Friday, November 13, 2020

Upgrading from Firepower 6.2.3.15 to a current release (crosspost from r/cisco)

Hi all,

Have an environment with (3) FTD HA Pairs: One for Internet termination (VPN, DIA), and two LAN firewalls for internal segmentation.

We've been on the 6.2.3.X train, which has been working pretty flawlessly for the last 2 years. We bumped up to 6.2.3.15 earlier this year to fix some issues and have had no real issues since then.

Right now, we have to upgrade to remediate some vulnerabilities reported by a penetration test. No real option in avoiding this as the only fix is to upgrade past 6.2.3.15.

I did a bug scrub on the releases and had a few questions about releases newer than 6.2.3:

  • 6.4.0.10 only has 1 impacting bug (CSCvv81801) -- is the snort crash really that bad? We've done deployments all day long and snort restarts have never been an issue - I have to imagine a snort crash (on HA failover) isn't that much worse
  • 6.5.0.4 seems to have a ton of bugs (nothing seems a major show stopper though) and the last release was back in March this year -- did Cisco stop development on this train?
  • 6.6.1 has only 2 impacting bugs for us (CSCvu84127 & CSCvv46490) -- I've heard other people were complaining about other issues on 6.6, has anyone had any luck with this?

Just curious to see what people are running right now and if any of the above bugs have really affected anyone.
