Skip to main content



Cisco Defense Orchestrator

Firepower Software Upgrade Path

How Should You Upgrade?

Firepower devices are capable of executing direct upgrades from one major release to another, such as from Version 6.4.0 > 6.5.0. If a direct upgrade from your current to your target version is not possible, your upgrade path must include either intermediate versions, such as from Version > 6.5.0. To patch Firepower, you must be running the base major version.

You cannot upgrade directly from a patch of one version to a patch of another version, such as from Version > You must upgrade to the major release first, and then to a subsequent patch of that release: from Version > 6.5.0 >

Firepower support starts with Version 6.4.0. See the following table for the supported upgrade paths:


Currently Running Version X Direct Upgrade To 6.4.0.x Direct Upgrade To 6.5.0 Direct Upgrade To 6.5.0.x Direct Upgrade to 6.6.0 Direct Upgrade to 6.7.0
6.7.0-xx - - - - -
6.6.0-90 - - - - yes
6.5.0.x patch - - - yes yes
6.5.0-115 - - yes yes yes
6.4.0.x patch yes yes no yes yes
6.4.0-102 yes yes yes yes yes


Major Upgrade vs Patch 

Note: You cannot use CDO to uninstall or downgrade from a major release. You must reimage the device to revert to a previous version. 

Major upgrades may include new features and functionality and entail large-scale changes to the product. Major upgrades will take longer to complete than a patch. 

Patch upgrades may contain a limited range of fixes and minor feature updates or enhancements. Patch upgrades will take less time to complete than a major upgrade. 

Snort Upgrade

Snort is the main inspection engine for the product and is packaged into the Firepower software for your convenience. Version 6.7 introduces an update to the package that you can upgrade to, or revert from, at any time. Although you can switch Snort versions freely, some intrusion rules in Snort2.0 might not exist in Snort 3.0, and vice versa. We strongly recommend reading about the differences in the Firepower Device Manager Configuration Guide for Version 6.7.0 for more information. 

To proceed with upgrading your FTD system to use Snort 3 or to revert from Snort 3 back to Snort 2 from the CDO UI, see Upgrade to Snort 3.0 and Revert From Snort 3.0 for FTD respectively.

Other Upgrade Limitations

2100 Series Devices

CDO can upgrade Firepower 2100 series devices only if they are running appliance mode. 

  • Firepower Threat Defense devices are always in appliance mode.
  • ASA devices are appliance mode by default. 

To confirm that your  Firepower 2100 running ASA is in appliance mode:

  1. Connect your management computer to the console port or connect to the device using SSH.
  2. Enter global configuration mode.
  3. Run the show fxos mode command,
ciscoasa(config)# show fxos mode
Mode is currently set to appliance

See the "Cisco Firepower 2100 Getting Started Guide" for a more detailed discussion of these commands. 

4100 and 9300 Series Devices

CDO does not support the upgrade for the 4100 or 9300 series devices. You must upgrade these devices outside of CDO. 


Related Articles:

  • Was this article helpful?