FTD FirePower Direct Upgrade in HA

Captions
6.4, then do I have a direct upgrade path from 6.2 to 6.4? So I need to first determine whether there is an upgrade path possible. If there is an upgrade path possible, then I would be able to do it. So you can see that this one is showing me the current version option and this one is the target, from there to where I'm going. So if my current version is 6.2.2 on the managed device, I can upgrade to 6.4, but I will not be able to update to 6.5 directly. Okay?

So in order to determine whether the direct path is there, we would have to check the release notes, and accordingly you would have to make a decision whether I should be doing an upgrade or whether I would be doing a clean installation. A clean installation would require a backup, but chances are that with did I complain, if everything is done properly, then there is no hit to your configuration; the configuration will still be kept. Clear? Understood? So you can always come to this upgrade guide document in order to understand whether I have a direct upgrade or an indirect upgrade which I have to do.

So we have where to what break up for update; will we download the update file actually through the FMC? So we need to manually push the updates, to manually do it, but if you want you can create a schedule to do that. It would require a manual process in order to push the update. So this Cisco FTD patch, this has been downloaded in the past. So how do you push the patch to an FTD box? I have not pushed it, but you click on this install button and you push it, and it will ask on which devices you want to use this. Yes, if you click on this install button. So currently we have two active nature of the same version, so it will show up for the device. So there is that we would also required after this updates. Yes, ok.

Now let's look at the upgrade. As I said, we will do it to 6.4 from 6.2. The other thing is, there are a couple of checks which you might want to do before. One is definitely to back up your configuration; even if, let's say, they say that it would be done, it's always good to go ahead and make sure that you back it up. The other thing is that, in case you are doing an upgrade of your Firepower 4100/9300, which are architecturally different from your 5500-X series or your 2100, then you also want to check if I require an upgrade of my FXOS. So first I will do an upgrade on my FXOS and then I will do an upgrade of my Firepower, because compatibility always needs to be checked: for a particular Firepower, will this version of FXOS work or not. So these things you might have to take into consideration, but because we are not using any 4100 or 9300, we don't have to worry about that. Okay? But yeah, it also tells you, based on the appliance, how you want to do an upgrade. So the 4100/9300 would always have a different option to do an upgrade, because you need to verify to make sure that you have the right version of FXOS. So it will tell you the version of FXOS which is compatible with the version of upgrade which you're trying to do. Okay.

For the high availability part, let's look at high availability: in case you have a device in high availability mode, then what will happen? This is a very important point which you need to take into consideration only when it is high availability. So it says that the standby device in a high availability pair is upgraded first. If you have an active and a standby, it begins the upgrade on the standby. Once the upgrade is successful on the standby, the devices will switch roles, which means that the standby with the new upgraded version will become active, and the old active, which is with the old version, is going to become standby. Then the new standby upgrades. When the upgrade completes, the device roles remain switched, which means that it will not switch over automatically; you would have to go ahead and do it manually.

So what it means is that the current active one is this non network. So this is my active device, this is my standby device. So when I begin the upgrade, it will be the standby device which will be upgraded to 6.3 and it will become active. Then this active will go into standby, and it will begin the upgrade on this standby, which is 6.3, and it will remain standby; it will not change again. You would have to manually do it. Okay? So in case, let's say, you want that this device should always remain active, then before you begin the upgrade process you switch it over, so that once the upgrade process gets completed you have to retain your device placement. Okay? So it will not automatically switch it back to the previous state which was there.

So let's see how that is done. Currently we are going to start an upgrade on this HA pair. So first the standby will do it, and then it will switch over; the one which is currently active will become the standby, and then it will upgrade that standby box, and both would have the same version. And during this upgrade, because it's a hitless upgrade, it will not do any traffic disruption; traffic will continuously keep flowing when the upgrade is taking place. All right.

So let's look at it. In order to do a major upgrade, you would have to download the file from Cisco's website. So to download that file I will have to go to software.cisco.com, Security, Next-Generation Firewalls, and, let's say I'm doing an upgrade on the virtual device, click on virtual. I will look at FTD software, and then, let's say I want to upgrade to 6.4, the right version, being at 6.3, so I'll go to 6.4 and I would see an upgrade file which is in .sh format, so I would be downloading that file. Right? So depending on which version you match: if it's already 2.2.2, then this one; if it is anything from 6.1 or 6.2.0, then this one, depending on which current version you are using. But it will always be in a .sh format.

So you will download that, and once you have downloaded that file you will upload it inside FMC. So I'll click on the Upload Update button, browse, and I'll choose that file which I want to put. You can see, I'm not sure if you can see, on the bottom left-hand side above the Start button, they're showing you how much of the upload is completed. And when the upgrade is taking place I'm going to keep my telnet session active, just to show you that during the upgrade the traffic will not be stopped. Let me just change the timer on my VTY line so that it does not time out, and also simultaneously to work thing. So it takes a little time; let's wait for it to upload the file and install it. Okay, till I'm uploading this, if you have any questions you can keep asking.

Okay, so my question is: can we export the firewall configuration from the FMC? Because we have a process: we have to arrange a document where we are modifying the whole month's changes, firewall rate reaches, and it has to be submitted after a month. So is there any process where we can export the firewall configuration, see the de Conti?

So again, when you are talking about configuration, are you talking about device config or are you talking about the policy configuration? Policy you can do from FMC: once you go inside your policy you have an option to export it.

Okay, is it exporting only the policy, or interface and hotels will?

So that's device configuration. You can also do that, yep, but you would have to go inside System and then export that configuration. Both would be separate: policies would be separate, device configuration will be separate; it will not be in one file. Okay. Your access control configuration, and then for the device, all your intrusion, NAT configuration, you would have to select if you want to export it, and for the device-specific you would have to do it from backup. You will not be able to export it, but it would be like a backup which you will be doing. So I'll show you that option. But yeah, you can do that, but it would be two separate things.

Can we generate a comprehensive report as well, where we can see the changes over the devices? Suppose we have multiple players in FMC and we want to have a comprehensive report every month of how many changes we have done.

I am not sure about that, but we need to check in the reporting part whether there is any option to create such reports. So you have to generate your own report. It has an option to define different parameters, what type of reports you want to generate, but it does not have any predefined report which would be doing it for the changes which we are making on the device. In the report you specify what parameters you want in the report. So it should be a one-time build; you can make it a recurring report also if you want. So you can generate a log report; it will show you any changes which you are making, the Firepower configuration change count or whatever you want. You would have to build your own reporting options, whatever you want. Okay.

So now you can see that this file, the FTD upgrade to 6.4.0, has been uploaded. So now if I want to do this installation, I would first have to do a push, so I have to put that file on the device. Okay, I'll click on Push and then it will give me the devices which are eligible for the push. I'll select all my devices and then I will push this file to the device. I'll not begin the installation; I'll simply put this file in bigger white so that it can then be used for installation. So first step, we always sync the configuration to FTDv1 and then to FTDv2. Oh, okay.

One more question, related to logs: how can we define the log space in FMC? Suppose we have multiple FTD boxes and we want to define the particular space and retention period of the logs; how can we configure it?

So there is no retention period. Till the time the disk is not full, the logs will be there, but once the disk starts getting full then it will start overlapping your logs; with that, the old logs will be removed.

Okay, can you show me? Because as discussed with another person, he told me that there is a dependency on MB space; could you please clarify?

Oh, that's what I said, that the space matters. You don't specify it; it is the space. If you have disk space, the logs will be stored for a long time; if you don't have disk space then it will start crunching the logs. Then you would have to go ahead and do a data purge to delete the old logs so that the new logs can be added to it.

It might mean is is of as well for particular table.

So yeah, in case you want to see the FMC disk space, you would have to go inside Health, where you can see that 37% is getting utilized. I click on my FMC, then I would have to go inside my disk usage. So this is the disk usage. So depending on how much space you have given; by default in your FMC, currently the FMC which I'm using has around 200, 300 GB of space which is there. So it is using this, including this one; this one is going to be your knob painter logs are stored. There is no timer for that which you can change from your retention all about this. Okay.

So you can see on the FTDv2, which is the active one, the push has completed; now it's trying to push it on v1. Once it gets pushed on the other one, we can start with the upgrade. Later I will show you which locations inside the disk you can clean up, like the upgrade files and all; by default it does not get freed. So I can show you the space from where you can clean up those old files so that you get more space on your disk. We will not do it practically, but I will show you the commands which you can use in order to go ahead and clear out those spaces.

One more question, related to the new iOS: when we are trying to update it, is there any chance to corrupt the existing iOS, I mean the FTD configuration?

Yeah, so when you're doing the upgrade it could be possible that the upgrade might get corrupted, or during the upgrade process it does not do the upgrade properly. So there could be chances; it's always good that you back up before you begin the upgrade.

Okay, so this type of backup, done through the FMC, is it a full one, or are there different types of backups?

The whole configuration needs to be backed up from the device, for FMC or the device; what are you upgrading? The device you are upgrading, what are the chances of getting corrupted? The device?

Device, yes.

Okay, so now the file is pushed. What you do is you go into your system upgrades, and then this time you will use the second button, which is Install. Now you will install the upgrade, and you select the HA pair. If you want, you can also launch the readiness check. This is also one step which you can do in order to make sure whether this upgrade which you are going to do is going to affect my device or is going to be properly done. But the problem with this Launch Readiness Check is that it is actually going to simulate the whole upgrade, which means how an upgrade would be done; it will just not do the upgrade, but it will simulate the whole upgrade. So from a time perspective it is going to take double the time. First you will be running the Launch Readiness Check, so it will take 45 minutes to show you whether it will be successful or not, and then after that it will take another 45 minutes to actually do the installation. But yes, this is a very good step which you can do: Launch Readiness Check, which would simply show you whether, if I do an upgrade on the device, it will be successful or not. So this is also one way to make sure that the device, the image, does not get corrupted. If it's not able to do it because, let's say, FXOS is not updated correctly, or because of any hardware limitation, that this upgrade was not supposed to be done on this hardware, then in that case we will still be saving your old configuration and old image. So it's always good to run it, but yes, from a time perspective it is going to take the same amount of time which an actual update would take; it will simply not be updated.

So what I'm going to do is I'm going to click on copy so that it can directly begin the upgrade. Once I do that, it begins doing the upgrade. So first it will push the upgrade to the standby device, and then it would restart the standby device with the new version, and then it will make it primary, make it active, and then it will start with the second device. And during the process the traffic is not interrupted; minimal chance of grappa see there. Okay, like any
Info
Channel: H3X4FORUM IN
Views: 3,257
Keywords: Online Training, Firepower, Cisco Training, User Id, SDWAN, Palo Alto, Cisco FTD, NGFW
Id: QV8eqnE8Xyc
Length: 26min 39sec (1599 seconds)
Published: Wed Apr 22 2020