Cisco is a perennial front-runner in developing state-of-the-art firewall appliances for the broadest possible range of deployments. Cisco's Firepower Next Generation Firewall (NGFW) appliances represent a modern firewall solution that combines sophisticated hardware, cloud services, and a next-generation intrusion protection system (NGIPS) to block, identify, and respond to threats without manual intervention. Progent's Cisco CCIE-certified firewall consultants can assist your organization to plan and execute an efficient migration to Cisco Firepower firewalls from Cisco's ASA 5500-X, ASA 5500, or PIX firewalls and show you how to enhance Firepower appliances with Cisco's security services to create and centrally control IT environments that encompass branch offices, data centers, and cloud resources. Progent can also assist you to manage and troubleshoot older-generation Cisco firewalls. Progent's certified cybersecurity consultants can help you with policy creation and tuning driven by industry best practices in order to build a consistent and effective security profile that applies to all your networked devices anywhere.
Cisco's Firepower Next Generation Firewalls
Cisco's line of Firepower Next-Generation Firewalls offers modern security and centralized control at prices, performance levels, and scale to fit deployments spanning home offices and small businesses to global enterprises and Internet service providers. Cisco's Firepower NGFW devices provide a significant performance boost over Cisco's previous-generation firewalls and include centralized control of advanced security capabilities like application visibility and control, next-generation intrusion protection with intelligent prioritization of risks, advanced malware protection (AMP), DDoS mitigation, and multi-node sandboxing.
All Firepower NGFW firewalls incorporate a single-pass architecture and support uninterrupted analysis and retrospective identification, which makes it possible to initiate outbreak management and to uncover patient zero. Firepower Next-Generation firewalls also have the option of URL Filtering and sandboxing for finding evasive and sandbox-aware threats, behavioral indicators of compromise, and malware artifacts. Next-Generation IPS rule tuning and network firewall policy are performed automatically, eliminating the need for manual intervention by IT security specialists. All Firepower NGFW firewalls give you the choice of using either Cisco Firepower Threat Defense or Adaptive Security Appliance software. Unified configuration, logging, monitoring, and reporting capabilities can be managed either by Management Center or in the cloud with Cisco Defense Orchestrator.
Cisco Firepower 1000 Series NGFW Firewalls
Cisco Firepower NGFW 1000 Series Firewalls are targeted at small businesses, telecommuters, or branch offices. Devices in this series offer better price/performance vs. corresponding Cisco ASA models, providing 4-6X higher firewall throughput. Local management can be performed with Firepower Device Manager. 1000 Series appliances feature an integrated 10/100/1000 RJ-45 Ethernet interface for network management, an RJ-45 console interface, a USB 3.0 Type-A port, and 200 GB of storage. High availability is supported along with VPN load balancing.
Cisco's Firepower 1010 firewall is a desktop or wall-mount, quiet appliance that delivers 890 Mbps throughput, Application Visibility/Control (AVC), and Next Generation Intrusion Prevention System. The appliance has eight integrated RJ-45 I/O interface ports, two of them with POE+. IPsec VPN throughput is 500 Mbps and the unit allows 100K simultaneous sessions, 6,000 new connections/second, and a maximum of 75 VPN peers. The Firepower 1120 firewall is a 1RU appliance that delivers firewall performance of 2.3 Gbps. The firewall comes with 8 RJ45 integrated I/O interfaces and four SFP interfaces. IPsec VPN performance is 1.2 Gbps and the unit supports 200K simultaneous sessions, 15,000 new connections/second with AVC, and a maximum of 150 VPN peers.
The Firepower 1140 firewall is a 1RU rackmount appliance that offers firewall throughput of 3.3 Gbps. The appliance comes with 8 integrated RJ-45 ports and four SFP ports. IPsec VPN throughput is 1.4 Gbps and the unit allows 400K concurrent sessions, 22K new connections/second with AVC, and up to 400 VPN peers. The Firepower 1150 firewall is a 1RU rackmount device that offers firewall performance of 5.3 Gbps. The appliance comes with 8 built-in RJ-45 ports, two SFP interfaces, and two 10G SFP+ interface ports. IPsec VPN throughput is 2.4 Gbps and the firewall supports 600K concurrent sessions, 28,000 new connections/second, and up to 800 VPN peers.
Cisco Firepower 2100 Series Next-Generation Firewalls
Cisco's Firepower 2100 Series Next-Generation Firewalls are single-rack appliances designed for deployment at the Internet edge or the data center. Appliances in this series have a dual multicore processor design that allows them to offer 3-6X faster performance than the Cisco ASA firewalls they are engineered to replace. Local management can be performed with Cisco Firepower Device Manager. All Firepower 2100 Series NGFW Firewalls include 12 RJ45 interfaces and four SFP ports. These units include one built-in 10/100/1000 RJ-45 Ethernet interface for management, an RJ-45 console port, and one USB port. High availability is supported along with VPN load balancing.
Cisco's Firepower 2110 firewall includes four integrated 1 Gigabit SFP Ethernet interfaces and 100 GB of storage. The 2110 delivers 2.6 Gbps firewall throughput and 800 Mbps IPsec VPN throughput and allows 1 million concurrent sessions, 18,000 new connections per second, and a maximum of 1,500 VPN peers. Cisco's Firepower 2120 firewall has 12 built-in 10M/100M/1GBASE-T Ethernet RJ-45 interfaces, four integrated 1G SFP Ethernet ports, and 100 GB of storage. The 2120 offers 3.4 Gbps firewall performance and 1 Gbps IPsec VPN throughput and allows 1.5 million concurrent sessions, 28,000 new connections per second and as many as 3,500 VPN peers.
Cisco's Firepower 2130 firewall features 4 built-in 10 Gb SFP+ interfaces and 200 GB of storage. The 2130 also accepts a network module with eight extra ports. The Firepower 2130 delivers 5.4 Gbps firewall performance and 1.9 Gbps IPsec VPN throughput and supports two million concurrent sessions, 30,000 new connections per second, and a maximum of 7,500 VPN peers. Cisco's top-of-the-line Firepower 2140 model firewall includes 4 integrated 10G SFP+ interfaces and 200 GB of storage. The 2140 also scales via a network module with eight additional interface ports for a total of 24 Ethernet interfaces. The 2140 offers 10.4 Gbps firewall performance and 3.6 Gbps IPsec VPN performance and allows 3 million simultaneous sessions, 57,000 new connections/second, and up to 10,000 VPN peers. Both the 2130 and 2140 units have the option of redundant AC or DC power supplies.
Cisco Secure Firewall 3100 Series
Cisco's Secure Firewall 3100 Series models are modular one-rack devices targeted at enterprises who require performance, high port density, and zero-trust cybersecurity at the Internet edge, the corporate data center, or a private cloud. For high availability, all Secure Firewall 3100 Series appliances allow 8-device clustering and operate in Active/active or Active/standby mode. The units can run Cisco's ASA or Firewall Threat Defense software. Integrated I/O for each unit includes eight 10M/100M/1GBASE-T Ethernet interface ports (RJ-45) and eight 1/10 Gigabit Ethernet interfaces. Available network modules support 1/10/25/40G options and all models include 900 GB of storage plus a spare storage slot.
Cisco's 3110 Firewall device delivers 18 Gbps firewall performance and 8 Gbps IPsec VPN throughput. The 3110 allows 2 million simultaneous sessions, 64,000 new connections/second, and as many as 3,000 VPN peers. Cisco's Secure Firewall 3120 device offers 22 Gbps firewall throughput and up to 10 Gbps IPsec VPN throughput. The 3120 firewall allows 4 million simultaneous sessions, 98K new connections per second, and as many as 7,000 VPN peers. Cisco's 3130 Firewall device delivers 42 Gbps firewall throughput and 14 Gbps IPsec VPN throughput. The 3130 allows 6 million concurrent sessions, 200K new connections/second, and as many as 15,000 VPN peers. Cisco's Secure Firewall 3140 appliance offers 49 Gbps firewall throughput and up to 17 Gbps IPsec VPN performance. The 3140 allows 10 million concurrent sessions, 200K new connections per second, and a maximum of 20K VPN peers.
Cisco Firepower 4100 Series Next-Generation Firewalls
Cisco's Firepower 4100 Series NGFW Firewalls are single-rack units designed for use at the Internet edge or high-performance data centers. Firewalls in this family deliver 5-10X faster throughput than the Cisco ASA 5585-X device they are designed to replace. Local management can be performed using Firepower Device Manager. All Firepower 4100 Series NGFW Firewalls include 8 integrated SFP+ interfaces and all can be expanded with a selection of plug-in network modules for a maximum of 24 ports. All Firepower 4100 Series Next-Generation Firewalls support VPN load balancing, Active/standby high availability, and clustering of as many as six chassis. These security appliances include a built-in 1Gb Ethernet interface for network management, one RJ-45 console interface, and one USB 2.0 port.
The Firepower 4110 firewall includes 200 GB of storage and delivers 13 Gbps firewall throughput and 6 Gbps IPsec VPN performance. The 4110 allows 10 million simultaneous sessions, 64K new connections/second, and a maximum of 10K VPN peers. Cisco's Firepower 4112 firewall features 400 GB of storage and delivers 19 Gbps firewall performance and 8.5 Gbps IPsec VPN performance. The 4112 firewall allows 10 million concurrent sessions, 98K new connections/second, and a maximum of 10,000 VPN peers. Cisco's newer Firepower 4115 firewall comes with 400 GB of storage and offers 27 Gbps firewall performance and 8 Gbps IPsec VPN performance. The 4115 unit supports 15 million simultaneous sessions, 200K new connections per second, and as many as 15,000 VPN peers. Cisco's Firepower 4120 model has 200 GB of storage and offers 22 Gbps firewall performance and 19 Gbps IPsec VPN throughput. The 4120 unit allows 15 million concurrent sessions, 118K new connections per second, and as many as 15,000 VPN peers. Cisco's more recent Firepower 4125 firewall includes 800 GB of storage and offers 40 Gbps firewall performance and 14 Gbps IPsec VPN performance. The 4125 unit supports 25 million concurrent sessions, 265K new connections/second, and up to 20K VPN peers.
Cisco's Firepower 4140 model firewall has 400 GB of storage and offers 32 Gbps firewall throughput and 13 Gbps IPsec VPN throughput. The 4140 firewall supports 25 million simultaneous sessions, 172K new connections per second, and as many as 20K VPN peers. Cisco's more recent Firepower 4145 model includes 800 GB of storage and delivers 53 Gbps firewall throughput and 18 Gbps IPsec VPN throughput. The 4145 firewall allows 30 million concurrent sessions, 350K new connections/second, and a maximum of 20K VPN peers. Cisco's Firepower 4150 unit has 400 GB of storage and delivers 45 Gbps firewall throughput and 14 Gbps IPsec VPN performance. The 4150 firewall allows 30 million concurrent sessions, 263K new connections/second, and a maximum of 20K VPN peers.
Secure Firewall 4200 Series
Cisco's Secure Firewall 4200 appliances are modular 1RU firewalls designed for deployment at large enterprise campuses and data centers that need best-in-class throughput, visibility, and scalability. Cisco's Secure Firewall 4200 Series devices offer more than double the performance of previous generation firewalls from Cisco and feature high port density. Up to 8 units can be clustered for fault tolerance and future expansion. Crypto accelerator allows traffic decryption without performance loss, and zero trust application access (ZTAA) permits comprehensive threat inspection for apps. 4200 Series firewalls can be managed via the Firewall Management Center or in the cloud with Cisco Defense Orchestrator. Every 4200 model comes with 8x 1/10/25 Gigabit Ethernet integrated ports and features two interface module bays for easy upscaling. As many as 24 total Ethernet interfaces are supported. Each 4200 model includes 1.8 TB x 2 storage.
Cisco's Secure Firewall 4215 product is intended for enterprise campuses with high growth potential. The device offers 90 Gbps firewall throughput and 50 Gbps max IPsec VPN performance. The Secure Firewall 4215 supports 15 million simultaneous firewall connections, 1.4 M new connections per second, and as many as 20,000 VPN peers. The Secure Firewall 4225 product is intended for enterprise data centers. The device offers 95 Gbps firewall throughput and 60 Gbps IPsec VPN throughput. Cisco's 4225 firewall supports 30 million simultaneous firewall connections, 1.7 M new connections each second, and as many as 25,000 VPN peers. Cisco's Secure Firewall 4245 device is built for service providers who need to handle a very high volume of traffic. Cisco's 4245 delivers 180 Gbps firewall performance and 70 Gbps IPsec VPN performance. The 4245 can support 60 million simultaneous firewall connections, 2.0 M new connections per second, and up to 30,000 VPN peers.
Cisco Firepower 9300 Series NGFW Firewalls
Cisco's Firepower 9300 Series Next-Generation Firewalls are massively scalable and carrier-grade security appliances. The 3RU enclosure of Firepower 9300 Next-Generation Series firewalls accepts two add-in network modules and three security modules. Altogether, the Firepower 9300 can hold 24 10G Ethernet Enhanced Small Form-Factor Pluggable network interfaces or eight 100G interfaces. Clustering of up to five 9300 chassis delivers up to 1.2 Tbps of firewall throughput. The high-end Cisco Firepower 9300 SM-56 provides 70 Gbps firewall throughput and 27 Gbps IPsec VPN throughput. The unit allows 35 million concurrent sessions, 490K new connections per second, and up to 20,000 VPN peers.
Cisco's ASA 5500-X Series and Legacy Firewalls
Cisco's ASA 5500-X Series, ASA 5500, and PIX 500 firewall appliances offer integrated firewall, IPsec VPN, and intrusion prevention system (IPS) services in compact single-box packages, delivering a wide range of features to match the security and compliance needs of companies ranging from small and mid-size businesses to enterprises and ISPs. Cisco's ASA 5500-X Series, ASA 5500 Series, and PIX 500 firewalls allow network security teams to defend their network perimeter and provide safe offsite and mobile connectivity while using powerful administration tools built on Cisco's world-class firewall products.
Cisco's ASA 5500 and PIX firewall appliances have arrived at end-of-life (EOL) status but are still widely used in smaller organizations as well as in some enterprise data centers. Cisco's ASA 5500-X Next-Generation Firewalls deliver substantially more value and have superseded Cisco's ASA 5500 and PIX 500 families of firewalls for new installations. Still, Cisco's legacy firewalls, if carefully maintained, continue to deliver a high level of security by providing multiple features including stateful firewall, Virtual Private Network (VPN) connections, and IPS.
Following Cisco's purchase of Sourcefire, the whole family of Cisco ASA 5500-X firewalls can be provisioned to support Firepower Services, built on Sourcefire's Snort technology, which is the world's most deployed network intrusion protection system (IPS). Firepower services bring powerful new features including advanced malware protection (AMP), URL filtering, dynamic threat analytics, and security automation.
Progent's Cisco CCIE-premier infrastructure engineers can help your organization to support and troubleshoot legacy ASA 5500 Series and PIX firewalls and can also assist you to design and carry out a smooth migration to Cisco's ASA 5500-X Series firewalls with Firepower Services. Progent can also help you to design, configure, optimize, administer and debug new firewall solutions built on Cisco's latest ASA 5500-X firewalls with Firepower Services. Progent's firewall consultants can also assist your organization to upgrade from your Cisco ASA 5500-X deployment to Cisco's Firepower Next Generation Firewalls.
Cisco's ASA 5500-X Firewall Product Family
Cisco's extensive family of ASA 5500-X firewalls features an enhanced substitute for every rack-mountable unit in the older ASA 5500 line of firewalls. Each ASA 5500-X firewall targets the same environment as the corresponding previous models, which gives most organizations plenty of choice for picking a solution that meets their security requirements and budgets. All ASA 5500-X firewalls build on Cisco's tested stateful-inspection firewall technology and all incorporate 64-bit hardware with multicore CPUs and are capable of running Cisco's powerful security services. All devices in Cisco's ASA 5500-X family deliver dependable security across any combination of physical, virtual, and cloud deployments.
For additional information about Cisco's ASA 5500-X firewalls, Firepower services, and Progent's consulting for Cisco ASA security appliances, visit Cisco Firepower integration and debugging consulting
Firepower Services for ASA 5500-X Security Appliances
Cisco ASA 5500-X firewalls work with either software or physical modules that support Cisco's Firepower Services, which provide layered protection against advanced attacks. Firepower Services are based on innovative technology acquired by Cisco from Sourcefire. Key capabilities of Firepower Services for ASA 5500-X security appliances include:
- Layered protection against both familiar and zero-day threats
- Advanced Malware Protection that uses big data techniques to find and mitigate intrusions
- A Next-Generation Intrusion Prevention System (NGIPS) that provides contextual analysis that looks at clients, infrastructure, apps, and content to detect attacks that incorporate multiple approaches
- High-resolution Application Visibility and Control that is aware of thousands of applications and can automatically launch standard and customized IPS policies depending on the severity of threats
Firepower Services for Cisco ASA 5500-X firewalls offer advanced multi-layered security
Smaller implementations of Cisco ASA 5500-X firewalls can be effectively administered via Cisco's on-device Adaptive Security Device Manager (ASDM), a web utility provided with all ASA 5500-X versions. ASDM includes a convenient web console for deploying, administering, and troubleshooting ASA 5500-X devices and modules.
For multi-device and multi-site environments, ASA 5500-X firewalls with Firepower can be managed using Firepower Management Center, implemented as one or several physical or virtual appliances. Cisco's Firepower Management Center provides centralized firewall management, Application Visibility and Control, enhanced IPS, URL filtering, and Advanced Malware Protection (AMP). Because of frequent rebranding since Cisco's purchase of Sourcefire Defense Center, Firepower Management Center has been offered under several names that include Defense Center, Cisco Firesight Defense Center, and Cisco Firesight Management Center.
Firepower Management Center centralizes event and policy management for Firepower firewalls
Firepower Management Center offers capabilities beyond those available with Cisco's on-box ASDM utility. Additional features include expanded context awareness, Advanced Malware Protection with mitigation for user devices, a dashboard that offers dynamic network infrastructure visualization, automated policy tuning based on risk assessment of attacks, comprehensive IPS, custom app discovery for Application Visibility and Control, customized health notifications, improved reporting features, and APIs for host input and databases. Hardware-dependent options such as clustering, stacking, switching, routing, VPN, and NAT must be handled using either the on-box ASDM or the ASA command line interface.
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco Adaptive Security Appliances Firewalls leverage engineering developed for the PIX 500 Security Appliance, the IPS 4200 sensor, and the Cisco VPN 3000 Series concentrator. These solutions enable the Cisco Adaptive Security Appliances (ASA) 5500 Series Firewall product line to deliver a firewall that defends against the widest variety of attacks. Cisco Adaptive Security Appliances (ASA) Firewalls provide program security, local containment and control, and safe Virtual Private Network functionality across Cisco's product line. This breadth of security enables the guarding of any network area, which includes the most common threat conduits like remote locations, locally-connected inside users, and remote access VPNs.
The expandable design of the Cisco ASA 5500 Series permits you to add security services by installing service modules and security service cards. These easy-to-install enhancements provide the option of adding IPS and content protection functions like filtering virus, spyware, and phishing attacks and executing file and web filtering. Besides enabling you to react rapidly to the latest risk environments, the expandable architecture of the ASA 5500 Series also protects your hardware investment by prolonging the useful life of your security appliances. The Cisco ASA 5500 Series also leverages your investment in administrative staff training by utilizing the familiar library of PIX 500 security management tools and protocols including the Cisco ASDM platform, protected command-line interface availability, verbose syslog, and Simple Network Management Protocol (SNMP).
Cisco ASA 5500 Series firewalls provide a high level of application security through intelligent, application-aware inspection engines that analyze network flows at Layers 4-7. This results in a more secure network covering Web, voice, and mobile wireless access. To protect networks against application-layer assaults and to offer better policing of the applications and protocols used in their networks, these inspection engines incorporate broad application and protocol knowledge and rely on protection enforcement technologies such as anomaly detection and state tracking. Also included are assault detection and mitigation techniques including application/protocol command filtering and URL deobfuscation. Cisco ASA 5500 Series firewall inspection engines also provide management of IM and tunneling applications, allowing businesses to police usage policies and free up bandwidth for important business applications.
For additional information about Progent's consulting services for Cisco's ASA 5500 firewalls, see Cisco ASA 5500 series firewalls configuration and troubleshooting services.
Based upon a tested, specialized operating system that delivers rich protection services, Cisco PIX firewall appliances provide excellent protection and have earned Common Criteria Evaluation Assurance Level 4 status and ICSA Firewall and IPsec certification. Cisco PIX security appliances offer protection for a broad array of VoIP and other multimedia conventions including H.323 Version 4, Session Initiation Protocol, SCCP, RTSP, and Media Gateway Control Protocol (MGCP), enabling businesses to protect installations of a wide array of contemporary and next-generation Voice over IP and multimedia applications.
PIX firewall appliances feature a wealth of configuration, monitoring, and analysis features, giving IT managers the versatility to utilize the techniques that most closely match their requirements. Management solutions include centralized, policy-based management tools, integrated web-based management, and compatibility with remote-monitoring standards like SNMP and syslog. The integrated Cisco Adaptive Security Device Manager (ASDM) system offers a powerful Web-based control platform that significantly streamlines the deployment, ongoing modification, and monitoring of a single Cisco PIX security appliance without requiring any extra software other than a standard Web browser and Java plug-in to be running on an administrator's PC.
IT managers can furthermore remotely configure, monitor, and analyze PIX security appliances via a command-line interface (CLI). Safe CLI interface communication is possible using a number of techniques including Secure Shell (SSHv2) Protocol, Telnet through IP Security, and out-of-band through a console port. Cisco PIX firewall appliances also include dependable automatic-update features, a collection of advanced secure remote-administration services that ensure security settings and software images are kept current.
For additional information about Progent's support services for PIX 500 firewalls, see PIX firewalls configuration and debugging consulting.
Progent's Migration Consulting Support for Cisco Firewalls
Since Cisco has ceased selling the PIX and ASA 5500 families of firewalls, many businesses are uncomfortable with relying on a key security mechanism that may stop being supported by Cisco. ASA 5500-X and Firepower Series firewalls have the advantage of being new products and also offer a number of technical and economic advantages in comparison to PIX devices. These benefits include substantially higher performance, optional SSL VPN capability, and an expandable architecture that protects your investment by allowing you to self-install more security services when and if you require them. Progent's Cisco certified experts can help your company to assess the strategic value of migrating from PIX or ASA 5500 security appliances, design a migration process that allows for a quick and seamless upgrade, help you to deploy new ASA 5500-X Series or Firepower Series firewalls, and offer remote training, consulting, and technical support services.
Other Ways Progent Can Help Your Business with Cisco Firewalls
Cisco's Firepower Series, ASA Series, and PIX family security appliances incorporate an array of configuration, monitoring, and troubleshooting features which give you the ability to deploy these security appliances to match your company's requirements. Progent's CCIE authorized network professionals can assist you to design a cost-effective infrastructure that incorporates Cisco security appliances and that offers world-class protection, fault tolerance, throughput, and manageability. Progent's CISA and CISM-certified information security experts can help you to develop a security policy appropriate for your situation and can configure your firewall to support your security policies. Progent's risk evaluation engineers can evaluate the effectiveness of your existing firewall solution and audit the security of your entire IS environment. Progent's Technical Response Center (TRC) can deliver emergency online troubleshooting for Cisco technology and offer quick access to a Cisco CCIE network engineer.
Integration of Cisco and Third-party Security Technology
Progent offers expertise in firewall and VPN products from all major vendors and can help you integrate Cisco technology with additional security solutions to help you build a cost-effective network infrastructure that provides a level of security and flexibility appropriate for your business. Third-party firewall and VPN support services available from Progent include:
For more information about Progent's consulting and support services for Cisco technology, call 1-800-993-9400 or visit Contact Progent.