Just a few days after we upgraded our Sourcefire infrastructure to 5.4, Cisco released version 6.0. Before we upgrade, let’s briefly check what we get with this major release:
- SSL Traffic inspection
- DNS-based Security Intelligence
- DNS Inspection and Sinkholes
- Support for OpenAppID Defined Applications
- Captive Portal Active User Authentication
- Integration with Cisco ISE via PxGrid
- Local Malware Checks
- Multiple Domain Management
If we need one or more of these features, or just want to upgrade for any other reason, this post briefly shows how to do that.
The upgrade process is the same as the one we saw when upgrading from 5.3 to 5.4, and the same principles apply when going from 5.4 to 6.0. The only differences are the system requirements for version 6.0.
The requirements are as follows:
- ESXi must be running version 5.1 or 5.5
- Defense Center must be running at least version 5.4.1
- ASA FirePOWER SFR modules must be running version 126.96.36.199 or later
- ASA software must be at least at version 9.4(2) or 9.5(1.5)
- Disk requirements are as follows:
  - For DC:
    - 16MB on / partition
    - 8GB on /Volume partition
    - Additional 1.5GB on /Volume partition if we upgrade SFR modules through DC
  - For SFR module:
    - 32MB on / partition
    - 7.7GB on /Volume partition
In the “Firepower System Release Notes” I did not find any memory requirements for the DC virtual machine. So, when I tried upgrading the DC from 188.8.131.52, which was given 4GB of RAM (actually, this amount of RAM was given to the initial 5.3.1 installation), I got this error message:
Actually, the DC 6.0 requires 8GB of RAM. This info can be found in the “Cisco Firepower Management Center Virtual Quick Start Guide for VMware“, in this table:
What we have is:
The upgrade did not fail, so we don’t have to contact Cisco support. We have to shut down the DC, add more memory and start the upgrade process again. The DC is shut down from System->Local->Configuration->Process->Shutdown Defense Center->Run Command:
After we add memory, we power on the virtual DC and, when it boots, we start the upgrade process again.
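A preflight check for the disk and memory figures above, as an added example that is not part of the original post or of Cisco's tooling. It assumes the disk figures mean free space, that it is run from the appliance's Linux shell, and a 5% allowance below 8GB because MemTotal reads slightly under the RAM assigned to the VM; all function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: pre-upgrade check against the 6.0 requirements listed above.
# All sizes are in KB. Assumption: the disk figures mean free space.
ROOT_DC=16384            # 16MB on /
VOL_DC=8388608           # 8GB on /Volume
VOL_DC_SFR=1572864       # extra 1.5GB when SFR modules are upgraded through the DC
ROOT_SFR=32768           # 32MB on /
VOL_SFR=8074036          # 7.7GB on /Volume, rounded up
# MemTotal is always a little below the RAM assigned to the VM, so allow
# 5% slack under 8GB (the slack is this example's assumption).
RAM_DC=$((8388608 * 95 / 100))

free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }
mem_kb()  { awk '/^MemTotal:/ {print $2}' /proc/meminfo; }

# need LABEL HAVE_KB NEED_KB: print one result line, return 1 on shortfall
need() {
    if [ "$2" -ge "$3" ]; then
        echo "OK    $1: $2 KB (need $3 KB)"
    else
        echo "FAIL  $1: $2 KB (need $3 KB)"; return 1
    fi
}

# preflight ROLE ROOT_KB VOLUME_KB MEM_KB VIA_DC
# ROLE is dc or sfr; VIA_DC=yes adds the 1.5GB for pushing SFR upgrades from the DC.
preflight() {
    rc=0
    case "$1" in
        dc)
            vol=$VOL_DC
            [ "${5:-no}" = yes ] && vol=$((VOL_DC + VOL_DC_SFR))
            need "/ free" "$2" "$ROOT_DC" || rc=1
            need "/Volume free" "$3" "$vol" || rc=1
            need "RAM" "$4" "$RAM_DC" || rc=1 ;;
        sfr)
            need "/ free" "$2" "$ROOT_SFR" || rc=1
            need "/Volume free" "$3" "$VOL_SFR" || rc=1 ;;
        *)  echo "usage: preflight dc|sfr ROOT_KB VOLUME_KB MEM_KB [yes|no]" >&2; return 2 ;;
    esac
    return $rc
}

# Live run on the appliance shell, e.g.: sh preflight.sh dc yes
case "${1:-}" in
    dc|sfr) preflight "$1" "$(free_kb /)" "$(free_kb /Volume)" "$(mem_kb)" "${2:-no}" ;;
esac
```

Every check is reported before the script returns, so a DC that is short on both RAM and /Volume space shows both shortfalls in one run.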
Finally, when we meet the requirements, the procedure is the same as in upgrading from 5.3 to 5.4.
If we followed that procedure, we have already met almost all requirements: the DC is running 184.108.40.206, the modules are at 220.127.116.11 and ESXi is 5.1 or 5.5. We should check the disk requirements, as they are somewhat different, and we should take care of the ASA version, which must be at least 9.4(2) or 9.5(1.5). If it’s not, here is how to upgrade the ASA software. Here is a more current version of the ASA upgrade paths:
The ASA upgrade procedure remains the same as described here.
See you soon in 6.0 🙂