First Published: December 1, 2015

Cisco Firepower 4100/9300 FXOS Compatibility

This document lists software and hardware compatibility information for the Firepower eXtensible Operating System (FXOS), Cisco Firepower 9300 and Cisco Firepower 4100 series security appliances, and supported logical devices.

Firepower 4100/9300 Compatibility with ASA and Threat Defense

For the Firepower 4100/9300, you must maintain compatibility between FXOS and all ASA and threat defense logical devices. Upgrade FXOS before you upgrade the sofware. The bold versions the the following table are specially-qualified (enhanced testing) companion releases. Use these combinations whenever possible.

Note that for other device models, the FXOS compatibility work is done for you. In most cases, upgrading the software automatically upgrades FXOS. For the Secure Firewall 3100/4200 in multi-instance mode, the management center guides you through upgrading FXOS and then threat defense.

To upgrade:

  • FXOS: From FXOS 2.2.2 and later, you can upgrade directly to any higher version. When upgrading from versions earlier than 2.2.2, you need to upgrade to each intermediate version. Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:

    1. FXOS 2.2→FXOS 2.11 (the highest version that supports 9.8)

    2. ASA 9.8→ASA 9.17 (the highest version supported by 2.11)

    3. FXOS 2.11→FXOS 2.13

    4. ASA 9.17→ASA 9.19

  • Threat Defense: Interim upgrades may be required for threat defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the management center upgrade guide for your version.

  • ASA: ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.


Note

FXOS 2.8(1.125)+ and later versions do not support ASA 9.14(1) or 9.14(1.10) for ASA SNMP polls and traps; you must use 9.14(1.15)+. Other releases, such as 9.13 or 9.12, are not affected.

Table 1. Firepower 4100/9300 Compatibility with ASA and Threat Defense

FXOS Version

Model

ASA Version

Threat Defense Version

2.16

Firepower 4112

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 4145

Firepower 4125

Firepower 4115

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.14(1)

Firepower 4112

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.13

Firepower 4112

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.12

Firepower 4112

9.18 (recommended)

9.17

9.16

9.14

7.2 (recommended)

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.11

Firepower 4112

9.17 (recommended)

9.16

9.14

7.1 (recommended)

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.17 (recommended)

9.16

9.14

9.12

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.17 (recommended)

9.16

9.14

9.12

9.8

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.10

Note

 

For compatibility with 7.0.2+ and 9.16(3.11)+, you need FXOS 2.10(1.179)+.

Firepower 4112

9.16 (recommended)

9.14

7.0 (recommended)

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.16 (recommended)

9.14

9.12

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.16 (recommended)

9.14

9.12

9.8

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.9

Firepower 4112

9.14

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.14

9.12

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14

9.12

9.8

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.8

Firepower 4112

9.14

6.6

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

Firepower 4145

Firepower 4125

Firepower 4115

9.14 (recommended)

9.12

Note

 

Firepower 9300 SM-56 requires ASA 9.12(2)+

6.6 (recommended)

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14 (recommended)

9.12

9.8

6.6 (recommended)

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.157)

Note

 

You can now run ASA 9.12+ and FTD 6.4+ on separate modules in the same Firepower 9300 chassis

Firepower 4145

Firepower 4125

Firepower 4115

9.12

Note

 

Firepower 9300 SM-56 requires ASA 9.12.2+

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

6.4 (recommended)

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.131)

Firepower 9300 SM-48

Firepower 9300 SM-40

9.12

Not supported

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.73)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

 

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

6.2.3 (recommended)

Note

 

6.2.3.16+ requires FXOS 2.3.1.157+

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.66)

2.3(1.58)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

 

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Threat Defense versions are EoL

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

Radware DefensePro Compatibility

The following table lists the supported Radware DefensePro version for each security appliance and associated logical device.

Table 2. Radware DefensePro Compatibility
FXOS Version ASA Threat Defense Radware DefensePro Security Appliance Models

2.16

9.22(1)

7.6

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4112

Firepower 4115

Firepower 4125

Firepower 4145

2.14(1)

9.20(1)

7.4(1)

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4112

Firepower 4115

Firepower 4125

Firepower 4145

2.13.0

9.19(1)

7.3

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4112

Firepower 4115

Firepower 4125

Firepower 4145

2.12.0

9.18(1)

7.2

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.11.1

9.17(1)

7.1

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.10.1

9.16(1)

7.0

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.10.1

9.16(1)

7.0

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.9.1

9.15(1)

6.7.0

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.8.1

9.14(1)

6.6.0

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.7(1)

9.13(1)

6.5

8.13.01.09-3

Firepower 9300

Firepower 4110

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150
2.6(1)

9.12(1)

9.10(1)

6.4.0

6.3.0

 8.13.01.09-3

Firepower 9300

Firepower 4110

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150
2.4(1)

9.9(2)

9.10(1)

6.2.3

6.3

 8.13.01.09-2

Firepower 9300

Firepower 4110

Firepower 4120

Firepower 4140

Firepower 4150
2.3(1)

9.9(1)

9.9(2)

6.2.2

6.2.3

 8.13.01.09-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150
2.2(2)

9.8(1)

9.8(2)

9.8(3)

6.2.0

6.2.2

 8.10.01.17-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150
2.2(1)

9.7(1)

9.8(1)

 6.2.0 8.10.01.17-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150
2.1(1)

9.6(2)

9.6(3)

9.6(4)

9.7(1)

 not supported 8.10.01.16-5

Firepower 9300

Firepower 4120

Firepower 4140

Firepower 4150
2.0(1)

9.6(1)

9.6(2)

9.6(3)

9.6(4)

 not supported 8.10.01.16-5

Firepower 9300

Firepower 4120

Firepower 4140

Firepower 4150
1.1(4) 9.6(1) not supported 1.1(2.32-3) 9300

Network Module Support

The following table lists supported single-wide and double-wide network modules on the Firepower 9300 and Firepower 4100 security appliances.


Note
Network Module Firepower 9300 Firepower 4100 series
Firepower 8-port 10G Network Module single-wide FPR9K-NM-8X10G FPR4K-NM-8X10G
Firepower 4-port 40G Network Module single-wide FPR9K-NM-4X40G FPR4K-NM-4X40G
Firepower 2-port 100G Network Module double-wide FPR9K-DNM-2X100G

(FXOS 1.1.4 and later)

Note: Requires firmware package 1.0.10 or later

 Not supported
Firepower 6-port 1G SX Network Module single-wide, FTW Not supported FPR4K-NM-6X1SX-F

(FXOS 2.0.1 and later)
Firepower 6-port 10G SR Network Module single-wide, FTW FPR9K-NM-6X10SR-F

(FXOS 2.0.1 and later)

 FPR4K-NM-6X10SR-F

(FXOS 2.0.1 and later)
Firepower 6-port 10G LR Network Module single-wide, FTW FPR9K-NM-6X10LR-F

(FXOS 2.0.1 and later)

 FPR4K-NM-6X10LR-F

(FXOS 2.0.1 and later)
Firepower 2-port 40G SR Network Module single-wide, FTW FPR9K-NM-2X40G-F

(FXOS 2.0.1 and later)

 FPR4K-NM-2X40G-F

(FXOS 2.0.1 and later)
Firepower 8-port 1G Network Module single-wide, FTW Not supported FPR-NM-8X1G-F

(FXOS 2.1.1 and later; Firepower Threat Defense 6.2 and later)
Firepower 2-port 100G Network Module single-wide FPR9K-NM-2X100G

(FXOS 2.4.1 and later)

 FPR4K-NM-2X100G

(FXOS 2.13 and later)

Note

 

Only supported on Firepower 4112, 4115, 4125, and 4145 devices.
Firepower 4-port 100G Network Module single-wide FPR9K-NM-4X100G

(FXOS 2.4.1 and later)

 Not supported

Power Supply Support

The following table lists supported power supply modules on the Firepower 9300 and 4100 security appliances.

Table 3. Power Supply Support
Power Supply Firepower Model
9300 4112 4115 4125 4145
AC YES YES YES YES YES
DC YES YES YES YES YES
HVDC YES

Note

 

Requires FXOS version 2.1.1 or later
NO NO NO NO

Note: For more detailed information about the power supply modules in the 4100 series security appliances, see “Power Supply Modules” in the Cisco Firepower 4100 Series Hardware Installation Guide (http://www.cisco.com/c/en/us/td/docs/security/firepower/4100/hw/guide/b_install_guide_4100.html). For more detailed information about the power supply modules in your 9300 security appliance, see “Power Supply Modules” in the Cisco Firepower 9300 Hardware Installation Guide ( http://www.cisco.com/c/en/us/td/docs/security/firepower/9300/hw/guide/b_install_guide_9300.html).

Security Module Compatibility

Prior to 2.6, all security modules in the Firepower 9300 have to match.

In 2.6 and later, you can mix different types of security modules with the following caveats:

  • Clustering is not supported on mixed modules in 2.6 and 2.7. However, in 2.8 and later, you can use mixed modules when using multi-instance clustering (a cluster with one container instance on each module). Native clustering still requires all the modules to be the same type.

  • High Availability is only supported between same-type modules; but the two chassis can include mixed modules.

The following table lists supported security modules on the Firepower 9300.

Table 4. Security Module Compatibility
Security Module and Product ID Description FXOS Version

SM-40 (FPR9K-SM-40)

40-physical core security module with two SSDs

2.6.1 and later

Note: Requires ASA 9.12(1) or FTD 6.4 and later

SM-48 (FPR9K-SM-48)

48-physical core security module with two SSDs

2.6.1 and later

Note: Requires ASA 9.12(1) or FTD 6.4 and later

SM-56 (FPR9K-SM-56)

 56-physical core security module with two SSDs

2.6.1 and later

Note: Requires ASA 9.12(2) or FTD 6.4 and later

ASA and Threat Defense Clustering External Hardware Support

Clustering will work with both Cisco and non-Cisco switches from other major switching vendors with no known interoperability issues if they comply with the following requirements and recommendations. Clustering is compatible with technologies such as vPC (Nexus), VSS (Catalyst), and StackWise & StackWise Virtual (Catalyst).

Switch Requirements

  • All third party switches must be compliant to the IEEE standard (802.3ad) Link Aggregation Control Protocol.

  • EtherChannel bundling must be completed within 45 seconds when connected to Firepower devices and 33 seconds when connected to ASA devices.

  • On the cluster control link, the switch must provide fully unimpeded unicast and broadcast connectivity at Layer 2 between all cluster members.

  • On the cluster control link, the switch must not impose any limitations on IP addressing or the packet format above Layer 2 headers.

  • On the cluster control link, the switch interfaces must support jumbo frames and be configurable for an MTU above 1600.

Switch Recommendations

  • The switch should provide uniform traffic distribution over the EtherChannel's individual links.

  • The switch should have an EtherChannel load-balancing algorithm that provides traffic symmetry.

  • The EtherChannel load balance hash algorithm should be configurable using the 5-tuple, 4-tuple, or 2-tuple to calculate the hash.


Note

For the Firepower 9300 cluster, intra-chassis clustering can operate with any switch because Firepower 9300-to-switch connections use standard interface types.


Note

Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using ISSUs with clustering.