Summary: Step-by-step reference for upgrading a Cisco FTD device through FMC, covering pre-upgrade checks, package upload, readiness check, upgrade execution, HA pair sequencing, and post-upgrade verification.
| Check | Detail |
|---|---|
| FMC version | FMC must be on the target version or higher before any FTD is upgraded |
| Compatibility | Verify FTD target version against the Cisco Firepower Compatibility Guide |
| Disk space | FMC and FTD must have sufficient free disk space — the readiness check will flag shortfalls |
| FMC backup | System > Backup/Restore > Back Up Now before starting |
| HA health | For HA pairs: confirm both units are in Active/Standby with no sync errors |
| Active deployments | Ensure no policy deployments are in progress |

⚠️ No Downgrade Path
FTD cannot be downgraded after a successful upgrade. Test in a non-production environment first where possible.

⚠️ Chassis-Based Platforms (FPR4100 / FPR9300)
These platforms require a separate FXOS upgrade via Firepower Chassis Manager before upgrading FTD through FMC. The FXOS and FTD upgrade packages are distinct. Consult the Cisco Firepower Compatibility Guide to confirm the correct FXOS version for your target FTD release.

.sh.REL.tar) from software.cisco.com — ensure you select the package matching your FTD hardware platform.

Before starting the upgrade, run the built-in readiness check:
| Option | Recommendation |
|---|---|
| Generate troubleshooting files before upgrade | Enable — useful if the upgrade fails |
| Auto-apply policy after upgrade | Enable unless you need to review policy changes first |
| Auto-reboot device | Enable — required to complete the upgrade |

⚠️ Sequence Is Mandatory
Always upgrade the standby unit first. Upgrading the active unit first risks an outage.

| Check | Where |
|---|---|
| Confirm version | Devices > Device Management > device info panel |
| Health monitors | Devices > Device Management > Health Monitor |
| Policy deployment | Deploy pending changes if auto-apply was not selected |
| HA sync state | Devices > Device Management — both units should show Active/Standby Ready |
| Connectivity | Verify traffic passing through the device; check VPN tunnels if applicable |