Cisco Firewall Services Module Software Version 4.0

The Cisco® Firewall Services Module (FWSM) for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers is a high-performance, integrated stateful inspection firewall with application and protocol inspection engines. The FWSM provides up to 5.5 Gbps of throughput, 100,000 connections per second, and one million concurrent connections.

Cisco FWSM Software Version 4.0 is configured and monitored by the integrated, web-GUI-based Cisco Adaptive Security Device Manager (ASDM) Version 6.0F. Cisco FWSM Software Version 4.0 provides:

  • Firewall performance enhancements
  • Increased scalability
  • Additional protocol coverage and enhanced inspection
  • Additional routing support
  • Collaboration with switch services
  • Dynamic Host Configuration Protocol (DHCP) and Simple Network Management Protocol (SNMP) extensions

Cisco FWSM Software Version 4.0 Release Highlights

Table 1 lists new features in Cisco FWSM Software Version 4.0.

Table 1. New Features in Cisco FWSM Software Version 4.0

Firewall Performance Enhancements

  • Trusted flow acceleration*: Increases performance to up to 30 Gbps aggregate and 10 Gbps per flow for data center applications that require more bandwidth between trusted zones, such as bulk FTP transfers or routine data backups.

Scalability Optimizations

  • Increased access control list (ACL) support: Increases the total number of access control entries in single-context mode from 80,000 to 130,000. Note: This is a best-case figure; consult the documentation for details.
  • Flexible and configurable ACL rules: Increases rule scalability by allowing configurable ACL partition sizes on a per-virtual-firewall basis.

Additional Protocol Coverage and Enhanced Inspection

  • Distributed Computing Environment/Remote Procedure Call (DCE/RPC): Provides support for applications running the Microsoft RPC protocol.
  • Enhanced Session Initiation Protocol (SIP): Provides application security and protocol conformance in addition to the basic firewall functions (Network Address Translation [NAT] and ACL pinholing). This gives users more control when applying policies and security checks to SIP traffic, as well as the ability to filter out unwanted messages or users.
  • Enhanced HTTP: Enables FWSM Software Version 3.2 to achieve tighter protocol conformance and gives the user more control over the HTTP traffic that is allowed through the firewall.
  • Enhanced Extended Simple Mail Transport Protocol (ESMTP): Provides protocol conformance and application security by giving the user more control over the ESMTP traffic that can traverse the firewall.

Additional Routing Support

  • Route health injection*: Allows static and directly connected routes and NAT pools to be injected into the forwarding table of the Catalyst 6500/7600 by the FWSM on a per-virtual-firewall basis.
  • Enhanced Interior Gateway Routing Protocol (EIGRP): Allows the user to run EIGRP on the FWSM when it is operating in non-virtual-firewall mode.

Collaboration with Switch Services

  • Integration with the Cisco Programmable Intelligent Services Accelerator (PISA) discovery and detection mechanism**: PISA provides hardware acceleration for IP services such as Network-Based Application Recognition (NBAR) and Flexible Packet Matching (FPM) on the Cisco Catalyst 6500 Series Supervisor Engine 32. These features allow PISA to recognize many (~100) application protocols regardless of the Layer 4 ports used. The FWSM uses the intelligence of PISA to apply security policies to those applications through a mutual packet-tagging mechanism.
  • Interoperability with virtual switching feature*: Allows the FWSM to interoperate with a Catalyst 6500 Series switch in a virtual switch environment.

DHCP and SNMP Extensions

  • DHCP Option 82: Allows the FWSM to interoperate with a Catalyst 6500 Series switch acting as a DHCP relay agent, preserving the DHCP Option 82 information populated by the switch.
  • Additional SNMP MIBs: Provides the ability to poll ACL entries and ACL hit counters, with the ACL name and line number, so that each hit counter can be correlated directly with its access control entry (ACE).