https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524398#M1086073 <P>Thanks for the link Marvin.&nbsp; In my case I won't be doing much VPN.&nbsp; My main concern is maximum IPS protection of web servers behind the firewall.&nbsp; Given that almost all web traffic is encrypted nowadays, which numbers should I be concentrating on?</P> Tue, 28 Dec 2021 13:59:24 GMT tato386 2021-12-28T13:59:24Z https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524209#M1086062 <P>I was browsing Cisco's web site looking specifically for SSL/TLS decryption specs for 1000 and 2100 FTD devices when I ran into something I did not expect.&nbsp; According to the site (see attached files) the 2100 family has better specs pretty much across the board *except* for TLS?&nbsp; Is this an error or misprint?</P><P>&nbsp;</P><P>Another thing I noticed is that specs for FW+AVC, FW+AVC+IPS and for TLS are separated.&nbsp; What about if I would like to use all four features, meaning FW+AVC+IPS+TLS?&nbsp; How is that measured/rated?</P><P>&nbsp;</P><P>Thanks,</P><P>Diego&nbsp;&nbsp;</P> Tue, 28 Dec 2021 03:33:49 GMT https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524209#M1086062 tato386 2021-12-28T03:33:49Z https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524378#M1086070 <P>Due to the CPU used, the Firepower 1000 series are able to use Intel Quick Assist Technology (QAT) and get better TLS performance as a result.</P> <P><A href="https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html" target="_blank">https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html</A></P> <P>The TLS numbers generally aren't stressed unless the firewall is serving a large number of remote access VPN clients so it's usually not the gating performance factor when considering which device is recommended. Overall throughput as bounded by the "FW+ x" numbers is usually more important.</P> Tue, 28 Dec 2021 13:12:42 GMT https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524378#M1086070 Marvin Rhoads 2021-12-28T13:12:42Z https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524398#M1086073 <P>Thanks for the link Marvin.&nbsp; In my case I won't be doing much VPN.&nbsp; My main concern is maximum IPS protection of web servers behind the firewall.&nbsp; Given that almost all web traffic is encrypted nowadays, which numbers should I be concentrating on?</P> Tue, 28 Dec 2021 13:59:24 GMT https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524398#M1086073 tato386 2021-12-28T13:59:24Z https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524409#M1086074 <P>If you are planning to do SSL/TLS decryption of your web servers' traffic then it's a whole other calculation as that is much more CPU-intensive than basic TLS termination.</P> <P>You might want to check with your Cisco SE or reseller to have them run the numbers through Cisco's internal / partner performance tool for that use case.</P> Tue, 28 Dec 2021 14:33:47 GMT https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524409#M1086074 Marvin Rhoads 2021-12-28T14:33:47Z https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524462#M1086077 <P>Sounds like a plan.&nbsp; Thx</P> Tue, 28 Dec 2021 15:54:23 GMT https://community.cisco.com/t5/network-security/ftd-1000-vs-2100-tls-performance/m-p/4524462#M1086077 tato386 2021-12-28T15:54:23Z