I am about to take you on a tour of the last few generations of Cisco firewall and their architecture to give insight in why the Firepower 2100 is not at all like the Firepower 4100 and not like a ASA5516-X either.
- Cisco Firepower 2100 Configuration Guide
- Cisco Firepower 2100 Series User Manual Pdf
- Cisco Firepower 2100 Series User Manual Free
- Cisco Firepower 2100 Installation Guide
- Cisco Firepower 2100 Series User Manual Online
- Cisco Firepower 2100 Series Hardware Installation Guide
- Cisco Firepower 2100 Series User Manuals Pdf
The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 2100. Series, 4100 Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image. Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across. Cisco Firepower 2100 Series Appliances. USB cable, User manual Wishlist. This product is already in quote request list.
First, I would like to make a note of the lack of presenting the architecture of the ASA5505 and ASA5585-X even though they are still being used today. This is because they differ too much from the architectural evolution of Cisco firewalls and will not help with understanding why Cisco is choosing this specific path for the Firepower 2100 series.
I will start from the top down, with the best performing firewalls continuing to the least performing firewalls and why Cisco is replacing these.
High end architecture - Firepower 9300
A couple of years ago Cisco released a new architectural platform going away from the well-known ASA platform. We were first introduced to Firepower 9300 and subsequently to the Firepower 4100, primarily focused at data center deployments. These models are born with supervisors to make them modular, like several other high-end Cisco platforms. I hope that it will be possible to upgrade the supervisor to enable the use of two single-width 2x 100Gbit network modules (NM) in the 9300, or even to enable the use of future security modules requiring more than two 40Gbit links to the internal switch fabric. I am hoping for these theoretical wishes to come true.
Looking at the block diagram of the 9300 above you see that the supervisor has its own CPU and RAM for controlling the operating system (FX-OS), which is used to deploy Firepower Threat Defense or ASA software to a security module and manage the network interfaces.
Downscaling great architecture - Firepower 4100
Cisco Firepower 2100 Configuration Guide
Firepower 4100 came to be due to the exorbitant cost of the 9300 series. The one thing not supported on the 4100 platform is the 100Gbit interfaces. There are 8x 10Gbit interfaces soldered in the chassis and it is possible to buy additional 1, 10 or 40Gbit interfaces in a network module. Fail-to-wire network modules is also a possibility on this platform.
As seen on the image above, the 4100 series only have one security module compared to the possible three security modules in the 9300, but the architecture is the same as in its older brother.
Legacy firewalling - ASA5512-X to ASA5555-X
This ASA platform is probably the most used today. The reason for this is the performance and modularity. It does support three different IPS engines and the possibility to add more 1Gbit interfaces on the higher end devices.
This block diagram above depicts the architecture of the ASA5512-X through ASA5555-X. The ASA5512-X and ASA5515-X have already been replaced with the newer ASA5508-X and ASA5516-X platform, and now the Firepower 2100 is supposed to relieve the ASA5525-X, ASA5545-X and ASA5555-X platforms of their duties.
Legacy upgrades - ASA5508-X and ASA5516-X
The replacing of the ASA5512-X and ASA5515-X was long overdue, but Cisco hit a soft spot with the customers with the ASA5508-X and ASA5516-X. The price-performance ratio was great for small customers and branches with the option to install Firepower Threat Defense for increased security.
Cisco Firepower 2100 Series User Manual Pdf
You should make a note of the placement of the NPU and compare it to the ASA5512-X to ASA5555-X platform. The NPU on this platform is doing most crypto tasks for IPSec and SSL VPN, just like the crypto engine used to do without the limitation of a system bus connecting the external NICs.
Finding the sweet spot – Firepower 2100
With Firepower 2100 being the youngest brother in the Firepower appliance series, Cisco took a step back towards the ASA X-series architecture. In this we have no supervisor in charge of the switching fabric or the networking interfaces. Everything is owned by the security module itself and this gives us an advantage in the direction of single box deployment management. On-box management is possible on the new Firepower 2100 series appliances but it is not possible on the 4100 nor the 9300 series. Under the hood of the operating system on the 2100 there is a small subset of the FXOS features needed to handle the interface configuration. The main difference (secret sauce) between the 5516-X architecture and the Firepower 2100 is that the NPU is not just used for crypto operations anymore. The new line also uses this NPU for layer 2 – 4 firewall operations and “fast path” traffic offloading. This is a great architectural step forward, but it is of course not as streamlined as the 4100 or 9300 series, where the Smart NIC is doing the traffic offloading and yet another NPU is handling the crypto operations. Personally, I like that every chip is made for specific problems, in opposite to one chip doing all kinds of tasks it was not optimized for.
As of Firepower Threat Defense 6.2 Active/Standby failover is possible on both the 2100, 4100 and 9300. Active/Active will be possible when the multi-context feature will be included in the FTD image. Clustering is unfortunately only supported on the 4100 and the 9300 appliances. Five 9300 chassis can be clustered with three security modules each, while sixteen 4100 appliances can be clustered.
The Firepower 2110 and 2120 appliances come with 12 x 1Gbit RJ-45 ports and 4 x 1Gbit SFP ports with no options to expand this. This is a great rip and replace option for the current owners of the ASA5525-X, ASA5545-X and ASA5555-X firewalls. If you need to upgrade the edge firewall to 10Gbit you will need to buy either the 2130 or 2140 appliances. The Firepower 2130 and 2140 also come with the same 12 x 1Gbit RJ-45 ports as the lower end Firepower 2100 models. Along with this there is 4 x 10Gbit SFP+ ports and the option to put a network module (NM) card to add an additional 8 x 10Gbit SFP+ ports. Fail-to-wire network modules will be available. I do not expect 40Gbit interfaces to be available for this platform.
The Firepower 2100 is a great next generation firewall. As I see it the popularity of this will depend on two things;
1. The price. If it is too expensive customers will find another firewall manufacturer and buy a cheaper model with the same specifications.
2. The feature set. If the features of the ASA software is not implemented in FTD in haste the customer is forced to keep buying ASA X series or, again, go to another manufacturer.
Learn more about the Firepower 2100 appliances at Cisco.com.
If you liked this post, please click 'Like' so that others can find it.
About:Dennis Perto is an enthusiastic security consultant who places great honour in genuinely humble consulting. He believes in serving the client with expert knowledge, and in not being afraid to admit when he is not the right expert anymore. He enjoys configuring Cisco Firepower for every special need.
Feel free to connect with me here on LinkedIn, and follow me on Twitter: @PertoDK
Besides Cisco ASA5500 series firewalls, we know there are also FirePOWER series, like FirePOWER 1000, FirePOWER 2100, FirePOWER 4100, etc. Unlike ASA5500 which is only one series, FirePOWER provide various sub series, what are their differences? Let’s compare.
Overview of FirePOWER 1000
Cisco Firepower 1000 Series is a family of three threat-focused Next-Generation Firewall (NGFW) security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. The 1000 Series’ throughput range addresses use cases from the small office, home office, remote branch office to the Internet edge. The 1000 Series platforms run Cisco Firepower Threat Defense (FTD).
Cisco Firepower 2100 Series User Manual Free
Cisco Firepower 1000 Series summary
| Model | NGFW | Next-Generation Intrusion Prevention System (NGIPS) | Interfaces |
| FPR-1010 | 650 Mbps | 650 Mbps | 8 x RJ45 |
| FPR-1120 | 1.5 Gbps | 1.5 Gbps | 8 x RJ45, 4 x SFP |
| FPR-1140 | 2.2 Gbps | 2.2 Gbps | 8 x RJ45, 4 x SFP |
Overview of FirePOWER 2100
Cisco Firepower 2100 Installation Guide
Cisco Firepower 2100 Series NGFW appliances deliver business resiliency through superior threat defense. They provide sustained network performance when threat inspection features are activated to keep your business running securely. And they are now simpler to manage for improved IT efficiency and a lower total cost of ownership.
Cisco Firepower 2100 series summary:
Cisco Firepower 2100 Series User Manual Online
| Model | Firewall | NGFW | NGIPS | Interfaces | Optional interfaces |
| FPR-2110 | 3G | 2.3G | 2.3G | 12 x RJ45, 4 x SFP | N/A |
| FPR-2120 | 6G | 3G | 3G | 12 x RJ45, 4 x SFP | N/A |
| FPR-2130 | 10G | 5G | 5G | 12 x RJ45, 4 x SFP+ | 10G SFP+, 1/10G FTW |
| FPR-2140 | 20G | 9G | 9G | 12 x RJ45, 4 x SFP+ | 10G SFP+, 1/10G FTW |
Overview of FirePOWER 4100
Stop more threats with our fully integrated next-generation firewall (NGFW) appliance. The 4100 Series’ 1-rack-unit size is ideal at the Internet edge and in high-performance environments. It shows you what’s happening on your network, detects attacks earlier so you can act faster, and reduces management complexity.
Cisco Firepower 4100 Series summary:
| Model | Firewall | NGFW | NGIPS | Interfaces | Optional Interfaces |
| FPR-4110 | 35G | 11G | 15G | 8 x SFP+ on-chassis | 2 x NM’s: 1/10/40G, FTW |
| FPR-4115(New) | 80G | 26G | 27G | 8 x SFP+ on-chassis | 2 x NMs: 1/10/40G, FTW |
| FPR-4120 | 60G | 19G | 27G | 8 x SFP+ on-chassis | 2 x NM’s: 1/10/40G, FTW |
| FPR-4125(New) | 80G | 35G | 41G | 8 x SFP+ on-chassis | 2 x NMs: 1/10/40G, FTW |
| FPR-4140 | 70G | 27G | 38G | 8 x SFP+ on-chassis | 2 x NM’s: 1/10/40G, FTW |
| FPR-4145(New) | 80G | 45G | 55G | 8 x SFP+ on-chassis | 2 x NMs: 1/10/40G, FTW |
| FPR-4150 | 75G | 39G | 52G | 8 x SFP+ on-chassis | 2 x NM’s: 1/10/40G, FTW |
Performance Comparison of Cisco FirePOWER Series
| Features | FirePOWER 1000 | FirePOWER 2100 | FirePOWER 4100 |
| Throughput: Firewall (FW) + Application Visibility and Control (AVC) (1024B) | 650 Mbps-2.2 Gbps | 2.3 Gbps-9 Gbps | 13 Gbps-45 Gbps |
| Throughput: FW + AVC + Intrusion Prevention System (IPS) (1024B) | 650 Mbps-2.2 Gbps | 2.3 Gbps-9 Gbps | 11 Gbps-39 Gbps |
| Maximum concurrent sessions, with AVC | 100K-400K | 1-3 million | 10-30 million |
| Maximum new connections per second, with AVC | 6K-22K | 14K-57K | 64K-263K |
| Transport Layer Security (TLS) | 150 Mbps-1 Gbps | 365 Mbps-1.4 Gbps | 4.5 Gbps-7.5 Gbps |
| Throughput: NGIPS (1024B) | 650 Mbps-2.2 Gbps | 2.3 Gbps-9 Gbps | 15 Gbps-52 Gbps |
| IPSec VPN throughput (1024B TCP w/Fastpath) | 300 Mbps-1.2 Gbps | 800 Mbps-3.2 Gbps | 6 Gbps-14 Gbps |
| Maximum VPN Peers | 75-400 | 1500-10000 | 10000-20000 |
| Cisco Firepower Device Manager (local management) | Yes | Yes | Yes |
Price Comparison of Cisco FirePOWER Series
Of course, the higher level, the more expensive. Here shares you the GPL.
Cisco Firepower 2100 Series Hardware Installation Guide
| Product | Description | List Price (USD) |
| FPR1140-NGFW-K9 | Cisco Firepower 1140 NGFW Appliance, 1U | $7,495.00 |
| FPR1120-NGFW-K9 | Cisco Firepower 1120 NGFW Appliance, 1U | $4,495.00 |
| FPR2110-NGFW-K9 | Cisco Firepower 2110 NGFW Appliance, 1U | $10,995.00 |
| FPR2130-NGFW-K9 | Cisco Firepower 2130 NGFW Appliance, 1U, 1 x NetMod Bay | $29,995.00 |
| FPR2120-NGFW-K9 | Cisco Firepower 2120 NGFW Appliance, 1U | $19,995.00 |
| FPR2140-NGFW-K9 | Cisco Firepower 2140 NGFW Appliance, 1U, 1 x NetMod Bay | $64,995.00 |
| FPR4140-NGFW-K9 | Cisco Firepower 4140 NGFW Appliance, 1U, 2 x NetMod Bays | $209,995.00 |
| FPR4120-NGFW-K9 | Cisco Firepower 4120 NGFW Appliance, 1U, 2 x NetMod Bays | $149,995.00 |
| FPR4110-NGFW-K9 | Cisco Firepower 4110 NGFW Appliance, 1U, 2 x NetMod Bays | $89,995.00 |
| FPR4115-NGFW-K9 | Cisco Firepower 4115 NGFW Appliance, 1U, 2 x NetMod Bays | $119,995.00 |
| FPR4125-NGFW-K9 | Cisco Firepower 4125 NGFW Appliance, 1U, 2 x NetMod Bays | $189,995.00 |
| FPR4150-NGFW-K9 | Cisco Firepower 4150 NGFW Appliance, 1U, 2 x NetMod Bays | $249,995.00 |
*Check More GPL at itprice.com.
Cisco Firepower 2100 Series User Manuals Pdf
If you have any questions, please leave your comments.
Learn More:
Info: