Upgrade the Firepower 4100/9300 Chassis

For the Firepower 4100/9300, major versions require a FXOS upgrade.

Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the chassis, then devices again. Or, perform a full reimage. In high availability deployments, upgrade one chassis at a time.

Upgrade FXOS with Chassis Manager

Upgrade FXOS for Standalone FTD Logical Devices Using Firepower Chassis Manager

This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.

The section describes the upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD logical devices that are not part of a failover pair.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure

Step 1

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 2

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 3

After the new platform bundle image has been successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 4

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 5

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 6

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Upgrade FXOS on an FTD High Availability Pair Using Firepower Chassis Manager

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

Procedure

Step 1

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 3

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 4

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 5

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 6

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 7

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 8

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 9

Connect to Firepower Chassis Manager on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 10

In Firepower Chassis Manager, choose System > Updates.

The Available Updates page shows a list of the FXOS platform bundle images and application images that are available on the chassis.

Step 11

Upload the new platform bundle image:

  1. Click Upload Image to open the Upload Image dialog box.

  2. Click Choose File to navigate to and select the image that you want to upload.

  3. Click Upload.

    The selected image is uploaded to the Firepower 4100/9300 chassis.

  4. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

Step 12

After the new platform bundle image has successfully uploaded, click Upgrade for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Step 13

Click Yes to confirm that you want to proceed with installation, or click No to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components. The upgrade process can take up to 30 minutes to complete.

Step 14

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Step 15

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 16

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Upgrade FXOS on the Firepower 4100/9300 with the CLI

Upgrade FXOS for Standalone FTD Logical Devices Using the FXOS CLI

This section describes how to upgrade the FXOS platform bundle for a standalone Firepower 4100/9300 chassis.

The section describes the FXOS upgrade process for the following types of devices:

  • A Firepower 4100 series chassis that is configured with a FTD logical device and is not part of a failover pair.

  • A Firepower 9300 chassis that is configured with one or more standalone FTD devices that are not part of a failover pair.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure

Step 1

Connect to the FXOS CLI.

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Upgrade FXOS on an FTD High Availability Pair Using the FXOS CLI

If you have Firepower 9300 or Firepower 4100 series security appliances that have FTD logical devices configured as a high availability pair, use the following procedure to update the FXOS platform bundle on your Firepower 9300 or Firepower 4100 series security appliances:

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

  • Download the FXOS platform bundle software package to which you are upgrading.

  • Back up your FXOS and FTD configurations.

  • Collect the following information that you will need to download the software image to the Firepower 4100/9300 chassis:

    • IP address and authentication credentials for the server from which you are copying the image.

    • Fully qualified name of the image file.

Procedure

Step 1

Connect to FXOS CLI on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:

Step 2

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 4

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 5

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 6

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 7

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 8

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 9

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 10

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.

Step 11

Connect to FXOS CLI on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:

Step 12

Download the new platform bundle image to the Firepower 4100/9300 chassis:

  1. Enter firmware mode:

    Firepower-chassis-a # scope firmware

  2. Download the FXOS platform bundle software image:

    Firepower-chassis-a /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis-a /firmware # scope download-task image_name

    Firepower-chassis-a /firmware/download-task # show detail

Example:

The following example copies an image using the SCP protocol: 

Firepower-chassis-a # scope firmware
Firepower-chassis-a /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis-a /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 13

If necessary, return to firmware mode:

Firepower-chassis-a /firmware/download-task # up

Step 14

Enter auto-install mode:

Firepower-chassis-a /firmware # scope auto-install

Step 15

Install the FXOS platform bundle:

Firepower-chassis-a /firmware/auto-install # install platform platform-vers version_number

version_number is the version number of the FXOS platform bundle you are installing; for example, 2.3(1.58).

Step 16

The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade.

Enter yes to confirm that you want to proceed with verification.

Step 17

Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

The system unpacks the bundle and upgrades/reloads the components.

Step 18

To monitor the upgrade process:

  1. Enter scope system .

  2. Enter show firmware monitor .

  3. Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

    Note

     

    After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example:

FP9300-A# scope system
FP9300-A /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

FP9300-A /system #

Step 19

After all components have successfully upgraded, enter the following commands to verify the status of the security modules/security engine and any installed applications:

  1. Enter top .

  2. Enter scope ssa .

  3. Enter show slot .

  4. Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance.

  5. Enter show app-instance .

  6. Verify that the Oper State is Online for any logical devices installed on the chassis.

Step 20

Make the unit that you just upgraded the active unit as it was before the upgrade:

  1. Connect to Firepower Management Center.

  2. Choose Devices > Device Management.

  3. Next to the high availability pair where you want to change the active peer, click the Switch Active Peer icon ().

  4. Click Yes to immediately make the standby device the active device in the high availability pair.