Solved: Re: Best Firewall to choose for enterprise network

sami2022 · ‎08-02-2022

Hi all,

I'm new to Cisco Firewalls, and I have questions about enterprise network design, so the requirements are:

- VPN site to site and remote access for 100 user.

- IP packets Inspection.

- Supports IPS and IDS.

- Supports routing between internal networks (OSPF, IEGRP, RIP) We may need BGP in the future.

- And what is the recommended management tool for this device Maybe in the future we will add some cisco devices to the network, Currently, we are using Netgear switches and Mikrotik routers.

I searched for a while to see which firewall fits these requirements and got this Cisco ASA 5525-x firewall but I have never used Cisco before, I need your help to decide.

Thank you so much for your advice!

Marius Gunnerud · ‎08-03-2022

The 2100 series will give you everything that your requirements specify and will allow for future expansion. Again, depending on your future network plans, I would recommend considering the FPR2130 or FPR2140as this will give you an option to install a 10Gig SFP module if you at some point would require this.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Philip D'Ath · ‎08-02-2022

I'm surprised a 100-user site requires OSPF, EIGRP, RIP and BGP. If you removed that requirement, I would say hands down a Cisco Meraki MX. Something around the size of an MX85.
https://meraki.cisco.com/product/security-sd-wan/medium-branch/mx85/
It is cloud managed. You only need a web browser.

If the routing protocols are a hard requirement, then I would look at the Cisco Firepower 1000 series.
https://www.cisco.com/c/en/us/products/security/firepower-1000-series/index.html

Marius Gunnerud · ‎08-03-2022

What are your throughput requirements? Based on the requirements you have posted so far you could go for the FPR2110. I would not recommend getting the ASA as the Firepower devices are now slowly but surely replacing them.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

--
Please remember to select a correct answer and rate helpful posts

sami2022 · ‎08-03-2022

Thanks everyone, throughput is around 1 G, and management wants a long-term solution, and it fits future expansion as well.

To ensure that the Firepower 2100 series supports site-to-site VPN, remote VPN access, and restrict some remote VPNs to access certain servers but not the whole network. Routing protocols in case we need them in the future, because they will have some remote branches of the company.

Or do you suggest another product to take instead of the Firepower 2100 series.

Thanks again

Marius Gunnerud · ‎08-03-2022

The 2100 series will give you everything that your requirements specify and will allow for future expansion. Again, depending on your future network plans, I would recommend considering the FPR2130 or FPR2140as this will give you an option to install a 10Gig SFP module if you at some point would require this.

--
Please remember to select a correct answer and rate helpful posts

sami2022 · ‎08-03-2022

Thanks so much @Marius Gunnerud

sami2022 · ‎08-03-2022

Please @Marius Gunnerud What would you recommend to buy FMC for management or other software.
Thanks

Marius Gunnerud · ‎08-03-2022

This depends on budget. Configuration support for FDM is getting better and with the integration with CDO it is quite good. I have mainly used FMC.

--
Please remember to select a correct answer and rate helpful posts

IP_Cartel · ‎08-03-2022

2100s are great IPS NGFW. Just make sure you get the requirement for the IPS throughput. You want to know how much ISP throughput you'll need. A 100 users is small network. EIGRP will be the easiest to use if you decide to connect multiple buildings together. When it comes to BGP this is a handoff provided by the service provider for multiple sites.

Marvin Rhoads · ‎08-03-2022

I'd be more aligned with @Philip D'Ath 's recommendation of a Meraki firewall for simplicity. For most smaller networks having the firewall simply default route RFC 1918 subnets to the inside generally suffices.

Otherwise if you really need all of those dynamic routing protocols, an 1100 series can scale up to several Gbps and be a better investment than the 2100 series which is getting quite old by now. Although I do wonder how you can possibly need EIGRP if you are running Microtik and Netgear now. Similarly BGP is seldom needed as it generally suffices to have a default gateway to your ISP router.