© 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 15
Contain known and unknown malware with leading Cisco® Advanced Malware Protection (AMP) and sandboxing.
Gain superior visibility into your environment with Cisco Firepower next-gen IPS.
Automated risk rankings and impact flags identify priorities for your team.
Detect earlier, act faster
The Cisco Annual Security Report identifies a 100-day median time from infection to detection, across enterprises.
Reduce this time to less than a day.
Get unified management and automated threat correlation across tightly integrated security functions, including
application firewalling, NGIPS, and AMP.
Get more from your network
Enhance security, and take advantage of your existing investments, with optional integration of other Cisco and
third-party networking and security solutions.
Cisco ASA 5500-FTD-X Model
9300 with 3 SM-44 Modules
Throughput: FW + AVC (Cisco Firepower Threat Defense)¹
Throughput: FW + AVC + NGIPS (Cisco Firepower Threat Defense)¹
Cisco Firepower NGFW
The Cisco Firepower® NGFW (next-generation firewall) is the industry’s first fully
integrated, threat-focused next-gen firewall with unified management. It uniquely
provides advanced threat protection before, during, and after attacks.
Performance Highlights
Table 1 summarizes the performance highlights of the Cisco Firepower 4100 Series NGFW, 9300 Series Security
Appliances, and select Cisco ASA 5500-X appliances.
Table 1. Performance Highlights
¹ HTTP sessions with an average packet size of 1024 bytes
² 1024 bytes TCP firewall performance
Note: NGFW performance varies depending on network and traffic characteristics. Consult your Cisco representative for
detailed sizing guidance. Performance is subject to change with new software releases.
Cisco Firepower 4100 Series: The industry’s first 1RU NGFWs with 40-Gbps interfaces
Cisco Firepower 9300: Ultra-high-performance NGFW, expandable as your needs grow
Cisco ASA 5500-X Series: Models for branch offices, industrial applications, and the Internet edge
Cisco Firepower 2100 Series: The industry’s first 1RU NGFWs delivering sustainable performance when threat inspection is enabled
Platform Support
The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional next-gen IPS (NGIPS),
Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 2100 Series,
4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image. Alternatively, the
Cisco Firepower 4100 Series and 9300 appliances can support the Cisco Adaptive Security Appliance (ASA)
software image.
The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco
Firepower NGFW, as well as Cisco Firepower NGIPS and Cisco AMP for Networks.
The Cisco Firepower Device Manager is available for local management of 2100 Series and 5500-X Series devices
running the Cisco Firepower Threat Defense software image.
The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 4100
Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.
Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across
Cisco security devices.
Also available, on select Cisco Firepower appliances, and direct from Cisco, is the Radware Virtual DefensePro
(vDP) distributed denial of service (DDoS) mitigation capability.
Cisco ASA 5500-FTD-X Model
9300 with 3 Clustered SM-44 Modules
Maximum concurrent sessions, with AVC
Maximum new connections per second, with AVC
Cisco Firepower 2100 Series Appliances
The Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver business
resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat
functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that
optimizes firewall, cryptographic, and threat inspection functions simultaneously. The series’ firewall throughput
ranges from 1.9 to 8.5 Gbps, addressing use cases from the Internet edge to the data center.
Cisco Firepower 4100 Series Appliances
The Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput
ranges from 35 to 75 Gbps, addressing data center use cases. They deliver superior threat defense, at faster
speeds, with a smaller footprint.
Cisco Firepower 9300 Security Appliance
The Cisco Firepower 9300 is a scalable (beyond 1 Tbps when clustered), carrier-grade, modular platform designed
for service providers, high-performance computing centers, large data centers, campuses, high-frequency trading
environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional
throughput. Cisco Firepower 9300 supports flow-offloading, programmatic orchestration, and the management of
security services with RESTful APIs. It is also available in Network Equipment Building Standards (NEBS)-compliant configurations.
Cisco ASA 5500-FTD-X Series Appliances
The Cisco ASA 5500-FTD-X Series is a family of eight threat-focused NGFW security platforms. Their throughput
ranges from 750 Mbps to 4 Gbps, addressing use cases from the small or branch office to the Internet edge. They
deliver superior threat defense in a cost-effective footprint.
Performance Specifications and Feature Highlights
Table 2 summarizes the capabilities of the Cisco Firepower NGFW 4100 Series and 9300 appliances and the
Cisco ASA 5500-FTD-X appliances when running the Cisco Firepower Threat Defense image.
Table 2. Performance Specifications and Feature Highlights with the Firepower Threat Defense Image
Cisco Firepower Device Manager (local management)
Centralized configuration, logging, monitoring, and reporting are performed by the Management Center or alternatively in the cloud with Cisco Defense Orchestrator.
Application Visibility and Control (AVC): Standard, supporting more than 4000 applications, as well as geolocations, users, and websites
AVC: OpenAppID support for custom, open source, application detectors
Cisco Security Intelligence: Standard, with IP, URL, and DNS threat intelligence
Available; can passively detect endpoints and infrastructure for threat correlation and indicators of compromise (IoC) intelligence
Available; enables detection, blocking, tracking, analysis, and containment of targeted and persistent malware, addressing the attack continuum both during and after attacks. Integrated threat correlation with Cisco AMP for Endpoints is also optionally available
Cisco AMP Threat Grid sandboxing
URL Filtering: number of categories
URL Filtering: number of URLs categorized
Automated threat feed and IPS signature updates: Yes: class-leading Collective Security Intelligence (CSI) from the Cisco Talos Group (http://www.cisco.com/c/en/us/products/security/talos.html)
Third-party and open-source ecosystem: Open API for integrations with third-party products; Snort® and OpenAppID community resources for new and specific threats
High availability and clustering: Active/standby; for Cisco Firepower 9300 intrachassis clustering of up to 5 chassis is allowed; Cisco Firepower 4100 Series allows clustering of up to 16 chassis.
Cisco Trust Anchor Technologies: ASA 5506-X, 5508-X, and 5516-X appliances, Firepower 2100 Series and Firepower 4100 Series and 9300 platforms include Trust Anchor Technologies for supply chain and software image assurance. Please see the section below for additional details.
9300 with 3 SM-44 Modules
Stateful inspection firewall throughput¹
Stateful inspection firewall throughput (multiprotocol)²
Concurrent firewall connections
Firewall latency (UDP 64B microseconds)
New connections per second
IPsec/Cisco AnyConnect/Apex site-to-site VPN peers
¹ HTTP sessions with an average packet size of 1024 bytes.
Note: Performance will vary depending on features activated and network traffic protocol mix and packet size
characteristics. Performance is subject to change with new software releases. Consult your Cisco representative
for detailed sizing guidance.
Table 3 summarizes the performance and capabilities of the Cisco Firepower 4100 Series and 9300 appliances
when running the ASA image. For Cisco ASA 5500-X Series performance specifications with the ASA image,
please visit the Cisco ASA with FirePOWER Services data sheet.
Table 3. ASA Performance and Capabilities