Cisco Defense Orchestrator

Upgrade a Firepower Threat Defense High Availability Pair

Upgrade your HA pair without disrupting traffic; the standby device continues to handle traffic detection while the secondary device is upgraded.

When you upgrade an HA pair, CDO executes an eligibility check and copies or identifies the image location before starting the upgrade. The secondary device in a high availability pair upgrades first, even if it is currently the active device; if the secondary device is the active device, the paired devices automatically switch roles for the upgrade process. Once the secondary device successfully upgrades, the devices switch roles, then the new standby device upgrades. When the upgrade completes, the devices are automatically configured so the primary device is active and the secondary device is standby.

We do not recommend deploying to the HA pair during the upgrade process. 

Before You Begin

  • Deploy all pending changes to the active device before upgrading. 
  • Ensure there are no tasks running during the upgrade. 
  • Both devices in the HA pair are healthy. 
  • Confirm you are ready to upgrade; you cannot roll back to a previous version in CDO.
  • Read through the Firepower Threat Defense Upgrade Prerequisites and the Software and Hardware Supported by CDO to review any requirements and warnings that may occur during the upgrade process.

Upgrade an FTD HA Pair with Images from CDO's Repository

Use the following procedure to upgrade an FTD HA pair using a software image that is stored in CDO's repository:

  1. In the navigation bar, click Devices & Services.
  2. Select the HA pair you want to upgrade.
  3. In the Device Actions pane, click Upgrade.
  4. In step 1, click Use CDO Image Repository to select the software image you want to upgrade to, and click Continue. You are only presented with choices that are compatible with the device you can upgrade.
  5. In step 2, confirm your choices and decide whether you only want to download the images to your device or copy the images, install them, and reboot the device.
  6. Click Perform Upgrade when you are ready. On the Devices & Services page, devices that are upgrading have an "Upgrade in Progress" configuration status.

Warning: If you decide to cancel the upgrade while it is in progress, click Abort Upgrade from the Upgrade page. If you cancel the upgrade after it has started, CDO does not deploy or read from the device and the device does not roll back to the previous configuration. This may cause the device to enter an unhealthy state. If you experience any issues during the upgrade process, contact Cisco TAC. 

  7. Alternatively, if you want CDO to perform the upgrade later, select the Schedule Upgrade check box. Click the field to select a date and time in the future. When you are done, click the Schedule Upgrade button.
  8. Look at the notifications tab for the progress of the bulk upgrade action. If you want more information about how the actions in the bulk upgrade job succeeded or failed, click the blue Review link and you will be directed to the Jobs page.
  9. Upgrade the system databases. You must do this step in FDM. See "Updating System Databases" in Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.4 for more information.

Upgrade an FTD HA Pair with Images from your own Repository 

Use the following procedure to upgrade an FTD HA pair using a URL protocol to locate a software image:

  1. In the navigation bar, click Devices & Services.
  2. Select the HA pair you want to upgrade.
  3. In the Device Actions pane, click Upgrade.
  4. In step 1, click Specify Image URL to select the software image you want to upgrade to, and click Continue. You are only presented with choices that are compatible with the device you can upgrade.
  5. In step 2, confirm your choices and decide whether you only want to download the images to your device or copy the images, install them, and reboot the device.
  6. Click Perform Upgrade when you are ready. On the Devices & Services page, devices that are upgrading have an "Upgrade in Progress" configuration status.

Warning: If you decide to cancel the upgrade while it is in progress, click Abort Upgrade from the Upgrade page. If you cancel the upgrade after it has started, CDO does not deploy or read from the device and the device does not roll back to the previous configuration. This may cause the device to enter an unhealthy state. If you experience any issues during the upgrade process, contact Cisco TAC. 

  7. Alternatively, if you want CDO to perform the upgrade later, select the Schedule Upgrade check box. Click the field to select a date and time in the future. When you are done, click the Schedule Upgrade button.
  8. Look at the notifications tab for the progress of the bulk upgrade action. If you want more information about how the actions in the bulk upgrade job succeeded or failed, click the blue Review link and you will be directed to the Jobs page.
  9. Upgrade the system databases. You must do this step in FDM. See "Updating System Databases" in Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.4 for more information.

Monitor the Upgrade Process 

You can view the progress of your single device by selecting that device on the Devices & Services page and clicking the upgrade button. CDO takes you to the Device Upgrade page for that device.

During the upgrade, the system suspends HA while updating system libraries, which includes an automatic deployment, and may not be in a healthy state for the entirety of the upgrade process. This is expected. The device is available for SSH connections during the last part of this process, so if you log in shortly after applying an upgrade, you might see HA in suspended status. If the system experiences issues during the upgrade process and the HA pair appears to be suspended, manually resume HA from the FDM console of the active device.

Note: If the upgrade fails at any point, CDO displays a message. CDO does not automatically restart the upgrade process. 

Warning: You may experience issues when upgrading devices that have self-signed certificates; see New Certificate Detected for more information.
