This article is about Cisco Firewalls. It aggregates available information from datasheets published by Cisco.

Cisco ASA

ASA, or Adaptive Security Appliance, is one of the most commonly deployed firewalls and the successor to Cisco PIX, Cisco’s first firewall, which became available with the acquisition of Network Translation in 1995.

The original ASA line consisted of 6 models with the following parameters, as published on the Cisco website. All of the models below are well past their End-of-Sale date.

IPS performance numbers can be achieved only with the Advanced Inspection and Prevention (AIP) hardware module.

| Model | Form-factor | Firewall Mbps | FW + IPS Mbps | VPN AES Mbps | Sessions |
|---|---|---|---|---|---|
| 5505 | Desktop | 150 | 75 | 100 | 25,000 |
| 5510 | 1RU | 300 | 300 | 170 | 130,000 |
| 5520 | 1RU | 450 | 450 | 225 | 280,000 |
| 5540 | 1RU | 650 | 650 | 325 | 400,000 |
| 5550 | 1RU | 1,200 | N/A | 425 | 650,000 |
| 5580-20 | 4RU | 5,000 | N/A | 1,000 | 1,000,000 |
| 5580-40 | 4RU | 10,000 | N/A | 1,000 | 2,000,000 |

Table 1. Legacy ASA Performance

More information is available on the official Cisco website.

The next generation of the Cisco ASA line introduced Next-Gen features, such as antivirus, file blocking, antispam, URL blocking and content control, through a new hardware security module called the Content Security and Control (CSC) module for the ASA 5520/40/80. The new ASA 5525-X, 5545-X and 5555-X models had these features available without any additional hardware.

The new X models also had significantly higher throughput. Below are the published specs for the newer models:

| Model | Firewall (UDP-based) Mbps | Firewall (Multi-protocol) Mbps | FW+IPS Mbps | Next-Gen Throughput Mbps | VPN AES Mbps | Sessions |
|---|---|---|---|---|---|---|
| 5520 | 450 | * | 450 | ** | 225 | 280,000 |
| 5525-X | 2,000 | 1,000 | 600 | 650 | 300 | 500,000 |
| 5540 | 650 | * | 650 | ** | 325 | 400,000 |
| 5545-X | 3,000 | 1,500 | 900 | 1,000 | 400 | 750,000 |
| 5550 | 1,200 | * | N/A | ** | 425 | 650,000 |
| 5555-X | 4,000 | 2,000 | 1,300 | 1,400 | 700 | 1,000,000 |

Table 2. ASA Gen2 Performance

* – Performance data is not published.
** – CSC module is responsible for Next-Gen features on these models. Performance data is not published.

Cisco also made multi-protocol firewall throughput numbers available for the new platforms, based on multiple TCP-based applications such as HTTP, SMTP and FTP. The table above shows values for both the maximum achievable throughput and the closer-to-real-life multi-protocol throughput.

The current product line includes Next-Gen features, such as Sourcefire Threat and Advanced Malware Protection. These technologies became available with Cisco’s acquisition of Sourcefire in 2013. The firewall model names have “with FirePOWER Services” added to the 55xx series, as per the table below.

| Model | Form-factor | Firewall (Multi-protocol) Mbps | FW + AVC Mbps | FW + AVC + NGIPS Mbps | FW + AVC + NGIPS 440 byte Mbps | VPN AES Mbps | Sessions |
|---|---|---|---|---|---|---|---|
| 5506-X, 5506W-X, 5506H-X | Desk (W - is for wireless, H - is ruggedized) | 300 | 250 | 125 | 90 | 100 | 50,000 |
| 5508-X | 1RU | 500 | 450 | 250 | 180 | 175 | 100,000 |
| 5516-X | 1RU | 900 | 850 | 450 | 300 | 250 | 250,000 |
| 5525-X | 1RU | 1,000 | 1,000 | 650 | 375 | 300 | 500,000 |
| 5545-X | 1RU | 1,500 | 1,500 | 1,000 | 575 | 400 | 750,000 |
| 5555-X | 1RU | 2,000 | 1,750 | 1,250 | 725 | 700 | 1,000,000 |

Table 3. ASA Current Gen Performance

The current models can either run:

  • ASA software with FirePOWER services as a software module managed by FirePOWER Management Center.
  • FTD, or the unified image, with a single control plane. Traditional ASA configuration via the CLI will not be available to perform changes.

The screenshot of the software download page shows the options for ASA5506-X as an example. The options marked with a red dot are required to image an ASA with FirePOWER services. The blue dot option is the unified image.

Cisco Firepower Series

Firepower devices include 4 series of products: Firepower 1000, 2100, 4100 and 9300.

All Firepower devices can run the FTD image and either support or will support the ASA image.

The Firepower 1000 series is the most recent addition to the family and has impressive performance numbers, especially with NGIPS and AVC features enabled. At the time of writing, Firepower 1000 supports only the FTD image. It can be managed locally via Firepower Device Manager or centrally via Management Center.

| Model | Form-factor | Firewall (Multi-protocol) Mbps | FW+AVC 1024 byte Mbps | FW + AVC + NGIPS 1024 byte Mbps | VPN AES Mbps | TLS Mbps | Sessions |
|---|---|---|---|---|---|---|---|
| 1010 | Desk | 650 | 650 | 650 | 300 | 150 | 100,000 |
| 1120 | 1RU | 1,500 | 1,500 | 1,500 | 1,000 | 700 | 200,000 |
| 1140 | 1RU | 2,200 | 2,200 | 2,200 | 1,200 | 1,000 | 400,000 |

Table 4. FTD 1000 Series Performance

The Firepower 2100 series consists of 4 models and has a dual multi-core CPU architecture. FTD performance is as per the table below. All devices are 1RU.

| Model | Firewall Max (UDP) Mbps | FW+AVC 1024 byte Mbps | FW + AVC + NGIPS 1024 byte Mbps | VPN AES Mbps | TLS Mbps | Sessions |
|---|---|---|---|---|---|---|
| 2110 | 3,000 | 2,300 | 2,300 | 800 | 365 | 1,000,000 |
| 2120 | 6,000 | 3,000 | 3,000 | 1,000 | 475 | 1,500,000 |
| 2130 | 10,000 | 5,000 | 5,000 | 1,600 | 735 | 2,000,000 |
| 2140 | 20,000 | 9,000 | 9,000 | 3,200 | 1,400 | 3,000,000 |

Table 5. Firepower 2100 Series Performance - FTD Image

Cisco also publishes performance numbers for the Firepower 2100 running the ASA image, captured in the next table.

| Model | Firewall Max (UDP) Mbps | Firewall (Multi-protocol) Mbps | VPN AES Mbps | Sessions |
|---|---|---|---|---|
| 2110 | 3,000 | 1,500 | 500 | 1,000,000 |
| 2120 | 6,000 | 3,000 | 700 | 1,500,000 |
| 2130 | 10,000 | 5,000 | 1,000 | 2,000,000 |
| 2140 | 20,000 | 10,000 | 2,000 | 3,000,000 |

Table 6. Firepower 2100 Series Performance - ASA Image

The Firepower 4100 series consists of 7 models. The original models are 41×0; the 41×5 models are a more recent addition. All devices are 1RU. This series can operate at much higher speeds and is positioned for data center use. It can also run multiple FTD instances using Docker container packaging.

The device has 2 x86 CPUs, with internal hardware optimization provided by programmable Smart NICs and Crypto Accelerators.

Numbers for 450-byte packet size are also published and are shown in the table below for the FTD image.

| Model | Firewall Max (UDP) Mbps | FW+AVC 1024 byte Mbps | FW+AVC 450 byte Mbps | FW+AVC + NGIPS 1024 byte Mbps | FW+AVC + NGIPS 450 byte Mbps | VPN AES Mbps | TLS Mbps | Sessions |
|---|---|---|---|---|---|---|---|---|
| 4110 | 35,000 | 13,000 | 3,500 | 11,000 | 2,500 | 6,000 | 4,500 | 10,000,000 |
| 4115 | 80,000 | 27,000 | 10,000 | 26,000 | 7,000 | 8,000 | 6,500 | 15,000,000 |
| 4120 | 60,000 | 22,000 | 6,500 | 19,000 | 4,500 | 10,000 | 7,100 | 15,000,000 |
| 4125 | 80,000 | 40,000 | 13,000 | 35,000 | 9,000 | 14,000 | 8,000 | 25,000,000 |
| 4140 | 70,000 | 32,000 | 9,500 | 27,000 | 6,500 | 13,000 | 7,300 | 25,000,000 |
| 4145 | 80,000 | 53,000 | 17,000 | 45,000 | 12,000 | 18,000 | 10,000 | 30,000,000 |
| 4150 | 75,000 | 45,000 | 14,500 | 39,000 | 10,000 | 14,000 | 7,500 | 30,000,000 |

Table 7. Firepower 4100 Series Performance - FTD Image

Performance of the 4100 series with the ASA image is as per the table below.

| Model | Firewall Max (UDP) Mbps | Firewall (Multi-protocol) Mbps | VPN AES Mbps | Sessions |
|---|---|---|---|---|
| 4110 | 35,000 | 15,000 | 8,000 | 10,000,000 |
| 4115 | 80,000 | 40,000 | 15,000 | 15,000,000 |
| 4120 | 60,000 | 30,000 | 10,000 | 15,000,000 |
| 4125 | 80,000 | 45,000 | 19,000 | 25,000,000 |
| 4140 | 70,000 | 40,000 | 14,000 | 25,000,000 |
| 4145 | 80,000 | 50,000 | 23,000 | 40,000,000 |
| 4150 | 75,000 | 50,000 | 15,000 | 35,000,000 |

Table 8. Firepower 4100 Series Performance - ASA Image

Firepower 9300 is a carrier-grade modular firewall in a 3RU form factor. Each firewall can have up to 3 security modules of the same type installed, which are internally clustered. Security modules have the same architecture as the Firepower 4100, with 2 x86 CPUs, Smart NIC and Crypto Accelerator.

Model numbering and naming are based on the number of CPU cores per socket. Performance is published for a single security module and for 3x clustered modules to show how throughput scales.

| Model | Firewall Max (UDP) Mbps | FW+AVC 1024 byte Mbps | FW+AVC 450 byte Mbps | FW+AVC + NGIPS 1024 byte Mbps | FW+AVC + NGIPS 450 byte Mbps | VPN AES Mbps | TLS Mbps | Sessions |
|---|---|---|---|---|---|---|---|---|
| SM-24 | 75,000 | 25,000 | 7,500 | 21,000 | 5,000 | 13,500 | 7,500 | 30,000,000 |
| SM-36 | 80,000 | 34,000 | 9,500 | 29,000 | 7,000 | 16,000 | 8,500 | 30,000,000 |
| SM-44 | 80,000 | 50,000 | 16,000 | 43,000 | 11,500 | 17,000 | 10,000 | 30,000,000 |
| 3x SM-44 | 234,000 | 148,000 | 48,000 | 132,000 | 32,500 | 51,000 | 25,000 | 63,000,000 |
| SM-40 | 80,000 | 54,000 | 19,000 | 48,000 | 13,000 | 20,000 | 10,000 | 35,000,000 |
| SM-48 | 80,000 | 64,000 | 22,000 | 55,000 | 15,000 | 25,000 | 11,000 | 35,000,000 |
| SM-56 | 80,000 | 70,000 | 25,000 | 64,000 | 18,000 | 27,000 | 12,000 | 35,000,000 |
| 3x SM-56 | 235,000 | 168,000 | 60,000 | 153,000 | 43,000 | 81,000 | 28,000 | 60,000,000 |

Table 9. Firepower 9300 Series Performance - FTD Image

Performance of the 9300 with the ASA image is as per the table below.

| Model | Firewall Max (UDP) Mbps | Firewall (Multi-protocol) Mbps | VPN AES Mbps | Sessions |
|---|---|---|---|---|
| SM-24 | 75,000 | 50,000 | 15,000 | 55,000,000 |
| SM-36 | 80,000 | 60,000 | 18,000 | 60,000,000 |
| SM-44 | 80,000 | 60,000 | 20,000 | 60,000,000 |
| 3x SM-44 | 234,000 | 130,000 | 60,000 | 70,000,000 |
| SM-40 | 80,000 | 55,000 | 25,000 | 55,000,000 |
| SM-48 | 80,000 | 60,000 | 27,000 | 60,000,000 |
| SM-56 | 80,000 | 64,000 | 30,000 | 60,000,000 |
| 3x SM-56 | 235,000 | 172,000 | 74,000 | 195,000,000 |

Table 10. Firepower 9300 Series Performance - ASA Image

Cisco ASAv

ASAv is a virtualized Cisco ASA that can be deployed on all popular virtualization platforms, including VMware ESXi, KVM and Hyper-V. Use cases for virtualized platforms include data center deployments with Cisco ACI, where firewall provisioning and insertion can be automated. ASAv is also supported in Azure and AWS.

There are 4 models available, with parameters and performance numbers as per the table below. Measurements were performed on a Xeon E5-2690v4 with SR-IOV.

| Model | vCPUs | RAM GB | Firewall Max (UDP) Mbps | Firewall (Multi-protocol) Mbps | VPN AES Mbps | Sessions |
|---|---|---|---|---|---|---|
| ASAv5 | 1 | 1.5 | 100 | 50 | 50 | 50,000 |
| ASAv10 | 1 | 2 | 1,000 | 500 | 250 | 100,000 |
| ASAv30 | 4 | 8 | 2,000 | 1,000 | 750 | 500,000 |
| ASAv50 | 8 | 16 | 10,000 | 5,000 | 10,000 | 2,000,000 |

Table 11. Cisco ASAv Performance

Cisco NGFWv

NGFWv can be deployed on VMware ESXi and KVM. Hyper-V is not supported. Both Azure and AWS can host NGFWv. The use cases for NGFWv are the same as for Cisco ASAv.

There are 3 supported CPU/RAM configurations listed below.

| vCPUs | RAM GB | FW+AVC 1024 byte Mbps |
|---|---|---|
| 4 | 8 | 2,000 |
| 8 | 16 | 4,000 |
| 12 | 24 | 8,000 |

Table 12. Cisco NGFWv Performance

Meraki MX

Cisco acquired Meraki in 2012. Meraki products are cloud-controlled and target customers looking for simpler management and rapid provisioning. There are unique features, such as Auto VPN, which provides a very quick and simple way to establish full-mesh site-to-site VPN connectivity. This is possible due to the centralized cloud control plane, which manages security parameters automatically.

There are some drawbacks in configuration flexibility and feature set. For example, Application Layer Gateway (ALG) functionality is not supported on MX firewalls, which can affect VoIP support. See the following URL for details.

The base license includes stateful firewall and Auto VPN features. The Advanced Security Services license unlocks IPS, Advanced Malware Protection and Content Filtering.

Meraki MX firewalls for small branches include the following models:

  • MX64, MX64W
  • MX65, MX65W (similar to MX64, but with extra ports)
  • MX67, MX67W, MX67C
  • MX68, MX68W, MX68CW (similar to MX67, but with extra ports)

W in the model number denotes wireless support and C denotes built-in 3G/4G. All models support 3G/4G USB modems for failover connectivity.

Medium branch:

  • MX84
  • MX100

Large branch/campus:

  • MX250
  • MX450

Public cloud support is possible with vMX. It can be deployed on AWS and Azure to provide VPN concentrator functionality.

| Model | Stateful Firewall Mbps | VPN Throughput Mbps | Recommended number of users |
|---|---|---|---|
| MX64, MX64W, MX65, MX65W | 250 | 100 | 50 |
| MX67, MX67W, MX67C, MX68, MX68W, MX68CW | 450 | 200 | 50 |
| MX84 | 500 | 250 | 200 |
| MX100 | 750 | 500 | 500 |
| MX250 | 4,000 | 1,000 | 2,000 |
| MX450 | 6,000 | 2,000 | 10,000 |
| vMX100 | 500 | 500 | N/A |

Table 13. Meraki MX Performance