11-08-2018 12:46 AM - edited 02-21-2020 08:26 AM
Hey everyone.
We have several ASA units, ranging from 5505 to 5555X. Our 5555X is reaching about 55% to 60% CPU during peak hours and we are looking to replace it.
Can anyone help me with some tips on what to look at? Are HW boxes still the way to go, or is SDN something to look at?
Also, we should probably look at 10Gbe.
Thanks for any suggestions.
J
11-08-2018 01:51 AM
Virtual firewalls (ASAv or FTDv) have a place but it's very dependent on your network architecture.
Most customers are going with the unified Firepower Threat Defense (FTD) image. That way you can incorporate protection against the more modern threats that a legacy ASA is not equipped to handle. It still has a few footnotes and asterisks regarding features it doesn't support that are on the legacy ASAs; so it's best to consult with a trusted SE to see which is right for you.
5555-X would normally map to one of the Firepower 4100 series. With regard to model selection, it's mostly based on throughput requirements.
11-08-2018 01:55 AM
Hi,
Below is the Cisco Firepower Next-Generation Firewall (NGFW) Data Sheet, and it supports 10Gb SFPs.
Cisco Firepower Threat Defense (FTD) Performance Specifications and Feature Highlights for Physical and Virtual Appliances
Per-model figures (Cisco Firepower models first, then Cisco ASA 5500-FTD-X models):

| Model | Throughput: FW + AVC (1024B) | Throughput: FW + AVC + IPS (1024B) | Max concurrent sessions, with AVC | Max new connections per second, with AVC | IPsec VPN throughput (1024B TCP w/Fastpath) | Max VPN peers | Cisco Firepower Device Manager (local management) |
|---|---|---|---|---|---|---|---|
| NGFWv | 1.9 Gbps | 1.9 Gbps | 100K | 10K | - | - | Yes (VMware only) |
| 2110 | 2.0 Gbps | 2.0 Gbps | 1M | 12K | 750 Mbps | 1500 | Yes |
| 2120 | 3 Gbps | 3 Gbps | 1.2M | 16K | 1 Gbps | 3500 | Yes |
| 2130 | 4.75 Gbps | 4.75 Gbps | 2M | 24K | 1.5 Gbps | 7500 | Yes |
| 2140 | 8.5 Gbps | 8.5 Gbps | 3M | 40K | 3 Gbps | 10000 | Yes |
| 4110 | 12 Gbps | 10 Gbps | 9M | 68K | 6 Gbps | 10000 | - |
| 4120 | 20 Gbps | 15 Gbps | 15M | 120K | 10 Gbps | 15000 | - |
| 4140 | 25 Gbps | 20 Gbps | 25M | 160K | 13 Gbps | 20000 | - |
| 4150 | 30 Gbps | 24 Gbps | 30M | 200K | 14 Gbps | 20000 | - |
| 9300 with 1 SM-24 module | 30 Gbps | 24 Gbps | 30M | 120K | 13.5 Gbps | 20000 | - |
| 9300 with 1 SM-36 module | 42 Gbps | 34 Gbps | 30M | 160K | 16 Gbps | 20000 | - |
| 9300 with 1 SM-44 module | 54 Gbps | 53 Gbps | 30M | 300K | 17 Gbps | 20000 | - |
| 9300 with 3 SM-44 modules | 135 Gbps | 133 Gbps | 60M | 900K | 51 Gbps | 60000 | - |
| 5506-FTD-X | 250 Mbps | 125 Mbps | 20K | 3K | 100 Mbps | 50 | Yes |
| 5506W-FTD-X | 250 Mbps | 125 Mbps | 20K | 3K | 100 Mbps | 50 | Yes |
| 5506H-FTD-X | 250 Mbps | 125 Mbps | 20K | 3K | 100 Mbps | 50 | Yes |
| 5508-FTD-X | 650 Mbps | 600 Mbps | 100K | 7K | 175 Mbps | 100 | Yes |
| 5516-FTD-X | 1400 Mbps | 1200 Mbps | 250K | 8K | 250 Mbps | 300 | Yes |
| 5525-FTD-X | 1600 Mbps | 1500 Mbps | 500K | 10K | 300 Mbps | 300 | Yes |
| 5545-FTD-X | 1700 Mbps | 1600 Mbps | 750K | 15K | 400 Mbps | 400 | Yes |
| 5555-FTD-X | 1800 Mbps | 1700 Mbps | 1M | 20K | 700 Mbps | 700 | Yes |

Features common to the models above:

| Feature | Support |
|---|---|
| Centralized management | Centralized configuration, logging, monitoring, and reporting are performed by the Management Center or alternatively in the cloud with Cisco Defense Orchestrator |
| Application Visibility and Control (AVC) | Standard, supporting more than 4000 applications, as well as geolocations, users, and websites |
| AVC: OpenAppID support for custom, open source, application detectors | Standard |
| Cisco Security Intelligence | Standard, with IP, URL, and DNS threat intelligence |
| Cisco Firepower NGIPS | Available; can passively detect endpoints and infrastructure for threat correlation and Indicators of Compromise (IoC) intelligence |
| Cisco AMP for Networks | Available; enables detection, blocking, tracking, analysis, and containment of targeted and persistent malware, addressing the attack continuum both during and after attacks. Integrated threat correlation with Cisco AMP for Endpoints is also optionally available |
| Cisco AMP Threat Grid sandboxing | Available |
| URL Filtering: number of categories | More than 80 |
| URL Filtering: number of URLs categorized | More than 280 million |
| Automated Malware Analysis Feed, Threat Feed, and IPS Signature Updates | Yes: Industry-leading Threat Intelligence from the Cisco Talos Threat Research Group (https://www.talosintelligence.com/) |
| Third-party and open-source ecosystem | Open API for integrations with third-party products; Snort® and OpenAppID community resources for new and specific threats |
| High availability and clustering | NGFWv: Active/Standby for ESXi and KVM. All other models: Active/standby; for Cisco Firepower 9300 intrachassis clustering of up to 5 chassis is allowed; Cisco Firepower 4100 Series allows clustering of up to 6 chassis |
| VLANs maximum | 1024 |
| Cisco Trust Anchor Technologies | NGFWv: -. All other models: ASA 5506-X, 5508-X, and 5516-X appliances, Firepower 2100 Series and Firepower 4100 Series and 9300 platforms include Trust Anchor Technologies for supply chain and software image assurance. Please see the section below for additional details |
Note: Throughput assumes HTTP sessions.
Cisco Firepower 2100 Series Hardware Specifications

Common to all 2100 Series models (2110, 2120, 2130, 2140):

| Feature | All 2100 models |
|---|---|
| Dimensions (H x W x D) | 1.73 x 16.90 x 19.76 in. (4.4 x 42.9 x 50.2 cm) |
| Form factor (rack units) | 1RU |
| Security module slots | - |
| Integrated network management ports | 1 x 10M/100M/1GBASE-T Ethernet port (RJ-45) |
| Serial port | 1 x RJ-45 console |
| USB | 1 x USB 2.0 Type-A (500mA) |
| AC input voltage | 100 to 240V AC |
| AC frequency | 50 to 60 Hz |
| Temperature: nonoperating | -4 to 149°F (-20 to 65°C) |
| Humidity: operating | 10 to 85% noncondensing |
| Humidity: nonoperating | 5 to 95% noncondensing |
| Altitude: nonoperating | 40,000 ft (max) |

Model-specific:

| Feature | 2110 | 2120 | 2130 | 2140 |
|---|---|---|---|---|
| I/O module slots | 0 | 0 | 1 NM slot | 1 NM slot |
| Integrated I/O | 12 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 4 x 1 Gigabit (SFP) Ethernet interfaces | 12 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 4 x 1 Gigabit (SFP) Ethernet interfaces | 12 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 4 x 10 Gigabit (SFP+) Ethernet interfaces | 12 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 4 x 10 Gigabit (SFP+) Ethernet interfaces |
| Network modules | None | None | (FPR-NM-8X10G) 8 x 10 Gigabit Ethernet Enhanced Small Form-Factor Pluggable (SFP+) network module | (FPR-NM-8X10G) 8 x 10 Gigabit Ethernet Enhanced Small Form-Factor Pluggable (SFP+) network module |
| Maximum number of interfaces | Up to 16 total Ethernet ports | Up to 16 total Ethernet ports | Up to 24 total Ethernet ports (12x1G RJ-45, 4x10G SFP+, and network module with 8x10G SFP+) | Up to 24 total Ethernet ports (12x1G RJ-45, 4x10G SFP+, and network module with 8x10G SFP+) |
| Storage | 1x 100 GB, 1x spare slot (for MSP) | 1x 100 GB, 1x spare slot (for MSP) | 1x 200 GB, 1x spare slot (for MSP) | 1x 200 GB, 1x spare slot (for MSP) |
| Power supply configuration | Single integrated 250W AC power supply | Single integrated 250W AC power supply | Single 400W AC, dual 400W AC optional. Single/dual 350W DC optional¹ | Dual 400W AC. Single/dual 350W DC optional¹ |
| AC maximum input current | < 2.7A at 100V | < 2.7A at 100V | < 6A at 100V | < 6A at 100V |
| AC maximum output power | 250W | 250W | 400W | 400W |
| AC efficiency | >88% at 50% load | >88% at 50% load | >89% at 50% load | >89% at 50% load |
| DC input voltage | - | - | -48V to -60VDC | -48V to -60VDC |
| DC maximum input current | - | - | < 12.5A at -48V | < 12.5A at -48V |
| DC maximum output power | - | - | 350W | 350W |
| DC efficiency | - | - | >88% at 50% load | >88% at 50% load |
| Redundancy | None | None | 1+1 AC or DC with dual supplies | 1+1 AC or DC with dual supplies |
| Fans | 4 integrated (2 internal, 2 exhaust) fans² | 4 integrated (2 internal, 2 exhaust) fans² | 1 hot-swappable fan module (with 4 fans)² | 1 hot-swappable fan module (with 4 fans)² |
| Noise | 56 dBA @ 25C; 74 dBA at highest system performance | 56 dBA @ 25C; 74 dBA at highest system performance | 56 dBA @ 25C; 77 dBA at highest system performance | 56 dBA @ 25C; 77 dBA at highest system performance |
| Rack mountable | Yes. Fixed mount brackets included | Yes. Fixed mount brackets included | Yes. Mount rails included | Yes. Mount rails included |
| Weight | 16.1 lb (7.3 kg): with 2x SSDs | 16.1 lb (7.3 kg): with 2x SSDs | 19.4 lb (8.8 kg): 1 x power supply, 1 x NM, 1 x fan module, 2x SSDs | 21 lb (9.53 kg): 2 x power supplies, 1 x NM, 1 x fan module, 2x SSDs |
| Temperature: operating | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) or NEBS operation (see below)³ | 32 to 104°F (0 to 40°C) |
| Altitude: operating | 10,000 ft (max) | 10,000 ft (max) | 10,000 ft (max) or NEBS operation (see below)³ | 10,000 ft (max) |

Note: The 2100 Series appliances may also be deployed as dedicated threat sensors with fail-to-wire network modules. Please contact your Cisco representative for details.

NEBS operation (FPR-2130 only)³: Operating altitude: 0 to 13,000 ft (3962 m). Operating temperature: long term 0 to 45°C up to 6,000 ft (1829 m); long term 0 to 35°C from 6,000 to 13,000 ft (1829 to 3964 m); short term -5 to 55°C up to 6,000 ft (1829 m).
Cisco Firepower 4100 Series Hardware Specifications

Common to all 4100 Series models (4110, 4120, 4140, 4150):

| Feature | All 4100 models |
|---|---|
| Dimensions (H x W x D) | 1.75 x 16.89 x 29.7 in. (4.4 x 42.9 x 75.4 cm) |
| Form factor (rack units) | 1RU |
| Security module slots | - |
| I/O module slots | 2 |
| Supervisor | Cisco Firepower 4000 Supervisor with 8 x 10 Gigabit Ethernet ports and 2 Network Module (NM) slots for I/O expansion |
| Network modules | 8 x 10 Gigabit Ethernet Enhanced Small Form-Factor Pluggable (SFP+) network modules; 4 x 40 Gigabit Ethernet Quad SFP+ network modules; 8-port 1Gbps copper, FTW (fail to wire) network module |
| Maximum number of interfaces | Up to 24 x 10 Gigabit Ethernet (SFP+) interfaces; up to 8 x 40 Gigabit Ethernet (QSFP+) interfaces with 2 network modules |
| Integrated network management ports | 1 Gigabit Ethernet; supports 1-G fiber or copper SFPs |
| Serial port | 1 x RJ-45 console |
| USB | 1 x USB 2.0 |
| AC input voltage | 100 to 240V AC |
| AC maximum input current | 13A |
| AC maximum output power | 1100W |
| AC frequency | 50 to 60 Hz |
| AC efficiency | >92% at 50% load |
| DC input voltage | -40V to -60VDC |
| DC maximum input current | 27A |
| DC maximum output power | 950W |
| DC efficiency | >92.5% at 50% load |
| Redundancy | 1+1 |
| Fans | 6 hot-swappable fans |
| Noise | 78 dBA |
| Rack mountable | Yes, mount rails included (4-post EIA-310-D rack) |
| Weight | 36 lb (16 kg): 2 x power supplies, 2 x NMs, 6x fans; 30 lb (13.6 kg): no power supplies, no NMs, no fans |
| Temperature: nonoperating | -40 to 149°F (-40 to 65°C) |
| Humidity: operating | 5 to 95% noncondensing |
| Humidity: nonoperating | 5 to 95% noncondensing |
| Altitude: nonoperating | 40,000 ft (max) |

Model-specific:

| Feature | 4110 | 4120 | 4140 | 4150 |
|---|---|---|---|---|
| Storage | 200 GB | 200 GB | 400 GB | 400 GB |
| Power supply configuration | Single 1100W AC, dual optional. Single/dual 950W DC optional¹ ² | Single 1100W AC, dual optional. Single/dual 950W DC optional¹ | Dual 1100W AC¹ | Dual 1100W AC¹ |
| Temperature: operating | 32 to 104°F | 32 to 104°F | 32 to 95°F (0 to 35°C), at sea level | 32 to 95°F (0 to 35°C), at sea level |
| Altitude: operating | 10,000 ft (max) | 10,000 ft (max) or NEBS operation (see below) | 10,000 ft (max) | 10,000 ft (max) |

Note: Firepower 4100 Series appliances may also be deployed as dedicated threat sensors, with fail-to-wire network modules. Please contact your Cisco representative for details.

NEBS operation (FPR 4120 only): Operating altitude: 0 to 13,000 ft (3960 m). Operating temperature: long term 0 to 45°C up to 6,000 ft (1829 m); long term 0 to 35°C from 6,000 to 13,000 ft (1829 to 3964 m); short term -5 to 50°C up to 6,000 ft (1829 m).
Cisco Firepower 9300 Hardware Specifications

| Specification | Description |
|---|---|
| Dimensions (H x W x D) | 5.25 x 17.5 x 32 in. (13.3 x 44.5 x 81.3 cm) |
| Form factor | 3 Rack Units (3RU), fits standard 19-in. (48.3-cm) square-hole rack |
| Security module slots | 3 |
| Network module slots | 2 (within supervisor) |
| Supervisor | Cisco Firepower 9000 Supervisor with 8 x 10 Gigabit Ethernet ports and 2 network module slots for I/O expansion |
| Security modules | Cisco Firepower 9000 Security Module 24 with 2 x SSDs in RAID-1 configuration; Cisco Firepower 9000 Security Module 36 with 2 x SSDs in RAID-1 configuration |
| Network modules | 8 x 10 Gigabit Ethernet Enhanced Small Form-Factor Pluggable (SFP+) network modules; 4 x 40 Gigabit Ethernet Quad SFP+ network modules; 2 x 100 Gigabit Ethernet Quad SFP28 network modules (double-wide, occupies both network module bays) |
| Maximum number of interfaces | Up to 24 x 10 Gigabit Ethernet (SFP+) interfaces; up to 8 x 40 Gigabit Ethernet (QSFP+) interfaces with 2 network modules |
| Integrated network management ports | 1 Gigabit Ethernet; supports 1-G fiber or copper SFPs |
| Serial port | 1 x RJ-45 console |
| USB | 1 x USB 2.0 |
| Storage | Up to 2.4 TB per chassis (800 GB per security module in RAID-1 configuration) |
| Redundancy | 1+1 |
| Fans | 4 hot-swappable fans |
| Noise | 75.5 dBA at maximum fan speed |
| Rack mountable | Yes, mount rails included (4-post EIA-310-D rack) |
| Weight | 105 lb (47.7 kg) with one security module; 135 lb (61.2 kg) fully configured |
| Temperature: standard operating | Up to 10,000 ft (3000 m): 32 to 104°F (0 to 40°C) for SM-24 module; 32 to 88°F (0 to 35°C) for SM-36 module at sea level. Altitude adjustment notes: for SM-36, maximum temp is 35°C; for every 1000 feet above sea level subtract 1°C |
| Temperature: NEBS operating | Long term: 0 to 45°C, up to 6,000 ft (1829 m). Long term: 0 to 35°C, 6,000 to 13,000 ft (1829-3964 m). Short term: -5 to 55°C, up to 6,000 ft (1829 m). Note: Cisco Firepower 9300 NEBS compliance applies only to SM-24 configurations. |
| Temperature: nonoperating | -40 to 149°F (-40 to 65°C); maximum altitude is 40,000 ft |
| Humidity: operating | 5 to 95% noncondensing |
| Humidity: nonoperating | 5 to 95% noncondensing |
| Altitude: operating | SM-24: 0 to 13,000 ft (3962 m). SM-36: 0 to 10,000 ft (3048 m); please see the Operating Temperature row above for temperature adjustment notes |
| Altitude: nonoperating | 40,000 ft (12,192 m) |

Note: Firepower 9300 may also be deployed as a dedicated threat sensor, with fail-to-wire network modules. Please contact your Cisco representative for details.

Power supplies:

| Specification | AC power supply | -48V DC power supply | HVDC power supply |
|---|---|---|---|
| Input voltage | 200 to 240V AC | -40V to -60V DC* | 240 to 380V DC |
| Maximum input current | 15.5A to 12.9A | 69A to 42A | <14A at 200V |
| Maximum output power | 2500W | 2500W | 2500W |
| Frequency | 50 to 60 Hz | - | - |
| Efficiency (at 50% load) | 92% | 92% | 92% |
For more specifications
https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/datasheet-c78-736661.html
HTH
Abheesh
11-08-2018 11:42 PM
I would recommend the FPR21xx series. It has FPR2110, FPR2120, FPR2130, FPR2140.
FPR2130 and FPR2140 support 10G interfaces. FPR2110/2120 do not support 10G.
Moreover, all 4 units support either the ASA image or the FTD (NGFW) image.
Initially you can choose to load the ASA image with the same configuration as the ASA55xx platform; later you can migrate to the FTD (NGFW) image.