Cisco 4110 Platform - Upgrade an HA Pair

"The What?" - In this post I am going to share how to properly upgrade a pair of 4110 units running FTD as an HA pair (Active/Standby). I will cover upgrading FXOS, FTD, FMC, & even the chassis firmware.


"The Why?" - It took me some time to figure out the correct order of operations, so I want to share a blueprint for success that has helped me learn & succeed. Plus, keeping software/firmware current is critical for security (vulnerability fixes ship in these releases) & compliance reasons.


"The How?" - Let's start with a high level overview of the upgrade process. I will give two overviews: one without a firmware upgrade & one including the firmware upgrade. It is critical to understand the order of operations. Note that all software is downloaded from Cisco; before starting, verify each downloaded image against the checksum published on the download page & check Cisco's compatibility guide for a supported upgrade path for your FXOS/FTD/FMC combination.


High level overview of upgrade process (with firmware upgrade):

  • Upgrade FMC first

  • Upgrade FXOS on standby unit

  • Upgrade firmware via CLI on standby 4110 unit

  • Fail over to the standby unit after its FXOS & firmware have been upgraded & its FTD is back online

  • Upgrade FXOS on primary (now standby) 4110 chassis

  • Upgrade firmware via CLI on the primary (now standby) unit

  • Upgrade FTD via FMC


High level overview of upgrade process (without firmware upgrade in the mix):

  • Upgrade FMC First

  • Upgrade FXOS on standby unit

  • Fail over to the standby unit after its FXOS has been upgraded & its FTD is back online

  • Upgrade FXOS on primary (now standby) 4110 chassis

  • Upgrade FTD via FMC
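The two things the overview says to do before anything is uploaded, verifying the downloads & sanity-checking the planned versions, are easy to script. The following is an added example & is not code from the original post or from Cisco. It checks each downloaded bundle against the SHA512 digest you copy from Cisco's software download page, & enforces the rule that FMC must run the same or a newer release than the FTD it manages (which is why FMC is upgraded first). The file paths, digests & version strings are supplied by the operator; nothing here talks to Cisco or to a device.

```python
"""Pre-upgrade checks for a Firepower 4110 FXOS/FTD/FMC upgrade.

Added example, not code from the original post or from Cisco. The expected
SHA512 digest is the value shown on Cisco's software download page; the
version strings are whatever your download page and compatibility guide say.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path


def sha512_of_file(path: str | Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte FXOS/FTD bundles are not read into memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path: str | Path, expected_sha512: str) -> bool:
    """True only if the file's SHA512 equals the digest copied from the download page.

    Case-insensitive, because the download page prints lowercase hex while some
    local tools print uppercase. A malformed digest is an operator error, so it
    raises rather than silently returning False.
    """
    expected = expected_sha512.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{128}", expected):
        raise ValueError("expected_sha512 must be 128 hex characters")
    return sha512_of_file(path) == expected


def parse_version(text: str) -> tuple[int, ...]:
    """'7.0.1' -> (7, 0, 1); tolerates a build suffix such as '7.0.1-84'."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def fmc_can_manage(fmc_version: str, ftd_target_version: str) -> bool:
    """FMC must be at the same or a newer release than the FTD version it will push."""
    return parse_version(fmc_version) >= parse_version(ftd_target_version)


def preflight(images: dict[str, tuple[str, str]], fmc_version: str, ftd_target: str) -> list[str]:
    """Return a list of problems; an empty list means it is safe to start uploading.

    images maps a label (e.g. 'fxos', 'ftd', 'fmc') to (local path, expected sha512).
    """
    problems: list[str] = []
    for label, (path, expected) in images.items():
        if not Path(path).is_file():
            problems.append(f"{label}: file {path} not found")
        elif not verify_image(path, expected):
            problems.append(f"{label}: SHA512 mismatch for {path}; re-download before uploading")
    if not fmc_can_manage(fmc_version, ftd_target):
        problems.append(
            f"FMC {fmc_version} is older than the FTD target {ftd_target}; upgrade FMC first"
        )
    return problems
```

Run preflight() once with every bundle you intend to upload; a non-empty result means stop, because a corrupted or substituted image is far cheaper to catch on the jump host than after FXOS has started installing it.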

Detailed example of the upgrade process including the firmware upgrade:


Upgrading FMC:

  • Log in to FMC & navigate to Product Updates (settings wheel (top right)->Updates), then upload the FMC software via the blue upload button

  • Once the upload is complete, hover over the install icon in the last column on the right & initiate the upgrade

  • After the upgrade you will need to re-deploy policy to the FTD apps

Upgrading FXOS on 4110 Chassis:

  • Log in to FCM (Firepower Chassis Manager) on the chassis you are upgrading & navigate to Updates (System->Updates)

  • Upload the new FXOS software

  • Once the upload is complete, click the upgrade button in the right column


Note: The FXOS upgrade, which in my experience takes 20-25 minutes, reboots the chassis. Once the chassis is back up, FTD needs to come back online (check in FCM or FMC) before proceeding further.


Upgrading 4110 chassis firmware:

  • Upload firmware onto the chassis via FCM

Note: Once you upload the firmware you will not be able to see it within FCM, since the firmware upgrade must be conducted via the FXOS CLI.

  • SSH to the chassis you are working on (its FXOS management address) & log in with a chassis admin account. In the examples below the prompt shows the chassis hostname (Firepower-chassis here) & changes as you enter each scope.

  • Verify the firmware package is present on the unit:

Firepower-chassis# scope firmware                      --Enter firmware mode
Firepower-chassis /firmware # show package            --Confirm the uploaded firmware package is listed

  • Now that you have confirmed the firmware is present, enter firmware-install mode & kick off the install. Use the package version shown by show package; 1.0.19 is the version used in this example:

Firepower-chassis /firmware # scope firmware-install   --Enters firmware install mode
Firepower-chassis /firmware/firmware-install # install firmware pack-version 1.0.19   --Kicks off the install

  • Verify/monitor the install process:

Firepower-chassis /firmware/firmware-install # show detail   --Monitor the upgrade

  • The chassis reboots to apply the firmware & your SSH session will drop. Once it is back up, reconnect & verify the upgrade succeeded:

Firepower-chassis# scope chassis 1
Firepower-chassis /chassis # show sup version



Note: Per Cisco, the ROMMON version & the firmware package version do not always line up, so do not treat a mismatch between the two numbers as a failed install.


Initiating 4110 chassis Failover from within FMC:

  • Log in to the FMC that manages the pair & navigate to Device Management (Devices->Device Management)

  • Initiate the failover by clicking 'Switch Active Peer' on the HA pair within Device Management

Note: prior to the failover the following should be complete:

  • FMC upgrade

  • FXOS upgrade on standby unit

  • Firmware upgrade on standby unit

  • FTD is online on standby unit (Can monitor via FMC or FCM)
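The checklist above is really a small state machine, & it is worth writing down as one, because the costly mistake is failing over (or starting the FTD upgrade) before the standby is actually ready. The following is an added example & is not code from the original post or from Cisco. Given the current FMC version, the state of each chassis, & the target versions, next_step() names the single next action from the blueprint & refuses to recommend the failover until the standby chassis has finished FXOS (& firmware, when one is planned) & its FTD is back online; simulate() walks the whole sequence in memory. Unit names & version strings in the usage are constructed placeholders; nothing here touches FMC or the chassis, the state is whatever you read off FMC/FCM & type in.

```python
"""Order-of-operations guard for the 4110 HA pair upgrade.

Added example, not code from the original post or from Cisco. Versions are
compared as opaque strings exactly as FMC/FCM display them.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Unit:
    """One 4110 chassis and the FTD application running on it."""
    name: str
    active: bool            # True for the unit FMC currently shows as active
    fxos: str
    firmware: str
    ftd: str
    ftd_online: bool = True


@dataclass
class Target:
    fmc: str
    fxos: str
    ftd: str
    firmware: Optional[str] = None   # None when no firmware upgrade is in the mix


def chassis_done(unit: Unit, target: Target) -> bool:
    """FXOS at target, and firmware at target when a firmware upgrade is planned."""
    if unit.fxos != target.fxos:
        return False
    return target.firmware is None or unit.firmware == target.firmware


def next_step(fmc_version: str, units: list[Unit], target: Target) -> str:
    """Name the next action, or a 'wait'/'stop' reason when the next action is unsafe.

    Order enforced: FMC -> standby chassis (FXOS, then firmware) -> failover ->
    former-active chassis (FXOS, then firmware) -> FTD on the pair via FMC.
    """
    active_units = [u for u in units if u.active]
    if len(units) != 2 or len(active_units) != 1:
        return "stop: expected exactly one active and one standby unit"
    active = active_units[0]
    standby = next(u for u in units if not u.active)

    if fmc_version != target.fmc:
        return f"upgrade FMC ({fmc_version} -> {target.fmc})"

    # Chassis work always happens on whichever unit is currently standby.
    if not chassis_done(standby, target):
        if standby.fxos != target.fxos:
            return f"upgrade FXOS on {standby.name} (standby) via FCM"
        return f"upgrade firmware on {standby.name} (standby) via the FXOS CLI"

    # Standby chassis is finished; the active one is only touched after a role swap,
    # and the swap only happens once the standby's FTD is back online.
    if not chassis_done(active, target):
        if not standby.ftd_online:
            return f"wait: FTD on {standby.name} is not online; do not fail over yet"
        return f"fail over so {standby.name} becomes active (Switch Active Peer in FMC)"

    if any(u.ftd != target.ftd for u in units):
        offline = [u.name for u in units if not u.ftd_online]
        if offline:
            return "wait: FTD offline on " + ", ".join(offline) + "; do not start the FTD upgrade"
        return "upgrade FTD on the HA pair via FMC"
    return "done: verify health, HA sync and policy deployment"


def simulate(fmc_version: str, units: list[Unit], target: Target, max_steps: int = 12) -> list[str]:
    """Drive next_step() against an in-memory copy of the state and return the full sequence."""
    units = [replace(u) for u in units]          # copies; the caller's objects are untouched
    steps: list[str] = []
    while len(steps) < max_steps:
        step = next_step(fmc_version, units, target)
        steps.append(step)
        if step.startswith(("done", "stop", "wait")):
            break
        active = next(u for u in units if u.active)
        standby = next(u for u in units if not u.active)
        if step.startswith("upgrade FMC"):
            fmc_version = target.fmc
        elif step.startswith("upgrade FXOS"):
            standby.fxos = target.fxos
        elif step.startswith("upgrade firmware"):
            standby.firmware = target.firmware
        elif step.startswith("fail over"):
            active.active, standby.active = False, True
        elif step.startswith("upgrade FTD"):
            for u in units:
                u.ftd = target.ftd
    return steps


if __name__ == "__main__":
    # Constructed sample state: unit A active, both chassis at the old releases.
    goal = Target(fmc="2.0", fxos="2.0", ftd="2.0", firmware="1.0.19")
    pair = [Unit("A", True, "1.0", "1.0.18", "1.0"), Unit("B", False, "1.0", "1.0.18", "1.0")]
    for n, step in enumerate(simulate("1.0", pair, goal), 1):
        print(f"{n}. {step}")
```

With a firmware upgrade in the mix the simulation prints the eight-step sequence from the first overview; with firmware=None it prints the six-step sequence from the second. Before each real step, feed next_step() the state you actually see in FMC & FCM; if it answers "wait", the standby is not ready & the failover or FTD upgrade should not be started.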

Repeat the step 'Upgrading FXOS on 4110 Chassis' for the primary (now standby) unit

Repeat the step 'Upgrading 4110 chassis firmware' for the primary (now standby) unit


Upgrade FTD:

Now that FMC has been upgraded & FXOS & firmware have been upgraded on both units, you can proceed with upgrading the FTD instances running on each unit.


The FTD upgrade will be conducted via Firepower Management Center.

  • Log in to FMC & navigate to Product Updates (settings wheel (top right)->Updates), then upload the FTD software via the blue upload button

  • Once the upload is complete, initiate the FTD upgrade via the install button in the right-hand column & select the HA pair

Note: When upgrading an HA pair, FMC upgrades the standby unit first, switches the active role, & then upgrades the former active unit, so the pair keeps passing traffic rather than taking an outage. You can monitor the upgrade status via Tasks (top right).

  • Monitor FTD health status via FMC under Device Management or within FCM

  • Ensure both devices are healthy & the HA pair shows as synced once the upgrade is complete

  • Lastly, verify policy deployment is up-to-date on the FTD apps

That wraps this post up where I cover upgrading firmware/FXOS/FMC/FTD on Cisco's 4110 NGFW platforms. Cheers!
