Cisco ASA EoL
Aug 2023
Cisco have stopped selling the ASA (Adaptive Security Appliance) 5500 firewalls – End of Life (EoL) and End of Support (EoS) dates have been announced for all ASA5500 models.
All of the Cisco FirePOWER subscriptions are now End of Life (EoL) and will be End of Support (EoS) in 2025 or 2026.
If you are using the L-ASAxxx FirePOWER services subscriptions then you must migrate to the FPR NGFW as the FPR ASA does not run FirePOWER services (as at Aug 2023).
The decision to move away from the ASA has been made for you, the next step is to decide if you wish to stick with Cisco or move to another firewall provider.
Cisco have laid out a migration path for the ASA5500 to the FPR Firepower NGFW but it’s not straightforward and it’s not cheap.
ASA MIGRATION OPTIONS
Need help with your ASA migration?
ASA5500 Replacement Options
Time to move on from Cisco Firewalls?
Cisco have not been a leader in the Gartner® Magic Quadrant™ for Network Firewalls since 2019.
The top 3 (2023) leading firewall providers, according to Gartner® are Fortinet, Palo Alto and Checkpoint Software Technologies.
Source Fortinet
Hwever, Cisco is still a leading network Firewall provider, and was named as 2023 Best Next Generation Firewall by SE labs.
Source Cisco
Cisco were named a leader in The Forrester Wave: Enterprise Firewalls in Q3 2020, but have slipped back to being a Strong Performer in the latest reports.
With end of support dates of 2025 and 2026, now is the time to plan and execute a migration. The only decision left is which device you migrate to.
If you have Cisco software such as Any Connect (Cisco Secure Mobile Client) then migrating to another vendor will likely involve migration to another software product.
In addition to hardware costs, you need to consider migration expenses, software support and licensing and compatibility with your existing environment.
The decision to move on from the ASA5500 has been made for you, if you can’t update the OS then at some point it will stop being compatible with other systems, or will suffer from an unpatchable vulnerability.
Best Next Generation Firewall (NGFW) 2023
The top 3 (2022) leading firewall providers, according to Gartner® are Fortinet, Palo Alto and Checkpoint Software Technologies.
Source Fortinet
Cisco have been given a caution rating in the Cyberratings Q2 2023 Enterprise Firewall Comparitive Report (FPR2130 v7.3.1-19 tested) 19.50% security effectiveness.
The same report gave a rating of Neutral for Palo Alto Networks (PA-3220 v10.2.3 tested) 79,15% security effectiveness.
The Check Point Quantum QLS250 Lightspeed R81.20 and the Fortinet FortiGate 600F v6.4.12 achieved 98.14% and 99.88% security effectiveness in the same tests.
Source cyberratings.org
| Manufacturer | NGFW Tested | Security Effectiveness |
|---|---|---|
|
Fortinet |
Fortinet FortiGate 600F v6.4.12 build5431 (GA) |
99.88% |
|
Check Point |
Check Point Quantum QLS250 Lightspeed R81.20 |
98.14% |
|
Palo Alto Networks |
Palo Alto Networks PA-3220 v10.2.3 |
79.15% |
|
Cisco |
Cisco Firepower 2130 v7.3.1-19 |
19.50% |
Replace your ASA 5500 with an FPR1000 ASA
If you decide to stay with Cisco then the FRP1000 is the recommended replacement for your ASA 5500, however the FPR2100 devices do overlap in performance and price and may be a better choice.
If your ASA is running without the ASA Firepower Module (ASA SFR) or the Firepower services are not implemented, and assuming you have other systems performing NGFW functions, then simply replace your ASA with an FPR1000 running the ASA image.
It is possible to simply replace your ASA 5500 with an FPR running the ASA Image. There are very few differences between the devices and in most cases the ASA config can be pasted directly into the FPR.
| ASA5500-X | Max Performance | FRP1000 Model | Max Performance | Refresh Price |
|---|---|---|---|---|
|
750Mbs |
FPR1010-ASA-K9 |
Statefull FW 2 Gbps |
||
|
1 Gbps |
FPR1120-ASA-K9 |
Statefull FW 4.5 Gbps |
||
|
ASA5512-X |
1 Gbps |
FPR1120-ASA-K9 |
Statefull FW 4.5 Gbps |
|
|
ASA5515-X |
1.8 Gbps |
FPR1140-ASA-K9 |
Statefull FW 6 Gbps |
|
|
1.8 Gbps |
FPR1140-ASA-K9 |
Statefull FW 6 Gbps |
||
|
2 Gbps |
FPR1150-ASA-K9 |
Statefull FW 7.5 Gbps |
||
|
3 Gbps |
FPR1150-ASA-K9 |
Statefull FW 7.5 Gbps |
||
|
4 Gbps |
FPR1150-ASA-K9 |
Statefull FW 7.5 Gbps |
Correct as at July 2023 – latest specifications are available on cisco.com
Cisco have no plans to cease support or developement of the Secure Firewall ASA code, and you may wish to use the FPR as an ASA if you do not need the advanced capabilities of the threat defense, or if you need an ASA feature that is not available on threat defense.
Cisco have, however announced that the ASA REST API is no longer being enhanced which may indicate reduced develpment for the ASA platform.
With very few changes, the configuration from your ASA5500-X can be pasted directly into your ASA imaged FPR1000, and the only requirement is for the essential license be available in your Smart Account.
Swapping the ASA5500 hardware for an FPR1000 running the ASA image will result in increased performance and an extended life for your ASA firewalls.
Replace your ASA 5500 with an FPR1000 or FPR2100 NGFW
Cisco are viewing the ASA (Adaptive Security Applicance) code and the FTD (Firewall Threat Defense) code as two products that serve different functions, and as such have no plans to cease development or support of the ASA code.
However, the threat defense contains most of the major funtionality of the ASA, plus additional next generation firewall and IPS functionality, we would recommend migrating from ASA to FTD at some point.
The device will run slower with the FTD code as FTD is a combination of ASA code and Firepower Snort, but the FTD adds Layer 7 application inspection and firewalling which is recommended.
The base FTD License includes Application Visibility and Control (AVC) which supports over 4000 applications, as well as geolocations, users and websites.
Correct as at July 2023 – latest specifications are available on cisco.com
| ASA5500-X | AVC and IPS | Cisco Firepower | AVC and IPS | Refresh Price |
|---|---|---|---|---|
|
ASA5506-X |
125 Mbps |
FPR1010-NGFW-K9 |
650 Mpbs |
|
|
ASA5508-X |
125 Mbps |
FPR1120-NGFW-K9 |
1.5 Gbps |
|
|
ASA5512-X |
150 Mpbs |
FPR1120-NGFW-K9 |
1.5 Gbps |
|
|
ASA5515-X |
250 Mbps |
FPR1140-NGFW-K9 |
2.2 Gbps |
|
|
ASA5516-X |
450 Mbps |
FPR1140-NGFW-K9 |
2.2 Gbps |
|
|
ASA5525-X |
650 Mbps |
FPR1150-NGFW-K9 |
3 Gbps |
|
|
|
|
FPR2110-NGFW-K9 |
2.6 Gbps |
|
|
|
|
FPR2120-NGFW-K9 |
3.4 Gbps |
|
|
ASA5545-X |
1 Gbps |
FPR1150-NGFW-K9 |
3 Gbps |
|
|
|
|
FPR2130-NGFW-K9 |
5.4 Gbps |
|
|
ASA5555-X |
1.25 Gbps |
FPR1150-NGFW-K9 |
3 Gbps |
|
|
|
|
FPR2140-NGFW-K9 |
10.4 Gbps |