07-26-2019 02:23 PM
My company is looking to refresh our ASA 5516x with a new NGFW. My previous company was in the middle of replacing all of their ASAs with 2110s. The firewall administrator and director of security were not fans of these. The ASAs were mainly doing S2S VPN connectivity and they were using PAs for internal and external firewalls. My understanding of the source of contention toward the FTDs was the fact that having both VPN terminations and IPS/IDS on the same box caused the box to be extremely slow. The FMC was also very slow.
I'd like to get other people's perspective, negative or positive, on the current state of the Firepower.
TIA,
Chris
07-26-2019 09:17 PM - edited 07-26-2019 09:19 PM
Firepower 2100 series published throughput is the same whether none or all NGIPS features are enabled due to the hardware architecture that's optimized for the software.
Palo Alto Networks' appliances generally have one performance specification for no advanced features and then turning on the features (one or all) has a different number that's half the overall appliance throughput.
PANW management and deployment time required for changes is generally better than Cisco, especially if you're using FMC. You might want to have a look at Cisco Defense Orchestrator (CDO), the cloud-based management option that recently started supporting FTD. It is very fast and modern. It interacts with the managed devices via API vs. the older sftunnel connections and database synchronization model that FMC uses.
Here's a nice CDO demo by Divya Nair:
07-29-2019 06:48 AM
Marvin,
Thanks for your input. I will certainly look at the CDO demo. What is your opinion regarding how the Firepower does when VPN and IDS/IPS are both enabled? I have been told by Cisco engineers that if you are going to run VPN, it should be on a separate box running ASA on the Firepower.
Thanks,
Chris
07-29-2019 07:25 AM - edited 07-29-2019 07:26 AM
You're welcome.
The only reason I can think anyone would advise running remote access VPN on a separate ASA is if your particular use case had mandatory requirements for some of the few features that are not yet on FTD (clientless, using multiple AnyConnect modules, using Dynamic Access Policies are the big ones).
Historically remote access VPN was not supported on Firepower Threat Defense but, since support was introduced about 2 years ago, the feature gap has narrowed quite a bit.