Cisco Firepower 1010


the newer model is the obvious choice

This is also correct. Netgate even changed the model names. Mine is an SG-5100, about 2 years old; now it's called the Netgate 5100. It used to have hardware options for RAM and flash at purchase. They are gone now. I believe the 5100 is going to disappear soon, replaced by the 6100.
 
Other issue with the SG-5100 is it's only got GbE ports. 2 Gig and 4 Gig fibre to the home means that's not very future proof.
As you can see in the reviews, and I've tested this myself, you can aggregate 3 ports as WAN and get 3 Gbit/s throughput. Lawrence claims higher rates can be achieved with 4-port aggregation, as that only maxes out half a LAN port.

Also remember 8gbits WAN = 1 gbyte LAN.
 
A gigabit is 10^9 or 1,000,000,000 bits. It is one-eighth the size of a gigabyte (GB), which means a gigabit is eight times smaller than a gigabyte.

IOW, your 1 Gbit WAN download (getting typical these days) needs to go to 8x before it can saturate a 1 GByte LAN link.

America's broadband providers are constantly improving their infrastructure and already deliver one gigabit speeds to 80 percent of U.S. homes. With 10 gigabits, the sky is the limit.

10 Gbit WAN will saturate your 1 GByte LAN :p which again with the 5100 you can LAG the LAN as well to a switch which supports LAG, e.g. a GS1900-24E. Though the 5100 most likely won't go beyond 4 Gbit WAN (6 ports with 2 LAN LAG).
 
Agreed, I had the chance to test this with 3 cable connections. Back to one for a while now, but it worked as Lawrence showed in his demo, only with real ISP connections. With 6 gbyte ports on a 5100, LAG can go to 5 for the WAN, though I have to admit I did not test any more than 3. I do have 2 LAN ports aggregated to a managed LAN switch. In general it shows that LAG works on both sides with more than 2 links, Atom CPUs or not.
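The LAG throughput discussion above hinges on one detail the posts take for granted: a link-aggregation group spreads traffic per flow, so a single flow never exceeds one member port while many flows can fill all of them. The following model is an added illustration, not code from this thread or from Netgate/pfSense; the L3/L4-style hash policy, the 1 GbE member rate and the synthetic flows are all assumptions constructed for the demo.

```python
"""Model of how link aggregation (LAG/LACP) shares traffic across member links.

Added illustration, not code from the forum thread or from Netgate/pfSense.
A LAG picks an egress member per flow by hashing the flow's addresses/ports
(assumed here: a layer 3+4 hashing policy), so one flow never exceeds a single
member's rate; only many concurrent flows can fill the aggregate.
Values below (1 GbE members, synthetic flows) are constructed for the demo.
"""
import hashlib
from collections import Counter

MEMBER_GBPS = 1.0  # each member of the group is assumed to be a 1 GbE port


def member_for_flow(flow, n_members):
    """Pick the egress member for a flow with a stable L3/L4-style hash (assumed policy)."""
    src, dst, sport, dport = flow
    key = f"{src}:{sport}-{dst}:{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_members


def aggregate_throughput(flows, n_members, demand_gbps):
    """Return (total_gbps, per_member_gbps). Each flow wants demand_gbps; a member
    link saturates at MEMBER_GBPS no matter how many flows land on it."""
    load = Counter()
    for f in flows:
        load[member_for_flow(f, n_members)] += demand_gbps
    per_member = {m: min(load[m], MEMBER_GBPS) for m in range(n_members)}
    return sum(per_member.values()), per_member


def single_flow_cap(n_members):
    """One flow, however hungry (10 Gbit/s demand), is capped at one member's rate."""
    total, _ = aggregate_throughput([("10.0.0.2", "203.0.113.10", 50000, 443)], n_members, 10.0)
    return total


def many_flows(n_flows, n_members):
    """Many modest flows (0.5 Gbit/s each) spread over the members and fill the group."""
    flows = [("10.0.0.2", "203.0.113.10", 40000 + i, 443) for i in range(n_flows)]
    total, _ = aggregate_throughput(flows, n_members, 0.5)
    return total


if __name__ == "__main__":
    print("single flow over 3-link WAN LAG:", single_flow_cap(3), "Gbit/s")
    print("200 flows over 3-link WAN LAG:", many_flows(200, 3), "Gbit/s")
```

This is why a single speed-test download over a 3-port WAN LAG shows about 1 Gbit/s while a household of concurrent streams can approach 3 Gbit/s.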
 
I know what's inside and what can run on it. Netgate hardware is actually exactly 46.7% faster in what scales linearly. For example, OpenVPN: Cisco 1010 ~300Mbps -> SG-5100 >400Mbps. Same for routing performance. The 3x difference comes when hardware + available software performance is in play. Netgate with pfSense has available Suricata multi-threaded IDS/IPS (for a long time). Cisco 1010 users have to wait for Snort 3.x engine integration in software. Current Snort engine is single-threaded. Another advantage of SG-5100 is upgradability. It has a RAM slot and M.2 SATA port. Cisco components are soldered on the PCB. Sorry about the crap, but I don't work with "In my mind, I would think, I assume". Someone else may be interested to know what the differences are. You are free to purchase, use and subscribe to whatever you like.
Both Snort and Suricata are available, user's choice:
https://docs.netgate.com/pfsense/en/latest/packages/snort/index.html
I am glad you found something that ran better than a consumer ASUS router. You still have it wrong on the Firepower 1010. There are 2 ways to run a Firepower 1010. I am talking ASA character mode. What you are explaining is the FTD mode. You still don't understand.
 
You still have it wrong on the Firepower 1010.

It's all in the tech specifications and software capabilities description. It's good for other folks to know that the Cisco 1010, compared to the updated Netgate 6100 (currently the same price as the 5100), is a weaker hardware device with slower interfaces, bound to proprietary software with limited options and subscription services. Very common Cisco business practice to milk the customers forever. You with "I believe" can prepare your credit card. ;)
 
So naive about software. You seem to think everybody writes it the same.

You will never talk me into running pfsense again.
 
You seem to think everybody writes it the same.

No, some use their past reputation to spy on customers. Better to avoid such companies.
You will never talk me into running pfsense again.

I have no intentions to do so. Merry Christmas to you! :)
 
I manage one of the 1010's bigger brothers and can answer some questions.

I'm speaking in general product family terms and haven't verified that everything pertains to the 1010. Still, this will give you an idea of what to check for.

Device management--depends on the codebase. You can run Firepower in classic ASA OS, or FTD. If you run FTD, you have CDO (cloud managed), FMC (dedicated management host), and FDM (onboard device manager). You will likely either run the 1010 in ASA mode or use FTD w/ FDM. FDM is the management GUI--you lose the random crashes of ASDM and some of the features, but it works for the most part. I come from an ASA CLI background and many of the troubleshooting commands still work, but they're now within the read-only diagnostic CLI. FDM is fine for small biz use but it's too clunky for heavy lifting.

VPN user cap--the ASA model is that your IPsec VPNs, clientless VPNs, and client-based VPNs (AnyConnect) pull from the same pool. You don't need an AnyConnect license if you won't use it. The ASA 5505 came with 2 free AnyConnect licenses in the 3.X days, but I'm not sure how Firepower does it. If you want to use AnyConnect, you need to acquire a user license. You're looking at Smart Account setup, registering an AnyConnect PAK, and converting it to a smart license. You're going to be almost halfway there anyway just to get the firewall out of eval mode, but there is significantly more hassle with Firepower than the PIX/ASA PAK classic licensing.

IPS functionality--it's something we're building to in our deployment, but I don't think Firepower allows you to run an IPS module like the pre-FTD 5500-X series did. If so, FMC may become a hard requirement. Unfortunately, the bad guys have heard of HTTPS too, and without SSL inspection IPS is limited. I would not recommend a home user set up FMC and pay for a TMC license.

Support contracts--which one you get is dependent on your code base, but CON-SNT-FPR1010N is $99/yr on CDW.
 
Some people don't understand the difference between enterprise level software and consumer level software.
 
Using the GUI mode is not an option for me, as I will not have a good enough UPS that can do an auto shutdown on the Cisco Firepower to keep it from having corrupt files. The ASA mode is what I would have to use, as I stated above. I am not recommending this for everybody. I was trained on old Cisco PIX firewalls, which are close to ASA. I ran PIX firewalls in the past; I am sure I can make it run for me and my daughter.

SSL inspection on IPS is not something you will find on consumer level routers. Untangle has it but I don't know if you can run it at home on a home license. It did not exist anywhere back when I ran Untangle.
 