Cisco Firewall Comparisons

Compare Cisco Firewalls by Security Throughput, Sessions and Interfaces

Choose the software image and management model before comparing headline throughput. ASA and Threat Defense rows use different metrics; threat inspection, TLS decryption and IPsec performance can be more important than basic firewall throughput. Then check sessions, interfaces, HA and licensing.

40searchable models
7published comparisons
6featured models
Build a firewall comparison

Search exact Product IDs

Firewalls only
  1. 1Choose a category
  2. 2Select models
Choose a product categoryAll selected models must be from the same category.
Select models to compareChoose two to four exact Cisco Product IDs.

Select one category and at least two different models.

Selection decision matrix

Cisco firewall selection decision matrix

Choose the software image and enabled security services before using any headline throughput figure. The correct platform must satisfy inspected traffic, encrypted traffic, connection scale, interfaces and resilience together.

Decision areaCompare these specificationsPractical selection rule
01 Software image and managementDecide whether the appliance will run ASA software or Secure Firewall Threat Defense and how it will be managed. Security Software Image; Local Management; Centralized Management; Licensing Select the software and management architecture first. ASA and Threat Defense expose different services and named performance metrics, so their headline values are not direct substitutes.
02 Enabled inspection servicesList the production services that will inspect traffic instead of sizing from basic firewall throughput alone. FTD Firewall + AVC; FTD Firewall + AVC + IPS; NGIPS Throughput Use the row that represents the services enabled in production and keep the published packet profile attached. Do not use FW + AVC when IPS will also be enabled.
03 Encrypted trafficEstimate TLS decryption and site-to-site or remote-access VPN demand independently. TLS Decryption Throughput; IPsec VPN Throughput; Maximum VPN Peers TLS and IPsec exercise different functions and test profiles. Size each workload with its own metric and allow headroom for the production cipher, protocol mix and software release.
04 Connection scaleMeasure both the number of established sessions and the rate at which new sessions arrive. Concurrent Firewall Connections; Concurrent Sessions with AVC; New Connections per Second Concurrent sessions describe active scale; connections per second describe churn. A platform can meet one requirement and still fail the other.
05 Interfaces and expansionMap inside, outside, HA, management and segmented links to physical ports and modules. Data Interfaces; Fixed RJ-45 and SFP Ports; Maximum Interface Expansion; Management Ports Confirm connector type, speed, port role and expansion-module compatibility. Total interface count does not prove that the required mix of copper, fiber and high-speed ports is available.
06 Resilience and platform resourcesValidate the failure model and the resources required for logging, events and software operation. High Availability; Clustering; System Memory; Storage; Power Redundancy Distinguish active/standby HA from clustering and multi-instance features. Confirm the exact model, software image, license and power design support the intended resilience mode.
Shortlist overview

Popular Cisco firewalls specification matrix

The overview uses Threat Defense Product IDs so the security-performance columns remain comparable. ASA Product IDs are available in the selector and retain their separate ASA metrics.

Product ID Security Software ImageFTD Firewall + AVC + IPS ThroughputNGIPS ThroughputTLS Decryption ThroughputIPsec VPN ThroughputConcurrent Sessions with AVCData Interfaces
FPR1010-NGFW-K9 Cisco Secure Firewall Threat Defense0.88 Gbps0.9 Gbps0.195 Gbps0.4 Gbps100,0008 x 1000BASE-T RJ-45; ports 1 and 2 support PoE+ output
FPR2110-NGFW-K9 Cisco Secure Firewall Threat Defense2.6 Gbps2.6 Gbps0.365 Gbps0.95 Gbps1,000,00012 x 10M/100M/1GBASE-T RJ-45 plus 4 x 1G SFP
FPR3105-NGFW-K9 Cisco Secure Firewall Threat Defense10 Gbps10 Gbps3.2 Gbps5.5 Gbps1,500,0008 x 10M/100M/1GBASE-T RJ-45 plus 8 x 1/10G SFP
FPR1120-NGFW-K9 Cisco Secure Firewall Threat Defense2.3 Gbps2.6 Gbps0.85 Gbps1.2 Gbps200,0008 x 10M/100M/1GBASE-T RJ-45 plus 4 x 1G SFP
FPR1140-NGFW-K9 Cisco Secure Firewall Threat Defense3.3 Gbps3.5 Gbps1.2 Gbps1.4 Gbps400,0008 x 10M/100M/1GBASE-T RJ-45 plus 4 x 1G SFP
FPR3110-NGFW-K9 Cisco Secure Firewall Threat Defense17 Gbps17 Gbps4.8 Gbps8 Gbps2,000,0008 x 10M/100M/1GBASE-T RJ-45 plus 8 x 1/10G SFP

Available model links open the corresponding product page. Choose a pair below to compare the full set of relevant specifications.

Free product-selection help

Not sure which Cisco firewall fits your project?

Share the required capacity, interfaces, software, quantity or deployment constraints. A CCIE-level network engineer will help narrow the shortlist at no cost.

Metric definitions

How to read Cisco firewall specifications

Firewall performance changes with software image, enabled services, packet size and test traffic. ASA and Threat Defense metrics remain separate, and each security-service throughput row answers a different sizing question.

01

ASA Stateful Firewall Throughput

Stateful inspection performance published for the ASA software image and its stated traffic profile.

Comparison boundaryDo not compare it directly with Threat Defense FW + AVC, IPS or NGIPS figures. The software image and enabled services differ.
02

FTD Firewall + AVC Throughput

Threat Defense firewall performance with Application Visibility and Control under the stated packet profile.

Comparison boundaryDo not use it as the production sizing value when IPS will also be enabled; use the matching FW + AVC + IPS row.
03

FTD Firewall + AVC + IPS Throughput

Threat Defense throughput with firewalling, application visibility and intrusion prevention enabled in the published test profile.

Comparison boundaryKeep packet size and software context attached. It is not automatically equivalent to NGIPS throughput or ASA multiprotocol performance.
04

TLS Decryption Throughput

Capacity published for decrypting and inspecting TLS traffic under a stated cipher and test method.

Comparison boundaryDo not compare it with raw firewall or IPsec VPN throughput. TLS versions, ciphers, key sizes and traffic mix materially affect sizing.
05

Concurrent Sessions and Connections per Second

Concurrent sessions measure active connection scale; connections per second measure the rate of new connection establishment.

Comparison boundaryNeither metric can replace the other. Validate both against the application mix and expected peak behavior.
06

IPsec VPN Throughput

Encrypted VPN performance for the stated packet profile, path and acceleration mode.

Comparison boundaryDo not substitute TLS-decryption or clear-text firewall throughput. Compare the same packet size and VPN test context.
Price, stock and ordering

Ready to price a model?

Browse the full Cisco firewalls catalog, or open an available model page to review product details, request pricing and confirm availability.

Shop Cisco firewalls
Selection questions

Cisco Firewall Comparisons FAQ

Should I compare ASA and Threat Defense throughput directly?

No. The software images expose different named performance metrics and security services. Select the operating model first, then compare the corresponding Cisco rows.

Which firewall performance metrics matter most?

Use the production security stack. Firewall plus AVC and IPS, NGIPS, TLS decryption and IPsec VPN throughput can each become the sizing limit depending on enabled services.

What is the difference between concurrent sessions and connections per second?

Concurrent sessions measure how many connections remain active, while connections per second measure how quickly new sessions are created. A firewall must meet both the steady-state scale and the expected connection churn.

Does the comparison include high availability and management?

Yes. Pair pages include high availability, clustering when applicable, local management, centralized management and other relevant fields when confirmed for the compared models.

Should TLS decryption and IPsec VPN throughput be compared directly?

No. TLS inspection and IPsec VPN processing use different protocols, ciphers and test methods. Size each encrypted workload with its matching Cisco metric and the production traffic profile.

How do I compare firewall high availability and clustering?

Treat active or standby failover and clustering as different resilience designs. Confirm that the exact hardware, software image, license, interfaces and power configuration support the intended mode.