Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2203
Views
10
Helpful
3
Replies

Firepower 2100 series

chris.allen08
Level 1
Level 1

‎07-26-2019 02:23 PM

My company is looking to refresh our ASA 5516x with a new NGFW. My previous company was in the middle of replacing all of their ASAs with 2110s. The firewall administrator and director of security were not fans of these. The ASAs were mainly doing S2S VPN connectivity and they were using PAs for internal and external firewalls. My understanding of the source of contention toward the FTDs was the fact that having both VPN terminations and IPS/IDS on the same box caused the box to be extremely slow. Also, the FMC was also very slow.

 

I'd like to get other people's perspective, negative or positive, on the current state of the Firepower.

 

TIA,

Chris

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-26-2019 09:17 PM - edited ‎07-26-2019 09:19 PM

Firepower 2100 series published throughput is the same whether none or all NGIPS features are enabled due to the hardware architecture that's optimized for the software.

Palo Alto Networks' appliances generally have one performance specification for no advanced features and then turning on the features (one or all) has a different number that's half the overall appliance throughput.

PANW management and deployment time required for changes is generally better than Cisco, especially if you're using FMC. You might want to have a look at Cisco Defense Orchestrator (CDO), the cloud-based management option that recently started supporting FTD. It is very fast and modern. It interacts with the managed devices via API vs. the older sftunnel connections and database synchronization model that FMC uses.

Here's a nice CDO demo by Divya Nair:

https://www.youtube.com/watch?v=twQ1GI-GA-A

chris.allen08
Level 1
Level 1
In response to Marvin Rhoads

‎07-29-2019 06:48 AM

Marvin,

Thanks for your input. I will certainly look at the CDO demo. What is your opinion regarding how the Firepower does when VPN and IDS/IPS are both enabled. I have been told by Cisco engineers that if you are going to do run VPN, it should be on a separate box running ASA on the firepower.

 

Thanks,

Chris

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to chris.allen08

‎07-29-2019 07:25 AM - edited ‎07-29-2019 07:26 AM

You're welcome.

The only reason I can think anyone would advise running remote access VPN on a separate ASA is if your particular use case had mandatory requirements for some of the few features that are not yet on FTD (clientless, using multiple AnyConnect modules, using Dynamic Access Policies are the big ones).

Historically remote access VPN was not supported on Firepower Threat Defense but, since support was introduced about 2 years ago, the feature gap has narrowed quite a bit.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card