Upgrade an FDM-Managed High Availability Pair

Upgrade your HA pair without disrupting traffic; the standby device continues to handle traffic detection while the secondary device is upgraded.

When you upgrade an HA pair, Security Cloud Control executes an eligibility check and copies or identifies the image location before starting the upgrade. The secondary device in a high availability pair upgrades first, even if it is currently the active device; if the secondary device is the Security Cloud Control active device, the paired devices automatically switch roles for the upgrade process. Once the secondary devices successfully upgrade, the devices switch roles, then the new standby device upgrades. When the upgrade completes, the devices are automatically configured so the primary device is active and the secondary device is standby.

We do not recommend deploying to the HA pair during the upgrade process.

Before You Begin

• Deploy all pending changes to the active device before upgrading.

• Ensure there are no tasks running during the upgrade.

• Both devices in the HA pair are healthy.

• Confirm you are ready to upgrade; you cannot rollback to a previous version in Security Cloud Control.

• Read through the FTD Upgrade Prerequisites, Firepower Software Upgrade Path, and the Software and Hardware Supported by Security Cloud Control to review any requirements and warnings that may incur during the ugprade process.