Overview:
Business resiliency is job one for network operations teams. And business resiliency requires security. Your network isn’t really up – your IT environment isn’t delivering customer value – if you’re fighting a pervasive breach. But when it comes to next-generation firewalls (NGFWs), organizations are often forced to choose between security and network throughput performance.
The Cisco Firepower NGFW (next-generation firewall) is the industry’s first fully integrated, threat-focused next-gen firewall with unified management. It uniquely provides advanced threat protection before, during, and after attacks.
The Cisco Firepower 2100 Series NGFW appliances deliver business resiliency through superior threat defense. They provide sustained network performance when threat inspection features are activated to keep your business running securely. And they are now simpler to manage for improved IT efficiency and a lower total cost of ownership.
The Firepower 2100 Series NGFW sustains its throughput performance as threat services are added. They do this by uniquely incorporating an innovative dual multi-core CPU architecture that optimizes firewall, cryptographic, and threat inspection functions simultaneously. They won’t become a network bottleneck or lose effectiveness like competitors when threat inspection is turned on. Now, achieving security doesn’t come at the expense of network performance.
And when it comes to management, Cisco Firepower NGFW is now even less time consuming to set up and less costly to manage. You have choices of local, centralized, and cloud based managers that fit your environment and the way you work.
The Cisco Firepower 2100 Series appliances can be deployed either as a Next-Generation Firewall (NGFW) or as a Next-Generation IPS (NGIPS). They are perfect for the Internet edge and all the way in to the data center. Four new models are available.
- The Firepower 2110 and 2120 models offer 1.9 and 3 Gbps of firewall throughput, respectively. They provide increased port density and can provide up to sixteen (16) 1 Gbps ports in a 1 rack unit (RU) form factor.
- The Firepower 2130 and 2140 models provide 5 and 8.5 Gbps of firewall throughput, respectively. These models differ from the others in that they can be customized through the use of network modules, or NetMods. They can provide up to twenty-four (24) 1 Gbps ports in a 1 RU appliance, or to provide up to twelve (12) 10 Gbps ports.
- Firepower 2100 NGFWs uniquely provide sustained performance when supporting threat functions, such as IPS. This is done using an innovative dual multi-core architecture. Layer 2 and 3 functionality is processed on one NPU (Network Processing Unit). Threat inspection and other services are processed on a separate multi-core x86 CPU. By splitting the workload, we eliminate the performance degradation that you see with competing solutions when turning on threat inspection.
Benefits
- Ensure business resiliency through superior security with sustained performance
- Eliminate the performance costs of activating IPS
- Get twice the port density and performance vs. similarly priced competition
- Go from connection to protection in 5 minutes with low touch provisioning
- Save on power and space costs with a 1RU form factor
Features:
- Stop more threats
Contain known and unknown malware with leading Cisco Advanced Malware Protection (AMP) and sandboxing.
- Gain more insight
Gain superior visibility into your environment with Cisco Firepower next-gen IPS.
Automated risk rankings and impact flags identify priorities for your team.
- Detect earlier, act faster
The Cisco Annual Security Report identifies a 100-day median time from infection to detection, across enterprises. Reduce this time to less than a day.
- Reduce complexity
Get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.
- Get more from your network
Enhance security, and take advantage of your existing investments, with optional integration of other Cisco and third-party networking and security solutions.
Threat-focused NGFW
Improve business resiliency and maintain performance with superior threat defense. Apply granular application control. Protect against malware. Shrink time to detection and remediation. Reduce complexity with the on-device management interface.
Optimized performance and port density
Firewall throughput speeds from 2 Gbps to 8.5 Gbps. Support for sixteen (16) 1 GE ports on the low-end models. The high-end models support up to twenty-four (24) 1 GE ports or up to twelve (12) 10 GE ports. All in a 1RU form factor.
Innovative architecture
With its unique dual-CPU, multicore architecture, the 2100 maintains throughput performance when threat inspection is activated by routing different workloads to different chips. And enabling the threat protection features does not affect the firewall throughput.
Integration adds value
Further strengthen your defenses. Share intelligence, context, and policy controls by integration with third-party and other Cisco security solutions. Enable automatic device quarantining and rapid threat containment with Cisco ISE.
Management to meet your needs
Cisco Firepower NGFW is now even less time-consuming to configure and less costly to manage. You can choose from local, centralized, and cloud-based managers that fit your environment and the way you work.
Platform Image Support
The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional Next-Gen IPS (NGIPS), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 2100 Series appliances use the Cisco Firepower Threat Defense software image. Alternatively, Cisco Firepower 2100 Series appliances can support the Cisco Adaptive Security Appliance (ASA) software image.
Management Options
Cisco Firepower NGFWs may be managed in a variety of ways depending on the way you work, your environment, and your needs.
The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco Firepower NGFW, the Cisco Firepower NGIPS, and Cisco AMP for Networks. It also provides threat correlation for network sensors and Advanced Malware Protection (AMP) for Endpoints.
The Cisco Firepower Device Manager is available for local management of 2100 Series and select 5500-X Series devices running the Cisco Firepower Threat Defense software image.
The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 2100 Series, 4100 Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.
Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across Cisco security devices running the ASA software image, enabling greater management efficiency for the distributed enterprise.
Firepower DDoS Mitigation
The Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that optimizes firewall, cryptographic, and threat inspection functions simultaneously. The series’ firewall throughput range addresses use cases from the Internet edge to the data center.
Cisco Firepower NGFW Virtual (NGFWv) Appliances
Cisco Firepower NGFWv is available on VMware, KVM, and the Amazon Web Services (AWS) and Microsoft Azure environments for virtual, public, private, and hybrid cloud environments. Organizations employing SDN can rapidly provision and orchestrate flexible network protection with Firepower NGFWv. As well, organizations using NFV can further lower costs utilizing Firepower NGFWv.
Cisco Trust Anchor Technologies
Cisco Trust Anchor Technologies provide a highly secure foundation for certain Cisco products. They enable hardware and software authenticity assurance for supply chain trust and strong mitigation against a man-in-the-middle compromise of software and firmware.
Trust Anchor capabilities include:
- Image signing: Cryptographically signed images provide assurance that the firmware, BIOS, and other software are authentic and unmodified. As the system boots, the system’s software signatures are checked for integrity.
- Secure Boot: Secure Boot anchors the boot sequence chain of trust to immutable hardware, mitigating threats against a system’s foundational state and the software that is to be loaded, regardless of a user’s privilege level. It provides layered protection against the persistence of illicitly modified firmware.
- Trust Anchor module: A tamper-resistant, strong-cryptographic, single-chip solution provides hardware authenticity assurance to uniquely identify the product so that its origin can be confirmed to Cisco, providing assurance that the product is genuine.
Technical Specifications:
Cisco Firepower 2100 Series |
Throughput: FW + AVC |
2.0 Gbps |
3 Gbps |
4.75 Gbps |
8.5 Gbps |
Throughput: AVC + IPS |
2.0 Gbps |
3 Gbps |
4.75 Gbps |
8.5 Gbps |
Maximum concurrent sessions, with AVC |
1 million |
1.2 million |
2 million |
3.0 million |
Maximum new connections per second, with AVC |
12,000 |
16,000 |
24,000 |
40,000 |
IPSec VPN Throughput (1024B TCP w/Fastpath) |
750 Mbps |
1 Gbps |
1.5 Gbps |
3 Gbps |
Maximum VPN Peers |
1500 |
3500 |
7500 |
10000 |
Cisco Firepower Device Manager (local management) |
Yes |
Yes |
Yes |
Yes |
Centralized management |
Centralized configuration, logging, monitoring, and reporting are performed by the Management Center or alternatively in the cloud with Cisco Defense Orchestrator |
Application Visibility and Control (AVC) |
Standard, supporting more than 4000 applications, as well as geolocations, users, and websites |
AVC: OpenAppID support for custom, open source, application detectors |
Standard |
Cisco Security Intelligence |
Standard, with IP, URL, and DNS threat intelligence |
Cisco Firepower NGIPS |
Available; can passively detect endpoints and infrastructure for threat correlation and Indicators of Compromise (IoC) intelligence |
Cisco AMP for Networks |
Available; enables detection, blocking, tracking, analysis, and containment of targeted and persistent malware, addressing the attack continuum both during and after attacks. Integrated threat correlation with Cisco AMP for Endpoints is also optionally available |
Cisco AMP Threat Grid sandboxing |
Available |
URL Filtering: number of categories |
More than 80 |
URL Filtering: number of URLs categorized |
More than 280 million |
Automated threat feed and IPS signature updates |
Yes: class-leading Collective Security Intelligence (CSI) from the Cisco Talos Group |
Third-party and open-source ecosystem |
Open API for integrations with third-party products; Snort and OpenAppID community resources for new and specific threats |
High availability and clustering |
Active/standby; for Cisco Firepower 9300 intrachassis clustering of up to 5 chassis is allowed; Cisco Firepower 4100 Series allows clustering of up to 6 chassis |
VLANs maximum |
1024 |
Cisco Trust Anchor Technologies |
ASA 5506-X, 5508-X, and 5516-X appliances, Firepower 2100 Series and Firepower 4100 Series and 9300 platforms include Trust Anchor Technologies for supply chain and software image assurance. Please see the section below for additional details |
Stateful inspection firewall throughput1 |
3 Gbps |
6 Gbps |
10 Gbps |
20 Gbps |
Stateful inspection firewall throughput (multiprotocol)2 |
1.5 Gbps |
3 Gbps |
5 Gbps |
10 Gbps |
Concurrent firewall connections |
1 million |
1.5 million |
2 million |
3 million |
Firewall latency (UDP 64B microseconds) |
- |
- |
- |
- |
New connections per second |
18000 |
28000 |
40000 |
75000 |
IPsec VPN throughput (450B UDP L2L test) |
500 Mbps |
700 Mbps |
1 Gbps |
2 Gbps |
IPsec/Cisco Secure Client (including AnyConnect)/Apex site-to-site VPN peers |
1500 |
3500 |
7500 |
10000 |
Maximum number of VLANs |
400 |
600 |
750 |
1024 |
Security contexts (included; maximum) |
2; 25 |
2; 25 |
2; 30 |
2; 40 |
High availability |
Active/active and active/standby |
Clustering |
- |
Scalability |
VPN Load Balancing |
Centralized management |
Centralized Management (CSM) not currently supported for 2100 series |
Adaptive Security Device Manager |
Web-based, local management for small-scale deployments |
Dimensions (H x W x D) |
1.73 x 16.90 x 19.76 in. (4.4 x 42.9 x 50.2 cm) |
Form factor (rack units) |
1RU |
1RU |
1RU |
1RU |
Security module slots |
- |
- |
- |
- |
I/O module slots |
0 |
0 |
1 NM slot |
1 NM slot |
Integrated I/O |
12 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 4 x 1 Gigabit (SFP) Ethernet interfaces |
12 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 4 x 10 Gigabit (SFP+) Ethernet interfaces |
Network modules |
None |
(FPR-NM-8X10G) 8 x 10 Gigabit Ethernet Enhanced Small Form-Factor Pluggable (SFP+) network module* |
Maximum number of interfaces |
Up to 16 total Ethernet ports
(12x1G RJ-45, 4x1G SFP) |
Up to 24 total Ethernet ports (12x1G RJ-45, 4x10G SFP+, and network module with 8x10G SFP+) |
Integrated network management ports |
1 x 10M/100M/1GBASE-T Ethernet port (RJ-45) |
Serial port |
1 x RJ-45 console |
USB |
1 x USB 2.0 Type-A (500mA) |
Storage |
1x 100 GB, 1x spare slot (for MSP) |
1x 100 GB, 1x spare slot (for MSP) |
1x 200 GB, 1x spare slot (for MSP) |
1x 200 GB, 1x spare slot (for MSP) |
Fans |
4 integrated (2 internal, 2 exhaust) fans4 |
1 hot-swappable fan module (with 4 fans)4 |
Noise |
56 dBA @ 25C
74 dBA at highest system performance. |
56 dBA @ 25C
77 dBA at highest system performance. |
Rack mountable |
Yes. Fixed mount brackets included
(2-post). Mount rails optional (4-post EIA-310-D rack) |
Yes. Mount rails included (4-post EIA-310-D rack) |
Weight |
16.1 lb (7.3 kg): with 2x SSDs |
16.1 lb (7.3 kg): with 2x SSDs |
19.4 lb (8.8 kg) 1 x power supplies, 1 x NM, 1 x fan module, 2x SSDs |
21 lb (9.53 kg) 2 x power supplies, 1 x NM, 1 x fan module, 2x SSDs |
Temperature: operating |
32 to 104°F (0 to 40°C) |
32 to 104°F (0 to 40°C) |
32 to 104°F (0 to 40°C) or NEBS operation (see below)5 |
32 to 104°F (0 to 40°C) |
Temperature: nonoperating |
-4 to 149°F (-20 to 65°C) |
Humidity: operating |
10 to 85% noncondensing |
Humidity: nonoperating |
5 to 95% noncondensing |
Altitude: operating |
10,000 ft (max) |
10,000 ft (max) |
10,000 ft (max) or NEBS operation (see below)5 |
10,000 ft (max) |
Altitude: nonoperating |
40,000 ft (max) |
40,000 ft (max) |
40,000 ft (max) |
40,000 ft (max) |
NEBS operation (FPR-2130 Only)5 |
Operating altitude: 0 to 13,000 ft (3962 m)
Operating temperature:
Long term: 0 to 45°C, up to 6,000 ft (1829 m)
Long term: 0 to 35°C, 6,000 to 13,000 ft (1829 to 3964 m)
Short term: -5 to 55°C, up to 6,000 ft (1829 m) |
Configuration |
Single integrated 250W AC power supply. |
Single integrated 250W AC power supply. |
Single 400W AC, Dual 400W AC optional. Single/Dual 350W DC optional3 |
Dual 400W AC. Single/dual 350W DC optional3 |
AC input voltage |
100 to 240V AC |
100 to 240V AC |
100 to 240V AC |
100 to 240V AC |
AC maximum input current |
< 2.7A at 100V |
< 2.7A at 100V |
< 6A at 100V |
< 6A at 100V |
AC maximum output power |
250W |
250W |
400W |
400W |
AC frequency |
50 to 60 Hz |
50 to 60 Hz |
50 to 60 Hz |
50 to 60 Hz |
AC efficiency |
>88% at 50% load |
>88% at 50% load |
>89% at 50% load |
>89% at 50% load |
DC input voltage |
- |
- |
-48V to -60VDC |
-48V to -60VDC |
DC maximum input current |
- |
- |
< 12.5A at -48V |
< 12.5A at -48V |
DC maximum output power |
- |
- |
350W |
350W |
DC efficiency |
- |
- |
>88% at 50% load |
>88% at 50% load |
Redundancy |
None |
None |
1+1 AC or DC with dual supplies |
1+1 AC or DC with dual supplies |
*Note: The 2100 Series appliances may also be deployed as dedicated threat sensors with fail-to-wire network modules. Please contact your Cisco representative for details.
1 Throughput measured with User Datagram Protocol (UDP) traffic measured under ideal test conditions.
2 “Multiprotocol” refers to a traffic profile consisting primarily of TCP-based protocols and applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3 Dual power supplies are hot-swappable.
4 Fans operate in a 3+1 redundant configuration where the system will continue to function with only 3 operational fans. The 3 remaining fans will run at full speed.
5 FPR-2130 platform is designed to be NEBS ready. The availability of NEBS certification is pending.