Cisco Firepower 4140 NGFW Appliance
Industry's First Fully Integrated, Threat-Focused Next-Generation Firewall
Click here for more options and pricing!
Please Note: All Prices are Inclusive of GST
Most next-generation firewalls (NGFWs) focus heavily on enabling application control, but little on their threat defense capabilities. To compensate, some NGFW’s will try to supplement their first-generation intrusion prevention with a series of non-integrated add-on products. However, this approach does little to protect your business against the risks posed by sophisticated attackers and advanced malware. Further, once you do get infected, they offer no assistance in scoping the infection, containing it, and remediating quickly.
Stop more threats with our fully integrated next-generation firewall (NGFW) appliance. The 4100 Series’ 1-rack-unit size is ideal at the Internet edge and in high-performance environments. It shows you what’s happening on your network, detects attacks earlier so you can act faster, and reduces management complexity.
What you need is an integrated, threat-centric next-generation firewall. One that not only delivers granular application control, but also provides effective security against the threats posed by sophisticated and evasive malware attacks.
The Cisco Firepower Next-Generation Firewall (NGFW) is the industry’s first fully integrated, threat-focused NGFW. It delivers comprehensive, unified policy management of firewall functions, application control, threat prevention, and advanced malware protection from the network to the endpoint.
It can be deployed on Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances to provide a performance and density optimized NGFW security platform for Internet edge and other high-performance environments.
Protect Your Organization Before, During, and After an Attack
The Cisco Firepower NGFW includes the industry’s most widely deployed stateful firewall and provides granular control over more than 4,000 commercial applications. Its single management interface delivers unified visibility from the network to the endpoint. Firepower NGFW enables comprehensive policy management that controls access, stops attacks, defends against malware and provides integrated tools to track, contain and recover from attacks that do get through.
The Cisco Firepower NGFW is unique in the industry because it is the only next-generation firewall that:
- Provides a next-generation intrusion prevention system (NGIPS) to deliver industry-leading threat protection
- Includes a fully integrated advanced malware protection (AMP) solution that addresses both known and unknown threats, along with an integrated sandbox
- Gives you the ability to track and contain malware infections
- Automatically correlates threat events with your network’s vulnerabilities so you can focus your resources on the threats that matter most
- Analyzes your network’s weaknesses and recommends the best security policies to put in place
- Integrates with a number of Cisco network security products to take advantage of your previous investments and provide stronger security
- Stop more threats - both known and unknown - with the industry’s most effective threat protection
- Gain more insight into and control over the users, applications, devices, threats, and vulnerabilities in your network
- Detect earlier and act faster by shrinking malware time to detection from months down to hours and enable quicker remediation
- Reduce Complexity and simplify your operations by consolidating all security functions into a single management interface
- Get more from your network by integrating with other Cisco security and network solutions
- Stop more threats
Contain known and unknown malware with leading Cisco Advanced Malware Protection (AMP) and sandboxing.
- Gain more insight
Gain superior visibility into your environment with Cisco Firepower next-gen IPS. Automated risk rankings and impact flags identify priorities for your team.
- Detect earlier, act faster
The Cisco Annual Security Report identifies a 100-day median time from infection to detection, across enterprises. Reduce this time to less than a day.
- Reduce complexity
Get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.
- Get more from your network
Enhance security, and take advantage of your existing investments, with optional integration of other Cisco and third-party networking and security solutions.
Get granular application control. Protect against malware. Gain insight into and control over threats and vulnerabilities. Shrink time to detection and remediation. Reduce complexity with a single management interface.
Performance and density optimized
Key capabilities include support for 1/10/40 Gigabit Ethernet interfaces, up to 60 Gbps stateful firewall throughput, low latency, and a 1 RU form factor.
Integrates with Cisco and third-party solutions
Further strengthen your defenses. Share intelligence, context, and policy controls by integrating other Cisco networking and security solutions.
Reduce complexity and simplify operations. Consolidate all security functions in a single management interface. It automatically prioritizes security events, recommends tailored security protections, and tracks and contains malware infections.
Platform Image Support
The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional Next-Gen IPS (NGIPS), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 4100 Series appliances use the Cisco Firepower Threat Defense software image. Alternatively, Cisco Firepower 4100 Series appliances can support the Cisco Adaptive Security Appliance (ASA) software image.
Cisco Firepower NGFWs may be managed in a variety of ways depending on the way you work, your environment, and your needs.
The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco Firepower NGFW, the Cisco Firepower NGIPS, and Cisco AMP for Networks. It also provides threat correlation for network sensors and Advanced Malware Protection (AMP) for Endpoints.
The Cisco Firepower Device Manager is available for local management of 2100 Series and select 5500-X Series devices running the Cisco Firepower Threat Defense software image.
The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 2100 Series, 4100 Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.
Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across Cisco security devices running the ASA software image, enabling greater management efficiency for the distributed enterprise.
Firepower DDoS Mitigation
The Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that optimizes firewall, cryptographic, and threat inspection functions simultaneously. The series’ firewall throughput range addresses use cases from the Internet edge to the data center.
Cisco Firepower NGFW Virtual (NGFWv) Appliances
The Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput range addresses data center and internet edge use cases. They deliver superior threat defense, at faster speeds, with a smaller footprint. Cisco Firepower 4100 Series supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. Network Equipment Building Standards (NEBS)-compliance is supported by the Cisco Firepower 4120 platform.
Cisco Trust Anchor Technologies
Cisco Trust Anchor Technologies provide a highly secure foundation for certain Cisco products. They enable hardware and software authenticity assurance for supply chain trust and strong mitigation against a man-in-the-middle compromise of software and firmware.
Trust Anchor capabilities include:
- Image signing: Cryptographically signed images provide assurance that the firmware, BIOS, and other software are authentic and unmodified. As the system boots, the system’s software signatures are checked for integrity.
- Secure Boot: Secure Boot anchors the boot sequence chain of trust to immutable hardware, mitigating threats against a system’s foundational state and the software that is to be loaded, regardless of a user’s privilege level. It provides layered protection against the persistence of illicitly modified firmware.
- Trust Anchor module: A tamper-resistant, strong-cryptographic, single-chip solution provides hardware authenticity assurance to uniquely identify the product so that its origin can be confirmed to Cisco, providing assurance that the product is genuine.
Firepower DDoS Mitigation
Firepower DDoS Mitigation is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco on the following Cisco Firepower 9300 and 4100 series appliances:
|Cisco Firepower Model||ASA image||FTD Image|
Radware vDP is an award-winning, real-time, behavioral DDoS attack mitigation solution that protects organizations against multiple DDoS threats. Firepower DDoS mitigation defends your application infrastructure against network and application degredation and outage.
DDoS Mitigation: Protection Set
Firepower’s vDP DDoS mitigation consists of patent-protected, adaptive, behavioral-based real-time signature technology that detects and mitigates zero-day network and application DDoS attacks in real time. It eliminates the need for human intervention and does not block legitimate user traffic when under attack.
The following attacks are detected and mitigated:
- SYN flood attacks
- Network DDoS attacks, including IP floods, ICMP floods, TCP floods, UDP floods, and IGMP floods
- Application DDoS attacks, including HTTP floods and DNS query floods
- Anomalous flood attacks, such as nonstandard and malformed packet attacks
|Cisco Firepower 4100 Series|
|Performance||Firepower 4110||Firepower 4120||Firepower 4140||Firepower 4150|
|Throughput: FW + AVC||12 Gbps||20 Gbps||25 Gbps||30 Gbps|
|Throughput: AVC + IPS||10 Gbps||15 Gbps||20 Gbps||24 Gbps|
|Maximum concurrent sessions, with AVC||9 million||15 million||25 million||30 million|
|Maximum new connections per second, with AVC||68,000||120,000||160,000||200,000|
|IPSec VPN Throughput (1024B TCP w/Fastpath)||6 Gbps||10 Gbps||13 Gbps||14 Gbps|
|Maximum VPN Peers||10000||15000||20000||20000|
|Cisco Firepower Device Manager (local management)||-||-||-||-|
|Centralized management||Centralized configuration, logging, monitoring, and reporting are performed by the Management Center or alternatively in the cloud with Cisco Defense Orchestrator|
|Application Visibility and Control (AVC)||Standard, supporting more than 4000 applications, as well as geolocations, users, and websites|
|AVC: OpenAppID support for custom, open source, application detectors||Standard|
|Cisco Security Intelligence||Standard, with IP, URL, and DNS threat intelligence|
|Cisco Firepower NGIPS||Available; can passively detect endpoints and infrastructure for threat correlation and Indicators of Compromise (IoC) intelligence|
|Cisco AMP for Networks||Available; enables detection, blocking, tracking, analysis, and containment of targeted and persistent malware, addressing the attack continuum both during and after attacks. Integrated threat correlation with Cisco AMP for Endpoints is also optionally available|
|Cisco AMP Threat Grid sandboxing||Available|
|URL Filtering: number of categories||More than 80|
|URL Filtering: number of URLs categorized||More than 280 million|
|Automated threat feed and IPS signature updates||Yes: class-leading Collective Security Intelligence (CSI) from the Cisco Talos Group|
|Third-party and open-source ecosystem||Open API for integrations with third-party products; Snort and OpenAppID community resources for new and specific threats|
|High availability and clustering||Active/standby; for Cisco Firepower 9300 intrachassis clustering of up to 5 chassis is allowed; Cisco Firepower 4100 Series allows clustering of up to 6 chassis|
|Cisco Trust Anchor Technologies||ASA 5506-X, 5508-X, and 5516-X appliances, Firepower 2100 Series and Firepower 4100 Series and 9300 platforms include Trust Anchor Technologies for supply chain and software image assurance. Please see the section below for additional details|
|ASA Performance and Capabilities||Firepower 4110||Firepower 4120||Firepower 4140||Firepower 4150|
|Stateful inspection firewall throughput1||35 Gbps||60 Gbps||70 Gbps||75 Gbps|
|Stateful inspection firewall throughput (multiprotocol)2||15 Gbps||30 Gbps||40 Gbps||50 Gbps|
|Concurrent firewall connections||10 million||15 million||25 million||35 million|
|Firewall latency (UDP 64B microseconds)||3.5||3.5||3.5||3.5|
|New connections per second||150,000||250,000||350,000||800,000|
|IPsec VPN throughput (450B UDP L2L test)||8 Gbps||10 Gbps||14 Gbps||15 Gbps|
|IPsec/Cisco AnyConnect/Apex site-to-site VPN peers||10,000||15,000||20,000||20,000|
|Maximum number of VLANs||1024||1024||1024||1024|
|Security contexts (included; maximum)||10; 250||10; 250||10; 250||10; 250|
|High availability||Active/active and active/standby|
|Clustering||Up to 16 appliances|
|Scalability||VPN Load Balancing, Firewall Clustering|
|Centralized management||Centralized configuration, logging, monitoring, and reporting are performed by Cisco Security Manager or alternatively in the cloud with Cisco Defense Orchestrator|
|Adaptive Security Device Manager||Web-based, local management for small-scale deployments|
|Hardware||Firepower 4110||Firepower 4120||Firepower 4140||Firepower 4150|
|Dimensions (H x W x D)||1.75 x 16.89 x 29.7 in. (4.4 x 42.9 x 75.4 cm)|
|Form factor (rack units)||1RU||1RU||1RU||1RU|
|Security module slots||-||-||-||-|
|I/O module slots||2||2||2||2|
|Supervisor||Cisco Firepower 4000 Supervisor with 8 x 10 Gigabit Ethernet ports and 2 Network Module (NM) slots for I/O expansion|
Note: Firepower 4100 Series appliances may also be deployed as dedicated threat sensors, with fail-to-wire network modules. Please contact your Cisco representative for details.
|Maximum number of interfaces||Up to 24 x 10 Gigabit Ethernet (SFP+) interfaces; up to 8 x 40 Gigabit Ethernet (QSFP+) interfaces with 2 network modules|
|Integrated network management ports||1 x Gigabit Ethernet copper port|
|Serial port||1 x RJ-45 console|
|USB||1 x USB 2.0|
|Storage||200 GB||200 GB||400 GB||400 GB|
|Fans||6 hot-swappable fans|
|Rack mountable||Yes, mount rails included (4-post EIA-310-D rack)|
|Weight||36 lb (16 kg): 2 x power supplies, 2 x NMs, 6x fans; 30 lb (13.6 kg): no power supplies, no NMs, no fans|
|Temperature: operating||32 to 104°F (0 to 40°C)||32 to 104°F
(0 to 40°C) or NEBS operation (see below)
|32 to 95°F (0 to 35°C), at sea level||32 to 95°F (0 to 35°C), at sea level|
|Temperature: nonoperating||-4 to 149°F (-20 to 65°C)|
|Humidity: operating||5 to 95% noncondensing|
|Humidity: nonoperating||5 to 95% noncondensing|
|Altitude: operating||10,000 ft (max)||10,000 ft (max) or NEBS operation (see below)||10,000 ft (max)||10,000 ft (max)|
|Altitude: nonoperating||40,000 ft (max)||40,000 ft (max)||40,000 ft (max)||40,000 ft (max)|
|NEBS operation (FPR-2130 Only)5||Operating altitude: 0 to 13,000 ft (3962 m)
Long term: 0 to 45°C, up to 6,000 ft (1829 m)
Long term: 0 to 35°C, 6,000 to 13,000 ft (1829 to 3964 m)
Short term: -5 to 50°C, up to 6,000 ft (1829 m)
|Power Supplies||Firepower 4110||Firepower 4120||Firepower 4140||Firepower 4150|
|Configuration||Single 1100W AC, dual optional. Single/dual 950W DC optional3||Single 1100W AC, dual optional. Single/dual 950W DC optional3||Dual 1100W AC3||Dual 1100W AC3|
|AC input voltage||100 to 240V AC||100 to 240V AC||100 to 240V AC||100 to 240V AC|
|AC maximum input current||13A||13A||13A||13A|
|AC maximum output power||1100W||1100W||1100W||1100W|
|AC frequency||50 to 60 Hz||50 to 60 Hz||50 to 60 Hz||50 to 60 Hz|
|AC efficiency||>92% at 50% load||>92% at 50% load||>92% at 50% load||>92% at 50% load|
|DC input voltage||-40V to -60VDC||-40V to -60VDC||-40V to -60VDC||-40V to -60VDC|
|DC maximum input current||27A||27A||27A||27A|
|DC maximum output power||950W||950W||950W||950W|
|DC efficiency||>92.5% at 50% load||>92.5% at 50% load||>92.5% at 50% load||>92.5% at 50% load|
|Key DDoS Performance Metrics||Firepower 4110||Firepower 4120||Firepower 4140||Firepower 4150|
|Maximum mitigation capacity/throughput||10 Gbps|
|Maximum legitimate concurrent sessions||209,000 Connections Per Second (CPS)|
|Maximum DDoS flood attack prevention rate||1,800,000 Packets Per Second (PPS)|
*Note: The 2100 Series appliances may also be deployed as dedicated threat sensors with fail-to-wire network modules. Please contact your Cisco representative for details.
1 Throughput measured with User Datagram Protocol (UDP) traffic measured under ideal test conditions.
2 "Multiprotocol" refers to a traffic profile consisting primarily of TCP-based protocols and applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3 Dual power supplies are hot-swappable.
Download the Cisco Firepower NGFW Datasheet (PDF).
- All Prices are Inclusive of GST
- Pricing and product availability subject to change without notice.