Recently I was tasked with upgrading some new Firepower 3D8350 sensors which would later be stacked into a 3D8360. These devices were shipped with software version 126.96.36.199 and I had a customer requirement to upgrade the sensors to version 6.2.
I would normally stack these devices and upgrade them using the FMC; however, I didn’t have this luxury with these new devices, so each sensor had to be upgraded one by one. I had two ways to perform the software upgrades: either upgrade each device following the upgrade path (the longest way) or system restore each device to version 6.2 (the fastest way). To give you an idea of the upgrade path from 188.8.131.52, I have included it below:
Version 184.108.40.206 > Version 6.0.0 PreInstallation Package > Version 6.0.0 > Version 6.0.1 Preinstall > Version 6.0.1 > Version 6.1.0 PreInstallation Package > Version 6.1.0 > Version 6.2.0
As you can imagine, this particular upgrade path will require some time, and it’s also worth mentioning that you can often face failures at each stage, meaning that you could end up performing this upgrade for a lot longer than anticipated. Luckily for me, these were new devices and had no current configurations, meaning I could save time and system restore each device to version 6.2.
To my surprise, this process wasn’t well described in the documentation, so I thought it would be worth putting together this article to try and clearly explain how to system restore a sensor to the latest supported version.
Note: Please consult Cisco documentation to make sure your device supports the image/configurations presented in this article.
This article is based on the following device:
Firepower 3D8350 sensor
Equipment used to aid in the upgrade:
Ethernet cable connected to a laptop
Note: Typically the length of a reimage is 30/45 minutes
This article is for anybody interested in upgrading a Cisco Firepower 3D sensor by reimaging the device rather than following a specific upgrade path.
Step 1 – Verify connectivity to Firepower sensor
With one end of the Ethernet cable connected to the sensor’s management port (Eth0) and the other to your computer, test device reachability by accessing the GUI. Enter the following settings on the computer:
IP address: 192.168.45.2
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.45.45
Open up a web browser and enter http://192.168.45.45. You will be presented with a notification telling you that the certificate for that device is not trusted; accept this and confirm you can access the GUI.
If you wish to log in you can enter the following default credentials
Connectivity is now confirmed via Ethernet. You will also be required to use Keyboard, Video and Mouse (KVM) for the restore process.
Step 2 – Download the following images
The restore image for the version you wish to move to, the following is the image I used: Sourcefire_3D_Device_S3_Upgrade-6.2.0-362.sh
Any relevant patch for the version you wish to install, here is a patch that I used: Sourcefire_3D_Device_S3_Patch-220.127.116.11-38.sh
The latest rule update, here is an example that I used: Sourcefire_Rule_Update-2018-03-07-001-vrt.sh
Visit www.software.cisco.com to download each file
Step 3 – Select the method of transfer for files to a sensor
So that you can restore your 3D sensor you will be asked to use one of three options;
Please select the best method for you and make sure the server is running on your computer that is connected to the sensor via Ethernet.
Step 4 – Reimage the 3D Sensor
Now that we have everything set up, we can go ahead and start the reimaging process.
Using the CLI or KVM, reboot the sensor using the following command:
sudo shutdown -r now
If you are connected via SSH you will lose connection; from this point on please use the KVM. When the device reboots you need to press any arrow button to stop the device from booting back into the current image. Please select “System_Restore”.
When you get to the options screen you will need to give the 3D sensor an IP address, subnet mask and default gateway. It is recommended that you configure this device so that it is on the same subnet as the computer and that the default gateway points to the computer that is running the server that will be used to transfer the files.
In step 2 you will need to choose your preferred method of transport for files. At this point the device will try to display the files that are in the directory you’ve specified. Note: I have seen instances whereby when using FTP it fails if the following isn’t entered. You need to specify the username: anonymous and password: password
In step 3 select your patches and move to Step 4 where the device will download the files from your computer. You will also be advised that you are about to repartition the disk with the new image, proceed if you are happy to continue with the reimaging process.
Note: If upgrading from one major version to another such as 5.4 to 6.2 you will need to run the above steps twice. When you have run the install once and the device has reloaded you simply just run through the IP and file transfer settings along with steps 4 & 5 again following the same process. You will notice that before the device reloads this time around, you’ll be asked if you want to keep some of the configurations or not, select the best option for you.
Note: It is important not to press any buttons while the reimaging is taking place, as you may restart the system and you will need to perform the reimaging again. You will know the reimaging is complete when you are presented with the login prompt. I have also noticed that even when you choose to keep some of the configurations, the password is reset to: Admin123
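A pre-flight check to run on the laptop before rebooting into System_Restore, added here as an example and not part of the original article or any Cisco tooling: it confirms that the files in the served directory match their published SHA-512 digests and that the addressing planned for the restore menu keeps the sensor on the laptop’s subnet with the laptop as its gateway. It assumes you copied the SHA-512 value for each file from the download page; the function names, the stand-in file contents and the placeholder digest are constructed for illustration.

```python
import hashlib
import ipaddress
import tempfile
from pathlib import Path


def sha512_of(path, chunk=1 << 20):
    """Stream the file so large images are not read into memory at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def preflight(serve_dir, expected, laptop_ip, sensor_ip, netmask, sensor_gw):
    """Return a list of problems; an empty list means ready to reimage."""
    problems = []
    net = ipaddress.ip_network(f"{laptop_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(sensor_ip) not in net:
        problems.append(f"sensor {sensor_ip} is outside {net}")
    if sensor_gw != laptop_ip:
        problems.append(f"sensor gateway {sensor_gw} is not the laptop")
    for name, want in expected.items():
        path = Path(serve_dir) / name
        if not path.is_file():
            problems.append(f"{name}: missing from served directory")
        elif sha512_of(path) != want.strip().lower():
            problems.append(f"{name}: SHA-512 mismatch, do not serve")
    return problems


def demo():
    """Constructed stand-in files; real digests come from the vendor."""
    image = "Sourcefire_3D_Device_S3_Upgrade-6.2.0-362.sh"
    rules = "Sourcefire_Rule_Update-2018-03-07-001-vrt.sh"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / image).write_bytes(b"constructed image bytes")
        (Path(d) / rules).write_bytes(b"constructed, altered in transit")
        expected = {image: sha512_of(Path(d) / image),
                    rules: "0" * 128}  # placeholder digest, not a real one
        return preflight(d, expected, "192.168.45.2", "192.168.45.45",
                         "255.255.255.0", "192.168.45.2")


if __name__ == "__main__":
    for line in demo() or ["ready to reimage"]:
        print(line)
```

Because the sensor repartitions its disk with whatever it downloads, any reported problem is worth resolving before selecting the files in the restore menu.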
Thanks for reading.