Firepower Feature Matrix

Doc type / Publish Date
Cisco Partner Confidential / 2.6.2023
Cisco Secure Firewall Feature

Comparison Matrix version 7.4.x
Security Business Group
Network Security Technical Marketing Engineering
22 December 2023
© 2021 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information.
Contents
Introduction 2
Platform Selection: 2
ASA Management Selection: 3
FTD Management Selection: 4
Management Features Matrix – ASA 5
Management Features Matrix – FTD 14
Public Cloud Secure Firewall 31
Azure Native vs. Cisco Secure Firewall 31
Google Cloud vs. Cisco Secure Firewall 40
AWS Firewall vs. Cisco Secure Firewall 46
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 1 of 51
Introduction
The purpose of this document is to inform and accelerate our users' decision-making when choosing between Cisco
ASA or FTD platforms and available management options. More information on ASA to FMT migration is available here:
Cisco ASA to FTD using FMT
Platform Selection:
Choose ASA for Choose FTD for

• Traditional/Stateful L3-L4 Firewall • Next-Gen Firewall and IPS (NGFW, NGIPS), VPN
• Layer 7 Protocol Inspection • Advanced Malware Protection (AMP)
• Simple 5 tuple-based Access control • True multi-tenancy with multi-Instance
• CGNAT, QoS, Advanced Routing • Advanced network visibility and threat analytics
• VPN only deployment o Correlation Rules
• Remote Access VPN Headend with the following o Custom IPS Rules
features: o Firepower Recommendations
o Secure Client VPN • Incident response and threat investigation
o EzVPN/L2TP/3rd Party Clients • TLS decryption, Encrypted traffic visibility
o TACACS/Kerberos • SD-WAN (DIA, Auto Tunnel, Application Routing)
• Multi-context firewall • Zero Trust Network Access for Web Applications
Management Features Matrix – ASA Management Features Matrix – FTD
ASA Management Selection:
Features CSM ASDM Co-Managers CDO
Type of manager On premise and multi-device On-box local device Cloud, multi-device, multi-platform
Firewall
Active/Standby, Active/Active, Active/Standby, Active/Active,
Deployment Active/Standby
Cluster, VPN Load Balancing Cluster, VPN Load Balancing
Modes
CLI and GUI based configuration for

GUI-based configuration for GUI-based configuration for
Secure Client (AnyConnect),
Secure Client (AnyConnect), Secure Client (AnyConnect),
VPN Management (Hostscan or DAP configurable
Hostscan, Policy and Route Based Hostscan, Policy and Route Based
through CLI/ASDM only), Policy and
VPNs VPNs
Route Based VPNs
Firewall
Rule Optimization, Shared Hit counts and Configuration Object Conflicts, Rule Optimization,
Management
Configuration, Usage reports Wizards Configuration templates, CLI Macros
Automation
Event Viewer and Report Event Viewer manager, Syslog, Event Viewer and Enhanced VPN
manager, Syslog, Netflow to Netflow to external logging monitoring and reporting,
Eventing
external logging servers, SAL servers SAL cloud integration SAL Cloud integration with Cross
cloud integration using SEC using SEC Launch
FTD Management Selection:
Features FMC FDM cloud-delivered FMC/CDO
Type of manager On premise and multi-device On-box local device Cloud, multi-device, multi-platform
NGFW, NGIPS (in cdFMC)

Type of Device NGFW, NGIPS NGFW
ASA, Meraki, AWS VPC (in CDO)
Deployment Mode High Availability, Clustering, Multi-Instance High Availability High Availability, Multi-instance, Cluster
Network Discovery, Application and user Application and user visibility, Host profiles
Contextual Visibility visibility, Host profiles, Dynamic Objects
Application and user visibility
generated by Analytics from SAL
Prefilter Rules, SI, Identity Policy, Granular IPS TLS1.3 Server Identity Discovery, Prefilter Rules, SI, Identity Policy, Granular IPS
and Malware Policies, URL, Application SI, Identity Policy, Granular IPS and and Malware Policies, URL and Application
Access Controls Filtering, L2-L7 rules, Dynamic Objects, Malware Policies, URL and Filtering, L2-L7 rules, Dynamic Objects,
Encrypted Flow Visibility, QUIC detection, Application Filtering, L3-L7 rules, Encrypted Flow Visibility, QUIC detection,
TLS1.3 decryption TLS1.3 decryption TLS1.3 decryption
Application Aware Routing, Loopback Application Aware Routing, Loopback Interface,

SD-WAN/Simplified
Interface, DVTI, Link Health Monitoring, DIA, ECMP, Dual ISP DVTI, Link Health Monitoring, DIA, ECMP, Dual
Branch ECMP, Dual ISP, Data interface Management ISP, Data interface for Management
Authenticate and authorize access to Authenticate and authorize access to protected

Zero Trust Access for
protected web-based resources along with Not supported web-based resources along with Full stack
Web Applications Full stack Security Inspection Security Inspection
Talos, 3rd party feeds using CTID, 3rd party Talos, Additional Threat Intelligence through SAL
Threat Intelligence vulnerability databases, MITRE info in Events
Talos
integration, MITRE focused Analytics alerts
Firepower recommendations, Correlation

Wizard based configuration, Rapid Threat Containment, SecureX
Automation Rules, Rapid Threat Containment, CTID,
contextual help, Orchestration automation workflows
SecureX Orchestration automation workflow
Cisco Secure Logging and Analytics SaaS (90-

FMC, Syslog, eStreamer, Cisco Secure FDM, Syslog, Cisco Secure
Eventing and day storage up to 3 years), Syslog, Hybrid
Logging and Analytics OnPrem and SaaS, Logging and Analytics SaaS,
Analytics Logging with on-prem FMC, SecureX, Summary
FMC for dashboard and analytics, SecureX SecureX
Dashboard
Management Features Matrix – ASA
LEGEND
Matured, tested, and verified
Deprecated
Not Supported
Cisco Security Manager Adaptive Security Device Manager Cisco Defense Orchestrator
Features (4.28) (7.20) (Dec 2023)
Management Features
Location and type of manager Off-box Centralized Manager for up to Java Based, Integrated on-box Cloud-Based Manager for ASA, FTD, Meraki,
2500 ASAs (Based on deployment manager for single device. Available AWS VPC and IOS devices. Subscription
scenario), supports TLS1.3 free with every ASA image based on managed device. ASA can be co-
managed with ASDM
Managed Devices Secure Firewall 1000, 2100, 3100, Secure Firewall 1000, 2100, 3100, Secure Firewall 1000, 2100, 3100, 4100,
4100, 4200, 9300, ISA 3000, VMWare, 4100, 4200, 9300, ISA 3000, VMWare, 4200, 9300, ISA 3000, VMWare, KVM, AWS,
KVM, AWS, Azure, Rackspace, Hyper-V, KVM, AWS, Azure, Rackspace, Hyper- Azure, Rackspace, Hyper-V, OCI, GCP,
OCI, GCP, OpenStack, Nutanix, V, OCI, GCP, OpenStack, Nutanix, OpenStack, Nutanix, HyperFlex
HyperFlex HyperFlex
Available Form Factors Client-server application installed on Java based application Cloud based web application
Windows server.
Multi Tenancy ✗ ✗ ✔ ( Also offers a dedicated MSP Portal)
Management Authentication ✔ ✔ SAML 2FA -- Cisco provided (Cisco Secure

Sign-On) or Roll Your Own
Management RBAC (Authorization) ✔ ✔ Super Admin, Admin, Read-Only, Deploy-
Only, Edit-Only, VPN Session Manager role
Management Audit (Accounting) ✔ ✔ ✔
Deployment History ✔ ✗ ✔
Pending Changes ✔ ✔ ✔
Policy Compare ✔ ✗ ✔
Configuration Archive ✔ ✗ ✔
OOB Change Detection ✔ (Configurable, option to discard) ✔ (Not Configurable) ✔ (Configurable, option to discard)
Integration with AWS Guard Duty CLI Only CLI Only CLI Only
Global Search ✗ ✗ ✔
Cisco Security Manager Adaptive Security Device Cisco Defense Orchestrator
Features
(4.28) Manager (7.20) (Dec 2023)
Firewall Operating Mode Features
Stateful Transparent Firewall ✔ ✔ ✔
Stateful Routed Firewall ✔ ✔ ✔
Scalability and High Availability Features

Active/Active Failover ✔ ✔ ✔
Active/Standby Failover ✔ ✔ ✔
Performance Profile ✔ ✗ ✔
Clustering on Virtual form factor ✔ ✔ ✗(Only CLI)
(VMWare and KVM)
Clustering on 3100/4200 ✔ ✔ ✗(Only CLI)
Inter-Chassis and Intra-Chassis ✔ ✔ ✗(Only CLI)
Clustering on 4100/9300
Integrate with Azure and AWS
✔ ✗ ✗(Only CLI)
Gateway LB
Clustering on AWS and Azure ✔ ✗ ✗(Only CLI)
Hardware Specific Features

Fail to wire interfaces ✔ ✔ ✔
ASA & FTD in 9300 (different SMs) (Only ASA) (Only ASA) ✔
Stateful Firewall Features

Initial Setup Wizard Has a Jumpstart Wizard to help with 12 step Startup Wizard for Cloud-native onboarding for FTD - no need
initial configuration Interfaces/NAT/DHCP/etc for on-prem SDC. Useful when mgmt IP is
connectivity for the ASA DHCP assigned and for branches.
Simple Secure Device Connector (SDC)
Interfaces ✔ ✔ ✔
Cisco Security Manager Adaptive Security Device Cisco Defense Orchestrator
Features
(4.28) Manager (7.20) (Dec 2023)
Stateful Firewall Object Features
Object based ACL ✔ ✔ ✔
IP address objects (v4 & v6) ✔ ✔ ✔
Object groups ✔ ✔ ✔
Groups of groups ✔ ✔ ✔
UDP and TCP ports in one object ✔ ✔ ✔
Address ranges ✔ ✔ ✔
Port ranges ✗ ✗ ✗
Object change history ✔ ✗ ✔
Find unused objects ✔ ✗ ✔

IP object based on a host/domain ✔ ✔ ✔
name (FQDN object)
Classic Firewall Features
Access Ctrl rules (IP, port) ✔ ✔ ✔
Integrated routing and Bridging in ✔ ✔ ✔
the same context
TCP State bypass ✔ ✔ ✔
Only packets that belong to ✔ ✔ ✔
established sessions can be
allowed through the firewall
TCP Sequence random. ✔ ✔ ✔
Connection limits and TCP ✔ ✔ ✔
Intercept
Dead Connection Detection ✔ ✔ ✔
Adaptive Security Device Cisco Defense Orchestrator
Features Cisco Security Manager (4.28)
Manager (7.20) (Dec 2023)
Advanced Protocol Inspection Features
SIP ✔ ✔ ✗
FTP ✔ ✔ ✗
DNS ✔ ✔ ✗
DCE-RPC ✔ ✔ ✗
GTP ✔ ✔ ✗
H323 (H225, RAS) ✔ ✔ ✗
ICMP ✔ ✔ ✗
NetBIOS ✔ ✔ ✗
RTSP ✔ ✔ ✗
SCCP ✔ ✔ ✗
RSH ✔ ✔ ✗
ESMTP ✔ ✔ ✗
SQLNET ✔ ✔ ✗
SUNRPC ✔ ✔ ✗
XDMCP ✔ ✔ ✗
TFTP ✔ ✔ ✗
Stateful Firewall Other Features

NAT ✔ ✔ ✔
FQDN based NAT ✔ ✔ ✗
Certificate Trustpoints ✔ ✔ ✔
System Settings ✔ ✔ ✔
Routing ✔ ✔ ✔ (Static Routing only)
Path Monitoring Metrics for PBR ✔ ✔ ✗
egress interface selection (ICMP
and HTTP)
VXLAN ✔ ✔ ✗
Cisco Security Adaptive Security Device Cisco Defense Orchestrator
Features
Manager (4.28) Manager (7.20) (Dec 2023)
VPN -> Site-to-Site Features
IKEv1, IKEv2 ✔ ✔ Allows onboarding of ASAs with S2S
VPN configured. Can be used to
monitor tunnel status. Configuration
allowed only for SASE tunnel to
Umbrella.
Static, Dynamic Peering ✔ ✔ ✔
IPv4, IPv6 Addressing ✔ ✔ ✔
PSK Authentication ✔ ✔ ✔
Certificate Authentication ✔ ✔ ✗ (CLI/ASDM only)
Policy Based VPN ✔ ✔ ✔
Route Based VPN ✔ ✔ ✔
Static and Dynamic VTI ✔ ✔ ✗ (CLI/ASDM only)
Loopback Support ✔ ✔ ✗ (CLI/ASDM only)
Monitoring ✔ ✔ ✔
VPN -> Remote Features

Connection Protocol ✔ ✔ ✔
AnyConnect Client ✔ ✔ ✔
3rd Party Client ✔ ✔ ✗ (CLI/ASDM only)
Dual Stack IPv4/v6 (3rd party and AnyConnect) ✔ ✔ ✗ (CLI/ASDM only)
Authentication Protocol ✔ ✔ ✔
Passwordless Authentication (WebAuthN) ✗ ✔ ✗ (CLI/ASDM only)
Certificate Authentication ✔ ✔ ✔
TLS 1.3 ✔ ✔ ✗ (CLI/ASDM only)
2FA/MFA ✔ ✔ ✔
Authorization Protocol ✔ ✔ ✔
Accounting Protocol ✔ ✔ ✔
DAP/HostScan ✔ ✔ ✗(CLI/ASDM only)
ISE Posture & CoA ✔ ✔ ✗(CLI/ASDM only)
Features
AnyConnect Profile Attributes ✔ ✔ ✔
Monitoring ✔ ✔ ✔(Client Geolocation info and ability
to terminate VPN sessions with VPN
Session Manager)
VPN Load Balancing ✔ ✔ ✗
IPSEC Offload (3100 series) ✔ ✔ ✗
SAML with cert auth ✔ ✔ ✗
Layer 2 - 7 Access Control Filter Features

IP address ✔ ✔ ✔
VLAN ✔ ✔ ✔
User ID / User Group ✔ ✔ ✔
Ports ✔ ✔ ✔
Protocol ✔ ✔ ✔
Objects ✔ ✔ ✔
SGT ✔ ✔ ✔
Trusting Traffic / No inspection ✔ ✔ ✔
Tunnel Policies ✔ ✔ ✔
NGFW Identity Awareness & Control Features

Passive authentication ✔ ✔ ✔
Active Authentication/Captive Portal/Cut ✔ ✔ ✔
Through Proxy and Direct Authentication
Enforce traffic policy by SGT ✔ ✔ ✔
Read SGT from packets ✔ ✔ ✔
Rapid Threat Containment using ISE ✗ ✗ ✗
Features
NGFW Layer 4 - 7 Firewall Functionality Features
Application Control ✗ ✗ ✗
Limit bandwidth by user/application (Rate ✗ ✗ ✗
Limiting)
URL Filtering ✗ ✗ ✗
SSL Decryption in software ✗ ✗ ✗
SSL Decryption in hardware ✗ ✗ ✗
OpenAppID ✗ ✗ ✗
AMP For networks ✗ ✗ ✗
ThreatGRID Dynamic Analysis ✗ ✗ ✗
Threat/Risk Reports ✗ ✗ ✗
Web SafeSearch and YouTube Edu ✗ ✗ ✗
TLS Proxy for Encrypted Voice Inspection ✗ ✗ ✗
Web Cache Services Using WCCP ✔ ✔ ✔
Pre-filter Policy (Tunneled & Fastpath) ✔ ✔ ✔
Firewall Management Automation

Hit Counts ✔ ✔ ✔
Rule Conflict Detection (Redundant & ✔ ✗ ✔
Shadowed)
Object Conflict detection ✗ ✗ ✔
Cisco Security Manager Adaptive Security Cisco Defense
Features
(4.28) Device Manager (7.20) Orchestrator (Dec 2023)
Logging & Analytic Features
Log connections to management console ✔ ✔ ✔
Send syslogs- from the management console ✔ ✔ ✔
Send syslogs - directly from the device ✔ ✔ ✔
Security Analytics and Logging ✔(Event viewer is in CDO with ✔(Event Viewer is in CDO with ✔
Analytics in SWC) Analytics in SWC)
Dashboards ✔ ✔ ✗
Reporting ✔ ✗ ✔
eStreamer ✗ ✗ ✗
CEF ✗ ✗ ✗
NetFlow ✔ ✔ ✔
SecureX Integration ✗ ✗ ✔
Risk Reports/SRA ✗ ✗ ✗
✗(Only UI) ✗ (Only UI) ✔(Email alerts and UI

Notification Service
notifications)
✔ ✔ ✗
Device Health Report
APIs
REST API ✔ ✔ ✔
Workflows (Submitter, Approver, Deployer) ✔ ✗ ✔
Ticket Management System Integration ✔ ✗ ✔
ASA to FTD Migration ✔ ✗ ✔
Management Features Matrix – FTD
LEGEND
Matured, tested, and verified
Deprecated
Not Supported
Firepower Management Firepower Device Manager Cloud-delivered FMC in CDO

Features
Center (7.4.x) (7.4.x) (December 2023)
Management Features
Location and type of manager Web-based, Off-box Centralized Manager for Simple, Web-based, Intuitive, Integrated on- SaaS based Centralized Manager for up to
up to 1000 Sensors (Based on FMC box manager for single device. 1000 Sensors – service upkeep managed
Appliance model). Available free with every FTD image and maintained by Cisco
Co-management with CDO-FDM
management, no co-management with FMC
Managed Devices 5508-X,5516-X, FP1000, FP2100, FP3100, Any ASA, FP1000, FP2100, FP3100, 5508-X,5516-X, FP1000, FP2100,
FP4100, FP4200, FP9300, ISA 3000, FTDv in FP4100 and FP9300, ISA3000, VMWare, Secure Firewall 3100, Secure Firewall
VMWare, KVM, Nutanix, OpenStack, KVM, HyperFlex, Nutanix, GCP, Azure and 4200, FP4100, FP9300, ISA 3000, FTDv
HyperFlex, Azure, AWS, GCP, OCI ( AWS in VMWare, KVM, Azure, AWS, GCP, OCI,
Autoscale supported for GCP,OCI, AWS and Nutanix, OpenStack, HyperFlex
Azure, along with Accelerated Networking in Running version 7.2 and above (Supported
Azure). for devices running 7.0 with 7.0.3)
Available Form Factors FMC1700, FMC 2700, FMC4700 (New) On box on Physical FTDs, FTDv running on Cloud based web application
FMC1600, FMC 2600, FMC4600 VMWare, KVM, AWS, Azure, GCP, OCI,
FMCv2/10/25 (VMware, KVM, AWS, Azure, Nutanix, OpenStack, HyperFlex
GCP, OCI, Nutanix, Hyperflex, Hyper-
V,OpenStack), FMCv300 (VMware, AWS,
Azure, KVM and OCI)
High Availability FMC HA in all hardware models, VMWare, ✗ ✔ (cloud based redundancy)
KVM, Hyper-V, HyperFlex, AWS, Azure, OCI DR across Availability zones, within the
same availability zone, daily snapshot
Multi Tenancy ✔ FMC Domains ✗ ✔( true separate cloud tenants) with a
unified multi-tenant management portal –
Management Authentication Local, AD, Radius, also allows to specify a SAML SSO, Common Access Card (CAC) SAML 2FA -- Cisco provided (Cisco
real name for a user account, SAML SSO with SAML, Local Admin and RADIUS Secure Sign-On) or Your Own SAML idP
Features
Center (7.4.x) (7.4.x) (December 2023)
Management RBAC Granular RBAC provided locally, SAML SSO Available w/ RADIUS and SAML Super Admin, Admin, Read-Only, Edit-Only,
(Authorization) authentication, Roles: Audit Admin, Deploy-Only, VPN Session Manager
Crypto Admin, RO, RW and Admin
Management Audit Audit Logs. Reports in HTML, PDF and CSV ✔ Audit Logs. report can be generated from
(Accounting) formats, syslog server supported these logs in HTML, PDF and CSV formats
Change Management
✔ ✗ ✗
Workflow
✔ Audit Log support ✔ Audit Log support
Routing Policies, FTD Platform Settings, VPN, Routing Policies, FTD Platform Settings, VPN,
Deployment History DHCP, DDNS, Pre-Filter Policies, QoS ✔ DHCP, DDNS, Pre-Filter Policies, QoS
Policies, Objects (Network, Port, URL, VLAN Policies, Objects (Network, Port, URL, VLAN
Tag Tag
- High level indication in Deploy Policies - High level indication in Deploy Policies
- Audit Log support - Audit Log support
Pending Changes Routing Policies, FTD Platform Settings, VPN, ✔ Routing Policies, FTD Platform Settings, VPN,
DHCP, DDNS, Pre-Filter Policies, QoS DHCP, DDNS, Pre-Filter Policies, QoS
Policies, Objects (Network, Port, URL, VLAN) Policies, Objects (Network, Port, URL, VLAN)
- Available for DNS, File, Health, Identity, - Available for DNS, File, Health, Identity,
Intrusion, Network Analysis, SSL policies Intrusion, Network Analysis, SSL policies
- Audit Log support - Audit Log support
Policy Compare ✔
Routing Policies, FTD Platform Settings, VPN, Routing Policies, FTD Platform Settings, VPN,
DHCP, DDNS, Pre-Filter Policies, QoS DHCP, DDNS, Pre-Filter Policies, QoS
Policies, Objects (Network, Port, URL, VLAN) Policies, Objects (Network, Port, URL, VLAN)
Configuration Archive ✔ ✔ ✔
Bulk Edit ✔ ✗ ✔
Advanced Search ✔ ✗ ✔
Object-group rule optimization ✔ ✔ ✔
Interface Object Optimization ✔( Native and MI ) ✗ ✔( Native and MI)

Time Based Rules ✔ ✔(API ) ✔
Selective Deployment ✔ ✗ ✔
Config Rollback ✔ ✗(You can discard undeployed changes) ✔
Move Rules within Policy ✔ ✔ ✔
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Move Rules across Policies ✔ ✗ ✔
✔(You can create category and club rules ✔(You can create category and club rules under
Rule Sets (set of rules shared
under them but they can’t be shared across ✗ them but they can’t be shared across policies)
by multiple FTDs) policies)
Remote Branch Deployment
(Using Data interface for ✔(Standalone and HA) ✔ ✔(Standalone and HA)
Management)
Upgrade Package
✔ ✗ (On box single device manager) ✗
Management
Bulk Upgrade ✔ ✗ (On box single device manager) ✔
Revert Upgrade ✔(Major and Maintenance upgrades) ✔(Major and Maintenance upgrades)
Notification Service ✔(Only UI) ✔(Only UI) ✔(UI, Email and Webhooks)
New and Suggested Release

✔(Only UI) ✗ ✗
Notification
Firewall Operating Mode Features

Stateful Transparent firewall ✔ ✗ ✔
Stateful Routed firewall ✔ ✔ ✔
Multi-Instance (3100, 4100, ✔ ✗ ✔
9300)
Scalability and High Availability Features

Active/Standby Failover ✔ ✔ ✔
Clustering on Virtual form ✔ ✗ ✔
factor (Azure, GCP, AWS,
VMWare and KVM)
Intra-Chassis and Inter- ✔ ✗ ✔
Chassis Clustering on
Firepower Appliance (9300)
Inter-Chassis Clustering on ✔ ✗ ✔
3100/4200
Multi-Instance Clustering ✔ ✗ ✔
(4100/9300)
Integrate with AWS GWLB ✔ ✗ ✔
Integrate with Azure Gateway
✔ ✔
Load Balancers
NGFW Advanced Inspection Features

Snort - best in class IPS ✔ ✔ ✔
Snort3 ✔ ✔ ✔
Encrypted Traffic Visibility ✔ ✗ ✔
Normalization and inspection of ✔ ✔ ✔

traffic up to application layer for anti-
evasion
Custom IPS Rules ✔ ✔ ✔
Elephant Flow Visibility and Mitigation ✔ ✔ ✔
FQDN based Security intelligence ✔ ✔ ✔

feeds
DNS Inspection and sink holing ✔ ✗ ✔
DNS reputation based filtering ✔ ✔ ✔
File Archive support (zip, rar..) ✔ ✔ ✔
File pre-classification and local ✔ ✔ ✔

malware inspection
IoC Update Feed ✔ ✗ ✔
Trusted DNS Servers ✔ ✗ ✔
Wildcard Masks ✔ ✗ ✔
Detect HTTP/3 and SMB over QUIC ✔ ✗ ✔
Sensitive Data Masking ✔ ✗ ✔
First packet App Detection ✔ ✗ ✔
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Hardware Specific Features
Flow Offload on 9300 and 4100 ✔ ✔ ✔
Fail to wire interfaces ✔ ✔ (Inline sets not supported) ✔
ASA & FTD in 9300 (different SMs) (Only FTD) (Only FTD) (Only FTD)
L2 switchports and PoE in 1010 ✔ ✔ ✔
Stateful Firewall Features

Initial Setup Wizard Improved initial setup experience: 3 step Easy Setup Wizard: Cloud-native onboarding for FTD
- Default boot protocol set to DHCP - Outside/DHCP/NTP connectivity for using registration key.
(Support for Non-DHCP the FTD
environments) - Create default for NAT and Routing Low touch Provisioning upon device
- UI or CLI based configuration (3 in the background. bootup using device S/N
steps) - Creates default deny ACL Rule
- Change password - Has a Live topology display that
- Accept EULA changes color as it progresses
- Configure Network
Bootstrap CLI for remote
management on data interface
Interfaces ✔ Except Redundant, Inline interfaces ✔
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Stateful Firewall Object Features
✔ ✔ ✔
Object based access control policy
✔ ✔ ✔
IP address objects (v4 & V6)
✔ ✔ ✔
Object groups
✔ ✔ ✔
Groups of groups
✔ ✔ ✔
UDP and TCP ports in one object
✔ ✔ ✔
Address ranges
✔ ✔ ✔
Port ranges
✔ ✔ ✔
Object change history
✔ ✗ ✔
Find unused objects
IP object based on a host/domain ✔ ✔ ✔
name (FQDN object)
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Object Support
IPv4 Private-Use - All RFC1918 ✔ ✔ ✔
IPv4 Private-Use - 10/8 ✔ ✔ ✔
IPv4 Private-Use - 172.16/12 ✔ ✔ ✔
IPv4 Private-Use - 192.168/16 ✔ ✔ ✔
IPv6 Private-Use - Unique Local ✔ ✔ ✔

Addresses
IPv4 Link-Local ✔ ✔ ✔
IPv6 Link-Local ✔ ✔ ✔
IPv4 Multicast ✔ ✔ ✔
IPv6 to IPv4 Relay Anycast ✔ ✔ ✔
IPv4 Benchmark Tests ✔ ✔ ✔
IPv6 - IPv4 Mapped ✔ ✔ ✔
any ipv4 ✔ ✔ ✔
any ipv6 ✔ ✔ ✔
any both (our keyword any) ✔ ✔ ✔
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Layer 3 and 4 Capabilities
Acc. ctrl rules (IP, port) ✔ ✔ ✔
Integrated routing and Bridging in the ✔ ✔ ✔

same context
TCP State bypass ✔ Flexconfig ✔
Only packets belonging to ✔ Flexconfig ✔

established sessions allowed
TCP Sequence randomization ✔ Flexconfig ✔
Connection limits and TCP Intercept ✔ Flexconfig ✔
Dead Connection Detection Flexconfig Flexconfig Flexconfig
NAT Firepower NAT also included ✔ Firepower NAT also included
FQDN based NAT ✔ ✔ ✔
OSPF, EIGRP, BGP, RIP, Multicast, Static, Static and Route Tracking(SLA) on UI OSPF, EIGRP, BGP, RIP, Multicast, Static,
Route Tracking(SLA) - Supported on UI OSPF, BGP and respective route object – Route Tracking(SLA) - Supported on UI
PBR, ISIS, BFD, ECMP SmartCLI PBR, ISIS, BFD, ECMP
Only API for static route, VRF, Application Global EIGRP – FDM UI Only API for static route, VRF, Application
Routing
based Routing (DIA) Multicast, Interface EIGRP , PBR - based Routing (DIA)
FlexConfig
APIs available for Static Route, OSPF,
BGP and generic Flexconfig, VRF, ECMP
Layer 2 - 7 Access Control
Filter Features
Zone (a logical group of physical or ✔ ✔ ✔
virtual interfaces)
IP address ✔ ✔ ✔
Geolocation ✔ ✔ ✔
VLAN ✔ ✔ ✔
User ID / User Group ✔ ✔ ✔
VDI user identity ✔ ✗ ✔
AppID ✔ ✔ ✔
Ports ✔ ✔ ✔
Protocol ✔ ✔ ✔
URL ✔ ✔ ✔
Objects ✔ ✔ ✔
SGT ✔ ✔ ✔
Device type (ISE) ✔ ✔ ✔
Location IP (ISE) ✔ ✔ ✔
Trusting Traffic / No inspection ✔ ✔ ✔
Tunnel Policies ✗ ✗ ✗
X-Forwarded-For policy ✔ ✗ ✔
Advanced Access Control

Features
Network Discovery ✔ ✗ ✗
Application Discovery ✔ ✗ ✗
User Discovery ✔ ✗ ✗
Indicators Of Compromise, Impact ✔ ✗ ✗

Analysis, Firepower recommendation,
etc.
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Advanced Protocol Inspection Features
SIP ✔ Flexconfig ✔
FTP ✔ Flexconfig ✔
DNS ✔ Flexconfig ✔
DCE-RPC ✔ Flexconfig ✔
5G (GTP,M3UA,Diameter, SCTP) ✔(requires Carrier License) ✗ ✔(requires Carrier License)
H323 (H225, RAS) ✔ Flexconfig ✔
ICMP ✔ Flexconfig ✔
NetBIOS ✔ Flexconfig ✔
RTSP ✔ Flexconfig ✔
SCCP ✔ Flexconfig ✔
RSH ✔ Flexconfig ✔
ESMTP ✔ Flexconfig ✔
SQLNET ✔ Flexconfig ✔
SUNRPC ✔ Flexconfig ✔
XDMCP ✔ Flexconfig ✔
TFTP ✔ Flexconfig ✔
Features
Center (7.4.x) (7.4.x) (Dec 2023)
VPN -> Site-to-Site Features
IKEv1, IKEv2 ✔ ✔ ✔
Static, Dynamic Peering ✔ ✔ ✔
IPv4, IPv6 Addressing ✔ ✔ ✔
PSK Authentication ✔ ✔ ✔
Certificate Authentication ✔ ✔ ✔
Policy Based VPN (Crypto Map) ✔ ✔ ✔
Route Based VPN (VTI) ✔ ✔ ✔
Static, Dynamic and Backup VTI ✔ ✔
Loopback Interface ✔ ✗ ✔
Monitoring ✔ ✗ ✔
Dynamic RRI ✔ ✗ (Only FTD API) ✔
Umbrella SIG Auto-Tunnel ✔ ✗ ✔
Features
Center (7.4.x) (7.4.x) (Dec 2023)
VPN -> Remote Features
Connection Protocol TLSv1.2, TLSv1.3, IKEv2, DTLS TLSv1.2, IKEv2, DTLS TLSv1.2, TLSv1.3, IKEv2, DTLS
AnyConnect Client ✔ ✔ ✔
Clientless VPN ✗ ✗ ✗
3rd Party Client ✗ ✗ ✗
Authentication Protocol RADIUS, LDAP, Local, SAML RADIUS, LDAP, Local, SAML RADIUS, LDAP, Local, SAML
Passwordless Authentication ✔ ✔ ✔
(WebAuthN)
Certificate Authentication ✔ (Multi Cert too) ✔ ✔ (Multi Cert too)
2FA/MFA ✔ ✔ ✔
Authorization Protocol RADIUS, LDAP, SAML, SAML & RADIUS, LDAP RADIUS, LDAP, SAML, SAML &
Certificate Certificate
Accounting Protocol RADIUS RADIUS RADIUS
DAP/HostScan ✔ ✗ (FTD API) ✔
ISE Posture & CoA ✔ ✔ ✔
AnyConnect Profile Attributes ✔ Flexconfig ✔
AnyConnect Management Tunnel ✔ ✗ ✔
AnyConnect Modules ✔ ✗ (FTD API) ✔
AnyConnect Custom Attributes ✔ ✗ ✔
Monitoring ✔(Additional Client Geolocation info and ✔ ✔(Additional Client Geolocation info and
ability to terminate VPN sessions) ability to terminate VPN sessions)
VPN Load Balancing ✔ ✗ ✔
IPSEC Offload (3100 and 4200 ✔ ✔(FlexConfig CLI) ✔

series)
SAML with cert auth ✔ ✔ ✔
Firepower Management Firepower Device Cloud-delivered FMC in
Features
Center (7.4.x) Manager (7.4.x) (Dec 2023)
NGFW Identity Awareness & Control Features
Passive authentication ✔ ✔ ✔
Azure AD as Identity Source ✔ ✗ ✔
Active Authentication/Captive Portal/Cut ✔ ✔ ✗

Through Proxy and Direct
Authentication
Captive Portal Support for Multiple AD ✔ ✗ ✗
realms
Control over sharing captive portal ✔ ✗ ✔
authentication sessions across Firewalls
Enforce traffic policy by SGT ✔ ✔ ✔
Read SGT from packets ✔ ✔ ✔
Rapid Threat Containment using ISE ✔ ✗ ✔
Device Level Subnet Filtering ✔ (CLI command ) ✗ ✔ (CLI command )
AD Realm Sequence ✔ ✔ ✔
PxGrid 2.0 support ✔ ✔ ✔
Dynamic Object and CSDAC (AWS, ✔Supports TXT based feeds ✗ ✔(CSDAC option within CDO)
Azure, Azure Tags, GCP, Github, O365, additionally
vCenter, Webex and Zoom)
Workload Policy Integration ✔ ✗ ✔
Cross Domain for AD domains ✔ ✗ ✔
Source Fire User Agent Deprecated starting 6.7 Deprecated starting 6.7 Deprecated starting 6.7
Features
Center (7.4.x) (7.4.x) (Dec 2023)
SD-WAN
Low Touch Provisioning ✔ ✗ ✔
Direct Internet Access ✔ ✗ ✔
Application based Routing ✔ ✗ ✔
SGT and User-identity based routing ✔ ✗ ✔
Link Monitoring for path selection ✔ ✗ ✔

(ICMP and HTTP)
Scale (ECMP, Loopback Interface) ✔ ✗ ✔
Remote Management (Dual ISP, Data ✔ ✗ ✔

interface, HA)
SD-WAN Dashboard ✔ ✗ ✗
SASE: Auto Tunnel with Umbrella ✔ ✗ ✔
Hub and Spoke( dVTI) ✔ ✗ ✔
Zero Trust Access for Web Applications

Dashboard ✔ ✗ ✗
Per Application Policy ✔ ✗ ✔
Application Groups ✔ ✗ ✔
SSL Decryption ✔ ✗ ✔
IPS and Malware Inspection ✔ ✗ ✔
SAML Authentication and ✔ ✗ ✔

Authorization
Diagnostics Tool ✔ ✗ ✗
NGFW Layer 4 - 7 Firewall Functionality Features
Application Control ✔ ✔ ✔
Limit bandwidth by user/application ✔ Flexconfig ✔
(Rate Limiting)
URL Filtering ✔ ✔ ✔
SSL Decryption in software ✔ (TLS 1.3 Server Identity Discovery ✔ (TLS 1.3 Server Identity ✔
and Encrypted Traffic Visibility well ) Discovery as well )
SSL Decryption in hardware ✔ ✔ ✔
TLS 1.3 Decryption ✔ ✔ ✔
OpenAppID ✔ ✔ ✔
AMP For networks ✔ ✔ ✔
ThreatGRID Dynamic Analysis ✔ ✗ ✔
Threat/Risk Reports ✔ ✗ ✗
Web SafeSearch and YouTube Edu ✔ ✔ ✔
TLS Proxy for Encrypted Voice ✗ ✗ ✗
Inspection
Web Cache Services Using WCCP Flexconfig Flexconfig Flexconfig
Pre-filter Policy (Tunneled & Fastpath) ✔ ✗ ✔
Firewall management automation

Hit Counts ✔ ✔ ✔
Rule Conflict Detection (Redundant & ✔ ✗ ✔
Shadowed)
Object Conflict detection ✗ ✔ ✗
Access control rule conflict analysis ✔ ✗ ✔
Features
Center (7.4.x) (7.4.x) CDO (Dec 2023)
Logging and Analytics features
Log connections to management ✔ ✔ ✔
console
Unified Event Viewer ✔ ✗ ✔ (supports Background Searches)
Send syslogs- from the management ✔ ✔ ✗
console
Send syslogs - directly from the ✔ ✔ ✔
device
Security Analytics and Logging ✔ (On Prem and Cloud) ✔ (Cloud) ✔ (Cloud)
Dashboards ✔ ✔ Dashboards available for:
- Predefined and Customizable - Multiple predefined dashboards for Top Applications
dashboard and widgets for network health, network and threat Top Attackers
and threat Top Destinations
- Limited Device health Top Targets
Top Threats
Reporting ✔ including ✗ ✔(High Level Security Report
- Provides templates for reports. available)
- Reports can be exported etc.
- Report Designer can convert
Dashboard to Reports
eStreamer ✔ ✗ ✗
IBM with QRadar ✔ ✗ ✗
CEF ✗ ✗ ✗
NetFlow ✔ Flexconfig ✔
SecureX Integration ✔ ✔ (No Ribbon or cross launch) ✔
Risk Reports/SRA ✔ ✗ ✗
Health Monitoring Functionality

Customizable Dashboard and Widgets ✔ ✔ ✔ (For FTDs)
OpenConfig Telemetry Stream ✔ ✗ ✔
Chassis Health Alerts for 4100/9300 ✔ ✗ ✗
Features
Center (7.4.x) (7.4.x) CDO (Dec 2023)
APIs
REST API ✔ FTD APIs available for all FDM ✔ (Uses CDO API Token)
Host Input API ✔ ✗ ✔
Remediation API ✔ ✗ ✔
Database Access API ✔ ✗ ✔
Estreamer API ✔ ✗ ✗
Workflows (Submitter, Approver, ✗ ✗ ✗
Deployer)
Ticket Management System ✗ ✗ ✗
Integration
ASA to FTD Migration ✔ Use CDO Tool ✔
Public Cloud Secure Firewall
Azure Native vs. Cisco Secure Firewall
LEGEND
Supported (Yes)
Partial
Not supported (No)
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Azure Firewall
Features Azure Azure Azure Azure Premium
Site to Site VPN
IPSec / Site to Site Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
VPN - Hub & Spoke VIrtual Network VIrtual Network Gateway
Gateway (VNG) (VNG)
IPSec / Site to Site Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
VPN - 3rd party / VIrtual Network VIrtual Network Gateway
Extranet Gateway (VNG) (VNG)
PKI support Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
VIrtual Network VIrtual Network Gateway
Gateway (VNG) (VNG)
VTI support Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
Gateway (VNG) (VNG)
IKEv2 support Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
Gateway (VNG) (VNG)
Azure Firewall
RA VPN
Clientless-SSL VPN No No Yes Yes No
Anyconnect or Client Yes Yes Yes Yes No
VPN
SAML Yes Yes Yes Yes No
MFA-RSA SDI Yes Yes Yes Yes No
MFA-Duo Yes Yes Yes Yes No
Local Auth Yes Yes Yes Yes Yes
RADIUS Yes Yes Yes Yes No
TACACS No No Yes Yes No
Dynamic Access Yes Yes Yes Yes No
Policy
Azure Firewall
General
Enterprise FW Yes Yes Yes Yes Yes
App Visibility & Control Yes Yes Cisco ASA can Cisco ASA can Azure Firewall only Azure Firewall only
use FQDN (all use FQDN (all uses FQDN filtering uses FQDN filtering
traffic), ports and traffic), ports and rules ( outbound HTTP rules ( outbound HTTP
protocols. protocols. only), ports and only), ports and
protrocols for filtering protrocols for filtering
Geolocation Yes Yes No No No
SSL Decryption No No No TLS configuration is
primitive in the Azure
Premium FIrewall. One
CA, and no rules to
determine which traffic
to dercypt, pass-
through or drop. Also, it
only supports East-
West and Outbound.
North-South is
supported by the Azure
Application Gateway,
but this is only HTTPS.
Known key Yes Yes No No No No
Resign Yes Yes No No No Yes
NGIPS / NGIDS Yes Yes No No Yes
Snort 3 Yes Yes No No No No
DDoS No No No No Azure offers Azure Azure offers Azure
DDoS. DDoS.
URL/Web Filtering Yes Yes No No No Yes
Web Proxy Integration No No No No No No
Advance Malware Yes Yes No No No No
Protection and Breach
Detection
Azure Firewall
Continuous Analysis & Yes Yes No No No No
Retrospective
Detection
Malware Remediation Yes Yes No No No No
Integrated Sandboxing Yes Yes No No No No
Contextual Awareness Yes Yes No No No No
(who, what, when,
where, why, How)
User Awareness Yes Yes Yes Yes No
Security Automation & Yes Yes No No Yes Yes
Adaptive Threat
Management
IoCs Yes Yes No No No No
Network Awareness Yes Yes No No No No
Endpoint Awareness Yes Yes No No No No
Network File Yes Yes No No No No
Trajectory
Impact Assesment Yes Yes No No No No
DNS Based Policy & Yes Yes No No No No
Sinkholing
Encrypted Traffic Yes Yes Yes Yes No No
Analytics
Dynamic Objects Yes Yes No No FQDNs and Service FQDNs and Service
Tags only Tags only
Azure Firewall
Threat Intelligence
System Feed (Talos or Yes Yes No No Yes Yes
eq)
3rd party - system Yes Yes No No No No
feed
3rd party feeds Yes Yes No No Azure Sentinel is a Taxii Azure Sentinel is a Taxii
/Threat Intelligence client client
Director / Integrations
Automated Yes Yes No No Yes Yes
Intelligence feeds
Operational Capabilities
Software Defined Yes Yes Yes Yes Yes
Segmentation
Automatic Threat Yes Yes No No Azure triggers can take Azure triggers can take
Containment automated action automated action
Syslog & Event Data Export
Local / Built into Yes Yes Yes Yes Yes Yes
management
Syslog Yes Yes Yes Yes Yes Yes
Reporting Dashboards Yes Yes Yes Yes Yes Yes
SIEM Yes Yes Yes Yes Yes
SOAR Yes Yes Yes Yes Yes
Cisco Threat Yes Yes No No No No
Response
SecureX Yes Yes No No No No
Remediation API Yes Yes No No No No
Host API Yes Yes No No No No
Azure Firewall
NetOps Features
High Availability Yes Yes
Clustering Yes Yes Yes No No No
Auto-scale out Yes Yes Yes Yes Yes Yes
Routed Yes Yes Yes Yes Yes Yes
Transparent No No No No No No
WCCP No No No No No No
Static and Policy Yes Yes Yes Yes Yes Yes
Based Routing
OSPF No No
BGP Yes Yes Yes Yes Yes Yes
RIP No
EIGRP No
IS-IS No
Multicast No No No No No
NAT/PAT Yes Yes Yes Yes Only Outbound SNAT & Only Outbound SNAT &
Inbound DNAT. DNAT Inbound DNAT. DNAT
not supported in Spoke not supported in Spoke
to Spoke environments. to Spoke environments.
Platform Exchange Yes Yes No No No No
Grid (pxGrid)
Device APIs Yes Yes Yes Yes Yes Yes
AAA for Management
TACACS No No Yes Yes No No
Radius Yes Yes Yes Yes No No
SAML Yes Yes Yes Yes No No
MFA-RSA SDI No No
MFA-Duo Yes Yes Yes Yes No No
Local Auth Yes Yes Yes Yes Yes Yes
RBAC Yes Yes Yes Yes Yes Yes
FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Azure Firewall
Security Features
Azure Azure Azure Azure Firewall Premium
Management Platform
On-box Yes Yes Yes Yes Not applicable Not applicable
Cloud delivered Yes Yes Yes Yes Yes Yes
Centralized Yes Yes Yes Yes Yes Yes
Single Sign On (SSO) Yes Yes Yes Yes Yes Yes
Upgrade Yes Yes Yes Yes Not applicable Not applicable

Backup/Restore Yes Yes Yes Yes Yes Yes
Health Policy and Yes Yes Yes Yes Yes Yes
Monitoring
Policy Inheritance Yes Yes Yes Yes No No
Audit Yes Yes Yes Yes Yes Yes
Change Control Yes Yes Yes Yes Yes Yes
Multi-domain Yes Yes Yes Yes No No
management
Azure Application Yes Yes No No Yes Yes
Insights
FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Security Features Azure Firewall
Azure Azure Azure Azure Premium
Management Platform
Enterprise Firewall Included Included Included Included Free to use. Free to use.
Deployment and Deployment and Data
Data processing cost processing cost
Application Visibility Included Included NA NA Free to use. Free to use.
Deployment and Deployment and Data
IPS BYOL | Smart BYOL | Smart NA NA Not applicable Not applicable
Licensing Licensing
Malware Remediation BYOL | Smart BYOL | Smart NA NA Not applicable Not applicable
Licensing Licensing
Malware Sandboxing BYOL | Smart BYOL | Smart NA NA Not applicable Not applicable
Licensing Licensing
URL Filtering BYOL | Smart BYOL | Smart NA NA Free to use. Free to use.
Licensing Licensing Deployment and Deployment and Data
Management Cloud BYOL | Smart BYOL | Smart BYOL | Smart BYOL | Smart Additional Service to Additional Service to
Delivered Licensing Licensing Licensing Licensing install. Free to use. install. Free to use.
(Cisco Defense (Cisco Defense (Cisco Defense ((Cisco Defense Deployment and Deployment and Data
Orchestrator is Orchestrator is Orchestrator is Orchestrator is Data processing cost processing cost
supported but CDO supported but CDO supported but CDO supported but CDO
licensing is separate) licensing is separate) licensing is separate) licensing is separate)
Management BYOL | Smart BYOL | Smart BYOL | Smart BYOL | Smart Additional Service to Additional Service to
Centralized Licensing Licensing Licensing Licensing install. Free to use. install. Free to use.
(Firepower (Firepower (CSM is supported (CSM is supported Deployment and Deployment and Data
Management Center Management Center but CSM licensing is but CSM licensing is Data processing cost processing cost
is supported but FMC is supported but separate) separate)
licensing is separate) FMC licensing is
separate)
Management On-box Included (FDM) Included (FDM) Included (ASDM) Included (ASDM) Included Included
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Azure Firewall
Features Azure Azure Azure Azure Firewall Premium
Deployment
Total # of NICs Up to 8 Up to 8 Up to 8 Up to 8 Not applicable Not applicable
Azure Instances Standard_D3, Standard_D3, Standard_D3, Standard_D3, Not applicable Not applicable
Standard_D3_v2, Standard_D3_v2, Standard_D4, Standard_D4,
Standard_D4_v2, Standard_D4_v2, Standard_D5. Standard_D5.
Standard_D5_v2 Standard_D5_v2 Standard_D3_v2, Standard_D3_v2,
Standard_D8s_v3 Standard_D8s_v3 Standard_D4_v2, Standard_D4_v2,
Standard_D16s_v3 Standard_D16s_v3 Standard_D5_v2, Standard_D5_v2,
Standard_F8s_v2 Standard_F8s_v2 Standard_D8_v3, Standard_D8_v3,
Standard_F16s_v2 Standard_F16s_v2 Standard_DS3, Standard_DS3,
Standard_DS4, Standard_DS4,
Standard_DS5, Standard_DS5,
Standard_DS3_v2, Standard_DS3_v2,
Standard_DS4_v2, Standard_DS4_v2,
Standard_DS5_v2 Standard_DS5_v2
Standard_F4, Standard_F4,
Standard_F4s, Standard_F4s,
Standard_F8s, Standard_F8s,
Standarf_F16s Standarf_F16s
Standard_D8s_v3 Standard_D8s_v3
Standard_D16s_v3 Standard_D16s_v3
Standard_F8s_v2 Standard_F8s_v2
Standard_F16s_v2 Standard_F16s_v2
Azure Security Yes Yes Yes Yes Yes Yes
Center
Azure Government Yes Yes Yes Yes Yes Yes
Cloud
Custom Image Yes Yes No No Yes Yes

Snapshot
Google Cloud vs. Cisco Secure Firewall
LEGEND
Supported (Yes)
Partial
Not supported (No)
Security Features FTD 7.4 in Google Cloud ASA 9.20 in Google Cloud Google Cloud Firewall
Site to Site VPN

IPSec / Site to Site VPN - Hub & Yes Yes Using VPN
Spoke
IPSec / Site to Site VPN - 3rd party Yes Yes Using VPN
/ Extranet
PKI support Yes Yes Using VPN
VTI support Yes Yes Using VPN
IKEv2 support Yes Yes Using VPN
RA VPN
Clientless-SSL VPN No Yes No
Anyconnect or Client VPN Yes Yes No
SAML Yes Yes No
MFA-RSA SDI Yes Yes No
MFA-Duo Yes Yes No
Local Auth Yes Yes Yes
RADIUS Yes Yes No
TACACS No Yes No
Dynamic Access Policy Yes Yes
Enterprise FW Yes Yes Yes
App Visibility & Control Yes
Geolocation Yes No No
SSL Decryption Yes No
Known key Yes No No
Resign Yes No No
NGIPS / NGIDS Yes No No
Snort 3 Yes No No
DDoS No No
URL/Web Filtering Yes No
Web Proxy Integration No No No
Advance Malware Protection and Yes No No
Breach Detection
Continuous Analysis & Retrospective Yes No No
Detection
Malware Remediation Yes No No
Integrated Sandboxing Yes No No
Contextual Awareness (who, what, Yes No No
when, where, why, How)
User Awareness Yes Yes No
Security Automation & Adaptive Yes No Yes
Threat Management
IoCs Yes No No
Network Awareness Yes No No
Endpoint Awareness Yes No No
Network File Trajectory Yes No No
Impact Assesment Yes No No
DNS Based Policy & Sinkholing Yes No
Encrypted Traffic Analytics Yes Yes
Threat Intelligence
System Feed (Talos or eq) Yes No Yes
3rd party - system feed Yes No No
3rd party feeds /Threat Intelligence Yes No

Automated Intelligence feeds Yes No
Software Defined Segmentation No No Yes
Automatic Threat Containment Yes No

Local / Built into management Yes Yes Yes
Syslog Yes Yes Yes
Reporting Dashboards Yes Yes Yes
SIEM Yes Yes Yes
SOAR Yes - Based on Vendor support ** Yes - Based on Vendor support ** Yes
Cisco Threat Response Yes No No
SecureX Yes No No
Remediation API Yes No No
Host API Yes No No
NetOps Features
High Availability Yes
Clustering Yes No
Auto-scale out Yes Yes
Routed Yes Yes Yes
Transparent No No No
WCCP – On -USECASE No No No
Static and Policy Based Routing Yes Yes Yes
OSPF No
BGP Yes – Anything with Unicast Yes Yes
RIP No
EIGRP No
IS-IS No
Multicast No No No
NAT/PAT Yes Yes
Platform Exchange Grid (pxGrid) No No
Device APIs Yes Yes Yes
AAA for Management

TACACS No Yes No
Radius Yes Yes No
SAML Yes Yes No
MFA-RSA SDI No
MFA-Duo Yes Yes No
RBAC Yes No Yes
Management Platform
On-box Yes Yes NA
Cloud delivered Yes Yes Yes
Centralized Yes Yes Yes
Single Sign On (SSO) Yes Yes (CDO) Yes
Upgrade Yes Yes NA
Backup/Restore Yes Yes Yes
Health Policy and Monitoring Yes Yes Yes
Policy Inheritance Yes Yes No
Audit Yes Yes Yes
Change Control Yes Yes Yes
Multi-domain management Yes -Through FMC No No
Free to use. Deployment and Data
Enterprise Firewall Included Included
processing cost
Application Visibility Included NA
processing cost
IPS BYOL | Smart Licensing NA NA
Malware Remediation BYOL | Smart Licensing NA NA
Malware Sandboxing BYOL | Smart Licensing NA NA
URL Filtering BYOL | Smart Licensing NA
processing cost
BYOL | Smart Licensing
Additional Service to install. Free to
(Cisco Defense Orchestrator is
Management Cloud Delivered Yes use. Deployment and Data
supported but CDO licensing is
processing cost
separate)
BYOL | Smart Licensing BYOL | Smart Licensing
(Firepower Management Center is (CSM is supported but CSM licensing
Management Centralized use. Deployment and Data
supported but FMC licensing is is separate)
processing cost
separate)
Management On-box Included Included Included
Deployment
Total # of NICs Based on Instance (Datasheet) Based on Instance (Datasheet) NA
FTDv GCP N2-Standard-4 ASAv GCP N2-Standard-4
FTDv GCP C2-Standard-4 ASAv GCP C2-Standard-4
Google Instances NA
FTDv GCP N2-highcpu-16 ASAv GCP N2-highcpu-16
FTDv GCP N2-highmem-16 ASAv GCP N2-highmem-16
Autoscale Yes No NA
No
Google Security Centre No Yes
No No
Google Government Cloud Yes
AWS Firewall vs. Cisco Secure Firewall
LEGEND
Supported (Yes)
Partial
Not supported (No)
Security Features FTD 7.4 in AWS ASA 9.20 in AWS AWS Firewall
Site to Site VPN

IPSec / Site to Site VPN - Hub & Yes Yes Using VPN
Spoke
IPSec / Site to Site VPN - 3rd party Yes Yes Using VPN
/ Extranet
PKI support Yes Yes Using VPN
VTI support Yes Yes Using VPN
IKEv2 support Yes Yes Using VPN
RA VPN
Clientless-SSL VPN No Yes No
Anyconnect or Client VPN Yes Yes Yes
SAML Yes Yes Yes
MFA-RSA SDI Yes Yes No
MFA-Duo Yes Yes No
RADIUS Yes Yes No
TACACS No Yes No
Dynamic Access Policy Yes Yes No
Enterprise FW Yes Yes Yes
App Visibility & Control Yes
Geolocation Yes No No
SSL Decryption Yes No
Known key Yes No No
Resign Yes No No
NGIPS / NGIDS Yes No No
Snort 3 Yes No No
DDoS No No
URL/Web Filtering Yes No
Web Proxy Integration No No No
Advance Malware Protection and Yes No No
Breach Detection
Continuous Analysis & Retrospective Yes No No
Detection
Malware Remediation Yes No No
Integrated Sandboxing Yes No No
Contextual Awareness (who, what, Yes No No
when, where, why, How)
User Awareness Yes Yes No
Security Automation & Adaptive Yes No Yes
Threat Management
IoCs Yes No No
Network Awareness Yes No No
Endpoint Awareness Yes No No
Network File Trajectory Yes No No
Impact Assesment Yes No No
DNS Based Policy & Sinkholing Yes No
Encrypted Traffic Analytics Yes Yes
Threat Intelligence
System Feed (Talos or eq) Yes No Yes
3rd party - system feed Yes No No
3rd party feeds /Threat Intelligence Yes No

Automated Intelligence feeds Yes No
Software Defined Segmentation No No Yes
Automatic Threat Containment Yes No

Local / Built into management Yes Yes Yes
Syslog Yes Yes Yes
Reporting Dashboards Yes Yes Yes
SIEM Yes Yes Yes
SOAR Yes - Based on Vendor support ** Yes - Based on Vendor support ** Yes
Cisco Threat Response Yes No No
SecureX Yes No No
Remediation API Yes No No
Host API Yes No No
NetOps Features
High Availability No Yes
Clustering + Integration with GWLB Yes Yes No
Auto-scale out Yes Yes
Routed Yes Yes Yes
Transparent No No No
WCCP – On -USECASE No No No
Static and Policy Based Routing Yes Yes Yes
OSPF Yes Yes No
BGP Yes – Anything with Unicast Yes Yes
RIP Yes Yes No
EIGRP Yes Yes No
IS-IS No
Multicast No No No
NAT/PAT Yes Yes
Platform Exchange Grid (pxGrid) Yes No No
Device APIs Yes Yes Yes
AAA for Management

TACACS No Yes No
Radius Yes Yes No
SAML Yes Yes Yes
MFA-RSA SDI No
MFA-Duo Yes Yes No
RBAC Yes No Yes
Management Platform
On-box Yes Yes Not applicable
Cloud delivered Yes Yes Yes
Centralized Yes Yes Yes
Single Sign On (SSO) Yes Yes (CDO) Yes
Upgrade Yes Yes Not applicable
Backup/Restore Yes Yes Yes
Health Policy and Monitoring Yes Yes Yes
Policy Inheritance Yes Yes No
Audit Yes Yes Yes
Change Control Yes Yes Yes
Multi-domain management Yes -Through FMC No No
Enterprise Firewall Included Included
processing cost
Application Visibility Included NA
processing cost
Basic IPS functions with Suricata
IPS BYOL | Smart Licensing NA
based IPS rules
Malware Remediation BYOL | Smart Licensing NA No
Malware Sandboxing BYOL | Smart Licensing NA No
URL Filtering BYOL | Smart Licensing NA
processing cost
BYOL | Smart Licensing
(Cisco Defense Orchestrator is
Management Cloud Delivered Yes use. Deployment and Data
supported but CDO licensing is
processing cost
separate)
BYOL | Smart Licensing BYOL | Smart Licensing
(Firepower Management Center is (CSM is supported but CSM licensing
Management Centralized use. Deployment and Data
supported but FMC licensing is is separate)
processing cost
separate)
Management On-box Included Included Included
Deployment
Total # of NICs Based on Instance (Datasheet) Based on Instance (Datasheet) NA
AWS Instances AWS Instance Types AWS Instance Types NA
Autoscale Yes Yes NA
AWS Guard Duty Yes No Yes
AWS Government Cloud Yes Yes Yes
Custom Image Snapshot Custom Image Snapshot N/A

Firepower Feature Matrix

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Firepower Feature Matrix

Uploaded by

Copyright:

Available Formats

Doc type / Publish Date

Cisco Partner Confidential / 2.6.2023

Cisco Secure Firewall Feature

Choose ASA for Choose FTD for

Features CSM ASDM Co-Managers CDO

CLI and GUI based configuration for

NGFW, NGIPS (in cdFMC)

Application Aware Routing, Loopback Application Aware Routing, Loopback Interface,

Authenticate and authorize access to Authenticate and authorize access to protected

Firepower recommendations, Correlation

Cisco Secure Logging and Analytics SaaS (90-

Management Authentication ✔ ✔ SAML 2FA -- Cisco provided (Cisco Secure

Stateful Routed Firewall ✔ ✔ ✔

Scalability and High Availability Features

Hardware Specific Features

Stateful Firewall Features

IP address objects (v4 & v6) ✔ ✔ ✔

UDP and TCP ports in one object ✔ ✔ ✔

Object change history ✔ ✗ ✔

Find unused objects ✔ ✗ ✔

H323 (H225, RAS) ✔ ✔ ✗

Stateful Firewall Other Features

FQDN based NAT ✔ ✔ ✗

Routing ✔ ✔ ✔ (Static Routing only)

VPN -> Remote Features

Layer 2 - 7 Access Control Filter Features

NGFW Identity Awareness & Control Features

Firewall Management Automation

✗(Only UI) ✗ (Only UI) ✔(Email alerts and UI

ASA to FTD Migration ✔ ✗ ✔

Firepower Management Firepower Device Manager Cloud-delivered FMC in CDO

Object-group rule optimization ✔ ✔ ✔

Interface Object Optimization ✔( Native and MI ) ✗ ✔( Native and MI)

New and Suggested Release

Firewall Operating Mode Features

Scalability and High Availability Features

NGFW Advanced Inspection Features

Encrypted Traffic Visibility ✔ ✗ ✔

Normalization and inspection of ✔ ✔ ✔

Elephant Flow Visibility and Mitigation ✔ ✔ ✔

FQDN based Security intelligence ✔ ✔ ✔

DNS reputation based filtering ✔ ✔ ✔

File Archive support (zip, rar..) ✔ ✔ ✔

File pre-classification and local ✔ ✔ ✔

Trusted DNS Servers ✔ ✗ ✔

Detect HTTP/3 and SMB over QUIC ✔ ✗ ✔

Sensitive Data Masking ✔ ✗ ✔

First packet App Detection ✔ ✗ ✔

Stateful Firewall Features

Interfaces ✔ Except Redundant, Inline interfaces ✔

IPv4 Private-Use - All RFC1918 ✔ ✔ ✔

IPv4 Private-Use - 10/8 ✔ ✔ ✔

IPv4 Private-Use - 172.16/12 ✔ ✔ ✔

IPv4 Private-Use - 192.168/16 ✔ ✔ ✔

IPv6 Private-Use - Unique Local ✔ ✔ ✔

IPv6 to IPv4 Relay Anycast ✔ ✔ ✔

IPv4 Benchmark Tests ✔ ✔ ✔

IPv6 - IPv4 Mapped ✔ ✔ ✔

any both (our keyword any) ✔ ✔ ✔

Acc. ctrl rules (IP, port) ✔ ✔ ✔

Integrated routing and Bridging in the ✔ ✔ ✔

Only packets belonging to ✔ Flexconfig ✔

Connection limits and TCP Intercept ✔ Flexconfig ✔

Dead Connection Detection Flexconfig Flexconfig Flexconfig