Coming October 25: PeerSpot Awards will be announced! Learn more

Cisco ASA Firewall OverviewUNIXBusinessApplication

Cisco ASA Firewall is #4 ranked solution in best firewalls. PeerSpot users give Cisco ASA Firewall an average rating of 8.4 out of 10. Cisco ASA Firewall is most commonly compared to Fortinet FortiGate: Cisco ASA Firewall vs Fortinet FortiGate. Cisco ASA Firewall is popular among the large enterprise segment, accounting for 51% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a comms service provider, accounting for 32% of all views.
Cisco ASA Firewall Buyer's Guide

Download the Cisco ASA Firewall Buyer's Guide including reviews and more. Updated: October 2022

What is Cisco ASA Firewall?

Cisco ASA Firewall is a security device that combines firewall, intrusion prevention, virtual private network (VPN), and antivirus capabilities. Its main purpose is to provide proactive threat defense to stop attacks before they spread through the network.

Cisco ASA Firewall Features

Cisco ASA Firewall has many valuable key features, including:

  • Intrusion prevention system (IPS): Cisco ASA Firewall’s IPS provides contextual awareness.
  • Advanced threat protection: Gain protection against zero day threats (based on using global threat intelligence) .
  • Rapid threat containment: With Cisco ASA Firewall, you can proactively mitigate risks. If a threat is detected, additional security policies are applied to other network devices for increased protection.
  • High availability: Cisco ASA Firewall offers high availability for high resiliency applications
  • Integrated IPS, VPN, and unified communications capabilities
  • Multi-node clustering
  • Multi-site
  • High performance

Cisco ASA Firewall Benefits

Some of the benefits of using Cisco ASA Firewall include:

  • Superior protection from threats through CSC, IPS, and the like.
  • Better pricing means that TCO is reduced. 
  • High performance levels that can be scaled to achieve 10+ Gbps.
  • You can deploy new applications easily over secured layers.
  • Identity-based access helps you access business resources.
  • Identity-based access can be integrated with other services, such as LDAP and Microsoft Active Directory.
  • By implementing Cisco ASA Firewall, IT resources are freed up.
  • Because Cisco ASA Firewall offers effective prevention, your spyware cleanup costs decrease.

Reviews from Real Users

Below are some reviews and helpful feedback written by Cisco ASA Firewall users.

A Cisco Security Specialist at a tech services company says, “All the features are very valuable. Among them is the integration for remote users, with AnyConnect, to the infrastructure. All the security through that is wonderful and it's very easy. You connect and you are inside your company network via VPN. Everything is encrypted and it's a very good solution.” He goes on to add, “The intrusion prevention system, the intrusion detection, is perfect. But you can also integrate Cisco with an IPS solution from another vendor, and just use the ASA with AnyConnect and as a firewall. Cisco ASA also provides application control. You can block or prevent people from going to certain applications or certain content.”

Jonathan M., Head of Information Communication Technology at National Building Society, comments, "The benefits we see from the ASA are connected to teleworking as well as, of course, having the basic functionality of a firewall in place and the prevention of attacks. The standard reports allow us to constantly monitor our environment and take corrective steps.

Eric H., CEO at NPI Technology Management, explains, “The command-line interface is really useful for us. We script basic installations and modifications through the command-line, which is considered sort of old school, and yet it allows us to fully document the changes that we're making due to the fact that we can save the exact script that was applied and say, "Here are the changes that we made."

Cisco ASA Firewall was previously known as Cisco Adaptive Security Appliance (ASA) Firewall, Cisco ASA NGFW, Cisco ASA, Adaptive Security Appliance, ASA, Cisco Sourcefire Firewalls, Cisco ASAv.

Cisco ASA Firewall Customers

There are more than one million Adaptive Security Appliances deployed globally. Top customers include First American Financial Corp., Genzyme, Frankfurt Airport, Hansgrohe SE, Rio Olympics, The French Laundry, Rackspace, and City of Tomorrow.

Cisco ASA Firewall Pricing Advice

What users are saying about Cisco ASA Firewall pricing:
  • "Cost-wise, it's in the same range as its competitors. It's likely cheaper than Palo Alto. Cisco is affordable for a large organization of 500 to 1,000 users and above. You need a Cisco sales partner or engineer to explain to you the licensing aspects."
  • "I think Cisco's price is in the right space now. They have discounts for customers at various levels. I think they're in the right spot. However, Cisco can be expensive when you factor in these additional features."
  • "It is more expensive than the other solutions."
  • "Once you know what the product is, it is not that bad. Yes, it is expensive. When you try to get a license, it is like, "Well, I don't know which one of these I need. And, if I don't buy it now, then I will probably be back later. Now, I have to justify the money." Typically, you end up just buying everything that you don't use most of the time. It is one of those solutions where you get what you pay for. If you don't know what you need, just buy everything. We have additional licenses that we don't use."
  • Cisco ASA Firewall Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Paul Nduati - PeerSpot reviewer
    Assistant Ict Manager at a transportation company with 51-200 employees
    Real User
    Top 20
    Includes multiple tools that help manage and troubleshoot, but needs SD-WAN for load balancing
    Pros and Cons
    • "I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are."
    • "A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition."

    What is our primary use case?

    We have two devices in Active-Active mode, acting as a perimeter firewall. It is the main firewall that filters traffic in and out of our organization. This is where there are many rules and the mapping is done to the outside world. We use it as a next-generation firewall, for intrusion detection and prevention.

    It's also linked also to Firepower, the software for network policies that acts as our network access control. 

    How has it helped my organization?

    I find it very useful when we're publishing some of our on-prem servers to the public. I am able to easily do the NATing so that they are published. It also comes in very handy for aspects of configuration. It has made things easy, especially for me, as at the time I first started to use it I was a novice.

    I have also added new requirements that have come into our organization. For example, we integrated with a server that was sitting in an airport because we needed to display the flight schedule to our customers. We needed to create the access rules so that the server in our organization and the server in the other organization could communicate, almost like creating a VPN tunnel. That experience wasn't as painful as I thought it would be. It was quite dynamic. If we had not been able to do that, if the firewall didn't have that feature, linking the two would have been quite painful.

    In addition, we have two devices configured in an Active-Active configuration. That way, it's able to load balance in case one firewall is overloaded. We've tested it where, if we turn off one, the other appliance is able to seamlessly pick up and handle the traffic. It depends on how you deploy the solution. Because we are responsible for very critical, national infrastructure, we had to ensure we have two appliances in high-availability mode.

    What is most valuable?

    I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are.

    The ASDM makes it very easy to navigate and manage the firewall. You can commit changes with it or apply them before you save them to be sure that you're doing the right thing. You can perform backups easily from it.

    It also has a built-in Packet Tracer tool, ping, and traceroute, all in a graphical display. We are really able to troubleshoot very quickly when there are issues. With the Packet Tracer, you're able to define which packet you're tracing, from which interface to which other one, and you're able to see an animation that shows where the traffic is either blocked or allowed. 

    In addition, it has a monitoring module, which also is a very good tool for troubleshooting. When you fill in the fields, you can see all the related items that you're looking for. In that sense, it gives you deep packet inspection. I am happy with what it gives me.

    It also has a dashboard when you log in, and that gives you a snapshot of all the interfaces, whether they're up or down, at a glance. You don't need to spend a lot of time trying to figure out issues.

    What needs improvement?

    Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked.

    The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other.

    When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even Fortigate can.

    A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the IPSs you have, and giving you the best output.

    I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.

    Buyer's Guide
    Cisco ASA Firewall
    October 2022
    Learn what your peers think about Cisco ASA Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: October 2022.
    635,162 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using Cisco ASA Firewalls since November 2019.

    What do I think about the stability of the solution?

    Cisco products are quite resilient. We've had problems due to power failures and our UPSs not being maintained and their batteries being drained. With the intermittent on and off, the Cisco ASAs, surprisingly, didn't have any issue at all. The devices really stood on their own. We didn't even have any issue in terms of losing configs. I'm pretty satisfied with that.

    I've had experience with some of the new Cisco devices and they're quite sensitive to power fluctuations. The power supply units can really get messed up. But the ASA 5516 is pretty resilient. We've deployed in a cluster, but even heating up, over-clocking, or freezing, has not happened.

    We also have the Sophos as a bridge, although it's only a single device, it is not in a cluster or in availability mode, but we've had issues with it freezing. We have had to reboot it.

    What do I think about the scalability of the solution?

    It's easy to scale it up and extend it to other operations. When we merged with another company, we were able to extend its usage to serve the other company. It became the main firewall for them as well. It works and it's scalable.

    It's the main perimeter firewall for all traffic. Our organization has around 1,000 users spread across the country. It's also our MPLS solution for the traffic for branch networks. It's able to handle at least 1,000 connections simultaneously, give or take.

    Which solution did I use previously and why did I switch?

    Prior to my joining the organization, there was a ransomware attack that encrypted data. It necessitated management to invest in network security.

    When I joined the project to upgrade the network security infrastructure in our organization, I found that there was a legacy ASA that had been decommissioned, and was being replaced by the 5516. Being a type-for-type, it was easy to pick up the configs and apply them to the new one.

    How was the initial setup?

    When I joined this organization, the solution had just been deployed. I was tasked with administrating and managing it. Managing it has been quite a learning curve. Prior to that, I had not interacted with ASAs at all. It was a deep-dive for me. But it has been easy to understand and learn. It has a help feature, a floating window where you can type in whatever you're looking for and it takes you right there.

    We had a subsidiary that reverted back to our organization. That occurred just after I started using the 5516 and I needed to configure the integration with the subsidiary. That was what I would consider to be experience in terms of deployment because we had to integrate with Meraki, which is what the subsidiary was using.

    The process wasn't bad. It was relatively easy to integrate, deploy, and extend the configurations to the other side, add "new" VLANs, et cetera. It wasn't really difficult. The ASDM is a great feature. It was easy to navigate, manage, and deploy. As long as you take your backups, it's good.

    It was quite a big project. We had multiple solutions, including Citrix ADC and ESA email security among others. The entire project from delivery of equipment to commissioning of the equipment took from July to November. That includes the physical setup and racking.

    Two personnel are handling the day-to-day maintenance.

    What was our ROI?

    We have seen ROI with the Cisco ASA, especially because we've just come to the end of the three-year subscription. We are now renewing it. We've not had any major security incident that was a result of the firewall not being able to detect or prevent something. That's a good return on investment.

    Our device, the 5516, has been declared end-of-life. The cost of upgrading is almost equivalent to deploying a new appliance. But having had it for three years, it has served its purpose.

    As with any security solution, the return on investment must be looked at in terms of what could happen. If you have a disaster or a cyber attack, that is when you can really see the cost of not having this. 

    What's my experience with pricing, setup cost, and licensing?

    Cost-wise, it's in the same range as its competitors. It's likely cheaper than Palo Alto. Cisco is affordable for a large organization of 500 to 1,000 users and above.

    You need a Cisco sales partner or engineer to explain to you the licensing aspects. Out-of-the-box, Firepower is the module that you use to handle your network access policy for the end-user. It's a separate module that you need to include, it's not bundled. You need to ensure you have that subscription.

    A Cisco presales agent is key for you to know what you need. Once they understand your use cases, they'll be able to advise you about all the licenses you need. You need guidance. I wouldn't call it straightforward.

    With any Cisco product, you need a service level agreement and an active contract to maximize the support and the features. We have not had an active service contract. We just had the initial, post-implementation support.

    As a result, we've wasted a bit of time in terms of figuring out how best to troubleshoot things here and there. It would be best to ensure you are running an active contract with SLAs, at least with a Cisco partner. 

    Also, we were not able to use its remote VPN capabilities, Cisco AnyConnect, because of a licensing limitation.

    What other advice do I have?

    I would encourage people to go for the newer version of Cisco ASA. 

    When you are procuring that device, be sure to look at the use cases you want it for. Are you also going to use it to serve as your remote VPN and, in that case, do you need more than the out-of-the-box licenses it comes with? How many concurrent users will you need? That is a big consideration when you're purchasing the device. Get a higher version, something that is at least three years ahead of being declared end-of-life or end-of-support.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Shashidhara B N - PeerSpot reviewer
    Director & CIO of IT services at Connectivity IT Services Private Limited
    Real User
    Top 10
    The micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement
    Pros and Cons
    • "ASA integrates with FirePOWER, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall."
    • "There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so you need to be slightly careful, especially on the site track."

    What is our primary use case?

    I'm a solution architect specializing in IT infrastructure designs. I create solutions for clients using Cisco and other products. I've developed solutions with various Cisco Firewall models. I may use an entry-level solution for smaller businesses, like the Cisco 555 Series or 5500. If it's a large enterprise, I may use the 4000 Series, or an ISR router integrated with a firewall for a branch office, and maybe an ISR router, which is integrated with the firewall.

    I work with businesses of all sizes, but I see Cisco more often in medium-sized companies or large enterprises. Small businesses often pick Sophos or FortiGate because of the pricing. Large enterprises use Cisco and other products like Palo Alto or Check Point, especially for managing cloud architectures like GCP and AWS. 

    If the customer only needs a plain firewall, Cisco ASA is sufficient. It can compete with FortiGate or Sophos. When I talk about a next-gen firewall, the basics include malware protection, instruction prevention, URL filtering, etc. Firepower is integrated to address these next-gen requirements. 

    I may use the tabs for dynamic policy implementation in cloud environments depending on the clients' needs, but not typically VMware. I might get a false positive with the VMware operator and platform layer. If I stop some surveys, my production will stop. In such cases, I cannot just go by dynamic classification blindly. It would be better for the application layer, not the platform layer.

    How has it helped my organization?

    I don't have any metrics about how ASA has improved operations for my clients, but I can look at their market share relative to Check Point and other competitors. Cisco has a decent footprint today, and it reduced my customers' CapEx. I don't have the numbers. I'm just speaking relatively. Cisco can reduce operational expenditures by around 40 percent. I'm just giving a vague estimate, but I don't have any specific metrics.

    Cisco offers two architectures. I can choose the Meraki track if I want an OpEx model or the traditional track, which is a CapEx model. Due to Cisco's tech acquisitions, I have various feature options within the same product. The DNA of Cisco combines the traditional Cisco architecture with the next-generation firewall.

    Segmentation can be helpful for some clients. Let's use a financial organization as an example. We have traffic moving through the branch to the core banking. This is where we can employ segmentation. We can do security policy restrictions for branch employees to prevent them from accessing certain financial reporting systems. We can limit them to the branch level. 

    I can enforce certain policies to prevent all branch traffic from reaching one layer of a particular segment by minimizing the overall traffic on the network. I can always control the traffic when I segment it. This set of capabilities is beneficial when a lot of financial algorithms are done.

    What is most valuable?

    ASA integrates with Firepower, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall. 

    Deep Packet Inspection looks at the header information and inspects the contents of a particular packet. We can also look at traffic management. It can control end-user applications, and we can check device performance when we do this type of regression on our resources. This is what we look at with a DPI. It can help us reduce the overall OpEx and CapEx.

    Traditionally, we needed multiple software and hardware tools. With these features, we can snoop into our network and understand each packet at a header level. That's called the service control engine.

    Within Cisco's Service Control Engine Architecture, there's something called the Preferred Architecture, which has a supervisor engine. It's more of a network management tool. Cisco makes it more convenient to manage our resources. It has a nice UI, or we can go into the command-line level. 

    Cisco's micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement. That's how we segregate it. Micro-segmentation is focused on the application layer. When we design a policy that is more automated or granular, and we have a specific business requirement, we get into micro-segmentation. Otherwise, the majority of the implementation will be generic network segmentation.

    Dynamic classification is also essential given the current security risks and the attacks. We cannot wait for it to tell us if it's a false positive or a real threat. In those cases, dynamic classification is essential, especially at a MAC level.
    When using WiFi, we may have a suspicious guest, and we cannot wait for someone to stop it manually. The firewall needs to at least block the traffic and send an alert.

    In cases like these, integration with Cisco ISE is handy. If the firewall alone doesn't help, you must redesign your architecture to include various associated products as you increase your requirements. For example, you may have to get into multiple servers, so you'll need an ISE for identity management. 

    As you start scaling up your requirements, you go beyond a firewall. You start from an L1 layer and go to the L7 sitting at the organization's gateway. When you talk about dynamic policy implementation, that's where you start to get serious about your operations and can change things suddenly when an attack is happening.

    With ISE integration, you get another dynamic classification if an endpoint connects immediately. ISE has a lot of authorization rules, so it applies a filter. The dynamic policy capabilities enable tighter integration at the application workload level. Snort 3 IPS enables you to run more rules without sacrificing performance, and IPS puts you one step ahead of any threats to the organization.

    What needs improvement?

    There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track. 

    We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that.

    Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.

    For how long have I used the solution?

    I have been working with firewalls for about 20 to 25 years, but I've been using Cisco for around 12 to 15 years.

    What do I think about the stability of the solution?

    Cisco ASA Firewall is reliable, especially in the Indian context. For example, I had a couple of banks with around 5,000 branches and ATMs. It was easy to deploy remotely or send it to each branch. 

    What do I think about the scalability of the solution?

    Cisco ASA Firewall is scalable to a certain extent.

    How are customer service and support?

    Cisco support is okay, but not great. I rate Cisco support five out of ten. The response time is too long. We need an instant response to security issues. They follow some legacy processes.

    In some cases, I think they're good, but they have hundreds of questions and steps to go through before the ticket is escalated. The local partner adds a lot of value in that case.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The standard setup is straightforward and takes around four hours. You can also do more customization and adjustments to deploy it in a particular environment.
    I design a custom implementation strategy for each customer. It depends on whether I'm migrating an existing environment or doing a fresh deployment. I try to understand the customer's security footprint and all the issues I need to address before installation. 

    What's my experience with pricing, setup cost, and licensing?

    I think Cisco's price is in the right space now. They have discounts for customers at various levels. I think they're in the right spot. However, Cisco can be expensive when you factor in these additional features. 

    If you add SecureX, Cisco's cost will definitely jump. We started with the standard ASA, then we added segmentation and micro-segmentation, and now we're talking about automation and unified architecture. SecureX is an integrated security portfolio. It gives a vertical and 360-degree algorithm with an open, integrated platform that can scale.

    Which other solutions did I evaluate?

    In most next-generation products, the UA itself will manage a lot of things, but it's easier to find people with expertise. If you put 10 firewall experts in the room, six will be talking about Cisco, but you can hardly find one or two people talking about Check Point or Palo Alto. Others would be more talking about Sophos, FortiGate, etc.

    What other advice do I have?

    I rate Cisco ASA Firewall seven out of ten. If you're implementing a Cisco firewall, you must be crystal clear about your business requirements and how a Cisco ASA firewall will address your problem. You need to understand whether this product line contains all the features you need. 

    Can it pass a security audit? Does it integrate with your network device? How scalable is it? Will this solution you're implementing today be adequate in the next three years? These are the questions that you should ask.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Cisco ASA Firewall
    October 2022
    Learn what your peers think about Cisco ASA Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: October 2022.
    635,162 professionals have used our research since 2012.
    Tushar Gaba - PeerSpot reviewer
    Technical Solutions Architect at NIL Data Communications
    Video Review
    Real User
    Top 20
    Provides perimeter security, allowing/blocking of traffic, IPS, and port scans
    Pros and Cons
    • "The return on investment is not going to be restricted to just the box... Now, these genres have been expanded to cyber, to third-party integrations, having integrated logging, having integrated micro and macro segmentations. The scope has been widened, so the ROI, eventually, has multiplied."
    • "The only improvement that we could make is maybe [regarding] the roadmap, to have better visibility as to what we are targeting ahead in the next few quarters."

    What is our primary use case?

    With [my company], NIL, it's cross-domain. It's just not ASA, but in particular we work with customers where we talk about the physical boxes or even the virtual appliances that we're deploying. The use cases can be multiple, but mostly what we have seen is perimeter security, looking at blocking [and] allowing of traffic before accessing the internet.

    The majority of the challenges that we see across customers and partners is looking at the data, the integrity, security, [and] looking at various areas where they need to put in boxes or solutions which could secure their environments. It's not just about the data, but even looking at the endpoints, be it physical or virtual. That, in itself, makes the use case for putting in a box like ASA. 

    And, of course, with the integrations nowadays that we have from a firewall, looking at multiple identity solutions or logging solutions you could integrate with, that in itself becomes a use case of expanding the genres of integrated security.

    What is most valuable?

    The best features would obviously be the ones that are most used: the perimeter security, allowing/blocking of traffic, NAT-ing, and routing, or making it easy as compared to a router. If you were to do the similar features on a router, it would be way more extensive and difficult as compared to a firewall. These are the majority of the features that anyone would begin with.

    But of course, they expanded to other features like IPS or cyber security or looking at vulnerabilities or scanning, port scans. Those are the advanced things.

    [In terms of overall performance] in the last decade or so, especially in the last three or four years, the scale of where the architecture has been—all the numbers, the stats, everything—has gone up exponentially. It's all because of the innovations that are always happening, and not just at the hardware level, but particularly at the software level. Of course, we can always look at the data sheets and talk about the numbers, but all I can say, in my experience, is that the numbers have really gone up, and the speed at which the numbers have gone up in the last couple of years or so, is really progressive. That's really good to see.

    What needs improvement?

    We're reaching [the point] where we want it to be. If you go 10 years back, we did miss the bus on bringing in the virtual versus the physical appliance, but now that we have had it, the ASAv, for a few years, I think we are doing the right things at the right place. 

    The only improvement that we could make is maybe [regarding] the roadmap, to have better visibility as to what we are targeting ahead in the next few quarters. That is where we, as partners, can also leverage our repos with our customers and making them aware that there might be some major changes that we may have to introduce in their networks in the near future.

    For how long have I used the solution?

    I started back in the days with ASA when I was [with] Cisco. I was [with] Cisco for 12 years. I started as a TAC engineer, and one of the teams I was leading was the ASA team, firewall, and across VPN, AAA. it became like a cross-border team or cross-architecture, and it's been long enough. I've been working with ASAs for about 12 or more years now.

    What do I think about the stability of the solution?

    From the stability standpoint, it's way better. Is there a scope for improvement? Of course. There always is. But I can just speak from my experience. What it was and what it is today, it is way better.

    What do I think about the scalability of the solution?

    We look at scalability for any product of Cisco. I cannot be confined to the ASAs. We have physical, virtual, and cloud deployments. Everything is possible, so scalability is no issue.

    How are customer service and support?

    Support, when you look at any product from Cisco, has been top-notch. I was a TAC guy myself for 10 years and I can vouch for it like anyone would do from TAC.

    Support has always been extensive. There is great detail in root cause analysis. Going back into my Cisco TAC experience, it's always the story that if you know the product well, you know the things that you need to collect for TAC or for any other junior SME to work with you collectively, to get down to the solutions sooner. Otherwise, they have to let you know what you need to collect. It's better to know the product, get the right knowledge transfer, work towards those goals, and then, collectively, we can work as a great team.

    How was the initial setup?

    I have mostly been involved in the pre-sales stage, and then eventually the post-sales as well. But we do the groundwork of making sure that we have set the stage for the customer to get the initial onboarding. And at times, I do it with other engineers or other colleagues who take it over from there. In my experience, it has been pretty straightforward.

    It's not just the implementation, but [it's] also managing or maintaining [the ASA]. It would depend on how complex a configuration is, a one-box versus cluster versus clusters at different sites. Depending on the amount of configuration complexity and the amount of nodes that you have, you would need to look at staff from there. It's hard to put a number [on it and] just say you need a couple of guys. It could be different for different use cases and environments.

    [In terms of maintenance] it's about a journey: the journey from having the right knowledge transfer, knowing how to configure a product, knowing how to deploy it, and then how to manage it. Now, of course, from the manageability standpoint, there are some basic checks that you have to do, like firmware upgrades, or backup restores, or looking at the sizing—how much your customer needs: a single node versus multiple nodes, physical versus virtual, cloud versus on-prem. But once you are done with that, it also depends on how much the engineers or SMEs know about configuring the product, because if they know about configuring the product, that's when they would know if something has been configured incorrectly. That also comes in [regarding] maintenance [of] or troubleshooting the product. Knowledge transfer is the key, and making sure that you're up to date and you have your basic checks done. Then, [the] manageability is like any other product, it's going to be easy.

    What was our ROI?

    The return on investment is not going to be restricted to just the box, because nowadays, if you look at the integrated security that Cisco has been heavily investing into, it's not just about ASA doing the firewalling functions. Now, these genres have been expanded to cyber, to third-party integrations, having integrated logging, having integrated micro and macro segmentations. The scope has been widened, so the ROI, eventually, has multiplied.

    What other advice do I have?

    Being a partner, we work with customers who already have different vendor solutions as well. At times, there are a mix of small SMB sites, which could be, let's say, a grocery. There are smaller stores and there are bigger stores, and at times, they do local DIAs or local internet breakouts. [That's where] you do see some cloud-based or very small firewalls as well, but when you look at the headquarters or bigger enterprises, that is where we would probably position Cisco.

    [My advice] would depend [on] if they are comfortable with a particular product, if they've been working with a particular vendor. If it's a Cisco shop, or if they've been working on Cisco, or the customers are quite comfortable with Cisco, I would say this is the way to go. Unless they have a mixed environment. It will still depend on the SME's expertise, how comfortable they are, and then looking at the use cases and which products would nullify or solve them. That is where we should position it.

    My lessons are endless with ASA, but my lessons are mostly toward product knowledge. When you look at the deployment side of things, or for me, personally, when I was TAC, to know how things work internally within ASA—like an A to Z story, and there are 100 gaps between and you need to know those gaps—and then, eventually, you will get to the problem and solve it in minutes rather than hours.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Team Leader Network and Mail Team at a energy/utilities company with 10,001+ employees
    Real User
    Top 10
    Packet inspection with ASDM works well, but upgrading requires notable planning and effort
    Pros and Cons
    • "Cisco ASA works very nicely from an administration perspective. The management of the device is very nice. The ASDM (Adaptive Security Device Manager) is the software that we use and it is very easy to configure using the GUI."
    • "The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics."

    How has it helped my organization?

    Remote access through the VPN wasn't available in the old firewall that we used, so that was a value-add. That's one way Cisco ASA has impacted our company. Also, from an administrator's perspective, newcomers have a shorter learning curve working with the ASA firewalls.

    Also, when we deployed it on the data center firewalls, we did some microsegmentation using different subnets for the whole environment, including UAT and production. We didn't have segmentation before, but with the growing security needs, we segmented the servers. For each of the subnets we made different gateways on the firewall. That helped us achieve the requirements of the latest standards.

    Thanks to the IPS, the malicious traffic has dropped. Initially, when we deployed the IPS, it gave us some problems. But after a week or two, it worked very well. I used a balanced security policy when I integrated it with the FMC server. On the FMC, the GUI gives me a very good, extensive view of what traffic is getting dropped and at what time. It gives me all the visibility that I need.

    What is most valuable?

    • The normal firewalling features are very good. You can easily create objects and work with them. 
    • The AnyConnect software for remote VPN is an added feature on the firewall that works very well in our environment.
    • The IPS is another important feature that I use. It doesn't impact the overall performance of the ASAs.

    All of these features work fine.

    Cisco ASA works very nicely from an administration perspective. The management of the device is very nice. The ASDM (Adaptive Security Device Manager) is the software that we use and it is very easy to configure using the GUI. If you are familiar with the ASDM software, it's very easy for anyone to handle. The CLI isn't different from other Cisco CLIs, so that makes it easy as well.

    Also, the visibility when doing packet inspection on the ASA, using the ASDM GUI, works well. You can go to the monitoring part and see the live logs, the syslogs. All the traffic events are displayed in the syslog. You can filter on whatever event you are interested in and it is visible to you in no time. It provides a real-time display of the traffic. Troubleshooting issues is very easy using ASDM. 

    In addition, if you want to do some captures at the interface level, there's a packet tracer, a tool within the ASDM and the ASA, which is available on both the GUI and the CLI. That is on the newer firewalls as well and it's very nice. It shows you the life cycle of a packet within the firewall, from entry to the exit, and how many steps it goes through. It really helps while troubleshooting. I'm very satisfied with that.

    What needs improvement?

    The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics.

    For example, if the ASA Firewall's software has to be upgraded, it has to be compatible with the IPS software—the FireSIGHT software. So that has to be upgraded as well, in addition to the ASDM software that you use to manage the firewall using the GUI. Besides that, if you are using the remote VPN part of the firewall, there is the AnyConnect hidden software that also requires an update.

    So upgrading is a very extensive exercise, both when you're planning it and when you are doing it. The upgrades are very lengthy. Then Cisco introduced FTD as a unified approach, and that was a leap forward, but it has its own issues.

    For how long have I used the solution?

    I've been working as a Cisco partner for about four years. Before that, I was using Cisco firewalls as a network admin. I've been engaged with Cisco firewalls since 2015.

    On the FTD (Firepower Threat Defense) model, I've been working with version 6.7. I haven't tried the latest 7.0 version.

    What do I think about the stability of the solution?

    The robustness of the ASA is very good. Whenever you upgrade it, it does very well. There are no hiccups or hitches, post-upgrade.

    How are customer service and support?

    Cisco's TAC provides very good support. If you have any issues, you can contact them and they provide assistance. You need a subscription for that. The subscription comes with a notable cost but you get great value from it. I'm very satisfied with it. 

    The tech support of Cisco is unparalleled if I compare it to any other product that I have used. I've been using Citrix, Juniper, and even Palo Alto, but the support that I get from Cisco is very good. It's easy to get support and the engineers get engaged. Sometimes they provide more than you need. For example, if there are design-level issues, they will tell you that it isn't implemented well and that there are things that need to be corrected. That's not their responsibility but they'll provide that feedback.

    I consider Cisco support to be the industry standard.

    How would you rate customer service and support?

    Positive

    What was our ROI?

    I've seen Cisco deployed for five to seven years. The product life cycle is good and they're continuing to support things. If you add more features and utilize it to the maximum, using the remote VPN and the like, it becomes more cost-effective. 

    Having the IPS part within one box also saves you on costs. Back in 2015, the IPS was a different box that had to be deployed separately. At that time, it cost more if I had to buy another IPS and a box.

    Which other solutions did I evaluate?

    Before ASA, we were using Juniper. It had a GUI, but the CLI part of Juniper was difficult. The network administrators required a little bit of a different type of expertise. Juniper was very good, but its CLI wasn't as simple as Cisco's. When somebody new comes into the company to work on the firewall, the Cisco learning curve is relatively short and easy.

    Nowadays, everybody is working with Cisco. Juniper has almost been phased out. Some people use Juniper for certain reasons, but there's a very specific clientele for it.

    We went with Cisco because it is very easy to operate. It provided next-generation firewalling when it came out with ASA plus Sourcefire IPS. That was very effective at that time, compared to the others.

    These days, Palo Alto is matching Cisco and, in some ways, Palo Alto is better. From 2015 to 2018/19, Cisco was considered to be the best. The security leaders are always preferred and Cisco was a leader. That's why we preferred it.

    We were also always happy with Cisco support. It was very convenient to get to Cisco support, and it was very prompt and effective. They really solved our problems.

    What other advice do I have?

    The Nextgen firewalls have a good IPS, but that IPS part wasn't very configurable using the ASDM. Later, they introduced the FMC (Firewall Management Center) and we could integrate the ASA with the FMC and get the IPS configured from the FMC GUI. That was good, but you needed two things to monitor one box. For the IPS you needed an FMC server, and for the firewalls, you needed the ASDM or the CLI.

    In terms of integration with other solutions, it is a simple firewall that is integrated with the syslog servers and the SNMP monitoring from the NMS. Those types of simple things work very well. I haven't worked with much integration beyond that. You can't attach that many feeds to it. That's more a function of the Next-Generation Firewall with the IPS and FMC.

    SecureX is a relatively new cloud-based solution. It's been around for one or two years. It's offered for free if you have any Cisco security solution. It encompasses ADR and NDR. The clients I work with in Pakistan are mostly financial institutions. Because it's a cloud-based security solution, they are not interested. They want on-prem solutions.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Isaiah Etuk - PeerSpot reviewer
    Chief Digital & Technical Officer at Capital Express Assurance Limited
    Real User
    Top 20
    Comes with good security and filtering capabilities and does what it has been configured to do very well
    Pros and Cons
    • "Its security and filtering are most valuable. Every layer of data that comes into the organization goes through it. After setting up the criteria, it automatically filters the traffic. We don't have to check it often."
    • "Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things."

    What is our primary use case?

    We are an insurance company. The core of what we do is service. We manage people and security. We have all the implementation for security. 

    We have one ERP running on-prem and another one is running on the GCP cloud. We have a cloud service that runs that ERP on GCP. Our other service is running with Microsoft 365. So, we have an in-house AD that syncs with the cloud AD, but it is the firewall that is managing the communication process in between. The on-prem AD sync with the cloud AD is managed by the firewall. It is like a gateway. 

    A vendor implemented this system for us to use and manage the process. We have an integration with the GCP. We've integrated this system with our network in such a way that you cannot access the GCP applications or infrastructure if you are not on-premises. This integration with the GCP and our virtual network online has been done locally.

    How has it helped my organization?

    In general, the management of our infrastructure is now easy. I can manage remotely. I can manage on-prem. I can always log in. I have a couple of users who work remotely via VPN because of the license. Not everybody works remotely in my organization. For people who work remotely, we have licenses for them to log in remotely from where they are and use the service. So, managing people, resources, and devices is easy. It has been a good experience. I don't intend to change it because it's giving me the service I need.

    In terms of money, it has saved a lot of money. A lot of other organizations that don't have this kind of easy-to-manage layer of security are going through different kinds of attacks. We have a culture of being careful, even though you cannot be a hundred percent careful. When I hear that people have some security issues, I come and check my devices, and I notice that my firewall has actually blocked a lot of things. It gives me rest and peace. So, it saves a lot when you consider the cost of the organization's operations going down, even for one, two, or three hours. We would lose a lot if that happens. It probably saves us over a million dollars a year. The investment is totally worth it.

    Our network is a little bit flat. We have a load balancer before getting into our network. We have configured the load balancer on the device itself. We have two major service providers. We have a core business application, and there are some people who use the core business application. We also have some light users. We have set up criteria to give priority to the people who use the core business application. I have a provider that gives me 300 MB to 500 MB, and I have another provider that gives me 20 MB to 25 MB as a backup. I have set priority based on the usage. If you're using the core business application, it pushes you to the fast network. Otherwise, it sends you to the other network. All that has been done on the firewall. It has been very good for this. I have no complaints.

    It enables us to implement dynamic policies for dynamic environments, which is important for us. We can control the network based on different kinds of users. We can quickly and easily define the policies. We can set priorities based on different applications, systems, and users on our network.

    What is most valuable?

    Its security and filtering are most valuable. Every layer of data that comes into the organization goes through it. After setting up the criteria, it automatically filters the traffic. We don't have to check it often. Sometimes, when users complain that they are not able to see a particular thing, we log in to check the scan and see what it has scanned and filtered. It is usually something it has filtered out. It works perfectly.

    What needs improvement?

    It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive. 

    For how long have I used the solution?

    I have been using this solution for about three to four years.

    What do I think about the stability of the solution?

    It is very stable. I've not had any thought of reconfiguring it. I have just applied my criteria, and I'm good.

    What do I think about the scalability of the solution?

    Scalability is not a problem because I still have a span of five to seven more years. After that, I might have to go for a bigger device. For now, I have no issues. I can scale up or down. I'm good with that.

    How are customer service and support?

    Their support is very good. We had an issue where the OS got corrupted. We got Cisco to log in. They did the reset on it, reformatted it, and sent it back to us. Because of the subscription we have with Cisco, we got a copy back in no time. We're now good. We've not been calling their tech support very often. We only call them when we have a very serious issue. I would rate them a nine out of ten.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    It wasn't simple. Its implementation doesn't take much time, but we had to get a consultant in. Implementing a Cisco solution from scratch is harder than implementing FortiGate. With FortiGate, I can do my implementation and put all the criteria easily, but with Cisco, I need to do a lot more research, and I need to get someone to help me, but after implementation, it just works.

    What about the implementation team?

    We had a consultant from a local vendor here called Incognito. Our experience with him was good. I can refer him to anybody.

    When we have issues and we need improvement, he comes in. There was a time we noticed that we had lag on our network. We were trying to figure out the cause for it. We were using two service providers but the same backbone. We called him to make the required modifications.

    What's my experience with pricing, setup cost, and licensing?

    It is more expensive than the other solutions. 

    Which other solutions did I evaluate?

    I'm the CIO here. When I came here, I did an audit of the IT infrastructure to see what was there. I looked at what was existing and thought of improvement. I got in all the vendors and had a meeting with them. I also got in a Cisco vendor and sat down with him and told him about the implementation I wanted. Because of the cost, I didn't change any equipment. So, he did the implementation. At any other place, I would look at the users and implement what is easy for them to manage. For a big enterprise with a whole crew, I would definitely consider Cisco. For any other place, I would go for Fortinet. Cisco is harder to implement and manage, but its stability is good. It is also more expensive. There are other cheaper solutions I would have gone for, but I had to focus on what was existing and improve. I had to make sure I worked with what was existing. We also have Cisco switches.

    What other advice do I have?

    What it's been configured to do, it does it well. I would rate this solution a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user
    Enterprise Architect at a tech services company with 51-200 employees
    MSP
    We don't have to worry when something goes down because of its automatic failovers and built-in redundancy
    Pros and Cons
    • "I like the ASDM for the firewall because it is visual. With the command line, it is harder to visualize what is going on. A picture is worth a thousand words."
    • "Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it."

    What is our primary use case?

    We mainly use it for site-to-site VPNs, connecting to other businesses. I work in manufacturing and hospitals.

    We connect to remote networks: manufacturing-to-businesses and hospital-to-hospital.

    It was deployed in our data center across multiple sites. At the hospital where I last worked, it was deployed at 18 sites, then we did VPNs between our hospital and clinics.

    How has it helped my organization?

    We don't have to worry about when something goes down. Instead of saying, "Oh my gosh, this went down and now we have a gap here," it has automatic failovers and built-in redundancy. So, it says, "I don't have a gap anymore." This is one less thing to worry about, which was a big benefit for me. If our security group comes back, and says, "Hey, this is down." Then, it is like, "Yeah, we got it covered."

    Our security groups are always very adamant that things stay up. If something went down, they say, "Why did it go down? How do we prevent it?" Since resiliency is already built-in on its initial design, we don't have to go back in every time, and say, "Here, this is what we did. This is why it was done like this." Instead, it is just, "Yes, they blessed it, and it's approved," and we don't have to go back and keep reinventing the wheel every time.

    What is most valuable?

    I like the ASDM for the firewall because it is visual. With the command line, it is harder to visualize what is going on. A picture is worth a thousand words.

    What needs improvement?

    Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it.

    For how long have I used the solution?

    I have been using this solution for more than 20 years.

    What do I think about the stability of the solution?

    I have never had any problems with stability. In the 20-plus years that I have used them, I don't think I have ever had a failure on them. They have always been rock-solid.

    What do I think about the scalability of the solution?

    We haven't done much with scalability. We have always just done active standby. However, it scales once you figure out how to do it. If there are site-to-site VPNs within your own location, it is easier because there is a template, where it is, "Here, change this IP address. Change this IP address. There, it's done." 

    Third-parties weren't bad. Once my side was done, then we could easily cut and paste it, and say, "Okay, here's what my side's configured for. If you have something that is not working, then you can tell me what it is and I will help you." However, we never really had anything that we couldn't fix. It was also possible to scale on the other side.

    How are customer service and support?

    I haven't called tech support very often. When I did call them, they could tell me what the problem was. That is where I started learning, "Here are the commands that you should be using to debug this." They have been very helpful. I would rate them as nine out of 10.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have used Palo Alto and Fortinet. We switched mainly because we were trying to unify all our products. Instead of using multiple systems, everything with the Cisco solution is end-to-end with different views of security. Some of them wanted to be diverse, keeping things separate. For others, it was easier if everything was just with one vendor. Also, if you are Cisco-centric, it is also easier.

    Since I have been using this solution, I have seen it grow. When they first started doing it, it was more like, "Here's the command line. Here's what you got to do." Now, it's easier for a new engineer to come on, and say, "Okay. Here, you are going to start supporting this, and here is how you do it," which has made life easier. Since it is a repeatable thing, no matter which company you go to, it is the same. If you get somebody who is doing it on the other side of the VPN, it is a lot easier. So, I like the Cisco product. I have used several different ones, and it's like, "Well, this is the easiest one." It might be just the easiest one because I have used it long enough, but it is also a good product. It just helps us be consistent.

    How was the initial setup?

    We did a lot of site-to-site VPNs. We also did a third-party, which is Palo Alto or something. Though, some of them were SonicWall. It is like, "Okay, I don't know how the site is configured, then I spend hours trying to troubleshoot a VPN." The more you use it, the easier it gets. It used to take days to do it. Whereas, the last one that I built took about 30 minutes. The more we use it, the better the outcome is and the faster we can do it. Now, I am not spending days building a VPN, which should only take 10 to 15 minutes.

    What was our ROI?

    There is ROI when you use it more.

    What's my experience with pricing, setup cost, and licensing?

    Once you know what the product is, it is not that bad. Yes, it is expensive. When you try to get a license, it is like, "Well, I don't know which one of these I need. And, if I don't buy it now, then I will probably be back later. Now, I have to justify the money." Typically, you end up just buying everything that you don't use most of the time. It is one of those solutions where you get what you pay for. If you don't know what you need, just buy everything. We have additional licenses that we don't use.

    What other advice do I have?

    Take your time with it. Actually, read the documentation. Don't just assume you know what stuff means since that will sometimes come back and bite you. I have done that too many times. If you go from version to version, it changes a little bit, and so it is like, "Well I don't know why it doesn't work." Then, you go read the notes, "Oh, yeah. This changed and it is done over here now."

    Building more resiliency should be a priority, and it's going to take money to do that. So, you need to actually believe and invest in it. Otherwise, it's an idea. It's great, because we all want redundancy, but nobody typically wants to spend the money to do it. Or, they want to do it as cheaply as possible. It's like, "Okay, I can do that," but you're going to have more gaps. Then, it is not really worth it. Therefore, invest the money the first time and do it right.

    I would rate it as nine out of 10.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Vipin Garg - PeerSpot reviewer
    Co-Founder at Multitechservers
    Real User
    Top 5Leaderboard
    Great remote VPN features, easy to set up, and offers 24/7 access to support
    Pros and Cons
    • "Cisco ASA provides us with very good application visibility and control."
    • "If they want to add better features to the current Cisco ASA, they can start by increasing the encryption. That is the only thing they need to improve."

    What is our primary use case?

    We are primarily using the solution for VLAN implementations and also for remote VPN capability - basically it's used for connecting to remote offices securely.

    How has it helped my organization?

    After implementing tools, including Cisco ASA, unauthorized access comes down a lot. We are not facing asset issues as of now. We are not facing an issue related to malicious traffic or any bad activity in our network.

    What is most valuable?

    The solution can allow and block traffic over the VLANs.Some of the unauthorized actions and malicious traffic can also be blocked effectively, as we are following PCI DSS compliance. We are a card industry. We are using cards as a payment method, and therefore we need to follow the compliance over the PCI DSS. That's why we chose one of the best products. ASA Firewall is very secure.

    It's always easy to integrate Cisco with the same company products. If you are using other CIsco products, there's always easy integration.

    Cisco is one of the most popular brands, and therefore the documentation is easily available over the internet.

    They are best-in-class.

    The remote VPN feature is one of the best features we've found. 

    We like that there is two-factor authentication on offer.  We can integrate a Google authenticator with Cisco ASA so that whenever a person is logging on to any network device, they need to enter the password as well as the security code that is integrated by Google. It's a nice added security feature.

    Cisco ASA provides us with very good application visibility and control. The Cisco CLI command line is one of the easiest we found on the market due to the fact that the GUI and the user interface are very familiar. If you're a beginner, you can easily access it. There's no complicated UI.

    When compared to other products available, the cost is pretty similar. There's no big gap when you compare Cisco pricing to other products. 

    There are multiple features in a single appliance, which is quite beneficial to us.

    Support that is on offer 24/7. Whenever we face some technical issue, we can reach out to them easily.

    We have not had any security breaches. 

    They provide a helpful feature that allows us to configure email. 

    We are getting a lot from the appliance in real-time.

    What needs improvement?

    There's an upgraded version of the 5500 that has come to the market. It offers the latest encryption that they have. If they want to add better features to the current Cisco ASA, they can start by increasing the encryption. That is the only thing they need to improve. The rest is good.

    For how long have I used the solution?

    We've been using the solution for about five or more years at this point. It's been a while. 

    What do I think about the stability of the solution?

    The stability and availability are very good. there are no bugs or glitches. It doesn't crash or freeze. it's a reliable solution. 

    What do I think about the scalability of the solution?

    We have it in our infrastructure for around 15 plus users, including Fortinet sites.

    We have found that whenever the traffic spikes at peak times, the product automatically scales up to the requirement. We have also implemented the single sign-on it, and therefore, it automatically scales up. We haven't felt any limitations. Currently, we are using it for 1500 plus users. At any given time, there are around 700 plus users available in the office. It's a 24/7 infrastructure. We have tested it for up to 750 plus users, and it's perfectly fine.

    How are customer service and technical support?

    Technical support is excellent. they are always available, no matter the time of day, or day of the week. We are quite satisfied with their level of support. They are quite helpful and very responsive. I'd rate them at a ten out of ten. They deserve perfect marks.

    Which solution did I use previously and why did I switch?

    We did not previously use a different solution. When the office was launched we implemented Cisco as a fresh product.

    We are using a Cisco ASA Firewall, as well as Sophos at the remote sites. We are using another product is for log collecting. There are three solutions that basically cover us for security purposes. Those, at least, are the physical devices we are using as of now. The rest are cloud solutions such as Nexus. 

    That said, I personally, have used Sophos XG as a firewall in the past. Sophos is good in terms of traffic blocking and identifying interruptions to the traffic. The features are better on Cisco's side. For example, there is two-factor authentication and a remote VPN. The only benefit I found in Sophos was the way it dealt with the traffic. 

    How was the initial setup?

    The initial setup was not overly complex or difficult. It was quite straightforward and very easy to implement. 

    Deployment takes about 20 to 25 minutes. 

    In terms of the implementation strategy, at first, we put up the appliances in the data center. After that, we connected it with the console. After connecting the console, we had an in-house engineer that assisted. Cisco provided us onboarding help and they configured our device for us. We have just provided them the IP address and which port we wanted up. Our initial configuration has been done by them.

    What about the implementation team?

    While most of the setup was handled in-house, we did have Cisco help us with the initial configurations.

    What was our ROI?

    The ROI we are getting from Cisco ASA is higher availability, which we are getting all the time. On top of that, it's good at blocking traffic and protecting us from cyber-crime issues.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is pretty reasonable. it's standard and comparable to other solutions. The maximum difference between products might be $20 to $40. It's not much of a difference. 

    Which other solutions did I evaluate?

    We did not evaluate other solutions. We trust Cisco. It's a very good product and well known in the market.

    What other advice do I have?

    We are a customer and an end-user.

    We are using physical Cisco appliances.

    We use a lot of Cisco products, Cisco router (the 3900-series routers), and Cisco switches.

    In the next quarter, we will implement SD-WAN. Once the SD-WAN is implemented, then we will go with an automated policy and DNS kinds of tools. We are in the process of upgrading to Cisco ASA Firepower in the next quarter. We have not integrated Cisco ASA with Cisco's SecureX solution.

    I'd recommend the solution, especially for medium-sized or larger companies and those who are looking for long-term solutions (for example those with a user base of around 2,000 plus users in and around 20 plus applications). It's reliable and offers users a lot of features. This helps companies avoid having to rely on other third-party solutions.

    If you are new to Cisco, you should take advantage of the education they have on offer. Cisco provides access to training and it's worth taking advantage of this.

    Overall, I'd are the solution at a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Simon Watkins - PeerSpot reviewer
    Senior Network Architect at a consultancy with 11-50 employees
    Real User
    Top 20
    Usability of the GUI front end helps admins get to a diagnosis quickly
    Pros and Cons
    • "One of the most valuable features is the GUI front end, which is very easy to use. But I'm also a command-line guy, and being able to access the device via command-line for advanced troubleshooting is quite important."
    • "One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes."

    What is our primary use case?

    Typically, we use them on the internet edge for protecting customer networks from the internet. It's a delimiter between the local area network and the wider internet. Other use cases include securing data centers or protecting certain areas within a network. It's not particularly internet-based, but it gives you that added layer of security between networks or between VLANs and your network, rather than using a Layer 3 switch.

    Ultimately, it's about securing data. Data is like your crown jewels and you need to be able to secure it from different user groups. Obviously, you need to protect your data from the internet and that's why we generally deploy Cisco ASAs.

    How has it helped my organization?

    The usability, with the GUI front end, certainly helps and it means you don't have to be a command-line person. We have to get away from that now because if you put the typical IT admin in front of a CLI they might struggle. Having something graphical, where they can click in logs to see what's going through the firewall— what's been denied, what's being allowed—very quickly, helps to get to a diagnosis or know something has been blocked. And when it comes to making changes within the environment, that can be done very quickly as well. I've seen something be blocked within a couple of minutes, and any IT admin can make a change through the GUI.

    What is most valuable?

    One of the most valuable features is the GUI front end, which is very easy to use. But I'm also a command-line guy, and being able to access the device via command-line for advanced troubleshooting is quite important.

    What needs improvement?

    One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes. 

    To have that kind of feature, it's more than likely there would need to be some kind of storage on the device, but those boxes were designed a number of years ago now. They weren't really designed to have that built-in. Having said that, if you do reflash into the FTD image, and you've got the Firepower Management Center to control those devices, then all that logging is kept within the Firepower Management Center.

    For how long have I used the solution?

    I've been using Cisco ASA Firewalls since they came out. Before ASA, I used Cisco PIX Firewalls. I've been using them since about 1999 or 2000.

    I'm involved in the presale events as well as the implementation and post-sale support. We do everything. That is probably different from a lot of organizations. We are quite a small company, so we have to be involved at all levels. I see it from all angles.

    How are customer service and support?

    One of the reasons I've stuck with Cisco all these years is that you always get excellent support. If a network goes down due to major issues, I know I can raise a case with TAC and get through to subject matter experts very quickly.

    Obviously, you need a SMARTnet contract. That means if a device has completely failed, you can get a box replaced according to the SLAs of that contract. That's very important for customers because if you have an internet edge failure and you just have a single device, you want to know that the replacement box is going to be onsite within four hours.

    When a network goes down, you're going to know about it. You want to be safe in the knowledge that someone is going to be there for you and have your back. Cisco do have your back on those kinds of things.

    Cisco support is a major selling point.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    In terms of deployment, a lot of organizations are moving to the cloud. People are looking at the ASAv image for deploying into the public cloud on Azure or AWS. But there are still a lot of organizations that use ASAs as their internet edge.

    The on-prem and the cloud-based deployments are very similar. When you're designing a solution, you need to look at the customer's business requirements and what business outcomes they actually want from a solution. From there, you develop architecture. Then it's a matter of selecting the right kinds of kits to go into the architecture to deliver those business outcomes. We talk to customers to understand what they want and what they're trying to achieve, and we'll then develop a solution to hopefully exceed their requirements. 

    Once we've gotten that far, we're down to creating a low-level design and fitting the components that we're going to deploy into that design, including the ASA firewalls and the switches, et cetera. We then deploy it for the customer.

    What was our ROI?

    Your investments are protected because of the innovations over time and the fact that you're able to migrate to the latest and greatest technology, through Cisco. 

    There are also a lot of Cisco ASA skills out there in the marketplace, so if you have ASAs deployed and you get a new employee, it's more than likely they have had experience with ASAs and that means you're not having to retrain people.

    Which other solutions did I evaluate?

    We do deploy other manufacturers' equipment as well, but if I were to deploy a solution with firewalling, my number-one choice would probably be Cisco ASA or the FTD image or Cisco Meraki MX.

    The flexibility you have in a Cisco ASA solution is generally much greater than that of others in the marketplace. 

    For any Cisco environment, we choose Cisco because it comes down to support. If the network is Cisco, then you have one throat to choke. If there is a network issue, there's no way that Cisco can say, "It's the HP switch you've got down in the access layer."

    What other advice do I have?

    ASA morphed from being just a traditional firewall, when they introduced the Firepower Next-Generation Firewall side. There has also been progress because you can reflash your old ASAs and turn them into an FTD (Firepower Threat Defense) solution. So you've got everything from your traditional ASA to an ASA with Firepower.

    Cisco ASA has been improved over time, from what it was originally to what it is now. Your investments are being protected by Cisco because it has moved from a traditional firewall through to being a next-gen firewall. I'm a fan of ASA.

    I think ASAs are coming towards the end of their lifespan and will be replaced by the FTDs. It's only a matter of time. But there are still a lot of Cisco customers who use ASAs, so migrating that same level of knowledge those customers have of the ASA platform across to the FPR/FTD image, will be a challenge and will require investment.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner/reseller
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free Cisco ASA Firewall Report and get advice and tips from experienced pros sharing their opinions.
    Updated: October 2022
    Product Categories
    Firewalls
    Buyer's Guide
    Download our free Cisco ASA Firewall Report and get advice and tips from experienced pros sharing their opinions.