Selection criteria for Cisco ASA model

Hi Team,

I would like to understand the rationale behind the Cisco ASA model selection i.e. which parameters to be considered to select the ASA for an enterprise customer.

How do we find stateful throughput (with multi-protocol)? How do we calculate the concurrent sessions or connections per second?

Kindly suggest.

Regards


Marvin Rhoads
Hall of Fame

The numbers are generally based on getting a feel for current traffic levels by observing them over time.

If there's no network management system in place then you can use less empirical methods such as asking the customer what the Internet link speed is and basing your selection on that. We typically only get into analysis of connections per second in high volume environments where that metric becomes important - for instance e-commerce or significant customer-facing web sites with a lot of transactional processing passing through the firewall.

Also, if you plan to use an ASA with FirePOWER service modules be sure to consider their performance as well. It's not the same as the parent ASA.

Your Cisco or partner systems engineer (SE) should be able to assist you in all the above.

thanks Marvin. Appreciate your inputs.

Based on your first input, i.e. observing current traffic levels, how do we establish the relevant models?

Also, how do we select a specific model based on Internet speed? Cisco data sheet for ASA does not provide any criteria based on Internet speed. Is there any matrix which shows mapping to the number of users accessing internet etc?

Thanks in advance.

I advocate keeping it simple.

If the customer has (for example) 1 Gbps upstream, I recommend a firewall capable of at least 1 Gbps. That's unless they can tell me based on monitoring or some other data that they never use more than some smaller number - say 100 Mbps maximum usage and no plans to add users etc. that would give them reason to think that will change significantly.

The product data sheet (table 2 in the link below) has throughput listed:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html?cachemode=refresh

The use cases for ASAs are many but I am using the most common example for purposes of discussion - ASA as the perimeter firewall with outside interface being connected to the customer's Internet service. As I noted, your local SE should be discussing your exact use case to help you make a well-informed decision.

It's usually not productive to start counting number of users (except for things like VPN licenses) because the traffic per user can vary widely.

A call center with 1000 users who do nothing but interact with an application that's a single set of web pages hosted on a remote system will have quite different Internet usage than a college with 1000 students doing both class work and living in dormitories and streaming media all night long. 

thanks once again Marvin.

I will try to collect the data and work on the appropriate ASA models.

One last query - 

If we are refreshing the existing EOS (end of support) models of ASA, are there any specific considerations to look for?

Regards

When refreshing the EOS models, we consider what features and licenses are currently in use and evaluate the current product offerings in that light.

Two most common items would be:

1. The presence or use of the legacy IPS or CX module (replaced by FirePOWER)

2. If and how remote access VPN is being used. Any new remote access VPN should be SSL VPN (AnyConnect-based) and licensing should be taken into consideration for that.

Other things are considerations about the new model - i.e. the 5512-X and 5515-X have EoS announcements themselves in favor of the 5516-X. The 5585-X (with FirePOWER module) likewise. So look at the FirePOWER 2100 series (FTD only) and 4100 series (ASA or FTD images) if higher-end throughput is a factor. That reminds me to also consider the possible applicability of the FTD vs. ASA image type if the customer environment is best suited for that.

The above are the top of my head considerations a good SE would have in mind when proposing new hardware for a customer.

When sizing a firewall across different models, which throughput should be considered?


1. throughput with AVC
2. Throughput with AVC and IPS
3. Stateful inspection Throughput
4. Stateful inspection throughput (with multiprotocol)

Regards

It depends on what features you plan to use. If you are unsure, please work with your reseller.

If you are a reseller, you can contact Partner Helpdesk and they can guide you through a series of inputs and tell you the utilization of the various ASA models given the parameters you are able to provide.
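The sizing approach from Marvin's replies (observe traffic over time, size to the link unless monitoring shows sustained lower usage, and read the throughput column that matches the features in use) can be written down as a small calculator. This is an added example, not code from the thread or from Cisco; the polled samples and the candidate capacities are constructed placeholders, not data-sheet numbers.

```python
"""Added sizing helper (not Cisco's code): turn polled interface and connection
counters into a requirement and pick the smallest candidate that meets it."""
from dataclasses import dataclass

# Constructed 5-minute polls: (time_s, total_bytes, current_conns, new_conns).
# total_bytes is a 64-bit counter that wraps between the first two polls.
SAMPLES = [
    (0,   2**64 - 3_750_000_000, 18_000, 0),
    (300, 3_750_000_000,         24_000, 450_000),   # 200 Mbps, 1500 cps
    (600, 15_000_000_000,        30_000, 600_000),   # 300 Mbps, 2000 cps
    (900, 18_750_000_000,        22_000, 300_000),   # 100 Mbps, 1000 cps
]

@dataclass
class Candidate:  # throughput columns mirror the ones listed in the question
    name: str
    stateful_mbps: int
    avc_mbps: int
    avc_ips_mbps: int
    max_conns: int
    cps: int

CANDIDATES = [  # placeholders, smallest first; fill from the real data sheet
    Candidate("small-placeholder", 300, 150, 100, 50_000, 5_000),
    Candidate("medium-placeholder", 1000, 500, 300, 250_000, 20_000),
    Candidate("large-placeholder", 3000, 1500, 1000, 1_000_000, 50_000),
]

def observed_peaks(samples):
    """Peak Mbps, peak concurrent connections and peak CPS across the polls."""
    mbps, cps = [], []
    for (t0, b0, _, _), (t1, b1, _, new) in zip(samples, samples[1:]):
        secs = t1 - t0
        mbps.append(((b1 - b0) % 2**64) * 8 / secs / 1e6)  # wrap-safe delta
        cps.append(new / secs)
    return max(mbps), max(c for _, _, c, _ in samples), max(cps)

def required_mbps(peak_mbps, link_mbps, headroom=1.25):
    """Size to the link unless monitoring shows less; keep growth headroom."""
    return link_mbps if peak_mbps is None else min(link_mbps, peak_mbps * headroom)

def select_model(need_mbps, need_conns, need_cps, features=frozenset()):
    """Pick the throughput column by features in use, then the smallest fit."""
    col = ("avc_ips_mbps" if {"avc", "ips"} <= features
           else "avc_mbps" if "avc" in features else "stateful_mbps")
    for c in CANDIDATES:
        if getattr(c, col) >= need_mbps and c.max_conns >= need_conns and c.cps >= need_cps:
            return c.name
    return None  # nothing in the list fits; look at a larger platform
```

Enabling AVC and IPS moves the same 375 Mbps requirement from the medium to the large placeholder, which is the point of the "which throughput" question above.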
