Cisco Firepower 4100/9300 FXOS Compatibility

This document lists software and hardware compatibility information for the Firepower eXtensible Operating System (FXOS), Cisco Firepower 9300 and Cisco Firepower 4100 series security appliances, and supported logical devices.

Firepower Software and Hardware Compatibility

The following table lists the supported FXOS versions and Firepower models.


Note

Firepower 2100 series appliances utilize FXOS only as an underlying operating system that is included in the ASA and Firepower Threat Defense unified image bundles. Refer to the ASA Compatibility and Firepower Threat Defense Compatibility guides for information about 2100 series compatibility.


FXOS Release Firepower 9300 Firepower 4110 Firepower 4115 Firepower 4120 Firepower 4125 Firepower 4140 Firepower 4145 Firepower 4150
1.1.1 YES NO NO NO NO NO NO NO
1.1.2 YES NO NO NO NO NO NO NO
1.1.3 YES NO NO NO NO NO NO NO
1.1.4 YES YES NO YES NO YES NO NO
2.0.1 YES YES NO YES NO YES NO YES

Note: Requires ASA 9.6(2) or FTD 6.1

2.1.1 YES YES NO YES NO YES NO YES
2.2.1 YES YES NO YES NO YES NO YES
2.2.2 YES YES NO YES NO YES NO YES
2.3.1 YES YES NO YES NO YES NO YES
2.4.1 YES YES NO YES NO YES NO YES
2.6.1 YES YES YES

Note: Requires ASA 9.12(1) or FTD 6.4 or later

YES YES

Note: Requires ASA 9.12(1) or FTD 6.4 or later

YES YES

Note: Requires ASA 9.12(1) or FTD 6.4 or later

YES

Firepower 4100/9300 Compatibility with the ASA or FTD

The following table lists compatibility between the ASA or FTD applications with FXOS and Firepower models.

The FXOS versions with (EoL) appended have reached their end of life (EoL), or end of support.


Note

The bold versions listed below are specially-qualified companion releases. You should use these software combinations whenever possible because Cisco performs enhanced testing for these combinations.



Note

Firepower 1000 and 2100 series appliances utilize FXOS only as an underlying operating system that is included in the ASA and Firepower Threat Defense unified image bundles.


Table 1. ASA or FTD, and Firepower 4100/9300 Compatibility

FXOS Version

Firepower Model

ASA Version

FTD Version

2.6(1.157)+

Note 

You can now run ASA 9.12+ and FTD 6.4+ on separate modules in the same Firepower 9300 chassis

Firepower 9300 SM-56

9.12(2) (recommended)

6.4.0 (recommended)

6.3.0

6.2.3

6.2.2

6.2.0

6.1.0

Firepower 4150

Firepower 4145

Firepower 4140

Firepower 4125

Firepower 4120

Firepower 4115

Firepower 4110

9.12(x) (recommended)

9.10(1)

9.9(x)

9.8(x)

9.6(4)

Note 

9.7(x) is not supported.

Firepower 9300 SM-48

Firepower 9300 SM-44

Firepower 9300 SM-40

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.131)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12(x) (recommended)

9.10(1)

9.9(x)

9.8(x)

9.6(4)

Note 

9.7(x) is not supported.

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.4(1.214)+

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.10(1) (recommended)

9.9(x)

9.8(x)

9.6(3), 9.6(4)

Note 

9.7(x) is not supported.

6.3.0 (recommended)

6.2.3

6.2.2

6.2.0

6.1.0

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.4(1.101)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.10(1) (recommended)

9.9(x)

9.8(x)

9.6(3), 9.6(4)

Note 

9.7(x) is not supported.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.73)+

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.9(x) (recommended)

9.8(x)

9.7(x)

9.6(3), 9.6(4)

Note 

9.8(2.12) or later is required for flow offload when running FXOS 2.3(1.130) or later.

6.2.3 (recommended)

6.2.2

6.2.0

6.1.0

Note 

6.2.2.2 or later is required for flow offload when running FXOS 2.3(1.130) or later.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.66)

2.3(1.58)

2.3(1.56)

Note 

FXOS 2.3(1.56), which was briefly available on Cisco.com, is no longer supported. For more information, see the Cisco FXOS Release Notes, 2.3(1).

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.9(x) (recommended)

9.8(x)

9.7(x)

9.6(3), 9.6(4)

Note 

9.8(2.12) or later is required for flow offload when running FXOS 2.3(1.130) or later.

6.2.2 (recommended)

6.2.2

6.2.0

6.1.0

Note 

6.2.2.2 or later is required for flow offload when running FXOS 2.3(1.130) or later.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2(2)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8(x)

(recommended)

6.2.2 (recommended)

6.2.0

Note 

6.2.2 or later is required for flow offload when running FXOS 2.2(2.91) or later.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2(1)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8(1) (recommended)

9.7(x)

Note 

9.7(1.15) or later is required for flow offload.

6.2.0 (recommended)

Note 

6.2.0.3 or later is required for flow offload.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.1(1) (EoL)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.7(x) (recommended)

9.6(2), 9.6(3), 9.6(4)

6.2.0 (recommended)

6.1.0

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.0(1)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.6(2), 9.6(3), 9.6(4) (recommended)

9.6(1)

6.1.0 (recommended)

6.0.1

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

1.1(4)

Firepower 4140

Firepower 4120

Firepower 4110

9.6(1) (recommended)

9.5(2), 9.5(3)

6.0.1 (recommended)

Firepower 9300 SM-36

Firepower 9300 SM-24

1.1(3)

Firepower 9300 SM-36

Firepower 9300 SM-24

9.5(2), 9.5(3) (recommended)

9.4(2)

1.1(2)

Firepower 9300 SM-36

Firepower 9300 SM-24

9.4(2) (recommended)

9.4(1)

1.1(1) (EoL)

Firepower 9300 SM-36

Firepower 9300 SM-24

9.4(1) (recommended)

Radware DefensePro Compatibility

The following table lists the supported Radware DefensePro version for each Firepower security appliance and associated logical device.

FXOS Version ASA Firepower Threat Defense Radware DefensePro Firepower Models
1.1(4) 9.6(1) not supported 1.1(2.32-3) 9300
2.0(1)

9.6(1)

9.6(2)

9.6(3)

9.6(4)

not supported 8.10.01.16-5

Firepower 9300

Firepower 4120

Firepower 4140

Firepower 4150

2.1(1)

9.6(2)

9.6(3)

9.6(4)

9.7(1)

not supported 8.10.01.16-5

Firepower 9300

Firepower 4120

Firepower 4140

Firepower 4150

2.2(1)

9.7(1)

9.8(1)

6.2.0 8.10.01.17-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150

2.2(2)

9.8(1)

9.8(2)

9.8(3)

6.2.0

6.2.2

8.10.01.17-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150

2.3(1)

9.9(1)

9.9(2)

6.2.2

6.2.3

8.13.01.09-2

Firepower 9300

Firepower 4110 (Firepower Threat Defense only)

Firepower 4120

Firepower 4140

Firepower 4150

2.4(1)

9.9(2)

9.10(1)

6.2.3

6.3.0

8.13.01.09-2

Firepower 9300

Firepower 4110

Firepower 4120

Firepower 4140

Firepower 4150

2.6(1)

9.10(1)

9.12(1)

6.3.0

6.4.0

8.13.01.09-3

Firepower 9300

Firepower 4110

Firepower 4120

Firepower 4140

Firepower 4150

Network Module Support

The following table lists supported single-wide and double-wide network modules on the Firepower 9300 and Firepower 4100 security appliances.

Network Module Firepower 9300 Firepower 4100 series
Firepower 8-port 10G Network Module single-wide FPR9K-NM-8X10G FPR4K-NM-8X10G
Firepower 4-port 40G Network Module single-wide FPR9K-NM-4X40G FPR4K-NM-4X40G
Firepower 2-port 100G Network Module double-wide FPR9K-DNM-2X100G

(FXOS 1.1.4 and later)

Note: Requires firmware package 1.0.10 or later

Not supported
Firepower 6-port 1G SX Network Module single-wide, FTW Not supported FPR4K-NM-6X1SX-F

(FXOS 2.0.1 and later)

Firepower 6-port 10G SR Network Module single-wide, FTW FPR9K-NM-6X10SR-F

(FXOS 2.0.1 and later)

FPR4K-NM-6X10SR-F

(FXOS 2.0.1 and later)

Firepower 6-port 10G LR Network Module single-wide, FTW FPR9K-NM-6X10LR-F

(FXOS 2.0.1 and later)

FPR4K-NM-6X10LR-F

(FXOS 2.0.1 and later)

Firepower 2-port 40G SR Network Module single-wide, FTW FPR9K-NM-2X40G-F

(FXOS 2.0.1 and later)

FPR4K-NM-2X40G-F

(FXOS 2.0.1 and later)

Firepower 8-port 1G Network Module single-wide, FTW Not supported FPR-NM-8X1G-F

(FXOS 2.1.1 and later; Firepower Threat Defense 6.2 and later)

Firepower 2-port 100G Network Module single-wide FPRK9-NM-2X100G

(FXOS 2.4.1 and later)

Not supported
Firepower 4-port 100G Network Module single-wide FPRK9-NM-4X100G

(FXOS 2.4.1 and later)

Not supported

Note: For instructions on how to verify your firmware package version and to upgrade the firmware if necessary, see “Firmware Upgrade” in the Cisco FXOS CLI Configuration Guide or Cisco FXOS Firepower Chassis Manager Configuration Guide (http://www.cisco.com/go/firepower9300-config).

Power Supply Support

The following table lists supported power supply modules on the Firepower 9300 and 4100 security appliances.

Table 2. Power Supply Support
Power Supply FXOS Firepower Model
9300 4110 4120 4140 4150
AC 1.1.1 and later YES YES YES YES YES
DC 1.1.1 and later YES YES YES YES YES
HVDC 2.1.1 and later YES NO NO NO NO

Note: For more detailed information about the power supply modules in the 4100 series security appliances, see “Power Supply Modules” in the Cisco Firepower 4100 Series Hardware Installation Guide (http://www.cisco.com/c/en/us/td/docs/security/firepower/4100/hw/guide/b_install_guide_4100.html). For more detailed information about the power supply modules in your 9300 security appliance, see “Power Supply Modules” in the Cisco Firepower 9300 Hardware Installation Guide ( http://www.cisco.com/c/en/us/td/docs/security/firepower/9300/hw/guide/b_install_guide_9300.html).

Security Module Compatibility

The following table lists supported security modules on the Firepower 9300 security appliances.

Table 3. Security Module Compatibility
Security Module Product ID FXOS Version

24-physical core security module with two SSDs

(NEBS-compliant)

FPR9K-SM-24 1.1.1 and later
36-physical core security module with two SSDs FPR9K-SM-36 1.1.1 and later

40-physical core security module with two SSDs

FPR9K-SM-40

2.6.1 and later

Note: Requires ASA 9.12(1) or FTD 6.4 and later

44-physical core security module with two SSDs FPR9K-SM-44

2.0.1 and later

Note: Requires ASA 9.6(2) or FTD 6.1 and later

48-physical core security module with two SSDs

FPR9K-SM-48

2.6.1 and later

Note: Requires ASA 9.12(1) or FTD 6.4 and later

56-physical core security module with two SSDs FPR9K-SM-56

2.6.1 and later

Note: Requires ASA 9.12(2) or FTD 6.4 and later

ASA and Firepower Threat Defense Clustering External Hardware Support

Clustering will work with both Cisco and non-Cisco switches from other major switching vendors with no known interoperability issues if they comply with the following requirements and recommendations. For switches that have been verified to work with clustering, see the verified switches table below.

Switch Requirements

  • All third party switches must be compliant to the IEEE standard (802.3ad) Link Aggregation Control Protocol.

  • EtherChannel bundling must be completed within 45 seconds when connected to Firepower devices and 33 seconds when connected to ASA devices.

  • On the cluster control link, the switch must provide fully unimpeded unicast and broadcast connectivity at Layer 2 between all cluster members.

  • On the cluster control link, the switch must not impose any limitations on IP addressing or the packet format above Layer 2 headers.

  • On the cluster control link, the switch interfaces must support jumbo frames and be configurable for an MTU above 1600.

Switch Recommendations

  • The switch should provide uniform traffic distribution over the EtherChannel's individual links.

  • The switch should have an EtherChannel load-balancing algorithm that provides traffic symmetry.

  • The EtherChannel load balance hash algorithm should be configurable using the 5-tuple, 4-tuple, or 2-tuple to calculate the hash.


Note

Cisco does not support the resolution of bugs found in non-verified switches.



Note

For the Firepower 9300 cluster, intra-chassis clustering can operate with any switch because Firepower 9300-to-switch connections use standard interface types.



Note

Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using ISSUs with clustering.


Verified Switches

The following table lists verified Cisco external hardware and software to interoperate with clustering.

Table 4. Verified Switches

External Hardware

External Software

Cisco Firepower 1000, 2100, 4100, and 9300

Cisco ASA Series

You can connect a cluster directly to one or more Firepower or ASA chassis in standalone or failover mode, running either ASA or Firepower Threat Defense. For example, you might connect an Active/Standby ASA failover pair in multiple context mode to a Firepower Threat Defense cluster with inline sets (NGIPS mode).

Any

Cisco ASR 9000 with RSP 440

Cisco IOS XR 5.3(1)+

Cisco Nexus 3000

Cisco Nexus 6000

Cisco Nexus 7000

Cisco Nexus 9500

Cisco Nexus 9300

Note 

For the Nexus 7000, you can use F1-series line cards for the cluster control link, but we do not recommend using them for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing, which can cause performance degradation for data throughput on the cluster.

Note 

For the Nexus 3000, we do not recommend using this switch for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing, which can cause performance degradation for data throughput on the cluster. You can use the switch for the cluster control link or for interfaces in Individual Interface mode.

Cisco NX-OS 7.0(2)N1(1)+

APIC 1.0(1)+

Catalyst 3750-X

Catalyst 6500 with Supervisor 2T

Catalyst 6800 with Supervisor 2T

Cisco IOS 15.1(2)SY5+

Catalyst 6500 with Supervisor 32, 720, and 720-10GE

Cisco IOS 12.2(33)SXI7, SXI8, and SXI9+

Catalyst 4500 with Supervisor 8-E

Cisco IOS XE 3.7(1E)+

Catalyst 3850

Catalyst 4500-X

Note 

We do not recommend using this switch for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing, which can cause performance degradation for data throughput on the cluster. You can use the switch for the cluster control link or for interfaces in Individual Interface mode.

Cisco IOS 3.7(3)+