The following table lists compatibility between the ASA and threat defense applications with the Firepower 4100/9300.

The bold versions listed below are specially-qualified companion releases. You should use these software combinations whenever possible because Cisco performs enhanced testing for these combinations.

For upgrading, see the following guidelines:

• FXOS—For 2.2.2 and later, you can upgrade directly to a higher version. When upgrading from versions earlier than 2.2.2, you need to upgrade to each intermediate version. Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:

  1. FXOS 2.2→FXOS 2.11 (the highest version that supports 9.8)

  2. ASA 9.8→ASA 9.17 (the highest version supported by 2.11)

  3. FXOS 2.11→FXOS 2.13

  4. ASA 9.17→ASA 9.19

• ASA—ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.

Note	This section applies only to the Firepower 4100/9300. Other models utilize FXOS only as an underlying operating system that is included in the ASA and threat defense unified image bundles.

Note	FXOS 2.8(1.125)+ and later versions do not support ASA 9.14(1) or 9.14(1.10) for ASA SNMP polls and traps; you must use 9.14(1.15)+. Other releases, such as 9.13 or 9.12, are not affected.

Note	FXOS 2.12/ASA 9.18/Threat Defense 7.2 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.

The following table lists the supported Radware DefensePro version for each security appliance and associated logical device.

The following table lists supported single-wide and double-wide network modules on the Firepower 9300 and Firepower 4100 security appliances.

Note

The FXOS CLI output may show the base PID of the network module, which doesn’t contain the 4K/9K prefix. For example, if you use the the FXOS CLI to view information about the FPR9K-NM-8X10G network module, it may appear as Model: FPR-NM-8X10G. For instructions on how to verify your firmware package version and to upgrade the firmware if necessary, see the Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide (https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html). For instructions on how to upgrade FXOS on your Firepower 4100/9300, see the Cisco Firepower 4100/9300 Upgrade Guide (https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/upgrade/b_FXOSUpgrade.html).

The following table lists supported power supply modules on the Firepower 9300 and 4100 security appliances.

Note: For more detailed information about the power supply modules in the 4100 series security appliances, see “Power Supply Modules” in the Cisco Firepower 4100 Series Hardware Installation Guide (http://www.cisco.com/c/en/us/td/docs/security/firepower/4100/hw/guide/b_install_guide_4100.html). For more detailed information about the power supply modules in your 9300 security appliance, see “Power Supply Modules” in the Cisco Firepower 9300 Hardware Installation Guide ( http://www.cisco.com/c/en/us/td/docs/security/firepower/9300/hw/guide/b_install_guide_9300.html).

Prior to 2.6, all security modules in the Firepower 9300 have to match.

In 2.6 and later, you can mix different types of security modules with the following caveats:

• Clustering is not supported on mixed modules in 2.6 and 2.7. However, in 2.8 and later, you can use mixed modules when using multi-instance clustering (a cluster with one container instance on each module). Native clustering still requires all the modules to be the same type.

• High Availability is only supported between same-type modules; but the two chassis can include mixed modules.

The following table lists supported security modules on the Firepower 9300.

Clustering will work with both Cisco and non-Cisco switches from other major switching vendors with no known interoperability issues if they comply with the following requirements and recommendations. Clustering is compatible with technologies such as vPC (Nexus), VSS (Catalyst), and StackWise & StackWise Virtual (Catalyst).

Switch Requirements

• All third party switches must be compliant to the IEEE standard (802.3ad) Link Aggregation Control Protocol.

• EtherChannel bundling must be completed within 45 seconds when connected to Firepower devices and 33 seconds when connected to ASA devices.

• On the cluster control link, the switch must provide fully unimpeded unicast and broadcast connectivity at Layer 2 between all cluster members.

• On the cluster control link, the switch must not impose any limitations on IP addressing or the packet format above Layer 2 headers.

• On the cluster control link, the switch interfaces must support jumbo frames and be configurable for an MTU above 1600.

Switch Recommendations

• The switch should provide uniform traffic distribution over the EtherChannel's individual links.

• The switch should have an EtherChannel load-balancing algorithm that provides traffic symmetry.

• The EtherChannel load balance hash algorithm should be configurable using the 5-tuple, 4-tuple, or 2-tuple to calculate the hash.

Note	For the Firepower 9300 cluster, intra-chassis clustering can operate with any switch because Firepower 9300-to-switch connections use standard interface types.

Note	Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using ISSUs with clustering.

See the following additional resources:

• Navigating the Cisco Firepower 4100/9300 FXOS Documentation (documentation roadmap)

• Cisco Firepower 4100/9300 FXOS Release Notes

• Cisco ASA Compatibility

• Cisco Firepower Compatibility

• Cisco’s Next Generation Firewall Product Line Software Release and Sustaining Bulletin