Cisco Defense Orchestrator (CDO) provides a wizard that helps you upgrade the Firepower Threat Defense (FTD) images installed on an individual device or an HA pair.
The wizard guides you through the process of choosing compatible images, installs them, and reboots the device to complete the upgrade. We secure the upgrade process by validating that the images you chose on CDO are the ones copied to, and installed on, your FTD device. We strongly recommend the FTD devices you are upgrading have outbound access to the internet.
If your FTD does not have outbound access to the internet, you can download the image you want from Cisco.com, store them in your own repository, provide the upgrade wizard with a custom URL to those images, and CDO performs upgrades using those images. In this case, however, you determine what images you want to upgrade to. CDO does not perform the image integrity check or disk-space check.
- DNS needs to be enabled on the FTD device. See Configuring DNS for more information.
- The FTD device should be able to reach the internet if you use upgrade images from CDO's image repository.
- The FTD device has been successfully onboarded to CDO.
- The FTD device is reachable.
- The FTD device is synced.
- If you update a device that has pending changes in CDO and you do not accept changes, pending changes are lost after the upgrade completes. Best practice is to deploy any pending changes before you upgrade.
- If you have staged changes in FDM and the device is not synced, the upgrade in CDO will fail at an eligibility check.
Software and Hardware Requirements
FTD Version 6.4.x can be upgraded to FTD version 6.5.0. FTD version 6.5.0 can be upgraded to subsequent 6.5.0.x patches. See Software and Hardware Supported by CDO for information about supported hardware types.
Devices running FTD software have a recommended upgrade path for optimal performance. See Firepower Software Upgrade Path for more information.
You cannot deploy changes to a device while it is upgrading.