[c-nsp] Pix FOS

Afsheen Bigdeli afsheenb at gravityplaysfavorites.net
Tue Jan 2 17:16:03 EST 2007


I've successfully upgraded from 6.3 to 7.2, for three different sets of 
firewalls, over the past 6 months. Yes, you can upgrade straight to 7.2.

Firstly, you'll want this link handy:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Secondly, as is mentioned in that document, the jump to 7.x from 6.x is 
a big one. Your config will look _very_ different. Be aware specifically 
of the changes to how interfaces (both physical and logical) are 
represented, the implication of changes to the fixup command (i.e. where 
did fixup go, and what does inspect mean, and what traffic should you be 
inspecting?), and what commands have been deprecated by the 7.x train.

As for recommendations, overall, yes, I'd recommend it. Admittedly, 
there are one or two interesting bugs - inspect http, for example, will 
take out even the PIX 535s with memory utilization problems if you're 
pushing more than a modest amount of http traffic through the firewall. 
(This is covered in CSCsd72617, I believe.) There are also plenty of 
things that make more sense aesthetically - at least to me - if you're 
already used to IOS syntax. That, combined with one or two necessary 
7.x-only commands (e.g. same-security-traffic permit intra-interface) made 
the jump well worth it.

--afsheenb


Voll, Scott wrote:
> I'm currently running Pix FOS 6.3 but need to upgrade to at least 7.1.
> I also see that 7.2 is out.
>
> Two Questions:
>
> I know I need to upgrade from 6.3 to 7.0 in order to upgrade to 7.1.....
> What do I need to do to upgrade to 7.2?  Can I skip 7.1?
>
> Is anyone using 7.2?  If so, would you recommend it?
>
> Thanks
>
> Scott


