About Firmware Upgrades

The firmware upgrade process is used to upgrade the ROMMON, FPGA and SSD firmware on the Firepower 4100/9300 chassis Supervisor and to upgrade the FPGA on installed network modules.

Before You Begin

Before upgrading the firmware on your Firepower 4100/9300 chassis, you should perform the following preparation:

  • Review all current critical and major faults.

  • Back up your configurations.

Important Notes

The Firepower 4100/9300 chassis is restarted as part of the firmware upgrade process and the system can be down from a few minutes up to 20 minutes depending on the software that is being upgraded. Please plan your upgrade activities accordingly.

You can use the install firmware pack-version version_number verify-only command in firmware mode to pre-verify the new firmware package that you are planning to install. This allows you to be aware of any unexpected results before scheduling a maintenance window to upgrade the firmware.

During upgrade, it is important that the system does not lose power. A power outage during upgrade may corrupt the system and RMA will be required.

Due to a bug in FXOS, the SSD firmware upgrade is skipped during SUP firmware upgrade. To avoid this issue, upgrade your FXOS version to any of the following versions before upgrading your firmware:

  • 2.6.1.234 or later releases of 2.6

  • 2.8.1.164 or later releases of 2.8

  • 2.9.1.155 or later releases of 2.9

  • 2.10.1.165 or later releases of 2.10

  • 2.11.1.70 or later

If you are upgrading all the firmwares, including rommon, FPGA, and SSD, it will take up to 20 minutes to complete the firmware upgrade. In addition, rebooting the chassis and bringing up the chassis, blade, and application will take 30 minutes.

If for any reason the upgrade fails, please contact Cisco TAC (https://www.cisco.com/c/en/us/support/index.html). Do NOT power cycle the unit.

Firmware Upgrade Packages

The following table lists the available firmware upgrade packages for the Firepower 4100/9300 chassis.


Note

The version numbers of the components in a firmware package do not necessarily match the version number of the firmware package itself.

Table 1. Firepower 4100/9300 Firmware Upgrade Packages

Version

Supported Models

Package File Name and Contents

Description

1.0.19

Firepower 4150

Firepower 4145

Firepower 4140

Firepower 4125

Firepower 4120

Firepower 4115

Firepower 4112

Firepower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.19.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.15.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga2.0.0.SPA

  • Network Module: N/A

  • SSD:

    fxos-k9-fpr4k-ssd.MU03.SPA

    fxos-k9-fpr4k-ssd.MU04.SPA

Note

 

  • This firmware upgrade is a comprehensive system level upgrade and happens only if the device has a specific SSD type (such as, Micron_M500IT_*), upgrade takes longer to complete compared to the earlier firmware upgrades. The whole upgrade process may take up to 20 minutes.

  • If the SSD type is other than Micron_M500IT_* and the firmware and FPGA are already running on 1.0.18, the FXOS firmware upgrade will be skipped with a message No action required. This is because the ROMMON and FPGA are up to date and SSD model is not applicable.

Tip

 

For successful upgrade of ROMMON and FPGA firmware to version 1.0.19, SSD type Micron_M500IT_* is not mandatory. If SSD type is not Micron_M500IT_* and the chassis has an existing firmware package version earlier than 1.0.17, then the upgrade of ROMMON and FPGA firmware to 1.0.19 is still possible without the SSD firmware upgrade.

Note

 

The ROMMON/FPGA firmware package versions in the output of the 'show sup version' in 'scope chassis 1' will be updated if the existing ROMMON/FPGA versions are different (lower) than the target image, for example, firmware version 1.0.19 versus version 1.0.17 or earlier.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.19.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.15.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.2.0.0.SPA

  • Network Module FPGA: fxos-k9-fpr-dnm-2x100g-epm-fpga.1.2.0.SPA

  • SSD:

    fxos-k9-fpr9k-ssd.MU03.SPA

    fxos-k9-fpr9k-ssd.MU04.SPA

1.0.18

Firepower 4150

Firepower 4145

Firepower 4140

Firepower 4125

Firepower 4120

Firepower 4115

Firepower 4112

Firepower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.18.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.15.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga.2.00.SPA

  • Network Module: N/A

Note

 

This firmware upgrade is a comprehensive system level upgrade and takes longer to complete compared to the earlier firmware upgrades. The whole upgrade process may take up to 20 minutes.

When the firmware version is upgraded from 1.0.18 to 1.0.19, the ROMMON/FPGA firmware package versions in the output of the 'show sup version' in 'scope chassis 1' still remains 1.0.18 since both the firmware packages have the same ROMMON version 1.0.15 and FPGA version 2.00. In such cases, ROMMON/FPGA firmware will not be upgraded irrespective of the SSD firmware upgrade status.

Note

 

The ROMMON/FPGA firmware package versions in the output of the 'show sup version' in 'scope chassis 1' will be updated if the existing ROMMON/FPGA versions are different (lower) than the target image, for example, firmware version 1.0.19 versus version 1.0.17 or earlier.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.18.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.15.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.2.00.SPA

  • Network Module FPGA: fxos-k9-fpr-dnm-2x100g-epm-fpga.1.2.0.SPA

1.0.17

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.17.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.14.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.1.06.SPA

  • Network Module FPGA: fxos-k9-fpr-dnm-2x100g-epm-fpga.1.2.0.SPA

Includes important fixes for the Firepower 2-port 100G Network Module. For more information, see:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-firpwr-dos

  • CSCvn57812

    - Cisco FP 9000 FP 2-Port 100G Double-Width Network Module Queue Wedge DoS Vulnerability nyshen

Note

 

The ROMMON/FPGA firmware package versions in the output of the 'show sup version' in 'scope chassis 1' will be updated if the existing ROMMON/FPGA versions are different (lower) than the target image, for example, firmware version 1.0.19 versus version 1.0.17 or earlier.

1.0.16

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4112

Firepower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.16.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.14.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga.1.06.SPA

  • Network Module FPGA: N/A

Provides improvements to the Supervisor FPGA and includes a fix so that the Security Engine on the Firepower 4100 series security appliance is restarted whenever the chassis is rebooted. The 1.0.16 firmware package also includes updates to the Supervisor ROMMON to support new SPI flash parts used in manufacturing Firepower 4100/9300 security appliances. All Firepower 4100/9300 security appliances using the new SPI flash ship with updated firmware.

Required before you can use a Firepower 2-port 100G Network Module (FPR9K-NM-2X100G) or a Firepower 4-port 100G Network Module (FPR9K-NM-4X100G) with your Firepower 9300 security appliance.

Note

 

The ROMMON/FPGA firmware package versions in the output of the 'show sup version' in 'scope chassis 1' will be updated if the existing ROMMON/FPGA versions are different (lower) than the target image, for example, firmware version 1.0.19 versus version 1.0.17 or earlier.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.16.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.14.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.1.06.SPA

  • Network Module FPGA: N/A

1.0.12

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4112

Firepower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.12.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.12.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga.1.05.SPA

  • Network Module FPGA: N/A

Required before you can use the Secure Unlock feature.

Note

 

The ROMMON/FPGA firmware package versions in the output of the 'show sup version' in 'scope chassis 1' will be updated if the existing ROMMON/FPGA versions are different (lower) than the target image, for example, firmware version 1.0.19 versus version 1.0.17 or earlier.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.12.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.12.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.1.05.SPA

  • Network Module FPGA: N/A

1.0.10

Firepower 4150

Firepower 4140

Firepower 4120

Firep

Firepower 4112

ower 4110

Firmware Package: fxos-k9-fpr4k-firmware.1.0.10.SPA

  • ROMMON: fxos-k9-fpr4k-rommon.1.0.10.SPA

  • Supervisor FPGA: fxos-k9-fpr4k-fpga.1.05.SPA

  • Network Module FPGA: N/A

Required before you can use a Firepower 2-port 100G Double-Wide Network Module (FPR9K-DNM-2X100G) with your Firepower 9300 security appliance.

Note

 

The ROMMON/FPGA firmware package versions in the output of the 'show sup version' in 'scope chassis 1' will be updated if the existing ROMMON/FPGA versions are different (lower) than the target image, for example, firmware version 1.0.19 versus version 1.0.17 or earlier.

Firepower 9300

Firmware Package: fxos-k9-fpr9k-firmware.1.0.10.SPA

  • ROMMON: fxos-k9-fpr9k-rommon.1.0.10.SPA

  • Supervisor FPGA: fxos-k9-fpr9k-fpga.1.05.SPA

  • Network Module FPGA: N/A

Note

Beginning from FXOS 2.13, the following platforms are not supported:

  • Firepower 4110

  • Firepower 4120

  • Firepower 4140

  • Firepower 4150

Download Firmware Upgrade Package from Cisco.com

Use the following procedure to download a firmware upgrade package from Cisco.com for your Firepower 4100/9300 chassis.

Procedure

Step 1

Open the Software Download page on Cisco.com for your device.

Step 2

Under Select a Software Type, click Firepower Extensible Operating System.

Step 3

Choose All Releases > firmware, and then select and download the firmware package from Cisco.com to a server that you can access from the Firepower 4100/9300 chassis.

Transfer Firmware Upgrade Package to Firepower 4100/9300 Chassis

Use the following procedure to transfer a firmware upgrade package to your Firepower 4100/9300 chassis.

Procedure

Step 1

Transfer the firmware upgrade package to the Firepower 4100/9300 chassis using either Firepower Chassis Manager or the FXOS CLI:

Firepower Chassis Manager

  1. In Firepower Chassis Manager, choose System > Updates.

  2. Click Upload Image to open the Upload Image dialog box.

  3. Click Browse to navigate to and select the firmware upgrade package that you want to upload.

  4. Click Upload.

    The selected firmware upgrade package is uploaded to the Firepower 4100/9300 chassis.

    Note

     

    Firmware upgrade packages are not shown in the Available Updates list.

FXOS CLI

  1. Enter firmware mode:

    Firepower-chassis # scope firmware

  2. Download the FXOS firmware image to the Firepower 4100/9300 chassis:

    Firepower-chassis /firmware # download image URL

    Specify the URL for the file being imported using one of the following syntax:

    • ftp://username@hostname/ path/ image_name

    • scp://username@hostname/ path/ image_name

    • sftp://username@hostname/ path/ image_name

    • tftp://hostname: port-num/ path/ image_name

  3. To monitor the download process:

    Firepower-chassis /firmware # show download-task image_name detail

Example:

Firepower-chassis# scope firmware 
Firepower-chassis /firmware # download image tftp://10.10.10.1/fxos-k9-fpr9k-firmware.1.0.10.SPA 
Firepower-chassis /firmware # show download-task fxos-k9-fpr9k-firmware.1.0.10.SPA detail

Download task:
    File Name: fxos-k9-fpr9k-firmware.1.0.10.SPA
    Protocol: Tftp
    Server: 10.10.10.1
    Port: 0
    Userid:
    Path:
    Downloaded Image Size (KB): 2104
    Time stamp: 2015-12-04T23:51:57.846
    State: Downloading
    Transfer Rate (KB/s): 263.000000
    Current Task: unpacking image fxos-k9-fpr9k-firmware.1.0.10.SPA on primary(
FSM-STAGE:sam:dme:FirmwareDownloaderDownload:UnpackLocal)

Step 2

Verify that the firmware upgrade package has been successfully uploaded to the Firepower 4100/9300 chassis:

scope firmware

show package

Example:

firepower-chassis# scope firmware
firepower-chassis /firmware # show package
Name                                          Version
--------------------------------------------- -------
fxos-k9-fpr9k-firmware.1.0.10.SPA             1.0.10
fxos-k9-fpr9k-firmware.1.0.12.SPA             1.0.12
fxos-k9-fpr9k-firmware.1.0.16.SPA             1.0.16
fxos-k9-fpr9k-firmware.1.0.17.SPA             1.0.17
fxos-k9-fpr9k-firmware.1.0.18.SPA             1.0.18
fxos-k9.2.6.1.157.SPA                         2.6(1.157)
firepower-chassis /firmware #

Step 3

You can enter the following command to view the contents of the firmware package:

show package image_name expand

Note

 

The versions numbers of the components in the firmware package do not necessarily match the version number of the firmware package itself. For more information, see Firmware Upgrade Packages.

Example:

firepower-chassis /firmware # show package fxos-k9-fpr9k-firmware.1.0.18.SPA expand
Package fxos-k9-fpr9k-firmware.1.0.18.SPA:
    Images:
        fxos-k9-fpr9k-fpga.2.00.SPA
        fxos-k9-fpr9k-rommon.1.0.15.SPA
firepower-chassis /firmware #

Install Firmware Upgrade Package

Use the FXOS CLI to upgrade the firmware on your Firepower 4100/9300 chassis.

Procedure

Step 1

On the Firepower 4100/9300 chassis, enter firmware mode:

scope firmware

Example:

firepower-chassis# scope firmware
firepower-chassis /firmware #

Step 2

Enter the following command to view the version number of the firmware package:

show package

This version number is used in the following step when installing the firmware package.

Example:

firepower-chassis /firmware # show package
Name                                          Version
--------------------------------------------- -------
fxos-k9-fpr9k-firmware.1.0.10.SPA             1.0.10
fxos-k9-fpr9k-firmware.1.0.12.SPA             1.0.12
fxos-k9-fpr9k-firmware.1.0.16.SPA             1.0.16
fxos-k9-fpr9k-firmware.1.0.17.SPA             1.0.17
fxos-k9-fpr9k-firmware.1.0.18.SPA             1.0.18
fxos-k9.2.6.1.157.SPA                         2.6(1.157)
firepower-chassis /firmware #

Step 3

To install the firmware package:

  1. Enter firmware-install mode:

    scope firmware-install

  2. Install the firmware package:

    install firmware pack-version version_number

    The system will verify the firmware package and will notify you that the verification process can take several minutes to complete.

  3. Enter yes to proceed with the verification.

    After verifying the firmware package, the system will notify you that the installation process can take several minutes to complete and that the system will reboot during the update process.

  4. Enter yes to proceed with the installation. Do not power cycle the Firepower 4100/9300 chassis during the upgrade process.

Example:

firepower-chassis /firmware # scope firmware-install
firepower-chassis /firmware/firmware-install # install firmware pack-version 1.0.18
Verifying FXOS firmware package 1.0.15. Verification could take several minutes.
Do you want to proceed? (yes/no):yes
FXOS SUP ROMMON: Upgrade from 1.0.14 to 1.0.15
FXOS SUP FPGA: Upgrade from 1.06 to 2.00
FXOS SUP NM FPGA(slot:2): NM FPGA image not part of package

This operation upgrades SUP firmware on Security Platform.
Here is the checklist of things that are recommended before starting the install operation
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
   The system will be reboot to upgrade the SUP firmware.
   The upgrade operation will take several minutes to complete.
   PLEASE DO NOT POWER RECYCLE DURING THE UPGRADE.
Do you want to proceed? (yes/no):yes

Upgrading FXOS SUP firmware software package version 1.0.18

command executed

Example:

firepower-chassis /firmware # scope firmware-install
firepower-chassis /firmware/firmware-install # install firmware pack-version 1.0.19
Verifying FXOS firmware package 1.0.19. Verification could take several minutes.
Do you want to proceed? (yes/no):yes
FXOS SUP ROMMON: Upgrade from 1.0.14 to 1.0.15
FXOS SUP FPGA: Upgrade from 1.06 to 2.00
FXOS SUP NM FPGA(slot:2): NM FPGA image not part of package
FXOS SUP SSD: Upgrade from MU02 to MU03

This operation upgrades SUP firmware on Security Platform.
Here is the checklist of things that are recommended before starting the install operation
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
   The system will be reboot to upgrade the SUP firmware.
   The upgrade operation will take several minutes to complete.
   PLEASE DO NOT POWER RECYCLE DURING THE UPGRADE.
Do you want to proceed? (yes/no):yes

Upgrading FXOS SUP firmware software package version 1.0.19
command executed

Step 4

To monitor the upgrade process:

show detail

The firmware upgrade process should show the upgrade status as Upgrade Complete Successful after the process has completed successfully.

Example:

firepower-chassis /firmware/firmware-install # show detail

Firmware Pack Install:
    Upgrade Package Version: 1.0.18
    Oper State: In Progress
    Upgrade Status:
    Current Task: Waiting for Deploy to begin(FSM-STAGE:sam:dme:FirmwareSupFirmwareDeploy:WaitForDeploy)

firepower-chassis /firmware/firmware-install # show detail

Firmware Pack Install:
    Upgrade Package Version: 1.0.18
    Oper State: Ready
    Upgrade Status: Upgrade Complete Successful
    Current Task:
firepower-chassis /firmware/firmware-install #

Step 5

After the installation has completed, you can enter the following commands to view the current firmware version:

top

scope chassis 1

show sup version

show nm-fpga-version

Example:

firepower-chassis /firmware/firmware-install # top
firepower-chassis# scope chassis 1
firepower-chassis /chassis # show sup version
SUP FIRMWARE:
    ROMMON:
        Running-Vers: 1.0.15
        Package-Vers: 1.0.18
        Activate-Status: Ready
    FPGA:
        Running-Vers: 2.00
        Package-Vers: 1.0.18
        Activate-Status: Ready
    SSD:
        Running-Vers: MU03
        Model: Micron_M500IT_MTFDDAT128MBD

firepower-chassis /chassis # show nm-fpga-version

Network Module Version:
    Network Module Slot: 2
    Running-Vers: 1.2.0
    Package-Vers: 1.0.17
    Activate-Status: Ready
firepower-chassis /chassis #