How Should You Upgrade?
Firepower devices can upgrade directly from one major release to another, such as from Version 6.4.0 > 6.5.0. If a direct upgrade from your current version to your target version is not possible, your upgrade path must include intermediate versions, such as from Version 184.108.40.206 > 6.5.0. To patch Firepower, you must be running the base major version.
You cannot upgrade directly from a patch of one version to a patch of another version, such as from Version 220.127.116.11 > 18.104.22.168. You must upgrade to the major release first, and then to a subsequent patch of that release: from Version 22.214.171.124 > 6.5.0 > 126.96.36.199.
Firepower support starts with Version 6.4.0. See the following table for the supported upgrade paths:
| Currently Running Version X | Direct Upgrade To 6.4.0.x | Direct Upgrade To 6.5.0 | Direct Upgrade To 6.5.0.x | Direct Upgrade to 6.6.0 | Direct Upgrade to 6.7.0 |
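The path rules above can be expressed as a small planner; this is an added example, not Cisco or CDO code. The function names are hypothetical, the `SAMPLE_DIRECT` matrix is constructed for illustration and is not the supported-paths table, and the code assumes a patch can be applied from the base release or an earlier patch of the same release.

```python
from collections import deque

def parse(version):
    """Split 'A.B.C' or 'A.B.C.P' into (base 'A.B.C', patch number; 0 = base release)."""
    parts = version.split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {version!r}")
    return ".".join(parts[:3]), int(parts[3]) if len(parts) == 4 else 0

def plan_upgrade(current, target, direct):
    """Return the versions to install, in order, or raise ValueError.

    direct maps a base release to the set of major releases it can reach in
    one step (assumption: you fill it in from the supported-paths table).
    """
    cur_base, cur_patch = parse(current)
    tgt_base, tgt_patch = parse(target)
    key = lambda base: tuple(int(x) for x in base.split("."))
    if (key(tgt_base), tgt_patch) < (key(cur_base), cur_patch):
        raise ValueError("target is older than current; not an upgrade")
    steps = []
    if cur_base != tgt_base:
        # Breadth-first search for the shortest chain of major releases.
        queue, seen, chain = deque([[cur_base]]), {cur_base}, None
        while queue:
            path = queue.popleft()
            if path[-1] == tgt_base:
                chain = path
                break
            for nxt in sorted(direct.get(path[-1], ()), key=key):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
        if chain is None:
            raise ValueError(f"no supported path from {current} to {target}")
        steps += chain[1:]
    # Patch-to-patch across releases is never direct: the target patch is
    # installed only after the device runs the target's base major release.
    if tgt_patch and (cur_base != tgt_base or tgt_patch != cur_patch):
        steps.append(target)
    return steps

# Constructed sample matrix for illustration; not Cisco's table.
SAMPLE_DIRECT = {"6.4.0": {"6.5.0", "6.6.0"}, "6.5.0": {"6.6.0", "6.7.0"}, "6.6.0": {"6.7.0"}}
```

Replace `SAMPLE_DIRECT` with the rows of the supported-paths table for your devices before relying on the output.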
Major Upgrade vs Patch
Note: You cannot use CDO to uninstall or downgrade from a major release. You must reimage the device to revert to a previous version.
Major upgrades may include new features and functionality and entail large-scale changes to the product. Major upgrades will take longer to complete than a patch.
Patch upgrades may contain a limited range of fixes and minor feature updates or enhancements. Patch upgrades will take less time to complete than a major upgrade.
Snort is the main inspection engine for the product and is packaged into the Firepower software for your convenience. Version 6.7 introduces an update to the package that you can upgrade to, or revert from, at any time. Although you can switch Snort versions freely, some intrusion rules in Snort 2.0 might not exist in Snort 3.0, and vice versa. We strongly recommend reading about the differences in the Firepower Device Manager Configuration Guide for Version 6.7.0.
Other Upgrade Limitations
2100 Series Devices
CDO can upgrade Firepower 2100 series devices only if they are running in appliance mode.
- Firepower Threat Defense devices are always in appliance mode.
- ASA devices are in appliance mode by default.
To confirm that your Firepower 2100 running ASA is in appliance mode:
- Connect your management computer to the console port or connect to the device using SSH.
- Enter global configuration mode.
- Run the show fxos mode command:
ciscoasa(config)# show fxos mode
Mode is currently set to appliance
See the "Cisco Firepower 2100 Getting Started Guide" for a more detailed discussion of these commands.
4100 and 9300 Series Devices
CDO does not support the upgrade for the 4100 or 9300 series devices. You must upgrade these devices outside of CDO.