Cisco Secure Firewall ASA Virtual (ASAv)


Data sheet
Cisco public
Cisco Secure Firewall ASA Virtual (ASAv)
© 2021 Cisco and/or its affiliates. All rights reserved.

Contents
Product overview
Benefits
Smart Software Licensing
Cisco Capital

Today, organizations rely on a mixture of physical and virtual control points to meet their network security needs. They need the flexibility to deploy different physical and virtual firewalls across a wide range of environments while still maintaining consistent policy across branch offices, corporate data centers, and all points between. From data center consolidation to office relocations, mergers and acquisitions, as well as seasonal peaks in demand on your applications, Cisco’s virtual firewall portfolio helps businesses simplify security management with the convenience of unified policy and the flexibility to deploy everywhere.

Cisco Secure Firewall ASA Virtual (formerly ASAv) gives you the flexibility to choose the performance you need for your organization. Secure Firewall ASA Virtual is the virtualized option of our popular Secure Firewall ASA solution and offers security in traditional physical data centers and private and public clouds. Its scalable VPN capability provides secure access to your organization’s resources—and protects workloads against increasingly complex threats with world-class security controls.

Product overview

Secure Firewall ASA Virtual is a firewall with powerful VPN capabilities. It supports site-to-site VPN, remote-access VPN, and clientless VPN functionalities. Consistent policy simplifies management across your virtual and physical Secure Firewall ASA solutions. Cisco Smart Software Licensing makes it easy to deploy, manage, and track virtual instances of the appliance running in your private cloud or in a public cloud.

Figure 1. Cisco Secure Firewall ASA Virtual (formerly ASAv) overview

Benefits

VPN head-end

Cisco AnyConnect client empowers employees to work from home (or anywhere) on any device at any time, securely. Give any user highly secure access to your enterprise network and provide visibility and control to your IT and security teams to identify who and which devices are accessing the infrastructure. Alleviate strain on your IT and security teams as they support offsite workers and personal devices. Secure Firewall ASA Virtual supports site-to-site VPN for connecting your data centers.

License portability across clouds

Deploy Secure Firewall ASA Virtual everywhere—from your data center to your branch office, to a public cloud—with the portability of one license across public or private clouds (VMware, KVM and Hyper-V, OpenStack, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI) and government clouds). Expand, contract, and relocate workloads over time spanning private and public cloud infrastructures with one license.

Low-touch deployment

Rapidly deploy additional Secure Firewall ASA Virtual appliances to support unplanned or seasonal surges on your applications or VPN. Add more bandwidth or protection for remote offices by spinning up a new virtual machine. Choose from higher-performance model options if you need more protection.

Smart Software Licensing

Cisco Smart Software Licensing makes it easier to buy, deploy, track, and renew Cisco licenses. You will enjoy:

- Simpler purchase and activation of the virtual appliance
- Easier license management and reporting of virtual appliances due to license pooling
- Automatic license activation when the virtual appliance is provisioned

Customers, select partners, and Cisco can view product entitlements and services in the Cisco Smart Software Manager. Configuration and activation are done with a single token. Secure Firewall ASA Virtual will self-register with a Cisco server in the cloud, eliminating the need to register products with Product Activation Keys (PAKs). Instead of using PAKs or license files, Smart Software Licensing establishes a pool of software licenses or entitlements that can be used across your organization. When a virtual appliance is instantiated on a customer’s premises, an entitlement is subtracted from the pool. When a virtual appliance is decommissioned, or when it is deinstantiated within the Smart Software Manager, an entitlement is added to the pool.

With the Smart Software Manager, you can manage license deployments throughout your organization easily and quickly. You can also manage multiple products from Cisco that support Smart Software Licensing.

Secure Firewall ASA Virtual uses Smart Software Licensing exclusively. Older forms of licensing are not supported.

Any Secure Firewall ASA Virtual license can be used on any supported ASAv vCPU/memory configuration. This allows customers to run on a wide variety of VM resource footprints. This also increases the number of supported AWS, Azure, GCP and OCI instance types. When configuring the Secure Firewall ASA Virtual VM, the maximum supported number of vCPUs is 16 and the maximum supported memory is 128GB RAM.

Table 1. Specifications for 9.16 and later - ESXi/KVM/OpenStack

| Feature | Entitlement support: Standard tier | | | | |
|---|---|---|---|---|---|
| License Type | 100M (ASAv5) | 1G (ASAv10) | 2G (ASAv30) | 10G (ASAv50) | 20G (ASAv100) |
| Stateful inspection throughput (maximum) [1] | 100 Mbps | 1 Gbps | 2 Gbps | 10 Gbps | 20 Gbps |
| Stateful inspection throughput (multiprotocol) [2] | 100 Mbps | 1 Gbps | 2 Gbps | 10 Gbps | 20 Gbps |
| IPsec VPN throughput (AES 450B UDP test) [3] | 100 Mbps | 750 Mbps | 2 Gbps | 4 Gbps | 8 Gbps |
| Connections per second | 12,500 | 60,000 | 200,000 | 350,000 | 600,000 |
| Concurrent s255020010241024 | | | | | |
| Bridge groups | 12 | 25 | 100 | 250 | 250 |
| IPsec VPN peers | 50 | 250 | 750 | 10,000 | 20,000 |
| Cisco AnyConnect or clientless VPN user sessions | 50 | 250 | 750 | 10,000 | 20,000 |
| Virtual CPU core allocation [4] | 1 | 1 | 4 | 8 | 16 |
| Memory allocation [4] | 2GB | 2GB | 8GB | 16GB | 32GB |
| Disk storage [5] | 8GB | 8GB | 8GB | 8GB | 8GB |

This data is from testing on the Cisco Unified Computing System (Cisco UCS) C series M5 server with the Intel Xeon Gold 6254 processors running SR-IOV on Intel X520/X710. Stated virtual CPU core allocation assumes dedicated physical cores with Hyper Threading disabled. Each performance number above was obtained while running only the associated test.

Note:
[1] Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under ideal test conditions.
[2] “Multiprotocol” refers to a traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
[3] The VPN throughput and the number of sessions depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
[4] Stated resource allocation is required to achieve the documented performance metrics for each tier. Decreased allocations are supported but will result in lower performance.
[5] Thin provisioning is supported.

Table 2. Specifications for 9.16 and later - AWS

| AWS Performance | | | | | |
|---|---|---|---|---|---|
| License Type | 100M (ASAv5) | 1G (ASAv10) | 2G (ASAv30) | 10G (ASAv50) | 20G (ASAv100) |
| AWS Instance | | | | | |
| Stateful inspection throughput (maximum) [6] | 100 Mbps | 1 Gbps | 2 Gbps | 10 Gbps | 16 Gbps |
| Stateful inspection throughput (multiprotocol) [7] | 100 Mbps | 1 Gbps | 2 Gbps | 4.5 Gbps | 8 Gbps |
| IPsec VPN throughput (AES 450B UDP test) [8] | 100 Mbps | 1 Gbps | 2 Gbps | 3.5 Gbps | 5.5 Gbps |
| Connections per second | 12,500 | 62,000 | 90,000 | 120,000 | 200,000 |
| Concurrent | | | | | |
| IPsec VPN peers | 50 | 250 | 750 | 10,000 | 20,000 |
| Cisco AnyConnect or clientless VPN user sessions | 50 | 250 | 750 | 10,000 | 20,000 |

Table 3. Specifications for 9.16 and later - Azure

| Azure Performance** | | | | | |
|---|---|---|---|---|---|
| License Type | 100M (ASAv5) | 1G (ASAv10) | 2G (ASAv30) | 10G (ASAv50) | 20G (ASAv100) |
| Azure VM Type | D3 v2 | D3 v2 | D3 v2 | D4 v2 | D5 v2 |
| Stateful inspection throughput (maximum) [6] | 100 Mbps | 1 Gbps | 2 Gbps | 5.5 Gbps | 11 Gbps |
| Stateful inspection throughput (multiprotocol) [7] | 100 Mbps | 1 Gbps | 1 Gbps | 1.5 Gbps | 2.5 Gbps |
| IPsec VPN throughput (AES 450B UDP test) [8] | 100 Mbps | 1 Gbps | 1.75 Gbps | 3.5 Gbps | 6.5 Gbps |
| Connections per second | 10,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| Concurrent | | | | | |
| IPsec VPN peers | 50 | 250 | 750 | 10,000 | 20,000 |
| Cisco AnyConnect or clientless VPN user sessions | 50 | 250 | 750 | 10,000 | 20,000 |

- Measured on instances with Accelerated Networking (AN) enabled.

Table 4. Specifications for 9.16 and later - GCP

| GCP Performance | | | | | |
|---|---|---|---|---|---|
| License Type | 100M (ASAv5) | 1G (ASAv10) | 2G (ASAv30) | 10G (ASAv50) | 20G (ASAv100) |
| GCP Machine dard-8c2-standard-16 | | | | | |
| Stateful inspection throughput (maximum) [6] | 100 Mbps | 1 Gbps | 2 Gbps | 7.6 Gbps | 16 Gbps |
| Stateful inspection throughput (multiprotocol) [7] | 100 Mbps | 1 Gbps | 2 Gbps | 7.2 Gbps | 12 Gbps |
| IPsec VPN throughput (AES 450B UDP test) [8] | 100 Mbps | 1 Gbps | 2 Gbps | 3.3 Gbps | 7.2 Gbps |
| Connections per second | 12,500 | 48,000 | 60,000 | 82,000 | 160,000 |
| Concurrent | | | | | |
| IPsec VPN peers | 50 | 250 | 750 | 10,000 | 20,000 |
| Cisco AnyConnect or clientless VPN user sessions | 50 | 250 | 750 | 10,000 | 20,000 |

Table 5. Specifications for 9.16 and later - OCI

| OCI Performance | | | | | |
|---|---|---|---|---|---|
| License Type | 100M (ASAv5) | 1G (ASAv10) | 2G (ASAv30) | 10G (ASAv50) | 20G (ASAv100) |
| OCI Shape tandard2.8VM.Standard2.8 | | | | | |
| Stateful inspection throughput (maximum) [6] | 100 Mbps | 1 Gbps | 2 Gbps | Coming soon | Coming soon |
| Stateful inspection throughput (multiprotocol) [7] | 100 Mbps | 1 Gbps | 2 Gbps | 2.3 Gbps | 3 Gbps |
| IPsec VPN throughput (AES 450B UDP test) [8] | 100 Mbps | 550 Mbps | 550 Mbps | 550 Mbps | 620 Mbps |
| Connections per second | 12,500 | 26,600 | 26,600 | 26,600 | 38,200 |
| Concurrent | | | | | |
| IPsec VPN peers | 50 | 250 | 750 | 10,000 | 20,000 |
| Cisco AnyConnect or clientless VPN user sessions | 50 | 250 | 750 | 10,000 | 20,000 |

[6] Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under ideal test conditions.
[7] “Multiprotocol” refers to a traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
[8] The VPN throughput and the number of sessions depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.

Table 6. Secure Firewall ASA Virtual models and recommended public cloud instance types

| Standard tier | 100M (ASAv5) | 1G (ASAv10)* | 2G (ASAv30)* | 10G (ASAv50)* | 20G (ASAv100)* | Comments |
|---|---|---|---|---|---|---|
| Recommended c5.largeAWS xlargem4.2xlarge | | | | | | Smallest supported instance type is large, which supports maximum throughput/limits of 1G entitlement. Auto Scale is supported |
| Recommended Azure VM types | F4, F4s, D3, D3 v2, DS3, DS3 v2 | F4, F4s, D3, D3 v2, DS3, DS3 v2 | F4, F4s, D3, D3 v2, DS3, DS3 v2 | F8, F8s, D8 v3, D4, D4 v2, DS4, DS4 v2 | F16, F16s, D5, D5 v2, D16 v3, DS5, DS5 v2 (Version 9.15 and above only) | Smallest supported instance size is F4/F4s, and supports max throughput/limits of 2G entitlement. Auto Scale is supported. Accelerated Networking is supported. |
| Recommended GCP machine types (Version 9.15 and above only) | c2-standard-4 | c2-standard-4 | c2-standard-4 | c2-standard-8 | c2-standard-16 | Smallest supported instance size is c2-standard-4, and supports max throughput/limits of 2G entitlement |
| Recommended OCI shape types (Version 9.15 and above only) | VM.Standard2.4 | VM.Standard2.4 | VM.Standard2.4 | VM.Standard2.8 | VM.Standard2.8 | Smallest supported instance size is VM.standard2.4, and supports max throughput/limits of 2G entitlement |

*The recommended instances for higher entitlement can be used for lower entitlement as well.

Table 7. Hypervisor and public cloud port

ESXi 6.0, 6.5, 6.7, 7.0 Yes Yes (Windows Server 2012-R2) High availability Modes Azure GCP OCI AWS, AWS Gov Marketplace, AWS China (see VM instances supported in Table 9) Azure, Azure Gov Marketplace, Azure China (see VM instances supported in Table 10) GCP (see VM instances supported in Table 11) OCI (see VM instances supported in Table No No Routed and transparent Routed only Routed only Routed only Routed only

Table 8. Maximum Cisco AnyConnect user sessions

| RAM (GB), MIN | RAM (GB), MAX | Entitlement support: 100M (ASAv5) | 1G (ASAv10)* | 2G (ASAv30)* | 10G (ASAv50)* | 20G (ASAv100)* |
|---|---|---|---|---|---|---|
| 2 | 8 | 50 | 250 | 250 | 250 | 250 |
| 8 | 16 | 50 | 250 | 750 | 750 | 750 |
| 16 | 32 | 50 | 250 | 750 | 10K | 10K |
| 32 | No max | 50 | 250 | 750 | 10K | 20K |

Table 9. AWS instance support

| Instance | Attributes: vCPUs | Attributes: Memory |
|---|---|---|
| 815 | | |
| m4.large | 2 | 8 |
| m4.xlarge | 4 | 16 |
| m4.2xlarge* | 8 | 32 |

***Requires 9.13 and later. Requires 9.14.1.10 and later

Table 10. Azure instance support

| Instance | Attributes: vCPUs | Attributes: Memory (GB) |
|---|---|---|
| D3, D3 v2, DS3*, DS3 v2* | 4 | 14 |
| D4*, D4 v2*, DS4*, DS4 v2* | 8 | 28 |
| D5, DS5, D5 v2, DS5 v2** | 16 | 56 |
| D8 v3* | 8 | 32 |
| D16 v3** | 16 | 64 |
| F4*, F4s* | 4 | 8 |
| F8*, F8s* | 8 | 16 |
| F16, F16s** | 16 | 32 |

*Requires 9.13 and later.
**Requires 9.15 and later

Table 11. GCP instance support*

| Instance* | Attributes: OCPU’s | Attributes: Memory |
|---|---|---|
| d-16 | | |
| -1616128 | | |

Requires 9.15 and later

Table 12. OCI instance support*

| Instance* | Attributes: vCPUs | Attributes: Memory (GB) |
|---|---|---|
| VM.Standard2.4 | 4 | 60 |
| VM.Standard2.8 | 8 | 120 |

Requires 9.15 and later

Table 13. Ordering information: In Cisco Commerce Workspace (CCW) order the base selection (denoted by “K9” in the part number), followed by the desired license type

| Part number | Description |
|---|---|
| L-ASAV5S-K9 | Cisco 100 Mbps entitlement (ASAv5) selection (Perpetual License) |
| L-ASA-V-5S-K9 | Cisco 100 Mbps entitlement (ASAv5) subscription |
| L-ASAV10S-K9 | Cisco 1 Gbps entitlement (ASAv10) selection (Perpetual License) |
| L-ASA-V-10S-K9 | Cisco 1 Gbps entitlement (ASAv10) subscription |
| L-ASAV30S-K9 | Cisco 2 Gbps entitlement (ASAv30) selection (Perpetual License) |
| L-ASA-V-30S-K9 | Cisco 2 Gbps entitlement (ASAv30) subscription |
| L-ASAV50S-K9 | Cisco 10 Gbps entitlement (ASAv50) selection (Perpetual License) |
| L-ASA-V-50S-K9 | Cisco 10 Gbps entitlement (ASAv50) subscription |
| L-ASA-V-100S-K9 | Cisco 20 Gbps entitlement (ASAv100) subscription* |

*No Perpetual license option for ASAv100

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

Printed in USA. C78-733399-14 06/21
