Network Wizkid

, , ,

Cisco Firewall Migration Paths

Published by

iwiizkiid

on

UpdateDate
Added additional migration options for some of the announced EoL devices.27/03/2024
Added additional migration options for organisations that want to skip the 2100 series.27/03/2024
Change Log

This article aims to highlight the possible migration paths from Cisco Firewalls that have been announced End of Life (EoL) to newer models.

Note

Although the 2100 series firewalls have not been announced EoL yet, some customers may choose to opt for the newer 3100 series firewalls. Therefore, we have included 3100 series firewall options where 2100s have been listed as a potential migration option.

Cost factors should also be considered.

Note

While we endeavour to keep this document updated as Cisco firewalls are announced EoL and newer devices are announced, we may not always have the latest information.

Furthermore, device migration paths may differ depending on your actual requirements and so we recommend that you always seek additional guidance where necessary.

If you feel as though any information is missing or inaccurate, please leave a comment and we will do our best to look into it.

Announced EoL Devices

Announced EoL Cisco Firewalls
Cisco ASA 5506
Cisco ASA 5508
Cisco ASA 5516
Cisco ASA 5525
Cisco ASA 5545
Cisco ASA 5555
Firepower 4110
Firepower 4120
Firepower 4140
Firepower 4150

The following selections ensure that each announced EoL device is matched with the closest available Firepower alternative, considering factors such as performance metrics, scalability, and compatibility.

Migration Options Summary

Announced EoL Cisco FirewallMigration Options
ASA 5506Firepower 1010/1010E
ASA 5508Firepower 1010/1010E
Firepower 1140
ASA 5516Firepower 2110
Firepower 2120
Firepower 1140
ASA 5525Firepower 2120
Firepower 1150
ASA 5545Firepower 2120
Firepower 2130
Firepower 3110
ASA 5555Firepower 2120
Firepower 2140
Firepower 3120
Firepower 4110Firepower 4125
Firepower 4120Firepower 4125
Firepower 4140Firepower 4125
Firepower 4150Firepower 4125
Migration Option Summary

Migration Options Detail

ASA 5506 Migration Options

Best Migration Option

MetricASA 5506Firepower 1010/1010EImprovementReason
Stateful Inspection Firewall Throughput750 Mbps2 Gbps+1.25 GbpsFirepower 1010/1010E offers higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)300 Mbps1.4 Gbps+1.1 GbpsFirepower 1010/1010E offers higher multiprotocol throughput
Concurrent Firewall Connections50,000100,000+50,000Firepower 1010/1010E supports more concurrent connections
New Connections per second5,00025,000+20,000Firepower 1010/1010E offers higher new connections per second
IPsec VPN Throughput100 Mbps500 Mbps+400 MbpsFirepower 1010/1010E offers higher VPN throughput
Maximum VPN Peers5075+25Firepower 1010/1010E supports more VPN peers
Best Migration Option for the ASA 5506

ASA 5508 Migration Options

Option One – Closest Match

MetricASA 5508Firepower 1010/1010EImprovementReason
Stateful Inspection Firewall Throughput1 Gbps2 Gbps+1 GbpsFirepower 1010 offers higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)400 Mbps1.4 Gbps+1 GbpsFirepower 1010 offers higher multiprotocol throughput
Concurrent Firewall Connections100,000100,000EqualBoth devices support the same number of concurrent connections
New Connections per second10,00025,000+15,000Firepower 1010 offers higher new connections per second
IPsec VPN Throughput250 Mbps500 Mbps+250 MbpsFirepower 1010 offers higher VPN throughput
Maximum VPN Peers25075-175Firepower 1010 supports fewer VPN peers
Best Migration Option for the ASA 5508 – Closest Matched

Option Two – All Metrics Improved

MetricASA 5508Firepower 1140ImprovementReason
Stateful Inspection Firewall Throughput1 Gbps6 Gbps+5 GbpsFirepower 1140 offers higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)400 Mbps3.5 Gbps+3.1 GbpsFirepower 1140 offers higher multiprotocol throughput
Concurrent Firewall Connections100,000400,000+300,000Firepower 1140 supports more concurrent connections
New Connections per second10,000100,000+90,000Firepower 1140 offers higher new connections per second
IPsec VPN Throughput250 Mbps1.2 Gbps+950 MbpsFirepower 1140 offers higher VPN throughput
Maximum VPN Peers250400+150Firepower 1140 supports more VPN peers
Best Migration Option for the ASA 5508 – All metrics improved

ASA 5516 Migration Options

Option One – Closest Match

MetricASA 5516Firepower 2110ImprovementReason
Stateful Inspection Firewall Throughput1.8 Gbps3 Gbps+1.2 GbpsFirepower 2110 offers an improvement in stateful inspection firewall throughput compared to ASA 5516.
Stateful Inspection Firewall Throughput (multiprotocol)900 Mbps1.5 Gbps+600 MbpsFirepower 2110 provides an improvement in multiprotocol throughput compared to ASA 5516.
Concurrent Firewall Connections250,0001 million+750,000Firepower 2110 offers a substantial increase in concurrent firewall connections compared to ASA 5516.
New Connections per Second20,00018,000-2,000Firepower 2110 provides a similar level of new connections per second compared to ASA 5516.
IPsec VPN Throughput250 Mbps500 Mbps+250 MbpsFirepower 2110 offers an improvement in IPsec VPN throughput compared to ASA 5516.
Maximum VPN Peers3001,500+1,200Firepower 2110 supports a significant increase in maximum VPN peers compared to ASA 5516.
Best Migration Option for the ASA 5516 – Closest Match

Option Two – All Metrics Improved

MetricASA 5516Firepower 2120ImprovementReason
Stateful Inspection Firewall Throughput1.8 Gbps6 Gbps+4.2 GbpsFirepower 2120 offers a significant improvement in stateful inspection firewall throughput compared to ASA 5516.
Stateful Inspection Firewall Throughput (multiprotocol)900 Mbps3 Gbps+2.1 GbpsFirepower 2120 provides a substantial improvement in multiprotocol throughput compared to ASA 5516.
Concurrent Firewall Connections250,0001.5 million+1.25 millionFirepower 2120 offers a substantial increase in concurrent firewall connections compared to ASA 5516.
New Connections per Second20,00028,000+8,000Firepower 2120 provides an improvement in new connections per second compared to ASA 5516.
IPsec VPN Throughput250 Mbps700 Mbps+450 MbpsFirepower 2120 offers an increase in IPsec VPN throughput compared to ASA 5516.
Maximum VPN Peers3003,500+3,200Firepower 2120 supports a significant increase in maximum VPN peers compared to ASA 5516.
Best Migration Option for the ASA 5516 – All metrics improved

Option Three – Non-2100 Series Firewall (All Metrics Improved)

MetricASA 5516Firepower 1140ImprovementReason
Stateful Inspection Firewall Throughput1.8 Gbps6 Gbps+4.2 GbpsFirepower 1140 offers higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)900 Mbps3.5 Gbps+2.6 GbpsFirepower 1140 offers higher throughput
Concurrent Firewall Connections250,000400,000+150,000Firepower 1140 supports more concurrent connections
New Connections per second20,000100,000+80,000Firepower 1140 offers higher new connections per second
IPsec VPN Throughput250 Mbps1.2 Gbps+950 MbpsFirepower 1140 offers higher VPN throughput
VPN Peers300400+100Firepower 1140 supports more VPN peers
Best Migration Option for the ASA 5516 – Non-2100 Series Option

ASA 5525 Migration Options

Option One – Closest Match

MetricASA 5525Firepower 2120ImprovementReason
Stateful Inspection Firewall Throughput2 Gbps6 Gbps+4 GbpsFirepower 2120 offers a significant improvement in stateful inspection firewall throughput compared to ASA 5525.
Stateful Inspection Firewall Throughput (multiprotocol)1 Gbps3 Gbps+2 GbpsFirepower 2120 provides a substantial improvement in multiprotocol throughput compared to ASA 5525.
Concurrent Firewall Connections500,0001.5 million+1 millionFirepower 2120 offers a substantial increase in concurrent firewall connections compared to ASA 5525.
New Connections per Second20,00028,000+8,000Firepower 2120 provides an improvement in new connections per second compared to ASA 5525.
IPsec VPN Throughput300 Mbps700 Mbps+400 MbpsFirepower 2120 offers an increase in IPsec VPN throughput compared to ASA 5525.
Maximum VPN Peers2,5003,500+1,000Firepower 2120 supports an increase in maximum VPN peers compared to ASA 5525.
Best Migration Option for the ASA 5525 – Closest Match

Option Two – Non-2100 Series Firewall (All Metrics Improved)

MetricASA 5516Firepower 1150ImprovementReason
Stateful Inspection Firewall Throughput1.8 Gbps7.5 Gbps+5.7 GbpsFirepower 1150 offers significantly higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)900 Mbps4.5 Gbps+3.6 GbpsFirepower 1150 offers significantly higher throughput
Concurrent Firewall Connections250,000600,000+350,000Firepower 1150 supports more concurrent connections
New Connections per second20,000150,000+130,000Firepower 1150 offers significantly higher new connections per second
IPsec VPN Throughput250 Mbps1.7 Gbps+1.45 GbpsFirepower 1150 offers significantly higher VPN throughput
VPN Peers300800+500Firepower 1150 supports more VPN peers
Best Migration Option for the ASA 5525 – Non-2100 Series Option

ASA 5545 Migration Options

Option One – Closest Match

MetricASA 5545Firepower 2120ImprovementReason
Stateful Inspection Firewall Throughput3 Gbps6 Gbps+3 GbpsFirepower 2120 offers a significant improvement in stateful inspection firewall throughput compared to ASA 5545.
Stateful Inspection Firewall Throughput (multiprotocol)1.5 Gbps3 Gbps+1.5 GbpsFirepower 2120 provides a substantial improvement in multiprotocol throughput compared to ASA 5545.
Concurrent Firewall Connections750,0001.5 million+750,000Firepower 2120 offers a substantial increase in concurrent firewall connections compared to ASA 5545.
New Connections per Second30,00028,000-2,000Firepower 2120 provides a slightly lower value for new connections per second compared to ASA 5545.
IPsec VPN Throughput400 Mbps700 Mbps+300 MbpsFirepower 2120 offers an increase in IPsec VPN throughput compared to ASA 5545.
Maximum VPN Peers2,5003,500+1,000Firepower 2120 supports an increase in maximum VPN peers compared to ASA 5545.
Best Migration Option for the ASA 5545 – Closest Match

Option Two – All Metrics Improved

MetricASA 5545Firepower 2130ImprovementReason
Stateful Inspection Firewall Throughput3 Gbps10 Gbps+7 GbpsFirepower 2130 offers a significant improvement in stateful inspection firewall throughput compared to ASA 5545.
Stateful Inspection Firewall Throughput (multiprotocol)1.5 Gbps5 Gbps+3.5 GbpsFirepower 2130 provides a substantial improvement in multiprotocol throughput compared to ASA 5545.
Concurrent Firewall Connections750,0002 million+1.25 millionFirepower 2130 offers a substantial increase in concurrent firewall connections compared to ASA 5545.
New Connections per Second30,00040,000+10,000Firepower 2130 provides an improvement in new connections per second compared to ASA 5545.
IPsec VPN Throughput400 Mbps1 Gbps+600 MbpsFirepower 2130 offers a substantial improvement in IPsec VPN throughput compared to ASA 5545.
Maximum VPN Peers2,5007,500+5,000Firepower 2130 supports a significant increase in maximum VPN peers compared to ASA 5545.
Best Migration Option for the ASA 5545 – All metrics improved

Option Three – Non-2100 Series Firewall (All Metrics Improved)

MetricASA 5545Firepower 3110ImprovementReason
Stateful Inspection Firewall Throughput3 Gbps18 Gbps+15 GbpsFirepower 3110 offers significantly higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)1.5 Gbps15 Gbps+13.5 GbpsFirepower 3110 offers significantly higher throughput
Concurrent Firewall Connections750,0002 million+1.25 millionFirepower 3110 supports more concurrent connections
New Connections per second30,000300,000+270,000Firepower 3110 offers significantly higher new connections per second
IPsec VPN Throughput400 Mbps8 Gbps+7.6 GbpsFirepower 3110 offers significantly higher VPN throughput
VPN Peers2,5003,000+500Firepower 3110 supports more VPN peers
Best Migration Option for the ASA 5545 – Non-2100 Series Option

ASA 5555 Migration Options

Option One – Closest Match

MetricASA 5555Firepower 2120ImprovementReason
Stateful Inspection Firewall Throughput4 Gbps6 Gbps+2 GbpsFirepower 2120 offers a higher throughput of 6 Gbps, an improvement over ASA 5555’s 4 Gbps.
Stateful Inspection Firewall Throughput (multiprotocol)2 Gbps3 Gbps+1 GbpsFirepower 2120 provides a multiprotocol throughput of 3 Gbps, compared to ASA 5555’s 2 Gbps, resulting in a 1 Gbps improvement.
Concurrent Firewall Connections1,000,0002,000,000+1,000,000Firepower 2120 supports double the concurrent firewall connections, providing a significant improvement over ASA 5555.
New Connections per second50,00040,000-10,000ASA 5555 has a higher rate of new connections per second at 50,000 compared to Firepower 2120’s 40,000, resulting in a slight decrease.
IPsec VPN Throughput700 Mbps1 Gbps+300 MbpsFirepower 2120 offers a higher IPsec VPN throughput of 1 Gbps, compared to ASA 5555’s 700 Mbps, resulting in a 300 Mbps improvement.
VPN Peers5,0007,500+2,500Firepower 2120 supports 2,500 more VPN peers than ASA 5555, providing an enhancement in VPN capacity.
Best Migration Option for the ASA 5545 – Closest Match

Option Two – All Metrics Improved

MetricASA 5555Firepower 2140ImprovementReason
Stateful Inspection Firewall Throughput4 Gbps20 Gbps+16 GbpsFirepower 2140 has much higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)2 Gbps10 Gbps+8 GbpsFirepower 2140 has significantly higher throughput
Concurrent Firewall Connections1,000,0003,000,000+2,000,000Firepower 2140 supports far more connections
New Connections per second50,00075,000+25,000Firepower 2140 supports more new connections per second
IPsec VPN Throughput700 Mbps2 Gbps+1.3 GbpsFirepower 2140 has much higher VPN throughput
VPN Peers5,00010,000+5,000Firepower 2140 supports more VPN peers
Best Migration Option for the ASA 5555 – All metrics improved

Option Three – Non-2100 Series Firewall (All Metrics Improved)

MetricASA 5555Firepower 3120ImprovementReason
Stateful Inspection Firewall Throughput4 Gbps22 Gbps+18 GbpsFirepower 3120 offers significantly higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)2 Gbps17 Gbps+15 GbpsFirepower 3120 offers significantly higher throughput
Concurrent Firewall Connections1,000,0004 million+3 millionFirepower 3120 supports significantly more concurrent connections
New Connections per second50,000500,000+450,000Firepower 3120 offers significantly higher new connections per second
IPsec VPN Throughput700 Mbps10 Gbps+9.3 GbpsFirepower 3120 offers significantly higher VPN throughput
VPN Peers5,0007,000+2,000Firepower 3120 supports more VPN peers
Best Migration Option for the ASA 5555 – Non-2100 Series Option

Firepower 4110 Migration Options

Best Migration Option

MetricFirepower 4110Firepower 4125ImprovementReason
Stateful Inspection Firewall Throughput70 Gbps80 Gbps+10 GbpsThe Firepower 4125 offers a higher stateful inspection firewall throughput.
Stateful Inspection Firewall Throughput (multiprotocol)40 Gbps45 Gbps+5 GbpsThe Firepower 4125 provides a higher multiprotocol firewall throughput.
Concurrent Firewall Connections25 million25 millionSameBoth devices support the same number of concurrent firewall connections.
New Connections per Second350,0001.1 million+750,000The Firepower 4125 supports a significantly higher number of new connections per second.
IPsec VPN Throughput14 Gbps19 Gbps+5 GbpsThe Firepower 4125 offers higher IPsec VPN throughput.
VPN Peers20,00020,000SameBoth devices support the same number of VPN peers.
Best Migration Option for the Firepower 4110

Firepower 4120 Migration Options

Best Migration Option

MetricFirepower 4120Firepower 4125ImprovementReason
Stateful Inspection Firewall Throughput70 Gbps80 Gbps+10 GbpsFirepower 4125 offers higher throughput, an improvement over Firepower 4120.
Stateful Inspection Firewall Throughput (multiprotocol)40 Gbps45 Gbps+5 GbpsFirepower 4125 provides a higher multiprotocol throughput, an improvement over Firepower 4120.
Concurrent Firewall Connections25 million25 millionSameBoth devices support the same number of concurrent connections.
New Connections per second350,0001.1 million+750,000Firepower 4125 supports a significantly higher rate of new connections per second.
IPsec VPN Throughput14 Gbps19 Gbps+5 GbpsFirepower 4125 offers higher VPN throughput, an improvement over Firepower 4120.
VPN Peers20,00020,000SameBoth devices support the same number of VPN peers.
Best Migration Option for the Firepower 4120

Firepower 4140 Migration Options

Best Migration Option

MetricFirepower 4140Firepower 4125ImprovementReason
Stateful Inspection Firewall Throughput70 Gbps80 Gbps+10 GbpsFirepower 4125 offers higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)40 Gbps45 Gbps+5 GbpsFirepower 4125 offers higher throughput
Concurrent Firewall Connections25 million25 millionSameFirepower 4125 supports the same connections
New Connections per second350,0001.1 million+750,000Firepower 4125 offers significantly higher new connections per second
IPsec VPN Throughput14 Gbps19 Gbps+5 GbpsFirepower 4125 offers higher VPN throughput
VPN Peers20,00020,000SameFirepower 4125 offers the same number of VPN peers as Firepower 4140, ensuring consistent support for VPN connections.
Best Migration Option for the Firepower 4140

Firepower 4150 Migration Options

Best Migration Option

MetricFirepower 4150Firepower 4125ImprovementReason
Stateful Inspection Firewall Throughput70 Gbps80 Gbps+10 GbpsFirepower 4125 offers higher throughput
Stateful Inspection Firewall Throughput (multiprotocol)40 Gbps45 Gbps+5 GbpsFirepower 4125 offers higher throughput
Concurrent Firewall Connections25 million25 millionSameFirepower 4125 supports the same connections
New Connections per second350,0001.1 million+750,000Firepower 4125 offers significantly higher new connections per second
IPsec VPN Throughput14 Gbps19 Gbps+5 GbpsFirepower 4125 offers higher VPN throughput
VPN Peers20,00020,000SameBoth devices support the same number of VPN peers
Best Migration Option for the Firepower 4150

Additional Reading

Cisco Firepower 1000 Series Data Sheet – Cisco

Cisco Firepower 2100 Series Data Sheet – Cisco

Cisco Secure Firewall 3100 Series Data Sheet – Cisco

Cisco Firepower 4100 Series Data Sheet – Cisco

Cisco Network Security Ordering Guide – Cisco

Cisco ASA 5500 Data Sheet

Cisco EoS and EoL Products

Discover more from Network Wizkid

Subscribe to get the latest posts to your email.

Leave a Reply

Previous Post
Next Post

Discover more from Network Wizkid

Subscribe now to keep reading and get access to the full archive.

Continue reading

0
YOUR CART
  • No products in the cart.
Subtotal:
£0.00
CHECKOUT
BEST SELLING PRODUCTS
Network Wizkids CCIE Security v6.1 Lab Tracker
Network Wizkids CCIE Security v6.1 Lab Tracker
£2.99
Weekly, Monthly & Yearly Goals Tracker
Weekly, Monthly & Yearly Goals Tracker
£0.00
802.1X .PCAP Files
802.1X .PCAP Files
£0.00
Bulk Upload Users to Duo .CSV File
Bulk Upload Users to Duo .CSV File
£0.00
Yearly Goals - Network Wizkid Template
Yearly Goals - Network Wizkid Template
£0.00