
FP sizing for 2000 active connections

lcaruso
Level 6

I have a question about FP sizing.

For a site that has approximately 2000 active connections through an ASA5506x (not running any firepower just classic ASA, output of "show conn") would a FP1010 be powerful enough to run all three FTD licenses?

@lcaruso yes the 1010 hardware should be sufficient, datasheet included for reference (and comparison with the other models).

https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html

You may want to check other limitations of each hardware model depending on your future requirements, network bandwidth, etc.

Have you access to and tried this site?

https://ngfwpe.cisco.com/

@lcaruso sorry I don't have access, only partners or Cisco employees can use this tool. I believe @Marvin Rhoads works for a partner and would have access to run this tool.

Concurrent connections are not a parameter used in the NGFWPE tool. For that you can refer to the data sheet that @Rob Ingram linked earlier.

The tool takes into account throughput, average packet size and enabled features (Base, URL Filtering, Malware analysis and SSL decryption (where used)).

Yes, that is exactly what I noticed after seeing a demo video of this tool noting throughput as the critical parameter and why I wanted to access it. 

With IPS, URL Filtering and Malware all enabled, the Firepower 1010 can handle about 160 Mbps (Snort 2) to 220 Mbps (Snort 3). Under those conditions you should be at or below the recommended 80% CPU utilization according to the tool.

Would it be too much to ask to provide the correct FTD model for a 600Mbps ISP connection for all three licenses? I always try to ensure the edge device is not throttling down. 

@lcaruso the Firepower 1120 (or anything higher) can handle that speed with all three features. For the 1120, the expected CPU is 57% with Snort 3 and FTD 7.2.

Marvin, thanks kindly once again for this help. I finally got in touch with our account team and they requested access to the tool while I was on the phone with them, so it would seem to be no small favor for you to not only take the time but also arrange this. I really appreciate you helping us get a favorable client outcome. Best Regards, sir!

lcaruso
Level 6

Thank you kindly for running that scenario. 
