07-25-2022 05:16 AM
Dear All,
Can someone please recommend versions suitable for an enterprise network?
Below are some of our requirements
1. Control per-user bandwidth (allocate 10 Mbps for each client IP)
2. Allocate bandwidth per URL/IP outside
3. Limiting email attachment sizes (if possible)
4. Upload blocking for specific file types, e.g. Word, PDF (if possible)
5. Upload blocking for specific file sizes, e.g. 100 MB (if possible)
6. Per-IP URL monitoring
7. Block attacks
8. VPN access for the clients
Existing network information
The number of client devices is around 1000, and they are in 10 different subnets in router-on-a-stick mode.
07-25-2022 09:55 AM
@ravinsilvaems if you only have 100Mb ISP circuits then according to the FPR1000 series datasheets, the base model 1010 should suffice for NGFW throughput. However this model only supports 75 VPN users.
You need to verify your requirements against the datasheets for supported maximums.
You are best speaking to your Cisco partner about pricing, but by the sounds of your budget you are unlikely to get the hardware and all the licensing for $3000 - unless you purchase only a 1 year subscription. Bear in mind you need the FMC license (and hardware, unless you purchase the VM license), this will increase the cost as well.
07-25-2022 08:34 PM
The breadth of requirements you are asking about is better suited by a Unified Threat Management (UTM) type of device. That's a market Cisco doesn't really compete in. I'd suggest you look into the companies catering more to the Small-Medium Business (SMB) market - something like SonicWall or Fortinet, for example.
07-25-2022 05:37 AM
@ravinsilvaems you don't say what bandwidth you have, that would provide an indication on what model hardware you require. Here are the datasheets of the appliances, from there you can determine what model meets your requirements.
https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html
https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html
https://www.cisco.com/c/en/us/products/collateral/security/firepower-4100-series/datasheet-c78-742474.html
You'd want to run the FTD image, which has the NGFW features. You'll need the base + Threat, Malware, URL Filtering and Remote Access VPN (AnyConnect Plus or Apex) licenses to meet your requirements. https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/licensing_the_firepower_system.pdf
You'd need an FMC if you want to use QoS. https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html
07-25-2022 05:44 AM - edited 07-25-2022 05:46 AM
I assume you can use a Cisco FTD 4000 series firewall (according to the very basic facts you provided), and you also need to consider more facts than the above, such as connectivity methods (copper/fiber), the number of cables you plan to connect, VPN types and counts (site-to-site and SSL/IPsec clients), HA scenarios, power requirements, the average number of applications passing through the FW and the application types, etc.
For the above points, some are mainly related to DLP features, such as limiting email attachments. Those things can be achieved using a Cisco ESA kind of product. For bandwidth control you can use QoS features. File blocking is available, but file size limitations are not available directly in FTD. Attack blocking and URL monitoring are possible, and enabling SSL decryption gives more ability to observe and control encrypted traffic. Client VPNs can be configured using Cisco AnyConnect options.
07-25-2022 09:48 AM
Thank you @Rob Ingram @Kasun Bandara for this information.
ISP connectivity is copper, and we plan to keep two uplinks (Active/Standby or load balanced) of 100 Mbps each.
LAN connectivity is copper, and we plan to keep one/two connections to an ISR4000 series router.
Will I be able to get one appliance (below 3K USD budget) for the requirements mentioned above?