Table of Contents
- General Device to Feature Support for Security Manager
- IPv6 Support Summarized by Device Class and Application
- Explicitly Supported Devices for Security Manager
- Generically Supported Devices for Security Manager
- Supported Software for Security Manager
- Software Supported in Downward Compatibility Mode
- Supported Devices and Software Versions for Auto Update Server
- Supported Devices and Software Versions for Performance Monitor
- Product Documentation
Broadly speaking, Security Manager has these main features: device configuration, event management, report management, health and performance monitor, and image management. Table 1 explains which classes of device are supported for each feature. The exact models and software versions supported in each device class are listed in subsequent sections.
Intrusion Prevention System (IPS) appliances and service modules1
Security Manager provides some support for IPv6, but only for configuring policies on a device (e.g., firewall rules, IPS rules). Support is for traffic through the device; it is not for communication from Security Manager to the device.
Table 2 summarizes IPv6 support by device class in each Security Manager application (e.g., Configuration Manager).
If a particular device class has no policies that use IPv6 (e.g., Cisco IOS IPS in supported routers), then the table lists “Not applicable.” The table also lists “Not applicable” for devices that are not supported at all by a particular application (e.g., Image Manager supports only ASAs).
For the specific policies that you can configure, see the Getting Started chapter in the User Guide for Cisco Security Manager.
The following table lists the devices you can manage in Cisco Security Manager. These specific models are explicitly supported, that is, Security Manager is aware of the features available on the device and recognizes the device module.
Tip: If a device model is not listed in this table, you might still be able to manage it as a generic device type. For more information, see Generically Supported Devices for Security Manager.
Cisco Catalyst 6500 Series Firewall Services Module (FWSM) 1
Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module 1
Cisco 7600/Catalyst 6500 IPSec VPN Services Module (VPNSM)2
Cisco 7600 Series/Catalyst 6500 Series IPSec VPN Shared Port Adapter (VPN SPA) 1
Cisco Catalyst 6500 Series VPN Services Port Adapter (VSPA) 1
Security Manager can manage some device models even if the model does not appear in the supported device list. This type of generic device support relies on the fact that device features are controlled more by the software running on the device than the device model.
- This type of generic support works best for new models of series that are already explicitly supported, for example, a new model in the ASR 1000 series or in the ISR 88x or 89x series. Generic support does not work with carrier-class routers (the CRS) or for Catalyst switches.
- Because this support is generic, Security Manager cannot determine if a particular feature is not available on the specific model you are managing. You are responsible for determining if a feature that you are allowed to configure in Security Manager is not supported on the device. If you configure an unsupported feature, you will see errors when you deploy the configuration to the device.
- If the device contains an explicitly supported module, such as an AIM-IPS module, the module is also supported. However, the module’s model must be explicitly supported: there is no generic module support.
- If a particular ASR is not listed as being explicitly supported in Table 3, but a previous version is, that particular ASR is supported generically in Security Manager with “Generic Router Backward Compatibility Support.”
The following list describes the minimum supported software versions plus the specific release numbers that have additional support in Security Manager for devices that run operating systems other than Cisco IOS Software. You must use a software version that meets at least the minimum. If you use a version that is not listed, Security Manager will treat it as one of these versions (the most closely-matching version, which is typically the release number nearest to it but lower). Any features that are unique to the version you are using are not supported in Security Manager.
- Cisco ASA-5500 Series Adaptive Security Appliances (ASA)—ASA Software Release 7.0(1-2, 4-8), 7.1(1-2), 7.2(1-5), 8.0(2-3, 5), 8.1(1-2), 8.2(1-3), 8.3(1-2), 8.4(1-4), 8.4(5), 8.5(1), 8.6(1), 9.0(1), 9.1(1).
  - If you upgrade a device that you are already managing in Security Manager to 8.3(1) or higher, you must rediscover the device from the inventory. This is required due to significant policy changes between the 8.3 release and lower releases. This requirement applies to all device models, including upgrades of a 5585-X from 8.2(3) to 8.4(4).
  - You cannot use Security Manager to manage an ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
  - Release 8.5(1) applies to the Catalyst 6500 Series ASA Services Module (ASA-SM) only. The ASA-SM does not support any type of VPN configuration for this version. However, starting from the 9.0(1) version, ASA-SM supports VPN configurations.
- Cisco Catalyst 6500 Series Firewall Services Module (FWSM)—FWSM Software Release 2.2(1), 2.3(1-4), 3.1(1, 3-9), 3.2(1-4), 4.0(1), and 4.1(1).
- Cisco PIX 500 Series Firewalls—PIX Firewall Software Release 6.3(1-5), 7.0(1-2, 4-8), 7.1(1-2), 7.2(1-5), and 8.0(2-4).
- IPS sensors and modules—IPS Software 5.1, 6.0, 6.1, 6.2, 7.0, 7.1 [7.1(1), 7.1(2), 7.1(3), and 7.1(4)] with these restrictions:
The following list describes the minimum supported Cisco IOS Software versions plus the specific release numbers that have additional support in Security Manager for standard routers. You must use a software version that meets at least the minimum. If you use a version that is not listed, Security Manager will treat it as one of these versions (the most closely-matching version, which is typically the release number nearest to it but lower). Any features that are unique to the version you are using are not supported in Security Manager. Note that the device model might limit the versions you are allowed to install; this is not controlled by Security Manager.
- 15.1T—Versions include 15.1(1)T.
- 15.0—Versions include 15.0(1)M.
- 12.4T—Versions include 12.4(2)T, 12.4(4)T, 12.4(6)T, 12.4(9)T, 12.4(11)T, 12.4(11)T1, 12.4(11)T2, 12.4(15)T, 12.4(20)T, 12.4(22)T, 12.4(24)T.
- 12.4—Versions include 12.4(1), 12.4(1a), 12.4(3).
- 12.3(2)T—Versions include 12.3(2)T1-9, 12.3(4)T, 12.3(4)T1-11, 12.3(7)T, 12.3(7)T1-7, 12.3(8)T, 12.3(8)T1-7, 12.3(11)T, 12.3(11)T1-3, 12.3(13)T, 12.3(14)T, 12.3(14)T2.
- 12.3—Versions include:
The Cisco ASR 1000 Series Aggregation Services Routers use Cisco IOS XE Software, which uses a different numbering scheme from standard Cisco IOS Software. However, these release numbers are mapped to standard IOS release numbers in Security Manager. The following are the supported Cisco IOS XE Software releases and the Cisco IOS software equivalent releases used in Security Manager:
- 2.1.x—Called 12.2(33)XNA.
- 2.2.x—Called 12.2(33)XNB.
- 2.3.x—Called 12.2(33)XNC. Security Manager treats this release as equivalent to 2.2 (12.2(33)XNB) except for the addition of GET VPN support.
- 2.4.x—Called 12.2(33)XND. No features that are new in this release are supported. This is the lowest release supported on the ASR 1002 Fixed Router.
- 2.5.x—Called 12.2(33)XNE. Security Manager treats this release as equivalent to 2.4 (12.2(22)XND) except for the addition of DMVPN phase 3 support (for direct spoke-to-spoke communications).
- 2.6.x—Called 12.2(33)XNF. No features that are new in this release are supported.
- 3.1.x—Called 15.0(1)S. No features that are new in this release are supported.
- 3.5 – 3.7 (requires Service Pack 1)
- Security Manager does not support Cisco IOS Software Release 15.x for Catalyst switches.
- For routers running Release 12.1 and 12.2, there is limited support for Layer 3 access rules, interfaces, and FlexConfigs, but not for any other features.
- The software release you can use on a device is always limited to those releases that the hardware supports. For example, the 1900, 2900, and 3900 series ISRs require 15.0(1)M as a minimum release.
- The Cisco ASR 1000 Series Aggregation Services Routers require Cisco IOS XE Software. For more detailed information, see Basic Cisco IOS XE Software Support.
- For the Catalyst 6500/7600, you can use Cisco IOS Software Release 12.1, 12.2 and these versions at the specified point release and later: 12.1(13)E, 12.1(17B)SXA, 12.1(19)E, 12.1(20)E, 12.1(22)E, 12.1(23)E, 12.1(26)E, 12.2(14)SX, 12.2(14)SY, 12.2(17a)SX, 12.2(17d)SXB, 12.2(18)SXD, 12.2(18)SXE, 12.2(18)SXE1, 12.2(18)SXE2, 12.2(18)SXE4, 12.2(18)SXF2, 12.2(18)SXF4, 12.2(33)SRA, 12.2(33)SRB, 12.2(33)SXH, and 12.2(33)SXI.
- For the Catalyst 3500/4500, you can use Cisco IOS Software Release 12.1 and 12.2 and the following versions at the specified point release and later. Note that specific devices support a subset of the listed versions:
- To configure and manage VPNs on Catalyst 6500/7600 devices, the earliest software release is Cisco IOS Software Release 12.2(17b)SXA.
- To configure and manage IDSM settings on Catalyst 6500/7600 devices, the earliest software release is Cisco IOS Software Release 12.2(18)SXF4.
- For routers running an IPS-enabled version of Cisco IOS Software, the earliest supported Cisco IOS Software release is 12.4(11)T2. In addition, to perform signature updates on routers running Cisco IOS Software release 15.0, you need a separate ios-ips-update license, which you must manually apply to the device.
- The IPS subsystem has a separate numbering scheme, which you can view in the device properties in Security Manager. The 3.x subsystems are equivalent to IPS 5.x. The subsystems are:
Security Manager directly supports many individual point releases for the various operating systems you can use with the supported devices. When Security Manager supports a specific point release, it means that you can configure some features new to that release using the product.
Some point releases are supported in “downward compatibility mode.” In this mode, you can use the product to configure devices running that point release, but you cannot configure features that are new in the release unless you use FlexConfigs. Thus, the point release is treated as being the same as the nearest point release to it, and Security Manager maps the release number to that supported release.
The following table lists the releases that are specifically supported in Security Manager, and the point releases that are supported as downward equivalents to the release. The table might not include information about every downward compatible release. In general, if a version is not listed here or in Supported Software for Security Manager, Security Manager will treat it as one of the supported versions (the most closely-matching version, which is typically the release number nearest to it but lower).
You can use the Auto Update Server application with any Cisco ASA-5500 Series Adaptive Security Appliance, Catalyst 6500 Series ASA Services Module, or Cisco PIX 500 Series Firewall and the ASA or PIX software versions supported by Security Manager.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the “Product Documentation” section.