How to Upgrade Systems with Cisco Secure Firewall ASA (FirePOWER)
Cisco Secure Firewall ASA is an integrated suite of network security and traffic management products. It can be deployed either on purpose-built platforms or as a software solution. It is engineered to help you handle network traffic while complying with your organization’s security policies.
In a typical deployment, multiple traffic-sensing managed devices installed on network segments monitor traffic for analysis and send reports to managers such as the Firepower Management Center, Firepower Device Manager, and Adaptive Security Device Manager (ASDM). These managers offer a centralized management console with a GUI. You can use this interface to carry out administrative, management, analysis, and reporting tasks.
In this guide, we will help you upgrade the Cisco ASA Firepower module using ASDM. This post is based on the upgrade guide shared by Cisco. So, everything you will read here is stated by Cisco experts.
Important Note:
Before you upgrade firewall appliances, you must be aware of how traffic flow and inspection can be affected when you reboot a device, upgrade the device software, OS, or virtual hosting environment, uninstall or revert the device software, move a device between domains, or deploy configuration changes.
So, it is strongly recommended to upgrade your firewall module only when any interruption will have the least impact on your deployment.
The Procedure to Upgrade Firepower Module with ASDM
While the upgrade is in progress, you must not make any configuration changes, manually reboot, or shut down the module. You must not restart the upgrade process even if it appears inactive during pre-checks. If you encounter any issues with the upgrade or find the appliance unresponsive, contact Cisco TAC.
Here are the steps to upgrade Cisco Firepower Module:
- First of all, ensure that you are running a supported version of ASA. You will find most ASA and ASA Firepower versions compatible. Even if an ASA upgrade is not strictly required, you may need one to resolve issues. To sequence the ASA Firepower module upgrade correctly, check the ASA upgrade procedures for standalone, failover, and clustering scenarios. As per Cisco experts, even if you are not upgrading ASA software, you should still refer to the ASA failover and clustering upgrade guides so that you can perform a failover or disable clustering on a unit before the upgrade to avoid traffic loss. In the case of a cluster, you should upgrade each secondary unit serially and then upgrade the primary unit.
- Get the upgrade package; you should download it directly from the Cisco Support & Download site. Otherwise, you may get a corrupted package.
- Then, connect ASDM to the ASA appliance and upload the upgrade package as follows:
  - Go to Configuration > ASA FirePOWER Configuration > Updates.
  - Click Upload Update, choose the file, and upload.
- Now, to avoid any failure, deploy pending configuration changes. During this process, you may see a small number of packets dropped without inspection due to increased resource demands. Some configuration deployments restart Snort, which interrupts traffic inspection. Depending on how your device handles traffic, this may also interrupt traffic until the restart completes.
- When upgrading to Version 6.1.0 through 6.3.0.x, you must disable the ASA REST API. Otherwise, the upgrade will fail. You can use the CLI on the ASA to disable the REST API. To disable it, use the command no rest-api agent; to re-enable it after the upgrade, use the command rest-api agent.
- Go to Monitoring > ASA FirePOWER Monitoring > Task Status to confirm that any running tasks are complete. Tasks that are still running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.
- Go to Configuration > ASA FirePOWER Configuration > Updates. Click the install icon beside the upgrade package you uploaded. Confirm that you want to upgrade and reboot the module. Depending on how the module is configured, traffic either drops or traverses the network without inspection.
- Continue to monitor the upgrade process on the Task Status page and don’t make any configuration changes to the module while the upgrade is in progress. Unless the page indicates that the upgrade has failed, you must not restart the upgrade or reboot the module, even if the upgrade shows no progress for several minutes.
- Once the upgrade completes, you can reconnect ASDM to the ASA.
- Go to Configuration > ASA FirePOWER Configuration. Click Refresh so that the interface does not exhibit unexpected behavior.
- Go to Configuration > ASA FirePOWER Configuration > System Information and ensure that the module has the correct software version.
- If a newer intrusion rule update or vulnerability database is available on the Support Site, install the newer version.
- Complete any configuration changes post-upgrade and redeploy configurations.
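The REST API and cluster-order steps above can be checked before the maintenance window starts. The Python script below is an added example, not Cisco's code or part of the original guide; the function names, the sample configuration text, and the assumption that an enabled agent appears as a bare rest-api agent line in the running configuration are all illustrative.

```python
# Added example: pre-upgrade check for the ASA REST API step (not Cisco code).
REST_API_MIN = (6, 1, 0)   # page: upgrades to 6.1.0 ...
REST_API_MAX = (6, 3, 0)   # ... through 6.3.0.x need the REST API disabled

# Constructed sample of running-config text; hostname and image name are made up.
SAMPLE_CONFIG = """\
hostname edge-asa-01
rest-api image disk0:/rest-api-image-placeholder.bin
rest-api agent
"""

def parse_version(text):
    """'6.2.3.18' or '6.3.0-83' -> (6, 2, 3, 18) / (6, 3, 0); build suffix dropped."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def target_requires_rest_api_off(target):
    """True when the target version lies in 6.1.0 through 6.3.0.x."""
    return REST_API_MIN <= parse_version(target)[:3] <= REST_API_MAX

def rest_api_agent_enabled(running_config):
    """Assumption: an enabled agent shows up as a bare 'rest-api agent' line.
    'no rest-api agent' and 'rest-api image ...' lines do not count."""
    return any(line.strip().lower() == "rest-api agent"
               for line in running_config.splitlines())

def preflight(target, running_config):
    """Findings that have to be cleared before clicking install."""
    findings = []
    if target_requires_rest_api_off(target) and rest_api_agent_enabled(running_config):
        findings.append("REST API enabled: run 'no rest-api agent' before the "
                        "upgrade, 'rest-api agent' after it")
    return findings

def cluster_upgrade_order(roles):
    """roles maps unit name -> 'primary' or 'secondary'; secondaries go first,
    one at a time, and the primary last."""
    primaries = [u for u, r in roles.items() if r == "primary"]
    if len(primaries) != 1:
        raise ValueError("expected exactly one primary unit")
    return sorted(u for u, r in roles.items() if r == "secondary") + primaries

if __name__ == "__main__":
    print(preflight("6.2.3.18", SAMPLE_CONFIG))
    print(cluster_upgrade_order({"asa-a": "primary", "asa-b": "secondary", "asa-c": "secondary"}))
```
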
If you manage the ASA Firepower module by using Firepower Management Center, you should upgrade the Management Center before upgrading the module. For that, there are two options. Depending on what you use, you may need to upgrade either:
- A standalone Secure Firewall Management Center, or
- High availability Firepower Management Centers
Each of them has different procedures. So, upgrade accordingly. You can find the steps to upgrade both of them on the Cisco Support website.