The information in this article applies to SourceFire 3D appliances, Cisco FirePOWER products and the next-generation firewall product family, ASA 5508-X, 5516-X and 5585-X with FirePOWER service enabled. We’ll cover the step-by-step process for upgrading the SourceFire FirePOWER FireSIGHT Management Center here.
First you need to find out what software version your system is running and what new version you are upgrading to. The latest FirePOWER 6.0 has come out with a lot of shiny new features.
However, I must caution you against it. Cisco Firepower 6.0 doesn’t support FireSIGHT high availability. This means if you have two managers configured in an HA cluster, you should stay on 5.4 and wait for the 6.01 patch scheduled to be released. Besides, it still has a lot of unfixed bugs. At the time this article was written, I upgraded to the latest 5.4.x code train for the greatest stability. The general process of upgrading applies to any future code releases as well. Let’s get started and upgrade the SourceFire FirePOWER FireSIGHT Management Center.
Most Popular Product Family
Cisco ASA5506-X with FirePOWER integrated
FirePOWER Appliance 7010
FirePOWER Appliance 8130
FirePOWER Appliance 8350
How to Upgrade SourceFire FirePOWER FireSIGHT Management Center
Before we proceed with the upgrade, it is always a good idea to clean up the disk space and make enough room for the new code to be installed. You are probably reading this article because you received a warning message that the disk is getting full. The information here applies to you, and you can follow the same instructions to clean up the disk space.
Local backups will not get pruned by the pruning process. They must be deleted by the user manually.
There is a feature to configure remote backups, which is recommended. You can configure it by following the instructions at Help > Online
Prune 3D SourceFire FirePOWER Sensor local disk
If you are managing the FirePOWER sensors through the FireSIGHT Management Center, formerly called Defense Center, you’ll need to log in to each sensor and delete the backup files and patches. Go to Devices > Device Management, where you’ll find a list of FirePOWER sensor IPs.
You can log in to each individual box by going to https://IP/ .
- Software Updates
Patches for old software versions can be deleted.
On 3D Software Version 5.x, navigate to System > Updates, and click the Delete button to the right of any old patches you would like to delete.
- Local Backups
Backups which have been copied to another device can be safely deleted.
On 3D Software Version 5.x, navigate to System > Tools > Backup/Restore, check any old backup files and click the Delete button.
Backup SourceFire Defense Center Firepower Management Center
It is always a good idea to obtain a backup of your FirePOWER Management Center (FMC) because all the policies and rules are configured and pushed through the FMC. It is the brain of the whole operation. You can always recover a sensor through the FMC if one ever crashes.
I covered this topic in greater detail here: How to Backup and Restore SourceFire Defense Center Firepower Management Center
Sequential Upgrade is Important
The FireSIGHT Management Center can only manage one version older than the version it is running. If your FirePOWER version was 5.3 or lower, it would no longer be able to manage any FirePOWER sensor 5.4 and greater. Once again, it is important to read the release notes, which state that you must upgrade all FirePOWER appliances to 5.3 before taking your FMC to 5.4 and newer. To save you time, I have compiled an upgrade path after reading all the lengthy release notes.
- Step 1: Upgrade FirePOWER sensors to 5.2.0.3, then 5.3.0 then 5.3.0.2
- Step 2: Upgrade FireSIGHT Management Center (FMC) to 5.3.0.2 then 5.3.1 then 5.4.0 then 5.4.1.5
- Step 3: Upgrade FirePOWER sensors to 5.3.0.2 then 5.4.0 then 5.4.0.6
If you want to go to the latest 6.0.x code, you have two more steps:
- Step 4: Upgrade FirePOWER sensors to 6.0.0.0 then 6.0.0.1
- Step 5: Upgrade FireSIGHT Management Center (FMC) to 6.0.0.0 then 6.0.0.1
It is crucial to follow the sequence while upgrading. If you fail to do so, you may lose connectivity to the remote sensors or even cause a production outage.
Note: If you are upgrading from one major release to another, the “download updates” feature on management console will not pull major releases. You must download the code directly from Cisco.com and upload it through the management console.
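The hop order and the one-version-older rule above can be checked mechanically before a maintenance window. The following is an added example, not code from this article or from Cisco: `FMC_CHAIN` copies the FMC versions from Steps 2 and 5, while the `TRAINS` list and the reading of "one version older" as "one release train behind" are assumptions.

```python
# Added example: FMC versions copied from the article's Steps 2 and 5.
FMC_CHAIN = ["5.3.0.2", "5.3.1", "5.4.0", "5.4.1.5", "6.0.0.0", "6.0.0.1"]
# Release trains seen in the article, oldest first (assumption: "one version
# older" means the previous entry in this list).
TRAINS = ["5.2", "5.3", "5.4", "6.0"]


def parse(version):
    """'5.3.1' -> (5, 3, 1, 0): pad to four fields so versions compare as tuples."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def train(version):
    """Index of the release train (first two fields) in TRAINS."""
    major, minor = parse(version)[:2]
    return TRAINS.index(f"{major}.{minor}")  # ValueError for an unknown train


def stranded(fmc, sensor):
    """True if the sensor is more than one train behind the FMC."""
    return train(fmc) - train(sensor) > 1


def safe_fmc_hops(installed, target, sensors):
    """Walk FMC_CHAIN from installed to target, one hop at a time.

    Returns (hops, blocker): the hops that can be installed now, and the first
    hop that would strand a sensor (None if the target is reachable).
    """
    if target not in FMC_CHAIN:
        raise ValueError(f"{target} is not a hop listed in the article")
    hops = []
    for hop in FMC_CHAIN:
        if parse(hop) <= parse(installed) or parse(hop) > parse(target):
            continue  # already installed, or beyond the requested target
        if any(stranded(hop, s) for s in sensors):
            return hops, hop
        hops.append(hop)
    return hops, None


if __name__ == "__main__":
    # Constructed inventory: FMC and two sensors, all still on 5.3.0.2.
    hops, blocker = safe_fmc_hops("5.3.0.2", "6.0.0.1", ["5.3.0.2", "5.3.0.2"])
    print("install in order:", " -> ".join(hops))
    print("upgrade sensors before:", blocker)
```

With the constructed inventory, the FMC can be taken as far as 5.4.1.5, and the 6.0.0.0 hop is held back until the sensors have left the 5.3 train.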
Download updates from Cisco.com
To upgrade the SourceFire FirePOWER FireSIGHT Management Center, we cannot download different major release updates within the FirePOWER management console itself. We need to download the files from Cisco.com manually. To download upgrades and patches for the sensors and FirePOWER Management Center, use the keyword “FirePOWER” to search for downloads on Cisco.com/go/support. Find the appropriate downloads to match the product you have.
For the FirePOWER 3D 7110 appliances and the Management Center I have, here are my download options.
Files downloaded for FirePOWER sensors
Files downloaded for FirePOWER Management Center
When I tried to upgrade the Management Center from 5.3.0.2 to 5.4.0, it gave me this error message. I had to download and install the 5.3.1 upgrade package first.
Please note you need the “Upgrade” package instead of “Patch” when jumping to a different major release.
Start Upgrading FirePOWER sensors and the Management Center
Important: You must follow the correct order mentioned in the previous section. The sequence is important; otherwise you will either be unable to upgrade or lose connectivity to one or more devices.
Click the install icon on the Updates page. If no other issues are present, the upgrade will start and you can view the status in the job queue. The device will need to reboot when upgrading to major releases. I witnessed about 30 seconds of network connectivity loss while the sensors rebooted, even though they are configured “fail-open”. A FirePOWER Management Center reboot does not cause a network outage.
The upgrade job will go through file integrity checks, DB verification and so on. The entire process per major release upgrade took me about 30-40 minutes to complete. If you are upgrading to the latest code and have to go through a few intermediate major releases, make sure you plan at least 2 to 4 hours of maintenance window.
If you are using ASDM to upgrade the sensors, the process is the same. You’ll find the UI is the same as well. I recommend upgrading each sensor by going directly to its own browser-based management console at https://IP/ . The ASDM is just a nice wrapper around it and can add delay and potential issues.
In this article I walked through how to upgrade the SourceFire FirePOWER FireSIGHT Management Center and the sensors. As you have seen, the key is to follow the correct order, upgrading to one or more intermediate major releases and working towards the final version you want to get to. You cannot jump across major releases.
Very nice information ..!!
Jack, can you please share your ideas on deploying the physical Firepower 8000 series? Eventually I have a fair idea with ASA; I only need to know if there is any extra overhead of configuration or any new or different requirement when using a physical appliance. I will be glad to talk to you in this context.
Thanks
Surjeet
Hi Surjeet,
Deploying physical FirePower appliances would follow the same concept as deploying on ASA or VM. It only gets easier in my opinion because you’ll have dedicated management NIC and data port groups to deal with. Instead of using “service-policy” to route traffic internally to the FirePower module on the ASA for inspection, you use Ethernet cables! I would recommend configuring the physical appliance in L2 mode, and it does not participate in your network routing. You may also configure “fail-open” in case the hardware fails.
If you have additional questions, please send me a message using the contact page and I’ll be happy to walk you through the process. Cheers.
Hello Sir,
I have two Firesight Management Centers installed in our production environment. FMC-01 has Malware and URL filtering licenses, but FMC-02 does not. I also have SFR 6.2.3 installed in an ASA 5525-X firewall. The point is that I want to register the firepower device in FMC-01, but its version is 6.2.2. Could you please tell me how to upgrade?
I uploaded the 6.2.3 Sourcefire DC upgrade file to FMC-01; while installing, it gives me an error as follows:
No valid appliances available for Sourcefire 3D Defense Center S3 Patch 6.2.3.13-53
This update is intended for software versions greater than or equal to 6.2.3 and less than 6.2.3.13-53
Need your help, please
Esmatullah,
Your FMC must have a greater code version than the Firepower appliances. I’d recommend upgrading the FMC to code 6.3.x first. Then you’ll follow the steps to push the code updates to the Firepower devices. The upgrade may be incremental, which means you may need to upgrade the Firepower devices through multiple smaller code updates before getting them to the latest. Cisco’s release notes have the information.
Hi Jack,
Thank you for your knowledge sharing. I have some questions related to FirePower and FireSight upgrading.
Target: Upgrade both Firepower and FireSight to 6.0.1.2(5.3.1->6.0.0->6.0.1.2)
Background:
Product:5585-X with FirePOWER service
FirePower Version: v5.3.1
FireSight Virtual Appliance: Waiting the VM to install
In order to upgrade from 5.3.1 to 6.0.0
Step 1: upgrade the firepower, the following cmds show “Requires reboot: Yes”
Will this reboot cause ASA production outage?
Reimage SFR on ASA will cause ASA reboot and production outage.
===================================================================
asasfr-boot> system install file.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-FirePOWER xxxxx System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
===================================================================
Step2: Install FireSight Virtual 6.0.0 on VM Server.
Can I monitor Firepower v5.3.1 on firesight 6.0.0? And then use firesight Mgmt Centre 6.0.0 to upgrade FirePower from 5.3.1 to 6.0.0?
Step 3: upgrading FirePower 6.0.0 to 6.0.1.2, and then FireSight 6.0.0 to 6.0.1.2
Do you have any (quicker and safer) procedures to suggest?
3.1 upgrade FirePower 6.0.0 to 6.0.1.2 by using console CLI on SFR
3.2 Upgrade FireSight 6.0.0 to 6.0.1.2 by using GUI
I am wondering, is it possible to upgrade FirePower 6.0.0 to 6.0.1.2 on Mgmt Centre?
Many questions, I hope you are available to answer my questions. Many thanks.
Best wishes,
Pat
Step 1: Will this reboot cause ASA production outage?
This process only reboots the FirePower engine running on top of the ASA code. In theory it should not cause service interruption. However, it is recommended that you always do the major code update inside a maintenance window to avoid accidental outages.
Step2: Can I monitor Firepower v5.3.1 on firesight 6.0.0?
No. The FMC can only manage one version older than the version it is running on. Follow the sequential update process outlined in this article and you’ll be fine.
Step 3: upgrading FirePower 6.0.0 to 6.0.1.2, and then FireSight 6.0.0 to 6.0.1.2
Do you have any (quicker and safer) procedures to suggest?
No, you need to upgrade in small steps to ensure the database structure is updated.
Is it possible to upgrade FirePower 6.0.0 to 6.0.1.2 on Mgmt Centre?
Yes. One of the benefits of using the FMC is that you can manage all the remote Firepower instances centrally, without having to touch individual Firepower sensors every time.
Hope it is helpful.
really appreciate your help, Jack!!!
After understanding your information.
step1. upgrade Firepower v5.3.1 -> v6.0.0
Reboot SFR
step2. upgrade Firepower v6.0.0 -> v6.0.1.2
Reboot SFR
step3. install FireSight 6.0.0 Virtual Appliance on VM
Reboot FS
step4. upgrade FireSight 6.0.0 ->6.0.1.2
Reboot FS
Step5. Add Firepower appliances on FireSight
Best Wishes,
Patrick
Dear Jack,
I have another question about firepower module upgrade (from 5.3->5.4->6.0->6.0.1)
I’ve just installed 6.0.1 FireSight and good status.
But my firepower is still in 5.3.1 version (Under production ASA network)
After checking Cisco website,
On ASA:( the reimage progress will cause ASA reload)
So do you have any reference to guide me in upgrading the firepower module without asdm-FMC/firesight/asa-reimage reboot?
———————————————————-
ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall
ciscoasa# reload
ciscoasa# sw-module module sfr uninstall
ciscoasa# copy http:///asasfr-5500x-boot-5.3.1-152.img
disk0:/asasfr-5500x-boot-5.3.1-152.img
ciscoasa# sw-module module sfr recover configure image disk0:/file_path
———————————————————————————————–
==========================================================
At the moment, I can use the console to log in to firepower (ASA-5585X) as follows,
===========================================================
Sourcefire Linux OS v5.3.1 (build 60)
Sourcefire ASA5585-SSP-10 v5.3.1 (build 155)
>
configure Change to Configuration mode
end Return to the default mode
exit Exit this CLI session
expert Invoke a shell
help Display an overview of the CLI syntax
history Display the current session’s command line history
logout Logout of the current CLI session
show Change to Show Mode
system Change to System Mode
============================================================
But I cannot find the cmd “System install XXXXX”
There is cmd “system file copy”
——————————————
system file ? // I hope “system file copy” is the way to copy the upgrade file from ftp.
copy Transfer files via FTP
delete Delete file(s)
list List file(s)
secure-copy Transfer files via SCP
———————————————-
cmds from Cisco
———————————————-
asasfr-boot >system install http:///asasfr-sys-5.3.1-152.pkg
Verifying
Downloading
Extracting……………….
Many Thanks,
Patrick
Pat,
To upgrade the FirePower code, I recommend doing it in GUI mode. Ideally it should be done through the Management Center in the incremental order specified in this article. You have mentioned that you have upgraded the Management Center to 6.x code. It may not support working with the much lower version (5.3.x) FirePower. You’ll need to use FirePower’s standalone management UI under ASDM to upgrade. Make sure you update the ASA image and ASDM to more recent revisions to support the latest 6.x FirePower code first. Regardless, it will be a major update to your ASA. Multiple reboots are expected, so a maintenance window will be required.
Thanks for your kind and useful response.