Cisco Cisco Firepower Management Center 2000
1
Firepower System Release Notes
Important Update Notes
Firepower Management Centers in a High Availability Pair
Support for Firepower high availability returns in Version 6.1.0.
You cannot update Firepower Management Centers in a high availability pair directly to Version 6.1.0. You must break the high availability
configuration before beginning the update path to Version 6.1.0.
configuration before beginning the update path to Version 6.1.0.
Firepower Threat Defense Devices in a High Availability Pair
When you install an update on Firepower Threat Defense devices in a high availability pair, the system updates the devices one at a time. When the
update starts, the system first applies it to the secondary device, which goes into maintenance mode until any necessary processes restart and the
device is processing traffic again. The system then updates the primary device, which follows the same process.
update starts, the system first applies it to the secondary device, which goes into maintenance mode until any necessary processes restart and the
device is processing traffic again. The system then updates the primary device, which follows the same process.
Note that you must install the 6.1 Pre-Installation Package before installing Version 6.1 in order to successfully update Firepower Threat Defense
devices in a high availability pair without breaking the pair. For more information, see the
devices in a high availability pair without breaking the pair. For more information, see the
.
Firepower Threat Defense Device Clustering
When you update clustered Firepower 9300 Firepower Threat Defense devices, the system updates the security modules one at a time—first
secondary modules, then the primary module. Modules operate in maintenance mode while they update.
secondary modules, then the primary module. Modules operate in maintenance mode while they update.
During the primary module update, although traffic inspection and handling continues normally, the system stops logging events. Event logging
resumes after the full update completes.
resumes after the full update completes.
Events for traffic processed during the logging downtime appear with out-of-sync timestamps after the update completes. However, if the logging
downtime was significant, the system may prune the oldest events before they can be logged.
downtime was significant, the system may prune the oldest events before they can be logged.
NOTE:
Upgrading FXOS reboots the Firepower 9300 chassis, dropping traffic until the primary node comes back online.
7000 and 8000 Series Devices in a High Availability Pair
When you install an update on 7000 and 8000 Series devices in a high availability pair, the system updates the devices one at a time. When the
update starts, the system first applies it to the secondary device, which goes into maintenance mode until any necessary processes restart and the
device is processing traffic again. The system then updates the primary device, which follows the same process.
update starts, the system first applies it to the secondary device, which goes into maintenance mode until any necessary processes restart and the
device is processing traffic again. The system then updates the primary device, which follows the same process.
7000 and 8000 Series Stacked Devices
When you install an update on 7000 and 8000 Series stacked devices, the system updates the stacked devices simultaneously. Each device resumes
normal operation when the update completes. Note that:
normal operation when the update completes. Note that:
If the primary device completes the update before all of the secondary devices, the stack operates in a limited, mixed-version state until all
devices have completed the update.
devices have completed the update.
If the primary device completes the update after all of the secondary devices, the stack resumes normal operation when the update completes
on the primary device.
on the primary device.
Pre-Update System Readiness Checks
System update readiness checks contain a series of robustness checks that assess the preparedness of the system for an update. The readiness check
identifies issues with the system, including issues with the integrity of the database, version inconsistencies, and device registration.
identifies issues with the system, including issues with the integrity of the database, version inconsistencies, and device registration.
Note:
The readiness check cannot assess your preparedness for VDB, SRU, or GeoDB updates; the readiness check is a system update readiness
check.
Before beginning the Version 6.1 update process, install the Version 6.1 Pre-Installation update, upload the Version 6.1 package, and run the
readiness check via the shell. If your appliance fails the readiness check, correct the issues and run the readiness check again. For more information
about running a readiness check, see
readiness check via the shell. If your appliance fails the readiness check, correct the issues and run the readiness check again. For more information
about running a readiness check, see
.
Caution:
Do not reboot or shut down your appliance during the readiness check.
Caution:
If you encounter issues with the readiness check that you cannot resolve, do not begin the update. Instead, contact Support.