ASA Firepower throughput

cisco8887
Level 2

Hi Guys,

I have noticed Palo Alto and other vendors specify a much higher throughput for their next-generation solution compared to Cisco when they do the full URL filtering, antivirus and Spam protection.

I think this is because they process the packet in parallel, whereas ASA processes it one module at a time. Is that right?

As an example, ASA passes the traffic to URL filtering and then Spam and then ...

Whereas Palo Alto passes it to URL and Spam and ... all at the same time, hence achieving a significantly higher throughput.

Based on this, is it correct to say Cisco cannot be the dealer in this area due to how they handle Firepower?

2 Accepted Solutions

aledipas
Cisco Employee

It is important to consider that the amount of traffic you can inspect with the SFR module will be inherently limited by how much traffic the ASA itself can pass. There are standalone (bare metal) appliances that can inspect substantially more traffic. The traffic ratings can be found on the spec pages for our Firepower appliances.

Thanks

I think the best way to look at this is by using NSS Labs reports. They publish a yearly report which includes a graph to see how much you pay per protected Mbit/sec. Since vendor-published performance data is not always correct, you may want to look at their findings.

I am not sure if you are talking about absolute throughput (e.g. PAN 7080 vs FP9300), but in case you are, I would suggest looking at the relative numbers and checking how much throughput you lose by using IPS, for example.

About architecture: performance-wise, hardware will always beat software. FPGAs used for specific loads will always perform better than generic CPUs. The parallel processing is not something every vendor is doing. Try not to get lost in marketing buzz and just analyze the performance counters and see how they stack up when it comes to pricing - at the end of the day an architecture that results in 10% better performance but 100% higher price might not be what you are looking for.

5 Replies

cisco8887
Level 2

anyone :)

Thanks, do you have an example of such physical appliances?

Our 7000, 8000, and 9000 series:

http://www.cisco.com/c/en/us/products/security/firepower-7000-series-appliances/index.html

http://www.cisco.com/c/en/us/products/security/firepower-8000-series-appliances/index.html

http://www.cisco.com/c/en/us/products/security/firepower-9000-series/index.html

Thanks!