Planning Your Upgrade

Before upgrading the Secure Firewall ASA, you should perform the following preparation:

  • Check the upgrade path for the current version to the target version; ensure you plan for any intermediate versions required for each operating system.

  • Check for guidelines and limitations that affect your intermediate and target versions, or that affect failover and clustering zero downtime upgrading.

  • Download all software packages required from Cisco.com.

  • Back up your configurations, especially if there is a configuration migration.

The following topics explain how to upgrade your ASA.

Important Guidelines Before You Upgrade

Check for upgrade guidelines and limitations, and configuration migrations for each operating system.

ASA Upgrade Guidelines

Before you upgrade, check for migrations and any other guidelines.

Version-Specific Guidelines and Migrations

Depending on your current version, you might experience one or more configuration migrations, and have to consider configuration guidelines for all versions between the starting version and the ending version when you upgrade.

9.23 Guidelines
  • The ASA SSH stack was deprecated in 9.23—You can no longer use the ASA SSH stack. The Cisco SSH stack is now the only stack. Because the Cisco SSH stack does not support EDDSA, before you upgrade you must change your configuration for a supported key pair:

    1. Generate the default key pair.

      crypto key generate {ecdsa elliptic-curve size | rsa modulus size}

      Do not add the label keyword; SSH only uses the default key pair (named Default-type-Key).

    2. If you configured the ssh key-exchange hostkey eddsa command, you need to remove it with the no form. If you use this command, you may get unexpected results.

9.22 Guidelines
  • Smart licensing default transport changed in 9.22—In 9.22, the smart licensing default transport changed from Smart Call Home to Smart Transport. You can configure the ASA to use Smart Call Home if necessary using the transport type callhome command. When you upgrade to 9.22, the transport is automatically changed Smart Transport. If you downgrade, the transport is set back to Smart Call Home, and if you want to use Smart Transport, you need to specify transport type smart . Note also that the licensing URL for Smart Transport is https://smartreceiver.cisco.com (compared to tools.cisco.com), so be sure to allow that URL on upstream routers.

9.20 Guidelines
  • OSPFv3 redistribute commands that specify a route-map that matches a prefix-list will be removed in 9.20(2)—When you upgrade to 9.20(2), OSPFv3 redistribute commands where the specified route-map uses a match ip address prefix-list will be removed from the configuration. Although prefix lists have never been supported, the parser still accepted the command. Before upgrading, you should reconfigure OSPFv3 to use route maps that specify an ACL in the match ip address command.


    Remember


    Redistribution of route maps with IPv4 prefix list on OSPFv2 is supported.


9.19 Guidelines
  • ASDM 7.19(1) requires Oracle Java version 8u261 or later—Before you upgrade to ASDM 7.19, be sure to update Oracle Java (if used) to version 8u261 or later. This version supports TLSv1.3, which is required to upgrade the ASDM Launcher. OpenJRE is not affected.

9.18 Guidelines
  • ASDM signed-image support in 9.18(2)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, even those without this fix. (CSCwb05291, CSCwb05264)

  • 9.18(1) upgrade issue if you enabled HTTPS/ASDM (with HTTPS authentication) and SSL on the same interface with the same port—If you enable both SSL (webvpn > enable interface) and HTTPS/ASDM (http ) access on the same interface, you can access AnyConnect from https://ip_address and ASDM from https://ip_address/admin, both on port 443. However, if you also enable HTTPS authentication (aaa authentication http console), then you must specify a different port for ASDM access starting in 9.18(1). Make sure you change the port before you upgrade using the http command. (CSCvz92016)

  • ASDM Upgrade Wizard—Due to ASD API migration, you must use ASDM 7.18 or later to upgrade to ASA 9.18 or later. Because ASDM is backwards compatible with earlier ASA versions, you can upgrade ASDM to 7.18 or later for any ASA version.

9.17 Guidelines
  • ASDM signed-image support in 9.17(1.13)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, even those without this fix. (CSCwb05291, CSCwb05264)

  • No support for Clientless SSL VPN in 9.17(1) and later—Clientless SSL VPN is no longer supported.

    • webvpn—The following subcommands are removed:

      • apcf

      • java-trustpoint

      • onscreen-keyboard

      • port-forward

      • portal-access-rule

      • rewrite

      • smart-tunnel

    • group-policy webvpn—The following subcommands are removed:

      • port-forward

      • smart-tunnel

      • ssl-clientless

  • ASDM Upgrade Wizard—Due to an internal change, starting in March 2022 the upgrade wizard will no longer work with pre-ASDM 7.17(1.152) versions. You must manually upgrade to 7.17(1.152) to use the wizard.

9.16 Guidelines
  • ASDM signed-image support in 9.16(3.19)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, even those without this fix. (CSCwb05291, CSCwb05264)

  • SNMPv3 users using MD5 hashing and DES encryption are no longer supported, and the users will be removed when you upgrade to 9.16(1)—Be sure to change any user configuration to higher security algorithms using the snmp-server user command before you upgrade.

  • SSH host key action required in 9.16(1)—In addition to RSA, we added support for the EDDSA and ECDSA host keys for SSH. The ASA tries to use keys in the following order if they exist: EDDSA, ECDSA, and then RSA. When you upgrade to 9.16(1), the ASA will fall back to using the existing RSA key. However, we recommend that you generate higher-security keys as soon as possible using the crypto key generate {eddsa | ecdsa} command. Moreover, if you explicitly configure the ASA to use the RSA key with the ssh key-exchange hostkey rsa command, you must generate a key that is 2048 bits or higher. For upgrade compatibility, the ASA will use smaller RSA host keys only when the default host key setting is used. RSA support will be removed in a later release.

  • In 9.16 and later, certificates with RSA keys are not compatible with ECDSA ciphers—When you use the ECDHE_ECDSA cipher group, configure the trustpoint with a certificate that contains an ECDSA-capable key.

  • ssh version command removed in 9.16(1)—This command has been removed. Only SSH version 2 is supported.

  • When you upgrade to 9.16 or later, you might see a different certificate serial number—In 9.16, the ASA started using OpenSSL, which causes negative values in certificates to be computed differently, so you may see a different serial number after upgrading. This change does not affect operation. (CSCvv30338)

  • SAMLv1 feature removed in 9.16(1)—Support for SAMLv1 was removed.

  • No support for DH groups 2, 5, and 24 in 9.16(1)—Support has been removed for the DH groups 2, 5, and 24 in SSL DH group configuration. The ssl dh-group command has been updated to remove the command options group2, group5, and group24.

9.12 Guidelines
  • ASDM signed-image support in 9.12(4.50)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, even those without this fix. (CSCwb05291, CSCwb05264)

  • ASDM Upgrade Wizard—Due to an internal change, the wizard is only supported using ASDM 7.10(1) and later; also, due to an image naming change, you must use ASDM 7.12(1) or later to upgrade to ASA 9.10(1) and later. Because ASDM is backwards compatible with earlier ASA releases, you can upgrade ASDM no matter which ASA version you are running.

  • SSH security improvements and new defaults in 9.12(1)—See the following SSH security improvements:

    • SSH version 1 is no longer supported; only version 2 is supported. The ssh version 1 command will be migrated to ssh version 2 .

    • Diffie-Hellman Group 14 SHA256 key exchange support. This setting is now the default (ssh key-exchange group dh-group14-sha256 ). The former default was Group 1 SHA1. Make sure that your SSH client supports Diffie-Hellman Group 14 SHA256. If it does not, you may see an error such as "Couldn't agree on a key exchange algorithm." For example, OpenSSH supports Diffie-Hellman Group 14 SHA256.

    • HMAC-SHA256 integrity cipher support. The default is now the high security set of ciphers (hmac-sha1 and hmac-sha2-256 as defined by the ssh cipher integrity high command). The former default was the medium set.

  • The NULL-SHA TLSv1 cipher is deprecated and removed in 9.12(1)—Because NULL-SHA doesn't offer encryption and is no longer considered secure against modern threats, it will be removed when listing supported ciphers for TLSv1 in the output of tls-proxy mode commands/options and show ssl ciphers all . The ssl cipher tlsv1 all and ssl cipher tlsv1 custom NULL-SHA commands will also be deprecated and removed.

  • The default trustpool is removed in 9.12(1)—In order to comply with PSB requirement, SEC-AUT-DEFROOT, the "default" trusted CA bundle is removed from the ASA image. As a result, crypto ca trustpool import default and crypto ca trustpool import clean default commands are also removed along with other related logic. However, in existing deployments, certificates that were previously imported using these command will remain in place.

  • The ssl encryption command is removed in 9.12(1)—In 9.3(2) the deprecation was announced and replaced by ssl cipher . In 9.12(1), ssl encryption is removed and no longer supported.

Clustering Guidelines

There are no special requirements for Zero Downtime Upgrades for ASA clustering with the following exceptions.


Note


Zero Downtime Downgrades are not officially supported with clustering.


  • Firepower 4100/9300 Failover and Clustering hitless upgrade requirements for flow offload—Due to bug fixes in the flow offload feature, some combinations of FXOS and ASA do not support flow offload (see the compatibility table). Flow offload is disabled by default for ASA. To perform a Failover or Clustering hitless upgrade when using flow offload, you need to follow the below upgrade paths to ensure that you are always running a compatible combination when upgrading to FXOS 2.3.1.130 or later:

    1. Upgrade ASA to 9.8(3) or later

    2. Upgrade FXOS to 2.3.1.130 or later

    3. Upgrade ASA to your final version

    For example, you are on FXOS 2.2.2.26/ASA 9.8(1), and you want to upgrade to FXOS 2.6.1/ASA 9.12(1), then you can:

    1. Upgrade ASA to 9.8(4)

    2. Upgrade FXOS to 2.6.1

    3. Upgrade ASA to 9.12(1)

  • Firepower 4100/9300 Cluster Upgrade to FXOS 2.3/ASA 9.9(2)—Data units on ASA 9.8 and earlier cannot rejoin a cluster where the control unit is on FXOS 2.3/9.9(2) or later; they will join after you upgrade the ASA version to 9.9(2)+ [CSCvi54844].

  • Distributed Site-to-Site VPN—Distributed Site-to-Site VPN sessions on a failed unit require up to 30 minutes to stabilize on other units. During this time, additional unit failures might result in lost sessions. Therefore, during a cluster upgrade, to avoid traffic loss, follow these steps. Refer to the FXOS/ASA cluster upgrade procedure so you can integrate these steps into your upgrade task.


    Note


    Zero Downtime Upgrade is not supported with Distributed Site-to-Site VPN when upgrading from 9.9(1) to 9.9(2) or later. In 9.9(2), due to Active Session Redistribution enhancements, you cannot run some units on 9.9(2) and other units on 9.9(1).


    1. On the chassis without the control unit, disable clustering on one module using the ASA console.

      cluster group name

      no enable

      If you are upgrading FXOS on the chassis as well as ASA, save the configuration so clustering will be disabled after the chassis reboots:

      write memory

    2. Wait for the cluster to stabilize; verify all backup sessions have been created.

      show cluster vpn-sessiondb summary

    3. Repeat steps 1 and 2 for each module on this chassis.

    4. Upgrade FXOS on the chassis using the FXOS CLI or Firepower Chassis Manager.

    5. After the chassis comes online, update the ASA image on each module using the FXOS CLI or Firepower Chassis Manager.

    6. After the modules come online, re-enable clustering on each module at the ASA console.

      cluster group name

      enable

      write memory

    7. Repeat steps 1 through 6 on the second chassis, being sure to disable clustering on the data units first, and then finally the control unit.

      A new control unit will be chosen from the upgraded chassis.

    8. After the cluster has stabilized, redistribute active sessions among all modules in the cluster using the ASA console on the control unit.

      cluster redistribute vpn-sessiondb

  • Upgrade issue for 9.9(1) and later with clustering—9.9(1) and later includes an improvement in the backup distribution. You should perform your upgrade to 9.9(1) or later as follows to take advantage of the new backup distribution method; otherwise upgraded units will continue to use the old method.

    1. Remove all secondary units from the cluster (so the cluster consists only of the primary unit).

    2. Upgrade 1 secondary unit, and rejoin the cluster.

    3. Disable clustering on the primary unit; upgrade it, and rejoin the cluster.

    4. Upgrade the remaining secondary units, and join them back to the cluster, one at a time.

  • Firepower 4100/9300 Cluster Upgrade to ASA 9.8(1) and earlier—When you disable clustering on a data unit (no enable ), which is part of the upgrade process, traffic directed to that unit can drop for up to three seconds before traffic is redirected to a new owner [CSCvc85008].

  • Zero Downtime Upgrade may not be supported when upgrading to the following releases with the fix for CSCvb24585. This fix moved 3DES from the default (medium) SSL ciphers to the low cipher set. If you set a custom cipher that only includes 3DES, then you may have a mismatch if the other side of the connection uses the default (medium) ciphers that no longer include 3DES.

    • 9.1(7.12)

    • 9.2(4.18)

    • 9.4(3.12)

    • 9.4(4)

    • 9.5(3.2)

    • 9.6(2.4)

    • 9.6(3)

    • 9.7(1)

    • 9.8(1)

  • Upgrade issues for fully-qualified domain name (FQDN) ACLs—Due to CSCuv92371, ACLs containing FQDNs might result in incomplete ACL replication to secondary units in a cluster or failover pair. This bug is present in 9.1(7), 9.5(2), 9.6(1), and some interim releases. We suggest that you upgrade to a version that includes the fix for CSCuy34265: 9.1(7.6) or later, 9.5(3) or later, 9.6(2) or later. However, due to the nature of configuration replication, zero downtime upgrade is not available. See CSCuy34265 for more information about different methods of upgrading.

  • Firepower Threat Defense Version 6.1.0 clusters do not support inter-site clustering (you can configure inter-site features using FlexConfig starting in 6.2.0). If you deployed or re-deployed a 6.1.0 cluster in FXOS 2.1.1, and you entered a value for the (unsupported) site ID, then you must remove the site ID (set it to 0) on each unit in FXOS before you upgrade to 6.2.3. Otherwise, the units will not be able to rejoin the cluster after the upgrade. If you already upgraded, change the site ID to 0 on each unit to resolve the issue. See the FXOS configuration guide to view or change the site ID

  • Upgrade to 9.5(2) or later (CSCuv82933)—Before you upgrade the control unit, if you enter show cluster info , the upgraded data units show as “DEPUTY_BULK_SYNC”; other mismatched states are also shown. You can ignore this display; the status will show correctly when you upgrade all units.

  • Upgrade from 9.0(1) or 9.1(1) (CSCue72961)—Zero Downtime Upgrade is not supported.

Failover Guidelines

There are no special requirements for Zero Downtime Upgrades for failover with the following exceptions:

  • For the Firepower 1010, invalid VLAN IDs can cause problems—Before you upgrade to 9.15(1), make sure you are not using a VLAN for switch ports in the range 3968 to 4047. These IDs are for internal use only, and 9.15(1) includes a check to make sure you are not using these IDs. For example, if these IDs are in use after upgrading a failover pair, the failover pair will go into a suspended state. See CSCvw33057 for more information.

  • Firepower 4100/9300 Failover and Clustering hitless upgrade requirements for flow offload—Due to bug fixes in the flow offload feature, some combinations of FXOS and ASA do not support flow offload (see the compatibility table). Flow offload is disabled by default for ASA. To perform a Failover or Clustering hitless upgrade when using flow offload, you need to follow the below upgrade paths to ensure that you are always running a compatible combination when upgrading to FXOS 2.3.1.130 or later:

    1. Upgrade ASA to 9.8(3) or later

    2. Upgrade FXOS to 2.3.1.130 or later

    3. Upgrade ASA to your final version

    For example, you are on FXOS 2.2.2.26/ASA 9.8(1), and you want to upgrade to FXOS 2.6.1/ASA 9.12(1), then you can:

    1. Upgrade ASA to 9.8(4)

    2. Upgrade FXOS to 2.6.1

    3. Upgrade ASA to 9.12(1)

  • Upgrade issues with 8.4(6), 9.0(2) , and 9.1(2)—Due to CSCug88962, you cannot perform a Zero Downtime Upgrade to 8.4(6), 9.0(2), or 9.1(3). You should instead upgrade to 8.4(5) or 9.0(3). To upgrade 9.1(1), you cannot upgrade directly to the 9.1(3) release due to CSCuh25271, so there is no workaround for a Zero Downtime Upgrade; you must upgrade to 9.1(2) before you upgrade to 9.1(3) or later.

  • Upgrade issues for fully-qualified domain name (FQDN) ACLs—Due to CSCuv92371, ACLs containing FQDNs might result in incomplete ACL replication to secondary units in a cluster or failover pair. This bug is present in 9.1(7), 9.5(2), 9.6(1), and some interim releases. We suggest that you upgrade to a version that includes the fix for CSCuy34265: 9.1(7.6) or later, 9.5(3) or later, 9.6(2) or later. However, due to the nature of configuration replication, zero downtime upgrade is not available. See CSCuy34265 for more information about different methods of upgrading.

  • Upgrade issue with 9.7(1) to 9.7(1.x) and later for VTI and VXLAN VNI—If you configure both Virtual Tunnel Interfaces (VTIs) and VXLAN Virtual Network Identifier (VNI) interfaces, then you cannot perform a zero downtime upgrade for failover; connections on these interface types will not replicate to the standby unit until both units are on the same version. (CSCvc83062)

  • Before upgrading to 9.8(2) or later, FIPS mode requires the failover key to be at least 14 characters—Before you upgrade to to 9.8(2) or later in FIPS mode, you must change the failover key or failover ipsec pre-shared-key to be at least 14 characters long. If your failover key is too short, when you upgrade the first unit, the failover key will be rejected, and both units will become active until you set the failover key to a valid value.

  • Upgrade issue with GTP inspection—There could be some downtime during the upgrade, because the GTP data structures are not replicated to the new node.

Additional Guidelines

  • Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability—Multiple vulnerabilities have been fixed for clientless SSL VPN in ASA software, so you should upgrade your software to a fixed version. See http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa for details about the vulnerability and a list of fixed ASA versions. Also, if you ever ran an earlier ASA version that had a vulnerable configuration, then regardless of the version you are currently running, you should verify that the portal customization was not compromised. If an attacker compromised a customization object in the past, then the compromised object stays persistent after you upgrade the ASA to a fixed version. Upgrading the ASA prevents this vulnerability from being exploited further, but it will not modify any customization objects that were already compromised and are still present on the system.

FXOS Upgrade Guidelines

Before you upgrade, read the release notes for each FXOS version in your chosen upgrade path. Release notes contain important information about each FXOS release, including new features and changed functionality.

Upgrading may require configuration changes that you must address. For example, new hardware supported in an FXOS release might also require that you update the FXOS firmware.

FXOS release notes are available here: https://www.cisco.com/c/en/us/support/security/firepower-9000-series/products-release-notes-list.html.

ASA Upgrade Checklist

To plan your upgrade, use this checklist.

  1. ASA model (Upgrade Path: ASA Appliances): _____________________

    Current ASA version (Upgrade Path: ASA Appliances): _____________________

  2. Check the ASA/ASDM compatibility per model (ASA and ASDM Compatibility Per Model).

    Target ASA version: _____________________

    Target ASDM version: _____________________

  3. Check the upgrade path for the Firepower 2100 in Platform mode (Upgrade Path: ASA on Firepower 2100 in Platform Mode). Are there intermediate versions required? Yes _____ No _____

    If yes, intermediate ASA version(s): ______________________________________________________

  4. Download the target ASA/ASDM versions (Download ASA Software).


    Note


    ASDM is included in the image package for all Firepower and Secure Firewall platforms.


  5. Is your ASA model a Firepower 4100 or 9300? Yes _____ No _____

    If yes:

    1. Current FXOS version: _____________________

    2. Check ASA/Firepower 4100 and 9300 compatibility (Firepower 4100/9300 Compatibility with ASA and Firewall Threat Defense).

      Target FXOS version: _____________________

    3. Are there intermediate versions required? Yes _____ No _____

      If yes, intermediate FXOS versions: ______________________________________________________

      Make sure you plan to upgrade the ASA in step with the FXOS upgrades to stay compatible.

      Intermediate ASA versions required to stay compatible during the upgrade: ______________________________________________________

    4. Download the target and intermediate FXOS version (Download FXOS for the Firepower 4100/9300).

      Download the intermediate ASA versions (Download ASA Software).

    5. Do you use the Radware DefensePro decorator application? Yes _____ No _____

      If yes:

      1. Current DefensePro version: _____________________

      2. Check ASA/FXOS/DefensePro compatibility (Radware DefensePro Compatibility).

        Target DefensePro version: _____________________

      3. Download the target DefensePro version.

  6. Check upgrade guidelines for each operating system.

  7. Back up your configurations. See the configuration guide for each operating system for backup methods.

Compatibility

This section includes tables showing the compatibility between platforms, operating systems, and applications.

ASA and ASDM Compatibility Per Model

The following tables list ASA and ASDM compatibility for current models. For older versions and models, see Cisco ASA Compatibility.

ASA 9.23 and 9.22

Releases in bold are the recommended versions.


Note


  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.22(1) can manage an ASA 5516-X on ASA 9.10(1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.20 with ASA 9.22. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.22(1.2) with ASDM 7.22(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.


Table 1. ASA and ASDM Compatibility: 9.23 and 9.22

ASA

ASDM

ASA Model

ASA Virtual

Firepower 1010

1010E

1120

1140

1150

Secure Firewall 1210CE

1210CP

1220CX

Secure Firewall 1230

1240

1250

Secure Firewall 3105

3110

3120

3130

3140

Firepower 4112

4115

4125

4145

Secure Firewall 4215

4225

4245

Firepower 9300

ISA 3000

9.23(1)

7.23(1)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.22(1.1)

7.22(1)

YES

YES

YES

YES

YES

YES

YES

YES

ASA 9.20 and 9.19


Note


  • ASA 9.20(x) was the final version for the Firepower 2100 series.

  • ASA 9.18(x) was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.19(1) can manage an ASA 5516-X on ASA 9.10(1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.18 with ASA 9.19. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.20(1.5) with ASDM 7.20(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.


Table 2. ASA and ASDM Compatibility: 9.20 and 9.19

ASA

ASDM

ASA Model

ASA Virtual

Firepower 1010

1120

1140

1150

Firepower 2110

2120

2130

2140

Secure Firewall 3105

3110

3120

3130

3140

Firepower 4112

4115

4125

4145

Secure Firewall 4215

4225

4245

Firepower 9300

ISA 3000

9.20(3)

7.20(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.20(2)

7.20(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.20(1)

7.20(1)

YES

9.19(1)

7.19(1)

YES

YES

YES

YES

YES

YES

YES

ASA 9.18 to 9.17


Note


  • ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.17(1) can manage an ASA 5516-X on ASA 9.10(1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.17 with ASA 9.18. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.17(1.2) with ASDM 7.17(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

  • ASA 9.17(1.13) and 9.18(2) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)


Table 3. ASA and ASDM Compatibility: 9.18 to 9.17

ASA

ASDM

ASA Model

ASA Virtual

Firepower 1010

1120

1140

1150

Firepower 2110

2120

2130

2140

Secure Firewall 3110

3120

3130

3140

Firepower 4110

4112

4115

4120

4125

4140

4145

4150

Firepower 9300

ISA 3000

9.18(4)

7.19(1)95

YES

YES

YES

YES

YES

YES

YES

9.18(3)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.18(2)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.18(1)

7.18(1)

YES

YES

YES

YES

YES

YES

YES

9.17(1.13)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.17(1)

7.17(1.155)

YES

YES

YES

YES

YES

YES

YES

ASA 9.16


Note


  • ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.

  • ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.15(1) can manage an ASA 5516-X on ASA 9.10(1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.15 with ASA 9.16. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.16(1.15) with ASDM 7.16(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

  • ASA 9.16(3.19) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)


Table 4. ASA and ASDM Compatibility: 9.16

ASA

ASDM

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASAv

Firepower 1010

1120

1140

1150

Firepower 2110

2120

2130

2140

Firepower 4110

4112

4115

4120

4125

4140

4145

4150

Firepower 9300

ISA 3000

9.16(4)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.16(3.19)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.16(3)

7.16(1.150)

YES

YES

YES

YES

YES

YES

YES

9.16(2)

7.16(1.150)

YES

YES

YES

YES

YES

YES

YES

9.16(1)

7.16(1)

YES

YES

YES

YES

YES

YES

YES

ASA 9.14 to 9.13

Releases in bold are the recommended versions.


Note


  • ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.

  • ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.13(1) can manage an ASA 5516-X on ASA 9.10(1). ASDM 7.13(1) and ASDM 7.14(1) did not support ASA 5512-X, 5515-X, 5585-X, and ASASM; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.13 with ASA 9.14. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.14(1.2) with ASDM 7.14(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

  • ASA 9.14(4.14) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)


Table 5. ASA and ASDM Compatibility: 9.14 to 9.13

ASA

ASDM

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASA 5525-X

5545-X

5555-X

ASAv

Firepower 1010

1120

1140

1150

Firepower 2110

2120

2130

2140

Firepower 4110

4112

4115

4120

4125

4140

4145

4150

Firepower 9300

ISA 3000

9.14(4.14)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(4)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(3)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(2)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(1.30)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(1.6)

7.14(1.48)

YES (+ASAv100)

9.14(1)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.13(1)

7.13(1)

YES

YES

YES

YES

YES

YES (except 4112)

YES

YES

ASA 9.12


Note


  • ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.12(1) can manage an ASA 5515-X on ASA 9.10(1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.10 with ASA 9.12. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.12(1.15) with ASDM 7.12(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

  • ASA 9.8(4.45) and 9.12(4.50) and later require ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)


Table 6. ASA and ASDM Compatibility: 9.12

ASA

ASDM

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASA 5512-X

5515-X

5525-X

5545-X

5555-X

ASA 5585-X

ASAv

ASASM

Firepower 2110

2120

2130

2140

Firepower 4110

4120

4140

4150

Firepower 4115

4125

4145

Firepower 9300

ISA 3000

9.12(4.50)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(4)

7.12(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(3)

7.12(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(2)

7.12(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(1)

7.12(1)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

Firepower 4100/9300 Compatibility with ASA and Firewall Threat Defense

For the Firepower 4100/9300, you must maintain compatibility between FXOS and all ASA and Firewall Threat Defense logical devices. Upgrade FXOS before you upgrade the sofware. The bold versions the the following table are specially-qualified (enhanced testing) companion releases. Use these combinations whenever possible.

Note that for other device models, the FXOS compatibility work is done for you. In most cases, upgrading the software automatically upgrades FXOS. For the Secure Firewall 3100/4200 in multi-instance mode, the Firewall Management Center guides you through upgrading FXOS and then Firewall Threat Defense.

To upgrade:

  • FXOS: From FXOS 2.2.2 and later, you can upgrade directly to any higher version. (FXOS 2.0.1–2.2.1 can upgrade as far as 2.8.1. For versions earlier than 2.0.1, you need to upgrade to each intermediate version.) Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:

    1. FXOS 2.2 → FXOS 2.11 (the highest version that supports 9.8)

    2. ASA 9.8 → ASA 9.17 (the highest version supported by 2.11)

    3. FXOS 2.11 → FXOS 2.13

    4. ASA 9.17 → ASA 9.19

  • Firewall Threat Defense: Interim upgrades may be required for Firewall Threat Defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the Firewall Management Center upgrade guide for your version.

  • ASA: ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.


Note


FXOS 2.8(1.125)+ and later versions do not support ASA 9.14(1) or 9.14(1.10) for ASA SNMP polls and traps; you must use 9.14(1.15)+. Other releases, such as 9.13 or 9.12, are not affected.


Table 7. Firepower 4100/9300 Compatibility with ASA and Firewall Threat Defense

FXOS Version

Model

ASA Version

Firewall Threat Defense Version

2.17

Firepower 4112

9.23 (recommended)

9.22

9.20

9.19

9.18

7.7 (recommended)

7.6

7.4

7.3

7.2

Firepower 4145

Firepower 4125

Firepower 4115

9.23 (recommended)

9.22

9.20

9.19

9.18

7.7 (recommended)

7.6

7.4

7.3

7.2

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.16

Firepower 4112

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 4145

Firepower 4125

Firepower 4115

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.14(1)

Firepower 4112

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.13

Firepower 4112

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.12

Firepower 4112

9.18 (recommended)

9.17

9.16

9.14

7.2 (recommended)

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.11

Firepower 4112

9.17 (recommended)

9.16

9.14

7.1 (recommended)

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.17 (recommended)

9.16

9.14

9.12

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.17 (recommended)

9.16

9.14

9.12

9.8

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.10

Note

 

For compatibility with 7.0.2+ and 9.16(3.11)+, you need FXOS 2.10(1.179)+.

Firepower 4112

9.16 (recommended)

9.14

7.0 (recommended)

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.16 (recommended)

9.14

9.12

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.16 (recommended)

9.14

9.12

9.8

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.9

Firepower 4112

9.14

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.14

9.12

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14

9.12

9.8

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.8

Firepower 4112

9.14

6.6

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

Firepower 4145

Firepower 4125

Firepower 4115

9.14 (recommended)

9.12

Note

 

Firepower 9300 SM-56 requires ASA 9.12(2)+

6.6 (recommended)

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14 (recommended)

9.12

9.8

6.6 (recommended)

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.157)

Note

 

You can now run ASA 9.12+ and FTD 6.4+ on separate modules in the same Firepower 9300 chassis

Firepower 4145

Firepower 4125

Firepower 4115

9.12

Note

 

Firepower 9300 SM-56 requires ASA 9.12.2+

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

6.4 (recommended)

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.131)

Firepower 9300 SM-48

Firepower 9300 SM-40

9.12

Not supported

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.73)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

 

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

6.2.3 (recommended)

Note

 

6.2.3.16+ requires FXOS 2.3.1.157+

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.66)

2.3(1.58)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

 

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Firewall Threat Defense versions are EoL

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

Radware DefensePro Compatibility

The following table lists the supported Radware DefensePro version for each security appliance and associated logical device.


Note


Radware DefensePro 8.22.2 is the final version of Radware DefensePro that is supported on the Firepower 4100/9300 platforms. Firepower 4100/9300 platforms do not support any version later than 8.22.2.


Table 8. Radware DefensePro Compatibility
FXOS Version ASA Firewall Threat Defense Radware DefensePro Security Appliance Models

2.17

9.23(1)

7.7

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4112

Firepower 4115

Firepower 4125

Firepower 4145

2.16

9.22(1)

7.6

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4112

Firepower 4115

Firepower 4125

Firepower 4145

2.14(1)

9.20(1)

7.4(1)

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4112

Firepower 4115

Firepower 4125

Firepower 4145

2.13.0

9.19(1)

7.3

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4112

Firepower 4115

Firepower 4125

Firepower 4145

2.12.0

9.18(1)

7.2

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.11.1

9.17(1)

7.1

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.10.1

9.16(1)

7.0

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.10.1

9.16(1)

7.0

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.9.1

9.15(1)

6.7.0

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.8.1

9.14(1)

6.6.0

8.13.01.09-3

8.22.2

Firepower 9300

Firepower 4110

Firepower 4112

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.7(1)

9.13(1)

6.5

8.13.01.09-3

Firepower 9300

Firepower 4110

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.6(1)

9.12(1)

9.10(1)

6.4.0

6.3.0

8.13.01.09-3

Firepower 9300

Firepower 4110

Firepower 4115

Firepower 4120

Firepower 4125

Firepower 4140

Firepower 4145

Firepower 4150

2.4(1)

9.9(2)

9.10(1)

6.2.3

6.3

8.13.01.09-2

Firepower 9300

Firepower 4110

Firepower 4120

Firepower 4140

Firepower 4150

2.3(1)

9.9(1)

9.9(2)

6.2.2

6.2.3

8.13.01.09-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150

2.2(2)

9.8(1)

9.8(2)

9.8(3)

6.2.0

6.2.2

8.10.01.17-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150

2.2(1)

9.7(1)

9.8(1)

6.2.0 8.10.01.17-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150

2.1(1)

9.6(2)

9.6(3)

9.6(4)

9.7(1)

not supported 8.10.01.16-5

Firepower 9300

Firepower 4120

Firepower 4140

Firepower 4150

2.0(1)

9.6(1)

9.6(2)

9.6(3)

9.6(4)

not supported 8.10.01.16-5

Firepower 9300

Firepower 4120

Firepower 4140

Firepower 4150

1.1(4) 9.6(1) not supported 1.1(2.32-3) 9300

Upgrade Path

For each operating system that you are upgrading, check the supported upgrade path. In some cases, you may have to install interim upgrades before you can upgrade to your final version.

Upgrade Path: ASA Appliances

What Version Should I Upgrade To?

On the Cisco Support & Download site, the suggested release is marked with a gold star. For example:

Figure 1. Suggested Release
Suggested Release

View Your Current Version

To view your current version and model, use one of the following methods:

  • ASDM: Choose Home > Device Dashboard > Device Information.

  • CLI: Use the show version command.

Upgrade Guidelines

Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage. See ASA Upgrade Guidelines.

For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.

Upgrade Paths

This table provides upgrade paths for ASA.


Note


ASA 9.20 was the final version for the Firepower 2100.

ASA 9.18 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.

ASA 9.16 was the final version for the ASA 5506-X, 5508-X, and 5516-X.

ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X.

ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

ASA 9.2 was the final version for the ASA 5505.

ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.


Table 9. Upgrade Path

Current Version

Interim Upgrade Version

Target Version

9.22

Any of the following:

→ 9.23

9.20

Any of the following:

→ 9.23

→ 9.22

9.19

Any of the following:

→ 9.23

→ 9.22

→ 9.20

9.18

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

9.17

Any of the following:

→ 9.22

→ 9.20

→ 9.19

→ 9.18

9.16

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

9.15

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

9.14

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

9.13

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

9.12

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

9.10

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.9

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.8

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.7

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.6

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.5

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.4

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.3

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.2

Any of the following:

→ 9.23

→ 9.22

→ 9.20

→ 9.19

→ 9.18

→ 9.17

→ 9.16

→ 9.12

9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4)

Any of the following:

→ 9.12

9.0(2), 9.0(3), or 9.0(4)

Any of the following:

→ 9.12

Upgrade Path: ASA on Firepower 2100 in Platform Mode

To view your current version and model, use one of the following methods:

  • ASDM: Choose Home > Device Dashboard > Device Information.

  • CLI: Use the show version command.

This table provides upgrade paths for the ASA on the Firepower 2100 in Platform mode. Some versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.

Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage. See ASA Upgrade Guidelines.

For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.


Note


ASA 9.20 was the final version for the Firepower 2100.


Table 10. Upgrade Path

Current Version

Interim Upgrade Version

Target Version

9.19

Any of the following:

9.20

9.18

Any of the following:

9.20

9.19

9.17

Any of the following:

9.20

9.19

9.18

9.16

Any of the following:

9.20

9.19

9.18

→ 9.17

9.15

Any of the following:

9.20

9.19

9.18

→ 9.17

9.16

9.14

Any of the following:

9.20

9.19

9.18

→ 9.17

9.16

→ 9.15

9.13

→ 9.18

Any of the following:

9.20

9.19

9.13

Any of the following:

9.18

→ 9.17

9.16

→ 9.15

→ 9.14

9.12

→ 9.18

Any of the following:

9.20

9.19

9.12

Any of the following:

9.18

→ 9.17

9.16

→ 9.15

→ 9.14

9.10

→ 9.17

Any of the following:

9.20

9.19

9.18

9.10

Any of the following:

→ 9.17

9.16

→ 9.15

→ 9.14

→ 9.12

9.9

→ 9.17

Any of the following:

9.20

9.19

9.18

9.9

Any of the following:

→ 9.17

9.16

→ 9.15

→ 9.14

→ 9.12

9.8

→ 9.17

Any of the following:

9.20

9.19

9.18

9.8

Any of the following:

→ 9.17

9.16

→ 9.15

→ 9.14

→ 9.12

Upgrade Path: ASA Logical Devices for the Firepower 4100/9300

To view your current version and model, use one of the following methods:

  • Firepower Chassis Manager: Choose Overview, and look at the Model and Version fields at the top.

  • CLI: For the version, use the show version command, and look at the Package-Vers: field. For the model, enter scope chassis 1 , and then show inventory .

  • FXOS: From FXOS 2.2.2 and later, you can upgrade directly to any higher version. (FXOS 2.0.1–2.2.1 can upgrade as far as 2.8.1. For versions earlier than 2.0.1, you need to upgrade to each intermediate version.) Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:

    1. FXOS 2.2 → FXOS 2.11 (the highest version that supports 9.8)

    2. ASA 9.8 → ASA 9.17 (the highest version supported by 2.11)

    3. FXOS 2.11 → FXOS 2.13

    4. ASA 9.17 → ASA 9.19

  • Firewall Threat Defense: Interim upgrades may be required for Firewall Threat Defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the Firewall Management Center upgrade guide for your version.

  • ASA: ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.

Table 11. Firepower 4100/9300 Compatibility with ASA and Firewall Threat Defense

FXOS Version

Model

ASA Version

Firewall Threat Defense Version

2.17

Firepower 4112

9.23 (recommended)

9.22

9.20

9.19

9.18

7.7 (recommended)

7.6

7.4

7.3

7.2

Firepower 4145

Firepower 4125

Firepower 4115

9.23 (recommended)

9.22

9.20

9.19

9.18

7.7 (recommended)

7.6

7.4

7.3

7.2

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.16

Firepower 4112

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 4145

Firepower 4125

Firepower 4115

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.14(1)

Firepower 4112

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.13

Firepower 4112

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.12

Firepower 4112

9.18 (recommended)

9.17

9.16

9.14

7.2 (recommended)

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.11

Firepower 4112

9.17 (recommended)

9.16

9.14

7.1 (recommended)

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.17 (recommended)

9.16

9.14

9.12

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.17 (recommended)

9.16

9.14

9.12

9.8

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.10

Note

 

For compatibility with 7.0.2+ and 9.16(3.11)+, you need FXOS 2.10(1.179)+.

Firepower 4112

9.16 (recommended)

9.14

7.0 (recommended)

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.16 (recommended)

9.14

9.12

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.16 (recommended)

9.14

9.12

9.8

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.9

Firepower 4112

9.14

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.14

9.12

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14

9.12

9.8

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.8

Firepower 4112

9.14

6.6

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

Firepower 4145

Firepower 4125

Firepower 4115

9.14 (recommended)

9.12

Note

 

Firepower 9300 SM-56 requires ASA 9.12(2)+

6.6 (recommended)

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14 (recommended)

9.12

9.8

6.6 (recommended)

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.157)

Note

 

You can now run ASA 9.12+ and FTD 6.4+ on separate modules in the same Firepower 9300 chassis

Firepower 4145

Firepower 4125

Firepower 4115

9.12

Note

 

Firepower 9300 SM-56 requires ASA 9.12.2+

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

6.4 (recommended)

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.131)

Firepower 9300 SM-48

Firepower 9300 SM-40

9.12

Not supported

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.73)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

 

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

6.2.3 (recommended)

Note

 

6.2.3.16+ requires FXOS 2.3.1.157+

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.66)

2.3(1.58)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

 

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Firewall Threat Defense versions are EoL

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

Note on Downgrades

Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.

Download the Software from Cisco.com

Download all software packages from Cisco.com before you start your upgrade. Depending on the operating system and whether you are using CLI or GUI, you should place the images on a server or on your management computer. See each installation procedure for details on supported file locations.


Note


A Cisco.com login and Cisco service contract are required.


Download ASA Software

If you are using the ASDM Upgrade Wizard, you do not have to pre-download the software. If you are manually upgrading, for example for a failover upgrade, download the images to your local computer.

For a CLI upgrade, you can put the software on many server types, including TFTP, HTTP, and FTP. See the copy command in the ASA command reference.

ASA software can be downloaded from Cisco.com. These tables include naming conventions and information about ASA packages.

Table 12. Current Platforms

ASA Model

Download Location

Packages

ASA virtual

http://www.cisco.com/go/asav-software

ASA Software (Upgrade)

Choose Adaptive Security Appliance (ASA) Software > version.

The ASA virtual upgrade file has a filename like asa962-smp-k8.bin; use this upgrade file for all hypervisors. Note: The .zip (VMware), .vhdx (Hyper-V), and .qcow2 (KVM) files are only for initial deployment.

Note

 

To upgrade the ASA virtual for public cloud services such as Amazon Web Services, you can download the above image from Cisco.com (which requires a Cisco.com login and Cisco service contract) and perform the upgrade as described in this guide. There is no way to obtain an upgrade image from the public cloud service.

ASDM Software (Upgrade)

Choose Adaptive Security Appliance (ASA) Device Manager > version.

The ASDM software file has a filename like asdm-762.bin.

REST API Software

Choose Adaptive Security Appliance REST API Plugin > version.

The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC)

Choose ASA for Application Centric Infrastructure (ACI) Device Packages > version.

For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the “Importing a Device Package” chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.

Firepower 1000

http://www.cisco.com/go/asa-firepower-sw

ASA, ASDM, and FXOS Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA package includes ASA, ASDM, and FXOS software. The ASA package has a filename like cisco-asa-fp1k.9.13.1.SPA.

ASDM Software (Upgrade)

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-7131.bin.

Note

 

When you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-7131.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle.

Secure Firewall 1200

http://www.cisco.com/go/asa-firepower-sw

ASA, ASDM, and FXOS Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA package includes ASA, ASDM, and FXOS software. The ASA package has a filename like cisco-asa-csf1200.9.22.1.3.SPA.

ASDM Software (Upgrade)

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-7221.bin.

Note

 

When you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-7221.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle.

Secure Firewall 3100

https://cisco.com/go/asa-secure-firewall-sw

ASA, ASDM, and FXOS Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA package includes ASA, ASDM, and FXOS software. The ASA package has a filename like cisco-asa-fp3k.9.17.1.SPA.

ASDM Software (Upgrade)

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-7171.bin.

Note

 

When you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-7171.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle.

Firepower 4100

http://www.cisco.com/go/firepower4100-software

ASA and ASDM Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA package includes both ASA and ASDM. The ASA package has a filename like cisco-asa.9.6.2.SPA.csp.

ASDM Software (Upgrade)

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-762.bin.

Note

 

When you upgrade the ASA bundle in FXOS, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle.

REST API Software

Choose your model > Adaptive Security Appliance REST API Plugin > version.

The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

Secure Firewall 4200

https://cisco.com/go/asa-secure-firewall-sw

ASA, ASDM, and FXOS Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA package includes ASA, ASDM, and FXOS software. The ASA package has a filename like cisco-asa-fp4200.9.20.1.SPA.

ASDM Software (Upgrade)

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-7201.bin.

Note

 

When you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-7201.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle.

Firepower 9300

http://www.cisco.com/go/firepower9300-software

ASA and ASDM Software

Choose Adaptive Security Appliance (ASA) Software > version.

The ASA package includes both ASA and ASDM. The ASA package has a filename like cisco-asa.9.6.2.SPA.csp.

ASDM Software (Upgrade)

Choose Adaptive Security Appliance (ASA) Device Manager > version.

Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-762.bin.

Note

 

When you upgrade the ASA bundle in FXOS, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle.

REST API Software

Choose Adaptive Security Appliance REST API Plugin > version.

The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

ISA 3000

http://www.cisco.com/go/isa3000-software

ASA Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA software file has a filename like asa962-lfbff-k8.SPA.

ASDM Software

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

The ASDM software file has a filename like asdm-762.bin.

REST API Software

Choose your model > Adaptive Security Appliance REST API Plugin > version.

The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

Table 13. Legacy Platforms

ASA Model

Download Location

Packages

ASA 5506-X, ASA 5508-X, and ASA 5516-X

http://www.cisco.com/go/asa-firepower-sw

ASA Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA software file has a filename like asa962-lfbff-k8.SPA.

ASDM Software

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

The ASDM software file has a filename like asdm-762.bin.

REST API Software

Choose your model > Adaptive Security Appliance REST API Plugin > version.

The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide

ROMMON Software

Choose your model > ASA Rommon Software > version.

The ROMMON software file has a filename like asa5500-firmware-1108.SPA.

ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X

http://www.cisco.com/go/asa-software

ASA Software

Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Software > version.

The ASA software file has a filename like asa962-smp-k8.bin.

ASDM Software

Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Device Manager > version.

The ASDM software file has a filename like asdm-762.bin.

REST API Software

Choose your model > Software on Chassis > Adaptive Security Appliance REST API Plugin > version.

The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide

ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC)

Choose your model > Software on Chassis > ASA for Application Centric Infrastructure (ACI) Device Packages > version.

For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the “Importing a Device Package” chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.

ASA 5585-X

http://www.cisco.com/go/asa-software

ASA Software

Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Software > version.

The ASA software file has a filename like asa962-smp-k8.bin.

ASDM Software

Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Device Manager > version.

The ASDM software file has a filename like asdm-762.bin.

REST API Software

Choose your model > Software on Chassis > Adaptive Security Appliance REST API Plugin > version.

The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC)

Choose your model > Software on Chassis > ASA for Application Centric Infrastructure (ACI) Device Packages > version.

For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the “Importing a Device Package” chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.

Firepower 2100

http://www.cisco.com/go/asa-firepower-sw

ASA, ASDM, and FXOS Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA package includes ASA, ASDM, and FXOS software. The ASA package has a filename like cisco-asa-fp2k.9.8.2.SPA.

ASDM Software (Upgrade)

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-782.bin.

Note

 

When you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle.

ISA 3000

http://www.cisco.com/go/isa3000-software

ASA Software

Choose your model > Adaptive Security Appliance (ASA) Software > version.

The ASA software file has a filename like asa962-lfbff-k8.SPA.

ASDM Software

Choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

The ASDM software file has a filename like asdm-762.bin.

REST API Software

Choose your model > Adaptive Security Appliance REST API Plugin > version.

The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

Download FXOS for the Firepower 4100/9300

FXOS packages for the Firepower 4100/9300 are available on the Cisco Support & Download site.

To find FXOS packages, select or search for your Firepower appliance model, then browse to the Firepower Extensible Operating System download page for the target version.


Note


If you plan to use the CLI to upgrade FXOS, copy the upgrade package to a server that the Firepower 4100/9300 can access using SCP, SFTP, TFTP, or FTP.


Table 14. FXOS Packages for the Firepower 4100/9300

Package Type

Package

FXOS image

fxos-k9.version.SPA

Recovery (kickstart)

fxos-k9-kickstart.version.SPA

Recovery (manager)

fxos-k9-manager.version.SPA

Recovery (system)

fxos-k9-system.version.SPA

MIBs

fxos-mibs-fp9k-fp4k.version.zip

Firmware: Firepower 4100 series

fxos-k9-fpr4k-firmware.version.SPA

Firmware: Firepower 9300

fxos-k9-fpr9k-firmware.version.SPA

Back Up Your Configurations

We recommend that you back up your configurations and other critical files before you upgrade, especially if there is a configuration migration. Each operating system has a different method to perform backups. Check the ASA, ASDM, ASA FirePOWER local management, Firepower Management Center, and FXOS configuration guides for more information.