Cisco FTD 2100/4100/9300 Has a Built-in SSL Chip!
The new #Cisco #FTD boxes such as the 2100/4100/9300 have a built-in SSL chip, but what kind?
The #Cisco 2100 has the Cavium Octeon chip, just like some of the ASAs (5506/08/16), but the 4100/9300 #FTD boxes have the far more powerful #Cavium Nitrox chipset for SSL decryption (the same one used by Bluecoat/F5).
So, should you just replace your current ASAs with the new 4100/9300s? Sure! If you have unlimited funds, absolutely. However, if you’re like the rest of us, you’ll continue to use your existing hardware if you can. Some current ASAs have the Nitrox chip in them, so they are still very much useful even though Cisco lists them as EOL.
You can see this by running show module on each platform; the output lists the crypto chip:
- 5506/08/16: Crypto Accelerator: Cavium Octeon III CN7020 2 core 1.2GHz or Cavium Octeon III CN7130 4 core 1.6GHz
- 5525/45/55: Crypto Accelerator: Cavium Nitrox PX CN1610 or CN1620
Sometime around the 4th quarter of 2018 you should see FTD code released that enables the Nitrox chip to be used for SSL decryption; in the meantime, the chip is used by the Lina core for IPsec and SSL VPN.
The key takeaway here is that your 5525/45/55 ASAs can be migrated to FTD; they are powerful and still very useful!
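As an added example (not part of the original post), here is a small Python inventory check that pulls the Crypto Accelerator line out of saved show module output and applies the post's Octeon vs. Nitrox distinction to each box. The sample outputs are constructed to resemble the command output, not captured from real devices, and the verdict strings are my own wording of the post's guidance.

```python
import re
from typing import Dict, Optional

# Constructed sample "show module" excerpts for three ASAs. Only the
# "Crypto Accelerator:" line is used; the other lines are made up filler.
SHOW_MODULE_OUTPUT = {
    "asa-5516": """Mod  Card Type
---- ---------------------------------
  1 ASA 5516-X with FirePOWER services
Crypto Accelerator: Cavium Octeon III CN7130 4 core 1.6GHz
""",
    "asa-5545": """Mod  Card Type
---- ---------------------------------
  1 ASA 5545-X Adaptive Security Appliance
Crypto Accelerator: Cavium Nitrox PX CN1620
""",
    "asa-unknown": """Mod  Card Type
---- ---------------------------------
  1 Some appliance whose output lacks the line we want
""",
}

# Capture the chip family (Octeon or Nitrox) and the rest of the line.
CRYPTO_RE = re.compile(
    r"^Crypto Accelerator:\s*Cavium\s+(Octeon|Nitrox)\b\s*(.*)$", re.MULTILINE
)

def parse_crypto_accelerator(output: str) -> Optional[Dict[str, str]]:
    """Return {'family': ..., 'detail': ...}, or None if the line is absent."""
    m = CRYPTO_RE.search(output)
    if not m:
        return None
    return {"family": m.group(1), "detail": m.group(2).strip()}

def classify(output: str) -> str:
    """Map the accelerator family onto the post's migration guidance."""
    info = parse_crypto_accelerator(output)
    if info is None:
        return "unknown: no Crypto Accelerator line found, verify manually"
    if info["family"] == "Nitrox":
        return f"Nitrox ({info['detail']}): candidate for FTD with SSL decryption offload"
    return f"Octeon ({info['detail']}): same chip class as the FTD 2100, less decryption capacity"

def inventory(outputs: Dict[str, str]) -> Dict[str, str]:
    """Classify every saved show module capture, keyed by device name."""
    return {name: classify(text) for name, text in outputs.items()}

if __name__ == "__main__":
    for name, verdict in inventory(SHOW_MODULE_OUTPUT).items():
        print(f"{name}: {verdict}")
```

In practice you would read each device's show module capture from a file and feed the text to inventory() in place of the constructed dictionary.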
So cool!
Hi Todd, does Cisco FTD do SSL decryption?
Yes, of course! There is an SSL policy that you can configure for all FTD devices. The 4100/9300 have a Nitrox chipset that is better than the 2100 for onboard decryption by far.