When to upgrade to a new firewall

Jun 8th, 2012

When do you know it is time to upgrade to a new firewall?  From the Cisco Podcast #7 "Monitoring Firewall Performance", the speakers said when the CPU usage consistently is at 50% or higher, that is the time to upgrade.  They gave their reasons which made sense.  And I can check the CPU usage with a show cpu usage command. 

Are there any other signs besides CPU usage that it is time to upgrade the firewall?

Thanks.

J

Marcin Latosiewicz Fri, 06/08/2012 - 12:28

J,

I assume you mean hardware not software upgrade.

If you are not running any additional features (like threat detection, inspections, various proxies) and are reaching 50% you might consider an upgrade indeed, especially if you're seeing spiky load.

However before making a decision like this, I would run this by TAC. Don't get me wrong, TAC does not perform capacity planning, but will at least tell you about features that consume CPU, which you might not be using/needing.

M.

Marvin Rhoads Sat, 06/09/2012 - 15:54

A couple of reasons should prompt a hardware or platform upgrade:

1. When your performance demands exceed the capacity of your current system

2. When you want to avail yourself of services that your current device does not support

3. When your current device has exceeded its support lifetime (typically five years after end of sales for Cisco products).

Hope this helps

nkarthikeyan Sun, 06/10/2012 - 03:04

1) Yes. If your device is reaching 50% CPU usage then you may need to upgrade for consistent performance.

But the CPU usage increase may be due to other issues as well. If everything is normal and CPU usage is crossing 50%, then you may need to upgrade. This is only one of the reasons; there are a lot of others.

2) Depending on your future expansion / requirements, you may need an upgrade of the model.

 

| Feature | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550 |
|---|---|---|---|---|---|
| Users/Nodes | 10, 50, or unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
| Firewall Throughput | Up to 150 Mbps | Up to 300 Mbps | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps |
| Maximum Firewall and IPS Throughput | Up to 150 Mbps with AIP-SSC-5 | Up to 150 Mbps with AIP-SSM-10; up to 300 Mbps with AIP-SSM-20 | Up to 225 Mbps with AIP-SSM-10; up to 375 Mbps with AIP-SSM-20; up to 450 Mbps with AIP-SSM-40 | Up to 500 Mbps with AIP-SSM-20; up to 650 Mbps with AIP-SSM-40 | Not available |
| 3DES/AES VPN Throughput*** | Up to 100 Mbps | Up to 170 Mbps | Up to 225 Mbps | Up to 325 Mbps | Up to 425 Mbps |
| IPsec VPN Peers | 10; 251 | 250 | 750 | 5000 | 5000 |
| Premium AnyConnect VPN Peers* (Included/Maximum) | 2/25 | 2/250 | 2/750 | 2/2500 | 2/5000 |
| Concurrent Connections | 10,000; 25,000* | 50,000; 130,000* | 280,000 | 400,000 | 650,000 |
| New Connections/Second | 4000 | 9000 | 12,000 | 25,000 | 33,000 |
| Integrated Network Ports | 8-port Fast Ethernet switch (including 2 PoE ports) | 5 Fast Ethernet ports; 2 Gigabit Ethernet + 3 Fast Ethernet ports* | 4 Gigabit Ethernet, 1 Fast Ethernet | 4 Gigabit Ethernet, 1 Fast Ethernet | 8 Gigabit Ethernet, 4 SFP Fiber, 1 Fast Ethernet |
| Virtual Interfaces (VLANs) | 3 (no trunking support)/20 (with trunking support)* | 50/100* | 150 | 200 | 400 |
| Security Contexts (Included/Maximum)* | 0/0 | 0/0 (Base); 2/5 (Security Plus) | 2/20 | 2/50 | 2/50 |
| High Availability | Not supported; stateless Active/Standby and redundant ISP support* | Not supported; Active/Active and Active/Standby** | Active/Active and Active/Standby | Active/Active and Active/Standby | Active/Active and Active/Standby |
| Expansion Slot | 1, SSC | 1, SSM | 1, SSM | 1, SSM | 0 |
| User-Accessible Flash Slot | 0 | 1 | 1 | 1 | 1 |
| USB 2.0 Ports | 3 (1 on front, 2 on rear) | 2 | 2 | 2 | 2 |
| Serial Ports | 1 RJ-45 console | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary |
| Rack-Mountable | Yes, with rack-mount kit (available in the future) | Yes | Yes | Yes | Yes |
| Wall-Mountable | Yes, with wall-mount kit (available in the future) | Not available | Not available | Not available | Not available |
| Security Lock Slot (for Physical Security) | Yes | Not available | Not available | Not available | Not available |
| Technical Specifications | | | | | |
| Memory | 512 MB | 1 GB | 2 GB | 2 GB | 4 GB |
| Minimum System Flash | 128 MB | 256 MB | 256 MB | 256 MB | 256 MB |
| System Bus | Multibus architecture | Multibus architecture | Multibus architecture | Multibus architecture | Multibus architecture |

The above table shows the maximum capability of the ASA firewalls. When your requirements need an upgrade, you have to go for that.

3) When it comes to end of support from Cisco tech.

These are the major factors for an upgrade.

Please rate if the info is helpful.

Cheers

Karthik
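
Added example (not part of any post above): a small Python check that combines the thread's 50% CPU guidance with the table's base-license Concurrent Connections maxima, using periodic captures of `show cpu usage` and `show conn count`. The use of `show conn count`, the 75% "consistently" cutoff, the 80% connection headroom cutoff and the sample captures are assumptions made for illustration.

```python
import re

# Base-license "Concurrent Connections" maxima from the table in this thread.
ASA_MAX_CONNS = {"5505": 10_000, "5510": 50_000, "5520": 280_000,
                 "5540": 400_000, "5550": 650_000}

CPU_RE = re.compile(r"CPU utilization for 5 seconds = (\d+)%; "
                    r"1 minute: (\d+)%; 5 minutes: (\d+)%")
CONN_RE = re.compile(r"(\d+) in use, (\d+) most used")

# Constructed sample: four captures taken at intervals on one firewall,
# each holding 'show cpu usage' followed by 'show conn count' output.
SAMPLE_CAPTURES = [
    "CPU utilization for 5 seconds = 71%; 1 minute: 58%; 5 minutes: 55%\n"
    "41200 in use, 46100 most used",
    "CPU utilization for 5 seconds = 49%; 1 minute: 52%; 5 minutes: 53%\n"
    "39800 in use, 46100 most used",
    "CPU utilization for 5 seconds = 22%; 1 minute: 35%; 5 minutes: 47%\n"
    "30100 in use, 46100 most used",
    "CPU utilization for 5 seconds = 64%; 1 minute: 60%; 5 minutes: 57%\n"
    "43900 in use, 46100 most used",
]

def parse_capture(text):
    """Extract the 5-minute CPU average and the connection high-water mark."""
    cpu, conn = CPU_RE.search(text), CONN_RE.search(text)
    if not cpu or not conn:
        raise ValueError("capture lacks 'show cpu usage' or 'show conn count' output")
    return {"cpu_5m": int(cpu[3]), "conn_peak": int(conn[2])}

def assess(model, captures, cpu_pct=50, sustained=0.75, conn_frac=0.80):
    """Flag sustained CPU load and low connection headroom (cutoffs are assumptions)."""
    if not captures:
        raise ValueError("no captures supplied")
    samples = [parse_capture(c) for c in captures]
    # "Consistently" is approximated as the share of samples at or above cpu_pct.
    busy = sum(s["cpu_5m"] >= cpu_pct for s in samples) / len(samples)
    conn_util = max(s["conn_peak"] for s in samples) / ASA_MAX_CONNS[model]
    reasons = []
    if busy >= sustained:
        reasons.append(f"5-minute CPU >= {cpu_pct}% in {busy:.0%} of samples")
    if conn_util >= conn_frac:
        reasons.append(f"peak connections at {conn_util:.0%} of the {model} maximum")
    return {"cpu_busy_fraction": busy, "conn_utilization": conn_util,
            "reasons": reasons}

if __name__ == "__main__":
    print(assess("5510", SAMPLE_CAPTURES))
```

An empty `reasons` list means neither signal fired; it does not cover the feature-support or end-of-support criteria raised in the replies.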

Posted June 8, 2012 at 8:14 AM