To upgrade an HA pair of Firepower firewalls managed by FDM, use the following procedure:
1. Deploy any pending changes, so both units start from the same committed configuration.
2. Log into the standby unit, upload the upgrade package and install it.
3. After the upgrade completes and the unit reboots, on the standby unit go to High Availability > Switch Mode. This forces a failover, so the upgraded unit becomes active.
4. Log into the new standby unit (the former active unit) and upgrade it the same way.
5. Resume HA if it does not resume automatically.
6. Deploy policy if needed.
Sometimes, the FDM Web UI stops responding. I’ve found this especially on 6.5 code. To restart tomcat, go into expert mode, remove the stale bootstrap marker if present, then disable and re-enable the tomcat process with pmtool:
admin@fp:~$ sudo su -
root@fp:~# cd /ngfw/var/cisco/ngfwWebUi/
## delete this file if it exists (-f so a missing file is not an error)
root@fp:ngfwWebUi# rm -f .bootstrap-failed
root@fp:ngfwWebUi# pmtool disablebyid tomcat
root@fp:ngfwWebUi# pmtool enablebyid tomcat
The web service takes a while (10+ minutes) to come back online.
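Since the UI can take 10+ minutes to return, it helps to know when it is actually back rather than refreshing the browser. The script below is an added example, not from the original post or from Cisco: it wraps the same pmtool steps in a root check and a polling loop. It assumes it is run from expert mode as root, that `curl` is available in that shell (an assumption), and that the UI answers on `https://127.0.0.1/` from the box (override `FDM_URL` with the management IP otherwise). `wait_for_ui` accepts an injectable probe command so the loop can be exercised without a firewall.

```shell
#!/bin/sh
# Added example (not the page's own commands): restart the FDM web UI
# with checks, then poll until tomcat is serving again.
# Assumptions: run as root from FTD expert mode; pmtool and curl exist
# in that shell (curl availability is an assumption); the UI is reachable
# at $FDM_URL from the box.

FDM_UI_DIR=/ngfw/var/cisco/ngfwWebUi
FDM_URL="${FDM_URL:-https://127.0.0.1/}"   # set to the management IP if needed

# Classify an HTTP status code: 2xx/3xx means tomcat is serving the UI.
# curl reports "000" when the connection is refused (tomcat still down).
http_is_up() {
    case "$1" in
        2??|3??) return 0 ;;
        *)       return 1 ;;
    esac
}

# Probe the UI once and print the status code. -k because FDM ships a
# self-signed certificate; pin the cert instead if you run this remotely.
probe_fdm() {
    curl -k -s -o /dev/null -m 10 -w '%{http_code}' "$FDM_URL" || echo 000
}

# Poll a probe until it reports the UI up or the deadline passes.
#   wait_for_ui <timeout_seconds> <interval_seconds> [probe_command]
# The probe command is injectable so the loop can be tested with a stub.
wait_for_ui() {
    timeout=$1; interval=$2; probe=${3:-probe_fdm}
    elapsed=0; code=000
    while [ "$elapsed" -lt "$timeout" ]; do
        code=$("$probe")
        if http_is_up "$code"; then
            echo "FDM UI responded with HTTP $code after ${elapsed}s"
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "FDM UI still down after ${timeout}s (last code: $code)" >&2
    return 1
}

restart_fdm_ui() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo su -)" >&2; return 1; }
    # A leftover bootstrap marker stops the UI from starting; -f so a
    # missing file is not an error.
    rm -f "$FDM_UI_DIR/.bootstrap-failed"
    pmtool disablebyid tomcat
    pmtool enablebyid tomcat
    # The post reports 10+ minutes, so allow 20 and check every 30 seconds.
    wait_for_ui 1200 30
}

# Only act when explicitly asked, so the file can also be sourced.
case "${1:-}" in
    run) restart_fdm_ui ;;
esac
```

Run it with `sh restart_fdm_ui.sh run` from expert mode; the exit status tells you whether the UI came back within the deadline, which is handy when the restart is part of a larger maintenance script.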
h/t to Pieter-Jan Nefkens at https://www.nefkens.net/fdm-application-fails-after-upgrade/