IBM Support

QRadar M7 xSeries firmware V3.0.0 for 1U and 2U appliances (ISO/XClarity Controller remote installs)

Release Notes


Abstract

This firmware update (V3.0.0) provided by IBM updates QRadar® M7 appliances with updates for UEFI, XCC, RAID controllers, and HDD software fixes and enhancements. This firmware can be used on all QRadar M7 appliances, but requires that the administrator configures their XClarity Controller (XCC) for remote management.

Content

Important: Select a tab to read each step of the firmware procedure.

Part 1: About the M7 firmware V3.0.0 update


The M7 firmware v3.0.0 ISO is intended to remotely update software through the XClarity Controller (XCC) user interface. Administrators must extract the EXE file and apply the uxz file to update their XClarity Controller, then the ISO can be mounted to apply the remainder of the firmware updates. The installation instructions are provided on tab named 'Part 2. Installing Firmware Updates'. These instructions guide customers through a remote upgrade of their firmware.
 
 
Limitation: Due to changes in the bundled software, a USB firmware update method is not available on IBM Fix Central at this time. Administrators must use the XCC method to update their M7 firmware.


Important: If your appliance is in a HA pair, there are configuration steps required to set the status properly for your primary and secondary high-availability appliances. For more information, see: http://www.ibm.com/support/docview.wss?uid=swg27047121#HA.
 

 

Supported appliances, types, and model information


This firmware update applies to the following IBM Security QRadar M7 (1U and 2U form factor) appliance types:
Hardware Details
Appliance and machine type model (MTM)
1U
IBM QRadar Network Insights Appliance 1901 (MTM 4723-N9C)
IBM QRadar XX05 1U (MTM 4723-Q7B)
IBM QRadar Event/QFlow Collector Appliance 1501/1201 1U (MTM 4723-Q9C)
IBM QRadar XX48 1U (MTM 4793-Q8D)
 
 
2U
IBM QRadar Network Insights 1920 2U (MTM 4723-N2A)
IBM QRadar Network Insights 1940 2U (MTM 4723-N4B)
IBM QRadar XX29 M7 appliance 2U (4723-Q9A)
IBM QRadar Incident Forensics Appliance 2U (MTM 4723-F1A)

For capabilities on these appliances, see QRadar M7 appliance overview.
Server Type M7
Server Machine Type SR630 V2 (7Z71)/ M7 1U
SR650 V2 (7Z73) / M7 2U
Table 1: List of appliances the M7 appliance firmware V3.0.0 can update.
 

Important information and prerequisites in this firmware update

Administrators must ensure that their M7 appliance includes the minimum version outlined in the Prerequisite version column. If your M7 appliance does not meet the prerequisite versions outlined in the table, the administrator must contact IBM QRadar Support to discuss a custom upgrade path for your M7 appliance.
Component Prerequisites Firmware version in this update File name 
UEFI/BIOS  None afe124g-2.10 lnvgy_fw_uefi_afe124g-2.10_anyos_32-64.uxz
XCC None fot38m-3.80 oem_fw_xcc_afot38m-3.80_anyos_noarch.uxz
LXPM None xwl118e-3.21 llnvgy_fw_lxpm_xwl118e-3.21_anyos_noarch.uxz
RAID controller
  • ThinkSystem RAID 940-8e 4GB Flash PCIe 12Gb Adapter
  • ThinkSystem RAID 940-16i 8GB Flash PCIe Gen4 12Gb Adapter
  • ThinkSystem RAID 540-8i PCIe Gen4 12Gb Adapter
None 940-52.22.0-4774-4 (940-8e)
940-52.22.0-4774-4 (940-16i)
540-52.22.0-4775-2 (540-8i)
lnvgy_fw_raid_mr3.5.940-52.22.0-4774-4_linux_x86-64.bin
lnvgy_fw_raid_mr3.5.940-52.22.0-4774-4_linux_x86-64.bin
lnvgy_fw_raid_mr3.5.540-52.22.0-4775-2_linux_x86-64.bin
NIC
  • ThinkSystem Intel E810-DA2 10/25GbE
    SFP28 2-Port PCIe Ethernet Adapter
  • ThinkSystem Intel I350 1GbE RJ45 4-
    port OCP Ethernet Adapter
None 4.22-1.3357.0-4
9.2-6.2-1.3357.0-2
intclnvgy_fw_nic_net.e800.da2.pcie4.22-1.3357.0-4_linux_x86-
64.bin

intc-lnvgy_fw_nic_net-9.2-6.2-1.3357.0-2_linux_x86-64.bin
 
Emulex None 5.70-1.3218.0-4 elx-lnvgy_fw_fc_lp.35-14.0.376.28-4_linux_x86-64.bin
Table 2: Firmware versions and any prerequisite for each component are provided in this table.

 
NOTES
  • A number of hard disk drives can be installed in this appliance. The HDD update tool examines the hard disk drives that are present and selects the latest firmware version that is available for your drive.
  • The base system pack might contain other firmware packages that are not present in QRadar appliances. Firmware updates from the base system pack might be displayed with a status of "undetected" when the tool compares available firmware to the hardware in the appliance.
  • For general firmware questions and information, see our FAQ page at http://ibm.biz/qradarfirmware.


 

Security issues resolved in this firmware update

The table lists the software versions and CVEs addressed in the firmware release.

Component File name  Updates
UEFI/BIOS  lnvgy_fw_uefi_afe124g-2.10_anyos_32-64.uxz

Security
  • Integrated Intel BKC 2023.3 IPU
    • Updated SPS to SPS_E5_04.04.04.500.0
    • Updated MCU to m_87_606a6_0d0003a5.mcb
  • Updated DBX MAY 2023 to address PSIRT issue LEN-127392
    Note: User could take one of the two methods to apply the default DBX, but it will reset all keys to default. Users need readd their customer keys after the operation
    • GUI: Go to the setup menu, Security > Secure Boot Configuration > Secure Boot Policy, select Reset All Keys to Default, then save and exit setup.
    • Command line: Use the OneCLI command to update the new DBX:
      OneCli.exe config set SecureBootConfiguration.SecureBootPolicy 
      "Reset All Keys to Default" --imm <USERID>:<PASSW0RD>@<IP>
Enhancements
  • Added a function for uEFI to report OS boot status to XCC when system is staying in power on password and privileged admin password input message box.
  • Fixed PCIe Link Width Degrade with Diamanti Network Accelerator.
  • Fixed PCIe Link Width Degrade with AEC-PCIe-45 produced by Adrienne Electronics.
  • Added a new system event log (FQXSFMA0076M: DIMM [arg1] is not supported, DIMM identifier is [arg2]) for unsupported DIMM error reporting.
Fixes
  • Fixed the issue that XCC web cannot show the detailed inventory information for generic onboard SATA drive.
  • Added OS WHEA event log while memory UE occurred.
  • Fixed some setting that are not synced with operating mode after system reboot when changing OperatingModes.ChooseOperatingMode in OneCLI.
  • Fixed wrong behavior of setup menu "Initiator IP Address", "Initiator Subnet Mask" and "Gateway" at page "System Settings > Network > iSCSI Settings > Host iSCSI Configuration > Attemp #" in System Setup Utility.
  • Fixed the issue that set up items in "BMC Settings" are loaded to default by selecting "Load Default Settings" in the system setup utility.
  • Supported over 20 boot devices in "Boot manager > Change Boot Order".
  • Supported domain name as the input of OneCLI iSCSI.TargetIp.
  • Fix issue that system hang when you select "Discard Settings" after "System Settings > Network > iSCSI Settings > Host iSCSI Configuration > Attemp # > Target Address" is input as domain name in System Setup Utility.
  • Fixed the issue that SGX PRMRR size can not be configured as 512GB when MMIO base is 3GB.
  • Fixed the issue that system hang when selecting "Discard Settings" after "System Settings > Network > iSCSI Settings > Host iSCSI Configuration > Attemp # > Target Address" is input as domain name in System Setup Utility.
  • Cleaned up the invalid address input in "System Settings > Network > Network Boot Settings > IPv6 Configuration List > Click any configuration > Enter Configuration Menu > Change Policy to manual > Advanced Configuration".
  • Fixed wrong behavior of setup menu "Initiator IP Address", "Initiator Subnet Mask" and "Gateway" at page "System Settings > Network > iSCSI Settings > Host iSCSI Configuration > Attemp #" in System Setup Utility.
  • Fixed the issue that AMT (Advanced Memory Test) fails to be triggerred by OneCLI or LXPM when "System Settings > Memory > Memory Test" is configured as "Disabled"
  • Do not highlight "F1:System Setup" in POST screen when Shift + F1 are pressed.
  • Fixed the issue that changing BootOrder.HardDiskBootOrder failed by OneCLI when "Boot manager > Boot Modes > Prevent OS Change To Boot Order" is enabled.
  • Fixed the issue that Linux efibootmgr cannot show "BootCurrent" after IPMI is set to one time boot.
  • Fixed the bug when you change a setup item at "BMC Settings > Network Settings > Advanced Settings for BMC Ethernet" can display an error message box. This occurred when "BMC Settings > Network Settings > Save Network Settings" is selected in System Setup Utility.
  • Fixed the issue that Manufacturer is empty for Intel SATA drives in "System Settings > Storage > SATA Drives > SATA Drive Information" in System Setup Utility.
  • Fixed the issue that SMBIOS Type 1 "Family" field cannot be updated when yo change SYSTEM_PROD_DATA.SysInfoFamily in OneCLI.
Limitations
XCC oem_fw_xcc_afot38m-3.80_anyos_noarch.uxz  
Fixes
  • Fixed a privilege escalation problem in the Redfish interface.
  • Fixed a privilege escalation problem that can be triggered by an HTTP request smuggling attack.
  • Fixed a SQL command injection problem.
  • Fixed a problem that XCC inventory show intel S4520 SSD as SED.
  • Fixed a problem that disk part number/FRU number of Slot2 to Slot7 not recognized in XCC for SR650V2.
  • Fixed a problem that "FQXSFPU4053G: System TPM_POLICY does not match the planar" showed as an Info, instead of a warning.
  • Fixed a problem that fan speed disappeared but it is still observed in utilization.
  • Fixed a problem that retimer adapter is not seen temporarily at webGUI(Frimware Update page) during host power cycle.
Enhancements
  • Added enhancement of callhome feature to enable annual reminder to verify the contact information and retry for connection for LUF.
  • Add support in Redfish for XCC TLS Cipher Configuration.
  • Add support in OneCLI to allow turning deviceorderbyfirmware on or off for ThinkSystem 540 and 940 RAID controllers.
  • Added support in Redfish to show system OS boot status.
  • Added alert category to report event of HDD removed.
  • Added alert category to report event of host network disconnection.
    Extend SNMPv1 and SNMvP2c trap destination to three destinations.
  • Added support to access XCC Remote Control through below URL directly
    https://<ip_address>/#/remote.
  • Added support in Redfish for Trespass message and use DNS to discover LXCA.
  • Added support in Redfish to modify UEFI protected setting.
  • Added support in Redfish to select drives when create RAID volume.
  • Added support for SAN ( Subject Alternative Name) when creating a CSR in XCC web/redfish interface.
  • Added support to enable individual drive temperature reading for Microchip RAID card.
  • Added support to display Xilinx X3522 marketing name in XCC interface.
  • Supported 2600W TT ITIC PSU for SR650V2.
LXPM llnvgy_fw_lxpm_xwl118e-3.21_anyos_noarch.uxz None
RAID controller lnvgy_fw_raid_mr3.5.940-52.22.0-4774-4_linux_x86-64.bin
lnvgy_fw_raid_mr3.5.940-52.22.0-4774-4_linux_x86-64.bin
lnvgy_fw_raid_mr3.5.540-52.22.0-4775-2_linux_x86-64.bin
None
NIC intclnvgy_fw_nic_net.e800.da2.pcie4.22-1.3357.0-4_linux_x86-
64.bin

intc-lnvgy_fw_nic_net-9.2-6.2-1.3357.0-2_linux_x86-64.bin
None
Emulex elx-lnvgy_fw_fc_lp.35-14.0.376.28-4_linux_x86-64.bin None
Table 3: Security issues resolved in the M7 firmware update 3.0.0.

 


 

A. Before you begin

  • This installation method uses the hardware's integrated XCC interface to remotely update firmware.
  • If your appliances are in a HA pair, you must prepare your high-availability appliances by using the instructions found here: http://www.ibm.com/support/docview.wss?uid=swg27047121#HA .
  • A number of hard disk drives can be installed in this appliance. The HDD update tool examines the hard disk drives that are present and selects the most current firmware level that is available.

B. Downloading and extracting the firmware update

  1. Download the QRadar M7 appliance firmware from IBM Fix Central: M7 firmware 3.0.0 EXE download.
  2. Copy the M7 appliance firmware EXE to a directory on the Windows host.
  3. Double-click the file Qradar_EXE_M7_1U_SR630V2_7Z71_2U_SR650V2_7Z73_3_0_0.exe.
  4. Select or type a directory path for the firmware update and click Extract.
    image-20240126091938-1
  5. The following files are extracted:
    image-20240126090219-1

C. Updating the XCC firmware

  1. Log in to the XClarity interface on your QRadar M7 appliance.
  2. From the navigation sidebar, click Firmware Update.
    image 12300
  3. Click Update Firmware.
    image 12301
  4. Click Browse and choose the XClarity (XCC) firmware update oem_fw_xcc_afot38m-3.80_anyos_noarch.uxz.
    image-20200313095447-7
  5. Click Next to upload and verify the XCC firmware file.
    image-20200313095729-9
  6.  Select the BMC (Primary) check box and click Next.
    Important: The backup firmware bank is automatically updated. Administrators must ensure the BMC (Backup) check box is cleared (not selected). Administrators who select both check boxes must reinstall their firmware to ensure the primary bank updates properly.
    image-20200313095945-10
  7. Wait for the update the primary firmware banks to complete.
    image-20200313100001-11
  8. Click Restart BMC and clear your browser cache.
    image-20200313103521-12

    Results
    Wait for 5 minutes for the XCC interface to restart and log in. Continue to the next section to mount the firmware ISO and configure the boot options.

D. Mounting the M7 Firmware ISO

 
  1. From the OEM Controller menu, click Remote Console.
  2. Click Remote Console Preview.
    IMPORTANT: Confirm the following parameters:
    2a. Launch the session in Single User Mode.
    2b. Clear the Allow others to request my remote session disconnect check box.
    2c. Click Launch Remote Console to connect to the appliance.
    image 6269
  3. To open the file mount options, click Diagnostic > Media.
    IMPORTANT: Confirm the following parameters:
    3a. Verify that the First Boot Device is set to CD/DVD Rom.
    3b. Verify that the Boot Mode drop-down is set as Legacy Mode.
    image 3783
  4. Click Mount Local Media, and click Activate.
    image 12299
  5. Click Browse and select Qradar_ISO_M7_1U_SR630V2_7Z71_2U_SR650V2_7Z73_3_0_0.iso.
  6. Click Mount all local media.
    Note: If successful, a checkmark appears next to the uploaded ISO file.

    image-20240126090742-2
  7. From the OEM Controller menu, click OS Installation.
  8. Select Power > Boot Server to System Startup.
    image 3782
  9. Wait for the setup menu to display.
  10. From the navigation menu, click UEFI Setup.
    image 3786
  11. Click Start Options, then CD/DVD Rom.
    image 3787
  12. In the Update Settings menu, verify that all check boxes are clear (not selected) and click Next.
    image 12297
  13. From the Update Comparison menu, click Begin.
    image 12297
  14. The IBM UpdateXpress System Pack Installer compares the current package with the installed firmware.
  15. Review the list of updates.
    Important: In the next step, administrators must confirm that all recommended updates are CHECKED, except for Lenovo/XClarify Controller XCC as this firmware was updated manually by the administrator in previous steps.
  16. Verify the check box for Lenovo/XClarity Controller (XCC) is clear (not selected) and click Next.
    image 12295
  17. Wait for the firmware updates to load.
    image 12296
  18. Click Begin Update to install the firmware.
    image 12294

    NOTE: Administrators might be prompted with a confirmation dialogue and need to click Yes to continue.
    image 12293
  19. Verify that all updates complete successfully and click Next.
    image 12292
  20. Click Finish to exit.
    image 12291
  21. The appliance must reboot to complete the firmware installation.
    image 3796
  22. Log in to the XClarity interface and connect to the appliance with the Remote Console.
  23. Click Diagnostic > Media and click Unmount.
    image-20240126091039-1

    Results
    After the ISO file is unmounted, the administrator can log out and complete this procedure on other QRadar appliances. If you experience any installation issues, you can contact QRadar Support for assistance and open a software support case for your appliance. The support representative can request the firmware logs for review to determine the root cause of the issue or if replacement hardware is required. If the issue is hardware-related, the support representative can change the case type and involve the proper teams to schedule replacement parts.
Troubleshooting
  • A green screen is not indicative of failure by itself, press CTRL on your keyboard to wake up the screen saver. If CTRL does not wake up the screensaver, you might need to press ENTER key. After ENTER key is pressed, if the Green background screen remains, check the power state of the XCC by going to the OEM Controller home page to view the power status in the upper left screen.

    Note: If you can't reconnect to the IMM, or XCC, you need to send someone to the site to check on the machine status. In some rare circumstances, IMM can disconnect and the server maybe waiting for someone to press ENTER key locally.
 
 

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtcAAA","label":"Hardware"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
26 January 2024

UID

ibm17112080