ASA Stateful Firewall Throughput
Stateful inspection performance published for the ASA software image and its stated traffic profile.
Choose the software image and management model before comparing headline throughput. ASA and Threat Defense rows use different metrics; threat inspection, TLS decryption and IPsec performance can be more important than basic firewall throughput. Then check sessions, interfaces, HA and licensing.
Choose the software image and enabled security services before using any headline throughput figure. The correct platform must satisfy inspected traffic, encrypted traffic, connection scale, interfaces and resilience together.
| Decision area | Compare these specifications | Practical selection rule |
|---|---|---|
| 01 Software image and managementDecide whether the appliance will run ASA software or Secure Firewall Threat Defense and how it will be managed. | Security Software Image; Local Management; Centralized Management; Licensing | Select the software and management architecture first. ASA and Threat Defense expose different services and named performance metrics, so their headline values are not direct substitutes. |
| 02 Enabled inspection servicesList the production services that will inspect traffic instead of sizing from basic firewall throughput alone. | FTD Firewall + AVC; FTD Firewall + AVC + IPS; NGIPS Throughput | Use the row that represents the services enabled in production and keep the published packet profile attached. Do not use FW + AVC when IPS will also be enabled. |
| 03 Encrypted trafficEstimate TLS decryption and site-to-site or remote-access VPN demand independently. | TLS Decryption Throughput; IPsec VPN Throughput; Maximum VPN Peers | TLS and IPsec exercise different functions and test profiles. Size each workload with its own metric and allow headroom for the production cipher, protocol mix and software release. |
| 04 Connection scaleMeasure both the number of established sessions and the rate at which new sessions arrive. | Concurrent Firewall Connections; Concurrent Sessions with AVC; New Connections per Second | Concurrent sessions describe active scale; connections per second describe churn. A platform can meet one requirement and still fail the other. |
| 05 Interfaces and expansionMap inside, outside, HA, management and segmented links to physical ports and modules. | Data Interfaces; Fixed RJ-45 and SFP Ports; Maximum Interface Expansion; Management Ports | Confirm connector type, speed, port role and expansion-module compatibility. Total interface count does not prove that the required mix of copper, fiber and high-speed ports is available. |
| 06 Resilience and platform resourcesValidate the failure model and the resources required for logging, events and software operation. | High Availability; Clustering; System Memory; Storage; Power Redundancy | Distinguish active/standby HA from clustering and multi-instance features. Confirm the exact model, software image, license and power design support the intended resilience mode. |
The overview uses Threat Defense Product IDs so the security-performance columns remain comparable. ASA Product IDs are available in the selector and retain their separate ASA metrics.
| Product ID | Security Software Image | FTD Firewall + AVC + IPS Throughput | NGIPS Throughput | TLS Decryption Throughput | IPsec VPN Throughput | Concurrent Sessions with AVC | Data Interfaces |
|---|---|---|---|---|---|---|---|
| FPR1010-NGFW-K9 | Cisco Secure Firewall Threat Defense | 0.88 Gbps | 0.9 Gbps | 0.195 Gbps | 0.4 Gbps | 100,000 | 8 x 1000BASE-T RJ-45; ports 1 and 2 support PoE+ output |
| FPR2110-NGFW-K9 | Cisco Secure Firewall Threat Defense | 2.6 Gbps | 2.6 Gbps | 0.365 Gbps | 0.95 Gbps | 1,000,000 | 12 x 10M/100M/1GBASE-T RJ-45 plus 4 x 1G SFP |
| FPR3105-NGFW-K9 | Cisco Secure Firewall Threat Defense | 10 Gbps | 10 Gbps | 3.2 Gbps | 5.5 Gbps | 1,500,000 | 8 x 10M/100M/1GBASE-T RJ-45 plus 8 x 1/10G SFP |
| FPR1120-NGFW-K9 | Cisco Secure Firewall Threat Defense | 2.3 Gbps | 2.6 Gbps | 0.85 Gbps | 1.2 Gbps | 200,000 | 8 x 10M/100M/1GBASE-T RJ-45 plus 4 x 1G SFP |
| FPR1140-NGFW-K9 | Cisco Secure Firewall Threat Defense | 3.3 Gbps | 3.5 Gbps | 1.2 Gbps | 1.4 Gbps | 400,000 | 8 x 10M/100M/1GBASE-T RJ-45 plus 4 x 1G SFP |
| FPR3110-NGFW-K9 | Cisco Secure Firewall Threat Defense | 17 Gbps | 17 Gbps | 4.8 Gbps | 8 Gbps | 2,000,000 | 8 x 10M/100M/1GBASE-T RJ-45 plus 8 x 1/10G SFP |
Available model links open the corresponding product page. Choose a pair below to compare the full set of relevant specifications.
Share the required capacity, interfaces, software, quantity or deployment constraints. A CCIE-level network engineer will help narrow the shortlist at no cost.
Open a frequently requested comparison, or use the search above to compare another pair from this category.
Firewall performance changes with software image, enabled services, packet size and test traffic. ASA and Threat Defense metrics remain separate, and each security-service throughput row answers a different sizing question.
Stateful inspection performance published for the ASA software image and its stated traffic profile.
Threat Defense firewall performance with Application Visibility and Control under the stated packet profile.
Threat Defense throughput with firewalling, application visibility and intrusion prevention enabled in the published test profile.
Capacity published for decrypting and inspecting TLS traffic under a stated cipher and test method.
Concurrent sessions measure active connection scale; connections per second measure the rate of new connection establishment.
Encrypted VPN performance for the stated packet profile, path and acceleration mode.
Browse the full Cisco firewalls catalog, or open an available model page to review product details, request pricing and confirm availability.
Shop Cisco firewallsNo. The software images expose different named performance metrics and security services. Select the operating model first, then compare the corresponding Cisco rows.
Use the production security stack. Firewall plus AVC and IPS, NGIPS, TLS decryption and IPsec VPN throughput can each become the sizing limit depending on enabled services.
Concurrent sessions measure how many connections remain active, while connections per second measure how quickly new sessions are created. A firewall must meet both the steady-state scale and the expected connection churn.
Yes. Pair pages include high availability, clustering when applicable, local management, centralized management and other relevant fields when confirmed for the compared models.
No. TLS inspection and IPsec VPN processing use different protocols, ciphers and test methods. Size each encrypted workload with its matching Cisco metric and the production traffic profile.
Treat active or standby failover and clustering as different resilience designs. Confirm that the exact hardware, software image, license, interfaces and power configuration support the intended mode.