Looking for a replacement for the firewall module of c6500

yishaky_ub
Level 1

Hi

Good recommendation. I am also thinking of the 2130 with FTD.

Your comments on the next points, please:

1. I think it is a wise direction to use the FTD SW rather than the ASA SW version.

2. We are planning to use FTD, though we will not subscribe to the IPS and AMP licenses currently because of budget constraints. So what do you think about the relevance of using the FTD SW?

3. We are planning to use this firewall to segregate our critical servers from our internal networks. In other words, we are using it to separate two internal networks, not for an external connection like the Internet. So my question is: does it have significant relevance to use threat IPS and AMP (or can we skip these features)?

When ordering a 2100 Series NGFW with the Cisco Firepower Threat Defense image, both licenses and a subscription to security services are required. The entry level license is Threat (Security Intelligence and Cisco Firepower Next-Generation IPS).

If you go with the ASA image you do not need to add any subscription licenses.

The benefit of having the threat license is that you protect the internal servers from attack vectors originating within the company. Many times threats are launched and spread from infected machines, especially if they may travel in and out of the relatively controlled corporate environment. Of course having that extra protection costs more.

Other points are that FTD is relatively new and as a pure firewall (as you intend to use it at first) has a few less features than ASA software. It also has fewer experts familiar with it and fewer deployments meaning relatively less time spent in production networks and varied use cases where inevitable bugs are found (and fixed).

Hi

I really appreciate your valuable information.

So what is your recommendation....

Maybe if I add more points on the above...

If we are going to use the firewall feature only, then it is better to go with the ASA image.

Otherwise, if we are going to use the threat defense license, then it is better to go with the FTD SW image.

Is it possible to put it this way, or do you have any other?

Hi 

Appreciated your comment on the above post

Yes, I would agree with that assessment. A Firepower 2130 appliance with ASA image would appear to be the best fit given what you have shared about your requirements.

If in the future you need to transition to an FTD image, it will be possible using the same hardware.

Good. How do we treat threats coming from inside? Any solution you propose to address this?

Well the budget constraint is a business decision.

In environments where I have been involved, I document the risk (inside threat in this case) and present the cost for mitigating it (using FTD image with associated Threat license) to the business stakeholders and let them make an informed decision.

You may be able to propose some lesser cost options for dealing with Malware like AMP for Endpoints and/or Cisco Umbrella (former OpenDNS). Those offset the risk and are a good idea in the context of a complete security solution in any case.

If the budget allows, then you are recommending that the Firewall 2130 with FTD is the best suited?

If I were making a recommendation it would take more knowledge of the existing environment. I would ask the customer to share the current configurations in order to perform due diligence in ensuring there were no features that would disqualify using the FTD image in the current environment.

I would not make a firm recommendation without meeting with the customer to better understand the full set of business requirements.
