Professional Documents
Culture Documents
Firepower Feature Matrix
Firepower Feature Matrix
22 December 2023
© 2021 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information.
Contents
Introduction 2
Platform Selection: 2
ASA Management Selection: 3
FTD Management Selection: 4
Management Features Matrix – ASA 5
Management Features Matrix – FTD 14
Public Cloud Secure Firewall 31
Azure Native vs. Cisco Secure Firewall 31
Public Cloud Secure Firewall 40
Google Cloud vs. Cisco Secure Firewall 40
Public Cloud Secure Firewall 46
AWS Firewall vs. Cisco Secure Firewall 46
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 1 of 51
Introduction
The purpose of this document is to inform and accelerate our users' decision-making when choosing between Cisco
ASA or FTD platforms and available management options. More information on ASA to FMT migration is available here:
Cisco ASA to FTD using FMT
Platform Selection:
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 2 of 51
ASA Management Selection:
Type of manager On premise and multi-device On-box local device Cloud, multi-device, multi-platform
Firewall
Active/Standby, Active/Active, Active/Standby, Active/Active,
Deployment Active/Standby
Cluster, VPN Load Balancing Cluster, VPN Load Balancing
Modes
Firewall
Rule Optimization, Shared Hit counts and Configuration Object Conflicts, Rule Optimization,
Management
Configuration, Usage reports Wizards Configuration templates, CLI Macros
Automation
Event Viewer and Report Event Viewer manager, Syslog, Event Viewer and Enhanced VPN
manager, Syslog, Netflow to Netflow to external logging monitoring and reporting,
Eventing
external logging servers, SAL servers SAL cloud integration SAL Cloud integration with Cross
cloud integration using SEC using SEC Launch
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 3 of 51
FTD Management Selection:
Features FMC FDM cloud-delivered FMC/CDO
Type of manager On premise and multi-device On-box local device Cloud, multi-device, multi-platform
Deployment Mode High Availability, Clustering, Multi-Instance High Availability High Availability, Multi-instance, Cluster
Network Discovery, Application and user Application and user visibility, Host profiles
Contextual Visibility visibility, Host profiles, Dynamic Objects
Application and user visibility
generated by Analytics from SAL
Prefilter Rules, SI, Identity Policy, Granular IPS TLS1.3 Server Identity Discovery, Prefilter Rules, SI, Identity Policy, Granular IPS
and Malware Policies, URL, Application SI, Identity Policy, Granular IPS and and Malware Policies, URL and Application
Access Controls Filtering, L2-L7 rules, Dynamic Objects, Malware Policies, URL and Filtering, L2-L7 rules, Dynamic Objects,
Encrypted Flow Visibility, QUIC detection, Application Filtering, L3-L7 rules, Encrypted Flow Visibility, QUIC detection,
TLS1.3 decryption TLS1.3 decryption TLS1.3 decryption
Talos, 3rd party feeds using CTID, 3rd party Talos, Additional Threat Intelligence through SAL
Threat Intelligence vulnerability databases, MITRE info in Events
Talos
integration, MITRE focused Analytics alerts
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 4 of 51
Management Features Matrix – ASA
LEGEND
Matured, tested, and verified
Deprecated
Not Supported
Cisco Security Manager Adaptive Security Device Manager Cisco Defense Orchestrator
Features (4.28) (7.20) (Dec 2023)
Management Features
Location and type of manager Off-box Centralized Manager for up to Java Based, Integrated on-box Cloud-Based Manager for ASA, FTD, Meraki,
2500 ASAs (Based on deployment manager for single device. Available AWS VPC and IOS devices. Subscription
scenario), supports TLS1.3 free with every ASA image based on managed device. ASA can be co-
managed with ASDM
Managed Devices Secure Firewall 1000, 2100, 3100, Secure Firewall 1000, 2100, 3100, Secure Firewall 1000, 2100, 3100, 4100,
4100, 4200, 9300, ISA 3000, VMWare, 4100, 4200, 9300, ISA 3000, VMWare, 4200, 9300, ISA 3000, VMWare, KVM, AWS,
KVM, AWS, Azure, Rackspace, Hyper-V, KVM, AWS, Azure, Rackspace, Hyper- Azure, Rackspace, Hyper-V, OCI, GCP,
OCI, GCP, OpenStack, Nutanix, V, OCI, GCP, OpenStack, Nutanix, OpenStack, Nutanix, HyperFlex
HyperFlex HyperFlex
Available Form Factors Client-server application installed on Java based application Cloud based web application
Windows server.
Multi Tenancy ✗ ✗ ✔ ( Also offers a dedicated MSP Portal)
Deployment History ✔ ✗ ✔
Pending Changes ✔ ✔ ✔
Policy Compare ✔ ✗ ✔
Configuration Archive ✔ ✗ ✔
OOB Change Detection ✔ (Configurable, option to discard) ✔ (Not Configurable) ✔ (Configurable, option to discard)
Integration with AWS Guard Duty CLI Only CLI Only CLI Only
Global Search ✗ ✗ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 5 of 51
Cisco Security Manager Adaptive Security Device Cisco Defense Orchestrator
Features
(4.28) Manager (7.20) (Dec 2023)
Firewall Operating Mode Features
Stateful Transparent Firewall ✔ ✔ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 6 of 51
Cisco Security Manager Adaptive Security Device Cisco Defense Orchestrator
Features
(4.28) Manager (7.20) (Dec 2023)
Stateful Firewall Object Features
Object based ACL ✔ ✔ ✔
Object groups ✔ ✔ ✔
Groups of groups ✔ ✔ ✔
Address ranges ✔ ✔ ✔
Port ranges ✗ ✗ ✗
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 7 of 51
Adaptive Security Device Cisco Defense Orchestrator
Features Cisco Security Manager (4.28)
Manager (7.20) (Dec 2023)
Advanced Protocol Inspection Features
SIP ✔ ✔ ✗
FTP ✔ ✔ ✗
DNS ✔ ✔ ✗
DCE-RPC ✔ ✔ ✗
GTP ✔ ✔ ✗
ICMP ✔ ✔ ✗
NetBIOS ✔ ✔ ✗
RTSP ✔ ✔ ✗
SCCP ✔ ✔ ✗
RSH ✔ ✔ ✗
ESMTP ✔ ✔ ✗
SQLNET ✔ ✔ ✗
SUNRPC ✔ ✔ ✗
XDMCP ✔ ✔ ✗
TFTP ✔ ✔ ✗
Certificate Trustpoints ✔ ✔ ✔
System Settings ✔ ✔ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 8 of 51
Path Monitoring Metrics for PBR ✔ ✔ ✗
egress interface selection (ICMP
and HTTP)
VXLAN ✔ ✔ ✗
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 9 of 51
Cisco Security Adaptive Security Device Cisco Defense Orchestrator
Features
Manager (4.28) Manager (7.20) (Dec 2023)
VPN -> Site-to-Site Features
IKEv1, IKEv2 ✔ ✔ Allows onboarding of ASAs with S2S
VPN configured. Can be used to
monitor tunnel status. Configuration
allowed only for SASE tunnel to
Umbrella.
Static, Dynamic Peering ✔ ✔ ✔
IPv4, IPv6 Addressing ✔ ✔ ✔
PSK Authentication ✔ ✔ ✔
Certificate Authentication ✔ ✔ ✗ (CLI/ASDM only)
Policy Based VPN ✔ ✔ ✔
Route Based VPN ✔ ✔ ✔
Static and Dynamic VTI ✔ ✔ ✗ (CLI/ASDM only)
Loopback Support ✔ ✔ ✗ (CLI/ASDM only)
Monitoring ✔ ✔ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 10 of 51
Cisco Security Adaptive Security Device Cisco Defense Orchestrator
Features
Manager (4.28) Manager (7.20) (Dec 2023)
AnyConnect Profile Attributes ✔ ✔ ✔
Monitoring ✔ ✔ ✔(Client Geolocation info and ability
to terminate VPN sessions with VPN
Session Manager)
VPN Load Balancing ✔ ✔ ✗
IPSEC Offload (3100 series) ✔ ✔ ✗
SAML with cert auth ✔ ✔ ✗
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 11 of 51
Cisco Security Adaptive Security Device Cisco Defense Orchestrator
Features
Manager (4.28) Manager (7.20) (Dec 2023)
NGFW Layer 4 - 7 Firewall Functionality Features
Application Control ✗ ✗ ✗
Limit bandwidth by user/application (Rate ✗ ✗ ✗
Limiting)
URL Filtering ✗ ✗ ✗
SSL Decryption in software ✗ ✗ ✗
SSL Decryption in hardware ✗ ✗ ✗
OpenAppID ✗ ✗ ✗
AMP For networks ✗ ✗ ✗
ThreatGRID Dynamic Analysis ✗ ✗ ✗
Threat/Risk Reports ✗ ✗ ✗
Web SafeSearch and YouTube Edu ✗ ✗ ✗
TLS Proxy for Encrypted Voice Inspection ✗ ✗ ✗
Web Cache Services Using WCCP ✔ ✔ ✔
Pre-filter Policy (Tunneled & Fastpath) ✔ ✔ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 12 of 51
Cisco Security Manager Adaptive Security Cisco Defense
Features
(4.28) Device Manager (7.20) Orchestrator (Dec 2023)
Logging & Analytic Features
Log connections to management console ✔ ✔ ✔
Send syslogs- from the management console ✔ ✔ ✔
Send syslogs - directly from the device ✔ ✔ ✔
Security Analytics and Logging ✔(Event viewer is in CDO with ✔(Event Viewer is in CDO with ✔
Analytics in SWC) Analytics in SWC)
Dashboards ✔ ✔ ✗
Reporting ✔ ✗ ✔
eStreamer ✗ ✗ ✗
CEF ✗ ✗ ✗
NetFlow ✔ ✔ ✔
SecureX Integration ✗ ✗ ✔
Risk Reports/SRA ✗ ✗ ✗
APIs
REST API ✔ ✔ ✔
Workflows (Submitter, Approver, Deployer) ✔ ✗ ✔
Ticket Management System Integration ✔ ✗ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 13 of 51
Management Features Matrix – FTD
LEGEND
Matured, tested, and verified
Deprecated
Not Supported
Location and type of manager Web-based, Off-box Centralized Manager for Simple, Web-based, Intuitive, Integrated on- SaaS based Centralized Manager for up to
up to 1000 Sensors (Based on FMC box manager for single device. 1000 Sensors – service upkeep managed
Appliance model). Available free with every FTD image and maintained by Cisco
Co-management with CDO-FDM
management, no co-management with FMC
Managed Devices 5508-X,5516-X, FP1000, FP2100, FP3100, Any ASA, FP1000, FP2100, FP3100, 5508-X,5516-X, FP1000, FP2100,
FP4100, FP4200, FP9300, ISA 3000, FTDv in FP4100 and FP9300, ISA3000, VMWare, Secure Firewall 3100, Secure Firewall
VMWare, KVM, Nutanix, OpenStack, KVM, HyperFlex, Nutanix, GCP, Azure and 4200, FP4100, FP9300, ISA 3000, FTDv
HyperFlex, Azure, AWS, GCP, OCI ( AWS in VMWare, KVM, Azure, AWS, GCP, OCI,
Autoscale supported for GCP,OCI, AWS and Nutanix, OpenStack, HyperFlex
Azure, along with Accelerated Networking in Running version 7.2 and above (Supported
Azure). for devices running 7.0 with 7.0.3)
Available Form Factors FMC1700, FMC 2700, FMC4700 (New) On box on Physical FTDs, FTDv running on Cloud based web application
FMC1600, FMC 2600, FMC4600 VMWare, KVM, AWS, Azure, GCP, OCI,
FMCv2/10/25 (VMware, KVM, AWS, Azure, Nutanix, OpenStack, HyperFlex
GCP, OCI, Nutanix, Hyperflex, Hyper-
V,OpenStack), FMCv300 (VMware, AWS,
Azure, KVM and OCI)
High Availability FMC HA in all hardware models, VMWare, ✗ ✔ (cloud based redundancy)
KVM, Hyper-V, HyperFlex, AWS, Azure, OCI DR across Availability zones, within the
same availability zone, daily snapshot
Multi Tenancy ✔ FMC Domains ✗ ✔( true separate cloud tenants) with a
unified multi-tenant management portal –
Management Authentication Local, AD, Radius, also allows to specify a SAML SSO, Common Access Card (CAC) SAML 2FA -- Cisco provided (Cisco
real name for a user account, SAML SSO with SAML, Local Admin and RADIUS Secure Sign-On) or Your Own SAML idP
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 14 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in CDO
Features
Center (7.4.x) (7.4.x) (December 2023)
Management RBAC Granular RBAC provided locally, SAML SSO Available w/ RADIUS and SAML Super Admin, Admin, Read-Only, Edit-Only,
(Authorization) authentication, Roles: Audit Admin, Deploy-Only, VPN Session Manager
Crypto Admin, RO, RW and Admin
Management Audit Audit Logs. Reports in HTML, PDF and CSV ✔ Audit Logs. report can be generated from
(Accounting) formats, syslog server supported these logs in HTML, PDF and CSV formats
Change Management
✔ ✗ ✗
Workflow
✔ Audit Log support ✔ Audit Log support
Routing Policies, FTD Platform Settings, VPN, Routing Policies, FTD Platform Settings, VPN,
Deployment History DHCP, DDNS, Pre-Filter Policies, QoS ✔ DHCP, DDNS, Pre-Filter Policies, QoS
Policies, Objects (Network, Port, URL, VLAN Policies, Objects (Network, Port, URL, VLAN
Tag Tag
- High level indication in Deploy Policies - High level indication in Deploy Policies
- Audit Log support - Audit Log support
Pending Changes Routing Policies, FTD Platform Settings, VPN, ✔ Routing Policies, FTD Platform Settings, VPN,
DHCP, DDNS, Pre-Filter Policies, QoS DHCP, DDNS, Pre-Filter Policies, QoS
Policies, Objects (Network, Port, URL, VLAN) Policies, Objects (Network, Port, URL, VLAN)
- Available for DNS, File, Health, Identity, - Available for DNS, File, Health, Identity,
Intrusion, Network Analysis, SSL policies Intrusion, Network Analysis, SSL policies
- Audit Log support - Audit Log support
Policy Compare ✔
Routing Policies, FTD Platform Settings, VPN, Routing Policies, FTD Platform Settings, VPN,
DHCP, DDNS, Pre-Filter Policies, QoS DHCP, DDNS, Pre-Filter Policies, QoS
Policies, Objects (Network, Port, URL, VLAN) Policies, Objects (Network, Port, URL, VLAN)
Configuration Archive ✔ ✔ ✔
Bulk Edit ✔ ✗ ✔
Advanced Search ✔ ✗ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 15 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in CDO
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Move Rules across Policies ✔ ✗ ✔
✔(You can create category and club rules ✔(You can create category and club rules under
Rule Sets (set of rules shared
under them but they can’t be shared across ✗ them but they can’t be shared across policies)
by multiple FTDs) policies)
Remote Branch Deployment
(Using Data interface for ✔(Standalone and HA) ✔ ✔(Standalone and HA)
Management)
Upgrade Package
✔ ✗ (On box single device manager) ✗
Management
Bulk Upgrade ✔ ✗ (On box single device manager) ✔
Revert Upgrade ✔(Major and Maintenance upgrades) ✔(Major and Maintenance upgrades)
Notification Service ✔(Only UI) ✔(Only UI) ✔(UI, Email and Webhooks)
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 16 of 51
Integrate with Azure Gateway
✔ ✔
Load Balancers
Snort3 ✔ ✔ ✔
Wildcard Masks ✔ ✗ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 17 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Hardware Specific Features
Flow Offload on 9300 and 4100 ✔ ✔ ✔
Fail to wire interfaces ✔ ✔ (Inline sets not supported) ✔
ASA & FTD in 9300 (different SMs) (Only FTD) (Only FTD) (Only FTD)
L2 switchports and PoE in 1010 ✔ ✔ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 18 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Stateful Firewall Object Features
✔ ✔ ✔
Object based access control policy
✔ ✔ ✔
IP address objects (v4 & V6)
✔ ✔ ✔
Object groups
✔ ✔ ✔
Groups of groups
✔ ✔ ✔
UDP and TCP ports in one object
✔ ✔ ✔
Address ranges
✔ ✔ ✔
Port ranges
✔ ✔ ✔
Object change history
✔ ✗ ✔
Find unused objects
IP object based on a host/domain ✔ ✔ ✔
name (FQDN object)
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 19 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Object Support
IPv6 Link-Local ✔ ✔ ✔
IPv4 Multicast ✔ ✔ ✔
any ipv4 ✔ ✔ ✔
any ipv6 ✔ ✔ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 20 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Layer 3 and 4 Capabilities
OSPF, EIGRP, BGP, RIP, Multicast, Static, Static and Route Tracking(SLA) on UI OSPF, EIGRP, BGP, RIP, Multicast, Static,
Route Tracking(SLA) - Supported on UI OSPF, BGP and respective route object – Route Tracking(SLA) - Supported on UI
PBR, ISIS, BFD, ECMP SmartCLI PBR, ISIS, BFD, ECMP
Only API for static route, VRF, Application Global EIGRP – FDM UI Only API for static route, VRF, Application
Routing
based Routing (DIA) Multicast, Interface EIGRP , PBR - based Routing (DIA)
FlexConfig
APIs available for Static Route, OSPF,
BGP and generic Flexconfig, VRF, ECMP
Layer 2 - 7 Access Control
Filter Features
Zone (a logical group of physical or ✔ ✔ ✔
virtual interfaces)
IP address ✔ ✔ ✔
Geolocation ✔ ✔ ✔
VLAN ✔ ✔ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 21 of 51
VDI user identity ✔ ✗ ✔
AppID ✔ ✔ ✔
Ports ✔ ✔ ✔
Protocol ✔ ✔ ✔
URL ✔ ✔ ✔
Objects ✔ ✔ ✔
SGT ✔ ✔ ✔
Location IP (ISE) ✔ ✔ ✔
Tunnel Policies ✗ ✗ ✗
X-Forwarded-For policy ✔ ✗ ✔
Application Discovery ✔ ✗ ✗
User Discovery ✔ ✗ ✗
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 22 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
Advanced Protocol Inspection Features
SIP ✔ Flexconfig ✔
FTP ✔ Flexconfig ✔
DNS ✔ Flexconfig ✔
DCE-RPC ✔ Flexconfig ✔
5G (GTP,M3UA,Diameter, SCTP) ✔(requires Carrier License) ✗ ✔(requires Carrier License)
H323 (H225, RAS) ✔ Flexconfig ✔
ICMP ✔ Flexconfig ✔
NetBIOS ✔ Flexconfig ✔
RTSP ✔ Flexconfig ✔
SCCP ✔ Flexconfig ✔
RSH ✔ Flexconfig ✔
ESMTP ✔ Flexconfig ✔
SQLNET ✔ Flexconfig ✔
SUNRPC ✔ Flexconfig ✔
XDMCP ✔ Flexconfig ✔
TFTP ✔ Flexconfig ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 23 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
VPN -> Site-to-Site Features
IKEv1, IKEv2 ✔ ✔ ✔
PSK Authentication ✔ ✔ ✔
Certificate Authentication ✔ ✔ ✔
Loopback Interface ✔ ✗ ✔
Monitoring ✔ ✗ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 24 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
VPN -> Remote Features
Connection Protocol TLSv1.2, TLSv1.3, IKEv2, DTLS TLSv1.2, IKEv2, DTLS TLSv1.2, TLSv1.3, IKEv2, DTLS
AnyConnect Client ✔ ✔ ✔
Clientless VPN ✗ ✗ ✗
Authentication Protocol RADIUS, LDAP, Local, SAML RADIUS, LDAP, Local, SAML RADIUS, LDAP, Local, SAML
Passwordless Authentication ✔ ✔ ✔
(WebAuthN)
Certificate Authentication ✔ (Multi Cert too) ✔ ✔ (Multi Cert too)
2FA/MFA ✔ ✔ ✔
Authorization Protocol RADIUS, LDAP, SAML, SAML & RADIUS, LDAP RADIUS, LDAP, SAML, SAML &
Certificate Certificate
Accounting Protocol RADIUS RADIUS RADIUS
Monitoring ✔(Additional Client Geolocation info and ✔ ✔(Additional Client Geolocation info and
ability to terminate VPN sessions) ability to terminate VPN sessions)
VPN Load Balancing ✔ ✗ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 25 of 51
Firepower Management Firepower Device Cloud-delivered FMC in
Features
Center (7.4.x) Manager (7.4.x) (Dec 2023)
NGFW Identity Awareness & Control Features
Passive authentication ✔ ✔ ✔
AD Realm Sequence ✔ ✔ ✔
Dynamic Object and CSDAC (AWS, ✔Supports TXT based feeds ✗ ✔(CSDAC option within CDO)
Azure, Azure Tags, GCP, Github, O365, additionally
vCenter, Webex and Zoom)
Workload Policy Integration ✔ ✗ ✔
Source Fire User Agent Deprecated starting 6.7 Deprecated starting 6.7 Deprecated starting 6.7
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 26 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) (Dec 2023)
SD-WAN
Low Touch Provisioning ✔ ✗ ✔
Application Groups ✔ ✗ ✔
SSL Decryption ✔ ✗ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 27 of 51
NGFW Layer 4 - 7 Firewall Functionality Features
Application Control ✔ ✔ ✔
Limit bandwidth by user/application ✔ Flexconfig ✔
(Rate Limiting)
URL Filtering ✔ ✔ ✔
SSL Decryption in software ✔ (TLS 1.3 Server Identity Discovery ✔ (TLS 1.3 Server Identity ✔
and Encrypted Traffic Visibility well ) Discovery as well )
SSL Decryption in hardware ✔ ✔ ✔
TLS 1.3 Decryption ✔ ✔ ✔
OpenAppID ✔ ✔ ✔
AMP For networks ✔ ✔ ✔
ThreatGRID Dynamic Analysis ✔ ✗ ✔
Threat/Risk Reports ✔ ✗ ✗
Web SafeSearch and YouTube Edu ✔ ✔ ✔
TLS Proxy for Encrypted Voice ✗ ✗ ✗
Inspection
Web Cache Services Using WCCP Flexconfig Flexconfig Flexconfig
Pre-filter Policy (Tunneled & Fastpath) ✔ ✗ ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 28 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) CDO (Dec 2023)
Logging and Analytics features
Log connections to management ✔ ✔ ✔
console
Unified Event Viewer ✔ ✗ ✔ (supports Background Searches)
Send syslogs- from the management ✔ ✔ ✗
console
Send syslogs - directly from the ✔ ✔ ✔
device
Security Analytics and Logging ✔ (On Prem and Cloud) ✔ (Cloud) ✔ (Cloud)
Dashboards ✔ ✔ Dashboards available for:
- Predefined and Customizable - Multiple predefined dashboards for Top Applications
dashboard and widgets for network health, network and threat Top Attackers
and threat Top Destinations
- Limited Device health Top Targets
Top Threats
Reporting ✔ including ✗ ✔(High Level Security Report
- Provides templates for reports. available)
- Reports can be exported etc.
- Report Designer can convert
Dashboard to Reports
eStreamer ✔ ✗ ✗
IBM with QRadar ✔ ✗ ✗
CEF ✗ ✗ ✗
NetFlow ✔ Flexconfig ✔
SecureX Integration ✔ ✔ (No Ribbon or cross launch) ✔
Risk Reports/SRA ✔ ✗ ✗
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 29 of 51
Firepower Management Firepower Device Manager Cloud-delivered FMC in
Features
Center (7.4.x) (7.4.x) CDO (Dec 2023)
APIs
REST API ✔ FTD APIs available for all FDM ✔ (Uses CDO API Token)
Host Input API ✔ ✗ ✔
Remediation API ✔ ✗ ✔
Database Access API ✔ ✗ ✔
Estreamer API ✔ ✗ ✗
Workflows (Submitter, Approver, ✗ ✗ ✗
Deployer)
Ticket Management System ✗ ✗ ✗
Integration
ASA to FTD Migration ✔ Use CDO Tool ✔
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 30 of 51
Public Cloud Secure Firewall
Azure Native vs. Cisco Secure Firewall
LEGEND
Supported (Yes)
Partial
Not supported (No)
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Azure Firewall
Features Azure Azure Azure Azure Premium
Site to Site VPN
IPSec / Site to Site Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
VPN - Hub & Spoke VIrtual Network VIrtual Network Gateway
Gateway (VNG) (VNG)
IPSec / Site to Site Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
VPN - 3rd party / VIrtual Network VIrtual Network Gateway
Extranet Gateway (VNG) (VNG)
PKI support Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
VIrtual Network VIrtual Network Gateway
Gateway (VNG) (VNG)
VTI support Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
VIrtual Network VIrtual Network Gateway
Gateway (VNG) (VNG)
IKEv2 support Yes Yes Yes Yes Using Azure VPN and Using Azure VPN and
VIrtual Network VIrtual Network Gateway
Gateway (VNG) (VNG)
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 31 of 51
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Azure Firewall
Features Azure Azure Azure Azure Premium
RA VPN
Clientless-SSL VPN No No Yes Yes No
Anyconnect or Client Yes Yes Yes Yes No
VPN
SAML Yes Yes Yes Yes No
MFA-RSA SDI Yes Yes Yes Yes No
MFA-Duo Yes Yes Yes Yes No
Local Auth Yes Yes Yes Yes Yes
RADIUS Yes Yes Yes Yes No
TACACS No No Yes Yes No
Dynamic Access Yes Yes Yes Yes No
Policy
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 32 of 51
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Azure Firewall
Features Azure Azure Azure Azure Premium
General
Enterprise FW Yes Yes Yes Yes Yes
App Visibility & Control Yes Yes Cisco ASA can Cisco ASA can Azure Firewall only Azure Firewall only
use FQDN (all use FQDN (all uses FQDN filtering uses FQDN filtering
traffic), ports and traffic), ports and rules ( outbound HTTP rules ( outbound HTTP
protocols. protocols. only), ports and only), ports and
protrocols for filtering protrocols for filtering
Geolocation Yes Yes No No No
SSL Decryption No No No TLS configuration is
primitive in the Azure
Premium FIrewall. One
CA, and no rules to
determine which traffic
to dercypt, pass-
through or drop. Also, it
only supports East-
West and Outbound.
North-South is
supported by the Azure
Application Gateway,
but this is only HTTPS.
Known key Yes Yes No No No No
Resign Yes Yes No No No Yes
NGIPS / NGIDS Yes Yes No No Yes
Snort 3 Yes Yes No No No No
DDoS No No No No Azure offers Azure Azure offers Azure
DDoS. DDoS.
URL/Web Filtering Yes Yes No No No Yes
Web Proxy Integration No No No No No No
Advance Malware Yes Yes No No No No
Protection and Breach
Detection
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 33 of 51
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Azure Firewall
Features Azure Azure Azure Azure Premium
Continuous Analysis & Yes Yes No No No No
Retrospective
Detection
Malware Remediation Yes Yes No No No No
Integrated Sandboxing Yes Yes No No No No
Contextual Awareness Yes Yes No No No No
(who, what, when,
where, why, How)
User Awareness Yes Yes Yes Yes No
Security Automation & Yes Yes No No Yes Yes
Adaptive Threat
Management
IoCs Yes Yes No No No No
Network Awareness Yes Yes No No No No
Endpoint Awareness Yes Yes No No No No
Network File Yes Yes No No No No
Trajectory
Impact Assesment Yes Yes No No No No
DNS Based Policy & Yes Yes No No No No
Sinkholing
Encrypted Traffic Yes Yes Yes Yes No No
Analytics
Dynamic Objects Yes Yes No No FQDNs and Service FQDNs and Service
Tags only Tags only
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 34 of 51
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Azure Firewall
Features Azure Azure Azure Azure Premium
Threat Intelligence
System Feed (Talos or Yes Yes No No Yes Yes
eq)
3rd party - system Yes Yes No No No No
feed
3rd party feeds Yes Yes No No Azure Sentinel is a Taxii Azure Sentinel is a Taxii
/Threat Intelligence client client
Director / Integrations
Automated Yes Yes No No Yes Yes
Intelligence feeds
Operational Capabilities
Software Defined Yes Yes Yes Yes Yes
Segmentation
Automatic Threat Yes Yes No No Azure triggers can take Azure triggers can take
Containment automated action automated action
Syslog & Event Data Export
Local / Built into Yes Yes Yes Yes Yes Yes
management
Syslog Yes Yes Yes Yes Yes Yes
Reporting Dashboards Yes Yes Yes Yes Yes Yes
SIEM Yes Yes Yes Yes Yes
SOAR Yes Yes Yes Yes Yes
Cisco Threat Yes Yes No No No No
Response
SecureX Yes Yes No No No No
Remediation API Yes Yes No No No No
Host API Yes Yes No No No No
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 35 of 51
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Azure Firewall
Features Azure Azure Azure Azure Premium
NetOps Features
High Availability Yes Yes
Clustering Yes Yes Yes No No No
Auto-scale out Yes Yes Yes Yes Yes Yes
Routed Yes Yes Yes Yes Yes Yes
Transparent No No No No No No
WCCP No No No No No No
Static and Policy Yes Yes Yes Yes Yes Yes
Based Routing
OSPF No No
BGP Yes Yes Yes Yes Yes Yes
RIP No
EIGRP No
IS-IS No
Multicast No No No No No
NAT/PAT Yes Yes Yes Yes Only Outbound SNAT & Only Outbound SNAT &
Inbound DNAT. DNAT Inbound DNAT. DNAT
not supported in Spoke not supported in Spoke
to Spoke environments. to Spoke environments.
Platform Exchange Yes Yes No No No No
Grid (pxGrid)
Device APIs Yes Yes Yes Yes Yes Yes
AAA for Management
TACACS No No Yes Yes No No
Radius Yes Yes Yes Yes No No
SAML Yes Yes Yes Yes No No
MFA-RSA SDI No No
MFA-Duo Yes Yes Yes Yes No No
Local Auth Yes Yes Yes Yes Yes Yes
RBAC Yes Yes Yes Yes Yes Yes
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 36 of 51
FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Azure Firewall
Security Features
Azure Azure Azure Azure Firewall Premium
Management Platform
On-box Yes Yes Yes Yes Not applicable Not applicable
Cloud delivered Yes Yes Yes Yes Yes Yes
Centralized Yes Yes Yes Yes Yes Yes
Single Sign On (SSO) Yes Yes Yes Yes Yes Yes
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 37 of 51
FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Firewall
Security Features Azure Firewall
Azure Azure Azure Azure Premium
Management Platform
Enterprise Firewall Included Included Included Included Free to use. Free to use.
Deployment and Deployment and Data
Data processing cost processing cost
Application Visibility Included Included NA NA Free to use. Free to use.
Deployment and Deployment and Data
Data processing cost processing cost
IPS BYOL | Smart BYOL | Smart NA NA Not applicable Not applicable
Licensing Licensing
Malware Remediation BYOL | Smart BYOL | Smart NA NA Not applicable Not applicable
Licensing Licensing
Malware Sandboxing BYOL | Smart BYOL | Smart NA NA Not applicable Not applicable
Licensing Licensing
URL Filtering BYOL | Smart BYOL | Smart NA NA Free to use. Free to use.
Licensing Licensing Deployment and Deployment and Data
Data processing cost processing cost
Management Cloud BYOL | Smart BYOL | Smart BYOL | Smart BYOL | Smart Additional Service to Additional Service to
Delivered Licensing Licensing Licensing Licensing install. Free to use. install. Free to use.
(Cisco Defense (Cisco Defense (Cisco Defense ((Cisco Defense Deployment and Deployment and Data
Orchestrator is Orchestrator is Orchestrator is Orchestrator is Data processing cost processing cost
supported but CDO supported but CDO supported but CDO supported but CDO
licensing is separate) licensing is separate) licensing is separate) licensing is separate)
Management BYOL | Smart BYOL | Smart BYOL | Smart BYOL | Smart Additional Service to Additional Service to
Centralized Licensing Licensing Licensing Licensing install. Free to use. install. Free to use.
(Firepower (Firepower (CSM is supported (CSM is supported Deployment and Deployment and Data
Management Center Management Center but CSM licensing is but CSM licensing is Data processing cost processing cost
is supported but FMC is supported but separate) separate)
licensing is separate) FMC licensing is
separate)
Management On-box Included (FDM) Included (FDM) Included (ASDM) Included (ASDM) Included Included
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 38 of 51
Security FTD 7.4 in FTD 7.3 in ASA 9.20 in ASA 9.19 in Azure Azure Firewall
Features Azure Azure Azure Azure Firewall Premium
Deployment
Total # of NICs Up to 8 Up to 8 Up to 8 Up to 8 Not applicable Not applicable
Azure Instances Standard_D3, Standard_D3, Standard_D3, Standard_D3, Not applicable Not applicable
Standard_D3_v2, Standard_D3_v2, Standard_D4, Standard_D4,
Standard_D4_v2, Standard_D4_v2, Standard_D5. Standard_D5.
Standard_D5_v2 Standard_D5_v2 Standard_D3_v2, Standard_D3_v2,
Standard_D8s_v3 Standard_D8s_v3 Standard_D4_v2, Standard_D4_v2,
Standard_D16s_v3 Standard_D16s_v3 Standard_D5_v2, Standard_D5_v2,
Standard_F8s_v2 Standard_F8s_v2 Standard_D8_v3, Standard_D8_v3,
Standard_F16s_v2 Standard_F16s_v2 Standard_DS3, Standard_DS3,
Standard_DS4, Standard_DS4,
Standard_DS5, Standard_DS5,
Standard_DS3_v2, Standard_DS3_v2,
Standard_DS4_v2, Standard_DS4_v2,
Standard_DS5_v2 Standard_DS5_v2
Standard_F4, Standard_F4,
Standard_F8, Standard_F8,
Standard_F16, Standard_F16,
Standard_F4s, Standard_F4s,
Standard_F8s, Standard_F8s,
Standarf_F16s Standarf_F16s
Standard_D8s_v3 Standard_D8s_v3
Standard_D16s_v3 Standard_D16s_v3
Standard_F8s_v2 Standard_F8s_v2
Standard_F16s_v2 Standard_F16s_v2
Azure Security Yes Yes Yes Yes Yes Yes
Center
Azure Government Yes Yes Yes Yes Yes Yes
Cloud
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 39 of 51
Public Cloud Secure Firewall
Google Cloud vs. Cisco Secure Firewall
LEGEND
Supported (Yes)
Partial
Not supported (No)
Security Features FTD 7.4 in Google Cloud ASA 9.20 in Google Cloud Google Cloud Firewall
RA VPN
Clientless-SSL VPN No Yes No
Anyconnect or Client VPN Yes Yes No
SAML Yes Yes No
MFA-RSA SDI Yes Yes No
MFA-Duo Yes Yes No
Local Auth Yes Yes Yes
RADIUS Yes Yes No
TACACS No Yes No
Dynamic Access Policy Yes Yes
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 40 of 51
Security Features FTD 7.4 in Google Cloud ASA 9.20 in Google Cloud Google Cloud Firewall
Enterprise FW Yes Yes Yes
App Visibility & Control Yes
Geolocation Yes No No
SSL Decryption Yes No
Known key Yes No No
Resign Yes No No
NGIPS / NGIDS Yes No No
Snort 3 Yes No No
DDoS No No
URL/Web Filtering Yes No
Web Proxy Integration No No No
Advance Malware Protection and Yes No No
Breach Detection
Continuous Analysis & Retrospective Yes No No
Detection
Malware Remediation Yes No No
Integrated Sandboxing Yes No No
Contextual Awareness (who, what, Yes No No
when, where, why, How)
User Awareness Yes Yes No
Security Automation & Adaptive Yes No Yes
Threat Management
IoCs Yes No No
Network Awareness Yes No No
Endpoint Awareness Yes No No
Network File Trajectory Yes No No
Impact Assesment Yes No No
DNS Based Policy & Sinkholing Yes No
Encrypted Traffic Analytics Yes Yes
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 41 of 51
Security Features FTD 7.4 in Google Cloud ASA 9.20 in Google Cloud Google Cloud Firewall
Threat Intelligence
System Feed (Talos or eq) Yes No Yes
Operational Capabilities
Software Defined Segmentation No No Yes
SOAR Yes - Based on Vendor support ** Yes - Based on Vendor support ** Yes
SecureX Yes No No
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 42 of 51
Security Features FTD 7.4 in Google Cloud ASA 9.20 in Google Cloud Google Cloud Firewall
NetOps Features
High Availability Yes
Clustering Yes No
Auto-scale out Yes Yes
Routed Yes Yes Yes
Transparent No No No
WCCP – On -USECASE No No No
Static and Policy Based Routing Yes Yes Yes
OSPF No
BGP Yes – Anything with Unicast Yes Yes
RIP No
EIGRP No
IS-IS No
Multicast No No No
NAT/PAT Yes Yes
Platform Exchange Grid (pxGrid) No No
Device APIs Yes Yes Yes
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 43 of 51
Security Features FTD 7.4 in Google Cloud ASA 9.20 in Google Cloud Google Cloud Firewall
Management Platform
On-box Yes Yes NA
Cloud delivered Yes Yes Yes
Centralized Yes Yes Yes
Single Sign On (SSO) Yes Yes (CDO) Yes
Upgrade Yes Yes NA
Backup/Restore Yes Yes Yes
Health Policy and Monitoring Yes Yes Yes
Policy Inheritance Yes Yes No
Audit Yes Yes Yes
Change Control Yes Yes Yes
Multi-domain management Yes -Through FMC No No
Free to use. Deployment and Data
Enterprise Firewall Included Included
processing cost
Free to use. Deployment and Data
Application Visibility Included NA
processing cost
IPS BYOL | Smart Licensing NA NA
Malware Remediation BYOL | Smart Licensing NA NA
Malware Sandboxing BYOL | Smart Licensing NA NA
Free to use. Deployment and Data
URL Filtering BYOL | Smart Licensing NA
processing cost
BYOL | Smart Licensing
Additional Service to install. Free to
(Cisco Defense Orchestrator is
Management Cloud Delivered Yes use. Deployment and Data
supported but CDO licensing is
processing cost
separate)
BYOL | Smart Licensing BYOL | Smart Licensing
Additional Service to install. Free to
(Firepower Management Center is (CSM is supported but CSM licensing
Management Centralized use. Deployment and Data
supported but FMC licensing is is separate)
processing cost
separate)
Management On-box Included Included Included
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 44 of 51
Security Features FTD 7.4 in Google Cloud ASA 9.20 in Google Cloud Google Cloud Firewall
Deployment
Total # of NICs Based on Instance (Datasheet) Based on Instance (Datasheet) NA
FTDv GCP N2-Standard-4 ASAv GCP N2-Standard-4
FTDv GCP N2-Standard-8 ASAv GCP N2-Standard-8
FTDv GCP N2-Standard-16 ASAv GCP N2-Standard-16
FTDv GCP C2-Standard-4 ASAv GCP C2-Standard-4
Google Instances NA
FTDv GCP C2-Standard-8 ASAv GCP C2-Standard-8
FTDv GCP C2-Standard-16 ASAv GCP C2-Standard-16
FTDv GCP N2-highcpu-16 ASAv GCP N2-highcpu-16
FTDv GCP N2-highmem-16 ASAv GCP N2-highmem-16
Autoscale Yes No NA
No
Google Security Centre No Yes
No No
Google Government Cloud Yes
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 45 of 51
Public Cloud Secure Firewall
AWS Firewall vs. Cisco Secure Firewall
LEGEND
Supported (Yes)
Partial
Not supported (No)
Security Features FTD 7.4 in AWS ASA 9.20 in AWS AWS Firewall
RA VPN
Clientless-SSL VPN No Yes No
Anyconnect or Client VPN Yes Yes Yes
SAML Yes Yes Yes
MFA-RSA SDI Yes Yes No
MFA-Duo Yes Yes No
Local Auth Yes Yes Yes
RADIUS Yes Yes No
TACACS No Yes No
Dynamic Access Policy Yes Yes No
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 46 of 51
Security Features FTD 7.4 in AWS ASA 9.20 in AWS AWS Firewall
Enterprise FW Yes Yes Yes
App Visibility & Control Yes
Geolocation Yes No No
SSL Decryption Yes No
Known key Yes No No
Resign Yes No No
NGIPS / NGIDS Yes No No
Snort 3 Yes No No
DDoS No No
URL/Web Filtering Yes No
Web Proxy Integration No No No
Advance Malware Protection and Yes No No
Breach Detection
Continuous Analysis & Retrospective Yes No No
Detection
Malware Remediation Yes No No
Integrated Sandboxing Yes No No
Contextual Awareness (who, what, Yes No No
when, where, why, How)
User Awareness Yes Yes No
Security Automation & Adaptive Yes No Yes
Threat Management
IoCs Yes No No
Network Awareness Yes No No
Endpoint Awareness Yes No No
Network File Trajectory Yes No No
Impact Assesment Yes No No
DNS Based Policy & Sinkholing Yes No
Encrypted Traffic Analytics Yes Yes
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 47 of 51
Security Features FTD 7.4 in AWS ASA 9.20 in AWS AWS Firewall
Threat Intelligence
System Feed (Talos or eq) Yes No Yes
Operational Capabilities
Software Defined Segmentation No No Yes
SOAR Yes - Based on Vendor support ** Yes - Based on Vendor support ** Yes
SecureX Yes No No
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 48 of 51
Security Features FTD 7.4 in AWS ASA 9.20 in AWS AWS Firewall
NetOps Features
High Availability No Yes
Clustering + Integration with GWLB Yes Yes No
Auto-scale out Yes Yes
Routed Yes Yes Yes
Transparent No No No
WCCP – On -USECASE No No No
Static and Policy Based Routing Yes Yes Yes
OSPF Yes Yes No
BGP Yes – Anything with Unicast Yes Yes
RIP Yes Yes No
EIGRP Yes Yes No
IS-IS No
Multicast No No No
NAT/PAT Yes Yes
Platform Exchange Grid (pxGrid) Yes No No
Device APIs Yes Yes Yes
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 49 of 51
Security Features FTD 7.4 in AWS ASA 9.20 in AWS AWS Firewall
Management Platform
On-box Yes Yes Not applicable
Cloud delivered Yes Yes Yes
Centralized Yes Yes Yes
Single Sign On (SSO) Yes Yes (CDO) Yes
Upgrade Yes Yes Not applicable
Backup/Restore Yes Yes Yes
Health Policy and Monitoring Yes Yes Yes
Policy Inheritance Yes Yes No
Audit Yes Yes Yes
Change Control Yes Yes Yes
Multi-domain management Yes -Through FMC No No
Free to use. Deployment and Data
Enterprise Firewall Included Included
processing cost
Free to use. Deployment and Data
Application Visibility Included NA
processing cost
Basic IPS functions with Suricata
IPS BYOL | Smart Licensing NA
based IPS rules
Malware Remediation BYOL | Smart Licensing NA No
Malware Sandboxing BYOL | Smart Licensing NA No
Free to use. Deployment and Data
URL Filtering BYOL | Smart Licensing NA
processing cost
BYOL | Smart Licensing
Additional Service to install. Free to
(Cisco Defense Orchestrator is
Management Cloud Delivered Yes use. Deployment and Data
supported but CDO licensing is
processing cost
separate)
BYOL | Smart Licensing BYOL | Smart Licensing
Additional Service to install. Free to
(Firepower Management Center is (CSM is supported but CSM licensing
Management Centralized use. Deployment and Data
supported but FMC licensing is is separate)
processing cost
separate)
Management On-box Included Included Included
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 50 of 51
Security Features FTD 7.4 in AWS ASA 9.20 in AWS AWS Firewall
Deployment
Total # of NICs Based on Instance (Datasheet) Based on Instance (Datasheet) NA
AWS Instances AWS Instance Types AWS Instance Types NA
Autoscale Yes Yes NA
AWS Guard Duty Yes No Yes
AWS Government Cloud Yes Yes Yes
Custom Image Snapshot Custom Image Snapshot N/A
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Partner Confidential Information. Page 51 of 51