topic I assume by Mb you mean in Network Security

choosing a firewall

Sergiy Pyvovaroff — Tue, 12 Mar 2019 09:29:12 GMT

Hello, community!

I have to choose firewall for a big enterprise network. I’m CCNP in R&S but new to firewalls. The goals of the firewall will be:

Filter traffic branch to HQ 600Mb.
NAT company traffic to the Internet, ~900Mb. At this point, I’m searching replacement of the Ms TMG, but firewall has no proxy functions. Is it real to use a just firewall to replace TMG or should search for the proxy either?
Web server traffic to DB 200Mb.

I’m very interested in new product Cisco Firepower® NGFW 2110.

But I have several questions

Is NGFW support IEGRP? If Yes, great! Only if No, Can I mix bridge and routing firewall?
Is NGFW 2110 and ASA5516X run the same set of futures?
Is multicontext supported?
Is Active –Active supported?
Can I auth users access to Inet via MS AD or LDAP?

I'll grateful for any bits of advice!

Regards Sehii .

I assume by Mb you mean

Marvin Rhoads — Fri, 09 Jun 2017 08:26:48 GMT

I assume by Mb you mean Megabits per second or Mbps. Adding the 3 figures you have means we need to handle 1.7 Gbps. The 2110 would be well-suited performance wise.

Regarding your feature questions:

1. Yes - although it's not in the GUI just yet. You configure it with a FlexConfig which requires using a FirePOWER Management Center (FMC) vs. local management.

2. No. The 2110 runs only the FirePOWER Threat Defense (FTD) unified image at this time. While a 5516-X can run FTD it much more commonly runs ASA software plus FirePOWER on a software service module. Feature difference is a lot of details that are probably best to review with your local SE.

3. No. This is a long term goal for Cisco but we don't expect it soon. There may be other ways to achieve your goal depending on why you need multiple contexts.

4. No (clustering is currently available on the higher end 4100 and 9300 series).

5. Yes, requires an external agent to be installed in your domain though to get userid-IP mapping from logon events via WMI (or can use Cisco ISE if you have that).

Thank you for so detailed

Sergiy Pyvovaroff — Fri, 09 Jun 2017 10:21:37 GMT

Thank you for so detailed comment!
Could I ask few more detail, please?
If we will look on Firepower® NGFW 2110 as a replacement of Ms TMG (obsolete product), should I also look for a (firewall + other caching proxy), of just NAT on a firewall is ok nowadays?

(q #1) About differences between ASA software and FirePOWER Threat Defense (FTD). If we want to use Firepower® NGFW 2110 as (1: NAT + !URL Filter! internet gate), (2: Stateful firewall between branch and HQ; Web servers and DB) is FirePOWER Threat Defense (FTD) ok for this? Actually we a choosing Firepower® NGFW 2110 or ASA5516X. The reason why we hadn’t purchase ASA5516X is we are afraid it's too weak for our traffic.

(q #4) If “active-active” clustering is not supported, is “active-passive” HA supported? Is so I can solve HA case with just additional links.

Regards Sehii .

You're welcome.

Marvin Rhoads — Fri, 09 Jun 2017 13:57:11 GMT

You're welcome.

An FTD device has the license options of Threat (IPS), URL filtering and Malware (or any combination of those - depending on your requirements).

It can do active/standby high availability. Your failure scenarios can generally accomodate outbound traffic easily. Inbound traffic can be problematic depending on what sort of services (if any) you expose to outside users.