Cisco Firepower 2110 User Manual

© 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 15
Data Sheet
Stop more threats
Contain known and unknown malware with leading Cisco® Advanced Malware Protection (AMP) and sandboxing.
Gain more insight
Gain superior visibility into your environment with Cisco Firepower next-gen IPS. Automated risk rankings and impact flags identify priorities for your team.
Detect earlier, act faster
The Cisco Annual Security Report identifies a 100-day median time from infection to detection, across enterprises. Reduce this time to less than a day.
Reduce complexity
Get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.
Get more from your network
Enhance security, and take advantage of your existing investments, with optional integration of other Cisco and third-party networking and security solutions.
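| Platform | Model | Throughput: FW + AVC (Cisco Firepower Threat Defense) [1] | Throughput: FW + AVC + NGIPS (Cisco Firepower Threat Defense) [1] |
|---|---|---|---|
| Cisco Firepower | 2110 | 1.9 Gbps | 1.9 Gbps |
| Cisco Firepower | 2120 | 3 Gbps | 3 Gbps |
| Cisco Firepower | 2130 | 4.75 Gbps | 4.75 Gbps |
| Cisco Firepower | 2140 | 8.5 Gbps | 8.5 Gbps |
| Cisco Firepower | 4110 | 12 Gbps | 10 Gbps |
| Cisco Firepower | 4120 | 20 Gbps | 15 Gbps |
| Cisco Firepower | 4140 | 25 Gbps | 20 Gbps |
| Cisco Firepower | 4150 | 30 Gbps | 24 Gbps |
| Cisco Firepower | 9300 with 1 SM-24 Module | 30 Gbps | 24 Gbps |
| Cisco Firepower | 9300 with 1 SM-36 Module | 42 Gbps | 34 Gbps |
| Cisco Firepower | 9300 with 1 SM-44 Module | 54 Gbps | 53 Gbps |
| Cisco Firepower | 9300 with 3 SM-44 Modules | 135 Gbps | 133 Gbps |
| Cisco ASA 5500-FTD-X | 5506-FTD-X | 250 Mbps | 125 Mbps |
| Cisco ASA 5500-FTD-X | 5506W-FTD-X | 250 Mbps | 125 Mbps |
| Cisco ASA 5500-FTD-X | 5506H-FTD-X | 250 Mbps | 125 Mbps |
| Cisco ASA 5500-FTD-X | 5508-FTD-X | 450 Mbps | 250 Mbps |
| Cisco ASA 5500-FTD-X | 5516-FTD-X | 850 Mbps | 450 Mbps |
| Cisco ASA 5500-FTD-X | 5525-FTD-X | 1100 Mbps | 650 Mbps |
| Cisco ASA 5500-FTD-X | 5545-FTD-X | 1500 Mbps | 1000 Mbps |
| Cisco ASA 5500-FTD-X | 5555-FTD-X | 1750 Mbps | 1250 Mbps |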
Cisco Firepower NGFW
The Cisco Firepower® NGFW (next-generation firewall) is the industry’s first fully integrated, threat-focused next-gen firewall with unified management. It uniquely provides advanced threat protection before, during, and after attacks.
Performance Highlights
Table 1 summarizes the performance highlights of the Cisco Firepower 4100 Series NGFW, 9300 Series Security Appliances, and select Cisco ASA 5500-X appliances.
Table 1. Performance Highlights
[1] HTTP sessions with an average packet size of 1024 bytes
[2] 1024 bytes TCP firewall performance
Note: NGFW performance varies depending on network and traffic characteristics. Consult your Cisco representative for detailed sizing guidance. Performance is subject to change with new software releases.
Cisco Firepower 4100 Series: The industry’s first 1RU NGFWs with 40-Gbps interfaces
Cisco Firepower 9300: Ultra-high-performance NGFW, expandable as your needs grow
Cisco ASA 5500-X Series: Models for branch offices, industrial applications, and the Internet edge
Cisco Firepower 2100 Series: The industry’s first 1RU NGFWs delivering sustainable performance when threat inspection is enabled
Platform Support
The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional next-gen IPS (NGIPS), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image. Alternatively, the Cisco Firepower 4100 Series and 9300 appliances can support the Cisco Adaptive Security Appliance (ASA) software image.
The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco Firepower NGFW, as well as Cisco Firepower NGIPS and Cisco AMP for Networks.
The Cisco Firepower Device Manager is available for local management of 2100 Series and 5500-X Series devices running the Cisco Firepower Threat Defense software image.
The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 4100 Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.
Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across Cisco security devices.
Also available, on select Cisco Firepower appliances, and direct from Cisco, is the Radware Virtual DefensePro (vDP) distributed denial of service (DDoS) mitigation capability.
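| Platform | Model | Throughput: FW + AVC [1] | Throughput: AVC + IPS [1] | Maximum concurrent sessions, with AVC | Maximum new connections per second, with AVC |
|---|---|---|---|---|---|
| Cisco Firepower | 2110 | 1.9 Gbps | 1.9 Gbps | 1 million | 12,000 |
| Cisco Firepower | 2120 | 3 Gbps | 3 Gbps | 1.2 million | 16,000 |
| Cisco Firepower | 2130 | 4.75 Gbps | 4.75 Gbps | 2 million | 24,000 |
| Cisco Firepower | 2140 | 8.5 Gbps | 8.5 Gbps | 3.5 million | 40,000 |
| Cisco Firepower | 4110 | 12 Gbps | 10 Gbps | 9 million | 68,000 |
| Cisco Firepower | 4120 | 20 Gbps | 15 Gbps | 15 million | 120,000 |
| Cisco Firepower | 4140 | 25 Gbps | 20 Gbps | 25 million | 160,000 |
| Cisco Firepower | 4150 | 30 Gbps | 24 Gbps | 30 million | 200,000 |
| Cisco Firepower | 9300 with 1 SM-24 Module | 30 Gbps | 24 Gbps | 30 million | 120,000 |
| Cisco Firepower | 9300 with 1 SM-36 Module | 42 Gbps | 34 Gbps | 30 million | 160,000 |
| Cisco Firepower | 9300 with 1 SM-44 Module | 54 Gbps | 53 Gbps | 30 million | 300,000 |
| Cisco Firepower | 9300 with 3 Clustered SM-44 Modules | 135 Gbps | 133 Gbps | 60 million | 900,000 |
| Cisco ASA 5500-FTD-X | 5506-FTD-X | 250 Mbps | 125 Mbps | 20,000 | 3,000 |
| Cisco ASA 5500-FTD-X | 5506W-FTD-X | 250 Mbps | 125 Mbps | 20,000 | 3,000 |
| Cisco ASA 5500-FTD-X | 5506H-FTD-X | 250 Mbps | 125 Mbps | 20,000 | 3,000 |
| Cisco ASA 5500-FTD-X | 5508-FTD-X | 450 Mbps | 250 Mbps | 100,000 | 7,000 |
| Cisco ASA 5500-FTD-X | 5516-FTD-X | 850 Mbps | 450 Mbps | 250,000 | 8,000 |
| Cisco ASA 5500-FTD-X | 5525-FTD-X | 1100 Mbps | 650 Mbps | 500,000 | 10,000 |
| Cisco ASA 5500-FTD-X | 5545-FTD-X | 1500 Mbps | 1000 Mbps | 750,000 | 15,000 |
| Cisco ASA 5500-FTD-X | 5555-FTD-X | 1750 Mbps | 1250 Mbps | 1,000,000 | 20,000 |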
Cisco Firepower 2100 Series Appliances
The Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that optimizes firewall, cryptographic, and threat inspection functions simultaneously. The series’ firewall throughput ranges from 1.9 to 8.5 Gbps, addressing use cases from the Internet edge to the data center.
Cisco Firepower 4100 Series Appliances
The Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput ranges from 35 to 75 Gbps, addressing data center use cases. They deliver superior threat defense, at faster speeds, with a smaller footprint.
Cisco Firepower 9300 Security Appliance
The Cisco Firepower 9300 is a scalable (beyond 1 Tbps when clustered), carrier-grade, modular platform designed for service providers, high-performance computing centers, large data centers, campuses, high-frequency trading environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional throughput. Cisco Firepower 9300 supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. It is also available in Network Equipment Building Standards (NEBS)-compliant configurations.
Cisco ASA 5500-FTD-X Series Appliances
The Cisco ASA 5500-FTD-X Series is a family of eight threat-focused NGFW security platforms. Their throughput ranges from 750 Mbps to 4 Gbps, addressing use cases from the small or branch office to the Internet edge. They deliver superior threat defense in a cost-effective footprint.
Performance Specifications and Feature Highlights
Table 2 summarizes the capabilities of the Cisco Firepower NGFW 4100 Series and 9300 appliances and the Cisco ASA 5500-FTD-X appliances when running the Cisco Firepower Threat Defense image.
Table 2. Performance Specifications and Feature Highlights with the Firepower Threat Defense Image
| Feature | Details |
|---|---|
| Cisco Firepower Device Manager (local management) | Yes: Cisco Firepower 2110, 2120, 2130, 2140 and Cisco ASA 5506-FTD-X, 5506W-FTD-X, 5506H-FTD-X, 5508-FTD-X, 5516-FTD-X, 5525-FTD-X, 5545-FTD-X, 5555-FTD-X. -: Cisco Firepower 4110, 4120, 4140, 4150, 9300 with 1 SM-24 Module, 9300 with 1 SM-36 Module, 9300 with 1 SM-44 Module, 9300 with 3 Clustered SM-44 Modules |
| Centralized management | Centralized configuration, logging, monitoring, and reporting are performed by the Management Center or alternatively in the cloud with Cisco Defense Orchestrator. |
| Application Visibility and Control (AVC) | Standard, supporting more than 4000 applications, as well as geolocations, users, and websites |
| AVC: OpenAppID support for custom, open source, application detectors | Standard |
| Cisco Security Intelligence | Standard, with IP, URL, and DNS threat intelligence |
| Cisco Firepower NGIPS | Available; can passively detect endpoints and infrastructure for threat correlation and indicators of compromise (IoC) intelligence |
| Cisco AMP for Networks | Available; enables detection, blocking, tracking, analysis, and containment of targeted and persistent malware, addressing the attack continuum both during and after attacks. Integrated threat correlation with Cisco AMP for Endpoints is also optionally available |
| Cisco AMP Threat Grid sandboxing | Available |
| URL Filtering: number of categories | More than 80 |
| URL Filtering: number of URLs categorized | More than 280 million |
| Automated threat feed and IPS signature updates | Yes: class-leading Collective Security Intelligence (CSI) from the Cisco Talos Group (http://www.cisco.com/c/en/us/products/security/talos.html) |
| Third-party and open-source ecosystem | Open API for integrations with third-party products; Snort® and OpenAppID community resources for new and specific threats |
| High availability and clustering | Active/standby; for Cisco Firepower 9300 intrachassis clustering of up to 5 chassis is allowed; Cisco Firepower 4100 Series allows clustering of up to 16 chassis. |
| VLANs maximum | 1024 |
| Cisco Trust Anchor Technologies | ASA 5506-X, 5508-X, and 5516-X appliances, Firepower 2100 Series and Firepower 4100 Series and 9300 platforms include Trust Anchor Technologies for supply chain and software image assurance. Please see the section below for additional details. |
| Features | 4110 | 4120 | 4140 | 4150 | 9300 with 1 SM-24 Module | 9300 with 1 SM-36 Module | 9300 with 1 SM-44 Module | 9300 with 3 SM-44 Modules |
|---|---|---|---|---|---|---|---|---|
| Stateful inspection firewall throughput [1] | 35 Gbps | 60 Gbps | 70 Gbps | 75 Gbps | 75 Gbps | 80 Gbps | 80 Gbps | 234 Gbps |
| Stateful inspection firewall throughput (multiprotocol) [2] | 15 Gbps | 30 Gbps | 40 Gbps | 50 Gbps | 50 Gbps | 60 Gbps | 60 Gbps | 130 Gbps |
| Concurrent firewall connections | 10 million | 15 million | 25 million | 35 million | 55 million | 60 million | 60 million | 70 million |
| Firewall latency (UDP 64B microseconds) | 3.5 | 3.5 | 3.5 | 3.5 | 3.5 | 3.5 | 3.5 | 3.5 |
| New connections per second | 150,000 | 250,000 | 350,000 | 800,000 | 800,000 | 1.2 million | 1.8 million | 4 million |
| Security contexts [3] | 250 | 250 | 250 | 250 | 250 | 250 | 250 | 250 |
| Virtual interfaces | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| IPsec VPN throughput | 8 Gbps | 10 Gbps | 14 Gbps | 15 Gbps | 15 Gbps | 18 Gbps | 20 Gbps | 60 Gbps [4] |
| IPsec/Cisco AnyConnect/Apex site-to-site VPN peers | 10,000 | 15,000 | 20,000 | 20,000 | 20,000 | 20,000 | 20,000 | 60,000 [4] |
| Maximum number of VLANs | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
[1] HTTP sessions with an average packet size of 1024 bytes.
Note: Performance will vary depending on features activated and network traffic protocol mix and packet size characteristics. Performance is subject to change with new software releases. Consult your Cisco representative for detailed sizing guidance.
Table 3 summarizes the performance and capabilities of the Cisco Firepower 4100 Series and 9300 appliances when running the ASA image. For Cisco ASA 5500-X Series performance specifications with the ASA image, please visit the Cisco ASA with FirePOWER Services data sheet.
Table 3. ASA Performance and Capabilities