Cisco FirePOWER downgrade/restore experience

Recently, due to several issues I had with Sourcefire 6.0 code, I went through a downgrade exercise, taking it back down to version 5.4. With Sourcefire there is no simple way to roll back from one version to another. A configuration backup helps with the Defense Center; Sensors, however, cannot be rolled back to the previous version, only recovered from a factory reset, so expect the following caveats.

Components:
Cisco Sourcefire: 5.4 and 6.0

I started the downgrade process by deploying another instance of the Virtual Defense Center (DC) on version 5.4. That way I continued managing my production Sensors from the 6.0 DC while slowly migrating to the previous version.

Prior to deployment, assign a static MAC address to the virtual NIC. Licenses are bound to the DC's MAC address; otherwise, in case of a VMware host failover, all licenses will become invalid because the MAC address changes.

When you do a clean install and try to restore a backup without applying any OS patches, you may get the following error.

[Screenshot: Sourcefire restore software version mismatch]

Download and install the patch version shown in the System Information field (5.4.1.5 in this case), so that the DC's software version matches the one the backup was taken on.

After the OS verification you will be prompted for a vulnerability database (VDB) check. By default the DC will download the latest component. If the component version does not match the backup, you will get the following error.

[Screenshot: Sourcefire vuln mismatch]

A vulnerability database component update cannot be rolled back. If you install the latest version and your restore then fails due to a version mismatch, you will have to re-image the DC.

My backup was taken on VDB version 260 and the latest was 261, so I had to download the earlier version from the Cisco website and install it manually on the DC.

Once the vulnerability database component is installed and verified, the restore option becomes available.
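Because the restore refuses to run unless both the software patch level and the VDB version match the backup, and because the VDB only moves forward, it pays to work out the required actions before touching the freshly installed DC. The following Python helper is an added example, not code from the original post or from Cisco: it takes the software version and VDB build as read by hand from the System Information page of the target DC and of the DC the backup came from (the `DcState` type, the `preflight` function and the sample numbers are constructed for this example and do not reflect any real backup archive format) and returns what still has to happen before the restore can be started, including the re-image case when the DC has already taken a newer VDB.

```python
from typing import List, NamedTuple, Tuple


class DcState(NamedTuple):
    """What the System Information page shows for one Defense Center.

    software:  patch level as displayed, e.g. "5.4.1.5"
    vdb_build: vulnerability database build number, e.g. 260
    (Constructed type for this example; values are entered by hand.)
    """
    software: str
    vdb_build: int


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.4.1.5' -> (5, 4, 1, 5), so that 5.4.1.10 sorts after 5.4.1.5.

    A plain string comparison would put '5.4.1.10' before '5.4.1.5'.
    """
    return tuple(int(part) for part in version.strip().split("."))


def preflight(backup: DcState, target: DcState) -> List[str]:
    """Return the actions needed on the target DC before the restore can run.

    Rules, as observed in the restore behaviour described above:
      * the software patch level must match the backup exactly;
      * the VDB build must match the backup exactly;
      * a VDB build can only go up, so a target that is already past the
        backup's build has to be re-imaged and patched again.
    An empty list means the restore can be started now.
    """
    actions: List[str] = []

    b_sw, t_sw = parse_version(backup.software), parse_version(target.software)
    if t_sw < b_sw:
        actions.append(
            f"install software patch {backup.software} (target is {target.software})"
        )
    elif t_sw > b_sw:
        actions.append(
            f"clean-install the DC and patch it to exactly {backup.software} "
            f"(target {target.software} is newer than the backup)"
        )

    if target.vdb_build < backup.vdb_build:
        actions.append(
            f"install VDB build {backup.vdb_build} manually; do not let the DC "
            f"fetch the latest build (target has {target.vdb_build})"
        )
    elif target.vdb_build > backup.vdb_build:
        actions.append(
            f"VDB cannot be rolled back: re-image the DC, then install VDB build "
            f"{backup.vdb_build} before restoring (target has {target.vdb_build})"
        )
    return actions


def can_restore(backup: DcState, target: DcState) -> bool:
    """True only when nothing stands between the target DC and the restore."""
    return not preflight(backup, target)


if __name__ == "__main__":
    # Constructed values mirroring the post: the backup was taken on
    # 5.4.1.5 with VDB build 260. The target states are made up for the demo.
    backup = DcState(software="5.4.1.5", vdb_build=260)
    for target in (
        DcState("5.4.0", 250),      # fresh install: no patch, older bundled VDB
        DcState("5.4.1.5", 261),    # patched, but the DC fetched the latest VDB
        DcState("5.4.1.5", 260),    # everything matches
    ):
        print(target, "->", preflight(backup, target) or "ready to restore")
```

Two details are worth keeping: the patch level is compared numerically rather than as a string, and a VDB build newer than the backup's is reported as a re-image rather than an install, since there is no path back once the newer component is on the box.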

[Screenshot: Sourcefire restore]

Task notification will indicate when the restore is complete.

[Screenshot: Sourcefire restore completed]

It is important to perform the following tasks after a successful restore:

  • License: All licenses will be installed. If your MAC address did not change they will be active; if it changed, you will need to rehost them on the Cisco license portal. The process is very easy and does not take much time.
  • Sensors: There is no way to downgrade Sensors, only to recover them. Since all of them are still running 6.0, you will have to remove them from the 6.0 DC and run them through the recovery process. Sensors populated on the 5.4 DC by the restore will need to be removed and re-registered, otherwise communication will fail. Running two DC instances in parallel will give you more time to migrate.
  • Policies: All policies will be in place. You just need to reapply them to the Sensors once they register.

2 comments on Cisco FirePOWER downgrade/restore experience

  • A backup from Firepower 6.1 cannot be restored in 6.2.3. But the update guides all say one has to back up and restore the config to avoid losing it. So there is just no way to upgrade a Firepower. As far as I see, Cisco is not interested in doing a good job. This time they fail from day to day… clock signal bug, 100% CPU usage for ASDM, then this non-working upgrade. But at least they are the most expensive on the market.

    • Yes, the last 12 months were tough for ASA/Firepower, and then the FTD debacle. I know there was a lot of quality control effort on Cisco's side, and with the 6.2 version I definitely see improvements. 6.3 will be out soon, so we will see how well it goes.
