HA and Cluster Upgrade Workflow

Cisco Secure Firewall HA and Cluster Upgrade Workflow

Introduction

Cisco Secure firewall introduces an improved upgrade workflow for clusters and high-availability devices. The upgrade wizard displays cluster and high availability units as groups, rather than as individual devices. You can specify the data unit upgrade order in a cluster, the control unit always gets upgraded last. This guide reviews the steps for upgrading an HA firewall pair using the new workflow.

The Secure Firewall Management Center (FMC) is at Release 7.2, and the devices are on Release 7.1 and will be upgraded to 7.1.0.1-28. However, the workflow and steps to upgrade any firewall device remain the same.

Configuration

Step 1: Login to Cisco Secure Firewall Management Center (FMC) and navigate to Devices > Device Management and click on the checkbox of HA pair. Click Select Action and click Upgrade Firepower Software

Figure 1: Device Management Page

Figure 1: Device Management Page

๐Ÿ“˜

๏ธ Note

You may navigate by clicking Devices, and click Device Upgrade

Step 2: Click Select a version to select the desired version to upgrade.

Figure 2: Copy Upgrade Packages to the device page

Figure 2: Copy Upgrade Packages to the device page

๐Ÿ“˜

๏ธ Note

If the upgrade package is not present you will need to upload the upgrade package by clicking System (gear icon on the upper right corner of FMC) and clicking Updates

Step 3: Click Copy Upgrade Package and click Continue

Figure 3: Copy Upgrade Packages

Figure 3: Copy Upgrade Packages

Step 4 (optional): You can monitor the file copy progress from Tasks

Figure 4: Monitoring upgrade copy progress

Figure 4: Monitoring upgrade copy progress

Step 5: Once the Warning sign changes to a Green tick, click Next

Figure 5: Update package uploaded successfully

Figure 5: Update package uploaded successfully

Step 6: Click Run Readiness Check and click Continue

Figure 6: Run Readiness Check

Figure 6: Run Readiness Check

Step 7 (optional): You can check the status of the Readiness Check by going to Tasks

Figure 7: Monitoring Readiness Check via tasks

Figure 7: Monitoring Readiness Check via tasks

Step 8: Once the readiness check completes successfully. Select Next

Figure 8: Readiness Check completed successfully

Figure 8: Readiness Check completed successfully

๐Ÿ“˜

๏ธ Note

In-case of HA secondary unit always upgrades first. For Cluster units order can be changed for data units, control unit always upgrades last.

Step 9: Click Start Upgrade and then click Upgrade

Figure 9: Starting the upgrade

Figure 9: Starting the upgrade

Step 10: Click Finish to complete the wizard.

Figure 10: Upgrade wizard completed

Figure 10: Upgrade wizard completed

Step 11 (optional): You can check the status of the upgrade by going to Tasks

Figure 11: Monitoring Upgrade Status via Tasks

Figure 11: Monitoring Upgrade Status via Tasks

Verification

Step 1: Navigate to Devices and click Device Management. Both HA units should have a version as per the upgrade.

Figure 12: Device management page post upgrade.

Figure 12: Device management page post upgrade.

Step 2: Login to both the devices via SSH to the management IP of the respective device and run the command show version to verify the version matches the FMC UI.

Figure 13: show version via CLI

Figure 13: show version via CLI

Summary:

This document provided an overview of the Cisco Secure Firewall HA upgrade to help administrators use the new wizard to apply upgrades.

๐Ÿ“š Additional Resources


Title of the document The current suggested release is 7.6.2 Release 7.7 is live! Reminder that 7.7 firewalls are Snort 3 only