Coming October 25: PeerSpot Awards will be announced! Learn more
Alexander Mumladze - PeerSpot reviewer
Network Engineer at LEPL Smart Logic
Real User
Top 5
Good protection and filtering capabilities, and everything can be easily done through the web user interface
Pros and Cons
  • "I have experience with URL filtering, and it is very good for URL filtering. You can filter URLs based on the categories, and it does a good job. It can also do deep packet inspection."
  • "When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance."

What is our primary use case?

They were placed in a company on the perimeter near the ISP. There were two clusters. One cluster was at the front, and one cluster was near the data center to filter the traffic from the users to the data center and from the data center to the users and outside.

How has it helped my organization?

Our clients were completely satisfied with this firewall in terms of protection from attacks, filtering of the traffic that they wanted, being able to see inside the zip files, etc.

What is most valuable?

I have experience with URL filtering, and it is very good for URL filtering. You can filter URLs based on the categories, and it does a good job. It can also do deep packet inspection.

Its IPS engine also works very fine. I don't have much experience with it because I am an IT integrator, and we only configured it, but the company for which we configured these firewalls used this feature, and they say that IPS works very fine. They were also very pleased with its reporting. They said that its reporting is better than other firewalls they have had.

What needs improvement?

When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance.

In terms of tracking users, the Palo Alto Networks firewall is better than Cisco Firepower.

Buyer's Guide
Cisco Firepower NGFW Firewall
October 2022
Learn what your peers think about Cisco Firepower NGFW Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: October 2022.
635,162 professionals have used our research since 2012.

For how long have I used the solution?


What do I think about the stability of the solution?

It is very stable because it is based on the Cisco ASA Firewall hardware, which is an old-generation firewall. I have had Cisco ASA Firewall for more than 10 years, and they have been working fine till now. So, Cisco Firepower NGFW Firewall's performance and stability are the best. I have never seen any issues or heard from anyone that it is bad.

What do I think about the scalability of the solution?

Its scalability is very good. It was a small implementation. Traffic was maximum of 150 megabits per second. 

How are customer service and support?

I haven't worked with Cisco support.

Which solution did I use previously and why did I switch?

I have had experience with the Fortinet FortiGate firewall. It is very easy, and it does its job very well. Both Firepower and FortiGate do their job very well, but I like the Palo Alto Networks firewall the most. I have not experienced it in a real environment. I have placed it in my lab. It is a very complex firewall, and you need to know how to configure it, but it is the best firewall that I have seen in my life.

As compare to the Palo Alto Networks firewall, both Firepower and FortiGate are simpler. You can just learn which button to use and how to write rules, policies, etc. In Palo Alto, you can not guess this. You should know where each button is, how it works, and what it does. If you don't know, you cannot get the performance you want from Palo Alto. So, Firepower and FortiGate are easier to learn.

Firepower is very good for a small implementation. If you are doing a Cisco setup, you can place kind of 16 devices in one cluster. When it comes to the real environment, you need to have maybe three devices in one cluster. If two of them are in one data center and the third one is in another data center, the third firewall does not work very well when it comes to traffic flow because of the MAC address. When you want to implement Firepower in small infrastructures, it is very good, but in big infrastructures, you would have some problems with it. So, I won't use it in a large environment with five gigabits per second traffic. I will use the Palo Alto firewall for a large environment.

How was the initial setup?

It is straightforward. For me, it is very simple. The menu is quite impressive. Everything that you want to do can be done from the web user interface. You don't need to access the CLI if you don't like it. It is very easy to make rules with its web user interface.

Its deployment took two days. In terms of the implementation strategy, the first cluster was in the data center, and its main job was to filter user traffic going to the data center. The second cluster was on the edge. Its main job was to mitigate attacks on the inside network and to capture the traffic that could have viruses, malicious activities, etc.

What about the implementation team?

I deployed it myself, and it took me two days to deploy two clusters of Cisco Firepower NGFW Firewall. 

What was our ROI?

I think our client did get an ROI. They are very satisfied with what they can do with these firewalls. It fits all of their needs.

What's my experience with pricing, setup cost, and licensing?

Its price is in the middle range. Both Firepower and FortiGate are not cheap. Palo Alto and Check Point are the cheapest ones.

I don't remember any costs in addition to the standard licensing fees.

What other advice do I have?

Our client didn't implement dynamic policies for dynamic environments because they were a small company, and they didn't need that kind of segmentation. I am not sure if it reduced their firewall operational costs because they were a small company, and the traffic was not so high.

I would rate Cisco Firepower NGFW Firewall an eight out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Network Engineer at a computer software company with 51-200 employees
Real User
Enables us to create policies based on who is accessing a resource instead of just IP addresses but the UI needs improvement
Pros and Cons
  • "Another benefit has been user integration. We try to integrate our policies so that we can create policies based on active users. We can create policies based on who is accessing a resource instead of just IP addresses and ports."
  • "It's mainly the UI and the management parts that need improvement. The most impactful feature when you're using it is the user interface and the user experience."

How has it helped my organization?

I can't put Cisco on the firewall when the security landscape has changed so much in the past five to ten years. We are doing a lot more in the next generation of firewalls. We had a legacy classic firewall before we went to Firepower, and we spent a lot less time on that firewall, but we are spending more time on the Firepower because we are utilizing a lot of the features that are available in Firepower that were not available in the previous firewall that we had. I'm not going to say that we're spending less time, but we're gaining more value.

Another benefit has been user integration. We try to integrate our policies so that we can create policies based on active users. We can create policies based on who is accessing a resource instead of just IP addresses and ports.

What is most valuable?

If I were to have been asked a few weeks ago, I would have said threat prevention was the most valuable feature, but the world is changing a lot, so my favorite features a few years ago might not be my favorite features today.

What needs improvement?

The visibility the solution gives when doing deep packet inspection can be complex. I really like the visibility, but it's not always intuitive to use. I also help other customers. We are a contracting company that implements their solutions, and I've found that it's not always easy to get everyone to utilize some of the visibility features. But for me personally, I think they're very valuable. 

The ease of use when it comes to managing Cisco Firepower has a lot of room for improvement. When monitoring a large set of firewall policies, the user interface could be lighter. It's sometimes heavy in use, and there could be improvements there. I know they're trying to make improvements.

It's mainly the UI and the management parts that need improvement. The most impactful feature when you're using it is the user interface and the user experience.

For how long have I used the solution?

We were an early adopter when Firepower first came out. I've been using Cisco firewalls for the last two decades.

What do I think about the stability of the solution?

For newer hardware models, the stability is good. We've tried to run Firepower on some of the legacy-supported hardware as well, but with the stability issues, they are not as good. If I were to judge based on the hardware that I have, I'd say it's good. I haven't had any issues with the stability on my platform.

What do I think about the scalability of the solution?

We just recently enabled Snort 3 so I'm evaluating the functionality. That's what we've considered, but we haven't done any performance testing. Our company would qualify as a small to medium business company. The average office environment is about 100 to 200 people. Performance-wise, my company is about 120 people.

Scalability is really not relevant. I know there are features that address some of those parts, like clustering and stuff, but that's really not applicable in my use cases.

How are customer service and technical support?

The support is eight to nine out of ten. You can't blame them for any faults of the prototypes, but the support has been really good and really helpful when we had any issues.

Which solution did I use previously and why did I switch?

I have hands-on experience in both Fortinet and Palo Alto. So if I were to compare this to Palo Alto, for example, I would say that the user interface in Palo Alto is a lot better. But the reason that I'm working with Firepower is that we have a Cisco network as well, and Cisco ISE. We're trying to integrate different Cisco solutions. We're trying to utilize the ecosystem benefits where I can connect my Cisco Firepower to ISE and have it talk to the App Cloud. There's a benefit of utilizing Cisco Firepower in conjunction with our other Cisco solutions.

Ease of management is similar with Cisco and Fortinet, I would say similar, but it's easier in Palo Alto.

How was the initial setup?

I recently deployed a similar solution at a customer's premises, and that setup was straightforward.

The steps are fairly documented and the documentation and guides on Cisco are straightforward. You know what you're expected to configure, and it's easy to get up, running, and started. It takes some more time to check everything and get everything as you want to have it, but getting started and getting connectivity and starting to create policies was easy to do and didn't take a very long time.

It took two to four hours, including some upgrades.

What other advice do I have?

My main advice would be to utilize all the guides and documentation available from Cisco publicly and not trying to implement it using legacy thinking. Don't try to just replace something else you have. If you have a next-gen firewall, you want to try to utilize what you're getting, and getting the most out of a firewall. There are some great guides and documentation on Cisco that explains what you can do and how you can do it.

I would rate it a seven out of ten. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Cisco Firepower NGFW Firewall
October 2022
Learn what your peers think about Cisco Firepower NGFW Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: October 2022.
635,162 professionals have used our research since 2012.
JATINNAGPAL - PeerSpot reviewer
Manager/Security Operations Center Manager at RailTel Corporation of India Ltd
Real User
Top 20
Good content filtering but not mature enough and has too many bugs
Pros and Cons
  • "The content filtering is good."
  • "The maturity needs to be better."

What is our primary use case?

It is the primary data firewall for our organization and our data centers.

How has it helped my organization?

We have faced multiple issues regarding bugs with Cisco Firepower products. A running product is hit with bugs most of the time, and we had a lot of challenges in using the Cisco Firepower product, actually. In the future, we are planning to replace it, or at least use it instead as a secondary firewall.

What is most valuable?

The content filtering is good. 

What needs improvement?

The maturity needs to be better. The product is not yet mature. A running product is hit with the software bugs most of the time, and whenever we then log a case with the tech team, they're sometimes helpless with that. They have to involve the software development team to fix that bug in the next release. It's not ideal. Being an enterprise product, it should be mature enough to handle these types of issues.

For how long have I used the solution?

I've been using the solution for the last three years. 

What do I think about the stability of the solution?

The performance is okay, however, the product is not stable. It is all hit with CVL software bugs routinely. That portion requires attention from Cisco and the tech support in this area is somewhat delayed. An open ticket can sometimes take more than two to three months to resolve. For the production setup, it is tough to rely on the tech team alone for the closure of the case.

What do I think about the scalability of the solution?

The solution is very scalable. 

How are customer service and support?

Cisco support is always available. However, multiple times, it has been tough for them to fix the software bugs in the product. They have to then deploy their development team for the same ticket.

Which solution did I use previously and why did I switch?

Earlier we used the Cisco ASA Firewall. Now, it has been phased out. Firepower is categorized as the next-generation firewall, however, we haven't found the utility of that level in this product. It lacks maturity at many levels.

How was the initial setup?

We have two data centers at two geographical locations. We have two firewalls - one in one data center, at the perimeter, and another at a different location.

The initial setup was okay. We had more of an in-between partner doing the installation part since the product was also new to us. The product was part of my overall product solution. We procured a firewall and another ACL fabric portion for the data center. Overall, the solution installation took over seven to eight months.

We had two people assist with the deployment process. 

What about the implementation team?

We used an integrator for deployment. Overall, the experience was positive. 

What was our ROI?

There is no ROI. It is functioning as a normal firewall, as a data center perimeter, however, we expected much more than that. At times, there has been downtime with the firewall, and our custom modifications have won at a very high level. The product has to be mature when it is being used at the enterprise level.

What's my experience with pricing, setup cost, and licensing?

The solution offers mid-range pricing. We can get a cheaper product like Fortinet, and we can get a costlier product like Palo Alto, and these are all in the same category.

There's only one license based on the support. Cisco Firepower is priced on the support of the product that we require: with SSL and without SSL. Currently, we are not doing any SSL inspection. We have an ATP report firewall.

Which other solutions did I evaluate?

When we were looking for a product, we put it through tender and we put out specifications of the product that we required. Cisco had the lowest price. We evaluated the L1 after it was technically qualifying. That is how we acquired it.

We looked at Palo Alto, however, it was far too costly.

What other advice do I have?

We are a customer and an end-user. 

It was earlier named Sourcefire. Cisco acquired that company and rebranded it as Firepower.

We are actually a public cloud provider. We offer data center services to clients.

I'd advise others considering the solution that, for implementation, the product needs some stability and maturity to be offered as a next-generation firewall at an enterprise level. If a company is in need of an enterprise-level solution, they need to be aware of this.

I'd rate the solution a five out of ten. 

The product needs maturity in terms of running without hitting a bug. We have used other products also. A running product is never hit with a bug. It is normally some vulnerability or something that needs to be attended to, however, a running product is seldom hit with a bug and the operation gets stalled. We rarely find this kind of thing in an enterprise scenario. That is what we ask from Cisco, to build a stable product before offering it to customers.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Zhulien Keremedchiev - PeerSpot reviewer
Lead Network Security Engineer at TechnoCore LTD
Real User
Top 10
Good evaluation period, support, and it has a powerful intrusion policy
Pros and Cons
  • "The most valuable feature that Cisco Firepower NGFW provides for us is the Intrusion policy."
  • "I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device."

What is our primary use case?

My primary use case with Cisco Firepower NGFW is implementing, configuring, maintaining, and troubleshooting lab and customer devices in both lab and production environments.

Using best practices for configuration, as well as fine-tuning intrusion policies and utilizing as many of the features that the firewall has to offer, which are feasible in said environment.

Overall, I am confident to say that I have worked with every flavor of Cisco Firepower NGFW, be it their older IPS-only sensors, ASA with Firepower services, as well as the FTD sensor itself.

How has it helped my organization?

Cisco Firepower NGFW has improved our organization by giving us the opportunity to protect both our network and our customer's environments. Being able to work with the device in a lab environment and utilizing the whole feature set is really easy with the Evaluation licenses of 90 days on the FMC. The only thing that you need is an environment with enough resources to virtualize both the FMC and FTD sensors.

I would like to emphasize the easy-to-use evaluation period of the Cisco Firepower NGFW because many other firewall vendors lack this and it is a real pain having to test everything in production environments because you cannot build a good lab environment without paying for licenses.

What is most valuable?

The most valuable feature that Cisco Firepower NGFW provides for us is the Intrusion policy. 

Again, with that being said, I cannot shy away from giving kudos to all of the other features such as AVC (Application Visibility and Control), SSL Decryption, Identity policy, Correlation policy, REST API, and more.

All of the features that are incorporated in the Cisco Firepower NGFW are awesome and easy to configure if you know what you are doing. Things almost always work, unless you hit a bug, which is fixed with a simple software update.

What needs improvement?

I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device. 

Also, they need to ensure that all of the implemented features are working as they should, and able to integrate with more third-party software in an easier manner.

As it stands currently, Cisco is doing this, but I am not confident enough to say that their QA team is doing as good a job as they should as there have been software releases that were immediately pulled back the same day as they were released.

For how long have I used the solution?

I have been working with Cisco NGFW for almost five years as of 2020.

What do I think about the stability of the solution?

I have seen devices working without any issues and/or without a reboot of the device for many years (although I do not recommend this) running on base versions of the software, and I have seen an out-of-the-box fresh install having many stability issues. However, overall my impression is that the most recent software versions are very stable without any evident underlying issues.

Keep your software up-to-date and the solution should be stable.

What do I think about the scalability of the solution?

Cisco Firepower NGFW has a large variety of devices that are able to accommodate every company's needs, be they small or large. Overall, the scalability of the devices is very good.

How are customer service and technical support?

Experience with Cisco TAC has been awesome almost always. The SLAs are kept every time, which is very hard to get from any of the other firewall vendors. I have not seen any other vendor get you a proficient engineer on the phone within 15 minutes.

Which solution did I use previously and why did I switch?

Cisco ASA and Firepower NGFW is the first firewall solution that I have and am still using.

How was the initial setup?

Once you deploy a few of these devices, the initial setup is really straightforward and easy to do unless the position of the firewall on the network needs you to do some connectivity magic in order for it to work.

What about the implementation team?

All of the implementations that we have done are with in-house teams, so I have no overview of the vendor team.

What's my experience with pricing, setup cost, and licensing?

Cisco, as we all know, is expensive, but for the money you are paying, you know that you are also getting top-notch documentation as well as support if needed. In some cases, this may save you a lot of money or stress, which is why everyone who uses Cisco solutions loves them.

Which other solutions did I evaluate?

I have worked with many other firewall vendors in both production and lab environments such as CheckPoint, Palo Alto, Fortinet, Juniper, but to be honest I find Cisco's firewall solutions and Palo Alto's firewall solution to be the best.

What other advice do I have?

I believe that Cisco Firepower NGFW is the future leader in NGFW, with only maybe Palo Alto being the main competitor. This is very good, as we all know that having a rival is good for us, the users :) 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Daniel Going - PeerSpot reviewer
Managing architect at Capgemini
Real User
Is intuitive in terms of troubleshooting, easy to consume, and stable
Pros and Cons
  • "The deep packet inspection is useful, but the most useful feature is application awareness. You can filter on the app rather than on a static TCP port."
  • "Licensing is complex, and I'd like it to be simplified. This is an area for improvement."

What is our primary use case?

We use it for data center security for both the north-south and east-west.

With Firepower, you get the next-generation functionality and the next-generation firewall features. Traditionally, when you have a layer three access list, it's really tricky to get the flexibility you need to allow staff to do what they need to do with their apps without being too prescriptive with security. When Firepower comes in, you get much more flexibility and deeper security. They were mutually exclusive previously but are not so much anymore.

We have, probably, 20,000 to 25,000 end users going through the firewalls. Physical locations-wise, there are four data centers in Northern Europe, and the other locations are in the public cloud, that is, Azure and AWS.

How has it helped my organization?

It has improved the organization because we now have more flexibility with deployment, and we can deploy solutions quickly and more securely. As a result, we're improving the time to implement change.

What is most valuable?

The deep packet inspection is useful, but the most useful feature is application awareness. You can filter on the app rather than on a static TCP port.

What needs improvement?

Licensing is complex, and I'd like it to be simplified. This is an area for improvement.

If we could create a Firepower solution that became like an SD-WAN or a SASE solution in a box, then perhaps we could exploit that on remote sites. We've already kind of got that with Meraki, but if we could pull out some of the features from ASA Firepower and make those available in SD-WAN in SASE, then it would be pretty cool.

For how long have I used the solution?

I've been using this solution for probably six years as Firepower and for about 10 to 15 years before Firepower came in.

What do I think about the stability of the solution?

It's very stable. We've seen very few issues that aren't human-related. If I were to rate the stability, it would have to be 10 out of 10 because we haven't seen any failures.

What do I think about the scalability of the solution?

It's tough to scale because it's a firewall appliance, but in terms of the ability to deploy it virtually, it's inherently scalable. That is, as far as a firewall can scale, it's very scalable.

How are customer service and support?

I'd give technical support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used Check Point previously, and the reason we switched to Firepower was that it would be a common vendor and a commonly supported solution by our team. The consistency with Cisco is why we went with Firepower.

How was the initial setup?

Our deployment model is both public cloud and private cloud. The physical devices are on-premises at a data center or virtual in an on-premises data center, and the network virtual appliances are in distributed public cloud platforms including AWS, Azure, Google, and private cloud.

We have between 20 and 50 people who are responsible for the maintenance of the solution through a various mix of ticketing systems and troubleshooting. Their responsibilities are operating the platform, that is, making sure that the connectivity works, analyzing the security, the posture that those firewalls are protecting, and implementing change.

What was our ROI?

There was no specific investment to make because there was a requirement to implement data center security. That's certainly been fulfilled, and the benefits now versus those previously are time to deliver change and having a more secure, rounded posture. Both of these are being realized.

What's my experience with pricing, setup cost, and licensing?

The pricing was fairly reasonable. It was competitive and was slightly more than Check Point was. However, when we looked at the usability and the features that we would get out of Firepower, it was certainly reasonable.

Licensing is complex, and I'd like it to be simplified.

Which other solutions did I evaluate?

We evaluated Check Point. One of the pros was that we're a Cisco house, so having Cisco Firepower is useful.

Also, the architectural differences between Check Point and Firepower lend themselves to Firepower. The Check Point architecture is a bit more complicated.

It's a bit more complex to deploy and a bit more difficult to troubleshoot. I think troubleshooting with Firepower is much more intuitive, so it's easy for the operations guys to manage, and it's easy for people to consume.

What other advice do I have?

My advice would be to compare equitable vendors and see where Cisco is strong and where they're not as strong. However, take into account your wider environment. If you've got a Cisco house and the solution has the same look and feel, those who are managing the service will say that it's Cisco and that they know it. That carries a huge weight, so pay careful attention to the rest of your environment.

Overall, I'd give this product a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Network Support Engineer at a manufacturing company with 51-200 employees
Real User
Top 20
Poor upgrade process can result in network failure, but the threat defense works well and it is scalable
Pros and Cons
  • "Cisco's technical support is the best and that's why everybody implements their products."
  • "The main problem we have is that things work okay until we upgrade the firmware, at which point, everything changes, and the net stops working."

What is our primary use case?

We primarily use this firewall for IPS, IAM, threat defense, and NAT.

I am from the networking department.

How has it helped my organization?

We are using the Firepower Management Center (FMS) and the management capabilities are okay. I would not say that they are good. The current version is okay but the earlier versions had many issues. The deployment also takes a long time. It takes us hours and in some cases, it took us days. The latest version 6.6.1, is okay and the deployment was quick.

I have tried to compare application visibility and control against Fortinet FortiGate, but so far, I don't see much difference. As I try to determine what is good and what is bad, I am seeking third-party opinions.

What is most valuable?

The most valuable feature is the threat defense. This product works well for threat defense but for everything else, we use Cisco ASA.

What needs improvement?

This product has a lot of issues with it. We are using it in a limited capacity, where it protects our DR site only. It is not used in full production.

The main problem we have is that things work okay until we upgrade the firmware, at which point, everything changes, and the net stops working. As a financial company, we have a lot of transactions and when the net suddenly stops working, it means that we lose transactions and it results in a huge loss.

We cannot research or test changes in advance because we don't have a spare firewall. If we had a spare then we would install the new firmware and test to see if it works, or not. The bottom line is that we shouldn't have to lose the network. If we upgrade the firmware then it should work but if you do upgrade it, some of the networks stop working. 

For how long have I used the solution?

We have been using the Cisco Firepower NGFW Firewall for three years.

How are customer service and support?

Cisco's technical support is the best and that's why everybody implements their products. But, when it comes to Firepower, we have had many delays with their support. For all of the other Cisco products, things are solved immediately.

Nowadays, they're doing well for Firepower also, but initially, there was no answer for some time and they used to tell us that things would be fixed in the next version. That said, when comparing with other vendors, the support from Cisco is good.

Which solution did I use previously and why did I switch?

We use a variety of tools in the organization. There is a separate department for corporate security and they use tools such as RedSeal.

In the networking department, we use tools to analyze and report the details of the network. We also create dashboards that display things such as the UP/DOWN status.

We have also worked with Cisco ASA, and it is much better. Firepower has a lot of issues with it but ASA is a rock-solid platform. The reason we switched was that we needed to move to a next-generation firewall.

How was the initial setup?

The initial setup was not easy and we were struggling with it.

In 2017, we bought the Firepower 2100 Series firewalls, but for a year, there was nothing that we could do with them. In 2018, we were able to deploy something and we had a lot of difficulties with it.

Finally, we converted to Cisco ASA. When we loaded ASA, there was a great difference and we put it into production. At the time, we left Firepower in the testing phase. In December 2018, we were able to deploy Firepower Threat Defense in production, and it was used only in our DR site.

What about the implementation team?

We do our own maintenance and there are three or four of us that are responsible for it. I am one of the network administrators. We can also call Cisco if we need support.

What was our ROI?

From the perspective of return on investment, implementing the Firepower 2100 series is a bad decision.

What's my experience with pricing, setup cost, and licensing?

Firepower has a very high cost and you have to pay for the standby as well, meaning that the cost is doubled. When you compare Fortinet, it is a single cost only, so Fortinet is cheaper.

Which other solutions did I evaluate?

Prior to Firepower, we were Cisco customers and did not look to other vendors.

Given the problems that we have had with Cisco, we are moving away from them. We are now trying to implement FortiGate and have started working with it. One thing that we have found is that the Fortinet technical support is very bad.

What other advice do I have?

I would rate this solution a five out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Information Security and Compliance Manager at RSwitch
Real User
Top 10
Gives us a central point for applying rule changes, rather than logging in to each device
Pros and Cons
  • "Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches."
  • "We're getting support but there's a big delay until we get a response from their technical team. They're in the USA and we're in Africa, so that's the difficulty. When they're in the office, they respond."

What is our primary use case?

We are a payment switch and we deal with cardholder data and information. Our primary goal is to ensure the security of customers' payment data, that they are protected.

Our security maturity is now at a good level compared to the past. To be accepted to drive Visa and Mastercard, you have to pass security assessment audits and we have managed to pass all of them now, for some years.

Apart from our firewall, we have three security tools. We have a NAC, we have a SIEM, and our syslogs.

How has it helped my organization?

It's easy now because we have many Cisco devices in a central point. We don't need to log in to each device and apply rules to them. We can do it from the management control and apply them to the specific firewalls that we want to apply them to.

In addition, compared to our previous firewall solution, the security is much better. Through our monitoring, we now see all the information that we require on security, in terms of PCI. We can see exactly what is happening in our environment. We know what is going, what is going in and out. If an incident happens, it provides a notification so that we can do an analysis.

What is most valuable?

Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches.

Another important feature for us is user access. Now, we can base access on rules and specify that this or that user has privilege on the NG firewall. That was not available before. 

The IDS also makes it easy to detect abnormal traffic. When it sees such traffic in the environment, it sends a notification.

For how long have I used the solution?

We have been using Cisco Firepower NGFW Firewall for about two months.

What do I think about the stability of the solution?

The solution is stable. It's not hanging. With the firewalls from Cisco we are not facing a situation where devices are hanging because of too much traffic.

What do I think about the scalability of the solution?

The scalability is fine.

How are customer service and support?

We're getting support but there's a big delay until we get a response from their technical team. They're in the USA and we're in Africa, so that's the difficulty. When they're in the office, they respond.

Which solution did I use previously and why did I switch?

We migrated from Cisco AC520 to the Cisco NGFW. We have also used HPE and IBM switches, as well as FortiGate firewalls. We are now completely Cisco.

Previously, we were also using AlienVault and it was easy to integrate with Cisco devices.

How was the initial setup?

The initial setup is 50/50, between straightforward and complex. Migrating from Cisco to another Cisco product is okay, but migrating to Cisco from other network devices, like an IBM switch, is a bit tricky. You can't test the configuration to see if it's the same as what you're going to. But we managed with support from Cisco.

It took a month to complete the deployment.

Our implementation strategy was based on not upgrading everything at the same time. It was phased. We deployed a specific device and then we monitored everything to make sure everything looked okay, and then we moved on to the next one.

It requires a minimum of two people for deployment and maintenance, from our network and security teams.

What about the implementation team?

We used internal resources with support from Cisco.

What was our ROI?

We have gotten exactly what we're looking for, based on the company's requirements.

What's my experience with pricing, setup cost, and licensing?

The pricing is high.

Which other solutions did I evaluate?

Cisco NGFW's ability to provide visibility into threats is good compared to other solutions. The visibility is quite impressive and gives us what we're looking for, based on our security requirements.

What other advice do I have?

The scalability, the performance of the devices, the features, and the support, when looking at them combined, make the product a nine out 10.

We're planning the deployment of Cisco ISE soon, to be like our NAC.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Rifat Hyseni - PeerSpot reviewer
Director of Information Technology at a government with 501-1,000 employees
Real User
Top 20
Provides us with application visibility and control
Pros and Cons
  • "When it comes to the integration among Cisco tools, we find it easy. It's a very practical integration with other components as well."
  • "The initial setup was a bit complex. It wasn't a major challenge, but due to our requirements and network, it was not very straightforward but still easy enough."

What is our primary use case?

We are a large company in the country in which we operate. We are a government agency dealing with taxes and we provide services for all taxpayers within the country. We have services for internal users, as well as services for public users. The main reason we use these firewalls is to protect our environment and to provide our services efficiently so that we are up and running 24/7.

Our solution is deployed in a private cloud. Everything is hosted in our environment and provided as cloud services. We are in the process of moving our infrastructure from the previous environment to the new environment where Cisco firewalls are installed.

In terms of our security maturity as an organization, we are young. In fact, we are young as a country. We have been providing electronic services for more than 10 years for our clients. We have a huge number of clients, with over 120,000 users who subscribe to our system and who access our services on a daily basis or, at a minimum, three to four times per year.

We use a few tools for security in terms of management, both internal and external, but we are mainly relying on Cisco. Our network is based on Cisco, and we also protect our mail system with Cisco. Previously, and in parallel, we used Sophos next-generation firewalls.

What is most valuable?

The solution provides us with application visibility and control and, at this stage, we are happy with it. Similarly, we are very happy with Cisco Firepower Management Center. We're still at an early stage, but we haven't seen any problems with the Cisco products. We are still switching on features and looking at how they are working.

When it comes to the integration among Cisco tools, we find it easy. It's a very practical integration with other components as well.

We also believe that Cisco is updated about all security issues and threats and efficient enough to provide us with the features and protection we need.

For how long have I used the solution?

We just installed them recently. We started installation at the end of 2020 and we completed it this month, April 2021.

What do I think about the stability of the solution?

It's still early, but we believe the stability is alright.

What do I think about the scalability of the solution?

The scalability of the solution is better than the other firewalls we have, due to technical features. Our technicians have realized that this is much more scalable compared to other solutions.

How are customer service and technical support?

So far, the technical support has been excellent.

How was the initial setup?

The initial setup was a bit complex. It wasn't a major challenge, but due to our requirements and network, it was not very straightforward but still easy enough.

We did a proper implementation plan according to the complexity of our network and our requirements. Then we used the best method for implementing it while mitigating our risks and meeting our requirements. We found a good way to implement it.

The setup took us two calendar months, but in terms of the actual time required to configure it, it was not so long. The setup took approximately as long as for other firewalls we have used.

What was our ROI?

It's hard to talk about ROI when it comes to security, but security now is expensive. You have to pay for it.

What's my experience with pricing, setup cost, and licensing?

For us, the pricing was more economical than other products we used. There were no extra costs.

Which other solutions did I evaluate?

We evaluated a lot of the providers: Juniper, Palo Alto, Check Point, and Fortinet. Our technical team really researched things for a considerable amount of time, and they came up with a decision that this would be the best.

Cisco was chosen because there were many features according to assessments made by other users and as noted in technical data sheets we looked at during the research. They came up with a few features which are better than what other products have. 

Also, especially when you have been a long-time user of Cisco products and services, we found that from a budget perspective it was going to be much more preferable than the others.

What other advice do I have?

We are very satisfied with the service and the product. I don't think that any product would be better than Cisco when it comes to next-generation firewalls.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Cisco Firepower NGFW Firewall Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2022
Product Categories
Firewalls
Buyer's Guide
Download our free Cisco Firepower NGFW Firewall Report and get advice and tips from experienced pros sharing their opinions.