Cisco Firepower 2110 User Manual

Data Sheet

Stop more threats

Contain known and unknown malware with leading Cisco® Advanced Malware Protection (AMP) and sandboxing.

Gain more insight

Gain superior visibility into your environment with Cisco Firepower next-gen IPS. Automated risk rankings and impact flags identify priorities for your team.

Detect earlier, act faster

The Cisco Annual Security Report identifies a 100-day median time from infection to detection, across enterprises. Reduce this time to less than a day.

Reduce complexity

Get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.

Get more from your network

Enhance security, and take advantage of your existing investments, with optional integration of other Cisco and third-party networking and security solutions.

Features

Cisco Firepower Model

Cisco ASA 5500-FTD-X Model

2110

2120

2130

2140

4110

4120

4140

4150

9300 with 1 SM24 Module

9300 with 1 SM36 Module

9300 with 1 SM44 Module

9300 with 3 SM-44 Modules

5506FTD-X

5506WFTD-X

5506HFTD-X

5508FTD-X

5516FTD-X

5525FTD-X

5545FTD-X

5555FTD-X

Throughput FW + AVC (Cisco Firepower Threat Defense)1

1.9 Gbps 3 Gbps

4.75 Gbps

8.5 Gbps

12 Gbps

20 Gbps

25 Gbps

30 Gbps

42 Gbps

54 Gbps

135 Gbps

250 Mbps

450 Mbps

850 Mbps

1100 Mbps

1500 Mbps

1750 Mbps

Throughput: FW + AVC + NGIPS (Cisco Firepower Threat Defense)1

1.9 Gbps 3 Gbps

4.75 Gbps

8.5 Gbps

10 Gbps

15 Gbps

20 Gbps

24 Gbps

34 Gbps

53 Gbps

133 Gbps

125 Mbps

250 Mbps

450 Mbps

650 Mbps

1000 Mbps

1250 Mbps

Cisco Firepower NGFW

The Cisco Firepower® NGFW (next-generation firewall) is the industry’s first fully integrated, threat-focused next-gen firewall with unified management. It uniquely provides advanced threat protection before, during, and after attacks.

Performance Highlights

Table 1 summarizes the performance highlights of the Cisco Firepower 4100 Series NGFW, 9300 Series Security Appliances, and select Cisco ASA 5500-X appliances.

Table 1. Performance Highlights

1

HTTP sessions with an average packet size of 1024 bytes

2

1024 bytes TCP firewall performance

Note: NGFW performance varies depending on network and traffic characteristics. Consult your Cisco representative for

detailed sizing guidance. Performance is subject to change with new software releases.

Cisco Firepower 4100 Series:

The industry’s first 1RU NGFWs with 40-Gbps

interfaces

Cisco Firepower 9300:

Ultra-high-performance NGFW, expandable as your

needs grow

Cisco ASA 5500-X Series:

Models for branch offices, industrial applications, and the Internet edge

Cisco Firepower 2100 Series: The industry’s first 1RU NGFWs delivering sustainable performance when threat inspection is enabled

Platform Support

The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional next-gen IPS (NGIPS), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image. Alternatively, the Cisco Firepower 4100 Series and 9300 appliances can support the Cisco Adaptive Security Appliance (ASA) software image.

The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco

Firepower NGFW, as well as Cisco Firepower NGIPS and Cisco AMP for Networks. The Cisco Firepower Device Manager is available for local management of 2100 Series and 5500-X Series devices

running the Cisco Firepower Threat Defense software image. The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 4100

Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.

Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across

Cisco security devices. Also available, on select Cisco Firepower appliances, and direct from Cisco, is the Radware Virtual DefensePro

(vDP) distributed denial of service (DDoS) mitigation capability.

Features

Cisco Firepower Model

Cisco ASA 5500-FTD-X Model

2110

2120

2130

2140

4110

4120

4140

4150

9300 with 1 SM-24 Module

9300 with 1 SM-36 Module

9300 with 1 SM-44 Module

9300 with 3 Cluster ed SM-44 Modules

5506FTD-X

5506WFTD-X

5506HFTD-X

5508FTD-X

5516FTD-X

5525FTD-X

5545FTD-X

5555FTD-X

Throughput: FW + AVC1

1.9

Gbps 3 Gbps

4.75

Gbps

8.5

Gbps

12

Gbps

20

Gbps

25

Gbps

30

Gbps

30

Gbps

42

Gbps

54

Gbps

135 Gbps

250

Mbps

250

Mbps

250

Mbps

450

Mbps

850

Mbps

1100

Mbps

1500

Mbps

1750

Mbps

Throughput: AVC + IPS1

1.9

Gbps 3 Gbps

4.75

Gbps

8.5

Gbps

10

Gbps

15

Gbps

20

Gbps

24

Gbps

24

Gbps

34

Gbps

53

Gbps

133 Gbps

125

Mbps

125

Mbps

125

Mbps

250

Mbps

450

Mbps

650

Mbps

1000

Mbps

1250

Mbps

Maximum concurrent sessions, with AVC

1

million

1.2

million 2 million

3.5

million 9 million

15

million

25

million

30

million

30

million

30

million

30

million

60 million

20,000

100,000

250,000

500,000

750,000

1,000,000

Maximum new connections per second, with AVC

12,000

16,000

24,000

40,000

68,000

120,000

160,000

200,000

120,000

160,000

300,000

900,000

3,000

7,000

8,000

10,000

15,000

20,000

Cisco Firepower 2100 Series Appliances

The Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that optimizes firewall, cryptographic, and threat inspection functions simultaneously. The series’ firewall throughput ranges from 1.9 to 8.5 Gbps, addressing use cases from the Internet edge to the data center.

Cisco Firepower 4100 Series Appliances

The Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput ranges from 35 to 75 Gbps, addressing data center use cases. They deliver superior threat defense, at faster speeds, with a smaller footprint.

Cisco Firepower 9300 Security Appliance

The Cisco Firepower 9300 is a scalable (beyond 1 Tbps when clustered), carrier-grade, modular platform designed for service providers, high-performance computing centers, large data centers, campuses, high-frequency trading environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional throughput. Cisco Firepower 9300 supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. It is also available in Network Equipment Building Standards (NEBS)compliant configurations.

Cisco ASA 5500-FTD-X Series Appliances

The Cisco ASA 5500-FTD-X Series is a family of eight threat-focused NGFW security platforms. Their throughput ranges from 750 Mbps to 4 Gbps, addressing use cases from the small or branch office to the Internet edge. They deliver superior threat defense in a cost-effective footprint.

Performance Specifications and Feature Highlights

Table 2 summarizes the capabilities of the Cisco Firepower NGFW 4100 Series and 9300 appliances and the Cisco ASA 5500-FTD-X appliances when running the Cisco Firepower Threat Defense image.

Table 2. Performance Specifications and Feature Highlights with the Firepower Threat Defense Image

Features

Cisco Firepower Model

Cisco ASA 5500-FTD-X Model

2110

2120

2130

2140

4110

4120

4140

4150

9300 with 1 SM-24 Module

9300 with 1 SM-36 Module

9300 with 1 SM-44 Module

9300 with 3 Cluster ed SM-44 Modules

5506FTD-X

5506WFTD-X

5506HFTD-X

5508FTD-X

5516FTD-X

5525FTD-X

5545FTD-X

5555FTD-X

Cisco Firepower Device Manager (local mana gement)

Yes

Yes - - - - - - - -

Yes

Centralized management

Centralized configuration, logging, monitoring, and reporting are performed by the Management Center or alternatively in the cloud with Cisco Defense Orchestrator.

Application Visibility and Control (AVC)

Standard, supporting more than 4000 applications, as well as geolocations, users, and websites

AVC: OpenAppID support for custom, open source, application detectors

Standard

Cisco Security Intelligence

Standard, with IP, URL, and DNS threat intelligence

Cisco Firepower NGIPS

Available; can passively detect endpoints and infrastructure for threat correlation and indicators of compromise (IoC) intelligence

Cisco AMP for Networks

Available; enables detection, blocking, tracking, analysis, and containment of targeted and persistent malware, addressing the attack continuum both during and after attacks. Integrated threat correlation with Cisco AMP for Endpoints is also optionally available

Cisco AMP Threat Grid sandboxing

Available

URL Filtering: number of categories

More than 80

URL Filtering: number of URLs categorized

More than 280 million

Automated threat feed and IPS signature updates

Yes: class-leading Collective Security Intelligence (CSI) from the Cisco Talos Group (http://www.cisco.com/c/en/us/products/security/talos.html)

Third-party and opensource ecosystem

Open API for integrations with third-party products; Snort® and OpenAppID community resources for new and specific threats

High availability and clustering

Active/standby; for Cisco Firepower 9300 intrachassis clustering of up to 5 chassis is allowed; Cisco Firepower 4100 Series allows clustering of up to 16 chassis.

VLANs maximum

1024

Features

Cisco Firepower Model

Cisco ASA 5500-FTD-X Model

2110

2120

2130

2140

4110

4120

4140

4150

9300 with 1 SM-24 Module

9300 with 1 SM-36 Module

9300 with 1 SM-44 Module

9300 with 3 Cluster ed SM-44 Modules

5506FTD-X

5506WFTD-X

5506HFTD-X

5508FTD-X

5516FTD-X

5525FTD-X

5545FTD-X

5555FTD-X

Cisco Trust Anchor Technologies

ASA 5506-X, 5508-X, and 5516-X appliances, Firepower 2100 Series and Firepower 4100 Series and 9300 platforms include Trust Anchor Technologies for supply chain and software image assurance. Please see the section below for additional details.

Features

Cisco Firepower Model

4110

4120

4140

4150

9300 with 1 SM-24 Module

9300 with 1 SM-36 Module

9300 with 1 SM-44 Module

9300 with 3 SM-44 Modules

Stateful inspection firewall throughput1

35 Gbps

60 Gbps

70 Gbps

75 Gbps

80 Gbps

234 Gbps

Stateful inspection firewall throughput (multiprotocol)2

15 Gbps

30 Gbps

40 Gbps

50 Gbps

60 Gbps

130 Gbps

Concurrent firewall connections

10 million

15 million

25 million

35 million

55 million

60 million

70 million

Firewall latency (UDP 64B microseconds)

3.5

New connections per second

150,000

250,000

350,000

800,000

1.2 million

1.8 million

4 million

Security contexts3

250

Virtual interfaces

1024

IPsec VPN throughput

8 Gbps

10 Gbps

14 Gbps

15 Gbps

18 Gbps

20 Gbps

60 Gbps4

IPsec/Cisco AnyConnect/Ap ex site-to-site VPN peers

10,000

15,000

20,000

60,0004

Maximum number of VLANs

1024

1

HTTP sessions with an average packet size of 1024 bytes.

Note: Performance will vary depending on features activated and network traffic protocol mix and packet size characteristics. Performance is subject to change with new software releases. Consult your Cisco representative for detailed sizing guidance.

Table 3 summarizes the performance and capabilities of the Cisco Firepower 4100 Series and 9300 appliances when running the ASA image. For Cisco ASA 5500-X Series performance specifications with the ASA image, please visit the Cisco ASA with FirePOWER Services data sheet.

Table 3. ASA Performance and Capabilities