Update Firepower Devices - Manually

calendar Jul 12, 2017 · 3 min read · Cisco Firepower FTD Network technology  ·
Share on: linkedin copy

This is short and hopefully helpful post on how to manually update Cisco Firepower Devices. I have run into this problem a couple of times which is pushing this update with the FMC sometimes just fails and it never really seems to download the update to the Firepower sensor. On the FMC it will stay on "Initializing" for an hour and timeout so here are the steps to manually update your Firepower Sensor:

  • You can manually update this by either connecting to the console or ssh into the sensor.
  • Once in you'll need to the bash shell so type the command "expert" to get into it.
  • Next, you need to evaluate to the root account by using sudo su
  • SCP copy the update to the /var/sf/updates folder, you can either copy from the FMC or something else that has the update you are looking for.
1scp admin@192.168.1.5:/image.sh /var/sf/updates

If the update is on the FMC the path is /var/sf/updates and it would look something like this, we are pulling from the FMC and copying to the sensor to /var/sf/updates folder.

1scp admin@192.168.1.5:/var/sf/updates/Cisco/FTD/Patch-6.2.0.2-51.sh /var/sf/updates

Install the update via install_update.pl /var/sf/updates/image.sh and watch the console when the upgrade completes your sensor will reboot and no action is needed on the FMC it will automatically detect the new version.

Below is an omitted copy of the console output when upgrading Cisco Firepower devices, keep in mind this session has to stay active don't close or disconnect while updating, let's just say hitting CTRL+C during this process is an instant killjoy, and although it can be fixed I wouldn't advise it!

 1> expert
 2admin@host-172-16-1-110:~$ sudo su
 3 
 4We trust you have received the usual lecture from the local System
 5Administrator. It usually boils down to these three things:
 6 
 7    #1) Respect the privacy of others.
 8    #2) Think before you type.
 9    #3) With great power comes great responsibility.
10 
11Password:
12root@host-172-16-1-110:~#scp admin@172.16.1.15:/var/sf/updates/Cisco_FTD_Patch-6.2.0.2-51.sh /var/sf/updates
13Cisco_FTD_Patch-6.2.0.2-51.sh                 100%  319MB   6.0MB/s   00:53
14
15root@host-172-16-1-110:~#install_update.pl /var/sf/updates/Cisco_FTD_Patch-6.2.0.2-51.sh
16
17ARGV[0] = /var/sf/updates/Cisco_FTD_Patch-6.2.0.2-51.sh
18TODO:: Need to check Sybase Database is running in Standby Mode at /ngfw/usr/local/sf/bin/install_update.pl line 246.
19Verifying archive integrity... All good.
20Uncompressing Cisco FTD Patch / Fri May 26 23:33:01 UTC 2017.............
21[170621 01:01:52] #####################################
22[170621 01:01:52] # UPGRADE  STARTING
23[170621 01:01:52] #####################################
24[170621 01:01:52] BEGIN  000_start/000_check_update.sh
25[170621 01:01:53] BEGIN  000_start/100_start_messages.sh
26[170621 01:01:53] BEGIN  000_start/100_zz_verify_bundle.sh
27[170621 01:01:53] BEGIN  000_start/101_run_pruning.pl
28[170621 01:01:58] BEGIN  000_start/102_check_sru_install_running.pl
29[170621 01:01:58] BEGIN  000_start/105_check_model_number.sh
30[170621 01:01:58] BEGIN  000_start/106_check_HA_sync.pl
31[170621 01:01:59] BEGIN  000_start/106_check_HA_updates.pl
32[170621 01:01:59] BEGIN  000_start/107_version_check.sh
33[170621 01:01:59] BEGIN  000_start/108_check_sensors_ver.pl
34[170621 01:02:00] BEGIN  000_start/109_check_HA_MDC_status.pl
35[170621 01:02:00] BEGIN  000_start/110_DB_integrity_check.sh
36[170621 01:02:02] BEGIN  000_start/111_FS_integrity_check.sh
37[170621 01:02:02] BEGIN  000_start/112_CF_check.sh
38-- omitted --
39[170621 01:08:14] BEGIN 999_finish/999_y_must_be_next_to_last_to_generate_integrity_data.sh
40[170621 01:08:15] BEGIN 999_finish/999_z_must_remain_last_finalize_boot.sh
41[170621 01:08:15] BEGIN 999_finish/999_zz_install_bundle.sh
42Cleaning up.
43shutdown PM on whitebox systems except Readiness package, sample patch and RNA redhat
44about to remove upgrade lock
45removed '/ngfw/tmp/upgrade.lock/main_upgrade_script.log'
46removed '/ngfw/tmp/upgrade.lock/status_log'
47removed '/ngfw/tmp/upgrade.lock/PID'
48removed '/ngfw/tmp/upgrade.lock/LSM'
49removed directory: '/ngfw/tmp/upgrade.lock'
50[170621 01:08:48] Attempting to remove upgrade lock
51[170621 01:08:48] Success, removed upgrade lock
52Upgrade lock /ngfw/tmp/upgrade.lock removed successfully.
53[170621 01:08:48]
54[170621 01:08:48] #######################################################
55[170621 01:08:48] # UPGRADE COMPLETE #
56[170621 01:08:48] #######################################################
57Process 1061 exited.I am going away.
58RC: 0
59Update package reports success: almost finished...
60Scheduling a reboot to occur in 60 seconds...