Hi,

My suggestion is to go for 1120 or 1140 (price difference is not much so I
say go 1140). This is more powerful than 2120 due to the use of new
processors (except for memory which shouldn't be an issue as you are moving
from 5515). You can review firepower datasheet.

Another important aspect is your current feature set used on 5515. Majority
of features in asa has been move to firepower but still some are in
roadmap. So look at your current features and see if they are supported in
firepower (you can always used flexconfig feature to fill the gap).

Otherwise firepower is so powerful compared to asa and has evolved
significantly to make it very competitive with palo alto or fortinet.

Finally have a final check with a cisco partner to get their validation.

***** please remember to rate useful posts

hi mohammed,

we'll also be doing a HW refresh on our ASA 5500-x soon and replace them with firepower/FTD.

is it wise to deploy them in ASA appliance mode in the long run?

we just need to run basic FW, NAT and S2S VPN services in our environment and don't want to incur any CAPEX/OPEX to maintain FMC and smart licenses.

The problem is "basic firewall" doesn't protect fully against current threats. If you want something with real protection then a modern firewall like Cisco Firepower Threat Defense (FTD) running on a Firepower appliance is needed. Haiving at least the IPS subscription isn't very much ongoing expense for the added protection you get.

Whatever perimeter firewall you use should be complemented with endpoint and DNS security - for example Cisco AMP for Endpoints and Umbrella.