
4100 or 5585-x for Data Center deployment?

mo shea
Level 1

Hi,

With the release of the 4100/9300 appliances with the FTD image, does it make sense to skip the 5585-X SSP40 option and go with a 4120 appliance to be deployed in the Data Center, not the perimeter?

I can see the following pros:

- Better combined throughput

- Better price-wise

- Unified Management

- IPS unified model better than traffic forwarding to firepower module, especially for high availability scenarios

Some cons though:

- Product fairly recent, stability of FTD not like ASA OS

- Not all ASA features present, lack of Multicast routing a worry.

Our decision was going towards Fortinet due to budget issues with 5585 but this product seems within our budget. I hope to have more feedback or experiences that can assist us with our decision.


All help is appreciated

Regards,

Moe Shea

4 Replies

Pujita Patni
Cisco Employee

Hi Mo,

Why don't you get in touch with your Cisco Account Manager? They should be able to demo the product to you and provide you the advantages and disadvantages in your network.

Thanks,

Pujita

Thanks Marvin and Pujita for the feedback.

I have actually contacted our local Cisco Security Engineer, but would also like to hear from people who have actually deployed and worked with such a scenario. 

I understood that the 4100 will pass multicast but won't participate in multicast routing, which is a slight relief. As per the Cisco Engineer, all ASA features will be supported in a year's time. He suggested using the traditional ASA image on the 4100 and upgrading to the FTD image anytime later, which is fair enough if our deployment is heavily relying on the ASA features.

We have lots of access policies (IP ACLs) and will place the Firewall inline between our Campus and DC network.

Thanks again for the info.

Moe Shea

We haven't deployed any yet. The first couple of sales of that platform are in the pipeline at my company (I work for a partner).

FirePOWER 4100 with ASA image is running native ASA code 9.6 so it's a very low risk. You also don't have to worry about converting your ACLs as the ASA configuration can be loaded straight in (with minor modifications to account for interface numbering etc.). (A tool for conversion from ASA config file to FTD (strictly GUI-based input) is coming with 6.1 but as of right now it's strictly "by hand".)

However, you do not have the option of FirePOWER services until you re-image and convert it to running the FTD image. You will then have to license the FirePOWER features (IPS, URL Filtering and Malware) like on any other FirePOWER software-based platform.

Marvin Rhoads
Hall of Fame

FP 4100 series is a much stronger NGIPS platform than the ASA 5585-X unless you really need NGIPS plus some of the ASA features (like the multicast routing or remote access VPN) that aren't yet in the FTD image.

The code is based mostly on the Sourcefire / FirePOWER legacy so I'd be very confident in it for NGIPS features.

Price-performance it beats the 5585 hands down.
