Cisco Firepower 2100 replacement or supplement?

ba32810
Level 1

I'm researching replacing an old firewall.


All the talk about NGFW seems to be about the advanced features. We still need the core features of a firewall to set up specific rules to allow specific types of traffic through and block what we don't want.

We still need the VPN capabilities and the traffic routing abilities of an ASA firewall.

All the additional NGFW features are great, but the core functions of our existing ASA are still relevant.


Here's my confusion. This article specifically calls the Firepower 2100 series an upgrade "rip and replace" option:


https://blogs.cisco.com/perspectives/firepower-2100-the-architectural-need-to-know


The Firepower 2110 and 2120 appliances come with 12 x 1Gbit RJ-45 ports and 4 x 1Gbit SFP ports with no options to expand this. This is a great rip and replace option for the current owners of the ASA5525-X, ASA5545-X and ASA5555-X firewalls.


But then he ends the article with this statement:


The feature set. If the features of the ASA software are not implemented in FTD in haste, the customer is forced to keep buying ASA X series or, again, go to another manufacturer.

So that leaves me with the question. Is the Firepower 2100 series lacking core features that an ASA-X firewall provides? Is it truly a firewall in any sense, or just a supplemental NextGen security appliance with no real core firewall features?


In what situation would an older ASA-X firewall be better than the latest offering from Cisco?

2 Replies

Hi @ba32810

According to this description:


"Cisco ASA with FirePOWER Services extends the capabilities of the Cisco ASA 5500-X Series Next-Generation Firewalls and Cisco ASA 5585-X Adaptive Security Appliance firewall products with continuous monitoring and protection. This product delivers integrated threat defense for the entire attack continuum -- before, during and after an attack -- by combining the security capabilities of the Cisco ASA firewall with the industry-leading Sourcefire threat and advanced malware protection features together in a single device."

The way I understand this, Firepower extends the Cisco ASA features, but it is still a basic ASA firewall.


-If I helped you somehow, please, rate it as useful.-

Marvin Rhoads
Hall of Fame

The Firepower 2100 is available with either Firepower Threat Defense (FTD) or ASA image. For purposes of this discussion, we will focus on the FTD image type.


FTD has all of the features of the Firepower OS (Next Generation IPS or NGIPS) plus many (but not all) of the features of the ASA code. Standard ACLs, NAT and basic routing are all available. It also includes basic site-to-site VPN and client-based (AnyConnect) SSL VPN. Drilling down into those reveals some details that may be an issue depending on your requirements - for instance, remote access SSL VPN does not allow for local authentication on the FTD appliance, there is no clientless SSL VPN, etc.


It is best to discuss your requirements in detail with your local Cisco or partner Security SE to ensure that you make an informed decision. Some use cases (the ones I mentioned and several others as well) would steer you towards a new ASA appliance with Firepower services vs. a new FTD appliance. As features continue to be added to FTD, those use cases become fewer and fewer.
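As an added illustration that is not part of either reply, the "core" policy the original poster describes (explicit allow rules, block everything else, NAT, a default route) looks like this in ASA CLI. Interface names, hostnames and the RFC 5737 documentation addresses are constructed for the example; the ACL and NAT syntax is the post-8.3 ASA form in which access lists match the real (pre-NAT) address. On an FTD image the same access control, NAT and routing exist but are built in Firepower Management Center or Firepower Device Manager rather than typed as ASA CLI, which is the practical difference when comparing the two images.

```text
! Constructed ASA 9.x configuration fragment (addresses from RFC 5737 ranges)
hostname ASA-EDGE
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Network objects keep the ACL and the NAT statement referring to the same host
object network WEB-SERVER
 host 192.0.2.10
 nat (inside,outside) static 203.0.113.10
!
object network INSIDE-NET
 subnet 192.0.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound policy: only HTTPS to the published server is allowed.
! The explicit deny with "log" makes dropped connections visible in syslog;
! without it the ASA still drops them via the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443 log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound policy: inside hosts get web and DNS only
access-list INSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 any eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Static default route toward the upstream gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

After applying a policy like this, `show access-list OUTSIDE_IN` shows the per-entry hit counts, which is the quickest way to confirm that the allow rule is matching the expected traffic and that the final deny is catching the rest.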
