The Cisco FirePower 1010 appliance (FP1010, successor to the ASA5506 which can run FTD 6.3 and higher) has finally become available. As I am relocating to a new home, it was time to replace my trusty 5506-X with the FP1010 and get a new fresh start with FTD. Since FTD 6.5 is just out, and it enables the switchports on the FP1010, it was time to upgrade the appliance. In this post I will share my method of upgrading the FP1010 to the latest version, 6.5.

Time to get started with the upgrade. In this blog post I assume the FP1010 appliance has never been booted and has just been unboxed. You need to have the following items:
- Laptop with FTP/SCP/SFTP server (TFTP is possible, I had issues with USB); I used my MacBook Pro for this
- Laptop connected to the management interface of the FP1010
- The upgrade image, in my case: cisco-ftd-fp1k.6.5.0-115.SPA
Firepower architecture
Firepower appliances are really a different platform from the trusty old ASA platform. One of the architectural differences is that the appliance runs FXOS as the operating system, and the security service you want to run (FTD or ASA) is installed on top of it as an instance. The best comparison is VMware running virtual services. In its command set, FXOS looks a lot like the NFVIS operating system that runs on the ENCS series. It is based on the UCS platform and uses quite a different CLI than you are familiar with in the ASA world.
On the larger appliances (FP4100 and FP9300) FXOS and the security instances are separated, which means that you first configure FXOS and then load the security instance on it. The smaller Firepower appliances, such as the FP2100, FP1100 and FP1000 series, have FXOS and the security instance bundled in a single release. This means that you always run a specific FXOS version together with a specific ASA or FTD version.
Once you have everything ready, the following steps can be used to upgrade the FP1010 appliance:
1. Connect the console of the FP1010 to the laptop and power on the appliance
2. Connect a network cable from the mgmt interface to your laptop
3. Wait until the FP1010 is booted. Once it’s booted, the console will show:
firepower#
4. Type the command “connect ftd” and run through the initial setup wizard. If you do not accept the EULA and run through the setup, the network somehow does not work as expected and you cannot download the software. And yes, that took me some hours to figure out…
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
End User License Agreement
Effective: May 22, 2017
*** SNIP ***
Please enter 'YES' or press to AGREE to the EULA: YES
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password:
Confirm new password:
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]:
Enter an IPv4 netmask for the management interface [255.255.255.0]:
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]:
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
Setting DNS servers: 208.67.222.222 208.67.220.220
No domain name specified to configure.
Setting hostname as firepower
DHCP server is enabled with pool: 192.168.45.46-192.168.45.254. You may disable with configure network ipv4 dhcp-server-disable
Setting static IPv4: 192.168.45.45 netmask: 255.255.255.0 gateway: data on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: yes
Configuring firewall mode to routed
Update policy deployment information - add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.
5. After the setup, the console will have a very empty prompt: “>”. Now type exit. The prompt will now look like firepower#
6. Enter the firmware scope with scope firmware. The prompt changes to firepower /firmware #
7. Download the image from your laptop:
download image sftp://userid@iplaptop/path/to-image/cisco-ftd-fp1k.6.5.0-115.SPA
I have used:
download image sftp://myuserid@192.168.45.46/Users/myuserid/Downloads/cisco-ftd-fp1k.6.5.0-115.SPA
The console will now prompt for your password and then it will initiate a download task:
firepower /firmware # download image scp://myuserid@192.168.45.46:/Users/myuserid/Downloads/cisco-ftd-fp1k.6.5.0-115.SPA
Password:
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
You can use “show download-task detail” to show the details of the transfer, which has output like:
Download task:
File Name: cisco-ftd-fp1k.6.5.0-115.SPA
Protocol: Sftp
Server: 192.168.45.46
Port: 0
Userid: myuserId
Path: /Users/myuserId/Downloads
Downloaded Image Size (KB): 59264
Time stamp: 2019-10-07T06:48:09.268
State: Downloading
Status: Downloading the image
Transfer Rate (KB/s): 29632.000000
Current Task: downloading image cisco-ftd-fp1k.6.5.0-115.SPA from 192.168.45.46(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
However, if there is a failure, it will only show “failed”. I found out that the command show event provides much more information, but it requires a bit of decoding. The following output is from a successful download:
Creation Time            ID       Code     Description
------------------------ -------- -------- -----------
2019-10-07T06:48:09.269 27339 E4195702 [FSM:STAGE:END]: (FSM-STAGE:sam:dme:FirmwareDownloaderDownload:begin)
2019-10-07T06:48:09.269 27340 E4195703 [FSM:STAGE:END]: checking pending management network config(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:CheckPendingNetworkConfig)
2019-10-07T06:48:09.269 27341 E4195704 [FSM:STAGE:ASYNC]: downloading image cisco-ftd-fp1k.6.5.0-115.SPA from 192.168.45.46(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
And this is the event from a failed download:
2019-10-07T06:47:40.120 27329 E4195706 [FSM:STAGE:REMOTE-ERROR]: Result: end-point-failed Code: ERR-DNLD-no-file Message: No such file#(sam:dme:FirmwareDownloaderDownload:DeleteLocal)
It tells you it couldn’t find the file. The show event command is quite handy. Once the download is completed, the show download-task detail command would look like this:
Download task:
File Name: cisco-ftd-fp1k.6.5.0-115.SPA
Protocol: Sftp
Server: 192.168.45.46
Port: 0
Userid: nefkensp
Path: /Users/nefkensp/Downloads
Downloaded Image Size (KB): 1031174
Time stamp: 2019-10-07T06:48:09.268
State: Downloading
Status: validating and unpacking the image
Transfer Rate (KB/s): 32224.187500
Current Task: unpacking image cisco-ftd-fp1k.6.5.0-115.SPA on primary(FSM-ST
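Because the show event table needs a bit of decoding, here is a small parser for it, added as an example and not part of the original post. It turns each line into a structured event and pulls the error code and message out of REMOTE-ERROR lines, so a transfer that show download-task only reports as “failed” gets an explanation. The sample input is constructed from the two captures above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the FXOS 'show event' table above; not a live capture.
SAMPLE_EVENTS = """\
Creation Time            ID       Code     Description
------------------------ -------- -------- -----------
2019-10-07T06:47:40.120 27329 E4195706 [FSM:STAGE:REMOTE-ERROR]: Result: end-point-failed Code: ERR-DNLD-no-file Message: No such file#(sam:dme:FirmwareDownloaderDownload:DeleteLocal)
2019-10-07T06:48:09.269 27339 E4195702 [FSM:STAGE:END]: (FSM-STAGE:sam:dme:FirmwareDownloaderDownload:begin)
2019-10-07T06:48:09.269 27340 E4195703 [FSM:STAGE:END]: checking pending management network config(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:CheckPendingNetworkConfig)
2019-10-07T06:48:09.269 27341 E4195704 [FSM:STAGE:ASYNC]: downloading image cisco-ftd-fp1k.6.5.0-115.SPA from 192.168.45.46(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
"""

# One event per line: <time> <id> <code> [FSM:STAGE:<stage>]: <description>
EVENT_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<id>\d+)\s+(?P<code>E\d+)\s+"
    r"\[FSM:STAGE:(?P<stage>[A-Z-]+)\]:\s*(?P<desc>.*)$"
)
# Inside a REMOTE-ERROR description: 'Code: ERR-... Message: ...#(fsm path)'
ERROR_RE = re.compile(r"Code:\s*(?P<errcode>\S+)\s+Message:\s*(?P<msg>.*?)#?\(")

@dataclass
class FsmEvent:
    time: str
    event_id: int
    code: str
    stage: str                    # END, ASYNC, REMOTE-ERROR, ...
    description: str
    error_code: Optional[str] = None
    error_message: Optional[str] = None

def parse_show_event(text: str) -> List[FsmEvent]:
    """Parse 'show event' output into events; header and separator lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = FsmEvent(m["time"], int(m["id"]), m["code"], m["stage"], m["desc"])
        if ev.stage == "REMOTE-ERROR":
            err = ERROR_RE.search(ev.description)
            if err:
                ev.error_code, ev.error_message = err["errcode"], err["msg"].strip()
        events.append(ev)
    return events

def download_errors(events: List[FsmEvent]) -> List[str]:
    """Return 'ERR-code: message' for each remote error, i.e. why a transfer 'failed'."""
    return [f"{e.error_code}: {e.error_message}" for e in events if e.stage == "REMOTE-ERROR"]
```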
8. Now that the software is downloaded, it is time to verify that the package is available. Use the command show package to check for that:
firepower /firmware # show package
Name Package-Vers
--------------------------------------------- ------------
cisco-ftd-fp1k.6.4.0-102.SPA 6.4.0-102
cisco-ftd-fp1k.6.5.0-115.SPA 6.5.0-115
9. Now that the package is available, let’s install it. Go to the subscope auto-install:
firepower /firmware # scope auto-install
firepower /firmware/auto-install #
10. Install the package via the install security-pack version command:
firepower /firmware/auto-install # install security-pack version 6.5.0-115
The system is currently installed with security software package 6.4.0-102, which has:
- The platform version: 2.6.1.133
- The CSP (ftd) version: 6.4.0.102
If you proceed with the upgrade 6.5.0-115, it will do the following:
- upgrade to the new platform version 2.7.1.107
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes
Triggered the install of software package version 6.5.0-115
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
11. Now let’s wait for the upgrade or use the “show” command to check the status:
firepower /firmware/auto-install # show
Firmware Auto-Install:
    Package-Vers Oper State                   Upgrade State
    ------------ ---------------------------- -------------
    6.5.0-115    Scheduled                    Ready
firepower /firmware/auto-install #
12. After waiting some 20-30 minutes, FTD has been upgraded. Congratulations!
9 Responses
Hi!
Hope you are doing great! I need to know if this can be performed via SSH and without losing its IP address or config?
In other words, can I SSH to the device again after the reboot?
thank you!
Hello Angel,
Yes, if memory serves right, the IP address of management is saved, unless you do a clean config / factory reset that includes a reimage of FXOS.
Hello,
I was wondering if you’ve had any experience upgrading the device using the Firepower Device Manager via web browser after it has been deployed and fully setup?
I would like to avoid going back to factory settings and using your method if possible. Using the FDM I keep getting an error “You must deploy all uncommited changes before starting a system upgrade.” but there are no pending changes or tasks. There is no mention of this in the Cisco forums and I have found no reference to it elsewhere.
Thanks!!
Hello,
Yes, I have also upgraded several FPs using FDM. Have you checked what happens when you hit deploy? With some intelligence feeds, like the VDB, there is no direct change in config, but you still need to deploy them.
Also, are you running an HA setup? If so, check the standby FDM to see if there is a deployment pending there. I had one issue there once: I had to do a failover, then the ability to deploy appeared, and after that I could update.
HTH
Pieter-Jan
Hi,
I have the management network configured on an ASA interface. I am migrating it to an FTD 1010. How can I make a data interface act as the management interface as well, and serve as the gateway for all management of inside devices?
Also, I am not able to see the add subinterface option in FDM under devices-interfaces.
Hello,
After you have run the initial setup, you can add remote ssh and https hosts that are allowed access via FDM.
With regards to your second question, make sure the interface is a routed interface. The FP1010 can have both L2 interfaces (they don’t support subinterfaces, but you can assign VLAN interfaces) and L3/routed interfaces.
Hello,
Thanks for the quick reply. I cannot find any pending changes, so the “deploy” does not appear. There are no VDB or security feeds pending and any scheduled updates have been deleted. I am not running an HA setup.
Any other ideas?
Thanks again!
If the deploy is not there, you can “trick” FDM. Go and add a never-hitting ACL entry or change a log setting, save and deploy.
Hi,
Thanks for the advice – “tricking” the FDM by forcing a deploy worked perfectly.