Tuesday, October 2, 2018

NGFW: Anyone using FTD in production?

Hi guys, we are currently evaluating multiple NGFW vendors as our old dirty ASAs won't do the job anymore at the internet edge. We got a lot of feedback already and saw multiple products; we also know about the history of Firepower/Sourcefire, which is like a real-life nightmare... but we don't want to judge based on the past - and a lot of things got promised with 6.2.3 which made the whole solution look way better than it was a year ago. Also, there is shiny new hardware available.

Anyway: Does anybody run FTD in production and can share some experiences on daily operations? We are absolutely aware that migration and new technologies will always need some effort, but in the end we are looking for a stable and mature solution.

What we know so far:

  • FMC performance is bad except if you have the largest one with SSDs for about 100k per box (you need 2 for HA, obviously)
  • Promised specs are nowhere near reality; should be about a third of the named throughputs (based on NSS Labs report)
  • There is always and will always be an ASA hidden in FTD (LINA) - if you know ASA you have some advantage for troubleshooting (I guess)
  • Licensing adds heavy costs but that's the same for other vendors

Maybe in other words: are there any happy FTD customers out there? Because we couldn't find one yet.


