Cisco is a perennial front-runner in developing cutting-edge firewall appliances for the broadest possible variety of environments. Cisco's Firepower Next Generation Firewall (NGFW) security appliances provide an advanced firewall platform that marshals dedicated hardware, cloud services, and a next-generation intrusion protection system (NGIPS) to anticipate, identify, and respond to cyberthreats without manual intervention. Progent's Cisco CCIE-certified firewall experts can help you to design and carry out an efficient migration to Firepower Series firewalls from Cisco's legacy ASA 5500-X, ASA 5500, or PIX firewalls and show you how to enhance Firepower firewalls with Cisco's cloud-based services to create and centrally manage IT environments that encompass local offices, data centers, private clouds and public clouds. Progent's firewall consultants can also help you to manage and troubleshoot legacy Cisco security appliances. Progent's certified cybersecurity consultants can help you with policy creation and tuning driven by leading practices in order to establish a consistent and effective cybersecurity profile that applies to all your endpoints anywhere.
Cisco's Firepower Next Generation Firewall Appliances
Cisco's family of Firepower Next-Generation Firewalls offers modern protection and centralized management at price points, speed, and scale suitable for environments ranging from home offices and small organizations to major enterprises and Internet service providers. Cisco's Firepower NGFW devices provide a significant performance boost compared to Cisco's older security appliances and include unified management and automation of advanced security capabilities like application visibility, next-generation intrusion protection with risk prioritization, advanced malware protection (AMP), URL filtering, and multi-node sandboxing.
All Firepower NGFW firewalls have a single-pass architecture and permit continuous inspection and retrospective identification, which makes it possible to initiate outbreak management and to pinpoint root causes. Firepower Next-Generation firewalls also offer URL Filtering and sandboxing for detecting evasive and sandbox-aware threats, actionable event correlations, and malware artifacts. Next-Generation IPS rule tuning and network firewall policy creation can be performed automatically, eliminating the need for manual intervention by cybersecurity experts. All Firepower NGFW firewalls offer the choice of running either Cisco Firepower Threat Defense or Adaptive Security Appliance software. Unified deployment, logging, system monitoring, and reporting functions can be managed either via Management Center or in the cloud with Cisco Defense Orchestrator.
Cisco Firepower 1000 Series Next-Generation Firewalls
Firepower NGFW 1000 Series Firewalls are intended for small organizations, telecommuters, or branches. Firewalls in this series offer improved price/performance vs. corresponding Cisco ASA models, providing 4-6X higher firewall throughput. Local management can be done with Cisco Firepower Device Manager. 1000 Series firewalls include a built-in 10/100/1000 Ethernet port for network management, an RJ-45 console port, a USB 3.0 Type-A connection, and 200 Gbytes of storage. Active/active and Active/standby high availability is provided along with VPN load balancing.
Cisco's Firepower 1010 firewall is a desktop, fanless appliance that offers 890 Mbps throughput, AVC, and Next Generation Intrusion Prevention System (NGIPS). The firewall has 8 integrated RJ-45 I/O interface ports, two of them with POE+. IPsec VPN performance is 500 Mbps and the firewall supports 100K concurrent sessions, 6,000 new connections per second, and a maximum of 75 VPN peers. The Firepower 1120 firewall is a 1RU appliance that provides firewall performance of 2.3 Gbps. The unit has 8 RJ45 integrated I/O ports and four SFP interface ports. IPsec VPN performance is 1.2 Gbps and the unit supports 200K concurrent sessions, 15,000 new connections per second with Application Visibility/Control (AVC), and as many as 150 VPN peers.
The Firepower 1140 model firewall is a 1RU appliance that offers firewall throughput of 3.3 Gbps. The appliance features 8 integrated RJ-45 interface ports and four SFP ports. IPsec VPN performance is 1.4 Gbps and the device supports 400K concurrent sessions, 22K new connections per second with AVC, and a maximum of 400 VPN peers. The Firepower 1150 firewall is a 1RU appliance that delivers firewall throughput of 5.3 Gbps. The appliance includes eight integrated RJ-45 ports, two SFP ports, and two 10G SFP+ interfaces. IPsec VPN performance is 2.4 Gbps and the firewall supports 600K simultaneous sessions, 28,000 new connections/second, and up to 800 VPN peers.
Cisco Firepower 2100 Series Next-Generation Firewalls
Cisco's Firepower 2100 Series NGFW Firewalls are 1RU rack units intended for deployment at the data center. Firewalls in this family have a dual multicore processor architecture that enables them to offer 3-6X higher throughput than the Cisco ASA 5545-X to ASA 5555-X firewalls they are designed to replace. Local management can be performed using Cisco Firepower Device Manager. All Firepower 2100 Series Next-Generation Firewalls include 12 RJ45 interfaces and four SFP ports. These appliances include one built-in 10/100/1000 RJ-45 Ethernet interface for network management, an RJ-45 console port, and one USB interface. High availability is supported as well as VPN load balancing.
The Firepower 2110 model firewall has 4 built-in 1 Gb SFP Ethernet ports and 100 GB of storage. The 2110 offers 2.6 Gbps firewall performance and 800 Mbps IPsec VPN throughput and supports 1 million simultaneous sessions, 18,000 new connections/second, and as many as 1,500 VPN peers. Cisco's Firepower 2120 model firewall includes 12 integrated 10M/100M/1GBASE-T Ethernet RJ-45 interface ports, four integrated 1G SFP Ethernet interface ports, and 100 GB of storage. The 2120 offers 3.4 Gbps firewall throughput and 1 Gbps IPsec VPN performance and allows 1.5 million concurrent sessions, 28,000 new connections per second and up to 3,500 VPN peers.
Cisco's Firepower 2130 firewall includes four built-in 10 Gigabit SFP+ interfaces and 200 GB of storage. The 2130 also scales via a network module with eight additional interface ports. The Firepower 2130 offers 5.4 Gbps firewall throughput and 1.9 Gbps IPsec VPN throughput and allows two million simultaneous sessions, 30,000 new connections per second, and up to 7,500 VPN peers. Cisco's high-end Firepower 2140 model firewall has four integrated 10G SFP+ ports and 200 GB of storage. The 2140 also accepts a network module with 8 extra interfaces for a total of 24 Ethernet ports. The 2140 offers 10.4 Gbps firewall throughput and 3.6 Gbps IPsec VPN performance and supports three million simultaneous sessions, 57,000 new connections per second, and up to 10,000 VPN peers. Both the 2130 and 2140 units have the option of dual AC or DC power supplies.
Cisco Secure Firewall 3100 Series
Cisco's 3100 Firewall Series appliances are modular single-rack units designed for enterprises who require performance, high port density, and zero-trust cybersecurity at the Internet edge, the data center, or a private cloud. For high uptime, all Secure Firewall 3100 Series models allow 8-chassis clustering and operate in Active/active or Active/standby mode. The devices can run Cisco's ASA or Firewall Threat Defense (FTD) software. Built-in I/O for each device includes 8 10M/100M/1GBASE-T Ethernet interfaces (RJ-45) and 8 1/10 Gigabit (SFP) Ethernet ports. Available network modules support 1/10/25/40G options and all versions have 900 GB of storage plus a spare storage expansion slot.
Cisco's 3100 Firewall model offers 18 Gbps firewall performance and 8 Gbps IPsec VPN performance. The 3110 supports two million simultaneous sessions, 64,000 new connections/second, and as many as 3,000 VPN peers. Cisco's Secure Firewall 3120 device offers 22 Gbps firewall throughput and up to 10 Gbps IPsec VPN performance. The 3120 firewall allows 4 million concurrent sessions, 98K new connections per second, and up to 7,000 VPN peers. Cisco's Secure Firewall 3130 model delivers 42 Gbps firewall performance and up to 14 Gbps IPsec VPN throughput. The 3130 firewall allows 6 million concurrent sessions, 200K new connections per second, and up to 15,000 VPN peers. Cisco's 3140 Firewall appliance delivers 49 Gbps firewall throughput and up to 17 Gbps IPsec VPN throughput. The 3140 firewall supports 10 million concurrent sessions, 200K new connections per second, and a maximum of 20K VPN peers.
Cisco Firepower 4100 Series NGFW Firewalls
Cisco's Firepower 4100 Series Next-Generation Firewalls are single-rack units designed for operation at the Internet edge or high-performance data centers. Appliances in this family offer 5-10X higher performance than the Cisco ASA 5585-X device they are designed to succeed. Local management can be done using Firepower Device Manager. All Firepower 4100 Series Next-Generation Firewalls have 8 integrated SFP+ interfaces and all can be expanded with a selection of add-in network modules for a maximum of 24 interfaces. All Firepower 4100 Series Next-Generation Firewalls offer virtual private network load balancing, Active/standby high availability, and clustering of as many as six chassis. These security appliances include an integrated 1Gb Ethernet interface for management, an RJ-45 console interface, and one USB 2.0 interface.
The Firepower 4110 model firewall includes 200 GB of storage and delivers 13 Gbps firewall performance and 6 Gbps IPsec VPN performance. The 4110 allows 10 million simultaneous sessions, 64K new connections per second, and as many as 10K VPN peers. Cisco's Firepower 4112 firewall comes with 400 GB of storage and delivers 19 Gbps firewall throughput and 8.5 Gbps IPsec VPN performance. The 4112 appliance allows 10 million simultaneous sessions, 98K new connections/second, and up to 10,000 VPN peers. Cisco's newer Firepower 4115 firewall comes with 400 GB of storage and delivers 27 Gbps firewall performance and 8 Gbps IPsec VPN throughput. The 4115 unit allows 15 million simultaneous sessions, 200K new connections/second, and up to 15,000 VPN peers. Cisco's Firepower 4120 appliance has 200 GB of storage and delivers 22 Gbps firewall throughput and 19 Gbps IPsec VPN throughput. The 4120 firewall allows 15 million concurrent sessions, 118K new connections per second, and a maximum of 15,000 VPN peers. Cisco's newer Firepower 4125 device features 800 GB of storage and offers 40 Gbps firewall performance and 14 Gbps IPsec VPN performance. The 4125 firewall allows 25 million simultaneous sessions, 265K new connections/second, and up to 20K VPN peers.
The Firepower 4140 firewall comes with 400 GB of storage and delivers 32 Gbps firewall performance and 13 Gbps IPsec VPN performance. The 4140 firewall allows 25 million concurrent sessions, 172K new connections per second, and up to 20K VPN peers. Cisco's more recent Firepower 4145 appliance includes 800 GB of storage and offers 53 Gbps firewall throughput and 18 Gbps IPsec VPN performance. The 4145 firewall allows 30 million concurrent sessions, 350K new connections per second, and a maximum of 20K VPN peers. Cisco's Firepower 4150 unit features 400 GB of storage and offers 45 Gbps firewall performance and 14 Gbps IPsec VPN performance. The 4150 unit allows 30 million simultaneous sessions, 263K new connections/second, and up to 20K VPN peers.
Cisco Firepower 9300 Series NGFW Firewalls
Cisco's Firepower 9300 Series Next-Generation Firewalls are massively scalable and ultra-high performing firewalls. The 3RU chassis of Firepower 9300 Next-Generation Series firewalls accepts two network modules and three security modules. Altogether, the Firepower 9300 can support 24 10-Gigabit Ethernet Enhanced Small Form-Factor Pluggable ports or eight 100 Gigabit Ethernet ports. Clustering of up to five 9300 chassis allows up to 1.2 Tbps of firewall performance. The top-of-the-line Cisco Firepower 9300 SM-56 provides 70 Gbps firewall throughput and 27 Gbps IPsec VPN performance. The 9300 SM-56 allows 35 million concurrent sessions, 490K new connections per second, and up to 20,000 VPN peers.
Cisco's ASA 5500-X and Legacy Firewalls
Cisco’s ASA 5500-X, ASA 5500 Series, and PIX firewalls offer integrated firewall, VPN, and intrusion prevention system (IPS) services in compact single-box packages, delivering a broad range of features to meet the security and compliance needs of organizations from small businesses to enterprises and ISPs. Cisco’s ASA 5500-X, ASA 5500, and PIX 500 firewalls enable IT security teams to protect their network edge and provide safe offsite and mobile connectivity while using advanced management tools based on Cisco's industry-leading firewall technology.
Cisco’s ASA 5500 and PIX firewalls have reached end-of-life but are still widely deployed in smaller businesses and in a few larger data centers. The ASA 5500-X Series Next-Generation Firewalls represent significantly more bang for the buck and have supplanted Cisco's ASA 5500 and PIX 500 lines of firewalls for new installations. Still, Cisco's older model firewall appliances, if properly maintained, can deliver a high level of security by providing multiple features such as firewall, VPN tunneling, and IPS.
Following Cisco's purchase of Sourcefire, the entire family of ASA 5500-X firewalls can be provisioned to enable Firepower Services, built on Sourcefire's Snort product, which is the world's most deployed intrusion protection system (IPS). Firepower services bring enhanced features such as advanced malware protection (AMP), URL filtering, real-time threat analytics, and automation.
Progent's Cisco CCIE-premier network consultants can help you to support and debug legacy ASA 5500 and PIX firewalls and can also assist you to design and carry out an efficient migration to Cisco’s ASA 5500-X Series firewalls with Firepower. Progent can also help you to design, integrate, optimize, manage and debug new firewall solutions built on Cisco's latest ASA 5500-X models with Firepower. Progent can also assist your organization to migrate from your Cisco ASA 5500-X deployment to Cisco's Firepower Next Generation Firewalls (NGFWs).
Cisco's ASA 5500-X Series Firewalls
Cisco's extensive line of ASA 5500-X security appliances features an enhanced replacement for each rack-mountable model in the older ASA 5500 line of firewalls. Each ASA 5500-X model is suited for the same environment as the corresponding earlier model, which gives small and midsize businesses plenty of room for picking a firewall that aligns with their security needs and budgets. All ASA 5500-X firewalls build on Cisco's proven stateful-inspection firewall technology and all incorporate purpose-built 64-bit hardware with multicore processors and support Cisco's advanced security services. All devices in Cisco's ASA 5500-X family provide dependable security across any combination of physical, virtual, and cloud environments.
For additional information about ASA 5500-X security appliances, Firepower services, and Progent's support for Cisco ASA security appliances, visit Cisco Firepower integration and debugging expertise.
Firepower Services for ASA 5500-X Firewalls
Cisco ASA 5500-X firewalls work with software or physical modules that enable Firepower Services, which offer layered protection against advanced threats. Firepower Services are powered by technology adopted by Cisco from Sourcefire. Major capabilities of Firepower Services for ASA security appliances include:
Smaller implementations of ASA firewalls can be efficiently administered using Cisco's on-box Adaptive Security Device Manager (ASDM), a web utility provided with all ASA 5500-X models. ASDM provides a convenient web dashboard for deploying, managing, and debugging ASA 5500-X appliances and modules.
For more complex environments, ASA 5500-X appliances with Firepower can be managed using Cisco's Firepower Management Center, available as one or several physical units or virtual appliances. Firepower Management Center offers centralized firewall management, Application Visibility and Control, advanced IPS, URL filtering, and Cisco's Advanced Malware Protection. Due to ongoing rebranding after Cisco's acquisition of Sourcefire Defense Center, Firepower Management Center has been delivered under various names that include Cisco Defense Center, Cisco Firesight Defense Center, and FireSIGHT Management Center.
Firepower Management Center offers features beyond those available with Cisco's on-box Adaptive Security Device Manager utility. Additional features include expanded context awareness, Advanced Malware Protection (AMP) with remediation for client devices, a console that provides real-time network infrastructure visualization, automated policy optimization based on impact assessment of threats, comprehensive IPS, custom application detectors for Application Visibility and Control, customized health notifications, improved reporting features, and application interfaces for host input and database access. Hardware-dependent options such as clustering, stacking, switching, routing, VPN, and NAT must be managed using either Cisco's ASA 5500-X on-device ASDM or the ASA 5500-X command line interface.
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco Adaptive Security Appliances (ASA) 5500 Series Firewalls build on engineering developed for the Cisco PIX 500 Series Security Appliance, the IPS 4200 Intrusion Prevention System, and the VPN 3000 family concentrator. These solutions converge on the Cisco Adaptive Security Appliances Firewall product line to deliver a platform that stops the broadest range of attacks. Cisco ASA 5500 Series Firewalls deliver application protection, network containment, and safe Virtual Private Network functionality across the entire product portfolio. This broad scope of security enables the guarding of any network section, including the most common attack conduits like remote locations, locally-connected internal users, and remote access VPNs.
Cisco Adaptive Security Appliances (ASA) firewalls deliver a high level of application security through smart, application-aware inspection engines that analyze traffic at Layers 4-7. The result is a more secure environment including Web, voice, and mobile wireless connectivity. To protect networks against application-layer assaults and to offer better policing of the applications and protocols utilized in their environments, Cisco's inspection engines incorporate broad application and protocol knowledgebases and rely on protection enforcement solutions such as protocol anomaly detection and application and protocol state monitoring. Also incorporated are assault detection and mitigation technology including application and protocol command filters and URL deobfuscation. Cisco Adaptive Security Appliances (ASA) 5500 Series firewall inspection engines also provide control over instant messaging and tunneling applications, allowing organizations to police usage policies and preserve bandwidth for vital business applications.
For more details about Progent's support services for Cisco's ASA 5500 firewalls, see ASA 5500 series firewalls integration and debugging consulting.
Cisco PIX Security Appliance Series
Built around a tested, purpose-built software platform that offers rich security features, Cisco PIX security appliances provide a high level of protection and have earned Common Criteria Evaluation Assurance Level (EAL) 4 status and ICSA Labs Firewall and IPsec qualification. PIX security appliances provide security for a wide array of VoIP and other multimedia standards such as H.323 Version 4, Session Initiation Protocol, SCCP, RTSP, and Media Gateway Control Protocol (MGCP), enabling organizations to protect deployments of a wide range of contemporary and next-generation VoIP and mixed-media applications.
IT managers can also remotely set up, track, and troubleshoot PIX firewall appliances via a command-line interface. Secure CLI interface communication is available through a number of methods including Secure Shell (SSHv2) Protocol, Telnet through IP Security, and out-of-band via a console port. PIX security appliances also have robust automatic-update capabilities, a collection of advanced secure remote-management services that make sure that security settings and software images are kept current.
For more information about Progent's consulting services for PIX firewalls, visit PIX firewalls integration and debugging support.
Progent's Migration Support Services for Cisco Firewalls
Since Cisco has ceased selling the PIX and ASA 5500 product lines, many companies are uncomfortable with depending on a critical infrastructure component that may no longer be supported by Cisco. ASA 5500-X and Firepower NGFW Series security appliances have the advantage of being current products and also bring a number of functions and budgetary advantages in comparison to PIX devices. These advantages include significantly higher performance, optional SSL tunneling capability, and an expandable architecture that protects your investment by enabling you to self-install more security features when and if you need them. Progent's CCIE-certified experts can help your company to assess the strategic case for upgrading from PIX 500 or Cisco ASA 5500 security appliances, design a migration process that allows for a fast and non-disruptive changeover, help your IT staff to set up new ASA 5500-X Series or Firepower Series firewalls, and offer online, consulting, and technical support services.
Other Ways Progent Can Assist You with Cisco ASA and PIX Firewalls
Cisco Firepower Series, ASA 5500 Series, and PIX firewalls incorporate a wealth of setup, tracking, and analysis features which offer you the flexibility to deploy these firewalls to match your business needs. Progent's CCIE certified network professionals can assist you to build a cost-effective infrastructure that incorporates Cisco firewall technology and that provides advanced security, fault tolerance, throughput, and manageability. Progent's CISA and CISSP-ISSP-certified IS security experts can help your business to create a security strategy appropriate for your situation and can configure your PIX or ASA firewall to enforce your security strategy. Progent's security evaluation consultants can assess the effectiveness of your current firewall deployment and help determine the overall security of your entire IT environment. Progent’s Technical Response Center can provide urgent online troubleshooting for Cisco products and can give you quick access to a Cisco CCIE expert.
Integration of Cisco and Third-party Security Technology
Progent offers expertise in firewall and VPN products from all major vendors and can help you integrate Cisco technology with additional security solutions to help you build a cost-effective network infrastructure that provides a level of security and flexibility appropriate for your business. Third-party firewall and VPN support services available from Progent include:
For more information about Progent's consulting and support services for Cisco technology, call