This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.17.0.

Use these Release Notes as a supplement with the other documents listed in the documentation roadmap:


Note


The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.


Introduction

The Cisco security appliance is a next-generation platform for network and content security solutions. The security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.

The security appliance provides the following features:

  • Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.

  • Firewall Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.

  • FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.

  • FXOS REST API—Allows users to programmatically configure and manage their chassis.

Software Download

You can download software images for FXOS and supported applications from one of the following URLs:

For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

Important Notes

  • In FXOS 2.4(1) or later, if you are using an IPSec secure channel in FIPS mode, the IPSec peer entity must support RFC 7427.

  • When you upgrade a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide or Cisco Firepower 4100 Series Hardware Installation Guide, the fault(s) are cleared automatically and no additional action is required.

  • Starting with the FXOS 2.13 release, the set maxfailedlogins command no longer works. The value can still be set, but if you attempt to log in with an invalid password more times than the configured value, you are not locked out. For compatibility, a similar command, set max-login-attempts, is available under scope security. This command also prevents login after a certain number of failed attempts, but it sets the value for all users. These commands are available only in Firepower 2100 platform mode and do not affect other platforms.

System Requirements

  • You can access the Firewall Chassis Manager using the following browsers:

    • Mozilla Firefox—Version 42 and later

    • Google Chrome—Version 47 and later

    • Microsoft Internet Explorer—Version 11 and later

    We tested FXOS 2.17.0 using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. Other versions of these browsers are expected to work. However, if you experience any browser-related issues, we suggest you use one of the tested versions.

Upgrade Instructions

You can upgrade your Firepower 9300 or Firepower 4100 series security appliance directly to FXOS 2.17.0 if it is currently running FXOS version 2.2(2) or later. Before you upgrade your Firepower 9300 or Firepower 4100 series security appliance to FXOS 2.16.0, first upgrade to FXOS 2.2(2), or verify that you are currently running FXOS 2.2(2).

For upgrade instructions, see the Cisco Firepower 4100/9300 Upgrade Guide.

Installation Notes

  • Starting with FXOS 2.14.1, the FXOS firmware is bundled with the FXOS software image. During an FXOS upgrade, the system automatically upgrades the firmware to the latest version, if applicable. If the firmware is upgraded, the system reboots 2 times and the total FXOS upgrade duration is extended.

    The following tables list the time taken for an upgrade with and without a firmware upgrade:

    FXOS Upgrade With Firmware Upgrade                      Duration (in mins)
    Initiate FXOS Upgrade with integrated FW changes        -
    First Reboot triggered by FXOS upgrade                  ~9
    CLI after FXOS Upgrade (before FW Upgrade)              ~8
    Second Reboot triggered by FW Upgrade                   ~1 to 20 *
    CLI after FXOS Upgrade and FW Upgrade                   ~8
    Blade to come online                                    ~13
    Application to come online                              ~10
    Total                                                   ~49-70 mins

    FXOS Upgrade Without Firmware Upgrade                   Duration (in mins)
    Initiate FXOS Upgrade with integrated firmware changes  -
    Reboot triggered by FXOS upgrade                        ~9
    CLI after FXOS Upgrade (before firmware upgrade)        ~8
    Blade to come online                                    ~13
    Application to come online                              ~10
    Total                                                   ~40 mins

  • If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic does not traverse through the device while it is upgrading.

  • If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic does not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster continue to pass traffic.

  • Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.

Resolved and Open Bugs

The resolved and open bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note


You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Resolved bugs in FXOS 2.17.0.545

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.17.0.545:

Identifier  Headline
CSCws07111  Secure Firewall 4200 port-manager error portmanager DIED after doing 'no shut' for ethernet interfaces
CSCwq53328  Multicast and unicast packets do not reach the correct instance for random subinterfaces
CSCwp60896  ASA Clock reverts to UTC after device reload
CSCwn93411  FXOS reset and reload due to snmpd service failure
CSCwr59870  ASAv on Hyper-v encountering boot loop issues when running netvsc driver
CSCwq44834  Multicast and broadcast packets do not reach all multi-instance firewalls via shared interface on 3100/4200
CSCwq85986  Secure Firewall 4225, interface with SFP - 10/25G_LR_S (or CSR_S) is not coming up after reboot of peer side.
CSCwq88955  Secure Firewall 4200 Mgmt NIC firmware is not upgraded/downgraded in between 7.6.x and later and 9.22.1 and later
CSCwq74986  Threat defense instance stuck in Boot Loop
CSCws79626  FXOS CLI Command Execution Failures Due to Intermittent DME Timeouts
CSCwq13032  Secure Firewall 3100/4200, 1G Management interface flapping after upgrade
CSCwq31342  Secure Firewall 3100/4200 Multi Instance Chassis Deployment Failed in DNS configuration
CSCwr22508  Device doesn't boot and gets stuck after a successful upgrade
CSCwp22743  Secure Firewall 4200 - 1gsx link remains up on device but on switch side it shows as not connected
CSCwr01482  Secure Firewall 4215 - "Not supported" alarm occurred, when insert the SFPs
CSCwr88733  Collecting "show tech-support fprm" results in corefile in TAR process
CSCws33720  If ssh is used repeatedly for device access, in some cases the /var/sysmgr partition may become full.
CSCwq52255  SSH login to threat defense management IP address lands in FXOS shell instead of threat defense CLISH due to missing /mnt/boot/application/*.def file
CSCwq95241  Reboots on Firepower 2130 due to missing heimdall PID
CSCwr83527  Firepower 2110 Critical fault alerts for remote users
CSCwq92373  Secure Firewall 4200 MI: Two apps went to Not Responding state with reason: Error in App Instance ftd. sma reported fault: Instance xxx is disabled due to restart loop. Please consider reinstalling this app-instance.

Resolved bugs in FXOS 2.17.0.537

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.17.0.537:

Identifier  Headline
CSCwp02224  Firepower failover split brain when upgrade primary/standby device's FXOS version
CSCwq21442  3RU MI Cluster instances offline after baseline/creation
CSCwq27947  Threat Defense device stuck in rommon mode after pressing reset button

Online Resources

Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure FXOS software and to troubleshoot and resolve technical issues.

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.