Cisco_FMC 4500 - Updates for BIOS and Firmware///Uptime Onsite 24x7x4

Amen
Level 1
We are preparing for the Software upgrade path for the FMC4500 and FP8360: Version 6.4.0.14 ->7.0.1.
During the same maintenance window, we would like to install BIOS and Firmware Hotfix for FMC Hardware.

Please advise if we meet the requirements for BIOS Update Hotfix EL (Cisco_Firepower_Mgmt_Center_Upgrade-7.0.0-94.sh.REL.tar).

We are running:
RAID controller firmware (FMC 4500) -  FW Package Build: 24.12.1-0110
BIOS Information
Vendor: Cisco Systems, Inc. FMC5
Version: C220M4.2.0.13d.0.0812161113
Release Date: 08/12/2016
Address: 0xF0000
Runtime Size: 64 kB
ROM Size: 9216 kB

3 Replies

Marvin Rhoads
Hall of Fame

While you meet the requirements for installing the BIOS update you mentioned, there's no requirement to do so. 7.x will run just fine on the hardware as-is. The updates just address some CIMC and low level hardware issues which, if you aren't experiencing any issues, have nothing to do with proper operation of the FMC appliance. Most customers don't even cable up the CIMC for their FMC hardware although it is a useful utility to have, especially for remote data centers.

References:

https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes/available-hotfixes.html

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/b_release-notes-for-cisco-ucs-rack-server-software-release-4_1_2.html

 

Do I understand well that Hotfixes provided for FMC Hardware BIOS and Firmware are cumulative? Can you please confirm that by applying Hotfix we will address only CIMC and low-level hardware issues? What about previous Hotfixes - are they addressing security vulnerabilities?

The reason I want to double-check on the abovementioned is that we received a Security Assessment recommendation, pointing to possible security issues.

 

 

I understand that we can apply Cisco_Firepower_Mgmt_Center_BIOSUPDATE_700_EL-7 with the UCS server BIOS and RAID controller firmware we currently have. Please advise if we should first do a software upgrade of FMC4500 and FP8360: Version 6.4.0.14 ->7.0.1 or the sequence does not matter?

Please refer to the details in the links I provided already.

The FMC Hardware and BIOS firmware updates provided via hotfix address the specific issues mentioned in the release notes. If you do not use the CIMC interface then the security issues would not affect you. If you do, you can mitigate them via the hotfix or via other methods such as access-lists on either the CIMC itself or in the management network.

Although hotfixes to application software are generally not cumulative, CIMC firmware upgrades are cumulative.

Also please check the compatibility guide to verify compatibility between your FMC 4500 with 7.0.x software vs. what version you are running on your Firepower 8360 appliance. For example, FMC 7.0 can manage devices running software no older than 6.4.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/compatibility.html#reference_A0CAB7C28A2B440F8F901D316D6684F4

 
