
Cisco Firepower 6.5

A Welcome Upgrade!

By Liam Keegan - December 2, 2019

I've been working a lot on #programmability and #automation, and one of the platforms I've been dedicating time to has been #Cisco #FirePower.
I have two long-standing gripes about the platform.
  1. It's really slow to push commits. Like, really slow. Did I mention it's slow?
  2. Where are the hit counters for ACL rules? I need to know what's getting hit and what isn't without writing a report.
I recently spun up a new set of Firepower 6.5.0 instances, consisting of a Firepower Management Center Virtual (vFMC) and a Firepower Threat Defense Virtual (vFTD). I'm running this on a Cisco UCS C220 M4 with spinning disks (no SSD), and the overall performance of both the vFMC and vFTD is much faster. And we have hit counters!
It's not often that performance improvements are this visible, but a standard ACL push now completes in about one minute on fairly modest hardware. Compare this to 4-5 minutes in previous versions.
One minute, nine seconds for an ACL push.
The lack of hit counters has always been a pain. There have been ways to work around it, but the underlying issue is that when you manage a set of firewalls that may or may not share the same policies, there hasn't been an easy way to see just one firewall's metrics. Until now!
Open your policy, then click Analyze Hit Counts:
[Screenshot: the Analyze Hit Counts button in the access control policy]
Pick the device you'd like to view, and boom, there you go.
[Screenshot: per-device hit counts for the selected policy]
All in all, a nice change. I'd recommend looking at getting your infrastructure upgraded to 6.5, but note that some ASA models (specifically the ASA 5506, 5512 and 5515) are not supported. Given the price-to-performance ratio, it's well worth simply replacing these lower-end boxes with the newest Firepower 1000 series appliances.
A new Firepower 1010 appliance, rated for 650 Mbps of throughput, costs $1,100 list (part number FPR1010-NGFW-K9). Compare that to the ASA 5512, rated for 500 Mbps of throughput, at $4,000 list. Add a 5-year full security license (L-FPR1010T-TMC-5Y at $2,870 list) and the total comes to $3,970 list, still under the hardware-only list price of the ASA 5512, for an updated platform with five years of protection.
Cisco is making a lot of progress getting the price points and performance where it needs to be, as well as making key usability improvements. Good job!