Install the Software

If you cannot or do not want to upgrade, you can freshly install major and maintenance releases.

We do not provide installation packages for patches. To run a particular patch, install the appropriate major or maintenance release, then apply the patch.

Installation Checklist and Guidelines

Reimaging returns most settings to factory defaults, including the system password. This checklist highlights actions that can prevent common reimage issues. However, this checklist is not comprehensive. See the appropriate installation guide for full instructions: Installation Instructions.

Table 1.

Action/Check

Check appliance access.

If you do not have physical access to an appliance, the reimage process lets you keep management network settings. This allows you to connect to the appliance after you reimage to perform the initial configuration. If you delete network settings, you must have physical access to the appliance. You cannot use Lights-Out Management (LOM).

Note 

Reimaging to an earlier version automatically deletes network settings. In this rare case, you must have physical access.

For devices, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. In FMC deployments, you should also able to access the FMC management interface without traversing the device.

Perform backups.

Back up before reimaging, when supported.

Note that if you are reimaging so that you don't have to upgrade, due to version restrictions you cannot use a backup to import your old configurations. You must recreate your configurations manually.

Caution 

We strongly recommend you back up to a secure remote location and verify transfer success. Reimaging returns most settings to factory defaults, including the system password. It deletes any backups left on the appliance. And especially because backup files are unencrypted, do not allow unauthorized access. If backup files are modified, the restore process will fail.

Backup and restore can be a complex process. You do not want to skip any steps or ignore security or licensing concerns. For detailed information on requirements, guidelines, limitations, and best practices for backup and restore, see the configuration guide for your deployment.

Determine if you must remove devices from FMC management.

If you plan to manually configure the reimaged appliance, remove devices from remote management before you reimage:

  • If you are reimaging the FMC, remove all its devices from management.

  • If you are reimaging a single device or switching from remote to local management, remove that one device.

If you plan to restore from backup after reimaging, you do not need to remove devices from remote management.

Address licensing concerns.

Before you reimage any appliance, address licensing concerns. You may need to unregister from the Cisco Smart Software Manager (CSSM) to avoid accruing orphan entitlements, which can prevent you from reregistering. Or, you may need to contact Sales for new licenses.

For more information, see:

Reimaging Firepower 1000/2100 Series Devices to Earlier Major Versions

We recommend that you perform complete reimages of Firepower 1000/2100 series devices. If you use the erase configuration method, FXOS may not revert along with the Firepower Threat Defense software. This can cause failures, especially in high availability deployments.

For more information, see the reimage procedures in the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense.

Reimaging Version 5.x Hardware to Version 6.3.0+

The renamed installation packages in Version 6.3+ cause issues with reimaging older physical appliances: FMC 2000 and 4000. If you are currently running Version 5.x and need to freshly install Version 6.5.0, rename the installation package to the "old" name after you download it; see the Renamed Upgrade and Installation Packages information in the Cisco Firepower Release Notes, Version 6.3.0.

After you reimage an FMC (Defense Center) from Version 5.x to a more recent version, it cannot manage its older devices. You should also reimage those devices, then re-add them to the FMC. Note that Series 2 devices are EOL and cannot run Firepower software past Version 5.4.0.x. You must replace them.

Unregistering Smart Licenses

Firepower Threat Defense uses Cisco Smart Licensing. To use licensed features, register with Cisco Smart Software Manager (CSSM). If you later decide to reimage or switch management, you must unregister to avoid accruing orphan entitlements. These can prevent you from reregistering.


Note

If you need to restore an FMC or FTD device from backup, do not unregister before you reimage, and do not remove devices from the FMC. Instead, revert any licensing changes made since you took the backup. After the restore completes, reconfigure licensing. If you notice licensing conflicts or orphan entitlements, contact Cisco TAC.

Unregistering removes an appliance from your virtual account, unregisters it from the cloud and cloud services, and releases associated licenses so they can be can be reassigned. When you unregister an appliance, it enters Enforcement mode. Its current configuration and policies continue to work as-is, but you cannot make or deploy any changes.

Manually unregister from CSSM before you:

  • Reimage a Firepower Management Center that manages FTD devices.

  • Shut down the source Firepower Management Center during model migration.

  • Reimage a Firepower Threat Defense device that is locally managed by FDM.

  • Switch a Firepower Threat Defense device from FDM to FMC management.

Automatically unregister from CSSM when you remove a device from the FMC so you can:

  • Reimage an Firepower Threat Defense device that is managed by an FMC.

  • Switch a Firepower Threat Defense device from FMC to FDM management.

Note that in these two cases, removing the device from the FMC is what automatically unregisters the device. You do not have to unregister manually as long as you remove the device from the FMC.


Tip

Classic licenses for NGIPS devices are associated with a specific manager (ASDM/FMC), and are not controlled using CSSM. If you are switching management of a Classic device, or if you are migrating from an NGIPS deployment to an FTD deployment, contact Sales.

Installation Instructions

Table 2. Firepower Management Center Installation Instructions

FMC

Guide

FMC 1600, 2600, 4600

Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide

FMC 1000, 2500, 4500

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

FMC 2000, 4000

Cisco Firepower Management Center 750, 1500, 2000, 3500 and 4000 Getting Started Guide

FMCv

Cisco Firepower Management Center Virtual Getting Started Guide
Table 3. Firepower Threat Defense Installation Instructions

FTD Platform

Guide

Firepower 1000/2100 series

Cisco ASA and Firepower Threat Defense Reimage Guide

Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense

Firepower 4100/9300

Cisco Firepower 4100/9300 FXOS Configuration Guides: Image Management chapters

Cisco Firepower 4100 Getting Started Guide

Cisco Firepower 9300 Getting Started Guide

ASA 5500-X series

Cisco ASA and Firepower Threat Defense Reimage Guide

ISA 3000

Cisco ASA and Firepower Threat Defense Reimage Guide

FTDv: AWS

Cisco Firepower Threat Defense Virtual for the AWS Cloud Getting Started Guide

FTDv: Azure

Cisco Firepower Threat Defense Virtual for the Microsoft Azure Cloud Quick Start Guide

FTDv: KVM

Cisco Firepower Threat Defense Virtual for KVM Getting Started Guide

FTDv: VMware

Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide
Table 4. NGIPSv and ASA FirePOWER Installation Instructions

NGIPS Platform

Guide

NGIPSv

Cisco Firepower NGIPSv Quick Start Guide for VMware

ASA FirePOWER

Cisco ASA and Firepower Threat Defense Reimage Guide

ASDM Book 2: Cisco ASA Series Firewall ASDM Configuration Guide: Managing the ASA FirePOWER Module