This article is about Cisco Firewalls. It aggregates available information from datasheets published by Cisco.
Cisco ASA
ASA, or Adaptive Security Appliance, is one of the most commonly deployed firewalls and the successor of Cisco PIX, Cisco’s first firewall, which came with the acquisition of Network Translation in 1995.
The original ASA line consisted of 6 models with the following parameters, as published on the Cisco website. All of the models below are well past their End-of-Sale date.
The IPS performance numbers can be achieved only with the Advanced Inspection and Prevention (AIP) hardware module installed.
Model | Form-factor | Firewall Mbps | FW + IPS Mbps | VPN AES Mbps | Sessions |
---|---|---|---|---|---|
5505 | Desktop | 150 | 75 | 100 | 25,000 |
5510 | 1RU | 300 | 300 | 170 | 130,000 |
5520 | 1RU | 450 | 450 | 225 | 280,000 |
5540 | 1RU | 650 | 650 | 325 | 400,000 |
5550 | 1RU | 1,200 | N/A | 425 | 650,000 |
5580-20 | 4RU | 5,000 | N/A | 1,000 | 1,000,000 |
5580-40 | 4RU | 10,000 | N/A | 1,000 | 2,000,000 |
Table 1. Legacy ASA Performance
More information is available on the official Cisco website.
The next generation of the Cisco ASA line introduced Next-Gen features, such as antivirus, file blocking, antispam, URL blocking and content control, with a new hardware security module called the Content Security and Control (CSC) Module for the ASA 5520/40/80. The new ASA 5525-X, 5545-X and 5555-X models had these features available without any additional hardware.
The new X models also had significantly higher throughput. Below are the published specs for the newer models:
Model | Firewall (UDP-based) Mbps | Firewall (Multi-protocol) Mbps | FW+IPS Mbps | Next-Gen Throughput Mbps | VPN AES Mbps | Sessions |
---|---|---|---|---|---|---|
5520 | 450 | * | 450 | ** | 225 | 280,000 |
5525-X | 2,000 | 1,000 | 600 | 650 | 300 | 500,000 |
5540 | 650 | * | 650 | ** | 325 | 400,000 |
5545-X | 3,000 | 1,500 | 900 | 1,000 | 400 | 750,000 |
5550 | 1,200 | * | N/A | ** | 425 | 650,000 |
5555-X | 4,000 | 2,000 | 1,300 | 1,400 | 700 | 1,000,000 |
Table 2. ASA Gen2 Performance
* – Performance data is not published.
** – The CSC module is responsible for Next-Gen features on these models. Performance data is not published.
Cisco also published multi-protocol firewall throughput numbers for the new platforms, measured with a mix of TCP-based applications such as HTTP, SMTP and FTP. The table above shows both the maximum achievable (UDP-based) figure and the multi-protocol figure, which is closer to real-life performance.
The second-generation models’ data sheet is available here.
The current product line includes Next-Gen features such as Sourcefire threat detection and Advanced Malware Protection. These technologies became available with Cisco’s acquisition of Sourcefire in 2013. The model name has “with FirePOWER Services” appended to the 55xx series, as per the table below.
Model | Form-factor | Firewall (Multi-protocol) Mbps | FW + AVC Mbps | FW + AVC + NGIPS Mbps | FW + AVC + NGIPS 440 byte Mbps | VPN AES Mbps | Sessions |
---|---|---|---|---|---|---|---|
5506-X, 5506W-X, 5506H-X | Desktop (W: wireless, H: ruggedized) | 300 | 250 | 125 | 90 | 100 | 50,000 |
5508-X | 1RU | 500 | 450 | 250 | 180 | 175 | 100,000 |
5516-X | 1RU | 900 | 850 | 450 | 300 | 250 | 250,000 |
5525-X | 1RU | 1,000 | 1,000 | 650 | 375 | 300 | 500,000 |
5545-X | 1RU | 1,500 | 1,500 | 1,000 | 575 | 400 | 750,000 |
5555-X | 1RU | 2,000 | 1,750 | 1,250 | 725 | 700 | 1,000,000 |
Table 3. ASA Current Gen Performance
The current models can run either:
- ASA software with FirePOWER Services as a software module, managed by Firepower Management Center.
- FTD, the unified image with a single control plane. The traditional ASA CLI configuration is not available for making changes.
The screenshot of the software download page shows the options for the ASA5506-X as an example: the options marked with a red dot are required to image the ASA with FirePOWER Services, and the option marked with a blue dot is the unified image.
Cisco Firepower Series
The Firepower family includes 4 series of products:
- Firepower 1000 series
- Firepower 2100 series
- Firepower 4100 series (41x0 and 41x5)
- Firepower 9000 series (SM-24, SM-36, SM-44 and SM-40, SM-48, SM-56)
All Firepower devices can run the FTD image and either support or will support the ASA image.
The Firepower 1000 series is the most recent addition to the family and has impressive performance numbers, especially with the NGIPS and AVC features enabled. At the time of writing, Firepower 1000 supports only the FTD image. Both local management via Firepower Device Manager and centralized management via Firepower Management Center are available.
Model | Form-factor | Firewall (Multi-protocol) Mbps | FW+AVC 1024 byte Mbps | FW + AVC + NGIPS 1024 byte Mbps | VPN AES Mbps | TLS Mbps | Sessions |
---|---|---|---|---|---|---|---|
1010 | Desk | 650 | 650 | 650 | 300 | 150 | 100,000 |
1120 | 1RU | 1,500 | 1,500 | 1,500 | 1,000 | 700 | 200,000 |
1140 | 1RU | 2,200 | 2,200 | 2,200 | 1,200 | 1,000 | 400,000 |
Table 4. FTD 1000 Series Performance
The Firepower 2100 series consists of 4 models and has a dual multi-core CPU architecture. FTD performance is as per the table below. All devices are 1RU.
Model | Firewall Max (UDP) Mbps | FW+AVC 1024 byte Mbps | FW + AVC + NGIPS 1024 byte Mbps | VPN AES Mbps | TLS Mbps | Sessions |
---|---|---|---|---|---|---|
2110 | 3,000 | 2,300 | 2,300 | 800 | 365 | 1,000,000 |
2120 | 6,000 | 3,000 | 3,000 | 1,000 | 475 | 1,500,000 |
2130 | 10,000 | 5,000 | 5,000 | 1,600 | 735 | 2,000,000 |
2140 | 20,000 | 9,000 | 9,000 | 3,200 | 1,400 | 3,000,000 |
Table 5. Firepower 2100 Series Performance - FTD Image
Cisco also publishes performance numbers for the Firepower 2100 running the ASA image; these are captured in the next table.
Model | Firewall Max (UDP) Mbps | Firewall (Multi-protocol) Mbps | VPN AES Mbps | Sessions |
---|---|---|---|---|
2110 | 3,000 | 1,500 | 500 | 1,000,000 |
2120 | 6,000 | 3,000 | 700 | 1,500,000 |
2130 | 10,000 | 5,000 | 1,000 | 2,000,000 |
2140 | 20,000 | 10,000 | 2,000 | 3,000,000 |
Table 6. Firepower 2100 Series Performance - ASA Image
The Firepower 4100 series consists of 7 models: the original 41x0 models and the more recent 41x5 additions. All devices are 1RU. This series operates at much higher speeds and is positioned for data center use. It can also run multiple FTD instances packaged as Docker containers.
Each device has 2 x86 CPUs plus internal hardware offload via programmable Smart NICs and crypto accelerators.
450-byte packet size numbers are also published and are shown in the table below for the FTD image.
Model | Firewall Max (UDP) Mbps | FW+AVC 1024 byte Mbps | FW+AVC 450 byte Mbps | FW+AVC + NGIPS 1024 byte Mbps | FW+AVC + NGIPS 450 byte Mbps | VPN AES Mbps | TLS Mbps | Sessions |
---|---|---|---|---|---|---|---|---|
4110 | 35,000 | 13,000 | 3,500 | 11,000 | 2,500 | 6,000 | 4,500 | 10,000,000 |
4115 | 80,000 | 27,000 | 10,000 | 26,000 | 7,000 | 8,000 | 6,500 | 15,000,000 |
4120 | 60,000 | 22,000 | 6,500 | 19,000 | 4,500 | 10,000 | 7,100 | 15,000,000 |
4125 | 80,000 | 40,000 | 13,000 | 35,000 | 9,000 | 14,000 | 8,000 | 25,000,000 |
4140 | 70,000 | 32,000 | 9,500 | 27,000 | 6,500 | 13,000 | 7,300 | 25,000,000 |
4145 | 80,000 | 53,000 | 17,000 | 45,000 | 12,000 | 18,000 | 10,000 | 30,000,000 |
4150 | 75,000 | 45,000 | 14,500 | 39,000 | 10,000 | 14,000 | 7,500 | 30,000,000 |
Table 7. Firepower 4100 Series Performance - FTD Image
The 4100 series ASA image performance is as per the table below.
Model | Firewall Max (UDP) Mbps | Firewall (Multi-protocol) Mbps | VPN AES Mbps | Sessions |
---|---|---|---|---|
4110 | 35,000 | 15,000 | 8,000 | 10,000,000 |
4115 | 80,000 | 40,000 | 15,000 | 15,000,000 |
4120 | 60,000 | 30,000 | 10,000 | 15,000,000 |
4125 | 80,000 | 45,000 | 19,000 | 25,000,000 |
4140 | 70,000 | 40,000 | 14,000 | 25,000,000 |
4145 | 80,000 | 50,000 | 23,000 | 40,000,000 |
4150 | 75,000 | 50,000 | 15,000 | 35,000,000 |
Table 8. Firepower 4100 Series Performance - ASA Image
Firepower 9300 is a carrier-grade modular firewall in a 3RU form factor. Each chassis can have up to 3 security modules of the same type installed, which are internally clustered. The security modules have the same architecture as the Firepower 4100, with 2 x86 CPUs, a Smart NIC and a crypto accelerator.
The model number and naming are based on the number of CPU cores per socket. Performance is published for a single security module and for 3 clustered modules to show how throughput scales.
Model | Firewall Max (UDP) Mbps | FW+AVC 1024 byte Mbps | FW+AVC 450 byte Mbps | FW+AVC + NGIPS 1024 byte Mbps | FW+AVC + NGIPS 450 byte Mbps | VPN AES Mbps | TLS Mbps | Sessions |
---|---|---|---|---|---|---|---|---|
SM-24 | 75,000 | 25,000 | 7,500 | 21,000 | 5,000 | 13,500 | 7,500 | 30,000,000 |
SM-36 | 80,000 | 34,000 | 9,500 | 29,000 | 7,000 | 16,000 | 8,500 | 30,000,000 |
SM-44 | 80,000 | 50,000 | 16,000 | 43,000 | 11,500 | 17,000 | 10,000 | 30,000,000 |
3x SM-44 | 234,000 | 148,000 | 48,000 | 132,000 | 32,500 | 51,000 | 25,000 | 63,000,000 |
SM-40 | 80,000 | 54,000 | 19,000 | 48,000 | 13,000 | 20,000 | 10,000 | 35,000,000 |
SM-48 | 80,000 | 64,000 | 22,000 | 55,000 | 15,000 | 25,000 | 11,000 | 35,000,000 |
SM-56 | 80,000 | 70,000 | 25,000 | 64,000 | 18,000 | 27,000 | 12,000 | 35,000,000 |
3x SM-56 | 235,000 | 168,000 | 60,000 | 153,000 | 43,000 | 81,000 | 28,000 | 60,000,000 |
Table 9. Firepower 9300 Series Performance - FTD Image
The 9300 ASA image performance is as per the table below.
Model | Firewall Max (UDP) Mbps | Firewall (Multi-protocol) Mbps | VPN AES Mbps | Sessions |
---|---|---|---|---|
SM-24 | 75,000 | 50,000 | 15,000 | 55,000,000 |
SM-36 | 80,000 | 60,000 | 18,000 | 60,000,000 |
SM-44 | 80,000 | 60,000 | 20,000 | 60,000,000 |
3x SM-44 | 234,000 | 130,000 | 60,000 | 70,000,000 |
SM-40 | 80,000 | 55,000 | 25,000 | 55,000,000 |
SM-48 | 80,000 | 60,000 | 27,000 | 60,000,000 |
SM-56 | 80,000 | 64,000 | 30,000 | 60,000,000 |
3x SM-56 | 235,000 | 172,000 | 74,000 | 195,000,000 |
Table 10. Firepower 9300 Series Performance - ASA Image
Cisco ASAv
ASAv is a virtualized Cisco ASA that can be deployed on all popular virtualization platforms, including VMware ESXi, KVM and Hyper-V. Use cases for the virtual platform include data center deployments with Cisco ACI, where firewall provisioning and insertion can be automated. ASAv is also supported in Azure and AWS.
There are 4 models available, with parameters and performance numbers as per the table below. Measurements were performed on a Xeon E5-2690v4 with SR-IOV.
Model | vCPUs | RAM GB | Firewall Max (UDP) Mbps | Firewall (Multi-protocol) Mbps | VPN AES Mbps | Sessions |
---|---|---|---|---|---|---|
ASAv5 | 1 | 1.5 | 100 | 50 | 50 | 50,000 |
ASAv10 | 1 | 2 | 1,000 | 500 | 250 | 100,000 |
ASAv30 | 4 | 8 | 2,000 | 1,000 | 750 | 500,000 |
ASAv50 | 8 | 16 | 10,000 | 5,000 | 10,000 | 2,000,000 |
Table 11. Cisco ASAv Performance
Cisco NGFWv
NGFWv can be deployed on VMware ESXi and KVM; Hyper-V is not supported. Both Azure and AWS can host NGFWv. The use cases for NGFWv are the same as for Cisco ASAv.
There are 3 supported CPU/RAM configurations, listed below.
vCPUs | RAM GB | FW+AVC 1024 byte Mbps |
---|---|---|
4 | 8 | 2,000 |
8 | 16 | 4,000 |
12 | 24 | 8,000 |
Table 12. Cisco NGFWv Performance
Meraki MX
Cisco acquired Meraki in 2012. Meraki products are cloud-managed and target customers looking for simpler management and rapid provisioning. There are unique features, such as Auto VPN, which provides a very quick and simple way to establish full-mesh site-to-site VPN connectivity. This is possible thanks to the centralized cloud control plane, which manages the security parameters automatically.
There are some drawbacks in configuration flexibility and feature set. For example, Application Layer Gateway (ALG) functionality is not supported on MX firewalls, which can affect VoIP support. See the following URL for details.
The base license includes the stateful firewall and Auto VPN features. The advanced security services license unlocks IPS, Advanced Malware Protection and Content Filtering.
Meraki MX firewalls for small branches include the following models:
- MX64, MX64W
- MX65, MX65W (similar to MX64, but with extra ports)
- MX67, MX67W, MX67C
- MX68, MX68W, MX68CW (similar to MX67, but with extra ports)
W in the model number indicates wireless support and C indicates built-in 3G/4G. All models support 3G/4G USB modems for failover connectivity.
Medium branch:
- MX84
- MX100
Large branch/campus:
- MX250
- MX450
Public cloud support is available with vMX, which can be deployed on AWS and Azure to provide VPN concentrator functionality.
Model | Stateful Firewall Mbps | VPN Throughput Mbps | Recommended number of users |
---|---|---|---|
MX64, MX64W, MX65, MX65W | 250 | 100 | 50 |
MX67, MX67W, MX67C, MX68, MX68W, MX68CW | 450 | 200 | 50 |
MX84 | 500 | 250 | 200 |
MX100 | 750 | 500 | 500 |
MX250 | 4,000 | 1,000 | 2,000 |
MX450 | 6,000 | 2,000 | 10,000 |
vMX100 | 500 | 500 | N/A |