topic Cisco Secure Firewall 4225 Instance Sizing in Network Security

Cisco Secure Firewall 4225 Instance Sizing

diecarvic — Fri, 29 Aug 2025 10:23:36 GMT

Good day all,

I am trying to size the instances of a new multi-instance Cisco Secure Firewall 4225 FTD deployment and I'm confused regarding the amount of CPU/cores I can play with. The documentation states that the device has 128 cores and that the maximum number of instances is 15.

My simple math is that:
128 / 15 = 8.5 cores
So 8 cores per instance.

But at the same time, the minimum number of cores per context is 6:
128 / 6 ~= 21 instances

I can't find any reference in the documentation about the core distribution/reservation done by the device apart from each instance reserving 2 cores for management.

Anyone has any clues?

Re: Cisco Secure Firewall 4225 Instance Sizing

MHM Cisco World — Fri, 29 Aug 2025 13:04:04 GMT

Check command under fxos scope

Set cpus <<- this command assign cores per instance

MHM

Re: Cisco Secure Firewall 4225 Instance Sizing

diecarvic — Mon, 01 Sep 2025 10:35:32 GMT

So I found that I can get the core affinity using the following command in the ftd expert section:

pmtool show affinity

The device indeed has 128 cores: 60 for lina/data, 64 for snort, and 4 for (i assume) FXOS.

Still, it's impossible to know how many of each will be assigned to an instance beforehand unless there is a formula or table that specifies it, like this one that unfortunately does not contain any 42xx device.
Data Plane and Snort Core Distribution Tables

Re: Cisco Secure Firewall 4225 Instance Sizing

balaji.bandi — Mon, 01 Sep 2025 07:40:09 GMT

The compute you going to allocate based on the instance requirement and features you using. that is maximum instance that device can offer. based on the performance and usage of the FTD you increase the instance or compute resources, cisco may have tested instance in certain parameters(that may not not be suitable for production environment some times as per my view).

Look at the admin guide more explained here :

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/device-ops-logical-devices.html

Note : If this is single device not Cluster or HA - i would not take risking all eggs in one basket and expect to run as expected.

some performance matrix for reference :

https://selabs.uk/reports/advanced-performance-test-report-cisco-secure-firewall-4225-2025-05

Re: Cisco Secure Firewall 4225 Instance Sizing

MHM Cisco World — Mon, 01 Sep 2025 10:33:38 GMT

Sorry I dont get it what is relate of NXOS with FTD ?

How many instances you run ?

MHM

Re: Cisco Secure Firewall 4225 Instance Sizing

diecarvic — Mon, 01 Sep 2025 10:40:16 GMT

Sorry I meant to type FXOS.

My idea is to run 5 instances. Since the limiting factor will be data and not snort, I want to optimize sizing in that regard.

For instance lowering the core assignment in an instance from 36 to 34 or 32 if that would only lower the number of snort cores assigned to an instance of that size. And increasing the number of cores assigned to the other instances.

Re: Cisco Secure Firewall 4225 Instance Sizing

MHM Cisco World — Mon, 01 Sep 2025 10:43:51 GMT

All four instances run same feature

I.e. url filter' IPS' SI' ssl policy?

MHM

Re: Cisco Secure Firewall 4225 Instance Sizing

MHM Cisco World — Mon, 01 Sep 2025 20:10:40 GMT

I think this what you looking for

https://secure.cisco.com/secure-firewall/docs/firepower-multi-instance-performance

MHM