When the term “Hybrid Mesh Firewall” was first introduced into the market last year, it was defined as “management of virtual firewalls, cloud firewalls, and physical firewalls in one experience.”
At Cisco, we don’t think this definition extends far enough. Given the sheer complexity and evolving definition of networks and applications, the traditional definition of “firewall” is too limiting because it still requires the administrator to figure out what needs access, where that access should be enforced, and how that policy gets implemented. The traditional definition stops at just Next-Generation Firewall (NGFW) form factors. Instead, we use it as a verb—“firewalling”—and extend a distributed presence in every server, every application, every VM, every container, and every endpoint with the intelligence of how to secure them. We also solve for new and unique outcomes: handling encrypted traffic at scale whether in trusted boundaries or on the workloads themselves, driving microsegmentation outcomes, and meeting new AI use cases.
Today, we’re excited to announce an expansion of our Hybrid Mesh Firewall capabilities, with a new generation of firewalls, extended segmentation enforcement, and multi-vendor intent-based policy creation and orchestration.
Better enforcement points
With the addition of the latest Secure Firewall 6100 and 200 series, Cisco has now completed a full refresh of our entire Secure Firewall portfolio in just two years and delivered top-to-bottom price performance leadership.
With our 6100 series, designed for the ultra-high-end market, our focus is on Layer 7 threat performance. Delivering 400 Gbps of Layer 7 performance in a compact two-rack-unit (RU) design, Cisco’s 6100 delivers superior performance with a smaller footprint compared to a competitor’s five-rack-unit appliance, which achieves only 180 Gbps. Cisco’s innovative active-active and N+1 clustering architecture enables unmatched scalability. By clustering up to 16 Cisco 6100 units, customers can achieve over 4 Tbps of performance, far exceeding our competitor’s 1.4 Tbps appliance. Even with just eight clustered units, Cisco delivers better performance and cost efficiency, while requiring less space, power, and cooling. This modular approach ensures organizations can scale incrementally without overhauling infrastructure.
With our 200 series, our smaller firewalls designed for the branch, we also achieve market-leading price performance. Offering over 1.5 Gbps of AI-powered, on-box threat inspection in a compact, cost-effective package, the 200 delivers three times the market’s typical price-to-performance ratio. This powerhouse enables advanced threat use cases, like encrypted visibility engine and Snort ML in Snort 3, to be deployed directly at branch locations. Beyond its impressive capabilities, the device has built-in SD-WAN with pre-built templates, easy setup, SASE configuration, and robust security cloud control, providing a comprehensive, streamlined experience for modern network management.
In addition to our new hardware platforms, we have simplified how you extend your firewalling to your cloud workloads. Cisco Multicloud Defense orchestrates your cloud network and deploys, scales, upgrades, and heals Secure Firewall Virtual Gateways, with an hourly licensing model that matches the dynamic nature of the cloud. The Secure Firewall Virtual Gateways use the same configuration and policies that you already have, making it simple to extend your private cloud security to the public cloud.
We’re starting to melt security into the network with Cisco Hypershield Smart Switches. Expanding from our initial data center-focused N9300 models launched in February, we’re now introducing the Cisco Catalyst 9350 for campus and branch networks. These Smart Switches combine traditional switching with stateful Layer 4 firewall capabilities in a single platform. The N9300 series supports 800 Gbps of stateful security, ideal for cloud on-ramp, zone segmentation, and top-of-rack deployments. The Catalyst 9350 extends this integrated security model into campus environments, simplifying branch and campus segmentation.
By embedding security where switching occurs, these devices streamline operations by eliminating complex traffic steering between separate appliances—particularly beneficial for high-performance east-west traffic inspection. As your network grows, or you are refreshing your network infrastructure, consider Smart Switches.
Security policies are centrally managed via Security Cloud Control, while switch management remains with familiar network tools. Additionally, the Smart Switches analyze traffic to suggest segmentation policies, which administrators can validate with live traffic before deployment.
This unified approach significantly reduces hardware footprint and power usage, enabling scalable security management without added complexity.
Smarter segmentation and simplified management
Besides adding powerful new firewall hardware to the Hybrid Mesh Firewall, we’re proud to announce that we’re expanding the enforcement points of Cisco Hybrid Mesh Firewall to Cisco Application Centric Infrastructure (ACI). Secure Workload, a key component of Cisco Hybrid Mesh Firewall, is Cisco’s industry-leading microsegmentation capability. It uses AI/ML to process the network topology, workload metadata, netflows, and application process data, and from these it generates intelligent microsegmentation policy that reduces the attack surface without impacting application access. The policy is then enforced either agentlessly, leveraging the Cisco ACI fabric along with other enforcement points such as Secure Firewall, cloud providers, and application delivery controllers, or through the Secure Workload agent, which can be deployed on modern and legacy operating systems.
Mesh Policy Engine: A multi-vendor segmentation policy
Cisco Security Cloud Control introduces Mesh Policy Engine, enabling teams to define a single intent-based policy that is enforced across Cisco and third-party firewalls. Not only does this simplify day-to-day operations, it also enables organizations to change enforcement points without rewriting policy. Mesh Policy Engine allows organizations to transform how they manage network access requests to use intent-based policies instead of traditional firewall rules. The traditional approach places the burden on the network administrator to first understand the access request, translate it to network rules, then determine which firewall devices to update, and push policy. This can take hours to days just to figure out which firewall devices need to be updated—let alone whether the access should be granted, what the rule needs to be, and how to apply it across the management consoles of multiple firewall vendors.
Mesh Policy Engine redefines how network access is granted and managed by shifting the focus away from firewall-specific policies and instead to the actual application access request. Administrators create policies that directly match what the request is—Mesh Policy Engine handles the heavy lifting of converting that to traditional firewall rules, computing the effective total policy, and updating the policy on the relevant firewalls. Teams can easily review the Security Cloud Control dashboard to understand not just the “what” and “where” of the policy, but also the “why”, ensuring no rules exist on the firewalls that don’t map back to a specific request. This intent-based logic ensures clarity and continuity in policy management—across Cisco and third-party firewalls.
Not done yet
These announcements are just the latest in how we’re helping organizations secure their applications and networks with the best price-performance firewall hardware models, extending the industry-leading microsegmentation capabilities, while simplifying how customers manage their policies. Looking ahead, we have a lot more capabilities coming that will help customers scale their security, protect their digital assets in a complex threat landscape, and leverage the power of AI to reshape security and security operations. Stay tuned.