About Firmware Upgrades

The firmware upgrade process is used to upgrade the ROMMON and FPGA on the Firepower 4100/9300 chassis Supervisor and to upgrade the FPGA on installed network modules.

Before You Begin

Before upgrading the firmware on your Firepower 4100/9300 chassis, you should perform the following preparation:

  • Review all current critical and major faults.

  • Back up your configurations.

Important Notes

The Firepower 4100/9300 chassis is restarted as part of the firmware upgrade process and the system can be down from a few minutes up to 20 minutes depending on the software that is being upgraded. Please plan your upgrade activities accordingly.

During upgrade, it is important that the system does not lose power. A power outage during upgrade may corrupt the system and RMA will be required.

If for any reason the upgrade fails, please contact Cisco TAC (https://www.cisco.com/c/en/us/support/index.html). Do NOT power cycle the unit.

Firmware Upgrade Packages

The following table lists the available firmware upgrade packages for the Firepower 4100/9300 chassis.


Note

The version numbers of the components in a firmware package do not necessarily match the version number of the firmware package itself.


Table 1. Firepower 4100/9300 Firmware Upgrade Packages

Version

Supported Models

Package File Name and Contents

Description

1.0.18

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.18.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.15.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga.2.00.SPA

  • Network Module FPGA: N/A

Includes important fixes to resolve PSIRT issue outlined in:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

Note 

This firmware upgrade is a comprehensive system level upgrade and will take longer to complete compared to earlier firmware upgrades. The whole upgrade process may take up to 20 minutes.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.18.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.15.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.2.00.SPA

  • Network Module FPGA: fxos-k9-fpr-dnm-2x100g-epm-fpga.1.2.0.SPA

1.0.17

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.17.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.14.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.1.06.SPA

  • Network Module FPGA: fxos-k9-fpr-dnm-2x100g-epm-fpga.1.2.0.SPA

Includes important fixes for the Firepower 2-port 100G Network Module. For more information, see:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-firpwr-dos

1.0.16

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.16.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.14.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga.1.06.SPA

  • Network Module FPGA: N/A

Provides improvements to the Supervisor FPGA and includes a fix so that the Security Engine on the Firepower 4100 series security appliance is restarted whenever the chassis is rebooted. The 1.0.16 firmware package also includes updates to the Supervisor ROMMON to support new SPI flash parts used in manufacturing Firepower 4100/9300 security appliances. All Firepower 4100/9300 security appliances using the new SPI flash ship with updated firmware.

Required before you can use a Firepower 2-port 100G Network Module (FPR9K-NM-2X100G) or a Firepower 4-port 100G Network Module (FPR9K-NM-4X100G) with your Firepower 9300 security appliance.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.16.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.14.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.1.06.SPA

  • Network Module FPGA: N/A

1.0.12

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.12.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.12.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga.1.05.SPA

  • Network Module FPGA: N/A

Required before you can use the Secure Unlock feature.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.12.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.12.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.1.05.SPA

  • Network Module FPGA: N/A

1.0.10

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.10.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.10.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga.1.05.SPA

  • Network Module FPGA: N/A

Required before you can use a Firepower 2-port 100G Double-Wide Network Module (FPR9K-DNM-2X100G) with your Firepower 9300 security appliance.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.10.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.10.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.1.05.SPA

  • Network Module FPGA: N/A

Download Firmware Upgrade Package from Cisco.com

Use the following procedure to download a firmware upgrade package from Cisco.com for your Firepower 4100/9300 chassis.

Procedure


Step 1

Open the Software Download page on Cisco.com for your device.

Step 2

Under Select a Software Type, click Firepower Extensible Operating System.

Step 3

Choose All Releases > firmware, and then select and download the firmware package from Cisco.com to a server that you can access from the Firepower 4100/9300 chassis.


Transfer Firmware Upgrade Package to Firepower 4100/9300 Chassis

Use the following procedure to transfer a firmware upgrade package to your Firepower 4100/9300 chassis.

Procedure


Step 1

Transfer the firmware upgrade package to the Firepower 4100/9300 chassis using either Firepower Chassis Manager or the FXOS CLI:

Firepower Chassis Manager

  1. In Firepower Chassis Manager, choose System > Updates.

  2. Click Upload Image to open the Upload Image dialog box.

  3. Click Browse to navigate to and select the firmware upgrade package that you want to upload.

  4. Click Upload.

    The selected firmware upgrade package is uploaded to the Firepower 4100/9300 chassis.
    Note 

    Firmware upgrade packages are not shown in the Available Updates list.

FXOS CLI

  1. Enter firmware mode:

    Firepower-chassis # scope firmware

  2. Download the FXOS firmware image to the Firepower 4100/9300 chassis:

    Firepower-chassis /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp ://username@hostname/ path/ image_name

    • scp ://username@hostname/ path/ image_name

    • sftp ://username@hostname/ path/ image_name

    • tftp ://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis /firmware # show download-task image_name detail

Example:

Firepower-chassis# scope firmware 
Firepower-chassis /firmware # download image tftp://10.10.10.1/fxos-k9-fpr9k-firmware.1.0.10.SPA 
Firepower-chassis /firmware # show download-task fxos-k9-fpr9k-firmware.1.0.10.SPA detail

Download task:
    File Name: fxos-k9-fpr9k-firmware.1.0.10.SPA
    Protocol: Tftp
    Server: 10.10.10.1
    Port: 0
    Userid:
    Path:
    Downloaded Image Size (KB): 2104
    Time stamp: 2015-12-04T23:51:57.846
    State: Downloading
    Transfer Rate (KB/s): 263.000000
    Current Task: unpacking image fxos-k9-fpr9k-firmware.1.0.10.SPA on primary(
FSM-STAGE:sam:dme:FirmwareDownloaderDownload:UnpackLocal)

Step 2

Verify that the firmware upgrade package has been successfully uploaded to the Firepower 4100/9300 chassis:

scope firmware

show package

Example:

firepower-chassis# scope firmware
firepower-chassis /firmware # show package
Name                                          Version
--------------------------------------------- -------
fxos-k9-fpr9k-firmware.1.0.10.SPA             1.0.10
fxos-k9-fpr9k-firmware.1.0.12.SPA             1.0.12
fxos-k9-fpr9k-firmware.1.0.16.SPA             1.0.16
fxos-k9-fpr9k-firmware.1.0.17.SPA             1.0.17
fxos-k9-fpr9k-firmware.1.0.18.SPA             1.0.18
fxos-k9.2.6.1.157.SPA                         2.6(1.157)
firepower-chassis /firmware #

Step 3

You can enter the following command to view the contents of the firmware package:

show package image_name expand

Note 

The versions numbers of the components in the firmware package do not necessarily match the version number of the firmware package itself. For more information, see Firmware Upgrade Packages.

Example:

firepower-chassis /firmware # show package fxos-k9-fpr9k-firmware.1.0.18.SPA expand
Package fxos-k9-fpr9k-firmware.1.0.18.SPA:
    Images:
        fxos-k9-fpr9k-fpga.2.00.SPA
        fxos-k9-fpr9k-rommon.1.0.15.SPA
firepower-chassis /firmware #


Install Firmware Upgrade Package

Use the FXOS CLI to upgrade the firmware on your Firepower 4100/9300 chassis.

Procedure


Step 1

On the Firepower 4100/9300 chassis, enter firmware mode:

scope firmware

Example:

firepower-chassis# scope firmware
firepower-chassis /firmware #

Step 2

Enter the following command to view the version number of the firmware package:

show package

This version number is used in the following step when installing the firmware package.

Example:

firepower-chassis /firmware # show package
Name                                          Version
--------------------------------------------- -------
fxos-k9-fpr9k-firmware.1.0.10.SPA             1.0.10
fxos-k9-fpr9k-firmware.1.0.12.SPA             1.0.12
fxos-k9-fpr9k-firmware.1.0.16.SPA             1.0.16
fxos-k9-fpr9k-firmware.1.0.17.SPA             1.0.17
fxos-k9-fpr9k-firmware.1.0.18.SPA             1.0.18
fxos-k9.2.6.1.157.SPA                         2.6(1.157)
firepower-chassis /firmware #

Step 3

To install the firmware package:

  1. Enter firmware-install mode:

    scope firmware-install

  2. Install the firmware package:

    install firmware pack-version version_number

    The system will verify the firmware package and will notify you that the verification process can take several minutes to complete.
  3. Enter yes to proceed with the verification.

    After verifying the firmware package, the system will notify you that the installation process can take several minutes to complete and that the system will reboot during the update process.
  4. Enter yes to proceed with the installation. Do not power cycle the Firepower 4100/9300 chassis during the upgrade process.

Example:

firepower-chassis /firmware # scope firmware-install
firepower-chassis /firmware/firmware-install # install firmware pack-version 1.0.18
Verifying FXOS firmware package 1.0.18. Verification could take several minutes.
Do you want to proceed? (yes/no):yes
FXOS SUP ROMMON: Upgrade from 1.0.14 to 1.0.15
FXOS SUP FPGA: Upgrade from 1.06 to 2.00
FXOS SUP NM FPGA(slot:2): NM FPGA image not part of package

This operation upgrades SUP firmware on Security Platform.
Here is the checklist of things that are recommended before starting the install operation
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
   The system will be reboot to upgrade the SUP firmware.
   The upgrade operation will take several minutes to complete.
   PLEASE DO NOT POWER RECYCLE DURING THE UPGRADE.
Do you want to proceed? (yes/no):yes

Upgrading FXOS SUP firmware software package version 1.0.18

command executed

Step 4

To monitor the upgrade process:

show detail

The firmware upgrade process should show the upgrade status as Upgrade Complete Successful after the process has completed successfully.

Example:

firepower-chassis /firmware/firmware-install # show detail

Firmware Pack Install:
    Upgrade Package Version: 1.0.18
    Oper State: In Progress
    Upgrade Status:
    Current Task: Waiting for Deploy to begin(FSM-STAGE:sam:dme:FirmwareSupFirmwareDeploy:WaitForDeploy)

firepower-chassis /firmware/firmware-install # show detail

Firmware Pack Install:
    Upgrade Package Version: 1.0.18
    Oper State: Ready
    Upgrade Status: Upgrade Complete Successful
    Current Task:
firepower-chassis /firmware/firmware-install #

Step 5

After the installation has completed, you can enter the following commands to view the current firmware version:

top

scope chassis 1

show sup version

show nm-fpga-version

Example:

firepower-chassis /firmware/firmware-install # top
firepower-chassis# scope chassis 1
firepower-chassis /chassis # show sup version
SUP FIRMWARE:
    ROMMON:
        Running-Vers: 1.0.15
        Package-Vers: 1.0.18
        Activate-Status: Ready
    FPGA:
        Running-Vers: 2.00
        Package-Vers: 1.0.18
        Activate-Status: Ready

firepower-chassis /chassis # show nm-fpga-version

Network Module Version:
    Network Module Slot: 2
    Running-Vers: 1.2.0
    Package-Vers: 1.0.17
    Activate-Status: Ready
firepower-chassis /chassis #