1100's and 2100's have FXOS software bundled as the above link mentions.
Hope that helps. Please refer to the Cisco Firepower documentation for more information.
Any reason to push the FTD upgrade before installing it? Looks like the Cisco documentation says to push it first, but if it's not necessary I'd be happy to shorten the process.
It depends on the environment. It’s recommended to push the image to the FTD first to avoid upgrade failures that could be caused by a drop in the network between the FMC and FTD. If that happens you could face a scenario where the upgrade to the FTD hangs or in some cases (depending on versions and bugs) you could end up having to engage TAC to fix issues caused by an incomplete upgrade.
Pushing the image to the FTD first won’t add on that much more time and could save you some headache throughout the whole process.
I hope that helps.
@NetworkWizkid That's great information. I'll just plan to push it first to avoid any potential complications. Thanks!!
@JeffSauvageau no problem, thank you for watching and good luck with the upgrade.
Good information, thanks for the knowledge transfer
My pleasure, thank you for watching.
Do you have videos on upgrading FTD from 6.3.0.3 to 6.7?
I don't at the moment but some will be coming soon.
I have FTD in HA mode, but I would like to know, instead of updating the FTDs' firmware at the HA level, is it possible to first update the secondary and then the primary FTD, individually?
I want to first update the firmware of the secondary FTD to see if that would go successfully without any issue, just like we do in classic ASA Active/backup where we always update the backup then secondary.
Please advise!
Hi Khan,
Thank you for watching and I hope you have liked and subscribed - that would be great!
With regards to your question...this is the behaviour of the FTDs when in an HA pair anyway. The secondary device will upgrade first and then if successful the primary will proceed to upgrade once it has failed over to allow the secondary to continue passing traffic. If the secondary device upgrade fails then it will not proceed any further with the upgrade and will roll back.
I hope that helps :-)
Thank you for the quick reply.
I have subscribed to your channel. I was a bit worried about this; if anything goes wrong during the update then rebuilding the FTD image is a painful process.
Thank you Khan, I appreciate that.
You should be fine, it will not proceed with upgrading the active FTD if the secondary fails. Nevertheless it is always wise to make sure that you have backups in case of unlikely events.
Excellent video. Please can you share the PDF file?
Thank you! You can download the file from my website here: networkwizkid.com/2021/03/07/video-upgrading-cisco-firepower-devices-from-6-5-to-6-6/
Also, once the standby device has been upgraded, before moving to the active should I make it active, or through split-brain will it be active while I upgrade the existing active FMC?
The switch should happen automatically as the upgrade process is automatic.
Thanks, it helped me a lot
Thank you and thank you for watching
Hello, I have an activity to upgrade FDM from 6.4 to 7.0 but it shows a fatal error at 39% for invalid password. Is there any possible reason why this happens? The password is already complete with small and big letters, numbers and symbols.
I would check the password requirements for the newer version to make sure the password length is correct. If the issue persists it may be worth contacting Cisco support.
Hi, I need to upgrade from 7.0.1 to 7.0.1.1. How much time should it take to do this? Also, my FMC is in HA, so as per the guide I will first pause synchronization and then upload the package to the standby device. Is it OK that once the standby is upgraded and running, I then log in to the active and upload the package?
Hi, please follow the Cisco recommendations on the documentation, everything should be documented on there.
Can you upgrade directly from 6.4 to 6.6.1?
Yes you can: www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/plan_upgrade_path.html
@NetworkWizkid thank you.