Supported Devices and Software Versions for Cisco Security Manager 4.14
General Device to Feature Support for Cisco Security Manager
IPv6 Support Summarized by Device Class and Application
Explicitly Supported Devices for Cisco Security Manager
Generically Supported Devices for Cisco Security Manager
Supported Software for Cisco Security Manager
Software Supported in Downward Compatibility Mode
Supported Devices and Software Versions for Auto Update Server
Communications, Services, and Additional Information
Cisco Security Manager and its related applications support the devices and operating system versions listed in these sections:
Broadly speaking, Cisco Security Manager has these main features: device configuration, event management, report management, health and performance monitor, and image management. Table 1 explains which classes of device are supported for each feature. The exact models and software versions supported in each device class are listed in subsequent sections.
Adaptive Security Appliance (ASA), including the Cisco Adaptive Security Virtual Appliance (ASAv) and service modules |
|||||
Intrusion Prevention System (IPS) appliances and service modules1 |
Yes 1 |
No 1 |
|||
Cisco Security Manager provides some support for IPv6, but only for configuring policies on a device (for example, firewall rules and IPS rules). Support is for traffic through the device. However, Cisco Security Manager does not support client-server communication using IPv6.
Cisco Security Manager also provides management support for ASA devices, but not for IPS devices.
Table 2 summarizes IPv6 support by device class in each Cisco Security Manager application (for example, Configuration Manager).
If a particular device class has no policies that use IPv6 (for example, Cisco IOS IPS in supported routers), then the table lists “Not applicable.” The table also lists “Not applicable” for devices that are not supported at all by a particular application (for example, Image Manager supports only ASAs and ASAv’s).
For the specific policies that you can configure, see the Getting Started chapter in the User Guide for Cisco Security Manager.
Adaptive Security Appliance (ASA), including the Cisco Adaptive Security Virtual Appliance (ASAv) and service modules |
Yes2 |
||||
Intrusion Prevention System (IPS) appliances and service modules |
|||||
The following table lists the devices you can manage in Cisco Security Manager. These specific models are explicitly supported, that is, Cisco Security Manager is aware of the features available on the device and recognizes the device module.
Tip If a device model is not listed in this table, you might still be able to manage it as a generic device type. For more information, see Generically Supported Devices for Cisco Security Manager.
[support for ASA Version 9.4.1, 9.5.1, 9.5.2, 9.6.1 and 9.6.2] |
|
Cisco 1783 Industrial Security Appliance |
|
Cisco ASA-5500 Series Adaptive Security Appliance [support for ASA Version 9.4.1, 9.5.1, 9.5.2, 9.6.1 and 9.6.2] |
|
Cisco ASA-5500 Series Adaptive Security Appliance [support for ASA versions 8.2(3), 8.4(1-6), 9.0(1), and later] |
|
Note You must select Cisco Catalyst 6500 Series ASA Services Module as the device type to manage the ASA Services Module on a 7600 Series Router. |
|
Cisco Catalyst 6500 Series Firewall Services Module (FWSM) 1 |
|
Cisco ASA 5500 Series Advanced Inspection and Prevention (AIP) Security Services Module |
|
Cisco ASA Advanced Inspection and Prevention Security Services Card (SSC) |
|
Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module 1 |
|
Cisco Intrusion Prevention System Advanced Integration Module (AIM) for Cisco1841, 2800, and 3800 Series Integrated Services Routers |
|
Cisco Intrusion Prevention System Network Module Enhanced (NME) |
|
Cisco ASR 1000 Series Aggregation Services Routers Support includes all Ethernet (all speeds), Serial, ATM, and Packet over Sonet (POS) shared port adapters (SPA), but not services SPAs. Note Support is limited to the following Cisco IOS XE Software consolidated packages: Advanced IP Services, Advanced Enterprise Services. The IP Base packages are not supported. |
|
Cisco Catalyst 6500 Series Switches Note The virtual switching system (VSS) mode is not supported. |
|
Cisco 7600/Catalyst 6500 IPSec VPN Services Module (VPNSM)3 |
|
Cisco 7600 Series/Catalyst 6500 Series IPSec VPN Shared Port Adapter (VPN SPA) 1 |
|
Cisco Catalyst 6500 Series VPN Services Port Adapter (VSPA) 1 |
Cisco Security Manager can manage some device models even if the model does not appear in the supported device list. This type of generic device support relies on the fact that device features are controlled more by the software running on the device than the device model.
If you have a device that does not appear in the explicitly supported device list, you can try to manage it as a generic device using the device modules listed in the following table.
The following table lists the device models that have been tested for generic support:
Cisco Security Manager supports the software on the devices that it manages as described in the following sections:
Note Cisco Security Manager deployment will fail if ASA/IOS router has engineering image. Deployment will be successful only with released ASA/IOS router images.
The following list describes the minimum supported software versions plus the specific release numbers that have additional support in Cisco Security Manager for devices that run operating systems other than Cisco IOS Software. You must use a software version that meets at least the minimum. If you use a version that is not listed, Cisco Security Manager will treat it as one of these versions (the most closely-matching version, which is typically the release number nearest to it but lower). Any features that are unique to the version you are using are not supported in Cisco Security Manager.
Tip The primary software support that is new in Version 4.14 of Cisco Security Manager is support for ASA 9.8.1.
Note If you upgrade to ASA Version 9.4(4)34 or later, you must upgrade Cisco Security Manager to Version 4.19 or later. Earlier versions of Cisco Security Manager are not compatible with ASA Version 9.4(4)34 or later.
The following special cases and exceptions apply to ASA software support:
– If you upgrade a device that you are already managing in Cisco Security Manager from 8.x to 9.0(1) or higher, you must rediscover the device inventory so that Cisco Security Manager starts interpreting the device as a 9.x device and then you must rediscover the policies on the device to ensure that Cisco Security Manager looks for and discovers the appropriate policy types. Alternatively, you can delete the device from Cisco Security Manager and then add the device again.
– If you perform one of the following upgrades to a device that you are already managing in Cisco Security Manager:
—from any lower version to 8.3(1) or higher
—from 8.3(x) to 8.4(2) or higher
you must rediscover the device in Cisco Security Manager. This is required due to significant policy changes between the two releases.
For detailed information on these scenarios, refer to the section titled “Validating a Proposed Image Update on a Device” in the User Guide for Cisco Security Manager 4.8 at the following URL:
http://www.cisco.com/c/en/us/support/security/security-manager/products-user-guide-list.html
– Although 8.2(4) is supported in downward compatibility mode as 8.2(3), Cisco Security Manager does support ASA 5585-X models with SSP-10 and SSP-40 running 8.2(4).
– You cannot use Cisco Security Manager to manage SSL VPNs on ASA 7.x.
– You cannot use Cisco Security Manager to manage an ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Cisco Security Manager inventory.
– Release 8.5(1) applies to the Catalyst 6500 Series ASA Services Module (ASA-SM) only. The ASA-SM does not support any type of VPN configuration for this version. However, starting from the 9.0(1) version, ASA-SM supports VPN configurations.
– Release 8.6(1) applies to the following Cisco ASA 5500-X based Adaptive Security Appliance models only: 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.
– Cisco Security Manager 4.8 supports ASAv’s when you are using ASA 9.2(1) or other versions of ASA that support ASAv’s.
– Table 6 provides the details of the ASA platforms that are supported and not supported for ASA 9.2(1) and above.
– Release 5.1(5)E1 and later only support IPS signature updates.
– Release 7.1 is supported on the following platforms: Cisco ASA 5585 Series IPS Security Services Processor; IPS 4300 series sensors; IPS 4500 series sensors; IPS 4270; and Cisco ASA 5500 Series IPS Security Services Processor.
– Release 7.1(6) is supported on six hardware platforms: IPS 4240; IPS 4255; IPS 4260; ASA 5500 AIP SSM-10; ASA 5500 AIP SSM-20; and ASA 5500 AIP SSM-40.
– Release 7.3(1)E4 is supported on four hardware platforms: IPS-4345 (standalone IPS sensor); IPS-4360 (standalone IPS sensor); IPS-4510 (standalone IPS sensor); and IPS-4520 (standalone IPS sensor).
– Release 7.3(2)E4 is supported on the following platforms: IPS 4345, IPS 4360, IPS 4510, IPS 4520, IPS 4520-XL, ASA 5512-X IPS SSP, ASA 5515-X IPS SSP, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, ASA 5555-X IPS SSP, ASA 5585-X IPS SSP-10, ASA 5585-X IPS SSP-20, ASA 5585-X IPS SSP-40, and ASA 5585-X IPS SSP-60.
– Release 7.3(3)E4 is supported on the following platforms: IPS 4345, IPS 4360, IPS 4510, IPS 4520, IPS 4520-XL, ASA 5512-X IPS SSP, ASA 5515-X IPS SSP, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, ASA 5555-X IPS SSP, ASA 5585-X IPS SSP-10, ASA 5585-X IPS SSP-20, ASA 5585-X IPS SSP-40, and ASA 5585-X IPS SSP-60.
The following sections explain the basic versions supported for Cisco IOS Software and the limitations and restrictions that apply to managing Cisco IOS Software devices:
The following list describes the minimum supported Cisco IOS Software versions plus the specific release numbers that have additional support in Cisco Security Manager for standard routers. You must use a software version that meets at least the minimum. If you use a version that is not listed, Cisco Security Manager will treat it as one of these versions (the most closely-matching version, which is typically the release number nearest to it but lower). Any features that are unique to the version you are using are not supported in Cisco Security Manager. Note that the device model might limit the versions you are allowed to install; this is not controlled by Cisco Security Manager.
Note Cisco Security Manager provides limited support for features in routers running the Cisco IOS Software releases. The Eventing, Monitoring, Reporting, and Image Management functionalities are not supported on IOS devices. For Cisco Security Manager to manage IOS routers, you must make sure that the IOS versions comply with the list of supported versions.
Note Cisco Security Manager supports 15.2(1)T1 on 88x, 89x, 19xx, 29xx, and 39xx routers only. ScanSafe is the only supported new feature in this version.
– 12.3(1), including 12.3(1a)B.
– 12.3(2), including the XA3, XB3, XC2, XE2, and XF versions.
– 12.3(3), including the B and B1 versions.
– 12.3(4), including the XD4, XG3, XK2, and XQ1 versions.
– 12.3(5), including the 12.3(5a)B, 12.3(5a)B0a, and 12.3(5a)B1-4 versions.
– 12.3(7), including the XI6, XR, XR2, XR4, XJ2, and XS2 versions.
– 12.3(8), including the XU4, XW3, XX1, YA1, YD1, YG2, YH, YI, and YI1 versions.
– 12.3(9), including the 12.3(9a)BC, BC1, and BC2 versions.
– 12.3(11), including the XL1, YK1, and YS versions.
– 12.2(11)YU, YX, YX1, YZ, and YZ2.
– 12.2(13)T, T12, ZD2, and ZE.
– 12.2(14)S, SU, SU2, SX, SY, and SZ.
– 12.2(18)SE, SW, SXD, SXE, and SXF.
– 12.2(20)EW, EWA, EX, and S8.
– 12.2(25)EY, EZ, FX, FY, JA, SEA, SEB, SEC, SED, SEE, and SG.
The Cisco ASR 1000 Series Aggregation Services Routers use Cisco IOS XE Software, which uses a different numbering scheme from standard Cisco IOS Software. However, these release numbers are mapped to standard IOS release numbers in Cisco Security Manager. The following are the supported Cisco IOS XE Software releases and the Cisco IOS software equivalent releases used in Cisco Security Manager:
Tip Although the 2.x ASR releases are mapped to IOS 12.2 releases, you must select IOS 12.3+ as the operating system type when adding the device to the Cisco Security Manager inventory.
Cisco routers and switches have these software restrictions:
Note You cannot use the Catalyst Operating System on a device managed by Cisco Security Manager.
– 12.2(25)EWA, FZ, EZ, EY, SE, EW, SEA, SEB, SEC, SED, SEE, SEG
– 3.000.001, supported in 12.4(11)T to 12.4(11)T4.
– 3.001.001, supported in 12.4(15)T to 12.4(15)T2.
Cisco Security Manager directly supports many individual point releases for the various operating systems you can use with the supported devices. When Cisco Security Manager supports a specific point release, it means that you can configure some features new to that release using the product.
Some point releases are supported in “downward compatibility mode.” In this mode, you can use the product to configure devices running that point release, but you cannot configure features that are new in the release unless you use FlexConfigs. Thus, the point release is treated as being the same as the nearest point release to it, and Cisco Security Manager maps the release number to that supported release.
The following table lists the releases that are specifically supported in Cisco Security Manager, and the point releases that are supported as downward equivalents to the release. The table might not include information about every downward compatible release. In general, if a version is not listed here or in Supported Software for Cisco Security Manager, Cisco Security Manager will treat it as one of the supported versions (the most closely-matching version, which is typically the release number nearest to it but lower).
You can use the Auto Update Server application with any Cisco ASA-5500 Series Adaptive Security Appliance, Catalyst 6500 Series ASA Services Module, or Cisco PIX 500 Series Firewall and the ASA or PIX software versions supported by Cisco Security Manager.
Note You cannot use devices configured in multiple-context mode with Auto Update Server.
For the complete list of documents supporting this release, see the release-specific document roadmap:
http://www.cisco.com/c/en/us/support/security/security-manager/products-documentation-roadmaps-list.html
Lists document set that supports the Cisco Security Manager release and summarizes contents of each document.
http://www.cisco.com/go/csmanager
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.