09-16-2023 11:04 AM
Hi,
I am working to deploy an NGFW for one of my projects. Please help/suggest a model that meets the specification below.
Minimum specification requirements as below:
The platform should be capable of providing firewall, application visibility, IPS and anti-malware functionality in a single appliance.
The appliance should have at least 8x 1G copper ports and 4x SFP ports.
Should have minimum 16 GB system memory and minimum storage of 1x 200 GB SSD or higher.
The firewall should not be proprietary ASIC based in nature and should be an open architecture based on multi-core CPUs to protect and scale against the latest dynamic security threats.
Should support at least 2.2 Gbps of NGFW performance throughput (includes FW, application visibility and IPS).
Maximum sessions with AVC: 195K or higher.
New connections per second: 12K or higher.
Minimum Transport Layer Security (TLS): 600 Mbps or higher.
The NG firewall should support 1.1 Gbps IPsec VPN throughput with 144 VPN peers.
Maximum VPN peers: 144 or higher.
Minimum number of categorized URLs for filtering: 270 million.
The firewall should support IPS, malware and URL protection features.
The firewall should support Active/Standby failover.
Should support static routing, RIP, OSPF, OSPFv3 and BGP.
Should be capable of detecting and blocking IPv6 attacks.
The solution must provide an IP reputation feed comprising several regularly updated collections of poor-reputation IP addresses determined by the proposed security vendor.
The solution must support IP reputation intelligence feeds from third parties and custom lists of IP addresses, including a global blacklist.
Must support URL and DNS threat intelligence feeds to protect against threats.
Should support reputation- and category-based URL filtering, offering comprehensive alerting and control over suspect web traffic and enforcing policies on more than 270 million URLs in more than 80 categories.
The solution must be capable of passively gathering details unique to mobile device traffic to identify a wide variety of mobile operating systems, mobile applications and associated mobile device hardware.
Should be capable of providing network-based detection of malware by checking the disposition of known files in the cloud using the SHA-256 file hash as they transit the network, with the capability to do dynamic analysis on-premise on a purpose-built appliance (if required in future).
The NGFW OEM must have its own threat intelligence analysis center and should use the global footprint of security deployments for more comprehensive network protection.
The detection engine should support the capability of detecting and preventing a wide variety of threats (e.g., malware, network probes/reconnaissance, VoIP attacks, buffer overflows, P2P attacks, etc.).
Should be able to identify attacks based on geo-location and define policy to block on the basis of geo-location.
The detection engine should support the capability of detecting variants of known threats, as well as new threats.
The detection engine must incorporate multiple approaches for detecting threats, including at a minimum exploit-based signatures, vulnerability-based rules, protocol anomaly detection and behavioral anomaly detection techniques. Identify and explain each type of detection mechanism supported.
Thanks
Imran
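Added example (not part of the thread, and not Cisco's or any vendor's code): the spec items about IP reputation feeds (vendor feed, third-party feed and a custom global blacklist) and about SHA-256 file-disposition lookup describe two checks an NGFW performs on transiting traffic. The toy model below shows what those checks actually do: it merges several feeds of IPs and CIDRs, matches a flow's endpoints against them with the most specific entry first, and hashes a file to look up its disposition. Every feed entry, file and flow here is constructed for the example; the "one entry per line, optional category, # comments" feed format is an assumption, and the disposition cache stands in for the cloud service the spec refers to.

```python
"""Toy model of IP-reputation feed matching and SHA-256 file disposition.
All feeds, files and flows are constructed for the example; the feed text
format is assumed, and DISPOSITION_CACHE stands in for a cloud lookup."""
import hashlib
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Network, str, str]  # (network, category, feed source)

# Constructed feeds: "ip_or_cidr [category]" per line, '#' starts a comment.
VENDOR_FEED = """
# vendor reputation feed (constructed)
198.51.100.0/24 cnc
203.0.113.7 scanner
"""
THIRD_PARTY_FEED = """
# third-party feed (constructed); note the overlap with the vendor feed
203.0.113.7 tor_exit
192.0.2.0/25 bulletproof_hosting
"""
CUSTOM_BLACKLIST = """
# locally maintained global blacklist (constructed), no categories
192.0.2.200
"""


def parse_feed(text: str, source: str) -> List[Entry]:
    """Parse one feed; bare IPs become /32 (or /128) networks so one
    matching routine handles both single addresses and CIDR ranges."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        net = ipaddress.ip_network(parts[0], strict=False)
        category = parts[1] if len(parts) > 1 else "custom"
        entries.append((net, category, source))
    return entries


def build_reputation(feeds: Dict[str, str]) -> List[Entry]:
    """Merge all feeds. Overlapping entries are all kept, so an alert can
    say which feeds agree; longest prefix sorts first (most specific hit)."""
    merged: List[Entry] = []
    for source, text in feeds.items():
        merged.extend(parse_feed(text, source))
    merged.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return merged


def lookup_ip(reputation: List[Entry], ip: str) -> List[Tuple[str, str]]:
    """Return [(category, source), ...] for every entry containing ip."""
    addr = ipaddress.ip_address(ip)
    return [(cat, src) for net, cat, src in reputation
            if addr.version == net.version and addr in net]


def verdict_for_flow(reputation: List[Entry], src_ip: str, dst_ip: str) -> str:
    """Block a flow if either endpoint has poor reputation, else allow."""
    hits = lookup_ip(reputation, src_ip) + lookup_ip(reputation, dst_ip)
    return "block" if hits else "allow"


# Constructed disposition cache keyed by SHA-256 hex digest. The "malware"
# entry is the hash of a harmless constructed byte string, not a real sample.
MALICIOUS_SAMPLE = b"constructed malicious sample for the example only"
DISPOSITION_CACHE = {
    hashlib.sha256(MALICIOUS_SAMPLE).hexdigest(): "malware",
    hashlib.sha256(b"hello world\n").hexdigest(): "clean",
}


def file_disposition(data: bytes) -> str:
    """Hash the transiting file and return its cached disposition; files
    the cache has never seen come back 'unknown' (the case the spec hands
    to dynamic analysis)."""
    return DISPOSITION_CACHE.get(hashlib.sha256(data).hexdigest(), "unknown")


if __name__ == "__main__":
    rep = build_reputation({"vendor": VENDOR_FEED,
                            "third_party": THIRD_PARTY_FEED,
                            "custom": CUSTOM_BLACKLIST})
    print(lookup_ip(rep, "203.0.113.7"))            # two feeds agree
    print(verdict_for_flow(rep, "10.0.0.5", "192.0.2.200"))
    print(file_disposition(MALICIOUS_SAMPLE), file_disposition(b"x"))
```

Two details worth noting when reading the spec against this model: the custom blacklist entry 192.0.2.200 is outside the third-party 192.0.2.0/25 range, so without the local list it would be allowed, which is why the spec asks for custom lists in addition to vendor feeds; and a file whose hash is absent from the cache is "unknown", not "clean", which is the gap the on-premise dynamic analysis item is meant to close.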
09-17-2023 02:00 AM
You have not specified your budget, use for the firewall (i.e. DC, branch office, internet gateway, etc.), company size / number of users and expected concurrent connections and expected growth which will all be a factor in determining which firewall to choose.
If you are looking for the closest exact match, then the FTD1120 is the closest, but it does not give you much room for growth.
But, with the information provided, I would suggest the FTD1150. It will give you some room for growth and the option for SFP+. Along with that, the URL, Threat and Malware licenses will support what you are asking for. Optionally, you can also get the AnyConnect license for RAVPN. The firewall does do a network discovery to identify what type of devices are passing traffic through it, but an ISE implementation or a Secure Network Analytics installation might be better suited for that task.
09-16-2023 02:57 PM
Here is the datasheet; check it and buy based on budget and requirements:
https://www.cisco.com/site/us/en/products/security/firewalls/index.html
09-16-2023 09:57 PM
I know what series are out there. I actually needed a specific series/model that complies with the spec that I shared.
br
imran
09-16-2023 08:02 PM
Get a reputable systems integrator.
https://community.cisco.com/t5/routing/cisco-router-selection-query-need-urgent-help/m-p/4924489
https://community.cisco.com/t5/switching/cisco-switch-selection-query-need-urgent-help/m-p/4924494
Based on the number of threads created, you are out of your depth. One wrong move and it will cost you a fortune to correct.