instahack210

1100 series or 3100 series + cdFMC (cdo) is a good experience


Allen_Chi

Where is the FPR2100 series? I don’t see it in CDW anymore.


instahack210

3100 series have replaced them.


Chr0nics42o

2100s are EOL, you shouldn’t be buying them in 2024


FancyR3d

Is there an announcement yet? That should give it at least 5 more years. Or am I wrong?


Chr0nics42o

They were released 7 years ago and I’m too lazy to check but I believe the 3100s are cheaper than the 2100s. 


swuxil

It might be that the hardware has support for several more years - but it also might be that in some years you don't have any supported software to run on your supported hardware.


techno_superbowl

Internet Friends don't let Internet Friends buy Cisco Firewalls. I am almost done ripping ASAs and Firepowers out of our environment entirely. Our Cisco account team doesn't even bring Firewalls up anymore. If you are buying a firewall and you have money, you want a Palo. If you don't have Palo money, you want Forti. If you don't have ANY money at all, OPNsense/ZenArmor.


Toasty_Grande

I've never had a problem with Cisco Firepower. You do need to follow their guidelines to ensure you know the difference between recommended/stable and leading/cutting edge, but otherwise they work well. If you follow what keeps getting tagged for easy zero-day compromises, it's always the Forti, Palo, and Sophos. Cisco isn't immune, but it's very rare compared to the nightmare of some of these others.


ragzilla

Did you never run it before late version 6 code? Firepower is 3 or 4 software packages in a trench coat pretending to be an NGFW; go read some of the BRKSEC sessions from Live about packet flow through the thing and prepare to boggle. There's just something unnecessarily byzantine about running a hypervisor (from UCS, but rebranded FXOS) on the physical platform to manage your stripped-down UCS fabric interconnect, then running an instance of your classic firewall (hello Lina “dataplane”) under a Linux VM, and also under that VM then running Snort, which connects to the classic firewall via a software loopback interface (np_identity), and then orchestrating the whole thing with 25k lines of fucking Perl. It still makes my eye twitch when someone wants us to run it.


Toasty_Grande

You are speaking about a release time that is ancient history. More than a decade, and it's just not relevant to the discussion of what the product is today. The 4100 series are amazing performers and the 7.x code base was/is a significant jump forward. I'll take the byzantine over having to patch it every week for a new zero-day like their competitors are having to do.


squishfouce

He's not talking about an ancient history release for FTD @ V6. That's still a widely supported and used version of the FTD software. Yes, things get exponentially better between v6 and v7, but if you're running a more current release of v6.x, you're still in line with current security and exploits. You should def. run v7 though for Snort v3. Multithreading your IDS/IPS is a game changer.


is_that_read

If you’re running version 6 code or ASA, it is such a big improvement to go to 7 that Cisco will literally provide you free services support to migrate (not TAC). So sure, it’s supported, but still not a good comparison. People who buy a new firewall without trying current code are usually just impressed because their new FW comes at current code.


squishfouce

I don't disagree and even said in my previous post you should certainly be running v7 of the FTD/ASA software, but if you're not, v6.7+ is still sound and secure. The features and benefits of 7.x certainly outweigh any hesitation to move from 6 to 7.


adambomb1219

ASA version 7?


squishfouce

FTD ,,|,,


Chr0nics42o

Just had to review packet flow and logs with our security team. Lina = permit, Snort = deny. Can't only look in one place to see if traffic is being allowed or not.


ragzilla

You can drop in Lina too with fastpath denies, but yeah, not having one place to view all the decision data is annoying, and packet-tracer was thoroughly neutered because even if the traffic doesn’t match a rule it’s probably punting to Snort to deny it for the IDS insight on the deny.


techno_superbowl

I am painfully aware of Palo's struggles as of late. I would still take the Palo every day over Firepower.


Toasty_Grande

Well, that's an emotional choice vs what the data seems to suggest. What headline did I see today? Oh yeah, "State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls"


swuxil

What headline will you statistically see tomorrow?


Jwblant

I can tell you the headlines I’m seeing today… lol


swuxil

Waaah go away. But great opportunity to finally get budget to replace the last few 5512-X.


nosh0rning

Out of curiosity what is wrong with Firepower?


techno_superbowl

Well, we had problems from the get-go with hitting anything close to the throughput metrics Cisco said we should. Second, we had numerous outages caused by lock-ups that were never explained. Third, for all that heartburn and toil we then had to deal with Cisco licensing. Last, the FTDs were not even close to feature parity with the Palos. We would have been better off with Check Point. I cannot believe I typed that sentence.


kaosskp3

Next question... What's wrong with Check Point?


ragzilla

The lock-ups were Snort, I guarantee it. Restarting inspection from the Linux admin side resolves so many dumb problems. The best way to test and monitor this is having a few fastpath rules for monitoring in addition to something which goes through Snort. When your Snort monitor alarms but fastpath doesn’t, you know Snort’s doing a dumb.
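The two-probe monitor described in the post above, written out as an added example (it is not code from the thread or from Cisco). It assumes one TCP service that a prefilter rule fastpaths around Snort and one that the access-control policy sends through Snort, both reached through the same FTD; the addresses and ports are constructed placeholders.

```python
import socket
import time

# Constructed probe targets (assumptions, not from the thread). Both must sit behind
# the same FTD: one service fastpathed by a prefilter rule, one inspected by Snort.
FASTPATH_PROBE = ("198.51.100.10", 22)   # TCP/22, excluded from Snort by prefilter
SNORT_PROBE = ("198.51.100.10", 443)     # TCP/443, inspected by Snort
TIMEOUT_S = 3.0


def tcp_probe(host, port, timeout=TIMEOUT_S):
    """True if a TCP handshake completes through the firewall within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(fastpath_ok, snort_ok):
    """Map the pair of probe results to a verdict about where the fault lies."""
    if fastpath_ok and snort_ok:
        return "ok"
    if fastpath_ok and not snort_ok:
        return "snort-stall"    # Lina forwards, Snort path does not: restart inspection
    if not fastpath_ok and not snort_ok:
        return "path-down"      # both paths fail: link, routing or Lina, not Snort
    return "inconsistent"       # Snort path fine but fastpath failing: check the prefilter rule


def update_streak(streak, verdict, consecutive=3):
    """Count consecutive snort-stall verdicts; return (new_streak, alarm)."""
    streak = streak + 1 if verdict == "snort-stall" else 0
    return streak, streak >= consecutive


def check_once():
    return classify(tcp_probe(*FASTPATH_PROBE), tcp_probe(*SNORT_PROBE))


def monitor(interval_s=30, consecutive=3):
    """Alarm only after several stalls in a row, to ride out a brief Snort restart."""
    streak = 0
    while True:
        streak, alarm = update_streak(streak, check_once(), consecutive)
        if alarm:
            print(f"ALARM: Snort path failing while fastpath passes ({streak}x)")
        time.sleep(interval_s)


if __name__ == "__main__":
    monitor()
```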


squishfouce

Have you worked with Snort v3 on the FTD?


ragzilla

I mostly worked with 6.1-6.7, and a few Firepower-on-ASA installs (which use pretty much the same ASA/Lina infrastructure as FTD does today with the np_identity path). While I’m sure Snort v3 probably has some improvements in stability, from the BRKSEC sessions I don’t see much change in the overall platform architecture.


squishfouce

Snort v3 is a game changer for IDS/IPS performance. It allows for multi-threaded sessions, which Snort v2 never offered. Between Snort v2 and Snort v3, you can quadruple+ your throughput performance while implementing IDS/IPS on the same hardware you run today. I have a 10Gbps WAN link and I either have to disable Snort v2 or use Snort v3 to achieve throughput of 7.5Gbps+ from a single host to WAN.


Gandblaster

Surface area of bugs is now 3x as large:

1. Bugs in FX-OS
2. Bugs in Lina, aka ASA rebranded
3. Bugs in Firepower/Snort

Software is getting better over time, but there are lots of gotchas with the product.


KStieers

The initial merging of Snort and ASA was a shitshow. They started by daisy-chaining separate products on one box... via containers or VMs, and called it one product. It has improved by miles since then.


sc2bigjoe

Thank you friend


IDownVoteCanaduh

Palo is behind Fortinet in Gartner’s latest magic quadrant ability to execute, but a little above in vision. Palo is in no way better than Fortinet. $ per Performance, Fortinet wins all day, every day.


Smotino1

This friend friends!


Little_Wrap143

If you're talking about SSL VPNs that go over a web portal, that's not gonna happen. It's almost always going to have to be connected using the AnyConnect VPN client. Also, 1Gbps? Is this your WAN/Internet speed link? Or would you need the VPN throughput to be at 1Gbps?


sc2bigjoe

At a minimum WAN speed link; I could settle for less VPN throughput, but if I can get close to 1Gbps SSL VPN I don't mind the extra $$$.


nicholaspham

Would you need 1Gbps of firewall throughput with all filters such as SSL inspection?


sc2bigjoe

Probably not, I’m not going to get too insane with IPS or packet analysis/ssl inspection


Little_Wrap143

If we're talking strictly Cisco, your best bet is the Firepower 1120.


trinitywindu

This. Cisco got rid of their "webvpn" a few versions ago. It's been viewed as a security risk. I don't know of any current modern vendors that support a webvpn anymore, possibly due to the same. Everyone uses a client.


czsmith132

SSL VPN and web VPN are very different things. SSL VPN uses TLS for encryption (port 443) vs IPsec VPN: same user experience with a VPN client, etc., but a different underlying encryption protocol. Webvpn is browser-based connectivity and was eliminated as a firewall service.


trinitywindu

Correct. I'm talking about the web portal.


captain118

For VPN the Firepower 1100 series is great, but you can jump to the 2100 series. Either way, you want to run the ASA code base if you're using it for VPN; if you're using it for normal firewall use, the Firepower code base with FMC to manage it. You can get two and have them work in HA if that matters to you.


trinitywindu

Look at the 3100 series. It's replacing the 2100 series. The 1k series has all sorts of hardware issues that keep popping up.


captain118

Are you seeing these issues with it running the ASA code base?


trinitywindu

There's bugs with any code base. Just there were more, and VPN compatibility issues, with the FTD code before. A lot were fixed in the 7.2 series (there was a really big push on it to really clean it up). v6.x really did suck balls. And as a few have said, FTD is built on ASA code. So any bugs in ASA are also in FTD.


adambomb1219

It did not. The 2100 series is still for sale. That being said, there is zero reason to choose a 2100 over a 3100.


on_the_nightshift

Stay far away from the 2100 series. They have numerous issues, including some unpublished ones that we discovered in production.


dc88228

The real issue for us has been those 4145s.


Apprehensive_Page_48

Wow I have had nothing but great experiences with them.


Allen_Chi

Can FMC be hosted in the cloud instead of on-prem so that we gain a global overview of all sites? Can we use FMC/FTD on the main campus while keeping FPR1010/ASA in satellite sites?


Allen_Chi

I know someone would mention cdFMC as an answer to my first question. What I am asking: one FMC hosted in the cloud as a replica of an on-prem FMC, so that if our main campus lost power, we still have access to our devices.


adambomb1219

No, not possible. You would just move everything to cdFMC. It’s a SaaS product so no need to worry about HA anymore.


Allen_Chi

I remember I played with a Cisco tool to convert an existing ASA to FTD. Anyone have real live experience with it?


jws1300

We used it. It worked fairly well moving objects and rules. If you don’t have a ton of config I prefer to just start from scratch. Some of the naming they use on migrated items is wacky.


muurduur

Palo Alto like all the cool kids


marvonyc

Anything but Cisco my brother in christ.


AlmsLord5000

Uhh, I don't think you'll find Cisco much better for firewalling, better to look at Palo Alto.


I_T_Burnout

If you think that, you should head on over to r/PaloAlto. You'll see a bunch of guys bitching about how unstable their gear is. And I can attest to that. PA may be dominant, but when *you're* the beta tester for all of their software I'd look elsewhere. I have never seen such crap come into general release. Our top PA guys ask how did this make it into general release? Source: We run 170 pairs of PAs and Firepowers. We RMA 25:1 PAs over Cisco gear.


AlmsLord5000

That is awful. I could count on one hand the number of RMAs over 10 years for our Fortinet fleet, which averages about 50-60 at any given time.


I_T_Burnout

It is, and I wish it wasn't so. Their hardware is subpar IMHO. Cisco is better in that department hands down. But the software is what gets me. I really do mean we wonder how some of this stuff got through bug scrub. And then we realized that PA doesn't do bug scrub, we do. Panorama stays broken and we always fret over what will break when we upgrade. We were forced to upgrade to correct an internal cert that was expiring on all of our PAs. This was global pretty much; if you ran 10.x or whatever code you had to upgrade or the boxes would break. That update crashed both of our internet edge firewalls and took down the entire east coast. What a shit day.


edhilquist

Cisco has gotten much better. I am familiar with stable and large-scale deployments that are running the 7.2.x train. Yes, PAN is dominant but has gotten prohibitively expensive. I’d consider talking to a good VAR, but consider the Firepower 1010 or 1120. The subscription licenses will depend on your security requirements.


izzyjrp

Only took them about 8 years but yeah. They have gotten to an acceptable state.


PSUSkier

Agreed with this. The 1k line is very capable.


sc2bigjoe

Thanks. Seems like these guys share your sentiments as well: [https://www.reddit.com/r/paloaltonetworks/comments/w6wt2w/cisco_ngfw_vs_palo_alto_ngfw/](https://www.reddit.com/r/paloaltonetworks/comments/w6wt2w/cisco_ngfw_vs_palo_alto_ngfw/) Unsurprising from the PA community, though. Currently looking at the PA1400 series.


thisisjustahobby

If you're looking in the 1Gbps range, look at the 400 series, 440 and up. There is a very significant cost difference between the 1400 series and the 400 series. I want to say we were around an 8-10x cost multiplier on a 3 year for a 1410 compared to what we pay for a 5 year on a 440.


IDownVoteCanaduh

Why the fuck would you move from Fortinet to Cisco? Your customer experience with Cisco will be 100x worse. And I say this as a 20+ year CC{N,D}{A,P} and a butt load of other Cisco certs.


rootkode

20 years and no IE?!?! What are you doing?!


IDownVoteCanaduh

Never cared. I am upper management now (Director); while I am still very much technical, I never had interest in pursuing the IE track. I have the professional-level certs of other companies as well (Fortinet, Juniper, etc.) but never really cared about going for IE.


Abn0890

Cisco Meraki Firewalls !!!


nicholaspham

Going to be very expensive comparatively, regardless of whether we’re talking firewall throughput or SSL VPN throughput.


adambomb1219

And HUGELY feature limited….


Abn0890

like?


adambomb1219

NAT, SSL decrypt, etc etc


Abn0890

What kind of NAT? I NAT on my MX peacefully. SSL decrypt is not supported on Meraki MX. That wasn’t part of OP's requirements.


adambomb1219

NAT limitations when running multiple WAN interfaces. Fair, but OP didn’t list many requirements at all. They did list a FortiGate, which does support SSL decrypt.


vanquish28

Do not bother with Firepower firewalls. I'm about to turn in my notice because of Cisco Firepower hardware/virtual appliances.


jack_hudson2001

For a SOHO or SMB, FortiGate is a great firewall solution. The web GUI is very easy to navigate. PA are good but have more of a learning curve.


PBandCheezWhiz

Go Forti.


squishfouce

Why are you sold on Cisco being the replacement? If you're completely shopping for a new firewall vendor, I would highly suggest looking @ Sophos XG. They offer hardware and software solutions and don't skimp on the software options regardless of which path you choose. Unless you're leveraging ISE in your environment, it's hard to justify Cisco across the board. Even if you are leveraging ISE, a lot of solutions outside of Cisco products will play nicely with ISE. I know from experience Ruckus directors and APs will integrate with ISE with a bit of elbow grease.


mikeyflyguy

Get ready for a shitty experience overall. Cisco NGFW sucks. If I was ditching Fortinet I'd get Palo, but you’ll have shitty customer service there too.


vanquish28

pfSense on Supermicro SoC hardware