At 24/7 Networks, we get a lot of questions about Cisco's strategy regarding the legacy Cisco ASA appliances and the new FirePower 2100, 4100 and 9300-series appliances. Customers have been asking, "I have to upgrade - which one do I choose?" Not sure which is the best for your organization? Let me provide you some pros and cons of both options.
But first, a bit of history.
In the beginning, there was the ubiquitous Cisco ASA (Adaptive Security Appliance). This was the de-facto standard for Layer 3 and 4 firewalls. VPN remote access, it was all done on this platform. However, security changed - instead of ports and protocols, firewalls needed to look at applications and behavior. Other vendors released their Next Generation Firewalls (NGFW), and Cisco had to catch up.
So, what does Cisco do? July of 2013, Cisco spent $2.3 billion for SourceFire, a preeminent manufacturer of Next Generation Firewalls. Since then, Cisco has spent millions integrating the SourceFire purchase with their existing ASA firewalls. The SourceFire firewall is commonly referred to as FirePower.
For the last few years, if you had a Cisco ASA 5500-X series firewall, you could run a virtualized instance of FirePower right on your ASA as a separate instance. You still had to manage the ASA, then manage the FirePower. Two interfaces were never great, so the security team at Cisco merged the functionality of the ASA with the NGFW capabilities of the FirePower. This new image is called FirePower Threat Defense, or FTD for short.
FTD does NOT have feature parity with the ASA. For the basic functionality, you're fine, but if you do complex remote access VPN policies (like DAP), that feature isn't included with FTD. They're working on it, but it's not a 1:1 replacement - you need to do a bit of due diligence.
On to today....
If you have a Cisco ASA 5500-X appliance, you can either run the legacy ASA image (plus a FirePower virtual NGFW), or now you have the option to convert your 5500-X to FTD. I wouldn't say that customers have been chomping at the bit to make this change, since everyone is familiar with ASA and doing upgrades for the sake of upgrades isn't high on anyone's list.
In the last year, Cisco has released the successor product line to the ASA 5500-X. The next-gen product lines are the Cisco FirePower 2100, 4100 and 9100 appliances. They are MUCH faster, have considerably more interfaces and scalability, and are at a much better price-per-gig price point.
Here's an old vs. new chart on list price on the ASA and FPR appliances:
- ASA 5525: $8,995 - 650 Mbps
- ASA 5545: $17,995 - 1 Gbps
- ASA 5555: $24,995 - 1.25 Gbps
- FPR 2110: $10,995 - 2 Gbps
- FPR 2120: $19,995 - 3 Gbps
- FPR 2130: $29,995 - 4.75 Gbps
- FPR 2140: $69,995 - 8.5 Gbps
For most mid-market customers, the 2110 is going to be the sweet spot. You get 2x the performance at 1/2 the cost. It's a no-brainer to pick the newer product line.
But read on… There’s a catch!
On the new FirePower appliances, you can run ASA or FTD images. It's very flexible. But, if you run ASA, you can ONLY run ASA - no NGFW capabilities. If you want NGFW - and you do - you must run an FTD image. Because you're switching to FTD, you need to make sure the capacities you need are in the product line.
- The new Cisco 2100/4100/9300 appliances have more capacity/bang for the buck than the old ASA 5500-X appliances.
- The Firepower Threat Defense (FTD) software image that's available on the 5500-X and new 2100/4100/9300 appliances doesn't have all the features that the legacy ASA code has.
- If you want NGFW capabilities on the new 2100/4100/9300 appliances, you must run an FTD image. You can still run ASA code on the 2100/4100/9300 platform, without the NGFW feature.
If you need an evaluation of your current ASA platform and what it'd take to migrate to FTD, please feel free to contact us!
(Here are the part numbers referenced in the price chart above: ASA5525-K9,ASA5545-K9,ASA5555-K9,FPR2110,FPR2120,FPR2130,FPR2140)