cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
201
Views
1
Helpful
8
Replies

3100 reimage package

ahmedFawzy
Level 1
Level 1

Hello

Which package should i download from cisco to reimage firepower 3140.

firepower 3140 download packages.PNG

 

1 Accepted Solution

Accepted Solutions

Enes Simnica
Level 3
Level 3

hello @ahmedFawzy To reimage a Cisco Firepower 3140, u should download the FTD (Firepower Threat Defense) install and upgrade package, not a patch or hotfix. Based on your screenshot, the correct file is:

Cisco_FTD_SSP_FP3K_Upgrade-7.4.2-172.sh.REL.tar
  • Release Date: 31-Jul-2024 & 
  • Size: 1473.50 MB

Also G, this package is a full system image, intended for fresh installs or reimaging. The message “Do not untar” means u should use the file as-is with FXOS or Firepower Chassis Manager, but don’t extract it manually.

Avoid using the patch or hotfix files (Patch or Hotfix_BR), those are only for existing FTD installations and won't work for a reimage. and hope it helps G...

EnesSimnica_0-1752993793670.png

-Enes

more Cisco?!
more Gym?!

View solution in original post

8 Replies 8

Enes Simnica
Level 3
Level 3

hello @ahmedFawzy To reimage a Cisco Firepower 3140, u should download the FTD (Firepower Threat Defense) install and upgrade package, not a patch or hotfix. Based on your screenshot, the correct file is:

Cisco_FTD_SSP_FP3K_Upgrade-7.4.2-172.sh.REL.tar
  • Release Date: 31-Jul-2024 & 
  • Size: 1473.50 MB

Also G, this package is a full system image, intended for fresh installs or reimaging. The message “Do not untar” means u should use the file as-is with FXOS or Firepower Chassis Manager, but don’t extract it manually.

Avoid using the patch or hotfix files (Patch or Hotfix_BR), those are only for existing FTD installations and won't work for a reimage. and hope it helps G...

EnesSimnica_0-1752993793670.png

-Enes

more Cisco?!
more Gym?!

ahmedFawzy
Level 1
Level 1

i noticed in the reimage documnet that i should use .spa file to boot the device first then use the same file for the reimage itself.

you said that i should use the tar file for the reimage but how about the boot process.

 

the upgrade package contains these files :

cisco-ftd-fp3k.7.4.2.172.SPA.csp

fxos-k9-fp3k.7.4.2.172.SPAimage.png

Sorry, I missed that part earlier, and u're absolutely right to point it out. (I blame the lack of sleep and the complex scenarios I've been dealing with lately LOOOL)

For reimaging a Firepower 3140 from scratch, u're actually going to use both the .SPA and the .sh.REL.tar files, but at different stages of the process.

The .SPA file (cisco-ftd-fp3k.7.4.2.172.SPA) is the boot image, and it’s required to bring the appliance into recovery mode, especially if u're starting from ROMMON or doing a USB or TFTP-based recovery. This step prepares the device to accept a new software image.

Now about the .sh.REL.tarfile, what I mentioned earlier: Cisco_FTD_SSP_FP3K_Upgrade-7.4.2-172.sh.REL.tar

That file is the correct image to install FTD. So no, what I said before wasn’t wrong, but it was incomplete. The .tar file can’t be used until the device is already in a recoverable or install-ready state, which is exactly what the .SPA file is for.

So in short, the .SPA boots the system into recovery, and the .sh.REL.tar does the actual reimage.

and man I really appreciate you catching that, and let me know if you’re using USB, TFTP, or chassis manager for the install and I can help with those steps too.

– Enes

more Cisco?!
more Gym?!

ahmedFawzy
Level 1
Level 1

Hello Enes,

I'm appreciating your help so much.

so do you mean with SPA file this file i mentioned before -> cisco-ftd-fp3k.7.4.2.172.SPA.csp , because here https://www.cisco.com/c/en/us/support/docs/security/firepower-1000-series/220642-reimage-a-secure-firewall-threat-defense.html the extension was only .SPA without CSP.

i will appreciate if you list the reimage steps with USP here. it's a new device 3100 running 7.2.8 with no configuration yet, i need to go to 7.4.2  

@ahmedFawzy G. U're absolutely right to question that, and great eye for detail. and YES, the file u have:  cisco-ftd-fp3k.7.4.2.172.SPA.csp is the correct one.

The difference in extension (.SPA.csp vs .SPA) just reflects how Cisco now signs and packages newer images for added integrity checks. The .csp version is the modern secure format, and it's fully compatible with the USB reimage process, so no worries there, u’re on the right track.

Now, since u’re doing this on a fresh Firepower 3100 running 7.2.8 with no config, and you're upgrading to 7.4.2 using USB, here’s your step-by-step guide:

USB Reimage – Firepower 3100 (FTD 7.4.2)

  1. Format your USB drive to FAT32.
  2. Copy both files to the root of the USB:
  • cisco-ftd-fp3k.7.4.2.172.SPA.csp
  • Cisco_FTD_SSP_FP3K_Upgrade-7.4.2-172.sh.REL.tar

3. Plug the USB into the Firepower 3100.

4. Connect to the console port and reboot the appliance. Interrupt the boot to enter ROMMON (press ctrl+c when prompted..)

5. In ROMMON, boot from USB using:

boot usb0:/cisco-ftd-fp3k.7.4.2.172.SPA.csp

6. This boots into the Installer CLI (INSTALLER> prompt). From here, install the full FTD image:

install usb0:/Cisco_FTD_SSP_FP3K_Upgrade-7.4.2-172.sh.REL.tar

7. and for sure the process will format the system and install FTD 7.4.2 cleanly. Once complete, the device will reboot into the new image.....

check these links also: 

hope it helps G.........

 

-Enes

 

more Cisco?!
more Gym?!
In this Cisco Tech Talk, we walk through the process of completely reimaging Cisco Firepower Threat Defense (FTD) devices in the 1000, 2100, and 3100 Series. Learn when and why to reimage, how to prepare, and how to recover configurations for a smooth re-deployment. Related links: Cisco Secure ...
Perform a Complete Reimage of Firepower 1000/2100 and Secure Firewall 3100 with Firepower Threat Defense
To reimage the threat defense to ASA software, you must access the ROMMON prompt. In ROMMON, you must erase the disks, and then use TFTP on the Management interface to download the ASA image; only TFTP is supported. After you reload the ASA, you can configure basic settings and then load the ...

Enes Simnica
Level 3
Level 3

@ahmedFawzy. sorry bro, I’ve hit the limit for private messages today, so I can’t send any more right now. Would u like me to answer ur question here, or should I get back to u privately tomorrow?

more Cisco?!
more Gym?!

ahmedFawzy
Level 1
Level 1

balaji.bandi
Hall of Fame
Hall of Fame