I have to choose firewall for a big enterprise network. I’m CCNP in R&S but new to firewalls. The goals of the firewall will be:
I’m very interested in new product Cisco Firepower® NGFW 2110.
But I have several questions
I'll be grateful for any bits of advice!
I assume by Mb you mean Megabits per second or Mbps. Adding the 3 figures you have means we need to handle 1.7 Gbps. The 2110 would be well-suited performance wise.
Regarding your feature questions:
1. Yes - although it's not in the GUI just yet. You configure it with a FlexConfig which requires using a FirePOWER Management Center (FMC) vs. local management.
2. No. The 2110 runs only the FirePOWER Threat Defense (FTD) unified image at this time. While a 5516-X can run FTD, it much more commonly runs ASA software plus FirePOWER on a software service module. The feature differences are a lot of details that are probably best reviewed with your local SE.
3. No. This is a long term goal for Cisco but we don't expect it soon. There may be other ways to achieve your goal depending on why you need multiple contexts.
4. No (clustering is currently available on the higher end 4100 and 9300 series).
5. Yes, but it requires an external agent to be installed in your domain to get userid-IP mapping from logon events via WMI (or you can use Cisco ISE if you have that).
Thank you for such a detailed comment!
Could I ask a few more details, please?
If we will look on Firepower® NGFW 2110 as a replacement of
(q #1) About the differences between ASA software and FirePOWER Threat Defense (FTD). If we want to use Firepower® NGFW 2110 as (1: NAT + !URL Filter! internet gate), (2: Stateful firewall between branch and HQ; Web servers and DB), is FirePOWER Threat Defense (FTD) ok for this? Actually we are choosing between Firepower® NGFW 2110 and ASA5516X. The reason why we haven’t purchased ASA5516X is that we are afraid it's too weak for our traffic.
(q #4) If “active-active” clustering is not supported, is “active-passive” HA supported? If so, I can solve the HA case with just additional links.
An FTD device has the license options of Threat (IPS), URL filtering and Malware (or any combination of those - depending on your requirements).
It can do active/standby high availability. Your failure scenarios can generally accommodate outbound traffic easily. Inbound traffic can be problematic depending on what sort of services (if any) you expose to outside users.