I have had a few people ask me what to expect when upgrading their Cisco Firepower deployments from 5.4 to 6.0. I went ahead and upgraded both my ASA 5506x using ASDM and ASA 5512x using the FireSIGHT centralized manager. Here is a breakdown of my experience. I also posted about the new Firepower 6.0 features HERE.
First off, it is important to always read the documentation when you perform an upgrade. One major item that isn’t made clear in the release notes is the fact that Cisco Firepower 6.0 doesn’t support FireSIGHT high availability. This means if you have two managers configured in a HA cluster, you should stay on 5.4 and wait for the 6.01 patch scheduled to be released shortly.
If you decide to upgrade to 6.0, the first step is to download the appropriate upgrade file. You will not find the file under ASDM or FireSIGHT when going to the upgrade section and clicking the download updates button. That button is for minor release updates such as 5.4.0 to 5.4.1. You must download 6.0 directly from Cisco.com and upload it as I’ll be showing in this post. You will see in my ASA5506x example that I used the download updates button to go from 5.4.1 to 5.4.3 before uploading the 6.0 file I obtained from Cisco.com.
FireSIGHT Virtual Manager 5.4.1 Upgrade To 6.0
I started off upgrading my FireSIGHT manager. This means I needed the FireSIGHT 6.0 upgrade file called Sourcefire_3D_Defense_Center_S3_Upgrade-6.0.0-1005.sh. The file is pretty big so it took almost an hour to download. Once downloaded, I logged into my FireSIGHT manager, clicked updates and selected to upload this file. Once uploaded, it appeared as an upgrade option as shown in the next image.
Next I selected the package image next to the 6.0 update that states a reboot will be required followed by YES. If the file is corrupt, you will get a corrupt message when you attempt to launch the upgrade (I had that happen in the past). If the upgrade file is good, you will see the install page as shown. The first attempt I made failed because my FireSIGHT VM didn’t have enough memory. I found out by clicking the running task menu after I launched the upgrade and saw my upgrade task failed as shown. BUMMER. So I had to shut down my FireSIGHT VM, add more memory, fire it back up and go through the launch process again.
This time it worked. After the upgrade task completed, my system rebooted. Now my manager was running FirePOWER 6.0 so I was ready to move on to my ASA 5512x running FirePOWER 5.4.1 and upgrade that to 6.0 since it's managed by this FirePOWER manager.
ASA5512X FirePOWER 5.4.1 to 6.0 Upgrade
Next I upgraded my 5512X that is being managed by the FireSIGHT manager.
NOTE: A FireSIGHT manager can only manage one version older than the version it's running. If my FirePOWER version on the 5512x was 5.3 or lower, my FireSIGHT manager would no longer be able to manage it. Once again, it is important to read the release notes, which state to upgrade all FirePOWER appliances to 5.4 before taking your manager to 6.0. So at this point, my FireSIGHT manager is running 6.0 and my ASA 5512x is running FirePOWER 5.4.3.
To start the upgrade process, I downloaded the ASA5512x Firepower 6.0 upgrade file Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh from cisco.com. Next I went under updates, and selected upload to upload this file. Once uploaded, I selected the package next to the upgrade file to start the upgrade process just like I did with the manager. It took around 40 minutes for the upgrade to complete. So at this point, my FirePOWER manager and sensor were both at 6.0. My last project was upgrading my standalone ASA5506x to FirePOWER 6.0.
ASA 5506 FirePOWER ASDM Upgrade
Now to switch gears, I decided to upgrade my ASA 5506X running FirePOWER 5.4.1 to FirePOWER 6.0 using ASDM versus the centralized manager. Note that I could use my centralized manager to accomplish the same thing; however, I decided to test the upgrade process using ASDM. Also note that only the ASA 5506x, ASA 5508x and ASA 5516x running 5.4.1 have FirePOWER options within ASDM. All other versions of ASAx appliances will have FirePOWER options added to ASDM once they are running FirePOWER 6.0. For example, my ASA 5512x running FirePOWER 5.4.1 did not have FirePOWER management options in ASDM. I had to use a FireSIGHT manager to upgrade to 6.0. Now that the 5512x is running FirePOWER 6.0, I can log into ASDM and there are options to view the status of the FirePOWER services. NOTE though that they will not be available if the ASAx appliance has its FirePOWER stuff managed by a centralized manager. You have to disassociate it and manage the FirePOWER features by itself with ASDM to see configuration options.
So the first step is to log into ASDM and click the configuration tab. If your FirePOWER features are running, you should see the FirePOWER tab options on the left hand side. Before moving forward, I found my core ASA and ASDM were a few versions behind so I used the ASDM upgrade wizard that leverages my Cisco CCO directly from Cisco.com to upgrade both of these. That upgrade took around 15 minutes to complete. Now my ASA was on the latest core ASA code (9.5) and ASDM was on the latest version.
Next I downloaded the Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh file from cisco.com. Once the file downloaded, I went into ASDM, went under the Configure tab, selected the FirePOWER tab on the left, selected updates and upload to upload the upgrade file. This looked the same as when uploading the upgrade file to the centralized FirePOWER manager. The next screenshot shows the 6.0 upgrade file added in ASDM.
I attempted to apply the update but found I was running FirePOWER 5.4.1 on my ASA5506x. This gave me an error message asking that I first upgrade to 5.4.3. BUMMER. I clicked “download upgrades”, which automatically pulled the 5.4.3 file. I applied that upgrade and waited 40 minutes for the upgrade to complete. After a few minutes post reboot, my ASA5506x was now running FirePOWER 5.4.3. I once again attempted to apply the 6.0 upgrade and this time it moved forward. Again, it took around 40 minutes and after the reboot I had my ASA5506x running FirePOWER 6.0.
So that is all there is to it. Another option to get to FirePOWER 6.0 is doing a new install as explained in this post HERE. Note if you go this route, all default passwords are user name admin and password Admin123. They removed all of the “sourcefire” passwords with 6.0. Hope this helps with your upgrade plans.
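The constraints described in this post (no FireSIGHT high availability on 6.0, sensors at 5.4 before the manager moves to 6.0, and the 5.4.3 step before 6.0) can be checked against an inventory before starting. The following Python script is an added example, not Cisco tooling or code from the original post; the function names and the inventory are constructed, and applying the 5.4.3 prerequisite to every sensor is an assumption.

```python
# Added example: pre-flight check for a 5.4 -> 6.0 upgrade, using only the
# constraints described in this post. Names and inventory are constructed.

def parse(version):
    """'5.4.1' -> (5, 4, 1); missing components are padded with zeros."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def plan_upgrade(manager, sensors):
    """Return (blockers, steps) for taking a manager and its sensors to 6.0.

    manager: {"version": str, "ha": bool}
    sensors: list of {"name": str, "version": str}
    """
    blockers, steps = [], []
    # From the post: 6.0 does not support FireSIGHT high availability.
    if manager["ha"]:
        blockers.append("manager is in an HA pair: stay on 5.4")
    # From the post: a manager only manages one version older than its own,
    # so every sensor must be on 5.4 before the manager goes to 6.0.
    for s in sensors:
        if parse(s["version"])[:2] < (5, 4):
            blockers.append(f"{s['name']} is on {s['version']}: upgrade to 5.4 first")
    if blockers:
        return blockers, steps
    if parse(manager["version"]) < (6, 0, 0):
        steps.append("manager: upload and install the 6.0 upgrade file")
    for s in sensors:
        v = parse(s["version"])
        if v >= (6, 0, 0):
            continue  # already upgraded
        # Assumption: the 5.4.3 prerequisite the post hit on the ASA 5506x
        # is applied to every sensor here.
        if v < (5, 4, 3):
            steps.append(f"{s['name']}: update {s['version']} -> 5.4.3")
        steps.append(f"{s['name']}: upload and install the 6.0 upgrade file")
    return blockers, steps

if __name__ == "__main__":
    # Constructed inventory for illustration.
    mgr = {"version": "5.4.1", "ha": False}
    fleet = [{"name": "sensor-a", "version": "5.4.3"},
             {"name": "sensor-b", "version": "5.4.1"}]
    blockers, steps = plan_upgrade(mgr, fleet)
    for line in blockers or steps:
        print(line)
```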