Magnus Mortensen
Cisco Employee
On March 5th, 2022, a certificate on the update servers for Security Intelligence features of the Firepower products will change. To continue to receive updates for either Security Intelligence or Local Malware Analysis, a patch must be installed on your FMC or FDM deployments. We highly recommend that you perform this update prior to the March 5th cutover. This issue is being tracked by Field Notice 72332 (https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72332.html)
 
If you do not update, Security Intelligence feeds (DNS, IP, and URL reputation) and the ClamAV signature updates used for Local Malware Analysis will no longer receive the latest Talos security intelligence, which lowers the security efficacy of the appliance. These features will still function using the intelligence that was delivered before March 5, 2022, but the security posture will degrade over time because newly identified threats are never reflected in that stale data.
 
Below are some common questions in relation to this Field Notice. Please consult the main field notice page (https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72332.html)  for information in addition to what is mentioned below:
 

Q: Do I need to upgrade all of my Firepower Threat Defense (FTD) devices?

A: You only need to update the management device. Typically Firepower Threat Defense devices are centrally managed by Firepower Management Center (FMC) and in that situation only the FMC needs to be updated and not the individual FTD devices. However, if your FTD device is self-managed, in other words you access it directly and use Firepower Device Manager (FDM) to configure and monitor the security policy, you will need to upgrade that FTD itself.
 

Q: How do I know if my device is managed by FMC or managed locally with FDM?

A: To determine whether the device is locally managed or managed by FMC, log into the Firepower CLI and issue the command "show managers". If the output indicates "Managed locally", your device is managed by Firepower Device Manager (FDM) and it must be updated per the Field Notice guidelines. If the output indicates "Type: Manager" and lists a host IP, the device is managed by Firepower Management Center (FMC), and that specific FMC may need to be updated per the Field Notice guidelines.
 

Q: I am unable to upgrade my devices at this time, is there any workaround available?

A: Unfortunately, there is no workaround available. Without the update, the devices will not trust the new certificate presented by the update servers.
 

Q: What will happen if I am unable to upgrade before March 5th, 2022?

A: Traffic through your device will continue to be processed by the firewall and your existing security policy. However, as Talos continues to identify new IP addresses (IPv4 and IPv6), URLs and domains that may be malicious, your security device will not be able to leverage those new updates. Therefore, over time, the security posture of your device will gradually degrade if a fix is not applied.
 

Q: I am currently running a code train that has reached an End of Software Maintenance milestone (6.1.x, 6.3.x or 6.5.x). What should I do?

A: Since those versions have reached the end of their software maintenance, we suggest upgrading to a more recent, actively maintained version of code. Once on a supported version, such as 7.1.0, consult the field notice for information on which specific upgrade patch is necessary to address this field notice.
 

Q: It is hard to track what versions I have to upgrade to, and in what steps, to get to a fixed version. Is there any documentation or tool that can help guide me?

A: Yes, we have created a web app that can help demystify the upgrade paths for this Field Notice. Please check out the tool here: Secure Firewall Upgrade Guidance Tool.
 

Q: I have a HA Pair of Firepower Management Centers deployed. Do I need to perform the steps on both of the FMCs in the HA Pair?

A: Yes, both FMCs need to be updated to fully address this issue.
 

Q: Will there be a traffic interruption when applying a fix (upgrading to the fixed version)?

A: If the devices are managed by Firepower Management Center (FMC), there should be no interruption to traffic, since the upgrade is not performed on the firewall device itself; only the FMC must be upgraded. However, if your device is locally managed using Firepower Device Manager (FDM), you will need to reboot the device as part of the upgrade procedure.
 

Q: Why is the 6.6.5 Hotfix labeled with 6.6.5.2? I am running 6.6.5 or 6.6.5.1 will it work?

A: The hotfix file names show "6.6.5.2" as the version. Please note that this is expected as part of our hotfix versioning process and can be installed on both version 6.6.5 and 6.6.5.1.
 

Q: I installed the 6.6.5 hotfix, but my version did not change, is that expected?

A: Hotfix patches do not change the displayed version, because they are not "full" patches; they are hotfixes designed to fix very specific issues. If the task to install the hotfix was listed as successful, it is safe to assume the hotfix was installed. If you would like to verify that the hotfix has been installed, you can do the following:
  1. SSH to the device and enter expert mode.
  2. Run the command: "cat /etc/sf/patch_history"
You will see the patch history of the device, and the last entry should be the hotfix that you recently installed. The hotfix entry will look like: "Hotfix_DE-#_#########"
More information on how hotfixes work can be found in the Hotfix Release Notes.
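The two checks above (classifying a device from "show managers" output, and confirming the hotfix entry in /etc/sf/patch_history) are easy to script when you have many devices to triage. The following helpers are an added example and are not Cisco's code or part of the field notice. The marker strings ("Managed locally", "Type : Manager", "Host : <ip>") come from this page; the exact column layout of real "show managers" output, the patch_history line format, and the sample data are assumptions, so adjust the patterns to what your platform actually prints.

```shell
#!/bin/sh
# Added example (not Cisco's code): triage helpers for Field Notice 72332.
# Assumptions: "show managers" prints either "Managed locally." or
# "Type : Manager" / "Host : <ip>" lines; /etc/sf/patch_history holds one
# entry per line with the newest entry last.

# classify_manager: read "show managers" output on stdin and print one of
#   local   - FDM-managed FTD; this device itself needs the patch (reboot required)
#   fmc     - FMC-managed FTD; patch the FMC (both members of an HA pair), not this FTD
#   unknown - output matched neither pattern
classify_manager() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'managed locally'; then
        echo local
    elif printf '%s\n' "$out" | grep -qi 'type[[:space:]]*:[[:space:]]*manager'; then
        echo fmc
    else
        echo unknown
    fi
}

# fmc_host: print the managing FMC host from "show managers" output (empty if none),
# so you know which FMC has to be patched for this FTD.
fmc_host() {
    sed -n 's/^[[:space:]]*[Hh]ost[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# hotfix_installed PREFIX: read a patch_history file on stdin and succeed (0)
# when the last non-blank entry starts with PREFIX, e.g. "Hotfix_DE", which is
# what the page says you should see after a successful hotfix install.
hotfix_installed() {
    prefix=$1
    last=$(grep -v '^[[:space:]]*$' | tail -n 1)
    case "$last" in
        "$prefix"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample output (assumed layout, not captured from a real device).
SAMPLE_LOCAL='Managed locally.'
SAMPLE_FMC='Type                      : Manager
Host                      : 192.0.2.10
Registration              : Completed'
# Constructed patch history; the real hotfix name has the form Hotfix_DE-#_#########.
SAMPLE_PATCH_HISTORY='Cisco_FTD_Patch-6.6.5.1
Hotfix_DE-0_000000000'

# Demo run on the constructed samples. On a real device you would instead run
#   show managers | classify_manager          (from the Firepower CLI output)
#   hotfix_installed Hotfix_DE < /etc/sf/patch_history   (in expert mode)
echo "sample 1: $(printf '%s\n' "$SAMPLE_LOCAL" | classify_manager)"
echo "sample 2: $(printf '%s\n' "$SAMPLE_FMC" | classify_manager), FMC host $(printf '%s\n' "$SAMPLE_FMC" | fmc_host)"
if printf '%s\n' "$SAMPLE_PATCH_HISTORY" | hotfix_installed Hotfix_DE; then
    echo "hotfix present as last patch_history entry"
else
    echo "hotfix NOT found as last patch_history entry"
fi
```

A device that classifies as fmc does not need the patch itself; record the FMC host it reports and patch that FMC (and its HA peer). A device that classifies as local is the one that must be patched and rebooted.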
Comments
mamoss
Level 3

Since updating multiple systems across multiple versions, all updates now fail since March 6th. Have there been any issues you are aware of for these hotfixes or bulletin?