Published by Solomon Golden. Modified over 9 years ago.
FirePOWER Services for ASA Sizing Guidance and Performance Discussion
FirePOWER Services Sizing Numbers
Note: These are sizing numbers measured with the “Transactional” performance profile (440-byte HTTP). They are comparable to the Sourcefire IPS and Cisco ASA IPS Transactional data sheet numbers. Use these numbers, not the headline data sheet numbers, for sizing.

Sizing throughput in Mbps:
Model: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, followed by four larger platforms whose column headers did not survive extraction
FirePOWER IPS or AVC: 100 150 375 575 725 1200 2000 3500 6000
IPS + AVC: 75 255 360 450 800 2100 (row incomplete as extracted)
IPS + AVC + AMP: 60 85 205 310 340 550 850 1500 2300
Performance: How to Measure It and Why It Matters
Sizing: Which device do I need to buy? An upgrade of an existing device, or a new device?
Features: Which features am I going to need or want to run? Firewall, IPS, Application Control, URL filtering, Malware?
Location: Where does the device sit in the network? In front of a DNS-only data center with millions of very small, very fast transactions, or in front of HTTP servers serving normal web pages? In a data center looking only at internal traffic, or at the Internet edge looking at the wild Internet?
As with all performance discussions, YOUR MILEAGE MAY VARY!
How to measure? Data sheets generally give some indication of performance, and in most cases this includes the infamous “throughput” measurement. Different product spaces have different typical throughput tests. The firewall industry almost always publishes a maximum throughput number, usually based on a traffic type that is never helpful for sizing the product; 1518-byte UDP packets are a common choice. Large UDP packets move the most bytes per unit of per-packet work, so that number is the best the box can ever produce, not what it does on real traffic. The IPS industry has generally been more conservative about the throughput estimates on its data sheets, partly because IPS performance varies much more with traffic mix than firewall performance does, and partly by industry convention; 440-byte HTTP over TCP is a common test.
FirePOWER Services on ASA Feature Guidance
IPS-only performance is comparable to classic IPS on the same platforms when measured with the 440-byte TCP/Transactional profile (the same test used for FirePOWER appliances).
If you run AVC or AVC + AMP on top of IPS, reduce the expected throughput by:
30-45% for IPS + AVC
50-65% for IPS + AVC + AMP
These proportions are generally consistent with those seen on FirePOWER appliances.
Performance Impacts by Location
Location can have direct and indirect impacts on performance. A direct impact would be a different traffic mix or a smaller average packet size causing a higher workload per megabit. An indirect impact would be the Internet edge, where the share of malicious traffic is higher than in an internal-only data center, so more events are generated and the logging load increases.
Location Specific Traffic Profiles
When deploying FirePOWER Services for ASA, the traffic profile at the location can affect device performance differently than the standard test methods do. Educational, ISP, and SMB protocol mixes have a slight impact; enterprise application and enterprise data center mixes have a greater impact.
FirePOWER Services for ASA Data Sheet (Draft)
The plan is for the FirePOWER Services for ASA data sheet to include both a maximum throughput number and a 440-byte HTTP number that is more relevant for sizing.

Model: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, followed by larger platforms whose column headers did not survive extraction (rows shorter than the header are missing cells)
Maximum Application Control Throughput (Mbps): 300 500 1100 1500 1750 4500 7000 10000 15000
Maximum Application Control and IPS Throughput (Mbps): 150 250 650 1000 1250 2000 3500 6000
Application Control or IPS Sizing Throughput, 440-byte HTTP (Mbps): 100 375 575 725 1200
How to use the numbers? Maximum throughput numbers are generally only useful for comparing data sheets. Because they are measured with traffic types or configuration profiles that make no attempt to represent real deployments, they should not be used for sizing. Sizing data should always be measured with traffic that stresses the device, under a configuration that exercises the inspection paths that will normally be used. Connections with a 440-byte average HTTP packet size are a reasonably difficult traffic profile for most boxes. Multi-protocol tests are potentially better, but they are much harder to reproduce, and it is sometimes hard to understand how much real stress they place on the device. 440-byte HTTP is easier to reproduce and approximates the stress real-world traffic puts on the device.
Sizing Guidance for Upgrade
When replacing an existing service module such as Cisco ASA CX or the classic IPS module:
Understand the traffic load the device is seeing.
Understand the inspection load the current device is under.
Compare the current inspection load, where possible, to the expected load on the new module, reducing the available throughput according to the features required.
If you run more features, performance will be impacted (more work is harder than less work!).
FirePOWER Services for ASA vs Cisco ASA-CX
Comparison of FirePOWER Services (SFR) and CX on an ASA 5525-X using EMIX (the ASA multiprotocol test).
AVC + URL: matched applications and HTTP URLs on both platforms. Two AVC rules were configured, one matching SMTP traffic and one matching URL categories.
IPS on CX: default CX IPS policy, around 1000 threats.
IPS on SFR: “Balanced Security and Connectivity” policy, around 4000 signatures.
Throughput (Mbps):
FirePOWER Services on 5525-X: AVC + URL 750; AVC + URL + IPS 400
CX on 5525-X: AVC + URL 675; AVC + URL + IPS 260
FirePOWER Services vs ASA Classic IPS
IPS-only test comparing the throughput of FirePOWER Services for ASA to the classic IPS module, using the same 440-byte HTTP Transactional test that was the benchmark for classic IPS.

Throughput (Mbps). Model: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, followed by four larger platforms whose column headers did not survive extraction
FirePOWER Services on ASA: 100 150 375 575 725 1200 2000 3500 6000
Classic IPS on ASA: 150 250 400 600 850 1150 1500 3000 5000 (the 5512-X value, 150, is taken from the upgrade table later in this deck)
FirePOWER Services vs FirePOWER Appliance
IPS test comparing the throughput of FirePOWER Services for ASA to FirePOWER appliances, using the same 440-byte HTTP Transactional test used by Sourcefire. High-end 82xx and 83xx appliances scale from 10 Gbps up to 60 Gbps of IPS. Appliances do not have a published IPS + AVC performance number.

Throughput (Mbps), lower column group:
Model: 5512-X, 5515-X, SFR 7030, 5525-X, 5545-X, 5555-X
IPS: 100 150 250 375 575 725
IPS + AVC: 75 255 360 450 (row incomplete as extracted; appliances have no published number)

Upper column group (headers as extracted: SFR 7120, 7125, 8130, 8140, 82xx, 83xx; the rows contain more values than labeled columns):
IPS: 1000 1200 1250 2000 3500 4000 6000 10000+
IPS + AVC: 800 2100
Upgrading from ASA with Classic IPS to FirePOWER Services for ASA
When upgrading from classic IPS to FirePOWER Services, adding new features can require a platform change. Generally, each new major feature is a step up in platform, assuming the box is already near capacity.

Throughput (Mbps). Model: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, followed by four larger platforms whose column headers did not survive extraction
Classic IPS Module: 150 250 400 600 850 1150 1500 3000 5000
FirePOWER AVC or IPS: 100 150 375 575 725 1200 2000 3500 6000 (complete row as on the sizing slide)
IPS + AVC: 75 255 360 450 800 2100 (row incomplete as extracted)
IPS + AVC + AMP: 60 85 205 310 340 550 850 1500 2300 (complete row as on the sizing slide)
This is a general approximation!
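The sizing arithmetic this deck describes (start from the 440-byte HTTP sizing number, apply the 30-45% and 50-65% reductions for IPS + AVC and IPS + AVC + AMP, then pick the smallest platform that still covers the measured load) as a small Python helper. This is an added example, not a Cisco tool and not code from the original slides. It uses only the 5512-X through 5555-X IPS sizing values and the reduction ranges stated above; the growth headroom, the 250 Mbps sample load and the byte-counter sample are assumptions for illustration. It also carries through the packets-per-second arithmetic behind the 1518-byte UDP versus 440-byte HTTP point on the measurement slide.

```python
"""Sizing helper for FirePOWER Services on ASA 5500-X.

Rule of thumb from the slides: start from the 440-byte HTTP
"Transactional" IPS sizing number for the platform, reduce it by
30-45% for IPS + AVC and by 50-65% for IPS + AVC + AMP, and size
against that, never against the headline maximum throughput.
Added example: the loads and headroom below the table are
illustrative assumptions, not Cisco data.
"""
from dataclasses import dataclass

# 440-byte HTTP Transactional IPS (or AVC) sizing throughput, Mbps (from the slides).
IPS_SIZING_MBPS = {
    "5512-X": 100,
    "5515-X": 150,
    "5525-X": 375,
    "5545-X": 575,
    "5555-X": 725,
}

# Fraction of the IPS sizing number that remains with more inspection enabled,
# as (pessimistic, optimistic), derived from "reduce throughput by 30-45% / 50-65%".
FEATURE_RETENTION = {
    "IPS": (1.00, 1.00),
    "IPS+AVC": (0.55, 0.70),
    "IPS+AVC+AMP": (0.35, 0.50),
}


@dataclass(frozen=True)
class Estimate:
    model: str
    features: str
    low_mbps: float   # pessimistic end of the reduction range
    high_mbps: float  # optimistic end


def estimate(model: str, features: str) -> Estimate:
    """Expected sizing throughput range for a feature set on a platform."""
    base = IPS_SIZING_MBPS[model]
    lo, hi = FEATURE_RETENTION[features]
    return Estimate(model, features, base * lo, base * hi)


def fits(est: Estimate, required_mbps: float, headroom: float = 0.0) -> bool:
    """Plan against the pessimistic end, optionally with growth headroom
    (headroom=0.2 means the box must cover 120% of today's load)."""
    return est.low_mbps >= required_mbps * (1.0 + headroom)


def smallest_model(required_mbps: float, features: str, headroom: float = 0.0):
    """Smallest platform in the table that covers the load; None means a
    platform larger than the 5555-X is needed."""
    for model in sorted(IPS_SIZING_MBPS, key=IPS_SIZING_MBPS.__getitem__):
        if fits(estimate(model, features), required_mbps, headroom):
            return model
    return None


def mbps_from_counters(byte_delta: int, seconds: float) -> float:
    """Turn an interface byte-counter delta (two samples of the same counter)
    into Mbps, for the 'understand the traffic load' step."""
    return byte_delta * 8 / seconds / 1e6


def packets_per_second(mbps: float, avg_packet_bytes: int) -> float:
    """Per-packet work implied by a throughput figure: why 1 Gbps of
    1518-byte UDP is a far lighter load than 1 Gbps of 440-byte HTTP."""
    return mbps * 1e6 / 8 / avg_packet_bytes


if __name__ == "__main__":
    # Constructed sample: 250 MB of inspected traffic over an 8-second window.
    load = mbps_from_counters(byte_delta=250_000_000, seconds=8)  # 250 Mbps
    for feats in ("IPS", "IPS+AVC", "IPS+AVC+AMP"):
        print(f"{feats:12s} -> {smallest_model(load, feats)}  "
              f"(with 20% headroom: {smallest_model(load, feats, headroom=0.2)})")
    # Each added feature steps the platform up: 5525-X, 5545-X, 5555-X.
    for size in (1518, 440):
        print(f"1000 Mbps at {size}-byte packets = {packets_per_second(1000, size):,.0f} pps")
```

The selection deliberately uses the pessimistic end of each reduction range; with 20% headroom the IPS + AVC + AMP case already falls off the end of the 5500-X table, which is the "platform change" the slide warns about.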