FDM FTD HA Upgrade

To upgrade an HA pair of Firepower firewalls managed by FDM, use the following procedure: 

1. Deploy any pending changes.
2. Log into the standby unit, upload the upgrade package and install it.
3. After the reboot and completed upgrade, on the standby unit, go to High Availability and choose Switch Mode. This forces a failover.
4. Log into the new standby unit and upgrade that unit.
5. Resume HA (if it does not resume automatically).
6. Deploy policy if needed.

Restart FDM WebUI

Sometimes, the FDM Web UI stops responding. I’ve found this especially on 6.5 code. To restart tomcat, go into expert mode and disable/enable: 

> expert
admin@fp:~$ sudo su -
Password:
root@fp:~# cd /ngfw/var/cisco/ngfwWebUi/
## delete this file if it exists
root@fp:ngfwWebUi# rm .bootstrap-failed
root@fp:ngfwWebUi# pmtool disablebyid tomcat
root@fp:ngfwWebUi# pmtool enablebyid tomcat

The web service takes a while (10+ minutes) to come back online. 
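The same restart wrapped in a small script that also polls the UI instead of guessing at the wait. This is an added example, not code from the post or from Cisco; it assumes it runs as root in expert mode, that curl is present there, and that the FDM login page on https://localhost/ answers with a 2xx or 3xx once tomcat is back (paths and pmtool ids are the ones shown above).

```shell
#!/bin/sh
# Added example: wraps the manual expert-mode steps and replaces the
# "wait 10+ minutes" guess with a readiness poll. Assumes root in expert
# mode, curl on the box, and that the FDM UI answers HTTPS on localhost.
set -u

WEBUI_DIR=/ngfw/var/cisco/ngfwWebUi
MARKER=.bootstrap-failed

# Remove the stale bootstrap marker if present. A missing marker is not
# an error, so this returns 0 either way.
clear_bootstrap_marker() {
    dir=${1:-$WEBUI_DIR}
    if [ -f "$dir/$MARKER" ]; then
        rm -f "$dir/$MARKER"
        echo "removed $dir/$MARKER"
        return 0
    fi
    echo "no $MARKER in $dir"
}

# Bounce tomcat through the process manager, as done by hand above.
restart_tomcat() {
    pmtool disablebyid tomcat || return 1
    pmtool enablebyid tomcat
}

# Poll the UI until it answers 2xx/3xx (assumed to mean "up") or the
# timeout expires. Args: url, timeout in seconds, poll interval in seconds.
wait_for_webui() {
    url=${1:-https://localhost/}
    timeout=${2:-900}
    interval=${3:-15}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        code=$(curl -k -s -o /dev/null -w '%{http_code}' "$url" 2>/dev/null)
        case "$code" in
            2??|3??) echo "web UI up after ${waited}s"; return 0 ;;
        esac
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "web UI not up after ${timeout}s" >&2
    return 1
}

restart_fdm_webui() {
    clear_bootstrap_marker "$WEBUI_DIR" && restart_tomcat && wait_for_webui
}

if [ "${1:-}" = "run" ]; then restart_fdm_webui; fi
```

Run it from the root shell in expert mode as `sh restart-webui.sh run`; it exits non-zero if tomcat does not come back within 15 minutes.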

h/t to Pieter-Jan Nefkens at https://www.nefkens.net/fdm-application-fails-after-upgrade/