Cisco Secure Firewall 4225 Instance Sizing

diecarvic
Level 1

Good day all,

I am trying to size the instances of a new multi-instance Cisco Secure Firewall 4225 FTD deployment and I'm confused regarding the amount of CPU/cores I can play with. The documentation states that the device has 128 cores and that the maximum number of instances is 15.

My simple math is that:
128 / 15 = 8.5 cores
So 8 cores per instance.

But at the same time, the minimum number of cores per context is 6:
128 / 6 ~= 21 instances

I can't find any reference in the documentation about the core distribution/reservation done by the device apart from each instance reserving 2 cores for management.

Does anyone have any clues?

7 Replies

Check the command under the FXOS scope:

set cpus <<- this command assigns cores per instance

MHM

diecarvic
Level 1

So I found that I can get the core affinity using the following command in the FTD expert shell:

pmtool show affinity

The device indeed has 128 cores: 60 for lina/data, 64 for Snort, and 4 for (I assume) FXOS.

Still, it's impossible to know how many of each will be assigned to an instance beforehand unless there is a formula or table that specifies it, like this one, which unfortunately does not contain any 42xx device:
Data Plane and Snort Core Distribution Tables

Sorry, I don't get it. What is the relation of NXOS to FTD?

How many instances do you run?

MHM

Sorry, I meant to type FXOS.

My idea is to run 5 instances. Since the limiting factor will be data and not Snort, I want to optimize sizing in that regard.

For instance, lowering the core assignment of an instance from 36 to 34 or 32, if that would only lower the number of Snort cores assigned to an instance of that size, and increasing the number of cores assigned to the other instances.

Do all four instances run the same features,

i.e. URL filtering, IPS, SI, SSL policy?

MHM

balaji.bandi
Hall of Fame

The compute you are going to allocate is based on the instance requirements and the features you are using. That is the maximum number of instances the device can offer. Based on the performance and usage of the FTD, you increase the instances or compute resources. Cisco may have tested instances under certain parameters (which may not be suitable for production environments sometimes, in my view).

Look at the admin guide; it is explained in more detail here:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/device-ops-logical-devices.html

Note: If this is a single device, not a cluster or HA pair, I would not risk putting all my eggs in one basket and expect it to run as expected.

Some performance matrix for reference:

https://selabs.uk/reports/advanced-performance-test-report-cisco-secure-firewall-4225-2025-05

BB
