Firepower 7125 EOL soon, What to replace with?

tahscolony · ‎01-18-2022

Last day of support is June 30 2024, so little more than 2 years before being replaced, and Cisco has not gone above 6.4 code for these appliances. The company doesn't leave EOL unsupported network hardware running in service for very long except switches that have spares and are not a security threat, so time to start looking into replacements. I am not seeing a standalone wired appliance anymore and these things have been amazingly stable, rock solid performers with fail to wire working flawlessy during upgrades. I get daily updates from Cisco regarding bugs and such and the vast majority of bugs and issues hit the embedded ASA Firepower devices, which concerns me as an impact on Firepower on an ASA could also bring the ASA down, leaving us DITW, where an appliance issue would fail to wire and leaves us still functioning.

What is the next solution for replace these devices? Will we forced into the firewall/IPS solution in the end? The all eggs in one basket approach is not something we prefer.

Rob Ingram · ‎01-18-2022

@tahscolony according to this cisco documentation below, the Firepower 2100 series hardware is the replacement for the 7125.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-7000-series-appliances/eos-eol-notice-c51-741685.html

Here is the 2100 series datasheet

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

balaji.bandi · ‎01-18-2022

check here recommended : (Product migration options)

https://www.cisco.com/c/en/us/products/collateral/security/firepower-7000-series-appliances/firepower-7000-eol.html

This is based on the information. You can also contact partner can help right model after reviewing your new requirement.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tahscolony · ‎01-18-2022

I did not realize it can be either or, thought the 2100 series was a dual like the current 5555-X is, which are EOL 18 months later. This is good news, and will give it all a good read.

balaji.bandi · ‎01-18-2022

If you have budget you can 2100 model, that is medium sized kit, depends on the load and where this was locating in the network.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tahscolony · ‎01-18-2022

OK, after going through the spec sheet, looks like the 2130 model will be able to replace the 7125's as well as provide 10G connectivity. They were asking about a 10G firewall, so this would be a good option for our hub to AWS.

balaji.bandi · ‎01-18-2022

it got 10GB Firewall throughput - if the cost is marginal i go with 2140 it got 20GB Firewall throughput.

You looking any NGFW features like IPS ? 2130 5G/5G compare to 2140 9G/9G

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tahscolony · ‎07-08-2024

I have a pair of 3120 running 7.4.1 now in Multi Instance mode. One will be a Secure Firewall instance running FTD, the other will be the IPS to replace the 7125. What I need now is documentation showing how to configure the FTD to replace the 7125. Do I configure as Routed, or Transparent? I have the policy used on the 7125, however I cannot assign the Zone to the Inline pair. If I try to create a new zone, the Inline pair doesn't show up. Should I reconfigure the FTD to be routed instead?

balaji.bandi · ‎07-08-2024

Draw how your existing network looks like.

check multi instance config here :

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/threat-defense/use-case/multi-instance-sec-fw/multi-instance-sec-fw.html

New FTD can able to use snort 3 support both bump on wire and other.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tahscolony · ‎07-09-2024

I figured it out, the policy from the 7125 was "locked" so couldn't be edited, I copied and applied it so now it pulls the correct interfaces. The big thing was not having to recreate the policy in use.