Data Sheet
Cisco Firepower NGFW
The Cisco Firepower® NGFW (next-generation firewall) is the industry’s first fully integrated, threat-focused next-gen firewall with unified management. It uniquely provides advanced threat protection before, during, and after attacks.
Stop more threats | Contain known and unknown malware with leading Cisco® Advanced Malware Protection (AMP) and sandboxing.
Gain more insight | Gain superior visibility into your environment with Cisco Firepower next-gen IPS. Automated risk rankings and impact flags identify priorities for your team.
Detect earlier, act faster | The Cisco Annual Security Report identifies a 100-day median time from infection to detection, across enterprises. Reduce this time to less than a day.
Reduce complexity | Get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.
Get more from your network | Enhance security, and take advantage of your existing investments, with optional integration of other Cisco and third-party networking and security solutions.
Performance Highlights
Table 1 summarizes the performance highlights of the Cisco Firepower 4100 Series NGFW, 9300 Series Security Appliances, and select Cisco ASA 5500-X appliances.
Table 1. Performance Highlights
Model | Throughput: FW + AVC (Cisco Firepower Threat Defense)¹ | Throughput: FW + AVC + NGIPS (Cisco Firepower Threat Defense)¹
Firepower 2110 | 1.9 Gbps | 1.9 Gbps
Firepower 2120 | 3 Gbps | 3 Gbps
Firepower 2130 | 4.75 Gbps | 4.75 Gbps
Firepower 2140 | 8.5 Gbps | 8.5 Gbps
Firepower 4110 | 12 Gbps | 10 Gbps
Firepower 4120 | 20 Gbps | 15 Gbps
Firepower 4140 | 25 Gbps | 20 Gbps
Firepower 4150 | 30 Gbps | 24 Gbps
Firepower 9300 with 1 SM-24 Module | 30 Gbps | 24 Gbps
Firepower 9300 with 1 SM-36 Module | 42 Gbps | 34 Gbps
Firepower 9300 with 1 SM-44 Module | 54 Gbps | 53 Gbps
Firepower 9300 with 3 SM-44 Modules | 135 Gbps | 133 Gbps
ASA 5506-FTD-X | 250 Mbps | 125 Mbps
ASA 5506W-FTD-X | 250 Mbps | 125 Mbps
ASA 5506H-FTD-X | 250 Mbps | 125 Mbps
ASA 5508-FTD-X | 450 Mbps | 250 Mbps
ASA 5516-FTD-X | 850 Mbps | 450 Mbps
ASA 5525-FTD-X | 1100 Mbps | 650 Mbps
ASA 5545-FTD-X | 1500 Mbps | 1000 Mbps
ASA 5555-FTD-X | 1750 Mbps | 1250 Mbps
¹ HTTP sessions with an average packet size of 1024 bytes
² 1024 bytes TCP firewall performance
Note: NGFW performance varies depending on network and traffic characteristics. Consult your Cisco representative for detailed sizing guidance. Performance is subject to change with new software releases.
© 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Cisco Firepower 2100 Series:
The industry’s first 1RU NGFWs delivering sustainable performance when threat inspection is enabled
Cisco Firepower 4100 Series:
The industry’s first 1RU NGFWs with 40-Gbps interfaces
Cisco Firepower 9300:
Ultra-high-performance NGFW, expandable as your needs grow
Cisco ASA 5500-X Series:
Models for branch offices, industrial applications, and the Internet edge
Platform Support
The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional next-gen IPS (NGIPS), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image. Alternatively, the Cisco Firepower 4100 Series and 9300 appliances can support the Cisco Adaptive Security Appliance (ASA) software image.
The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco Firepower NGFW, as well as Cisco Firepower NGIPS and Cisco AMP for Networks.
The Cisco Firepower Device Manager is available for local management of 2100 Series and 5500-X Series devices running the Cisco Firepower Threat Defense software image.
The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 4100 Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.
Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across Cisco security devices.
Also available, on select Cisco Firepower appliances, and direct from Cisco, is the Radware Virtual DefensePro (vDP) distributed denial of service (DDoS) mitigation capability.
Cisco Firepower 2100 Series Appliances
The Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that optimizes firewall, cryptographic, and threat inspection functions simultaneously. The series’ firewall throughput ranges from 1.9 to 8.5 Gbps, addressing use cases from the Internet edge to the data center.
Cisco Firepower 4100 Series Appliances
The Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput ranges from 35 to 75 Gbps, addressing data center use cases. They deliver superior threat defense, at faster speeds, with a smaller footprint.
Cisco Firepower 9300 Security Appliance
The Cisco Firepower 9300 is a scalable (beyond 1 Tbps when clustered), carrier-grade, modular platform designed for service providers, high-performance computing centers, large data centers, campuses, high-frequency trading environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional throughput. Cisco Firepower 9300 supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. It is also available in Network Equipment Building Standards (NEBS)-compliant configurations.
Cisco ASA 5500-FTD-X Series Appliances
The Cisco ASA 5500-FTD-X Series is a family of eight threat-focused NGFW security platforms. Their throughput ranges from 750 Mbps to 4 Gbps, addressing use cases from the small or branch office to the Internet edge. They deliver superior threat defense in a cost-effective footprint.
Performance Specifications and Feature Highlights
Table 2 summarizes the capabilities of the Cisco Firepower NGFW 4100 Series and 9300 appliances and the Cisco ASA 5500-FTD-X appliances when running the Cisco Firepower Threat Defense image.
Table 2. Performance Specifications and Feature Highlights with the Firepower Threat Defense Image
Model | Throughput: FW + AVC¹ | Throughput: AVC + IPS¹ | Maximum concurrent sessions, with AVC | Maximum new connections per second, with AVC | Cisco Firepower Device Manager (local management)
Firepower 2110 | 1.9 Gbps | 1.9 Gbps | 1 million | 12,000 | Yes
Firepower 2120 | 3 Gbps | 3 Gbps | 1.2 million | 16,000 | Yes
Firepower 2130 | 4.75 Gbps | 4.75 Gbps | 2 million | 24,000 | Yes
Firepower 2140 | 8.5 Gbps | 8.5 Gbps | 3.5 million | 40,000 | Yes
Firepower 4110 | 12 Gbps | 10 Gbps | 9 million | 68,000 | -
Firepower 4120 | 20 Gbps | 15 Gbps | 15 million | 120,000 | -
Firepower 4140 | 25 Gbps | 20 Gbps | 25 million | 160,000 | -
Firepower 4150 | 30 Gbps | 24 Gbps | 30 million | 200,000 | -
Firepower 9300 with 1 SM-24 Module | 30 Gbps | 24 Gbps | 30 million | 120,000 | -
Firepower 9300 with 1 SM-36 Module | 42 Gbps | 34 Gbps | 30 million | 160,000 | -
Firepower 9300 with 1 SM-44 Module | 54 Gbps | 53 Gbps | 30 million | 300,000 | -
Firepower 9300 with 3 Clustered SM-44 Modules | 135 Gbps | 133 Gbps | 60 million | 900,000 | -
ASA 5506-FTD-X | 250 Mbps | 125 Mbps | 20,000 | 3,000 | Yes
ASA 5506W-FTD-X | 250 Mbps | 125 Mbps | 20,000 | 3,000 | Yes
ASA 5506H-FTD-X | 250 Mbps | 125 Mbps | 20,000 | 3,000 | Yes
ASA 5508-FTD-X | 450 Mbps | 250 Mbps | 100,000 | 7,000 | Yes
ASA 5516-FTD-X | 850 Mbps | 450 Mbps | 250,000 | 8,000 | Yes
ASA 5525-FTD-X | 1100 Mbps | 650 Mbps | 500,000 | 10,000 | Yes
ASA 5545-FTD-X | 1500 Mbps | 1000 Mbps | 750,000 | 15,000 | Yes
ASA 5555-FTD-X | 1750 Mbps | 1250 Mbps | 1,000,000 | 20,000 | Yes

Features | Cisco Firepower and Cisco ASA 5500-FTD-X models
Centralized management | Centralized configuration, logging, monitoring, and reporting are performed by the Management Center or alternatively in the cloud with Cisco Defense Orchestrator.
Application Visibility and Control (AVC) | Standard, supporting more than 4000 applications, as well as geolocations, users, and websites
AVC: OpenAppID support for custom, open source, application detectors | Standard
Cisco Security Intelligence | Standard, with IP, URL, and DNS threat intelligence
Cisco Firepower NGIPS | Available; can passively detect endpoints and infrastructure for threat correlation and indicators of compromise (IoC) intelligence
Cisco AMP for Networks | Available; enables detection, blocking, tracking, analysis, and containment of targeted and persistent malware, addressing the attack continuum both during and after attacks. Integrated threat correlation with Cisco AMP for Endpoints is also optionally available
Cisco AMP Threat Grid sandboxing | Available
URL Filtering: number of categories | More than 80
URL Filtering: number of URLs categorized | More than 280 million
Automated threat feed and IPS signature updates | Yes: class-leading Collective Security Intelligence (CSI) from the Cisco Talos Group (http://www.cisco.com/c/en/us/products/security/talos.html)
Third-party and open-source ecosystem | Open API for integrations with third-party products; Snort® and OpenAppID community resources for new and specific threats
High availability and clustering | Active/standby; for Cisco Firepower 9300 intrachassis clustering of up to 5 chassis is allowed; Cisco Firepower 4100 Series allows clustering of up to 16 chassis.
VLANs maximum | 1024
Cisco Trust Anchor Technologies | ASA 5506-X, 5508-X, and 5516-X appliances, Firepower 2100 Series and Firepower 4100 Series and 9300 platforms include Trust Anchor Technologies for supply chain and software image assurance. Please see the section below for additional details.
¹ HTTP sessions with an average packet size of 1024 bytes.
Note: Performance will vary depending on features activated and network traffic protocol mix and packet size characteristics. Performance is subject to change with new software releases. Consult your Cisco representative for detailed sizing guidance.
Table 3 summarizes the performance and capabilities of the Cisco Firepower 4100 Series and 9300 appliances when running the ASA image. For Cisco ASA 5500-X Series performance specifications with the ASA image, please visit the Cisco ASA with FirePOWER Services data sheet.
Table 3. ASA Performance and Capabilities
Features / Cisco Firepower Model | 4110 | 4120 | 4140 | 4150 | 9300 with 1 SM-24 Module | 9300 with 1 SM-36 Module | 9300 with 1 SM-44 Module | 9300 with 3 SM-44 Modules
Stateful inspection firewall throughput¹ | 35 Gbps | 60 Gbps | 70 Gbps | 75 Gbps | 75 Gbps | 80 Gbps | 80 Gbps | 234 Gbps
Stateful inspection firewall throughput (multiprotocol)² | 15 Gbps | 30 Gbps | 40 Gbps | 50 Gbps | 50 Gbps | 60 Gbps | 60 Gbps | 130 Gbps
Concurrent firewall connections | 10 million | 15 million | 25 million | 35 million | 55 million | 60 million | 60 million | 70 million
Firewall latency (UDP 64B microseconds) | 3.5 | 3.5 | 3.5 | 3.5 | 3.5 | 3.5 | 3.5 | 3.5
New connections per second | 150,000 | 250,000 | 350,000 | 800,000 | 800,000 | 1.2 million | 1.8 million | 4 million
Security contexts³ | 250 | 250 | 250 | 250 | 250 | 250 | 250 | 250
Virtual interfaces | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024
IPsec VPN throughput | 8 Gbps | 10 Gbps | 14 Gbps | 15 Gbps | 15 Gbps | 18 Gbps | 20 Gbps | 60 Gbps⁴
IPsec/Cisco AnyConnect/Apex site-to-site VPN peers | 10,000 | 15,000 | 20,000 | 20,000 | 20,000 | 20,000 | 20,000 | 60,000⁴
Maximum number of VLANs | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024