2074 Views, 10 Helpful, 4 Replies

FTD 1000 vs 2100 TLS performance

tato386 (Level 6)

I was browsing Cisco's web site looking specifically for SSL/TLS decryption specs for 1000 and 2100 FTD devices when I ran into something I did not expect.  According to the site (see attached files) the 2100 family has better specs pretty much across the board *except* for TLS?  Is this an error or misprint?


Another thing I noticed is that specs for FW+AVC, FW+AVC+IPS and for TLS are separated.  What about if I would like to use all four features, meaning FW+AVC+IPS+TLS?  How is that measured/rated?


Thanks,

Diego  

Accepted Solution

Marvin Rhoads (Hall of Fame)

Due to the CPU used, the Firepower 1000 series are able to use Intel QuickAssist Technology (QAT) and get better TLS performance as a result.

https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html

The TLS numbers generally aren't stressed unless the firewall is serving a large number of remote access VPN clients so it's usually not the gating performance factor when considering which device is recommended. Overall throughput as bounded by the "FW+ x" numbers is usually more important.


4 Replies


Thanks for the link, Marvin. In my case I won't be doing much VPN. My main concern is maximum IPS protection of web servers behind the firewall. Given that almost all web traffic is encrypted nowadays, which numbers should I be concentrating on?

If you are planning to do SSL/TLS decryption of your web servers' traffic then it's a whole other calculation as that is much more CPU-intensive than basic TLS termination.

You might want to check with your Cisco SE or reseller to have them run the numbers through Cisco's internal / partner performance tool for that use case.

Sounds like a plan. Thanks.
