Cisco Secure Firewall Threat Defense/Firepower Hotfix Release Notes
Hotfixes are minor updates that address particular, urgent issues.
This document provides quicklinks to download pages for publicly available hotfixes. Some quicklinks may not go to the download page for your specific model. However, as long as the appliance is in the same family or series, you can safely download and apply the hotfix. If you want to be absolutely sure, browse to the page for your specific model.
BIOS and Firmware Hotfixes for Management Center Hardware
We provide updates for BIOS and RAID controller firmware on management center hardware. If your management center does not meet the requirements, apply the appropriate hotfix. If your management center model and version are not listed and you think you need to update, contact Cisco TAC.
|
Platform |
Version |
Hotfix |
BIOS |
RAID Controller Firmware |
CIMC Firmware |
|---|---|---|---|---|---|
|
FMC 1700, 2700, 4700 |
7.4 |
BIOS Update Hotfix EZ |
C225M6.4.3.2c.0 |
52.20.0-4523 |
4.3(2.240009) |
|
FMC 1600, 2600, 4600 |
7.4 7.3 7.2 7.0 |
BIOS Update Hotfix EZ |
C220M5.4.3.2a.0 |
51.10.0-3612 |
4.3(2.240009) |
|
7.1 6.7 6.6 6.4 |
BIOS Update Hotfix EN |
C220M5.4.2.3b.0 |
51.10.0-3612 |
4.2(3b) |
|
|
FMC 1000, 2500, 4500 |
7.0 6.7 6.6 6.4 |
BIOS Update Hotfix EN |
C220M5.4.2.3b.0 |
51.10.0-3612 |
4.2(3b) |
|
6.2.3 |
BIOS Update Hotfix EL |
C220M4.4.1.2c.0 |
24.12.1-0456 |
4.1(2g) |
|
|
FMC 2000, 4000 |
6.6 6.4 6.2.3 |
BIOS Update Hotfix EI |
C220M3.3.0.4e.0 |
23.33.1-0060 |
3.0(4s) |
|
FMC 750, 1500, 3500 |
6.4 6.2.3 |
BIOS Update Hotfix EI |
C220M3.3.0.4e.0 |
23.33.1-0060 |
3.0(4s) |
Hotfixing is the only way to update the BIOS and RAID controller firmware. Upgrading the software does not accomplish this task, nor does reimaging to a later version. If the management center is already up to date, the hotfix has no effect.
 Tip |
These hotfixes also update the CIMC firmware; for resolved issues see Release Notes for Cisco UCS Rack Server Software. Note that in general, we do not support changing configurations on the management center using CIMC. However, to enable logging of invalid CIMC usernames, apply the latest hotfix, then follow the instructions in the Viewing Faults and Logs chapter in the Cisco UCS C-Series Servers Integrated Management Controller CLI Configuration Guide, Version 4.0 or later. |
 Note |
The management center web interface may display these hotfixes with a version that is different from (usually later than) the current software version. This is expected behavior and the hotfixes are safe to apply. |
Determining BIOS and Firmware Versions
To determine the current versions on the management center, run these commands from the Linux shell/expert mode:
-
BIOS: sudo dmidecode -t bios -q
-
RAID controller firmware (FMC 4500): sudo MegaCLI -AdpAllInfo -aALL | grep "FW Package"
-
RAID controller firmware (all other models): sudo storcli /c0 show | grep "FW Package"
Version 7.4.x Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EZ |
7.4.0 7.4.x 7.4.x.x |
Management Center (all hardware models): Cisco_Secure_FW_Mgmt_Center_Hotfix_EZ_BIOSUPDATE-7.4.99.99-6
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
Version 7.3.x Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EZ |
7.3.0 7.3.x 7.3.x.x |
Management Center (all hardware models): Cisco_Secure_FW_Mgmt_Center_Hotfix_EZ_BIOSUPDATE-7.3.99.99-6
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
Version 7.2.x Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EZ |
7.2.0 7.2.x 7.2.x.x |
Management Center (all hardware models): Cisco_Secure_FW_Mgmt_Center_Hotfix_EZ_BIOSUPDATE-7.2.99.99-6.sh.REL.tar
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix BJ |
7.2.5 |
Firepower 1000 series: Cisco_FTD_SSP_FP1K_Hotfix_BJ-7.2.5.1-1 Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_BJ-7.2.5.1-1 Secure Firewall 3100 series: Cisco_FTD_SSP_FP3K_Hotfix_BJ-7.2.5.1-1 Firepower 4100/9300 Cisco_FTD_SSP_Hotfix_BJ-7.2.5.1-1 ISA 3000: Threat Defense Virtual: |
CSCwh23100: Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability CSCwh45108: Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
||
|
Hotfix AW |
7.2.4 |
Firepower 1000 series: Cisco_FTD_SSP_FP1K_Hotfix_AW-7.2.4.1-1 Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_AW-7.2.4.1-1 Secure Firewall 3100 series: Cisco_FTD_SSP_FP3K_Hotfix_AW-7.2.4.1-1 Firepower 4100/9300 Cisco_FTD_SSP_Hotfix_AW-7.2.4.1-1 ISA 3000: Threat Defense Virtual: |
CSCwf71606: Cisco ASA and FTD ACLs Not Installed upon Reload |
||
|
Hotfix AN |
7.2.4-165 |
Management Center: Cisco_Secure_FW_Mgmt_Center_Hotfix_AN-7.2.4.1-2
|
CSCwf28592: In some specific scenarios, object optimizer can cause incorrect rules to be deployed to the device |
Version 7.1.x Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EN |
7.1.0 7.1.x 7.1.x.x |
FMC (all hardware models): Cisco_Firepower_Mgmt_Center_BIOSUPDATE_710_EN-11
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix Q |
7.1.0.2 |
Secure Firewall 3100 series: |
CSCwb88651: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability CSCwc28334: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
||
|
Hotfix P |
7.1.0.1 |
Firepower 1000 series: Cisco_FTD_SSP_FP1K_Hotfix_P-7.1.0.2-2 Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_P-7.1.0.2-2 Firepower 4100/9300 Cisco_FTD_SSP_Hotfix_P-7.1.0.2-2 ISA 3000: FTDv: |
CSCwb88651: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability CSCwc28334: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
||
|
Hotfix A |
7.1.0 |
Firepower 1000 series with FDM: Cisco_FTD_SSP_FP1K_Hotfix_A-7.1.0.1-7 Firepower 2100 series with FDM: Cisco_FTD_SSP_FP2K_Hotfix_A-7.1.0.1-7 Firepower 4100/9300 with FDM: Cisco_FTD_SSP_Hotfix_A-7.1.0.1-7 ISA 3000 with FDM: FTDv with FDM:
|
CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability |
Version 7.0.x Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EZ |
7.0.0 7.0.x 7.0.x.x |
Management Center (1600, 2600, 4600): Cisco_Firepower_Mgmt_Center_BIOSUPDATE_700_EZ-5
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix EN |
7.0.0 7.0.x 7.0.x.x |
Management Center (1000, 2500, 4500): Cisco_Firepower_Mgmt_Center_BIOSUPDATE_700_EN-11
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix EI |
7.0.6 |
Firepower 1000 series: Cisco_FTD_SSP_FP1K_Hotfix_EI-7.0.6.1-3 Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_EI-7.0.6.1-3 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_EI-7.0.6.1-3 ASA 5500-X series and ISA 3000 with FTD: FTDv: |
CSCwh23100: Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability CSCwh45108: Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
||
|
Hotfix DC |
7.0.5 |
FMC: |
CSCwd88641: Deployment changes to push VDB package based on Device model and snort engine |
||
|
Hotfix S |
7.0.1 |
Firepower 1000 series with FDM: Cisco_FTD_SSP_FP1K_Hotfix_S-7.0.1.1-10 Firepower 2100 series with FDM: Cisco_FTD_SSP_FP2K_Hotfix_S-7.0.1.1-10 Firepower 4100/9300 with FDM: Cisco_FTD_SSP_Hotfix_S-7.0.1.1-10 ASA 5500-X series and ISA 3000 with FDM: FTDv with FDM:
|
CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability CSCwa55039: Firepower Threat Defense Hotfix S for 7.0.1 cause system failing when ran twice |
Version 6.7.x Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EN |
6.7.0 6.7.x 6.7.x.x |
FMC (all hardware models): Cisco_Firepower_Mgmt_Center_BIOSUPDATE_670_EN-11
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix AA |
6.7.0.3 |
Firepower 1000 series: Cisco_FTD_SSP_FP1K_Hotfix_AA-6.7.0.4-2 Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_AA-6.7.0.4-2 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_AA-6.7.0.4-2 ASA 5500-X series and ISA 3000: FTDv: |
CSCvw94160: CIAM: openssl CVE-2020-1971 CSCvx64478: Unwanted console output during SAML transactions CSCvz70595: Traceback observed on ASA while handling SAML handler CSCvz76966: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS CSCvz81480: IV in the outbound pkt is not updated on Nitrox V platforms when GCM is used for IPsec CSCvz84850: ASA/FTD traceback and reload caused by "timer services" function CSCvz85683: Wrong syslog message format for 414004 CSCvz85913: ASN.1 strings are represented internally within OpenSSL as an ASN1_STR for CISCO-SSL-1.0.2 CSCvz89545: SSL VPN performance degraded and significant stability issues after upgrade CSCvz92016: ASA Privilege Escalation with valid user in AD CSCwa04461: Cisco ASA Software and FTD Software Remote Access SSL VPN Denial of Service CSCwa14485: Cisco Firepower Threat Defense Software Denial of Service Vulnerability CSCwa15185: ASA/FTD: remove unwanted process call from LUA CSCwa33898: Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability CSCwa36678: Random FTD reloads with the traceback during deployment from FMC CSCwa65389: ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM |
||
|
Hotfix Y |
6.7.0.2 |
Firepower 1000 series with FDM: Cisco_FTD_SSP_FP1K_Hotfix_Y-6.7.0.3-7 Firepower 2100 series with FDM: Cisco_FTD_SSP_FP2K_Hotfix_Y-6.7.0.3-7 Firepower 4100/9300 with FDM: Cisco_FTD_SSP_Hotfix_Y-6.7.0.3-7 ASA 5500-X series and ISA 3000 with FDM: FTDv with FDM:
|
CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability |
||
|
Hotfix C |
6.7.0 6.7.x.x |
ISA 3000 with FTD: |
CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service |
Version 6.6.x Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EN |
6.6.0 6.6.x 6.6.x.x |
FMC (1000, 1600, 2500, 2600, 4500, 4600): Cisco_Firepower_Mgmt_Center_BIOSUPDATE_660_EN-11
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix EB |
6.6.7.1 |
FMC/FMCv: |
CSCwd88641: Deployment changes to push VDB package based on Device model and snort engine |
||
|
Hotfix DE |
6.6.5 6.6.5.1 |
FMC/FMCv: Cisco_Firepower_Mgmt_Center_Hotfix_DE-6.6.5.2-8 Firepower 1000 series with FDM: Cisco_FTD_SSP_FP1K_Hotfix_DE-6.6.5.2-8 Firepower 2100 series with FDM: Cisco_FTD_SSP_FP2K_Hotfix_DE-6.6.5.2-8 Firepower 4100/9300 with FDM: Cisco_FTD_SSP_Hotfix_DE-6.6.5.2-8 ASA 5500-X series and ISA 3000 with FDM: FTDv with FDM: ASA FirePOWER with ASDM: Cisco_Network_Sensor_Hotfix_DE-6.6.5.2-8
|
CSCwa70008: Expired certs cause Security Intel. and malware file preclassification signature updates to fail |
||
|
Hotfix DA |
6.6.5.1 |
Firepower 1000 series with FDM: Cisco_FTD_SSP_FP1K_Hotfix_DA-6.6.5.2-4 Firepower 2100 series with FDM Cisco_FTD_SSP_FP2K_Hotfix_DA-6.6.5.2-4 Firepower 4100/9300 with FDM: Cisco_FTD_SSP_Hotfix_DA-6.6.5.2-4 ASA 5500-X series and ISA 3000 with FDM: FTDv with FDM:
|
CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability |
||
|
Hotfix EI |
6.6.0 6.6.x 6.6.x.x |
FMC 2000, 4000: Cisco_Firepower_Mgmt_Center_BIOSUPDATE_660_EI-15
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix AB |
6.6.1 |
ISA 3000 with FTD: |
CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service |
||
|
Hotfix N |
6.6.0 6.6.0.x |
ISA 3000 with FTD: |
CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service |
Version 6.4.0 Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EN |
6.4.0 6.4.x 6.4.x.x |
FMC (1000, 1600, 2500, 2600, 4500, 4600): Cisco_Firepower_Mgmt_Center_BIOSUPDATE_640_EN-11
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix EP |
6.4.0.13 |
Firepower 1000 series with FDM: Cisco_FTD_SSP_FP1K_Hotfix_EP-6.4.0.14-9 Firepower 2100 series with FDM: Cisco_FTD_SSP_FP2K_Hotfix_EP-6.4.0.14-9 ASA 5500-X series and ISA 3000 with FDM: Cisco_FTD_Hotfix_EP-6.4.0.14-9 FTDv with FDM: Cisco_FTD_Hotfix_EP-6.4.0.14-9
|
CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability |
||
|
Hotfix EI |
6.4.0 6.4.0.x |
FMC 750, 1500, 2000, 3500, 4000: Cisco_Firepower_Mgmt_Center_BIOSUPDATE_640_EI-15
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix DV |
6.4.0 6.4.0.x |
ISA 3000 with FTD: |
CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service |
||
|
Hotfix BM |
6.4.0.9 |
Firepower 1000 series: Cisco_FTD_SSP_FP1K_Hotfix_BM-6.4.0.10-2 Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_BM-6.4.0.10-2 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_BM-6.4.0.10-2 ASA 5500-X series and ISA 3000 with FTD: Cisco_FTD_Hotfix_BM-6.4.0.10-2 FTDv: |
CSCvt03598: Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability |
||
|
Hotfix AY |
6.4.0.8 |
Firepower 1000 series: Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3 Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3 ASA 5500-X series and ISA 3000 with FTD: FTDv:
|
CSCvp49481, CSCvp93468: Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability CSCvs10748: Cisco Adaptive Security Appliance and Firepower Threat Defense Denial of Service Vuln CSCvo80853: Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability CSCvs50459: Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability CSCvr86783: Standby FDM lost connectivity after forming HA CSCvr92168: ASA/FTD Slow memory leak in OSPF process when processing OSPF Hellos CSCvt15163: Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability CSCvq89361: Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability CSCvu20521: OSPF is not forming after HF installation |
||
|
Hotfix U |
6.4.0.5 and 6.4.0.6 |
FMC/FMCv: |
CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability |
||
|
Hotfix T |
6.4.0 6.4.0.1 to 6.4.0.4 |
FMC/FMCv: |
CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability |
||
|
Hotfix AA |
6.4.0.4 to 6.4.0.7 |
FMC/FMCv: Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.8-4
|
Resolves issues with application identification. |
||
|
Hotfix X |
6.4.0.6 |
FMC/FMCv: |
CSCvr52109: FTD has hitcounts on access-lists but traffic is not hitting Access Policy rules |
||
|
Hotfix F |
6.4.0.2 |
FMC/FMCv: Cisco_Firepower_Mgmt_Center_Hotfix_F-6.4.0.3-2 Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_F-6.4.0.3-2 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_F-6.4.0.3-2 ASA 5500-X series and ISA 3000 with FTD: FTDv (VMware, FVM): |
CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade |
Version 6.2.3 Hotfixes
|
Hotfix |
Versions |
Platforms |
Resolves |
||
|---|---|---|---|---|---|
|
Hotfix EM |
6.2.3.17 |
Firepower 2100 series with FDM: Cisco_FTD_SSP_FP2K_Hotfix_EM-6.2.3.18-13 ASA 5500-X series and ISA 3000 with FDM: Cisco_FTD_Hotfix_EM-6.2.3.18-13 FTDv with FDM: Cisco_FTD_Hotfix_EM-6.2.3.18-13
|
CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability |
||
|
Hotfix EL |
6.2.3 6.2.3.x |
FMC 1000, 2500, 4500: Sourcefire_3D_Defense_Center_S3_BIOSUPDATE_623_EL-7
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix EI |
6.2.3 6.2.3.x |
FMC 750, 1500, 2000, 3500, 4000: Sourcefire_3D_Defense_Center_S3_BIOSUPDATE_623_EI-15
|
Updates the BIOS, CIMC firmware, and RAID controller firmware. See BIOS and Firmware Hotfixes for Management Center Hardware. |
||
|
Hotfix EH |
6.2.3 6.2.3.x |
ASA 5506-X series with FTD: |
CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service |
||
|
Hotfix DT |
6.2.3.15 |
Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3 ASA 5500-X series and ISA 3000 with FTD: Cisco_FTD_Hotfix_DT-6.2.3.16-3 FTDv: |
CSCvr55825: Cisco ASA and FTD Software Path Traversal Vulnerability CSCvp49481, CSCvp93468: Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability CSCvp16945, CSCvp16949: Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities CSCvo62077: Cisco Firepower Threat Defense Software VPN System Logging Denial of Service Vulnerability CSCvs10748: Cisco Adaptive Security Appliance and Firepower Threat Defense Denial of Service Vuln CSCvs50459: Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability CSCvo80853: Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability CSCvr07419: Cisco ASA and FTD Software IPv6 DNS Denial of Service Vulnerability CSCvt15163: Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability |
||
|
Hotfix DW |
6.2.3.15 |
Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_DW-6.2.3.16-6 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_DW-6.2.3.16-6 ASA 5500-X series and ISA 3000 with FTD: Cisco_FTD_Hotfix_DW-6.2.3.16-6 FTDv: |
CSCvs84578: Upgrading FTD on 4100/9300 Platform to 6.2.3.15 break SSHD, preventing FTD instance from booting up CSCvs84713: Cannot SSH to the device after upgrading FTD on ASA55XX/ISA 3000/FTDv to 6.2.3.15 build 38 CSCvs95725: Virtual FTD Running on 6.2.3.15 blocks SSH request and loses connection with the FMC |
||
|
Hotfix DO |
6.2.3 6.2.3.1 to 6.2.3.15 |
FMC/FMCv: |
CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability |
||
|
Hotfix DQ |
6.2.3.15 |
FMC/FMCv: Sourcefire_3D_Defense_Center_S3_Hotfix_DQ-6.2.3.16-2
|
Resolves issues with application identification. |
||
|
Hotfix CY |
6.2.3.14 |
FMC/FMCv: |
CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade |
||
|
Hotfix CK |
6.2.3.12 |
Firepower 2100 series: |
CSCvn77248: Cisco Secure Boot Hardware Tampering Vulnerability |
||
|
Hotfix Local Malware Cert |
6.2.3 6.2.3.x |
FMC/FMCv: |
CSCvm81052: local malware detection updates not downloading to FMC due to invalid certificate chain. |
||
|
Hotfix H |
6.2.3 6.2.3.1 to 6.2.3.3 |
FMC/FMCv: Sourcefire_3D_Defense_Center_S3_Hotfix_H-6.2.3.999-5 Firepower 7000/8000 series: Sourcefire_3D_Device_S3_Hotfix_H-6.2.3.999-5 ASA FirePOWER: Cisco_Network_Sensor_Hotfix_H-6.2.3.999-5 NGIPSv: |
CSCvj07038: Firepower devices need to trust Threat Grid certificate. |
||
|
Hotfix G |
6.2.3 6.2.3.1 to 6.2.3.3 |
Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_G-6.2.3.999-6 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_G-6.2.3.999-6 ASA 5500-X series with FTD: Cisco_FTD_Hotfix_G-6.2.3.999-6 FTDv (VMware, KVM, AWS): |
CSCvj07038: Firepower devices need to trust Threat Grid certificate. |
||
|
Hotfix T |
6.2.3.1 to 6.2.3.3 |
FMC/FMCv: |
CSCvk06176: SSEConnector is not coming up because of Wrong Executable. |
||
|
Hotfix A |
6.2.3 |
Firepower 2100 series: Cisco_FTD_SSP_FP2K_Hotfix_A-6.2.3.1-10 Firepower 4100/9300: Cisco_FTD_SSP_Hotfix_A-6.2.3.1-10 ASA 5500-X series with FTD: FTDv (VMware, KVM, AWS): |
CSCvg65072: ASA, Threat Defense, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability. CSCvi16029: ASA Web Interface Authentication Bypass. |
Applying Hotfixes
Downloading Hotfixes
Download hotfixes from the Cisco Support & Download site: https://software.cisco.com/download/home.
To find a hotfix, select or search for your model, then browse to the software download page for your current version. Available hotfixes are listed along with upgrade and installation packages. If you cannot find a hotfix on the download page for your patch level—especially if that same hotfix applies to other patches—look on other download pages where the hotfix applies, especially the first version and the last version.
You use the same hotfix package for all models in a family or series. Most hotfix packages use the naming scheme: Platform_Hotfix_letter-version-build.sh.REL.tar. Do not untar signed (.tar) packages.
Installing Hotfixes
You install hotfixes the same way you install patches. For instructions, see one of the following guides. Note that in management center deployments, use the guide for the version of management center (not threat defense) that you are currently running. In device manager deployments, use the device manager guide even if you usually use CDO; you cannot use CDO to hotfix threat defense.
|
Current Management Center Version |
Guide |
|---|---|
|
7.2+ |
Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version: Upgrade Management Center |
|
7.1 |
Cisco Firepower Threat Defense Upgrade Guide for Firepower Management Center, Version 7.1: Upgrade the FMC |
|
7.0 or earlier |
Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade Firepower Management Centers |
|
Current Management Center Version |
Guide |
|---|---|
|
Cloud-delivered Firewall Management Center |
Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center |
|
7.2+ |
Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version: Upgrade Threat Defense |
|
7.1 |
Cisco Firepower Threat Defense Upgrade Guide for Firepower Management Center, Version 7.1: Upgrade FTD |
|
7.0 or earlier |
Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade Firepower Threat Defense |
|
Current Threat Defense Version |
Guide |
|---|---|
|
7.2+ |
Cisco Secure Firewall Threat Defense Upgrade Guide for Device Manager for your version: Upgrade Threat Defense |
|
7.1 |
Cisco Firepower Threat Defense Upgrade Guide for Firepower Device Manager, Version 7.1: Upgrade FTD |
|
7.0 or earlier |
Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for your version: System Management |
|
Platform |
Current Manager Version |
Guide |
|---|---|---|
|
Firepower 7000/8000 series with management center |
6.0.0–7.0.x |
Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade Firepower 7000/8000 Series and NGIPSv |
|
NGIPSv with management center |
6.0.0–7.1.x 7.2.0–7.2.5 7.3.x 7.4.0 |
Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade Firepower 7000/8000 Series and NGIPSv |
|
7.2.6–7.2.x 7.4.1–7.4.x |
Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version: Upgrade Older ASA FirePOWER and NGIPSv Devices |
|
|
ASA FirePOWER withmanagement center |
6.0.0–7.1.x 7.2.0–7.2.5 7.3.x 7.4.0 |
Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade ASA with FirePOWER Services |
|
7.2.6–7.2.x 7.4.1–7.4.x |
Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version: Upgrade Older ASA FirePOWER and NGIPSv Devices |
|
|
ASA FirePOWER with ASDM |
Any |
Cisco Secure Firewall ASA Upgrade Guide: Upgrade the ASA FirePOWER Module |
Verifying Hotfix Success
Applying a hotfix does not update the software version or build. To verify that a hotfix installed successfully, access the Linux shell (also called expert mode) and run the following command:
cat /etc/sf/patch_history
The system lists all successful upgrades, patches, hotfixes, and pre-install packages since the software was first installed.
Unresponsive or Unsuccessful Hotfixes
Do not make or deploy configuration changes while you are installing a hotfix. Even if the system appears inactive, do not manually reboot, shut down, or restart a hotfix in progress. You could place the system in an unusable state and require a reimage. Do not install the same hotfix more than once on a single appliance. If you encounter issues with a hotfix, including a failed hotfix or unresponsive appliance, contact Cisco TAC.
Uninstalling Hotfixes
Do not attempt to uninstall a hotfix. Instead, contact Cisco TAC.
Traffic Flow and Inspection
Device hotfixes can affect traffic flow and inspection, especially if the hotfix reboots the device, or if you need to deploy configuration changes. Device type, deployment type (standalone, high availability, clustered), and interface configurations determine the nature of the interruptions. Install hotfixes in a maintenance window or at a time when any interruption will have the least impact on your deployment. For specifics on traffic flow and inspection, see the appropriate upgrade guide (linked above).
For Assistance
Online Resources
Cisco provides the following online resources to download documentation, software, and tools; to query bugs; and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot and resolve technical issues.
-
Documentation: http://www.cisco.com/go/ftd-docs
-
Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
-
Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
-
Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
-
Email Cisco TAC: tac@cisco.com
-
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
-
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Feedback