Cisco Secure Firewall ASA is an integrated suite of network security and traffic management products. You can deploy it on purpose-built platforms or as a software solution. The Cisco ASA Firepower module helps you manage network traffic while ensuring compliance with your organization’s security policies.
In a typical deployment, traffic-sensing managed devices on network segments monitor traffic for analysis and send reports to managers, including the Firepower Management Center, Firepower Device Manager, and Adaptive Security Device Manager (ASDM). These managers provide a centralized management console with a GUI. You use this interface to handle administrative, management, analysis and reporting tasks.
This guide will show you how to upgrade the Cisco ASA Firepower module using ASDM. This post follows the upgrade guide provided by Cisco, so you will find information based on Cisco experts’ recommendations.
Important Note:
Before you upgrade firewall appliances, understand how traffic flow and inspection may be interrupted when you reboot a device, upgrade the device software, OS, or virtual hosting environment, uninstall or revert the device software, move a device between domains, or deploy configuration changes.
Therefore, upgrade your firewall module only when any interruption will have the least impact on your deployment.
The Procedure to Upgrade Firepower Module with ASDM
During the upgrade, do not make configuration changes, manually reboot, or shut down the module. Do not restart the upgrade process, even if it seems inactive during pre-checks. If you encounter any issues with the upgrade or find the appliance unresponsive, contact Cisco TAC.
Here are the steps to upgrade the Cisco Firepower Module:
- First, ensure you run a supported version of ASA. Most ASA and ASA Firepower versions are compatible. Even if you don’t need an upgrade immediately, you might require it to resolve issues. When upgrading the ASA Firepower module, check the ASA upgrade procedures for standalone, failover, and clustering scenarios. According to Cisco experts, even if you don’t upgrade ASA software, refer to ASA failover and clustering upgrade guides. This will help you perform a failover or disable clustering on a unit before the upgrade to avoid traffic loss. For clusters, upgrade each secondary unit sequentially before upgrading the primary unit.
- Get the upgrade package; you should download it directly from the Cisco Support & Download site. Otherwise, you may get a corrupted package.
- Then, connect ASDM to the ASA appliance and upload the upgrade package by following these instructions:
  - Go to Configuration > ASA FirePOWER Configuration > Updates.
  - Click Upload Update, choose the file, and upload.
- Now, to avoid any failure, deploy pending configuration changes. During this process, you may see a small number of packets dropping without inspection due to increased resource demands. Some configuration deployments may restart Snort and interrupt traffic inspection. This may interrupt traffic until the restart completes, based on how your device handles traffic.
- When upgrading to Version 6.1.0 through 6.3.0.x, you must disable the ASA REST API. Otherwise, the upgrade will fail. You can use the CLI on the ASA to disable the REST API. Disable it with the command no rest-api agent, and re-enable it with the command rest-api agent.
- Go to Monitoring > ASA FirePOWER Monitoring > Task Status to confirm that essential tasks are complete. Tasks that are running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.
- Go to Configuration > ASA FirePOWER Configuration > Updates. Click the install icon beside the upgrade package you uploaded. Confirm that you want to upgrade and reboot the module. Depending on how the module is configured, traffic either drops or traverses the network without inspection.
- Continue to monitor the upgrade process on the Task Status page, and don’t make any configuration changes to the module while the upgrade is in progress. Unless the page indicates that the upgrade has failed, you must not restart the upgrade or reboot the module, even if the upgrade shows no progress for several minutes.
- Once the upgrade is completed, you can reconnect ASDM to the ASA.
- Go to Configuration > ASA FirePOWER Configuration. Click Refresh so that the interface does not exhibit unexpected behavior.
- Go to Configuration > ASA FirePOWER Configuration > System Information and ensure that the module has the correct software version.
- If a newer intrusion rule update or vulnerability database is available on the Support Site, install the newer version.
- Complete any configuration changes post-upgrade and redeploy configurations.
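Two of the pre-upgrade conditions in the steps above (an intact package and the REST API requirement) can be checked with a script before you start; this is an added example, not part of Cisco's guide or the original post. It assumes you copied the SHA-512 checksum shown for the file on the download site and saved the ASA running configuration as text, and that an enabled agent appears there as a rest-api agent line; all function names are hypothetical.

```python
import hashlib
import re

# From the step above: upgrades to 6.1.0 through 6.3.0.x need the REST API off.
REST_API_RANGE = ((6, 1, 0), (6, 3, 0))

# Constructed sample of saved running-config text (not real device output).
SAMPLE_CONFIG = "hostname asa-lab\nrest-api image disk0:/PLACEHOLDER.pkg\nrest-api agent\n"


def sha512_of(path, chunk=1 << 20):
    """Stream the package through SHA-512 so large files need little memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def package_matches(path, published_sha512):
    """Compare the file with the checksum copied from the download page."""
    return sha512_of(path) == "".join(published_sha512.split()).lower()


def needs_rest_api_disabled(target_version):
    """True if the first three version fields fall inside REST_API_RANGE."""
    fields = [int(n) for n in re.findall(r"\d+", target_version)[:3]]
    fields = tuple(fields + [0] * (3 - len(fields)))
    low, high = REST_API_RANGE
    return low <= fields <= high


def rest_api_agent_enabled(running_config):
    """Assumption: an enabled agent appears as a bare 'rest-api agent' line."""
    return re.search(r"^\s*rest-api agent\s*$", running_config, re.M) is not None


def preflight(path, published_sha512, target_version, running_config):
    """Return blocking findings; an empty list means these checks passed."""
    findings = []
    if not package_matches(path, published_sha512):
        findings.append("package SHA-512 does not match the published value")
    if needs_rest_api_disabled(target_version) and rest_api_agent_enabled(running_config):
        findings.append("REST API agent is enabled: disable it before upgrading")
    return findings
```

An empty list from preflight covers only these two checks; the failover, clustering, and pending-deployment steps still have to be confirmed by hand.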
If you manage the ASA Firepower module by using the Firepower Management Center, you should upgrade the Management Center before upgrading the module. For that, you have two options. Depending on what you use, you may need to upgrade either:
- A standalone Secure Firewall Management Center, or
- High availability Firepower Management Centers
Each has a different procedure, so upgrade accordingly. You can find the steps to upgrade both of them on the Cisco Support website.