Lesson 1 of 5

Firewall Architecture: FTD vs ASA

Introduction

When you deploy a firewall in a modern network, the platform you choose and the software image it runs determine everything — from the security features available to the throughput you can expect. In this lesson, we break down the architecture of the Cisco Secure Firewall product line, comparing the two primary software personalities: Firepower Threat Defense (FTD) and the Adaptive Security Appliance (ASA).

Understanding the architectural differences between FTD and ASA is essential for any CCNP Security candidate. Both run on the same hardware platforms, but they offer very different feature sets and performance profiles. By the end of this lesson, you will be able to:

  • Describe the internal hardware architecture of the Secure Firewall 1200 Series and 9300 Series platforms.
  • Compare FTD and ASA throughput numbers across key traffic profiles.
  • Explain how Cisco Security Cloud Control provides unified management across firewall deployments.
  • Identify FTD-exclusive capabilities such as Encrypted Visibility Engine (EVE) and Umbrella cloud security integration.
  • Understand deployment provisioning options including Low Touch Provisioning and Zero Touch Provisioning.

Key Concepts

FTD vs ASA: Two Software Images, One Hardware Platform

The Secure Firewall hardware platforms support both ASA and FTD software images. The choice of image changes the feature set dramatically.

ASA is the traditional stateful firewall image. It excels at raw packet throughput, stateful connection tracking, and site-to-site IPsec VPN. It has been the backbone of Cisco firewall deployments for over a decade.

FTD is the next-generation firewall (NGFW) image. It layers Application Visibility and Control (AVC), Intrusion Prevention System (IPS), TLS decryption, and advanced threat detection on top of the stateful firewall engine. The trade-off is lower raw throughput compared to ASA on the same hardware, because every packet goes through deeper inspection.

Feature                                  ASA        FTD
Stateful firewall                        Yes        Yes
AVC + IPS                                No         Yes
Encrypted Visibility Engine (EVE)        No         Yes (7.1+)
Umbrella cloud security integration      No         Yes (7.2+)
TLS decryption                           Limited    Full
Management via Security Cloud Control    Yes        Yes

Cisco Security Cloud Control

Cisco Security Cloud Control is a platform-level management layer that consolidates multiple security products under a single login. Instead of managing individual product consoles separately, Security Cloud Control provides:

  • A unified login that removes the need for multiple individual security product logins.
  • Consolidated provisioning and administration across security products.
  • A customizable dashboard with tiles for Firewall Manager, Multicloud Defense, and other security services.
  • Multi-tenant support with organizations, Role-Based Access Control (RBAC), licensing, and an API gateway.

The platform follows a hierarchical model: the global Security Cloud Control platform sits above regional security applications. Each organization — for example, "Organization TEST" or "Organization X" — has its own isolated tenant within the platform, and each tenant can manage its own set of firewalls and security services.

How It Works

Secure Firewall 1200 Series Architecture

The Secure Firewall 1200 Series is built around an ARM-based Network/Security System-on-Chip (SoC). The internal architecture includes:

  • ARM CPU Complex: The 1230 and 1240 models use 12 cores, while the 1250 uses 16 cores.
  • RAM: The 1230 ships with 16 GB of RAM; the 1240 and 1250 ship with 32 GB.
  • Inline Crypto Accelerator: Dedicated hardware for IPsec and TLS offload, built into the system bus.
  • Ethernet Internal Switch Fabric: Connects on-board copper and SFP+ interfaces to the CPU complex.

The on-board interfaces vary by model:

Component          1230         1240         1250
On-board copper    8x1GE        8x1GE        8x1GE
On-board SFP+      4x1/10GE     4x1/10GE     4x1/10GE
Uplink SFP+        2x10GE       2x10GE       1x50GE
Additional SFP     1x10GE       1x10GE       1x25GE
Management         1x1GE        1x1GE        1x1GE

Physical connectivity includes RJ-45 and USB-C console ports, plus USB-A for external flash storage. The management interface is a dedicated 10/100/1000BaseT Ethernet port. The 1200 Series supports ASA 9.23 and FTD 7.7.

Secure Firewall 9300 Series Architecture

The Secure Firewall 9300 Series is a modular chassis platform designed for data center and high-performance environments. Its architecture is fundamentally different from the 1200 Series:

  • Supervisor Module: Handles application deployment, orchestration, network attachment, traffic distribution, and provides the clustering base layer for ASA or FTD.
  • Service Modules: Each module contains an embedded Smart NIC and crypto hardware. Each service module can independently run either ASA or FTD, and the chassis supports mixed-mode operation — meaning one module can run ASA while another runs FTD in the same chassis.
  • Network Modules: Two bays support 10GE, 40GE, and 100GE interfaces, including hardware bypass options for inline NGIPS deployments.

The Supervisor connects to each Service Module via 2x40GE switching fabric links and has 5x40GE links toward the Network Module bays, plus 8xSFP/SFP+ built-in ports and one SFP management port. The chassis uses AC/DC redundant power supplies rated at 3000W.

Key 9300 performance numbers per Service Module:

  • Up to 64 Gbps for FW + AVC + IPS with 1024-byte average packet size
  • Up to 51 Gbps for IPsec with 1024-byte average packet size (release 7.2)
  • Clustering support for up to 16 units

Network interface allocation on the 9300 uses Port-Channels in either LACP or Static mode (Static mode has been available since FXOS 2.4.1), with up to 16 member ports per channel.

FTD vs ASA Performance Comparison — 1200 Series

The same hardware produces very different throughput numbers depending on whether you run ASA or FTD, because FTD adds deep packet inspection overhead.

FTD Performance (1200 Series, FTD 7.7):

Metric                              1230        1240        1250
AVC+IPS (HTTP, 1024B avg)           9 Gbps      12 Gbps     18 Gbps
IPsec VPN (1024B TCP, FastPath)     13 Gbps     18 Gbps     22 Gbps
TLS 50% decrypt                     2.5 Gbps    3.1 Gbps    4.1 Gbps
Concurrent sessions (AVC)           0.4M        0.6M        1M
New connections/sec                 50k         80k         100k
Maximum VPN peers                   500         1,000       1,500
Maximum VRFs                        5           5           10

ASA Performance (1200 Series, ASA 9.23):

Metric                                1230        1240        1250
UDP (1500B avg)                       20+ Gbps    20+ Gbps    20+ Gbps
Multiprotocol mix                     20+ Gbps    20+ Gbps    20+ Gbps
IPsec site-to-site (450B, AES-256)    13 Gbps     18 Gbps     22 Gbps
Concurrent sessions (stateful)        0.4M        0.6M        1M
New connections/sec                   350k        450k        550k
Maximum VPN peers                     500         1,000       1,500

Key takeaway: ASA delivers a far higher new-connection rate (350k to 550k per second versus 50k to 100k per second on the 1200 Series) because it does not perform AVC or IPS inspection. Choose ASA when raw throughput and connection rate are the priority; choose FTD when you need application-level visibility and threat prevention. Two caveats apply when reading these tables. First, they are datasheet figures measured with a fixed traffic profile, so the throughput you actually get depends on your own packet-size mix, the share of TLS traffic you decrypt and the depth of the IPS policy. Second, only like-for-like rows compare directly: the FTD IPsec figure is measured with 1024-byte packets while the ASA figure uses 450-byte packets, so the identical Gbps values do not mean identical per-packet capacity.

Encrypted Visibility Engine (EVE)

Encrypted Visibility Engine (EVE) is an FTD-exclusive feature available starting with FTD 7.1. EVE fingerprints client processes from the unencrypted fields of the TLS ClientHello (the offered protocol versions, cipher suites, extensions and their ordering), so it can identify the client application without decrypting the session. Because a fingerprint is a statistical match against a Cisco-maintained database rather than proof of identity, every EVE verdict carries a confidence score, and verdicts should be treated accordingly when used for enforcement.

For example, EVE can inspect a TLS flow from 192.168.2.110/34624 to 172.16.45.200/443 and determine with 99.94% confidence that it originates from firefox.exe version 76.0.1, running on Windows 10, categorized as a browser, with the destination FQDN cisco.com. It can also detect anonymizer tools — identifying tor.exe version 9.0.2 at 100% confidence on a flow to 203.0.113.154/443.

EVE has evolved across releases:

  • FTD 7.1: Initial release — process name detection and confidence scoring in unified events, plus inference-based threat alerts.
  • FTD 7.2: Detected process names can be linked to a custom Application ID for enforcement in access control policies.
  • FTD 7.4+ (EVE 2.0): Adds inference-based AppID enrichment, connection filtering based on malware confidence scores, and fingerprint updates with anonymized telemetry sharing.
  • FTD 7.6: Ability to exempt certain applications from fingerprinting to avoid false positives.
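To make the mechanism concrete, here is an added example (not Cisco's EVE code, and not the fingerprint format EVE actually uses) that parses a TLS ClientHello record, extracts the same kind of cleartext fields EVE looks at (version, cipher suites, extensions, supported groups, point formats, SNI) and reduces them to a JA3-style fingerprint string and hash. The sample ClientHello bytes and the fingerprint lookup table are constructed inline so the script runs offline; the label "example-browser" is a placeholder, not a real process name. GREASE values are filtered because they are randomised per connection and would otherwise break the fingerprint.

```python
import hashlib
import struct


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are random per connection; drop them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(sni: str, ciphers, curves, point_formats) -> bytes:
    """Constructed test input: a minimal TLS 1.2-style ClientHello inside one record."""
    random = bytes(range(32))  # fixed "random" so the sample is deterministic
    name = sni.encode("ascii")
    # server_name: list length, name type 0 (host_name), name length, name
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    curves_ext = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", c) for c in curves)
    pf_ext = bytes([len(point_formats)]) + bytes(point_formats)
    exts = b"".join(struct.pack("!HH", etype, len(data)) + data
                    for etype, data in ((0, sni_ext), (10, curves_ext), (11, pf_ext)))
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + random + b"\x00"       # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"     # cipher suites, null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record: bytes) -> dict:
    """Walk the ClientHello and collect the cleartext fields a fingerprint is built from."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    def u16(pos):
        return struct.unpack("!H", hello[pos:pos + 2])[0]

    pos = 0
    version = u16(pos); pos += 2
    pos += 32                      # client random
    pos += 1 + hello[pos]          # session id
    cs_len = u16(pos); pos += 2
    ciphers = [u16(i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + hello[pos]          # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "sni": None, "curves": [], "point_formats": []}
    if pos + 2 > len(hello):
        return info                # legacy clients may send no extensions at all
    end = pos + 2 + u16(pos); pos += 2
    while pos + 4 <= end:
        etype, elen = u16(pos), u16(pos + 2); pos += 4
        data = hello[pos:pos + elen]; pos += elen
        info["extensions"].append(etype)
        if etype == 0 and len(data) >= 5:          # server_name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 10 and len(data) >= 2:       # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            info["curves"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11 and len(data) >= 1:       # ec_point_formats
            info["point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3_string(info: dict) -> str:
    """JA3 layout: version,ciphers,extensions,curves,point_formats with GREASE removed."""
    def join(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                     join(info["curves"]), "-".join(str(p) for p in info["point_formats"])])


def ja3_hash(info: dict) -> str:
    return hashlib.md5(ja3_string(info).encode()).hexdigest()


# Constructed sample flow: a client offering one GREASE cipher, TLS 1.3 suites and an ECDHE suite.
SAMPLE = build_client_hello("cisco.com", [0x0A0A, 0x1301, 0x1302, 0xC02B], [0x1A1A, 0x001D, 0x0017], [0])

# Constructed fingerprint database (a real engine ships a vendor-collected one with confidence data).
KNOWN_FINGERPRINTS = {ja3_hash(parse_client_hello(SAMPLE)): "example-browser (constructed label)"}


def identify(record: bytes) -> dict:
    """What the firewall learns from the ClientHello alone: destination name plus a process guess."""
    info = parse_client_hello(record)
    fp = ja3_hash(info)
    return {"sni": info["sni"], "fingerprint": fp, "process": KNOWN_FINGERPRINTS.get(fp, "unknown")}


if __name__ == "__main__":
    print(ja3_string(parse_client_hello(SAMPLE)))
    print(identify(SAMPLE))
```

The GREASE filter is the part worth noticing: a client that rotates its GREASE values on every connection still produces the same fingerprint, while a client with a different cipher order or extension set produces a different one and falls through to "unknown". That is also why a fingerprint is evidence rather than proof, which is what the confidence score in EVE's output expresses.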

Umbrella Cloud Security Integration

Starting with FTD 7.2, the firewall can selectively redirect DNS, SaaS and other outbound traffic to Umbrella for cloud-delivered security. This addresses a real limitation of edge firewalls: destinations that change dynamically behind DNS, and TLS connections that cannot be decrypted (certificate pinning, client-certificate authentication, policy restrictions), are hard to inspect locally. Umbrella DNS filtering blocks many threats at the resolution step, before a connection is ever built, without consuming firewall processing cycles, and its Cloud Access Security Broker (CASB) inspects SaaS traffic in the cloud so the firewall does not have to decrypt that traffic on-box.

Configuration Example

FTD Deployment via Security Cloud Control

FTD devices can be onboarded to Security Cloud Control using two provisioning methods:

Low Touch Provisioning (LTP): Security Cloud Control generates a one-time registration key (together with a NAT ID, because the device is behind NAT from the cloud's point of view) and displays the exact command to paste into the FTD CLI. The general form is:

configure manager add <SCC-hostname> <reg-key> <nat-id>

After issuing it, confirm with show managers on the device, which reports whether registration to that manager is still pending or has completed; a registration that stays pending usually means the device cannot reach the Security Cloud Control hostname over TCP/8305 through its management path.

Zero Touch Provisioning (ZTP): A new, factory-reset or factory-shipped device is onboarded using only its serial number in Security Cloud Control. The device can be shipped directly from the manufacturer to the customer location; no on-site CLI access is required. It does need power, an interface that obtains an address via DHCP, and outbound Internet reachability to the Cisco cloud so it can call home.

Best practice: Use Zero Touch Provisioning for branch office deployments where no on-site engineer is available. The device ships directly to the location, powers on, and registers itself with Security Cloud Control using its serial number. Record the serial numbers at purchase time and pre-stage them in Security Cloud Control so the device is claimed by your tenant the moment it calls home.

9300 Port-Channel Configuration

On the Secure Firewall 9300, network interfaces are allocated and connected to service modules through the Supervisor. Port-Channels can be created in LACP or Static mode with up to 16 member ports. The FXOS CLI sequence below creates a two-member 10GE data Port-Channel; the mode, the enable and the commit-buffer are all required, because FXOS stages configuration in a buffer and nothing is applied until it is committed:

scope eth-uplink
  scope fabric a
    create port-channel 1
      set port-type data
      set speed 10gbps
      set port-channel-mode active
      create member-port Ethernet1/1
        exit
      create member-port Ethernet1/2
        exit
      enable
      commit-buffer

Note: Static Port-Channel support was introduced in FXOS 2.4.1. For environments where the upstream switch does not support LACP, use set port-channel-mode on instead of active. In static mode the Supervisor brings the bundle up without LACP negotiation, so a mis-cabled member is not detected automatically; verify the member assignments on both ends before putting the channel into service.

Real-World Application

Branch Office Deployment

The Secure Firewall 1200 Series is purpose-built for branch offices and small campuses. The 1230 with its 9 Gbps FTD AVC+IPS throughput covers most branch scenarios. For branches with heavier VPN requirements, the 1250 provides up to 22 Gbps IPsec throughput and supports 1,500 VPN peers.

Zero Touch Provisioning makes large-scale branch rollouts practical — devices ship from the factory to the branch, and the central security team onboards them through Security Cloud Control using serial numbers alone.

Data Center Deployment

The 9300 Series with its modular service modules, clustering support for up to 16 units, and per-module throughput of 64 Gbps (FW+AVC+IPS) handles data center workloads. Mixed-mode operation allows running ASA on one service module for high-throughput stateful inspection while running FTD on another for traffic requiring deep inspection.

Hybrid Cloud with DPU Acceleration

For virtualized environments, ASAv or FTDv software deploys on x86 CPUs in private and public clouds. When an Nvidia BlueField Data Processing Unit (DPU) is present, additional ARM software components program inline acceleration for flow processing, IPsec and (D)TLS encryption, and Regex matching — offloading these intensive tasks from the general-purpose x86 CPU.

Enhancing Edge Security with Umbrella

In deployments where the edge firewall cannot effectively inspect all outbound traffic — particularly dynamically changing DNS destinations and undecryptable TLS — FTD 7.2+ integrates with Umbrella to redirect selected traffic for cloud-based DNS filtering and CASB inspection. This hybrid approach keeps heavy lifting in the cloud while the on-premises firewall handles traditional stateful inspection and IPS.

Summary

  • FTD and ASA run on the same hardware but serve different purposes: ASA maximizes raw throughput and connection rates, while FTD adds AVC, IPS, EVE, and cloud security integration at the cost of lower throughput.
  • The Secure Firewall 1200 Series uses ARM-based SoCs with inline crypto acceleration, supporting up to 18 Gbps FTD AVC+IPS throughput (1250 model) and 20+ Gbps ASA throughput.
  • The Secure Firewall 9300 Series is a modular chassis supporting mixed ASA/FTD operation, clustering up to 16 units, and up to 64 Gbps per service module for FW+AVC+IPS.
  • Encrypted Visibility Engine (EVE) identifies applications inside encrypted TLS sessions without decryption, available from FTD 7.1 with ongoing enhancements through 7.6.
  • Security Cloud Control unifies firewall management, provisioning, and dashboarding across organizations, eliminating the need for multiple product-specific consoles.

In the next lesson, we will explore access control policy design on FTD, building on the architectural foundation covered here.