Cisco FWSM

From Wikipedia, the free encyclopedia
Jump to: navigation, search

The Firewall Services Module (FWSM) is a firewall module integrated by Cisco into its Komodo blade on Catalyst 6500 Switches and 7600 Series Routers.

Installed inside a Cisco Catalyst 6500 Series Switch or Cisco 7600 Internet Router, the FWSM allows any VLAN on the switch to be passed through to the device to operate as a firewall port and integrates firewall security inside the network infrastructure.

The FWSM is based on Cisco PIX technology and uses the same Cisco PIX Operating System, a secure, real-time operating system. The Cisco FWSM enables organizations to manage multiple firewalls from the same management platform.

It has reached end of support status as of September 26, 2007[1] and replaced by the Cisco Catalyst 6500 Series 7600 Series ASA Services Module.[2]


The FWSM has five processors, two central CPUs (Pentium III 1 GHz processor) and three network processors (IBM 4GS3 PowerNP). It is unknown if both of the Pentium CPUs are used for management.

The central CPUs are responsible for fixups and for traffic sourced from and destined to the FWSM itself (mainly management traffic). The central CPUs are also responsible for rule-base compilation. The rulebase is converted (compiled) into configuration for the Network Processors, so the majority of the traffic is handled in dedicated hardware.

The three Network Processors in the FWSM handle the majority of the traffic. Fast Path NP1 and NP2 handle the main traffic and have each three 1 Gigabit connections to the Backplane. The third NP sits above NP1 and NP2 and is the session manager.[3]

As the rulebase is compiled into hardware, the FWSM has clear restrictions on the maximum number of Access Control Entries (ACE). The limitation is only reached with large and inefficient rulebases. The limit cannot be extended by memory upgrade as on PIX and ASA platforms.


Resource manager helps organizations limit the resources allocated to any security context at any time thus ensuring that one security context does not interfere with another.

The transparent firewall feature configures the FWSM to act as a Layer 2 bridging firewall resulting in minimal changes to network topology. [4]