Firepower services on ASA 5500-x firewalls

Lee Dress · ‎11-14-2019

I've noticed that the latest suggested release of Firepower services (6.4.0.4) is only compatible with the larger 5508 and 5516-x firewalls. I have an environment with 2 5516-x, 2 5508-x and about 15 5506-x firewalls.

I can't find a recommended "roadmap" with how to deal with my environment.

I'm wondering if I should

1. upgrade my virtual management server and the larger firewalls to 6.4.0.4 and leave the 5506-x devices on 6.2.3.14

or.

2. leave everything on 6.2.3.14

anyone have suggestions? I can't be the only person with this type of environment. I'm also not prepared to throw away all my 5506x devices

nspasov · ‎11-14-2019

Hello Lee-

Yes, 6.2.3.x is the latest FTD train that the 5506 is going go support
The replacement appliance, FPR-1010, for the 5506 was recently released:
- https://www.cisco.com/c/en/us/products/security/firepower-1000-series/index.html#~models
- It provides at a much higher throughput while still being fan less. In addition, unlike the 5506, the 1010 has PoE support and hardware switch
6.0.4 was only recently made the recommended release. Thus, you are absolutely fine staying on 6.2.3.x. However, upgrading to 6.4.x will give you access to new features and performance improvements.
With that said, you can definitely upgrade your supported hardware to 6.4.0.4 while keeping the 5506 devices on 6.2.3.x. I have several customers doing this without any issues. You just need to make sure that you keep your policies unique enough where you don't try to use a new feature that is only supported on 6.4.x and try to push it to both devices on 6.2.3.x and 6.4.0.x

I hope this helps!

Thank you for rating helpful posts!

Thank you for rating helpful posts!