Comparison between Hacom pfSense Appliances and Cisco ASA Firewalls
If the performance and technical requirements are known and one is familiar with Cisco ASA Security Appliances, the comparison tables can be used to select a comparable pfSense appliance for a particular application.
The pfSense website has the most comprehensive and up-to-date list of features at the following URL: http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43.
It also lists common deployments at the following URL: http://www.pfsense.org/index.php?option=com_content&task=view&id=71&Itemid=81.
All of the features and capabilities of pfSense are included and available for use. However, some features require more capable hardware: higher CPU performance, larger memory capacity, or a hard drive/SSD instead of flash memory. In contrast, commercial network security appliances like Cisco ASA firewalls require additional and more costly licenses for some of their features and capabilities. Some features of pfSense, like Intrusion Detection and Prevention, require a third-party annual subscription; about $500/sensor for Snort.
There are four tables: Low-End Appliances, Upper Low-End Appliances, Mid-Range Appliances, and Upper Mid-Range Appliances. The primary category is based on CPU performance. Low-End Appliances are based on the 500 MHz VIA C7. Upper Low-End Appliances are based on the 1 GHz VIA C7, while Mid-Range Appliances are Celeron-M/Pentium-M and Atom N270-based systems. The Upper Mid-Range Appliances are based on the Core2Duo/Core2Quad with memory capacity from 2-8 GB.
Each table is divided into three sections: performance, technical, and additional network security capabilities. If the performance or technical requirements are known, the tables can be used to quickly identify the appropriate security appliances. Although all pfSense capabilities are available throughout the ranges, it is recommended that only the Mid-Range Appliances and Upper Mid-Range Appliances be considered for additional network security capabilities like anti-spam, anti-phishing, URL filtering, or Content Security (Anti-virus, Anti-Spyware, File Blocking).
Please contact our technical support if you have questions about which appliance is best for a particular application.

| Firewall Model (Cisco License) | Phoenix IT-100 | Phoenix Uno | Cisco ASA 5505 [3] (Security Plus) | Cisco ASA 5510 [3] (Security Plus) |
|---|---|---|---|---|
| Product Image | - | 1U server | | |
| Network Location | SOHO (Small Office Home Office), Branch Office, SMB (Small and Medium Business), Enterprise Teleworkers, Internet Edge | SOHO (Small Office Home Office), Branch Office, SMB (Small and Medium Business), Enterprise Teleworkers, Internet Edge | Small Business, Branch Office, Enterprise Teleworker [3] | Internet Edge [3] |
| Performance Summary | | | | |
| Concurrent Sessions | 50,000 (limited by 128MB RAM) | 250,000 (500,000 maximum limited by 1GB maximum RAM) | 10,000 (25,000) | 50,000 (130,000) |
| Firewall Throughput | 70 Mbps | 85 Mbps | 150 Mbps | 300 Mbps |
| IPSec VPN Throughput | 14 Mbps (AES-256) [1,2]; 9.5 Mbps (3DES) [1,2] | 40 Mbps (AES-256) [1,2]; 10 Mbps (3DES) [1,2] | 40 Mbps [4] (100 Mbps [3]) | 66 Mbps [1] (170 Mbps [3]) |
| Maximum Site-to-Site and Remote Access VPN Sessions | 10,000 (limited by RAM capacity) | 10,000 (limited by RAM capacity) | 10 (25) | 250 |
| Multi-WAN Load Balancing | Dual WAN (limited by number of available interfaces) | Dual WAN (limited by number of available interfaces) | ? | ? |
| High-availability Support | Active/Standby [5] | Active/Standby [5] | Not supported (Stateless Active/Standby) | Not supported (Active/Standby, Active/Active) [6] |
| Technical Summary | | | | |
| CPU Speed | 500 MHz fanless Transmeta Crusoe TM5600 | 500 MHz fanless VIA C7 | 500 MHz AMD Geode LX | 1.6 GHz Celeron |
| Memory | 128MB | 512MB (Maximum 1GB) | 512MB | 1GB |
| Storage | 20GB HD | 2GB Compact Flash (optional 2.5-inch HD/SSD) | minimum 64MB System Flash | minimum 64MB System Flash |
| Interfaces | 2 x Realtek RTL8100B Fast Ethernet (1 x 802.11b/g WiFi) | 3 x Realtek RTL8100C Fast Ethernet | 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports) | 5 Fast Ethernet ports (2 Gigabit Ethernet + 3 Fast Ethernet) |
| Virtual Interfaces (VLAN) | None (RTL8100B/RTL8100C does not support VLAN) | None (RTL8100B/RTL8100C does not support VLAN) | 3 (20) | 50 (100) |
| Power Consumption | 12W | 12W | ~ 12W (estimated) | ~ 45W (estimated) |
| Additional Network Security Capabilities | | | | |
| Intrusion Prevention | Snort (Subscription required) | Snort (Subscription required) | Not Available | with AIP SSM |
| Anti-spam, anti-phishing, URL filtering | Squid | Squid | Not Available | Content Security Plus License features |
| Content Security (Anti-virus, Anti-Spyware, File Blocking) | HAVP (HD Required) | HAVP (HD Required) | Not Available | with CSC SSM |
| Cost | $250 | $450 | $386 [7] ($850) [8] | $2,181 [7] ($2,866) [8] |

Notes:
[1] As measured by IPerf. The IPerf performance of the Cisco ASA 5510 was measured and discussed in the article IPSec Performance of Cisco ASA 5510 as Measured by IPerf.
[2] With the built-in VIA C7 Padlock VPN Hardware Accelerator. The IPerf performance of the Phoenix Uno and Phoenix OpenBrick-E was measured and discussed in the article IPSec Performance of pfSense Firewall Appliance.
[3] As reported in Cisco Sales Literature and Documentation. (Cisco Router Performance data come from here.)
[4] Estimated from Cisco ASA 5510 iperf data.
[5] Detailed CARP configuration is discussed at http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP). Active-active configuration is not possible at this time.
[6] Active/Active configuration requires multiple security contexts (or virtual firewalls).
[7] Cisco ASA firewall cost is typically found on the Internet and includes the basic firewall feature set of Cisco ASA Software Release 8.2.
[8] Cisco ASA firewall cost includes the Security Plus license, which is required for advanced features like security contexts and active/active high-availability.

| Firewall Model (Cisco License) | Mercury OpenBrick-M VIA C7 | Mercury III pfSense 1U Server | Cisco ASA 5510 [3] (Security Plus) | Cisco ASA 5520 [3] |
|---|---|---|---|---|
| Product Image | Mercury OpenBrick-M | Mercury III 1U Server | 1U Server | 1U Server |
| Network Location | Branch Office, SMB (Small and Medium Business), Internet Edge | Branch Office, SMB (Small and Medium Business), Internet Edge | Internet Edge [3] | Internet Edge [3] |
| Performance Summary | | | | |
| Concurrent Sessions | 500,000 (limited by 1GB maximum RAM) | 500,000 (limited by 1GB maximum RAM) | 50,000 (130,000) | 280,000 |
| Firewall Throughput | 1.0 Gbps | 1.0 Gbps | 300 Mbps | 450 Mbps |
| IPSec VPN Throughput | 79 Mbps (AES-256) [1]; 21 Mbps (3DES) [1] (79 Mbps [1,2] with Soekris VPN1401) | 79 Mbps (AES-256) [1]; 21 Mbps (3DES) [1] (79 Mbps [1,2] with Soekris VPN1401) | 66 Mbps [1]; 170 Mbps [3] | 87 Mbps [4]; 225 Mbps [3] |
| Maximum Site-to-Site and Remote Access VPN Sessions | 10,000 (limited by RAM capacity) | 10,000 (limited by RAM capacity) | 250 | 750 |
| Multi-WAN Load Balancing | Three (3) WAN (limited by number of available interfaces) | Three (3) or Five (5) or Seven (7) WAN (limited by number of available interfaces) | ? | ? |
| High-availability Support | Active/Standby [5] | Active/Standby [5] | Not supported (Active/Standby, Active/Active) [6] | Active/Standby, Active/Active [6] |
| Technical Summary | | | | |
| CPU Speed | 1.0 GHz VIA C7 | 1.0 GHz VIA C7 | 1.6 GHz Celeron | 2.0 GHz Pentium-4 |
| Memory | 1GB | 1GB | 1GB | 2GB |
| Storage | 2GB Industrial CF (optional 2.5-inch HD/SSD) | 2GB Industrial CF (optional 2.5-inch HD/SSD) | minimum 64MB System Flash | minimum 64MB System Flash |
| Interfaces | 1 Fast Ethernet port and 3 Gigabit Ethernet ports | 1 VIA VT6103 Fast Ethernet port (Expandable up to 1 Fast Ethernet and 5 Gigabit Ethernet) | 5 Fast Ethernet ports (2 Gigabit Ethernet + 3 Fast Ethernet) | 4 Gigabit Ethernet ports and 1 Fast Ethernet port |
| Virtual Interfaces (VLAN) | None (with VIA VT6103L Fast Ethernet); ~4,000 (with Realtek/Intel Gigabit) | None (with VIA VT6103L Fast Ethernet); ~4,000 (with Intel Gigabit) | 50 (100) | 150 |
| Power Consumption | 25W | 45W | ~ 45W (estimated) | ~ 100W (estimated) |
| Additional Network Security Capabilities | | | | |
| Intrusion Prevention | Snort (Subscription required) | Snort (Subscription required) | with AIP SSM | with AIP SSM |
| Anti-spam, anti-phishing, URL filtering | Squid, Squidguard (HD Required) | Squid, Squidguard (HD Required) | Content Security Plus License features | Content Security Plus License features |
| Content Security (Anti-virus, Anti-Spyware, File Blocking) | HAVP (HD Required) | HAVP (HD Required) | with CSC SSM | with CSC SSM |
| Cost | $500 | $700 | $2,181 [7] ($2,866) [8] | $4,295 [7] |

Notes:
[1] As measured by IPerf.
[2] With the Soekris VPN1411 VPN Hardware Accelerator. The IPerf performance of the Mercury was measured and discussed in the article IPSec Performance Gained by VPN Hardware Accelerator.
[3] As reported in Cisco Sales Literature and Documentation. (Cisco Router Performance data come from here.)
[4] Estimated from Cisco ASA 5510 iperf data. The IPerf performance of the Cisco ASA 5510 was measured and discussed in the article IPSec Performance of Cisco ASA 5510 as Measured by IPerf.
[5] Detailed CARP configuration is discussed at http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP). Active-active configuration is not possible at this time.
[6] Active/Active configuration requires multiple security contexts (or virtual firewalls).
[7] Cisco ASA firewall cost is typically found on the Internet and includes the basic firewall feature set of Cisco ASA Software Release 8.2.
[8] Cisco ASA firewall cost includes the Security Plus license, which is required for advanced features like security contexts and active/active high-availability.

| Firewall Model | Mars 1U Server Celeron-M | Mars OpenBrick-M Atom D525 | Mars II pfSense 1U Server | Cisco ASA 5520 [3] | Cisco ASA 5540 [3] |
|---|---|---|---|---|---|
| Product Image | Mars 1U Server | Mars OpenBrick-M Appliance | Mars II pfSense 1U Server | 1U Server | 1U Server |
| Network Location | Branch Office, SMB (Small and Medium Business), Internet Edge | Branch Office, SMB (Small and Medium Business), Internet Edge | Branch Office, SMB (Small and Medium Business), Internet Edge | Internet Edge [3] | Internet Edge [3] |
| Performance Summary | | | | | |
| Concurrent Sessions | 500,000 (limited by 1GB maximum RAM) | 500,000 (1GB RAM); 1,000,000 (2GB RAM) | 1,000,000 (2GB RAM); 2,000,000 (4GB RAM) | 280,000 | 400,000 |
| Firewall Throughput | 180 Mbps (Fast Ethernet); 650 Mbps (Gigabit Ethernet) | 1.6 Gbps | 1.6 Gbps | 450 Mbps | 650 Mbps |
| IPSec VPN Throughput | 30 Mbps (AES-256) [1]; 20 Mbps (3DES) [1]; 65 Mbps [1,2] (with Soekris VPN1411) | 70 Mbps (AES-256) [1]; 45 Mbps (3DES) [1]; 87 Mbps (AES-256) [1,2]; 85 Mbps (3DES) [1,2] (with Soekris VPN1401) | 70 Mbps (AES-256) [1]; 45 Mbps (3DES) [1]; 87 Mbps (AES-256) [1,2]; 85 Mbps (3DES) [1,2] (with Soekris VPN1401) | 87 Mbps [1] (225 Mbps [3]) | 125 Mbps [4] (325 Mbps [3]) |
| Maximum Site-to-Site and Remote Access VPN Sessions | 10,000 (limited by RAM capacity) | 10,000 (limited by RAM capacity) | 10,000 (limited by RAM capacity) | 750 | 2500 |
| Multi-WAN Load Balancing | Three (3) WAN (limited by number of available interfaces) | Three (3) WAN (limited by number of available interfaces) | Four (4) or Six (6) WAN (limited by number of available interfaces) | ? | ? |
| High-availability Support | Active/Standby [5] | Active/Standby [5] | Active/Standby [5] | Active/Standby, Active/Active [6] | Active/Standby, Active/Active [6] |
| Technical Summary | | | | | |
| CPU Speed | 1.0 GHz Celeron-M | 1.8 GHz Dual-Core Atom D525 | 1.8 GHz Dual-Core Atom D525 | 2.0 GHz Pentium-4 | 2.0 GHz Pentium-4 |
| Memory | 1GB | 1GB (expandable to 4GB max) | 2GB (expandable to 4GB max) | 2GB | 2GB |
| Storage | 2GB Compact Flash (optional 2.5-inch HD/SSD) | 2GB Compact Flash (optional 2.5-inch HD/SSD) | 8GB SSD (optional 2.5-inch HD/SSD or RAID 1 Mirroring) | minimum 64MB System Flash | minimum 64MB System Flash |
| Interfaces | 4 x Realtek Fast Ethernet (optional Intel Gigabit) | 1 x Realtek RTL8111DL and 3 x Intel 82541PI Gigabit | 5 Gigabit Ethernet ports: 2 x Intel 82573L and 3 x Intel 82541PI (expandable to seven (7) Intel Gigabit ports) | 4 Gigabit Ethernet ports and 1 Fast Ethernet port | 4 Gigabit Ethernet ports and 1 Fast Ethernet port |
| Virtual Interfaces (VLAN) | None (with Realtek Fast Ethernet); ~4,000 (with Intel Gigabit) | ~4,000 | ~4,000 | 50 (100) | 150 |
| Power Consumption | 16W | 25W | 45W | ~ 45W (estimated) | ~ 150W (estimated) |
| Additional Network Security Capabilities | | | | | |
| Intrusion Prevention | Snort (Subscription required) | Snort (Subscription required) | Snort (Subscription required) | with AIP SSM | with AIP SSM |
| Anti-spam, anti-phishing, URL filtering | Squid, Squidguard (HD Required) | Squid, Squidguard (HD Required) | Squid, Squidguard (HD Required) | Content Security Plus License features | Content Security Plus License features |
| Content Security (Anti-virus, Anti-Spyware, File Blocking) | HAVP (HD Required) | HAVP (HD Required) | HAVP (HD Required) | with CSC SSM | with CSC SSM |
| Cost | $690 | $700 | $900 | $4,295 [7] | $6,371 [7] |

Notes:
[1] As measured by IPerf.
[2] With the Soekris VPN1411 VPN Hardware Accelerator. The IPerf performance of the Mercury was measured and discussed in the article IPSec Performance Gained by VPN Hardware Accelerator.
[3] As reported in Cisco Sales Literature and Documentation. (Cisco Router Performance data come from here.)
[4] Estimated from Cisco ASA 5510 iperf data. The IPerf performance of the Cisco ASA 5510 was measured and discussed in the article IPSec Performance of Cisco ASA 5510 as Measured by IPerf.
[5] Detailed CARP configuration is discussed at http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP). Active-active configuration is not possible at this time.
[6] Active/Active configuration requires multiple security contexts (or virtual firewalls).
[7] Cisco ASA firewall cost is typically found on the Internet and includes the basic firewall feature set of Cisco ASA Software Release 8.2.

| Firewall | Jupiter I | Jupiter III | Cisco ASA 5540 [3] | Cisco ASA 5580-20 [3] |
|---|---|---|---|---|
| Product Image | Jupiter 1U Server | Jupiter III 1U Server | 1U Server | 4U server |
| Network Location | SMB (Small and Medium Business), Internet Edge, Corporate Headquarter, Data Center Campus | SMB (Small and Medium Business), Internet Edge, Corporate Headquarter, Data Center Campus | Internet Edge [3] | Data Center Campus [3] |
| Performance Summary | | | | |
| Concurrent Sessions | 1,000,000 (limited by 2GB maximum RAM) | 2,000,000 (4GB RAM) | 400,000 | 1,000,000 |
| Firewall Throughput | 2.0 Gbps [8] | 4.0 Gbps [9] | 650 Mbps | 5 Gbps |
| IPSec VPN Throughput | 110 Mbps [1,2] | 200 Mbps [1,2] (Estimated) | 125 Mbps [4] (325 Mbps [3]) | 385 Mbps [4] (1 Gbps [3]) |
| Maximum Site-to-Site and Remote Access VPN Sessions | 10,000 (limited by RAM capacity) | 10,000 (limited by RAM capacity) | 5,000 | 10,000 |
| Multi-WAN Load Balancing | 3-5 WAN (limited by number of available interfaces) | 5-7 WAN (limited by number of available interfaces) | ? | ? |
| High-availability Support | Active/Standby [5] | Active/Standby [5] | Active/Standby, Active/Active [6] | Active/Standby, Active/Active [6] |
| Technical Summary | | | | |
| CPU Speed | 2.0 GHz Core2Duo T7200 (2 cores) | 2.5 GHz Intel i5-2400s (4 cores) | 2.0 GHz Pentium-4 | AMD Opteron (2 CPU, 4 cores) |
| Memory | 2GB | 4GB (Maximum 16GB) | 2GB | 8GB |
| Storage | 2GB Compact Flash (optional 2.5-inch HD/SSD) | 8GB SSD (optional 2.5-inch HD/SSD or RAID 1 Mirroring) | minimum 64MB System Flash | minimum 1GB System Flash |
| Interfaces | 4 x Intel Gigabit (Expandable to 6GbE) | 6 x Intel Gigabit (Expandable to 2 x 1GbE and 6 x 10GbE) | 4 Gigabit Ethernet ports and 1 Fast Ethernet port | 6 Gigabit Ethernet ports (Expandable to 10 x 1GbE and 2 x 10GbE) |
| Virtual Interfaces (VLAN) | ~4,000 | ~4,000 | 200 | 250 |
| Power Consumption | 65W | 150W | ~ 150W (estimated) | ??? |
| Additional Network Security Capabilities | | | | |
| Intrusion Prevention | Snort (Subscription required) | Snort (Subscription required) | with AIP SSM | Not Available? [3] |
| Anti-spam, anti-phishing, URL filtering | Squid, Squidguard (HD required) | Squid, Squidguard (HD required) | Content Security Plus License features | Yes? [3] |
| Content Security (Anti-virus, Anti-Spyware, File Blocking) | HAVP (HD Required) | HAVP (HD Required) | with CSC SSM | Yes? [3] |
| Cost | $1,650 | $2,500 | $6,371 [7] | $29,489 [7] |

Notes:
[1] As measured by IPerf.
[2] With the Soekris VPN1411 VPN Hardware Accelerator. The IPerf performance of the Jupiter I was measured and discussed in the article IPSec Performance Gained by VPN Hardware Accelerator.
[3] As reported in Cisco Sales Literature and Documentation. (Cisco Router Performance data come from here.)
[4] Estimated from Cisco ASA 5510 iperf data. The IPerf performance of the Cisco ASA 5510 was measured and discussed in the article IPSec Performance of Cisco ASA 5510 as Measured by IPerf.
[5] Detailed CARP configuration is discussed at http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP). Active-active configuration is not possible at this time.
[6] Active/Active configuration requires multiple security contexts (or virtual firewalls).
[7] Cisco ASA firewall cost is typically found on the Internet and includes the basic firewall feature set of Cisco ASA Software Release 8.2. Advanced features like security contexts and active/active high-availability may require additional licenses.
[8] The four (4) built-in GbE ports are on their own PCIe x1 lanes.
[9] The six (6) built-in GbE ports are on their own PCIe x1 lanes.

