Cisco Secure Firewall Reviews

We use them for firewall purposes. We use the small ones with the partners for the services they need, such as VPN and security.

Their performance is most valuable.

The stability could be better because we have a lot of issues with the stability of Cisco Firepower.

I've been using Cisco firewalls for 20 years.

We have a lot of issues with the stability of Cisco Firepower.

It depends on the model. We are hitting some issues with scalability. It's getting very expensive to scale out.

They sometimes take too long and don't fix the issue quickly, but eventually, it is fixed. I'd rate their support a nine out of ten.

Positive

We have been using different Cisco firewalls for a long time. We are currently using Cisco Firepower and Cisco ASA. Cisco Firepower is better than Cisco ASA, but stability is an issue.

It's now easier than before. You can have virtual appliances.

We mostly have it on-prem, but some customers want on-prem virtual.

We considered using a different solution such as Check Point or Huawei. We chose to stay with Cisco because we're experienced with Cisco and because of the support.

The old versions or models saved us time, but the newer ones take our time. Overall, I'd rate Cisco Secure Firewall an eight out of ten.

We use them in our data centers and on the client side. We have a small installation of Firepower in our main data center, and we are also using Cisco ASA firewalls. So, we have the old ASA platform and new Firepowers. 

It saves time because it's easy to operate and it's easy to add new zones or firewall rules. It's also easy to troubleshoot. It's a neat platform.

When I was managing these firewalls, I found them easy to understand, easy to deploy, and easy to maintain as compared to some of the other firewalls I have been involved with earlier. The opinion of my coworkers is that it's easy and quick to establish new zones, expand, and maintain.

I'm not very familiar with the largest Firepower models, but competitors like Palo Alto seem to have a more capable engine to do, for instance, TLS/SSL decryption. As I understand, Firepower doesn't let you export the decrypted traffic so that, for instance, the security department can look at the traffic or inspect traffic. It's all in the box. I've heard rumors that this is something Cisco is working on, but it isn't yet available.

We have been using Cisco firewalls for about 10 years. 

Its stability is good. We have a failover standby solution that works fairly well. It can have some improvements, but we are happy with it.

We had an issue where we had to install another cluster for the firewall because we went out of the capabilities on one of them. You need to analyze in advance how much your usage will grow in the future and you have to decide based on that. It's about adding more firewalls. We can scale in this way, and it's good.

Whenever I've used their tech support, they have been successful. They quickly pinpointed the problem and provided swift remediation for all the problems. My experience has been good. I'd rate them a nine out of ten.

Positive

We decided to go for Firepower because we needed to expand, and we have a large installation of Cisco devices in our environment. It's 70% Cisco. We have one location where they are using Extreme equipment, but in that location also, we have Cisco firewalls. Having one vendor leads to ease of management. It's also easy in terms of competence. We have good knowledge of Cisco, so it's easy to maintain and operate a Cisco platform.

For network security, we have a central hub for all the external traffic. That is a huge load of traffic. On those applications, we are using Palo Alto. We have a mixed combination of Cisco and Palo Alto in our central locations.

Using Cisco firewalls has helped to eliminate or consolidate some of the tools and applications. We have some installations of AlgoSec to see what's going on or how the performance is, but we have, more or less, decided that we don't need them now because there is so much information that we can pull from CSM or FMC.

It's easy to deploy and maintain.

We have a partner for Cisco products. We have a contract with a new partner now for the SDA fabric on ACI.

I'd rate Cisco Secure Firewall a nine out of ten. 

We use Cisco Secure Firewall in our own company for site-to-site VPN to access our customers and provide remote support.

We sell the solution to our customers as well. They use the ASA or FMC for dedicated networking, for example, the process network. That is, they dedicate the process network or ASA to the user network.

As a Cisco Secure reseller, I add value with my professional background, for example, in Cisco TAC, to my customers. We choose to sell Cisco Secure Firewall because of our partner status with Cisco.

The most valuable feature for the customers is that they can control what communication is allowed and what is not allowed. That is, they can allow or deny client traffic.

It also secures the internal network to allow specific client traffic or machine traffic.

Cisco Secure Firewall helped reduce our clients' meantime to repair by 40%. This is because they can easily segment the network. It's easy to troubleshoot because of micro-segmentation.

Cisco Secure Firewall should be easier to handle. It uses ASDM, which is not easy to understand. It would be better if there was direct access via HTTPS.

I have used this solution for around five years, but my company has been using it for 30 years.

Cisco's technical support for security is good. The support staff are professional and know what to do. I would give them an eight out of ten.

Positive

The deployment of the firewall is more difficult if you want to use all of the features. However, if you're using it only as a VPN, then it's a little bit easier to deploy.

Compared to Cisco Secure Firewall, other firewall solutions are easier to handle because they do not use ASDM. They have direct access via web browsers.

If you're considering Cisco Secure Firewall, take a look at what you want to use the firewall for and what kind of handling you prefer. If you prefer easy handling via browsers, then you may need to use another solution because ASDM is no longer the state of the art.

Overall, I would rate Cisco Secure Firewall at seven on a scale from one to ten.

The I add as a reseller is the professional background.

With [my company], NIL, it's cross-domain. It's just not ASA, but in particular we work with customers where we talk about the physical boxes or even the virtual appliances that we're deploying. The use cases can be multiple, but mostly what we have seen is perimeter security, looking at blocking [and] allowing of traffic before accessing the internet.

The majority of the challenges that we see across customers and partners is looking at the data, the integrity, security, [and] looking at various areas where they need to put in boxes or solutions which could secure their environments. It's not just about the data, but even looking at the endpoints, be it physical or virtual. That, in itself, makes the use case for putting in a box like ASA. 

And, of course, with the integrations nowadays that we have from a firewall, looking at multiple identity solutions or logging solutions you could integrate with, that in itself becomes a use case of expanding the genres of integrated security.

The best features would obviously be the ones that are most used: the perimeter security, allowing/blocking of traffic, NAT-ing, and routing, or making it easy as compared to a router. If you were to do the similar features on a router, it would be way more extensive and difficult as compared to a firewall. These are the majority of the features that anyone would begin with.

But of course, they expanded to other features like IPS or cyber security or looking at vulnerabilities or scanning, port scans. Those are the advanced things.

[In terms of overall performance] in the last decade or so, especially in the last three or four years, the scale of where the architecture has been—all the numbers, the stats, everything—has gone up exponentially. It's all because of the innovations that are always happening, and not just at the hardware level, but particularly at the software level. Of course, we can always look at the data sheets and talk about the numbers, but all I can say, in my experience, is that the numbers have really gone up, and the speed at which the numbers have gone up in the last couple of years or so, is really progressive. That's really good to see.

We're reaching [the point] where we want it to be. If you go 10 years back, we did miss the bus on bringing in the virtual versus the physical appliance, but now that we have had it, the ASAv, for a few years, I think we are doing the right things at the right place. 

The only improvement that we could make is maybe [regarding] the roadmap, to have better visibility as to what we are targeting ahead in the next few quarters. That is where we, as partners, can also leverage our repos with our customers and making them aware that there might be some major changes that we may have to introduce in their networks in the near future.

I started back in the days with ASA when I was [with] Cisco. I was [with] Cisco for 12 years. I started as a TAC engineer, and one of the teams I was leading was the ASA team, firewall, and across VPN, AAA. it became like a cross-border team or cross-architecture, and it's been long enough. I've been working with ASAs for about 12 or more years now.

From the stability standpoint, it's way better. Is there a scope for improvement? Of course. There always is. But I can just speak from my experience. What it was and what it is today, it is way better.

We look at scalability for any product of Cisco. I cannot be confined to the ASAs. We have physical, virtual, and cloud deployments. Everything is possible, so scalability is no issue.

Support, when you look at any product from Cisco, has been top-notch. I was a TAC guy myself for 10 years and I can vouch for it like anyone would do from TAC.

Support has always been extensive. There is great detail in root cause analysis. Going back into my Cisco TAC experience, it's always the story that if you know the product well, you know the things that you need to collect for TAC or for any other junior SME to work with you collectively, to get down to the solutions sooner. Otherwise, they have to let you know what you need to collect. It's better to know the product, get the right knowledge transfer, work towards those goals, and then, collectively, we can work as a great team.

I have mostly been involved in the pre-sales stage, and then eventually the post-sales as well. But we do the groundwork of making sure that we have set the stage for the customer to get the initial onboarding. And at times, I do it with other engineers or other colleagues who take it over from there. In my experience, it has been pretty straightforward.

It's not just the implementation, but [it's] also managing or maintaining [the ASA]. It would depend on how complex a configuration is, a one-box versus cluster versus clusters at different sites. Depending on the amount of configuration complexity and the amount of nodes that you have, you would need to look at staff from there. It's hard to put a number [on it and] just say you need a couple of guys. It could be different for different use cases and environments.

[In terms of maintenance] it's about a journey: the journey from having the right knowledge transfer, knowing how to configure a product, knowing how to deploy it, and then how to manage it. Now, of course, from the manageability standpoint, there are some basic checks that you have to do, like firmware upgrades, or backup restores, or looking at the sizing—how much your customer needs: a single node versus multiple nodes, physical versus virtual, cloud versus on-prem. But once you are done with that, it also depends on how much the engineers or SMEs know about configuring the product, because if they know about configuring the product, that's when they would know if something has been configured incorrectly. That also comes in [regarding] maintenance [of] or troubleshooting the product. Knowledge transfer is the key, and making sure that you're up to date and you have your basic checks done. Then, [the] manageability is like any other product, it's going to be easy.

The return on investment is not going to be restricted to just the box, because nowadays, if you look at the integrated security that Cisco has been heavily investing into, it's not just about ASA doing the firewalling functions. Now, these genres have been expanded to cyber, to third-party integrations, having integrated logging, having integrated micro and macro segmentations. The scope has been widened, so the ROI, eventually, has multiplied.

Being a partner, we work with customers who already have different vendor solutions as well. At times, there are a mix of small SMB sites, which could be, let's say, a grocery. There are smaller stores and there are bigger stores, and at times, they do local DIAs or local internet breakouts. [That's where] you do see some cloud-based or very small firewalls as well, but when you look at the headquarters or bigger enterprises, that is where we would probably position Cisco.

[My advice] would depend [on] if they are comfortable with a particular product, if they've been working with a particular vendor. If it's a Cisco shop, or if they've been working on Cisco, or the customers are quite comfortable with Cisco, I would say this is the way to go. Unless they have a mixed environment. It will still depend on the SME's expertise, how comfortable they are, and then looking at the use cases and which products would nullify or solve them. That is where we should position it.

My lessons are endless with ASA, but my lessons are mostly toward product knowledge. When you look at the deployment side of things, or for me, personally, when I was TAC, to know how things work internally within ASA—like an A to Z story, and there are 100 gaps between and you need to know those gaps—and then, eventually, you will get to the problem and solve it in minutes rather than hours.

We are an insurance company. The core of what we do is service. We manage people and security. We have all the implementation for security. 

We have one ERP running on-prem and another one is running on the GCP cloud. We have a cloud service that runs that ERP on GCP. Our other service is running with Microsoft 365. So, we have an in-house AD that syncs with the cloud AD, but it is the firewall that is managing the communication process in between. The on-prem AD sync with the cloud AD is managed by the firewall. It is like a gateway. 

A vendor implemented this system for us to use and manage the process. We have an integration with the GCP. We've integrated this system with our network in such a way that you cannot access the GCP applications or infrastructure if you are not on-premises. This integration with the GCP and our virtual network online has been done locally.

In general, the management of our infrastructure is now easy. I can manage remotely. I can manage on-prem. I can always log in. I have a couple of users who work remotely via VPN because of the license. Not everybody works remotely in my organization. For people who work remotely, we have licenses for them to log in remotely from where they are and use the service. So, managing people, resources, and devices is easy. It has been a good experience. I don't intend to change it because it's giving me the service I need.

In terms of money, it has saved a lot of money. A lot of other organizations that don't have this kind of easy-to-manage layer of security are going through different kinds of attacks. We have a culture of being careful, even though you cannot be a hundred percent careful. When I hear that people have some security issues, I come and check my devices, and I notice that my firewall has actually blocked a lot of things. It gives me rest and peace. So, it saves a lot when you consider the cost of the organization's operations going down, even for one, two, or three hours. We would lose a lot if that happens. It probably saves us over a million dollars a year. The investment is totally worth it.

Our network is a little bit flat. We have a load balancer before getting into our network. We have configured the load balancer on the device itself. We have two major service providers. We have a core business application, and there are some people who use the core business application. We also have some light users. We have set up criteria to give priority to the people who use the core business application. I have a provider that gives me 300 MB to 500 MB, and I have another provider that gives me 20 MB to 25 MB as a backup. I have set priority based on the usage. If you're using the core business application, it pushes you to the fast network. Otherwise, it sends you to the other network. All that has been done on the firewall. It has been very good for this. I have no complaints.

It enables us to implement dynamic policies for dynamic environments, which is important for us. We can control the network based on different kinds of users. We can quickly and easily define the policies. We can set priorities based on different applications, systems, and users on our network.

Its security and filtering are most valuable. Every layer of data that comes into the organization goes through it. After setting up the criteria, it automatically filters the traffic. We don't have to check it often. Sometimes, when users complain that they are not able to see a particular thing, we log in to check the scan and see what it has scanned and filtered. It is usually something it has filtered out. It works perfectly.

It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive. 

I have been using this solution for about three to four years.

It is very stable. I've not had any thought of reconfiguring it. I have just applied my criteria, and I'm good.

Scalability is not a problem because I still have a span of five to seven more years. After that, I might have to go for a bigger device. For now, I have no issues. I can scale up or down. I'm good with that.

Their support is very good. We had an issue where the OS got corrupted. We got Cisco to log in. They did the reset on it, reformatted it, and sent it back to us. Because of the subscription we have with Cisco, we got a copy back in no time. We're now good. We've not been calling their tech support very often. We only call them when we have a very serious issue. I would rate them a nine out of ten.

Positive

It wasn't simple. Its implementation doesn't take much time, but we had to get a consultant in. Implementing a Cisco solution from scratch is harder than implementing FortiGate. With FortiGate, I can do my implementation and put all the criteria easily, but with Cisco, I need to do a lot more research, and I need to get someone to help me, but after implementation, it just works.

We had a consultant from a local vendor here called Incognito. Our experience with him was good. I can refer him to anybody.

When we have issues and we need improvement, he comes in. There was a time we noticed that we had lag on our network. We were trying to figure out the cause for it. We were using two service providers but the same backbone. We called him to make the required modifications.

It is more expensive than the other solutions. 

I'm the CIO here. When I came here, I did an audit of the IT infrastructure to see what was there. I looked at what was existing and thought of improvement. I got in all the vendors and had a meeting with them. I also got in a Cisco vendor and sat down with him and told him about the implementation I wanted. Because of the cost, I didn't change any equipment. So, he did the implementation. At any other place, I would look at the users and implement what is easy for them to manage. For a big enterprise with a whole crew, I would definitely consider Cisco. For any other place, I would go for Fortinet. Cisco is harder to implement and manage, but its stability is good. It is also more expensive. There are other cheaper solutions I would have gone for, but I had to focus on what was existing and improve. I had to make sure I worked with what was existing. We also have Cisco switches.

What it's been configured to do, it does it well. I would rate this solution a nine out of ten.

We were looking to consolidate some of our equipment and technology. When we switched over, ASA was a little bit more versatile as firewalls or VPN concentrators. So, we were able to use the same technology to solve multiple use cases.

We have data centers across the United States as well as AWS and Azure. 

We use it at multiple locations. We have sites in Dallas and Nashville. So, we have them at all our locations as either a VPN concentrator or an actual firewall.

Cybersecurity resilience is very much important for our organization. We are in the healthcare insurance industry, so we have a lot of customer data that goes through our data center for multiple government contracts. Making sure that data is secure is good for the company and beneficial to the customer.

It provides the overall management of my entire enterprise with an ease of transitioning. We have always been a Cisco environment. So, it was easy to transition from what we had to the latest version without a lot of new training.

• Speed
• Its capabilities
• Versatility

When we first got it, we were doing individual configuring. Now, there is a way to manage from one location. We can control all our policies and upgrades with a push instead of having to touch every single piece.

We have been using ASAs for quite a number of years now. 

We have other things around it going down, but we really don't have an issue with our ASAs going down. They are excellent for what we have.

There is rarely maintenance. We have our pushes for updates and vulnerabilities, but we have never really had an issue. 

It is very scalable with the ability to virtualize, which is really easy. We do it during our maintenance window. Now, if we plan it, we know what we are doing. We can spin up another virtual machine and keep moving. 

The technical support is excellent. I would rate it as 10 out of 10. When there has been an issue, we have had a good response from them.

Positive

We were previously using a Cisco product. We replaced them awhile back when I first started, and we have been working with ASAs ever since.

We did have Junipers in our environment, then we transitioned. We still have a mix because some of our contracts have to be split between vendors and different tiers. Now, we mostly have Apollos and ASAs in our environment.

I was involved with the upgrades. Our main firewall was a Cisco module, so we integrated from that because of ASA limitations. This gave us a better benefit.

The deployment was a little complex at first because we were so used to the one-to-one. Being able to consolidate into a single piece of hardware was a little difficult at first, but once we got past the first part, we were good.

We have seen ROI. When I first started, everything was physical and one-to-one. Now, with virtualization, we are able to leverage a piece of hardware and use it in multiple environments. That was definitely a return on investment right out of the gate.

The licensing has definitely improved and got a lot easier. It is customizable depending on what the customer needs, which is a good benefit, instead of just a broad license that everybody has to pay.

It is a good product. I would rate it as 10 out of 10.

Resilience is a definite must. You need to have it because, as we say, "The bad guys are getting worse every day. They are attacking, and they don't care." Therefore, we need to make sure that our customers' data and our data is secure.

It depends on what you need. If there is not a need for multiple vendors or pieces of equipment per contract, you should definitely look at what ASAs could be used for. If you are splitting, you can consolidate using this product.

We use it to control the traffic between our inside and outside networks. 

We use the same firewall for the vendor by creating an IPv6 HyperSec VPN between the company and the vendor. 

It is a security solution. We needed to protect our traffic from the outside to inside. That is why we are using this firewall.

Cisco ASA is pretty good. We use it for Layer 3 and as our main firewall, protecting the entire organization. All our Internet traffic goes through it.

Their CLI is pretty good. 

In order to do an upgrade, we need to upload the software to the firewall, then upgrade the secondary and do a failover. Uploading this software into the firewall is old technology. For example, if you look at the Cisco Meraki firewall, you can schedule the software upgrade. Whereas, here we can't.

Recently, we have been having an issue with the ASA firewall. We haven't found the root cause yet and are still working on it. We failed over the firewall from active to passive and suddenly that resolved the issue. We are now working to find the root cause.

I have been using the Cisco ASA firewall for the last four years.

It is pretty stable. I haven't seen many issues during the past four years.

It has the scalability to replace the firewall with a higher model number.

The scalability meets our needs and future needs.

The technical support is really good. If we open up a case, they are pretty good. As soon as we open up a case, they assign a case manager. Also, they have an engineer on call. I would rate them as nine out of 10.

Positive

They had this firewall when I joined the company.

We also have Palo Alto that we use as a firewall for Layer 2.

I haven't really used the GUI features that much.

We have not integrated with any other Cisco solutions yet, but we have been thinking about integrating with Cisco Umbrella.

I would rate the solution as eight out of 10.

We mainly use it for site-to-site VPNs, connecting to other businesses. I work in manufacturing and hospitals.

We connect to remote networks: manufacturing-to-businesses and hospital-to-hospital.

It was deployed in our data center across multiple sites. At the hospital where I last worked, it was deployed at 18 sites, then we did VPNs between our hospital and clinics.

We don't have to worry about when something goes down. Instead of saying, "Oh my gosh, this went down and now we have a gap here," it has automatic failovers and built-in redundancy. So, it says, "I don't have a gap anymore." This is one less thing to worry about, which was a big benefit for me. If our security group comes back, and says, "Hey, this is down." Then, it is like, "Yeah, we got it covered."

Our security groups are always very adamant that things stay up. If something went down, they say, "Why did it go down? How do we prevent it?" Since resiliency is already built-in on its initial design, we don't have to go back in every time, and say, "Here, this is what we did. This is why it was done like this." Instead, it is just, "Yes, they blessed it, and it's approved," and we don't have to go back and keep reinventing the wheel every time.

I like the ASDM for the firewall because it is visual. With the command line, it is harder to visualize what is going on. A picture is worth a thousand words.

Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it.

I have been using this solution for more than 20 years.

I have never had any problems with stability. In the 20-plus years that I have used them, I don't think I have ever had a failure on them. They have always been rock-solid.

We haven't done much with scalability. We have always just done active standby. However, it scales once you figure out how to do it. If there are site-to-site VPNs within your own location, it is easier because there is a template, where it is, "Here, change this IP address. Change this IP address. There, it's done." 

Third-parties weren't bad. Once my side was done, then we could easily cut and paste it, and say, "Okay, here's what my side's configured for. If you have something that is not working, then you can tell me what it is and I will help you." However, we never really had anything that we couldn't fix. It was also possible to scale on the other side.

I haven't called tech support very often. When I did call them, they could tell me what the problem was. That is where I started learning, "Here are the commands that you should be using to debug this." They have been very helpful. I would rate them as nine out of 10.

Positive

I have used Palo Alto and Fortinet. We switched mainly because we were trying to unify all our products. Instead of using multiple systems, everything with the Cisco solution is end-to-end with different views of security. Some of them wanted to be diverse, keeping things separate. For others, it was easier if everything was just with one vendor. Also, if you are Cisco-centric, it is also easier.

Since I have been using this solution, I have seen it grow. When they first started doing it, it was more like, "Here's the command line. Here's what you got to do." Now, it's easier for a new engineer to come on, and say, "Okay. Here, you are going to start supporting this, and here is how you do it," which has made life easier. Since it is a repeatable thing, no matter which company you go to, it is the same. If you get somebody who is doing it on the other side of the VPN, it is a lot easier. So, I like the Cisco product. I have used several different ones, and it's like, "Well, this is the easiest one." It might be just the easiest one because I have used it long enough, but it is also a good product. It just helps us be consistent.

We did a lot of site-to-site VPNs. We also did a third-party, which is Palo Alto or something. Though, some of them were SonicWall. It is like, "Okay, I don't know how the site is configured, then I spend hours trying to troubleshoot a VPN." The more you use it, the easier it gets. It used to take days to do it. Whereas, the last one that I built took about 30 minutes. The more we use it, the better the outcome is and the faster we can do it. Now, I am not spending days building a VPN, which should only take 10 to 15 minutes.

There is ROI when you use it more.

Once you know what the product is, it is not that bad. Yes, it is expensive. When you try to get a license, it is like, "Well, I don't know which one of these I need. And, if I don't buy it now, then I will probably be back later. Now, I have to justify the money." Typically, you end up just buying everything that you don't use most of the time. It is one of those solutions where you get what you pay for. If you don't know what you need, just buy everything. We have additional licenses that we don't use.

Take your time with it. Actually, read the documentation. Don't just assume you know what stuff means since that will sometimes come back and bite you. I have done that too many times. If you go from version to version, it changes a little bit, and so it is like, "Well I don't know why it doesn't work." Then, you go read the notes, "Oh, yeah. This changed and it is done over here now."

Building more resiliency should be a priority, and it's going to take money to do that. So, you need to actually believe and invest in it. Otherwise, it's an idea. It's great, because we all want redundancy, but nobody typically wants to spend the money to do it. Or, they want to do it as cheaply as possible. It's like, "Okay, I can do that," but you're going to have more gaps. Then, it is not really worth it. Therefore, invest the money the first time and do it right.

I would rate it as nine out of 10.