By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Upgrading my Cisco Firewall

0

I have been asked for the correct method to 1 ) patch and 2)full upgrade of a Cisco firewall AMI when we put one into service. I assume patching is the same as normal, just apply the patch to the device If you're doing a full upgrade do you need to build a brand new AMI and migrate your configuration, or do you upgrade as you would normal device? New to AWS, Thanks or your help. Mike

Topics
Compute
Tags
Amazon Machine Images (AMI)
Language
English
rePost-User-3172596
asked 2 years ago350 views
1 Answer
0

Hi Mike,

AMIs from Marketplace are owned and supported by respective product owners, it is best to contact the vendor for specific patch/upgrade instructions; generally speaking regular (for example) Cisco vASA upgrade procedure would be similar to what is mentioned in the links below:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-aws.html

General points to consider before upgrading any 3rd party virtual appliances:

  • Write configuration to the device memory and take configuration file backup
  • Recommend to take a snapshot before proceeding with the upgrade, also in general periodic recurring snapshots should be taken, in case something goes wrong with the virtual appliance you can restore last known good state from the snapshots
  • If possible try the upgrade in a Test environment first
  • Pay attention to the licensing pre and post upgrade, AWS does not provide any third party product license and it needs to be directly purchased from the third party vendors
  • If you have implemented HA pair you may want to look at AWS GWLB service (Gateway LoadBalancer) - with this you can take 1 FW instance OOLB, upgrade it, verify, put it back in the Pool then upgrade the other instance, this way the upgrade would be least impacting

Hope this helps.

profile pictureAWS
EXPERT
Tushar_J
answered 2 years ago
  • rePost-User-3172596
    2 years ago

    Thanks for your detailed help. "HA pair you may want to look at AWS GWLB service" yes thats exactly what we're doing. My first venture into AWS so huge learning curve.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content