Skip to main content



Cisco Defense Orchestrator

FTD Upgrade Prerequisites

About Upgrading

Cisco Defense Orchestrator (CDO) provides a wizard that helps you upgrade the Firepower Threat Defense (FTD) images installed on an individual device or an HA pair.

The wizard guides you through the process of choosing compatible images, installs them, and reboots the device to complete the upgrade. We secure the upgrade process by validating that the images you chose on CDO are the ones copied to, and installed on, your FTD device. We strongly recommend the FTD devices you are upgrading have outbound access to the internet. 

If your FTD does not have outbound access to the internet, you can download the image you want from, store them in your own repository, provide the upgrade wizard with a custom URL to those images, and CDO performs upgrades using those images. In this case, however, you determine what images you want to upgrade to. CDO does not perform the image integrity check or disk-space check.  

Configuration Prerequisites

  • DNS needs to be enabled on the FTD device. See Configuring DNS section of the System Administration chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running for more information.
  • The FTD device should be able to reach the internet if you use upgrade images from CDO's image repository.
  • The FTD device has been successfully onboarded to CDO.
  • The FTD device is reachable.
  • The FTD device is synced.
    • If you update a device that has pending changes in CDO and you do not accept changes, pending changes are lost after the upgrade completes. Best practice is to deploy any pending changes before you upgrade. 
    • If you have staged changes in FDM and the device is not synced, the upgrade in CDO will fail at an eligibility check. 

4100 and 9300 Series Running FTD

CDO does not support the upgrade for the 4100 or 9300 series devices. You must upgrade these devices outside of CDO.

Software and Hardware Requirements

CDO is a cloud management platform. Software updates are released over time and are generally not dependent on hardware. See Software and Hardware Supported by CDO for information about supported hardware types.

Devices running FTD software have a recommended upgrade path for optimal performance. See Firepower Software Upgrade Path for more information.

Upgrade Notes

You cannot deploy changes to a device while it is upgrading.


Related Articles:

  • Was this article helpful?