Time Estimate for PIX Operating System Upgrade.

It depends on which version you are upgrading to and from.

If you are jumping a major release then you need to watch for commands that get changed through the upgrade. Cisco has changed some commands. There is always a document on their site with these details.

As for actual time to upgrade it is usually over within a matter of 5 mins. Reload and your done.

Another thing to watch out for is that you have enough memory on board to do the trick. Check the requirements.

Scotty

darkmoo wrote:

In article , Scotty top-posted:

[Please do not top-post, Scotty. It is easier to follow conversations that are mid-posted.]

I agree. If you jump to a new edition (e.g., 5.x to 6.x, or 6.2 to 6.3), there is a -possibility- that one of the command changes will alter functionality that you depend on; if you haven't prepared for that in advance, it could leave you scrambling. Going to 7.x from 6.x in particular involves a -lot- of command rewriting, and the resulting configuration needs careful study before you rely on it.

My usual upgrade cycle was to:

1) tftp off a copy of the current [active] configuration; 2) compare that configuration to my master configuration in case -somehow- an unrecorded change to the master configuration had crept in; 3) if necessary, change the master configuration, generate a new target configuration (my master configurations were parameterized), load in the new command set, and cycle back to comparing the resulting active configuration to the master configuration.

Eventually at some point I will have an active configuration and master configuration that agree. 5) *Then* I can start the upload of the new software to the PIX. 6) reboot the PIX; 7) copy the new active configuration off; 8) compare the active upgraded configuration to the previous and use it to create a new master configuration; 9) new master in hand, generate a new target configuration, load that in; 10) loop back to loading the now active configuration... until eventually the new master configuration generates the same configuration that the upgraded PIX is willing to hold.

If I did not go through the pre-upgrade reconciliation then I wouldn't be sure which changes to the active configuration were due to the upgrade and which were lurking from previous sessions where one of the firewall admins had changed the active configuration but not recorded it in the master configuration.

The actual software installation was almost always the fastest part of all of this: verifying the configurations can take a fair while (my master configurations were full of comments, which get stripped out by the PIX and so not there to be loaded back for the reconciliation cycle, so the active configuration is always missing a lot of lines relative to the master configuration; if one is not careful, one can easily overlook a missing command or two along the way.)