Cisco Secure Firewall Reviews

Assessment of Cisco Secure Firewall – Policy Unification & Zero-Trust Enablement

I assess the policy unification and operational flexibility of Cisco Secure Firewall very positively, based on our hands-on deployment in the COE (Center of Excellence) lab environment where we conduct regular customer demonstrations.

1. Dynamic Policy Management in a Live Demo Environment

In our COE setup, firewall policies are frequently modified based on customer use cases.

• We regularly update existing rules or create new ones.
• Sometimes changes are required weekly.
• In certain scenarios, rule updates are needed multiple times in a single day.
• The environment is continuously adjusted to reflect customer-specific requirements.

Cisco Secure Firewall enables us to make these changes quickly and efficiently, demonstrating its operational flexibility and centralized policy control.

2. OT Network Segmentation & IDS/IPS Flexibility

Within our lab, we have a dedicated OT segment with multiple security zones configured.

To simulate real-world scenarios:

• We include attacker zones that generate controlled attack traffic.
• For some use cases, we enable IDS (detection-only) to showcase logging and monitoring.
• For other scenarios, we enable IPS signatures to demonstrate active prevention.

The ability to seamlessly switch policies from IDS-only mode to full intrusion prevention allows us to demonstrate multiple use cases using the same infrastructure without complexity.

This flexibility is particularly valuable in OT security environments where detection and prevention requirements may vary depending on operational needs.

3. Zero-Trust Architecture Demonstration

Cisco Secure Firewall plays a critical role in demonstrating Zero-Trust architecture in our lab.

Our integrated setup includes:

• Cisco Secure Firewall
• SDA fabric / trusted network switches
• Cisco Identity Services Engine (Cisco ISE)

Using Cisco ISE:

• Users are securely onboarded onto the network.
• Authentication and authorization policies are enforced.
• Role-based segmentation is applied.

If a connected user attempts unauthorized actions—such as accessing malicious destinations or generating abnormal traffic—the system responds automatically.

4. Automated Threat Containment – Practical Demonstration

For example:

• We restrict excessive ICMP traffic between segments.
• If a user continuously generates abnormal ICMP traffic,
• The firewall detects the behavior using IPS signatures.
• The firewall notifies Cisco ISE about the abnormal activity.
• Cisco ISE automatically quarantines the client into a restricted VLAN.

This process occurs without any manual intervention.

Even though our lab does not generate fully malicious real-world attacks, customers can clearly see how:

1. The firewall detects suspicious activity.
2. The integrated ecosystem communicates automatically.
3. The endpoint is isolated in real time.
4. The threat area is segmented from the rest of the network.

This provides a complete, practical Zero-Trust story:

• Secure onboarding
• Least-privilege access
• Continuous monitoring
• Automated threat response
• Dynamic segmentation

5. Unified Security Story for Customers

What makes this powerful is not just the firewall capability alone, but the integrated ecosystem:

• Identity-driven access control
• Behavioral detection
• Automated containment
• Dynamic VLAN reassignment
• Segmentation of threat zones

Cisco Secure Firewall allows us to demonstrate how a fully integrated security architecture can automatically identify, isolate, and contain threats—helping organizations minimize risk and maintain operational continuity.

One of the most valuable aspects of Cisco Secure Firewall is its deep and seamless integration within the Cisco security ecosystem.

While most next-generation firewall capabilities are broadly comparable across OEMs, the true differentiator lies in Cisco’s ecosystem-driven architecture and automation capabilities.

1. Ecosystem-Driven Security Automation (Unique Differentiator)

We have deployed Cisco Identity Services Engine (Cisco ISE) as our NAC solution and integrated it directly with Cisco Secure Firewall.

This integration enables Rapid Threat Containment (RTC):

• If the firewall detects malware activity (e.g., malicious download attempts or suspicious behavior),
• It automatically notifies Cisco ISE,
• Cisco ISE dynamically quarantines the endpoint or moves the user into a restricted security segment,
• All without manual intervention.

This closed-loop automation between detection and enforcement is a powerful advantage. It significantly reduces response time, limits lateral movement, and strengthens overall security posture.

This level of orchestration across network and security components is a major reason we prefer Cisco over other OEMs.

2. Advanced Visibility & Log Analytics

Another strong capability is the rich dashboard visibility within Cisco Secure Firewall.

• Detailed traffic analysis
• Granular log inspection
• Application-level visibility
• Improved troubleshooting capabilities

The dashboard enables faster root cause analysis and better operational decision-making.

3. AI-Driven Optimization with Cisco Secure Cloud Control

Recently, Cisco introduced Cisco Secure Cloud Control (SCC), a cloud-based unified security management platform.

With SCC, we gain access to AI-driven operations (AIOps), which provides:

• Rule optimization recommendations
• Identification of overlapping firewall rules
• Policy cleanup insights
• Performance optimization guidance

This AI-assisted intelligence improves firewall efficiency and reduces configuration complexity over time.

4. Flexible Hybrid Security Management

One of the strongest advantages of Cisco is deployment flexibility.

For customers who:

• Prefer a fully cloud-managed model → SCC provides centralized management.
• Require on-premise control due to compliance or data sovereignty → we can deploy Cisco Firepower Management Center (FMC).
• Want both on-prem control and cloud-based AI benefits → we can integrate on-prem FMC with SCC.

This hybrid capability allows organizations to:

• Maintain data control,
• Leverage AI-driven analytics,
• Manage multiple security products under a single umbrella.

This flexibility is a strong differentiator in environments with regulatory or operational constraints.

5. Improved User Experience & Modernized UI

From a configuration standpoint:

• The latest software releases have significantly enhanced the UI.
• Navigation is more intuitive.
• Policy configuration is more streamlined.
• Overall usability has improved compared to earlier versions.

This reflects Cisco’s continuous investment in platform modernization.

Feedback and Improvement Areas – Cisco Secure Firewall (Customer Perspective)

From a customer point of view, there are a few improvement areas observed while positioning Cisco Secure Firewall in competitive scenarios.

1. Dashboard & Visibility Enhancements

Customers often compare firewall dashboards across different OEMs during evaluation.

• Competing vendors typically provide more feature-rich and visually detailed dashboards.
• There is a perception that Cisco dashboards still require enhancement in terms of visualization, consolidated reporting, and built-in analytics.
• Some OEMs advertise additional security capabilities clearly within their publicly available data sheets, making competitive positioning easier.

In comparison, Cisco sometimes references separate documentation or explains how certain capabilities (such as anti-spam or antivirus functionality) can be achieved through integration or ecosystem components rather than native, built-in features. This creates a perception gap during customer discussions.

Improvement Opportunity:

• Enhance dashboard capabilities.
• Clearly articulate feature availability in public documentation and data sheets.
• Reduce dependency on cross-referenced documentation for commonly compared features.

2. Virtual Firewall / Multi-Instance Capabilities in Lower Models

Another competitive challenge relates to virtual firewall capabilities.

• Several OEMs provide virtual firewall (VDOM-like) functionality in lower-end models.
• In Cisco’s portfolio, multi-instance capability typically starts from higher-end platforms such as the 3K series or higher.
• Customers looking for smaller deployments with logical segmentation are often forced to consider higher models, resulting in a price jump.

Competitors also offer:

• Compact hardware models
• Dongle-based firewall appliances
• Smaller entry-level products with virtual segmentation

In Cisco’s case:

• To achieve similar multi-instance functionality, customers must opt for higher-tier models.
• This creates a significant pricing gap in entry-level or SMB deployments.

This pricing difference becomes a key factor when customers compare solutions. If competitors offer a lower-cost model with virtual segmentation, and Cisco requires a higher platform investment, customers may lean toward alternative OEMs.

3. Documentation Gaps – OT Protocol Visibility

In our lab environment, we have deployed Cisco Secure Firewall and are using Application Visibility and Control (AVC) for OT network monitoring.

Observations:

• OT protocols are clearly visible within application visibility.
• The firewall successfully identifies and classifies OT traffic.

However:

• This capability is not clearly mentioned in publicly available documentation.
• When a feature is available and functional, it should be explicitly documented in data sheets and feature guides.

The need for third-party integration depends on what we are looking for. Here I am saying that the integration with Cisco NAC can be done because RTC functionality is only available with Cisco ISE and the firewall integration. For other ecosystems, if we use a NAC solution that is not Cisco, we can still integrate it for user authentication, such as with VPN user authentication. But in that case, we don't achieve the same functionality, such as RTC with other NAC solutions. This is one aspect.

Another part is that if we are using it, it always happens with some NAC solutions because we have Cisco NAC and Cisco firewall; we want consistent policy across the network, whether the user is on-prem or using VPN services. If this is a unified OEM solution, in that case, we require an agent, such as the Cisco Secure Client. That allows us to easily check the posture status of the remote user and connect to the network effortlessly. But if we are using a third-party solution, we can't achieve that.

From a SIEM perspective, certain prerequisites must be fulfilled before integration with Cisco Secure Firewall can be completed. The feasibility of integration depends on the capabilities of the SIEM platform. If the SIEM solution supports the required APIs and event handling mechanisms, similar functionality can be achieved. Therefore, integration itself is generally not the challenge; the key consideration is the desired security outcome within the overall ecosystem.

If the customer does not have a SIEM solution and intends to automate quarantine actions or enforce restricted access for users, a Network Access Control (NAC) solution becomes mandatory. In this scenario, the recommended NAC solution is Cisco Identity Services Engine (Cisco ISE). Automated quarantine and dynamic access control workflows are dependent on NAC capabilities.

From a feature enhancement perspective for Cisco Secure Firewall, deeper NAC-driven integration adds significant value.

1. TrustSec / Tag-Based Policy Enforcement

Cisco ISE supports Cisco TrustSec, which enables Security Group Tag (SGT)-based segmentation.

• In traditional (legacy) networks, firewall policies are created based on IP addresses.
• With TrustSec, policies are defined based on user identity, group membership, and security tags instead of IP subnets.
• When users authenticate to the network, Cisco ISE assigns Security Group Tags (SGTs).
• These tags are shared with Cisco Secure Firewall.
• The firewall then enforces policies based on SGT-to-SGT rules rather than IP-to-IP rules.

Benefits:

• Significant reduction in the number of firewall rules
• Simplified policy management
• Improved scalability
• Easier implementation of role-based access control

This integration enhances operational efficiency and security posture.

2. Rapid Threat Containment (RTC)

Another key capability is Rapid Threat Containment (RTC).

If Cisco Secure Firewall detects malicious activity—such as malware download attempts identified via signature-based or advanced threat detection—it can notify Cisco ISE about the compromised endpoint.

Based on this input:

• Cisco ISE can automatically quarantine the user
• The endpoint can be moved to a restricted VLAN
• Access can be dynamically limited without manual intervention

This automated workflow ensures faster response time and reduces the risk of lateral movement within the network.

3. VPN and Posture Assessment

This functionality is not limited to wired or LAN users.

For VPN users:

• Authentication can be integrated with third-party NAC solutions.
• However, if posture assessment (device compliance checking) is required in addition to authentication, Cisco ISE integration with Cisco Secure Firewall becomes essential.

Cisco ISE enables:

• Endpoint posture validation
• Dynamic policy assignment
• Automated remediation workflows

I have been working with Cisco Secure Firewall for around four to five years.

For Cisco's technical support, I always rate it a ten. It's excellent.

Positive

Implementation Approach – Cisco Secure Firewall

The implementation of Cisco Secure Firewall primarily depends on customer requirements and the selected management approach. Broadly, there are two deployment models:

1. Cloud-based management
2. On-premises management

Functionally, both approaches provide similar capabilities. The difference lies mainly in deployment workflow and management architecture.

1. Cloud-Based Deployment – Simplified Onboarding

When using cloud-based management through Cisco Secure Cloud Control, onboarding a new firewall is straightforward and efficient.

Key advantages:

• Plug-and-play provisioning
• No initial CLI configuration required
• Automatic onboarding to the management platform
• Centralized visibility from the cloud console

The typical process includes:

• Activating the tenant in the cloud management portal
• Completing basic prerequisites
• Connecting the firewall to the network
• Ensuring the device receives an IP address via DHCP
• Confirming internet connectivity for cloud registration

Once connected, the device automatically appears in the management portal and can be claimed without complex manual steps. This significantly simplifies large-scale or remote deployments.

2. On-Premises Deployment – Structured Preparation

For on-premises management using Cisco Firepower Management Center (FMC), the process is similarly straightforward but requires some initial preparation.

Before onboarding the firewall:

• FMC must be installed and fully configured.
• Network reachability between FMC and the firewall must be ensured.
• Registration keys and management connectivity must be prepared.

Once these prerequisites are completed, the firewall can be onboarded and managed centrally.

3. Deployment Timeline & Practical Experience

From our practical experience:

• Basic reachability and initial configuration can typically be completed within 30 minutes to a couple of hours.
• Plug-and-play onboarding significantly reduces deployment effort.
• Advanced configurations—such as production IPS signature tuning, policy optimization, and security rule validation—may require additional time depending on the environment.

Overall, the initial onboarding process is simple and efficient. The time investment primarily depends on the complexity of the security policies and production-level tuning requirements.

Overall Assessment

Cisco Secure Firewall offers:

• Flexible deployment models (cloud or on-prem)
• Simplified plug-and-play onboarding
• Minimal CLI dependency for initial setup
• Scalable management architecture
• Efficient initial configuration timeline

Regarding the impact of the cloud-delivered firewall on my customer's security posture, considering the firewall's deployment in production is crucial. When someone deploys the firewall, they will apply some intelligence and follow best practices to deploy the solutions. But after, the person managing the firewall is sometimes adding rules based on urgency, allowing certain rules that might permit any-any traffic. To mitigate some issues, they forget to disable this rule later. This rule shouldn't remain active in the firewall. This is one aspect they can encounter.

Another issue we face with customers is that they continue with the same configuration without updating new patches. They only update the setup when something happens. This is what sometimes occurs; users don't renew their license subscriptions. If they lack an updated subscription, they won't receive updates for the latest signatures. This will create problems in the live environment. Overall, I would rate this solution an eight out of ten.

My main use cases for Cisco Secure Firewall are to help secure the network and control what we allow in and out of the network.

The benefits of Cisco Secure Firewall's features for my company include giving us more visibility into what's going on when there's either an attack or just normal traffic, allowing us to see what's going through it.

The feature of Cisco Secure Firewall that I appreciate the most is the central management. The central management feature makes it easier to configure once, push out, and replace firewalls when they go bad. It's nice to have one pane of view, one pane of glass. 

I assess Cisco Secure Firewall's ability to unify policies across my environment as definitely easy. We just do it through the one central management and then push it out from there. It is important for our organization to have such a feature. The importance of this feature lies in that it just helps standardize our configuration approach, allowing us to ensure that our ideas get pushed out to everything.

Cisco Secure Firewall could be improved by providing more visibility, especially regarding encryption, to be able to see what's in those traffic flows. More application visibility would also help; it knows about certain types of traffic yet not everything. It would be awesome if it knew everything. 

To make Cisco Secure Firewall a better product or a perfect product, visibility is a good improvement area. You sort of have to know the product to use it, so user and technical improvements should aim for simplicity. There's so much it does that I don't know how much more simple it could go, so I'm not sure what really could be improved.

My impression of Cisco Secure Firewall's visibility and control capabilities in managing encrypted traffic is that somewhat limited. Most tools seem to be limited on encrypted traffic, so we don't get too much visibility into it—just the general type of traffic, not too much more than that.

We've been using the solution for at least 15 years.

The stability and reliability of the Cisco Secure Firewall platform are very good; it's rock solid and has always just done its work.

Cisco Secure Firewall is growing and handling everything we ask it to do, so it's performing that part effectively.

I evaluate customer service and technical support of Cisco overall as good; it's definitely one of the better companies to work with.

Positive

While using Cisco Secure Firewall, we did consider other solutions. We recently upgraded all of them to the latest edition of Cisco, and we looked at Palo Alto and other tools at that time, but those firewalls have been in place for about 15 years. I don't know what happened when we initially put them in, but we did do an evaluation three years ago and decided to stay with Cisco.

The deployment seems to go well. I'm not the one personally doing it. That said, the guys I tell to do it get it done when we need it done.

I don't see a return on investment with Cisco Secure Firewall; it's more of a needed tool, just something we need to do to get business done, so I'm not really looking at it as a tool that would give us an ROI.

My experience with the pricing, the setup cost, and the licensing of Cisco Secure Firewall has been what I expect; I'd always prefer it cheaper, but nothing too exorbitant.

Familiarity was the biggest reason for staying with Cisco; everybody knows how to use the Cisco CLI, so it wasn't worth the effort to swap out, as there were no big benefits from other solutions.

I'm not sure if there are any new features or functionalities that I have tried recently in Cisco Secure Firewall; it's just been doing its work for a while now. 

I don't really use a cloud-delivered firewall as of today, so the only effect of not looking at it is speed. We're looking for the best performance we can get, and cloud usually isn't that. Cisco Secure Firewall helps us along the path to implementing a zero-trust security model, but there are a lot of tools and different paths to cover, so it's just really one tool in the arsenal.

On a scale of one to ten, I rate Cisco Secure Firewall an eight.

On-premises

The challenges during the implementation of Cisco Secure Firewall mainly involve the complexity of the rules to be migrated or the complexity of the scenarios to be implemented, which are related to OT scenarios and disconnected environments.

I benefit from using Cisco Secure Firewall mainly because at least 99% of my customers have a Cisco environment, including switching and routing, making it easier to integrate with other Cisco components than with other vendors.

The impact of a cloud-delivered firewall on my organization's security posture depends on the environments I manage, which are primarily disconnected and focused more on industrial security rather than the cloud. While traditional IT recognizes that the delivery of cloud services is beneficial, comparing it to Azure Firewall, Google Firewall, or AWS Firewall shows that they are not true firewalls but rather sets of rules that do not work perfectly. From my perspective, it is better to add Cisco Secure Firewall for proper coverage.

The best features of Cisco Secure Firewall that make it distinct from the rest of the vendors are mainly its Layer 4 capabilities, as it is the best in routing and switching mode, along with the way Cisco Secure Firewall works in disconnected environments.

The deployment for Cisco Secure Firewall takes no more than six to eight hours, but the fine-tuning of the solution typically takes four or five days.

Using Cisco Secure Firewall is financially beneficial as it provides clear settings for all members managing the solution, making it easy to teach the engineering team how it works and how to configure it, ultimately reducing the time needed to apply policies or make changes in the infrastructure.

I have not noticed any significant drawbacks or weak points in Cisco Secure Firewall. The deployment is not complex, but the complexity arises during fine-tuning due to customers migrating from other solutions, as copying and pasting rules is not the same across all vendors, which necessitates fine-tuning. This can be a pain point when lacking tools to assist in the migration process.

I would assess Cisco Secure Firewall's ability to unify policies across environments as complex, since different customers have varying situations. Some wish to consolidate rules in the same place, while others prefer different rule sets in different locations.

I have been working with Cisco Secure Firewall for around 20 years.

My thoughts about the technical support of Cisco are positive. The times I have opened a ticket, the support has been responsive, and for incidents rated P up to P3, the responses have been satisfactory. I have not needed to open a P2 or P1 incident.

I would rate Cisco's technical support a nine out of ten.

Positive

The number of people involved in the process depends on the customer. Sometimes I am alone doing the task, but there are times when I define the task and the customer team handles it, which can involve three, four, or six people, depending on the customer.

I am focused mainly on the security part, utilizing all of the tools such as Palo Alto, Fortinet, Check Point, Sophos, CyberArk, Delinea, Netskope, Splunk, and all the security suite from Microsoft.

I am working with both on-premises and cloud deployment models.

I have not used any new features or functionalities recently in Cisco Secure Firewall, as it usually functions as a Layer 4 firewall without applying any filtering or inspection.

My experience with the licensing model indicates that for a long time, I believed the price was reasonable, but currently, I am uncertain as all services I purchase are directly from the customer while I act as a consultant, not purchasing any components myself.

I would rate this product a nine out of ten overall.

On-premises

Other

My main use cases for Cisco Secure Firewall include certain requirements from the energy sector, NERC CIP compliance, acting as a perimeter security device, doing layer three routing for us, and VLAN segmentation, as well as creating DMZs.

These features benefit my company by reducing my troubleshooting time, and in the energy sector, time is money, so it does help. The time reduction depends on how quickly someone gets used to it.

The feature of Cisco Secure Firewall I prefer most is troubleshooting, packet capture, and packet tracer; I love those features.  

You can quickly run certain commands on CLI or on FMC CLI to find out what could be the root cause, and it varies from person to person, but it's very useful.

I prefer Cisco since it has been here for a very long time, we have a good relationship with the sales team and Cisco representatives, and the support is pretty good, providing us with 24/7 support, which makes me pretty happy.

Cisco Secure Firewall in helping my company implement a zero-trust security model. I've yet to try it, however, I'm very excited to work on it. My impression of the visibility and control capabilities of Cisco Secure Firewall in managing encrypted traffic is pretty good. We can build site-to-site tunnels and various ways of site-to-route based or policy-based, allowing us to see the packets and cap decaps, and Cisco CLI provides a way to see the packets inside, which is very helpful.

Cisco Secure Firewall's licensing model can be improved, as I struggle with it in an air-gapped environment. To make it a ten, a couple of challenges need to be addressed, particularly with the licensing model, as I'm looking for a permanent license solution for air-gapped environments. 

The second issue is the ROMmon mode, where during power outages the firewalls go into ROMmon mode, causing outages and financial loss until we can send someone on-site.

I have been using Cisco Secure Firewall for almost six years.

The stability and reliability of the platform are pretty stable. 

The only challenge I see is with the substation, where when it loses power and there's no manual reboot, it ends up in ROMmon mode and requires a physical reboot, which means we have to send somebody on-site. It does not pick it up when the power goes out and comes back up, going into ROMmon mode, so I need better answers from Cisco about that.

I'm not sure how Cisco Secure Firewall scales with the growing needs of my company.

My experience with customer service and technical support has been good. If I were to rate customer service and technical support on a scale of one to ten, I would give them an eight.

Positive

In the past, we have used other solutions such as Palo Alto and other vendors. I am more of a Cisco person and prefer Cisco.

My experience with the deployment of Cisco Secure Firewall is that it's pretty straightforward.

The biggest return on investment for me when using Cisco Secure Firewall is reliability and robust network design.

Regarding pricing and setup costs, apart from the licensing issue, Cisco products are on the pricier side. That said, they're worth it. We have over 500 substations plus our data center just on OT, and everything is Cisco, so we are a core Cisco customer, and as long as the product is reliable, it's worth every penny.

We did consider other solutions before choosing Cisco Secure Firewall.

I'm not sure how Cisco Secure Firewall's ability to unify policies across my environment is, as I haven't tried that. 

I am not using Cisco SecureX with Secure Firewall; I'm using FMC for centralized management for the firewalls.

The impact of the cloud-delivered firewall on my company's security posture is tricky. For compliance, we are not supposed to have anything cloud-based, so it must be on-prem. We're a big company and we can use it in some other parts of the network, just not for my team.

Overall, I would rate Cisco Secure Firewall an eight out of ten.

We bundle Cisco Secure Firewall with our telco offerings as a service provider. We bundle it basically with Meraki.

We have received good feedback from our engineers. It helps them with their day-to-day operations. I need to get some more input on specific items they need to gather more information about, but so far, there are no issues.

Regarding Cisco Secure Firewall's ability to unify policies across our environment, I haven't heard any particular issues from our engineers.

The feature of Cisco Secure Firewall that I appreciate the most is its ability to be used via the cloud, so we don't have to deploy service engineers on-site at any time. 

Since telcos just provide basic connectivity, bundling Cisco Secure Firewall has actually allowed us to gain more value for our customers and level up versus our competitors. It helps our customers even more because they don't have to worry about cybersecurity issues, as we put it out of the box.

We found something that prevented us from using it and integrating it a few years back, so they should really have a discussion about improving those aspects. More specifically, it's related to cybersecurity technical details. Implementing a zero-trust security model is what we need help with. We're making progress. We have different types of security for our native applications, but we're slowly looking into what Cisco can deliver. We tried to look into Z3 models before, but our cybersecurity team found some issues where it was lacking. They found some bugs or loopholes, so we wanted Cisco to address these before we fully roll out the solution. We're trying again, and hopefully, with Cisco's updates, it will be acceptable to us in the near future.

We've been using Cisco Secure Firewall since 2016.

Cisco Secure Firewall covers roughly our 2,000 employees really effectively. It's just a matter of expanding the requirements and infrastructure requirements with AWS, and I believe Cisco has some integrations that allow us to use that scale to our advantage.

My opinion is somewhat biased because we have access to Cisco's TAC, and we are very much managed by our Cisco Philippines company team. I'd give them a nine out of ten.

Positive

The biggest return on investment when using Cisco Secure Firewall is that there's no waste in any infrastructure cost and licensing costs for us. If we have to repurpose a specific box per year, we could save on cost by just transferring it to another person or project rather than pay another one-year license for it.

The pricing is very good for us, especially since we have a partnership with Cisco. The challenge is the licensing. There are competitors that offer more flexible licensing, such as daily licensing, some offer hourly, but Cisco is locked in for one, three, and five years. We don't have much flexibility, especially if we want to shift applications or shift users at any time. Hopefully, licensing becomes more flexible.

There were solutions from Fortinet. The main difference between Cisco and Fortinet is that Cisco will have more flexibility. It's just a matter of being able to put together the flexibility that we require versus what Cisco can provide at this time.

The impact of the cloud-delivered Cisco Secure Firewall on my company's security posture involves some hesitation because it's on the cloud, but we're slowly adopting certain parts of it for our cybersecurity team. We're undergoing that transition and don't have full visibility yet on how they see that as a future mode of operations versus what other companies are doing globally. 

I would rate Cisco Secure Firewall an eight out of ten. 

Public Cloud

I primarily use Cisco Secure Firewall for two main purposes. The first is perimeter security, particularly for all locations, especially data centers where we determined that SASE would be overkill. I secure all traffic from the firewalls for servers hosted in data centers, with a small group of users working and having their internet egress out of data centers. Perimeter security for secure internet access is the predominant use case.

The second purpose is segmentation. We have different zones depending upon the criticality of applications. We have a DMZ, an internal DMZ, and other zones. The primary task is to ensure that whenever there is a difference in the trust level from one zone to another, we have a firewall in between. These firewalls provide next-generation advanced threat prevention, firewall rules, stateful firewall rules, and we use Snort 3 for IPS/IDS detections. We are using all the features that Cisco Secure Firewall has to offer.

For all inline traffic, Cisco Secure Firewall definitely delivers. The IPS engine is based upon a Snort 3 license and uses signature-based scanning. Behavioral detection exists to an extent, but it is not an ideal replacement for a traditional NDR (Network Detect and Response). It does not do AI-based modeling at the same level as traditional NDRs, but it is definitely decent. All signature scanning looks at the traffic, and if decryption is applied, post-decryption scanning examines the payload and matches signatures. If a signature is found, an alert is generated. It is a good solution, though not Suricata, but Snort 3 works differently and gets the job done.

Cisco Secure Firewall is a next-generation firewall, and you must leverage all that can be leveraged for preventing lateral movement attacks and all these things that traditional security rules and firewall rules cannot address. Snort 3 and adaptive security bring behavioral and anomaly-based detections. Again, this is not as elaborate as NDR, but it is designed as a firewall and does the job effectively.

Cisco Secure Firewall provides deep packet inspection, so I get deep visibility into every single packet. If attackers or insiders are smart enough to change the protocol behavior or tunnel the traffic through DNS tunneling or similar methods, the firewall can easily detect them. Deep packet visibility and deep packet inspection are crucial, as that is where it all starts. Additional features include DNS security and advanced IPS (NGIPS), which perform signature-based scanning. These feeds are updated in real time by Cisco Talos and integrated across all firewalls. While I would not say this protects against zero-day attacks, it is very close. It helps with lateral movement-based attacks because of the segmentation these firewalls enforce. It definitely cannot help with TLS 1.3, as no firewall can. There are many nuances involved. The key valuable features are deep packet visibility and inspection, the ability to enforce at all layers of the server model, and the ease of applying signature-based scanning along with behavioral-based detection, though not extensive.

Regarding integration options with user IDs, with the emergence of zero-trust network access and new paradigms, you must configure policies based upon who the user is and not IP addresses. Cisco Secure Firewall does support this and can integrate with Active Directory and Entra ID. However, based on my comparisons with Palo Alto next-generation firewalls, which I work with extensively, the number of options available with Palo Alto is quite extensive. You can integrate with any identity provider, but with Palo Alto it is not just traditional LDAP server and user ID and IP mapping constructs. There is room for improvement in this area.

Based on my experience with Palo Alto and a couple of its competitors, there is room for improvement with the integrations with identity providers. The number of options and integration partners available with Palo Alto is more extensive compared to Cisco Secure Firewall. This is not because Cisco lacks these capabilities, but rather because other vendors are doing better things in this area. However, this is on Cisco's roadmap. I had contact with their sales teams and alliance teams, and they have these improvements carved out in their roadmap.

Cisco Secure Firewall evolved from Cisco ASA, and then Cisco purchased Sourcefire. They integrated ASA with Sourcefire, and now they have Firepower. The current form of Cisco Secure Firewall represents this evolution. I have worked with Cisco Firewalls since 2013 or 2014.

When Cisco acquired Sourcefire and turned it into Firepower, it was a very problematic device. We had challenges every single day, with connectivity issues between the firewall and FMC (the management plane). The connection used to break, and we had to perform upgrades. Feature releases used to cause issues. Lately, this has not been the case.

It was really problematic back then. Lately, we have not had significant service outages. The firewall is stable now. There are multiple firewall clusters that we have not rebooted in more than a year, which speaks volumes about stability. We receive regular feature releases and upgrades, and we get security advisories. Cisco has definitely done an excellent job in the last two to three years. Before that, it was not a very good product, and many places were moving away from Cisco Firewalls to Palo Alto or Fortinet due to stability issues. Currently, if I were purchasing Cisco Secure Firewall because I already have a Cisco footprint, I would not hesitate based upon stability alone.

Given the business we run, I do not think we have hit the bottleneck yet. Every time we detect a potential issue, we proactively monitor performance and have thresholds clearly demarcated. If traffic crosses a particular threshold, we provision a new instance. Until now, we have not hit those hard limits where we are helpless and unable to scale out. It still works for us. However, if we were handling several hundred gigabits of outbound or east-west traffic, I would think harder and look for better designs and a more distributed approach rather than using a single cluster and forcing it to scale out indefinitely. That is more of a design consideration. In our current context, we have not hit those thresholds. There are a couple of on-premise locations where we did hit limits, but that was because we sent out more traffic than we planned for, and we simply had to replace those devices. That is not a product problem.

Cisco Secure Firewall offers many deployment options depending on the architecture and functionality required. If it is a cloud deployment, you can achieve native load balancing with active-standby, active-active, and active-active configurations with cloud-native load balancers such as AWS Gateway Load Balancer or Network Load Balancer. The same deployment options apply to Azure and GCP. Cisco offers cloud firewall functions where they provide templates and onboarding options to spin up firewalls and scale them out as part of auto-scaling instances. These capabilities are on par with what competitors are offering. On-premise deployments, of course, are hardware-based, and you can achieve active-active and active-standby configurations. This depends on latency requirements, security requirements, and the capabilities you want to leverage. Proper sizing is essential. Cisco Secure Firewall is highly scalable in cloud environments. On-premise deployments are bound by the restrictions inherent to all hardware firewalls, but with proper sizing, they perform fairly.

One of my clients did deploy cloud firewalls on AWS, and I believe they did the same for Azure Marketplace. I am not certain about the specific pricing, but it is clearly outlined. You can choose between BYOL (bring your own license) or pay-as-you-go models. During unit testing and the initial PoC, we selected pay-as-you-go. Later, the client teams purchased from AWS Marketplace and leveraged committed spend with AWS to acquire the cloud firewall clusters. This option is available.

Based on my experience with Palo Alto and a couple of its competitors, there is room for improvement with the integrations with identity providers. The number of options and integration partners available with Palo Alto is more extensive compared to Cisco Secure Firewall. This is not because Cisco Secure Firewall lacks these capabilities, but rather because other vendors are doing better things in this area. However, this is on Cisco's roadmap.

I manage a few dozen firewalls, close to 100 in total. You cannot manage each firewall manually, especially if you have local IT teams scattered across locations. It would be too much work. Centralized management attempts to align with what Gartner describes as a hybrid mesh. You hook the firewalls to the centralized management and integrate them with the device management platform. All you have to do is manage your security policies, rules, IPS signatures, and configurations from that central console. You can also take backups, restore them, and if you want to replace a device, you do it from this same console. This definitely reduces administrative overhead, costs, and the number of people you must employ to manage your firewall infrastructure.

The time we need to spend to triage any incidents or potential events is significantly reduced. Before events become incidents, we already have complete insights into who or which IP or source was attempting to reach what, whether it was crypto mining, and we receive all details about the category of URLs or endpoints on the internet the user was trying to access, including whether they were suspicious or potentially benign. The ability to classify these is crucial, and nothing can be done without Talos. However, you must size your firewall properly, because you are ingesting all these feeds from Cisco Talos, and if your firewall is a small model or not sized perfectly, performance can become unstable. You must perform capacity planning well. All third-party threat intelligence feeds vary in quality, but Cisco Talos is definitely one of the most mature threat intelligence feeds that has been around for quite some time and has a decent reputation.

Based on quotes I have seen in the last couple of months, Cisco Secure Firewall is fairly priced. I sometimes find Palo Alto is more expensive than Cisco. Of course, the money you pay is for the capabilities you get. If it is an apple-to-apple comparison, Cisco Secure Firewall is fairly priced. I have no concerns about the pricing. My overall rating for Cisco Secure Firewall is 7.5 out of 10.

My main use cases for Cisco Secure Firewall are mainly user access to the internet and blocking firewall sites.

With the centralized management of Cisco Secure Firewall, it's good in unifying policies across my environment. The simplicity and supportability are important to my organization as it's much easier if everything's the same as much as possible.

I appreciate that the central management of Cisco Secure Firewall is from one location, which saves a lot of time. 

The IPS protection is good for us for security reasons. 

The central management feature of Cisco Secure Firewall saves one location instead of having to log on to multiple locations, which speeds up deployment of any changes or requirements for monitoring.

The upgrading process of Cisco Secure Firewall is a long process on a per-firewall basis, and it would be nice if that could be improved. One firewall can take two to two and a half hours to upgrade, so we end up having to watch it. It becomes a problem; in the old firewall days, it would be about a ten-minute job. I know it's more complicated with the newer firewalls. It's just a long-winded process even if they have sorted it out a little bit with automation.

I have been using Cisco Secure Firewall for probably about eight years.

I have not had one Cisco Secure Firewall fail so far, which shows it is stable and reliable. Right now, I have not experienced any downtime, crashes, or performance issues with Cisco Secure Firewall.

Cisco Secure Firewall scales with the growing needs of my organization, as we have different models and sizes, and our central boxes are powerful enough to cover whatever we want whenever we want.

My evaluation of customer service and technical support for Cisco Secure Firewall is that I have generally hardly ever had to use them. We did two weeks ago, and it was a very quick response that identified exactly where the issue in our configuration was. 

Two weeks ago, I received a very quick response from customer service, which identified exactly where the issue on our configuration was, and it went very smoothly, so out of ten, I would give it a nine.

Positive

Prior to adopting Cisco Secure Firewall, I was also using previous Cisco firewalls, and before that, we had Fortinet and Juniper.

The factors that led me to consider the change to Cisco Secure Firewall were actually price, as Cisco's was a very competitive price, and we received a very good deal.

My experience with the deployment of Cisco Secure Firewall has been generally okay.

I have seen a return on investment with Cisco Secure Firewall since we run them for a long time. 

Our current Cisco Secure Firewall units have been in place for probably over three years now, and at the moment, we're not looking to replace them, indicating a good return on investment since they last and are supported quite a long time after they're released.

My experience with pricing, setup costs, and licensing for Cisco Secure Firewall shows it can be expensive, especially the bigger boxes, since they do a lot more and handle a lot more, with a big jump from the smaller firewalls to the big firewalls.

The other solutions I considered before selecting Cisco Secure Firewall include Fortinet, Juniper, and Palo Alto. We're generally a Cisco house and have been for quite a few times with the old Cisco firewalls, so it was a natural progression. 

We did not purchase the product on AWS Marketplace.

We actually don't do that much encrypted inspecting traffic at the moment with Cisco Secure Firewall, which is something we want to look at. We just want to make sure we don't max out the CPU with the many jobs it does. Cisco Secure Firewall will be a building block part of our zero-trust security model, however, there will be a few other parts needed, such as Cisco Secure Access. 

I have not really expanded the usage of Cisco Secure Firewall. My advice to other organizations considering Cisco Secure Firewall is that it does what it says on the tin; it works, it's reliable, and I have never had one fail, so I think it's good. 

On a scale of one to ten, I rate Cisco Secure Firewall a nine.

My main use case for Cisco Secure Firewall is only as a VPN concentrator.

The only feature I find most valuable in Cisco Secure Firewall is the VPN concentrator because we use it.

The only real benefit I realize from using Cisco Secure Firewall in this use case is that it's a different vendor, so a different attack vector.

A significant drawback for Cisco Secure Firewall is the ASA software, as I have not used the Firepower software yet. The ASA software has a GUI that is extremely ugly and appears to be made in the 1980s. At 28 years old, I am not accustomed to working with something that primitive.

The update procedures do not work, and the VPN creation wizard does not work. The GUI is useless for me and frustrates me to a very high degree, which led me to switch to the CLI for configuration.

I have been using Cisco Secure Firewall for three years.

I assess the stability and reliability of this firewall as both very good. I have had no issues with stability, as once they run, they run.

Since I am not using Cisco Secure Firewall for very heavy operations such as IPS or other intensive features, it scales quite well. We have two Firepower 1150s, and we are far under the limit of what our organization needs, so it scales well with our needs.

I have used Cisco support extensively, and I used it for this product once because during the setup there was an issue with the licensing, and I needed Cisco support to help me with the licensing for the ASA.

I am always satisfied with the level of support that I received. On a scale of 1 to 10, it is a 10 because they are reactive and effective. That is all we ask for in support.

Positive

We could accomplish this with another vendor such as Palo Alto, where we would not have to pay for licensing.

When I use the CLI, everything works quite well. I attempted to do everything with the GUI at the beginning, but nothing works. I managed to set up the HA pair with no issues once I used the CLI.

We are using quite a few other vendors for firewalls, and I do not think I can disclose which firewall we use where, but we use other major vendors such as Fortinet, Palo Alto, and Check Point. We have a bit of everything in our portfolio.

If it was my choice, I would have put another firewall there with something easier to configure, more straightforward, and a cleaner interface to maintain it.

My honest advice for someone who is evaluating Cisco Secure Firewall based on my experience would be that if you can get something else, go for something else. If you are going to use it, then use the CLI because the GUI is not usable. If I had the choice, I would not be using Cisco Firepower or ASA on top of it because in my opinion and the opinion of my colleagues and my management, it is not the best device for the role it is playing.

My overall rating for Cisco Secure Firewall is 5 out of 10.

On-premises

I have been working on Cisco Secure Firewall since the ASA hardware, not the new FTDs with ASA operating system. For the FTDs, I have been working on them for approximately 10 years.

All of our deployments of Cisco Secure Firewall are currently on-premise.

The stability of the firewall and the way our customers feel about their services and service continuity are critical for our banking customers, as services are very crucial for this type of business.

Cisco Secure Firewall excels on the perimeter; however, the biggest area where you can see the difference between Cisco and other vendors is actually in the data center.

One of the main features I appreciate is the cloud management, which we have had for approximately one year. In version 7.6, we now have the AI assistant, which helps with configuration by automatically reviewing and analyzing what policies are being used and which are not. Additionally, Cisco continues to improve their firewalls with capabilities such as throughput that are becoming increasingly impressive. The same small firewall in size now comes with much greater capabilities, and the configuration deployment and changes are becoming smoother and smoother.

Cisco has something special when comparing it to other firewalls. It has a large portfolio of products that provide extensive integration capabilities and visibility. Meanwhile, other companies may have a vast portfolio, but the stability of the firewalls and how much a customer can rely on them is where Cisco stands out. Mixing these two aspects is what I consider a significant advantage.

Cisco Secure Firewall is very scalable, and I have options in deployment, especially for clustering, where I think in the latest hardware, I can deploy a cluster of six or more. Additionally, they have many sizes available, such as the 200, 3000, 4000, and 6000 series.

Two years ago, I could mention feature X as something I valued, but in every major release, Cisco always surprises me with new features. In every major release, I am surprised and receive nice new features.

Right now, I do not have anything specific in mind that I would say needs improvement, but it is actually improving constantly.

AI is indeed moving very fast. Cisco has already started to integrate and focus on AI, not just in the firewalls but in everything. However, this will need more improvement because AI is advancing quickly.

I have been in networking since 2012, which is approximately 14 years ago.

The stability and service continuity are the most important return on investment that any company or organization can get from Cisco Secure Firewall solution because losing services translates to losing money.

I can say it is just a few times we have cases on the FTDs, but I do not think that there is another vendor that can provide this reliability for the data center.

In the early days of Firepower, we had some issues; however, this has improved significantly over a couple of years. The hardware and software have become more reliable, faster, and user-friendly.

My experience with Cisco's customer service and technical support has been excellent. Since my beginning in networking, Cisco is number one in support, especially in after-sales. Even as an integrator, this advantage is significant for us as Cisco partners, and we often discuss how great Cisco support is.

Negative

I have worked on other firewalls, such as Palo Alto and Fortinet.

Deploying Cisco Secure Firewall was harder in the early days, but today it has become very easy. Cisco can support me with the necessary tools to migrate, making the process easier now.

For me, working for an integrator, it is mostly about reputation. The stability of the product gives the vendor, Cisco, and their partners a good reputation. The customer feels that this product is good, this vendor is good, and this partner is good, which extends to the technical engineer as well.

The stability and service continuity are the most important return on investment that any company or organization can get from Cisco Secure Firewall solution because losing services translates to losing money.

Taking a general look at the main competitors of Cisco, the pricing is not high and not low. It is approximately in the middle.

I have worked on other firewalls, such as Palo Alto and Fortinet.

My advice to other companies considering Cisco Secure Firewall is to give it a try. Some companies stick with a vendor, but as an integrator with some experience with Cisco insiders, I recommend giving it a try. Cisco always offers demos, including virtual firewalls. Give it a try, and you will appreciate it. I would rate my overall experience with this product as a 10.

On-premises

Other

In terms of security, Cisco Secure Firewall is very reliable, especially when clients are up to date and run their security updates regularly. It is one of the greatest solutions for security in terms of networking. It is very easy to use, aside from being somewhat costly compared to other firewalling solutions. Cisco has been in existence for a while compared to other firewalling devices, which makes it more expensive. It is very easy to use, especially when you have hands-on experience with any of Cisco's devices before. You do not even need to probably take higher professional courses before you can manage it, especially if you can learn easily. For me, I learn quickly and I approach anything with the understanding that nothing is impossible, though it might take some time.

Because we have a centralized solution that manages all of our Cisco Secure Firewall and Cisco devices within the network, and IHS spreads across more than 10 countries, all of which communicate together using the same devices, we can push policies centrally from the central management system to all the Cisco Secure Firewall devices and the policies take effect immediately.

We have been using Cisco Secure Firewall since 2015, which is when I joined IHS. Currently, I cannot remember the exact name because it has been a while since I logged into that environment, and I have already resigned from IHS to work as a consultant. We are using Cisco AnyConnect for our VPN, to be precise. We majorly use the VPN because all of our clients are on VPN, so whenever they want to connect to any of the resources from outside the network, they connect through the VPN.

The major improvement so far is that everything has moved from a black screen interface to a GUI that you can easily use. It is not necessary to do everything on a black screen. Aside from the price constraint, I do not really see much in terms of the disadvantages of this product. Although everything has advantages and disadvantages, the major disadvantage is the cost, which is why many people in the industry are moving to products like Check Point or Sophos because they are cheaper compared to Cisco Secure Firewall.

The major improvement needed is the GUI interface. Most of the new generation firewalls actually come with a GUI where you can do whatever you want to do without running a command, and they give that privilege. I believe Cisco Secure Firewall has already probably introduced that, as from the Cisco centralized application, you can manage many things, push many configurations, and do many things. However, they need to do more so that it is not necessary to give access to the black screen as in the core device to your users before they can do certain things. From the GUI interface, they should be able to do certain things. It creates a kind of restriction, and it is only when it is necessary that you probably launch the GUI or SSH to that device that users do whatever they need to do.

I have been using Cisco Secure Firewall since 2015, which is when I joined IHS.

Reliability is superb because we usually have monthly maintenance on all of our devices. Because all of our devices are on HA, we test the high availability and run any patches that need to be run. So far so good, it is reliable because there has never been a time when we have had a failover test that we ran into a problem.

Cisco Secure Firewall is scalable.

Technically, Cisco covers a lot.

Positive

Currently, I do not use any other firewalling solutions. I think the other HP product I probably worked with is not used anymore.

I might not say because I cannot compare my own experience with other people's experiences. For people like me and probably the majority of my team, we do not find it difficult to implement or deploy. However, for some new generation people that are just coming to the industry, they might find other firewalls very easy and straightforward in terms of deployment because they cannot be compared to Cisco Secure Firewall devices. For me, probably based on my years of experience, I do not find any challenges in terms of deployment.

The implementation team was effective.

Of course, what we are getting from Cisco Secure Firewall is worth it. There is always a return on investment because you find you invest heavily, but your environment is secure and then you are at rest; you do not need to panic. Even if attackers are coming, you know you will be rest assured that you are covered. Although other firewalls are okay, they cannot be compared to Cisco Secure Firewall.

The setup cost is somewhat high compared to other firewalling solutions.

I have a different job title now as I am doing more consulting work.

For instance, we have some resources on Azure, and when it comes to security posture on Azure, I take about more than 50% of it because I am in charge. When it comes to cloud security, we do not really have full control 100%, unlike when you have your firewall on-premises where you are the alpha and omega of the solution and these devices. You can do whatever you want to do. However, cloud security gives a kind of platform whereby you have some limitations because you do not have physical intervention to that device.

Aside from that, it is very easy to use, especially when you have hands-on experience with any of Cisco's devices before. You do not even need to take higher professional courses before you can manage it, especially if you can learn easily. For me, I learn quickly and I approach anything with the understanding that nothing is impossible, though it might take some time. My overall rating for Cisco Secure Firewall is 9 out of 10.

Hybrid Cloud

Microsoft Azure