Datasheets firewall Cisco ISA-3000-4C-FTD

Specification

Port

4x 10/100/1000Mbps RJ45 ports

Hardware

● 4-core Intel ® Atom ® processor (industrial temp)

● 8-GB DRAM (soldered down)

● 16-GB onboard flash memory

● mSATA 64GB

● 1-GB removable SD flash memory card (industrial temp.)

● Mini-USB connector for console

● RJ-45 traditional console connector

● Dedicated 10/100/1000 management port

● Hardware-based anti-counterfeit, anti-tamper chip

● Factory reset option

Base software

FTD (Firepower Threat Defense)

Alarm I/O

● Two alarm inputs to detect dry contact open or closed

● One Form C alarm output relay

Dimensions (WxHxD)

● 11.2 x 13 x 16 cm (4.41 x 5.12 x 6.30 in.)

Weight

● 1.9 kg (4.2 lb)

Power supply and ranges

● Dual internal DC

● Nominal: ± 12V DC, 24V DC, or 48V DC

● Maximum range: 9.6V DC to 60V DC

● Power consumption: 24W

Mean time between failures (MTBF)

● ISA-3000-4C: 398,130 hours

Performance

Throughput: NGIPS (1024B)

500 Mbps

Throughput: Firewall (FW) + Application Visibility and Control (AVC) (1024B)

375 Mbps

Throughput: FW + AVC + Intrusion Prevention System (IPS) (1024B)

350 Mbps

Maximum concurrent sessions, with AVC

50

Maximum new connections per second, with AVC

2700

IPsec VPN throughput

(1024B TCP with Fastpath)

50 Mbps

Maximum VPN peers

25

Application Visibility and Control (AVC)

Standard, supporting more than 4000 applications as well as geo locations, users, and websites

URL filtering

More than 80 categories

More than 280 million URLs categorized

Defined interfaces

200, 400 (with SecPlus license on ASA), 400 (FTD)

VLAN counts

5, 100 (with SecPlus license on ASA), 100 (FTD)

IPv4 MACsec Access Control Entries (ACEs)

1000 with default TCAM template

NAT

Bidirectional, 128 unique subnet NAT entries, which can expand to tens of thousands of translated entries if designed properly

Feature

Proven, extensible access control

● Enforces ISA99/IEC 62443 segmentation needs

● Stateful inspection (Layers 2 through 7)

● Transparent and routed firewall operation modes

● Provides features to enable electronic security perimeter (ESP) for NERC-CIP compliance

● Next-Generation Intrusion Prevention System (NGIPS)

● Identity-based access control policies (users, devices, SGTs, etc.)

● VPN: Remote Access, site-to-site

Application control

● Visibility and control of all DMZ infrastructure

● Visibility and control of industrial applications

● Visibility and control of individual protocol commands and values

● ICS/OT protocol visibility and/or control

Remote access enablement and control

● Network access control via Cisco AnyConnect ®

● Cisco ISE support

● Site-to-site VPN

● Remote Access VPN

● Cisco Secure Desktop

● Support for Citrix and VMware clientless connections

Multilevel access controls

● Global block lists — automated or manual

● Global allow lists

● Third-party intelligence feed utilization

● File allow lists

● File block lists

● Application-level access control

● 802.1X support

Cisco TrustSec® controls

● In-band and out-of-band identity

● Active Directory integration

● Policy based on SGTs

● 802.1X support

● MACsec and MAC Authentication Bypass (MAB) support

● Enforces endpoint security state for remote access

Uncompromising threat detection and protection

● Leverages industry-leading rules developed by Cisco Talos research teams

● Over 55,000 rules, providing the widest range of protection anywhere

● Hundreds of industrial-focused rules

● Industrial equipment exploit protection rules

● Protocol abuse identification

● Protection for web-based control systems

● Network behavior analytics

● Passive device discovery

Threat network mapping

● Passive device identification

● Mobile device identification

● Application host network mapping

● Vulnerability/host network mapping

● User/host network mapping

Threat discovery

● Indicators of Compromise (IoC) tracking

● OpenAppID – open community ID system

● Correlation policies and responses

● Traffic variance detection

● Router-based remediation actions

● NetFlow tracking

● 55,000+ threat identifiers

● Customizable identifiers

● Can create wholly new identifiers

● Widest identifier contributorship

File tracking

● Approved file trace

● Suspect file trace

● Malware match

DMZ infrastructure

● DNS services

● Dynamic Host Configuration Protocol (DHCP) services

● Authentication, authorization, and accounting (AAA) support

● IP routing (v4 and v6)

Layer 3 routing

● IPv4 static routing

● Dynamic routing (Routing Information Protocol [RIP], Enhanced Internet Gateway Routing Protocol [EIGRP], Intermediate System to Intermediate System [IS-IS], Open Shortest Path First [OSPF], and Border Gateway Protocol [BGP])

Network Address Translation (NAT)

● Static NAT

● With port translation, one-to-many, nonstandard ports

● Dynamic NAT

● Dynamic Port Address Translation (PAT)

● Identity NAT

Layer 2 IPv6

● IPv6 host support, HTTP over IPv6, Simple Network Management Protocol (SNMP) over IPv6

Trunking

● 802.1q trunks supported

Logging

● Local logs, syslog, Security Analytics and Logging (SAL), eStreamer, and Log in the management application

● Proven integration with leading security information and event management (SIEM) systems (QRadar, Splunk, etc.)