Cisco Firepower 4100/9300 FXOS Release Notes, 2.0(1)
First Published: June 23, 2016
Last Revised: June 3, 2019
This document contains release information for Cisco Firepower eXtensible Operating System 2.0(1).
Use this release note as a supplement to the other documents listed in the documentation roadmap:
http://www.cisco.com/go/firepower9300-docs
http://www.cisco.com/go/firepower4100-docs
Note: The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.
This document contains the following sections:
–New Features in FXOS 2.0.1.206
–New Features in FXOS 2.0.1.204
–New Features in FXOS 2.0.1.203
–New Features in FXOS 2.0.1.201
–New Features in FXOS 2.0.1.188
–New Features in FXOS 2.0.1.159
–New Features in FXOS 2.0.1.153
–New Features in FXOS 2.0.1.149
–New Features in FXOS 2.0.1.148
–New Features in FXOS 2.0.1.144
–New Features in FXOS 2.0.1.141
–New Features in FXOS 2.0.1.135
–New Features in FXOS 2.0.1.129
–New Features in FXOS 2.0.1.86
–New Features in FXOS 2.0.1.68
–New Features in FXOS 2.0.1.37
–Upgrade a Firepower Security Appliance with No Logical Devices Configured
–Upgrade a Firepower Security Appliance Running Standalone Firepower Threat Defense Logical Devices or a Firepower Threat Defense Intra-Chassis Cluster
–Upgrade Firepower Security Appliances with Firepower Threat Defense Logical Devices in a Failover Configuration
–Upgrading a Firepower Security Appliance Running Standalone ASA Logical Devices or an ASA Intra-Chassis Cluster
–Upgrading an ASA Failover Pair Using the Enhanced Zero Downtime Process
–Upgrading an ASA Failover Pair
–Upgrading an ASA Inter-chassis Cluster Using the Enhanced Zero Downtime Process
–Upgrading an ASA Inter-chassis Cluster
–Resolved Bugs in FXOS 2.0.1.206
–Resolved Bugs in FXOS 2.0.1.204
–Resolved Bugs in FXOS 2.0.1.203
–Resolved Bugs in FXOS 2.0.1.201
–Resolved Bugs in FXOS 2.0.1.188
–Resolved Bugs in FXOS 2.0.1.159
–Resolved Bugs in FXOS 2.0.1.153
–Resolved Bugs in FXOS 2.0.1.149
–Resolved Bugs in FXOS 2.0.1.148
–Resolved Bugs in FXOS 2.0.1.144
–Resolved Bugs in FXOS 2.0.1.141
–Resolved Bugs in FXOS 2.0.1.135
–Resolved Bugs in FXOS 2.0.1.129
–Resolved Bugs in FXOS 2.0.1.86
–Resolved Bugs in FXOS 2.0.1.68
–Resolved Bugs in FXOS 2.0.1.37
The Cisco Firepower security appliance is a next-generation platform for network and content security solutions. The Firepower security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The Firepower security appliance provides the following features:
■Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.
■Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.
■FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
■FXOS REST API—Allows users to programmatically configure and manage their chassis.
Cisco Firepower eXtensible Operating System 2.0.1.206 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.206).
Cisco Firepower eXtensible Operating System 2.0.1.204 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.204).
Cisco Firepower eXtensible Operating System 2.0.1.203 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.203).
Cisco Firepower eXtensible Operating System 2.0.1.201 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.201).
Cisco Firepower eXtensible Operating System 2.0.1.188 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.188).
Cisco Firepower eXtensible Operating System 2.0.1.159 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.159).
Cisco Firepower eXtensible Operating System 2.0.1.153 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.153).
Cisco Firepower eXtensible Operating System 2.0.1.149 introduces the following new features in addition to the features included in earlier releases:
■Adds additional support for verifying security module adapters and provides CLI commands for viewing and updating the boot image for the adapter.
Note: After installing FXOS 2.0.1.149, you might receive a critical fault asking you to update the firmware for your security module adapters. For instructions, see Adapter Bootloader Upgrade.
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.149).
Cisco Firepower eXtensible Operating System 2.0.1.148 introduces the following new features in addition to the features included in earlier releases:
■Secure Unlock, also called Cisco Interactive Debug, is a new serviceability feature that implements a secure way of accessing a Linux prompt on the Supervisor Module on Firepower 9300 and Firepower 4100 Series security appliances.
Note: Before you can use the Secure Unlock feature, the security appliance must have Firmware package 1.0.12 or later installed. For instructions on how to verify your firmware package version and to upgrade the firmware if necessary, see the “Firmware Upgrade” topic in the Cisco FXOS CLI Configuration Guide, 2.0(1) or Cisco FXOS Firepower Chassis Manager Configuration Guide, 2.0(1) (http://www.cisco.com/go/firepower9300-config).
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.148).
Cisco Firepower eXtensible Operating System 2.0.1.144 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.144).
Cisco Firepower eXtensible Operating System 2.0.1.141 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.141).
Cisco Firepower eXtensible Operating System 2.0.1.135 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.135).
Cisco Firepower eXtensible Operating System 2.0.1.129 introduces the following new features in addition to the features included in earlier releases:
Note: FXOS 2.0.1.129 does not support ASA 9.6(1) or FTD 6.0.1.x. If you are running either of these applications on your Firepower security appliance, you must upgrade to FXOS 2.0.1.135 to enable the following features. If you are running ASA 9.6(2) or FTD 6.1, you do not need to upgrade from FXOS 2.0.1.129 to 2.0.1.135 unless you desire the bug fixes included in the newer build.
Note: FXOS 2.0.1.129 is no longer available on Cisco.com and has been superseded by FXOS 2.0.1.135.
■Provides required foundation for future Zero Downtime Upgrade on Firepower security appliance and ASA logical devices in a failover or clustered configuration.
■Added the option to configure the certificate revocation check mode to be either strict or relaxed for IPSec and Secure LDAP connections.
■Added the option to configure enforcement of matching cryptographic key strength between IKE and SA connections for IPSec.
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.129).
Cisco Firepower eXtensible Operating System 2.0.1.86 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.86).
Cisco Firepower eXtensible Operating System 2.0.1.68 introduces the following new features in addition to the features included in earlier releases:
■Increased maximum possible MTU value to 9216 for Jumbo Frame support on logical devices.
■Fixes for various problems (see Resolved Bugs in FXOS 2.0.1.68).
Cisco Firepower eXtensible Operating System 2.0.1.37 introduces the following new features:
■FXOS 2.0(1) contains several new features and numerous enhancements to support achieving compliance with the following certifications: FIPS (Federal Information Processing Standard) 140-2, Common Criteria, UC-APL (Unified Capabilities Approved Product List), and USGv6 (United States Government IPv6).
■You can now perform graceful shutdown for Firepower Threat Defense running on a Firepower 9300 or Firepower 4100 Series security appliance.
■You can now view the latest status for time synchronization with an NTP server.
■You can now schedule when you would like to have configuration settings exported.
■You can now customize the login banners for FXOS.
■Two new user roles are now available: Operations and AAA Administrator.
■Beginning with FXOS 2.0(1), the range of possible values for the maximum number of failed login attempts before a user is locked out of the chassis is now 0-10 (0 means no limit). Also, all types of user accounts (including account type ‘admin’) are locked out of the system after exceeding the maximum number of login attempts.
■Beginning with FXOS 2.0(1), the session timeout and refresh-period ranges have been changed to 0-600 seconds with a default value of 600 seconds.
■FXOS now supports pulling of log information from Security Modules.
■Information about inline pairs is now propagated from Firepower Threat Defense to FXOS.
You can download software images for FXOS and supported applications from one of the following URLs:
■Firepower 9300 — https://software.cisco.com/download/type.html?mdfid=286287252
■Firepower 4100 — https://software.cisco.com/download/navigator.html?mdfid=286305164
For information about the applications that are supported on a specific version of FXOS, refer to the Cisco FXOS Compatibility guide at this URL:
http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
■Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.
■If you are running FXOS 2.0(1) and have an ASA logical device that is running 9.6(2), the logical device will go offline if you downgrade FXOS to 1.1(4). To continue using your logical device, you must downgrade the ASA to 9.6(1), which will bring your logical device back online. You can then upgrade the ASA back to 9.6(2).
■Beginning with FXOS 1.1(3), the behavior for port-channels was changed. In FXOS 1.1(3) and later releases, when a port-channel is created, it is now configured as lacp cluster-detach by default and its status will show as down even if the physical link is up. The port-channel will be brought out of cluster-detach mode in the following situations:
–The port-channel's port-type is set to either cluster or mgmt
–The port-channel is added as a data port for a logical device that is part of a cluster and at least one security module has joined the cluster
If the port-channel is removed from the logical device or the logical device is deleted, the port-channel will revert to cluster-detach mode.
FXOS 2.0.1.149 and later adds additional testing to verify the security module adapters on your security appliance. After installing FXOS 2.0.1.149 or later, you might receive the following critical fault on your security appliance indicating that you should update the firmware for your security module adapter:
Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security Module 1 requires a critical firmware upgrade. Please see Adapter Bootloader Upgrade instructions in the FXOS Release Notes posted with this release.
If you receive the above message, use the following procedure to update the boot image for your adapter:
1. Connect to the FXOS CLI on your Firepower security appliance. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
2. Enter the adapter mode for the adapter whose boot image you are updating:
3. Use the show image command to view the available adapter images and to verify that fxos-m83-8p40-cruzboot.4.0.1.62.bin is available to be installed:
--------------------------------------------- -------------------- -------
fxos-m83-8p40-cruzboot.4.0.1.62.bin Adapter Boot 4.0(1.62)
fxos-m83-8p40-vic.4.0.1.51.gbin Adapter 4.0(1.51)
4. Use the update boot-loader command to update the adapter boot image to version 4.0.1.62:
5. Use the show boot-update status command to monitor the update status:
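Added example, not part of the Cisco release notes: a Python parser that scans captured fault output for the F1715 adapter fault quoted above and lists which security module adapters still need the boot image update. The column layout is inferred from that one quoted line; the sample capture, the F9999 code, the indented-continuation rule and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Column layout inferred from the fault line quoted in these release notes:
# severity, fault code, timestamp, numeric ID, free-text description.
FAULT_RE = re.compile(
    r"^(?P<severity>[A-Za-z]+)\s+"
    r"(?P<code>F\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<fault_id>\d+)\s+"
    r"(?P<description>.+?)\s*$"
)
ADAPTER_RE = re.compile(r"Adapter (?P<adapter>\d+) on Security Module (?P<module>\d+)")
ADAPTER_FW_CODE = "F1715"  # fault code shown in the release notes' sample message


@dataclass(frozen=True)
class Fault:
    severity: str
    code: str
    time: datetime
    fault_id: int
    description: str


def _parse_time(stamp):
    # The quoted fault carries milliseconds; tolerate captures without them.
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in stamp else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(stamp, fmt)


def parse_faults(text):
    """Parse fault lines from a captured CLI session.

    Assumption: a long description wrapped by the terminal continues on
    indented lines, which are joined back onto the preceding fault.
    Header, separator and blank lines match nothing and are skipped.
    """
    rows = []  # each row: [regex groups, list of description fragments]
    for raw in text.splitlines():
        m = FAULT_RE.match(raw)
        if m:
            rows.append([m.groupdict(), [m.group("description")]])
        elif rows and raw[:1].isspace() and raw.strip():
            rows[-1][1].append(raw.strip())
    return [
        Fault(g["severity"], g["code"], _parse_time(g["time"]),
              int(g["fault_id"]), " ".join(parts))
        for g, parts in rows
    ]


def adapters_needing_bootloader(faults):
    """Return sorted, de-duplicated (security module, adapter) pairs flagged by F1715."""
    hits = set()
    for fault in faults:
        if fault.code != ADAPTER_FW_CODE:
            continue
        m = ADAPTER_RE.search(fault.description)
        if m:
            hits.add((int(m["module"]), int(m["adapter"])))
    return sorted(hits)


# Constructed sample capture. Only the first fault's wording comes from the
# release notes; the header, the second and third faults are made up.
SAMPLE = """\
Severity  Code     Last Transition Time     ID       Description
--------- -------- ------------------------ -------- -----------
Critical  F1715    2017-05-11T11:43:33.121    339561 Adapter 1 on Security Module 1 requires a critical firmware upgrade. Please see Adapter Bootloader Upgrade
    instructions in the FXOS Release Notes posted with this release.
Critical  F1715    2017-05-11T11:43:35.004    339570 Adapter 1 on Security Module 3 requires a critical firmware upgrade.
Major     F9999    2017-05-11T11:50:02        339601 Constructed placeholder fault unrelated to adapters.
"""

if __name__ == "__main__":
    for module, adapter in adapters_needing_bootloader(parse_faults(SAMPLE)):
        print(f"Security Module {module}, Adapter {adapter}: boot image update required")
```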
You can access the Firepower Chassis Manager using the following browsers:
■Mozilla Firefox – Version 42 and later
■Google Chrome – Version 47 and later
Testing on FXOS 2.0(1) was performed using Mozilla Firefox version 42 and Google Chrome version 47. We anticipate that future versions of these browsers will also work. However, if you experience any browser-related issues, we suggest you revert to one of the tested versions.
Use the following tables for guidance on the upgrade path required to move from older releases to this release. For instructions on upgrading to a specific release, see the release notes document for that release:
http://www.cisco.com/c/en/us/support/security/firepower-9000-series/products-release-notes-list.html
Refer to the FXOS Compatibility guide for release version compatibility information. Use older compatible versions of the application only in the context of upgrades. Note that for upgrade-compatible versions, you may be prompted that the application version is not compatible with the new FXOS version; in this case, indicate Yes to continue with the upgrade. You are expected to upgrade the application version as soon as possible.
■FXOS 2.0(1.129) does not support ASA 9.6(1) or FTD 6.0.1.x and is no longer available for download. If you are running either of these applications on your Firepower security appliance and have already upgraded to FXOS 2.0(1.129), you must downgrade to FXOS 2.0(1.86) and then upgrade to FXOS 2.0(1.135).
■The upgrade process typically takes between 20 and 30 minutes.
If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic will not traverse through the device while it is upgrading.
If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic will not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster will continue to pass traffic.
■When upgrading the FXOS platform bundle software and application CSP images at the same time, do not upload the application CSP images to your security appliance until after you upgrade the FXOS platform bundle software.
Refer to the upgrade instructions that apply for your device configuration:
Firepower security appliance that currently has no logical devices configured | Upgrade a Firepower Security Appliance with No Logical Devices Configured
Firepower security appliance that is running standalone Firepower Threat Defense logical devices or a Firepower Threat Defense intra-chassis cluster | Upgrade a Firepower Security Appliance Running Standalone Firepower Threat Defense Logical Devices or a Firepower Threat Defense Intra-Chassis Cluster
Firepower security appliances with Firepower Threat Defense logical devices in a failover configuration | Upgrade Firepower Security Appliances with Firepower Threat Defense Logical Devices in a Failover Configuration
Firepower security appliance that is running standalone ASA logical devices or an ASA intra-chassis cluster | Upgrading a Firepower Security Appliance Running Standalone ASA Logical Devices or an ASA Intra-Chassis Cluster
Firepower security appliances with ASA logical devices in a failover configuration | For instructions on how to upgrade from FXOS 2.0(1.135) or later to a newer version, see Upgrading an ASA Failover Pair Using the Enhanced Zero Downtime Process. For instructions on how to upgrade from FXOS 2.0(1.86) or earlier to FXOS 2.0(1.135) or later, see Upgrading an ASA Failover Pair.
Two or more Firepower security appliances that are configured as an ASA inter-chassis cluster | For instructions on how to upgrade from FXOS 2.0(1.135) or later to a newer version, see Upgrading an ASA Inter-chassis Cluster Using the Enhanced Zero Downtime Process. For instructions on how to upgrade from FXOS 2.0(1.86) or earlier to FXOS 2.0(1.135) or later, see Upgrading an ASA Inter-chassis Cluster.
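Added example, not part of the Cisco release notes: a Python pre-upgrade check that turns the build restrictions and the procedure table above into a decision an automation job can enforce before any bundle is uploaded. The function names, the "asa"/"ftd" labels and the topology labels are hypothetical; where the notes do not state a procedure for a combination, the check returns None rather than guessing.

```python
import re
from typing import List, NamedTuple, Optional

# The notes write builds both as "2.0(1.135)" and as "2.0.1.135".
_FXOS_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)\.(\d+)\)?")
B86, B129, B135 = (2, 0, 1, 86), (2, 0, 1, 129), (2, 0, 1, 135)

# Procedures that do not depend on the running build (titles as in the notes).
FIXED = {
    ("ftd", "standalone"): "Upgrade a Firepower Security Appliance Running Standalone "
                           "Firepower Threat Defense Logical Devices or a Firepower "
                           "Threat Defense Intra-Chassis Cluster",
    ("ftd", "failover"): "Upgrade Firepower Security Appliances with Firepower Threat "
                         "Defense Logical Devices in a Failover Configuration",
    ("asa", "standalone"): "Upgrading a Firepower Security Appliance Running Standalone "
                           "ASA Logical Devices or an ASA Intra-Chassis Cluster",
}


class Plan(NamedTuple):
    procedure: Optional[str]  # section of the notes to follow, None if not stated
    blockers: List[str]       # conditions that must be cleared first


def parse_fxos(version):
    """Parse either spelling of an FXOS build into a comparable 4-tuple."""
    m = _FXOS_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised FXOS version: {version!r}")
    return tuple(int(g) for g in m.groups())


def app_unsupported_on_129(app, app_version):
    """True for ASA 9.6(1) and FTD 6.0.1.x, which FXOS 2.0.1.129 does not support."""
    nums = tuple(int(n) for n in re.findall(r"\d+", app_version or ""))
    return (app == "asa" and nums[:3] == (9, 6, 1)) or \
           (app == "ftd" and nums[:3] == (6, 0, 1))


def plan_upgrade(current, target, app=None, app_version=None, topology="standalone"):
    """topology: 'standalone' (also intra-chassis cluster), 'failover',
    or 'inter-chassis-cluster'. app: 'asa', 'ftd', or None for no logical devices."""
    cur, tgt = parse_fxos(current), parse_fxos(target)
    blockers = []
    if tgt <= cur:
        blockers.append("target build is not newer than the running build")
    if tgt == B129:
        blockers.append("FXOS 2.0.1.129 is no longer available; "
                        "it was superseded by FXOS 2.0.1.135")
    if cur == B129 and app_unsupported_on_129(app, app_version):
        blockers.append("downgrade to FXOS 2.0(1.86), then upgrade to FXOS 2.0(1.135)")

    if app is None:
        procedure = "Upgrade a Firepower Security Appliance with No Logical Devices Configured"
    elif app == "asa" and topology in ("failover", "inter-chassis-cluster"):
        noun = "Failover Pair" if topology == "failover" else "Inter-chassis Cluster"
        if cur >= B135:
            procedure = f"Upgrading an ASA {noun} Using the Enhanced Zero Downtime Process"
        elif cur <= B86 and tgt >= B135:
            procedure = f"Upgrading an ASA {noun}"
        else:
            procedure = None  # e.g. running 2.0.1.129: the notes name no procedure
    else:
        procedure = FIXED.get((app, topology))  # None if the table has no such row
    return Plan(procedure, blockers)


if __name__ == "__main__":
    print(plan_upgrade("2.0(1.135)", "2.0.1.206", "asa", "9.6(2)", "failover"))
    print(plan_upgrade("2.0.1.129", "2.0.1.135", "ftd", "6.0.1.2", "standalone"))
```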
If your Firepower security appliance is not yet configured with any logical devices, perform the following steps to update your system to 2.0(1):
1. Download the FXOS 2.0(1) image to your local computer (see Software Download).
2. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
Note: After upgrading FXOS, you can then upgrade the Firepower Threat Defense logical devices using the Firepower Management Center. For more information, see the Firepower System Release Notes.
1. Download the FXOS 2.0(1) image to your local computer (see Software Download).
2. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
Note: After upgrading FXOS, you can then upgrade the Firepower Threat Defense logical devices using the Firepower Management Center. For more information, see the Firepower System Release Notes.
1. Download the FXOS 2.0(1) image to your local computer (see Software Download).
2. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:
a. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
3. Wait for the chassis to reboot and upgrade successfully:
a. Enter show firmware monitor under scope system to monitor the upgrade process.
b. After the upgrade process finishes, enter show slot under scope ssa to verify that the slots have come “Online.”
c. Enter show app-instance under scope ssa to verify that the applications have come “Online.”
4. Make the Firepower Threat Defense device that you just upgraded the active unit so that traffic flows to the upgraded unit. For instructions, see the “Switch the Active Peer in a Firepower Threat Defense High Availability Pair” topic in the Firepower Management Center Configuration Guide.
5. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:
a. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
6. Wait for the chassis to reboot and upgrade successfully:
a. Enter show firmware monitor under scope system to monitor the upgrade process.
b. After the upgrade process finishes, enter show slot under scope ssa to verify that the slots have come “Online.”
c. Enter show app-instance under scope ssa to verify that the applications have come “Online.”
7. You can now make the unit that you just upgraded the active unit as it was before the upgrade.
If you are upgrading a Firepower security appliance that is running standalone ASA logical devices or an ASA intra-chassis cluster, use the following procedure to update the FXOS version on your Firepower 9300 or Firepower 4100 series security appliance and to update the ASA version on your logical devices:
1. Download the FXOS 2.0(1) image to your local machine (see Software Download).
2. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
4. Upload the ASA CSP image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower Appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide.
5. Upgrade any ASA logical devices (standalone or intra-chassis cluster) using the ASA CSP image. For instructions, see the “Updating the Image Version for a Logical Device” topic in the Cisco Firepower Chassis Manager Configuration Guide.
Note: This process is only supported when upgrading from FXOS 2.0(1.135) or later to a newer version. If you are upgrading from FXOS 2.0(1.86) or earlier, see Upgrading an ASA Failover Pair.
1. Download the FXOS 2.0(1) image to your local machine (see Software Download).
2. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the standby ASA logical device:
a. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
3. Wait for the chassis to reboot and upgrade successfully:
a. Use the show firmware monitor command under scope system to monitor the upgrade process.
b. After the upgrade process finishes, use the show slot command under scope ssa to verify that the slots have come “Online.”
c. Use the show app-instance command under scope ssa to verify that the applications have come “Online.”
4. Upgrade the ASA and vDP logical device images:
a. Upload the ASA 9.6.2.x CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
e. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, upgrade them using Steps b-d.
5. After the upgrade process finishes, verify that the applications are online:
6. Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:
a. Connect to the ASA console on the Firepower security appliance that contains the standby ASA logical device.
d. Verify that the unit is active:
7. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the new standby ASA logical device:
a. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
8. Wait for the chassis to reboot and upgrade successfully:
a. Use the show firmware monitor command under scope system to monitor the upgrade process.
b. After the upgrade process finishes, use the show slot command under scope ssa to verify that the slots have come “Online.”
c. Use the show app-instance command under scope ssa to verify that the applications have come “Online.”
9. Upgrade the ASA and vDP logical device images:
a. Upload the ASA 9.6.2.x CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
e. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, upgrade them using Steps b-d.
10. After the upgrade process finishes, verify that the applications are online:
11. Make the unit that you just upgraded the active unit as it was before the upgrade:
a. Connect to the ASA console on the Firepower security appliance that contains the new standby ASA logical device.
Note: This process is only supported when upgrading from FXOS 2.0(1.86) or earlier to FXOS 2.0(1.135) or later. If you are upgrading from FXOS 2.0(1.135) or later, see Upgrading an ASA Failover Pair Using the Enhanced Zero Downtime Process.
1. Download the FXOS 2.0(1) image to your local machine (see Software Download).
2. Disable applications on the standby ASA logical device:
a. Connect to the FXOS CLI on the Firepower security appliance that contains the standby ASA logical device. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Turn off the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
disable
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, disable it. If not, proceed to Step d.
scope app-instance vdp
disable
exit
e. Verify that the applications are offline:
Note: It may take 2-5 minutes before all applications are “Offline,” as vDP begins stopping only after the security module reboots following the ASA stop. If any of the stop jobs fail, please repeat Steps b-d.
f. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, disable them and verify using Steps b-e.
3. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the standby ASA logical device:
a. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
4. Wait for the chassis to reboot and upgrade successfully:
a. Use the show firmware monitor command under scope system to monitor the upgrade process.
b. After the upgrade process finishes, use the show slot command under scope ssa to verify that the slots have come “Online.”
5. Upgrade the ASA and vDP logical device images:
a. Upload the ASA 9.6.2.x CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
e. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, upgrade them using Steps b-d.
6. After the upgrade process finishes, re-enable applications on the standby ASA logical device:
a. Use the show slot command under scope ssa to verify that every slot is “Online.”
b. Use the show app-instance command under scope ssa to verify that the application has successfully completed upgrade and is now “Offline.”
c. Turn on the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
enable
exit
d. If Radware DefensePro is configured as a decorator for this ASA application, enable it. If not, proceed to Step e.
scope app-instance vdp
enable
exit
f. Verify that the applications are online:
g. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, enable them and verify using Steps a-f.
7. Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:
a. Connect to the ASA console on the Firepower security appliance that contains the standby ASA logical device.
b. Enable failover and make active:
d. Verify that the unit is active:
8. Disable applications on the new standby ASA logical device:
a. Connect to the FXOS CLI on the Firepower security appliance that contains the new standby ASA logical device. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Turn off the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
disable
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, disable it. If not, proceed to Step d.
scope app-instance vdp
disable
exit
e. Verify that the applications are offline:
Note: It may take 2-5 minutes before all applications are “Offline,” as vDP begins stopping only after the security module reboots following the ASA stop. If any of the stop jobs fail, please repeat Steps b-d.
f. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, disable them and verify using Steps b-e.
9. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the new standby ASA logical device:
a. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
10. Wait for the chassis to reboot and upgrade successfully:
a. Use the show firmware monitor command under scope system to monitor the upgrade process.
b. After the upgrade process finishes, use the show slot command under scope ssa to verify that the slots have come “Online.”
11. Upgrade the ASA and vDP logical device images:
a. Upload the ASA 9.6.2.x CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
e. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, upgrade them using Steps b-d.
12. After the upgrade process finishes, re-enable applications on the new standby ASA logical device:
a. Use the show slot command under scope ssa to verify that every slot is “Online.”
b. Use the show app-instance command under scope ssa to verify that the application has successfully completed upgrade and is now “Offline.”
c. Turn on the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
enable
exit
d. If Radware DefensePro is configured as a decorator for this ASA application, enable it. If not, proceed to Step e.
scope app-instance vdp
enable
exit
f. Verify that the applications are online:
g. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, enable them and verify using Steps a-f.
13. Make the unit that you just upgraded the active unit as it was before the upgrade:
a. Connect to the ASA console on the Firepower security appliance that contains the new standby ASA logical device.
b. Enable failover and make active:
Note: This process is only supported when upgrading from FXOS 2.0(1.135) or later to a newer version. If you are upgrading from FXOS 2.0(1.86) or earlier, see Upgrading an ASA Inter-chassis Cluster.
1. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the Primary unit). For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
2. Verify that all installed security modules are online:
3. Verify that all installed security modules have the correct FXOS version and ASA version installed:
scope server 1/x
show version
scope ssa
show logical-device
4. Verify that the cluster operational state is “In-Cluster” for all security modules installed in the chassis:
5. Verify that all installed security modules are shown as part of the cluster:
connect module x console
show cluster info
6. Verify that the Primary unit is not on this chassis:
There should not be any ASA instance with Cluster Role set to “Master”.
1. Download the FXOS 2.0(1) image to your local machine (see Software Download).
2. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the Primary unit). For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Upgrade the Firepower eXtensible Operating System bundle on Chassis #2:
a. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
4. Wait for the chassis to reboot and upgrade successfully (approximately 15-20 minutes):
a. Use the show firmware monitor command under scope system to monitor the upgrade process. Every component should show “Upgrade-Status: Ready.”
b. After the upgrade process finishes, verify that all installed security modules are online:
c. Verify that all ASA applications are currently online:
5. Upgrade the ASA and vDP logical device images:
a. Upload the ASA 9.6.2.x CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
d. Repeat Steps b-c for all slots of the logical device installed on this security appliance.
6. After the upgrade process finishes, verify that the applications are online:
Verify that the operational state is “Online” for all ASA and vDP applications in the chassis.
Verify that the cluster operational state is “In-Cluster” for all ASA and vDP applications in the chassis.
Verify that the cluster role is “Slave” for all ASA applications in the chassis.
7. Set one of the security modules on Chassis #2 as Primary:
connect module x console
configure terminal
cluster master
After setting one of the security modules on Chassis #2 to Primary, Chassis #1 no longer contains the Primary unit and can now be upgraded.
8. Repeat the Pre-Upgrade Checklist and Steps 1-6 for Chassis #1.
9. If there are any additional chassis included in the cluster, repeat the Pre-Upgrade Checklist and Steps 1-6 for those chassis.
10. To return the Primary role to Chassis #1, set one of the security modules on Chassis #1 as Primary:
Note: This process is only supported when upgrading from FXOS 2.0(1.86) or earlier to FXOS 2.0(1.135) or later. If you are upgrading from FXOS 2.0(1.135) or later, see Upgrading an ASA Inter-chassis Cluster Using the Enhanced Zero Downtime Process.
1. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the Primary unit). For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
2. Verify that all installed security modules are online:
3. Verify that all installed security modules have the correct FXOS version and ASA version installed:
scope server 1/x
show version
scope ssa
show logical-device
4. Verify that the cluster operational state is “In-Cluster” for all security modules installed in the chassis:
5. Verify that all installed security modules are shown as part of the cluster:
connect module x console
show cluster info
6. Verify that the Primary unit is not on this chassis:
There should not be any ASA instance with Cluster Role set to “Master”.
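The Pre-Upgrade Checklist above, which is the same in both inter-chassis cluster procedures, can be run as a go/no-go gate over saved CLI output before a chassis is touched. The following is an added example, not Cisco code; the column names and the fixed-width layout of the constructed sample are assumptions, so match them to what your chassis actually prints.

```python
import re

# Constructed sample, not captured from a device. The column names and the
# fixed-width layout are assumptions built around the states this page names.
SAMPLE = """\
Application Name  Slot ID  Operational State  Cluster Oper State  Cluster Role
----------------  -------  -----------------  ------------------  ------------
asa               1        Online             In-Cluster          Slave
asa               2        Online             In-Cluster          Master
asa               3        Starting           Not Applicable      None
vdp               1        Online             In-Cluster          None
"""

REQUIRED = ("Application Name", "Slot ID", "Operational State",
            "Cluster Oper State", "Cluster Role")


def parse_table(text):
    """Parse a fixed-width table; the dashed rule under the header sets the columns."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    rule = next((i for i, ln in enumerate(lines)
                 if i > 0 and re.fullmatch(r"[- ]+", ln)), None)
    if rule is None:
        raise ValueError("no dashed rule under a header line")
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    bounds = list(zip(starts, starts[1:] + [None]))

    def cut(line):
        # Slice by column start so values containing spaces stay in one cell.
        return [line[a:b].strip() for a, b in bounds]

    header = cut(lines[rule - 1])
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    return [dict(zip(header, cut(ln))) for ln in lines[rule + 1:]]


def pre_upgrade_findings(rows):
    """Return the reasons not to upgrade this chassis yet; an empty list means go."""
    if not rows:
        # Fail closed: an empty table proves nothing about module state.
        return ["no application instances listed; treat as not verified"]
    findings = []
    for r in rows:
        who = f"{r['Application Name']} slot {r['Slot ID']}"
        if r["Operational State"] != "Online":
            findings.append(
                f"{who}: operational state {r['Operational State']!r}, expected 'Online'")
        if r["Cluster Oper State"] != "In-Cluster":
            findings.append(
                f"{who}: cluster state {r['Cluster Oper State']!r}, expected 'In-Cluster'")
        if r["Application Name"] == "asa" and r["Cluster Role"] == "Master":
            findings.append(f"{who}: holds the Primary (Master) role on this chassis")
    return findings


if __name__ == "__main__":
    for finding in pre_upgrade_findings(parse_table(SAMPLE)):
        print("BLOCK:", finding)
```

An empty result means the chassis meets the checklist; any finding should stop the change until it is resolved or the Primary role has been moved to another chassis.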
1. Download the FXOS 2.0(1) image to your local machine (see Software Download).
2. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the Primary unit). For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Turn off all applications on Chassis #2:
a. Turn off the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
disable
exit
b. If Radware DefensePro is configured as a decorator for this ASA application, disable it. If not, proceed to Step c.
scope app-instance vdp
disable
exit
c. Repeat Steps a-b for all slots of the logical device installed on this security appliance.
e. Verify that the applications are offline:
top (set the scope to the top level in the mode hierarchy)
scope ssa
show app-instance
Note: It may take 2-5 minutes before all applications are “Offline.” If any of the stop jobs fail, please repeat Steps a-d.
4. Upgrade the Firepower eXtensible Operating System bundle on Chassis #2:
a. Upload the FXOS 2.0(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.0(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
5. Wait for the chassis to reboot and upgrade successfully (approximately 15-20 minutes).
Use the show firmware monitor command under scope system to monitor the upgrade process. Every component should show “Upgrade-Status: Ready.”
6. Upgrade the ASA and vDP logical device images:
a. Upload the ASA 9.6.2.x CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Verify that all installed security modules are online:
c. Verify that all ASA applications are currently offline:
d. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
e. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
f. Repeat Steps d-e for all slots of the logical device installed on this security appliance.
7. After the upgrade process finishes, re-enable applications on Chassis #2:
a. Use the show slot command under scope ssa to verify that every slot is “Online.”
b. Use the show app-instance command under scope ssa to verify that all the applications have successfully completed upgrade and are now “Offline.”
c. Turn on the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
enable
exit
d. If Radware DefensePro is configured as a decorator for this ASA application, enable it. If not, proceed to Step e.
scope app-instance vdp
enable
exit
e. Repeat Steps c-d for all slots of the logical device installed on this security appliance.
ASA nodes will automatically rejoin the existing cluster after successful upgrade and re-enabling.
g. Verify that the applications are online:
Verify that the operational state is “Online” for all ASA and vDP applications in the chassis.
Verify that the cluster operational state is “In-Cluster” for all ASA and vDP applications in the chassis.
Verify that the cluster role is “Slave” for all ASA applications in the chassis.
8. Set one of the security modules on Chassis #2 as Primary:
connect module x console
configure terminal
cluster master
After setting one of the security modules on Chassis #2 to Primary, Chassis #1 no longer contains the Primary unit and can now be upgraded.
9. Repeat the Pre-Upgrade Checklist and Steps 1-7 for Chassis #1.
10. If there are any additional chassis included in the cluster, repeat the Pre-Upgrade Checklist and Steps 1-7 for those chassis.
11. To return the Primary role to Chassis #1, set one of the security modules on Chassis #1 as Primary:
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open bugs severity 3 and higher for Firepower eXtensible Operating System 2.0(1) are listed in the following table:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.206:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.204:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.203:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.201:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.188:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.159:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.153:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.149:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.148:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.144:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.141:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.135:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.129:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.86:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.0.1.68:
The following table lists the previously release-noted and customer-found defects that were resolved in Firepower eXtensible Operating System 2.0.1.37:
For additional information on the Firepower 9300 security appliance and the Firepower eXtensible Operating System, see Navigating the Cisco Firepower 9300 Documentation.
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.