What replaces the ASA5508?

The FPR1120 is the recommended replacement for the ASA5508-X.

Cisco Support for the ASA5508 Adaptive Security Appliance will cease in August 2026 and Cisco recommends that Customers with ASA5508-X products migrate to the Firepower 1000 series firewalls.

The direct replacement for the ASA5508 would be the FPR1120 which can be configured as an ASA initially and reimaged as an FPR NGFW as required.

Assuming your ASA5508 is running as an ASA then the transition to the FPR1120-ASA-K9 should be straightforward.

If, however, you would like to upgrade from the Layer 4 ASA Firewall to a Layer 7 NGFW then Cisco recommend the FPR1120-NGFW-K9.

Layer 4 is the OSI Transport Layer where TCP and UDP function.

Layer 7 is the OSI Application Layer where Apps such as Facebook and Linkdin function – if you want to manage these then you need NGFW.

FPR1120-ASA-K9

Table of Contents

Replace your ASA5508 with an FPR1120 ASA

ASA5500-X Max Performance FRP1010 Models Max Performance
ASA5508-X
FW + AVC + IPS 250Mbs
FPR1120-ASA-K9
Statefull FW 4.5Gbps

Correct as at July 2023 – latest specifications are available on cisco.com

Note that the ASA5508-X refers to the following Cisco ASA 5508 models running the ASA image without any Firepower FTD enabled or installed.

The FPR1120-ASA is a direct replacement for the ASA5508 and will provide improved performance plus a path to upgrade beyond access control and traffic filtering.

With very few changes, the configuration from your ASA5508 can be pasted directly into your ASA imaged FPR1120, and the only requirement is for the essential license be available in your Smart Account.

ASA5508 to FPR1120-ASA Requirements

As a minimum the FPR1120 requires an essentials feature license to function with the ASA image.

How to replace your ASA5508 with an FPR1120-ASA

Buy FPR1120-ASA-K9 or FPR1120-ASA-K9-RF

The FPR1120-ASA-K9 is a direct replacement for your ASA5508-X.

Offering up to 4.5Gbps Firewall performance and running the ASA Firewall image it will (mostly) accept your existing ASA Config for a minimum downtime hardware upgrade.

Our FPR1120-ASA-K9 is delivered direct from Cisco, will be fully licensed and eligible for Smart Net support should you require it.

We also offer the FPR1120-ASA-K9-RF from Cisco Refresh and FPR1120-ASA-K9-WS from Cisco Excess, these models will be cheaper but could be in short supply.

FPR1000-ASA FPR1120 Essentials License - required

Your FPR1120 needs to have an essentials license available in your Cisco Smart Account to register against the device. We include this with our FPR1120-ASA-K9 products but FPR devices from other suppliers may not have this license so we can obtain it for you and provision it to your Smart Account.

Don’t have a Smart Account? Sign up for one here.

Cisco Smart Net for FPR1120-ASA-K9

CON-SW-FPR1120 FPR1120 Cisco Software Support - optional

Cisco Smart Net is Cisco’s award winning support service.

By adding a support contract to your FPR you will gain access to the latest versions of both the ASA and FTD software images, as well as obtaining direct access to Cisco Engineers to assist in the setup and migration of your ASA.

Note that to be eligible for Smart Net your FPR needs to be purchased from an authorized source.

CON-SNT-FPR1120 FPR1120 Cisco Smart Net - recommended

All FPR1120 Smart Net contracts include Software Support which is required to obtain the latest ASA or FTD Images.

The SNT version of Smart Net includes Next Business Day hardware replacement should your FPR1120 develop a fault.

FPR1K-ENC-K9 Strong Encryption (3DES/AES) License

Insufficient Cisco Firepower 1K Series ASA Strong Encryption (3DES/AES) Licenses

Cisco Firepower 1K Series ASA Strong Encryption (3DES/AES)

When the Cisco Firepower 1K Series ASA Strong Encryption (3DES/AES) has been applied you may received an “insufficient licenses” message, this denotes that your Smart Account does not have enough FPR1K-ENC-K9 Licenses and they need to be provisioned. The licenses are free but we charge for the admin required to obtain them.

FPR1K-ENC-K9 Strong Encryption (3DES/AES) License

Once the above Essentials License has been registered the Smart Software Manager will also apply the Strong Encryption License – but only if your Smart Account has permission.

If your Smart Account is not authorized for strong encryption you can (subject to Cisco approval) manually add a strong encryption license to your Smart account to enable the 3DES/AES.

Replace your ASA5508 with an FPR1120 NGFW

ASA5500-X Max Performance FRP1010 Models Max Performance
ASA5508-X
FW + AVC + IPS 250Mbs
FPR1120-NGFW-K9
FW + AVC + IPS 2.3Gbps

Correct as at July 2023 – latest specifications are available on cisco.com

Note that the ASA5506-X refers to the following Cisco ASA 5506 models:

FPR1000 Rack Mounted Models

FPR1120-ASA-K9
Features FPR1120 FPR1140 FPR1150
Throughput
4.5Gbps
6Gbps
7.5Gbs
Connections
200k
400k
600k

FPR1120 NGFW Differences to FPR1120 ASA

The FPR1120-ASA and the FPR1120-NGFW are essentially the same device, the only difference being the image that the device is currently running.

Loading the NGFW image adds application visibility and control and can be licensed to also provide:

0
    0
    Your Cart
    Your cart is emptyReturn to Shop