Cisco FTD upgrade - Best practices
Recently I was tasked with upgrading a client's 1150 FTD firewalls.
Although the upgrade went pretty smoothly, I would like to share some important lessons that I learnt from it.
Since the target FTD version was higher than the version the FMC was running, I had to upgrade the FMC as well.
The upgrade procedure is simple:
++ Create a backup of the FMC.
++ Create a backup of its managed device.
++ Upload the FMC upgrade image and run a readiness check.
++ Upload the FTD upgrade image and run a readiness check for the HA pairs.
++ Upgrade the FMC to 7.2.5.
++ Deploy the post-upgrade policy to the FMC.
++ Upgrade the FTD HA pair to 7.2.5.
++ Deploy the post-upgrade policy to the FTD HA pair.
But while deploying the post-upgrade policy to the FTD HA pair, we noticed the errors shown below:
Policy Name: PVT_RALS
Summary: Unsupported Encryptions Used in IKEv1 Policy.
Description: DES, 3DES encryption algorithms are unsupported in Firewall Threat Defense running 6.7 and above version.
Cause: S2S VPN configuration PVT_RALS has encryption DES or 3DES in IKEv1 Policy 3DES-SHA1_DH2_Preshare-28800.
Action: Please remove the unsupported encryption from IKEv1 Policy 3DES-SHA1_DH2_Preshare-28800
Summary: Unsupported Diffie-Hellman Group used in IKEv1 Policy 3DES-SHA1_DH2_Preshare-28800.
Description: Diffie-Hellman Group 2 is unsupported in Firewall Threat Defense running 6.7 and above versions
Cause: S2S VPN configuration PVT_RALS has Diffie-Hellman Group 2 configured in IKEv1 policy 3DES-SHA1_DH2_Preshare-28800.
Action: Please remove the unsupported Diffie-Hellman Group from IKEv1 policy 3DES-SHA1_DH2_Preshare-28800
Looking at those errors, I initially thought that the upgrade had caused the tunnel to go down, but that does not seem to be the case.
The errors mean that although the FTDs are configured with now-deprecated weak ciphers, which the FMC on its newer code no longer accepts, those ciphers still work on the devices and the tunnel can still be formed.
It simply means that the FMC will not allow me to deploy any new policy changes until I replace those ciphers with ones the FMC supports.
A few lessons learnt from the upgrade:
1. Before proceeding with any upgrade, read up on the new and deprecated features of the target version.
2. Keep upgrading devices to the latest stable releases as and when they are released. This avoids huge version jumps like in my case, where I upgraded from 6.6 to 7.2; a lot was deprecated or newly added between those two versions.
3. Upon further investigation, it appears that the tunnels were down even before the upgrade. To resolve the errors we need to reconfigure ALL the S2S tunnels with newer DH groups (beyond DH5) and encryption standards (beyond 3DES) on both VPN peers.
Until we do that reconfiguration we won’t be able to deploy ANY changes to the FTDs from the FMC.
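The deployment errors above only surface after the FMC is already upgraded, which is the worst moment to discover them. The following script is an added example (not Cisco's code and not from the original post) of the pre-upgrade audit that lesson 1 and lesson 3 call for: it walks through IKEv1 policy objects and flags any that use DES/3DES or a Diffie-Hellman group of 5 or below, so the S2S tunnels can be re-keyed before the upgrade window. The sample records are constructed to resemble what the FMC REST API's IKEv1 policy object endpoint returns; the field names (`encryption`, `diffieHellmanGroup`, and so on) are an assumption, so map them onto the JSON your FMC actually returns.

```python
"""Pre-upgrade audit of IKEv1 policy objects for settings the FMC rejects
when deploying to Firewall Threat Defense 6.7 and above.

Added example; not Cisco's code. The policy records are CONSTRUCTED and
their field names are an assumption modelled on the FMC REST API
(object/ikev1policies). Adjust the field names to your FMC's actual JSON.
"""
from __future__ import annotations

from dataclasses import dataclass

# Encryption algorithms named in the FMC deployment error text (DES, 3DES)
# and the DH groups the post says must be replaced (anything up to DH5).
DEPRECATED_ENCRYPTION = {"DES", "3DES"}
DEPRECATED_DH_GROUPS = {1, 2, 5}


@dataclass(frozen=True)
class Finding:
    policy: str   # IKEv1 policy object name
    issue: str    # what is wrong
    action: str   # what to change before upgrading


def audit_ikev1_policy(policy: dict) -> list[Finding]:
    """Return one Finding per deprecated setting in a single IKEv1 policy."""
    findings: list[Finding] = []
    name = policy.get("name", "<unnamed>")

    # A policy may list several encryption algorithms; flag only the weak ones.
    configured = {alg.upper() for alg in policy.get("encryption", [])}
    weak = sorted(configured & DEPRECATED_ENCRYPTION)
    if weak:
        findings.append(Finding(
            name,
            f"unsupported encryption {', '.join(weak)}",
            f"replace {', '.join(weak)} with an AES variant in policy {name}",
        ))

    dh_group = policy.get("diffieHellmanGroup")
    if dh_group in DEPRECATED_DH_GROUPS:
        findings.append(Finding(
            name,
            f"unsupported Diffie-Hellman group {dh_group}",
            f"move policy {name} to a DH group above 5 (for example group 14)",
        ))
    return findings


def audit_ikev1_policies(policies: list[dict]) -> list[Finding]:
    """Audit every policy object and collect all findings."""
    return [f for policy in policies for f in audit_ikev1_policy(policy)]


def policies_blocking_deployment(policies: list[dict]) -> list[str]:
    """Sorted names of policies that would make the FMC refuse deployment."""
    return sorted({f.policy for f in audit_ikev1_policies(policies)})


# Constructed sample data. The first record mirrors the policy named in the
# post's error text; the other two are invented for contrast.
SAMPLE_POLICIES = [
    {"name": "3DES-SHA1_DH2_Preshare-28800", "encryption": ["3DES"],
     "hash": "SHA", "diffieHellmanGroup": 2,
     "authenticationMethod": "Preshared Key", "lifetimeInSeconds": 28800},
    {"name": "AES256-SHA_DH14_Preshare-86400", "encryption": ["AES-256"],
     "hash": "SHA", "diffieHellmanGroup": 14,
     "authenticationMethod": "Preshared Key", "lifetimeInSeconds": 86400},
    {"name": "AES128-SHA_DH5_Preshare-28800", "encryption": ["AES-128"],
     "hash": "SHA", "diffieHellmanGroup": 5,
     "authenticationMethod": "Preshared Key", "lifetimeInSeconds": 28800},
]


if __name__ == "__main__":
    for finding in audit_ikev1_policies(SAMPLE_POLICIES):
        print(f"{finding.policy}: {finding.issue} -> {finding.action}")
    print("policies to fix before upgrading:",
          policies_blocking_deployment(SAMPLE_POLICIES))
```

Run this against the policy objects pulled from the FMC before uploading the upgrade image, and treat a non-empty result the same way as a failed readiness check: both VPN peers need matching changes, so the list doubles as the worklist to hand to the remote-site owners.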
CCNA | CCNP | ASA | Palo Alto | Panorama | FTD | FMC | WLC | DMVPN | MPLS
11 months: Great sharing
Cyber Security Engineer || DevSecOps Architect || AI DLP Researcher || Application Security || Cloud Security || API Security || Kubernetes Security || VAPT || DevSecOps || CCNA-R&S, CCNP-SECURITY, CEHv11, AZ-900, CKA, AZ-901
11 months: Well described