Cisco Secure Firewall Reviews

We use it to protect our DMZs and externals, to protect our network from our other city partners who manage their own networks to which we have direct connections, like VPNs, and to manage the security parameters between inside and outside connectivity and vice versa.

Cisco Firepower NGFW Firewall was introduced as a migration of many firewalls into one. Just having one firewall with one place of security and one place to look for your packets has really helped.

The features I've found most valuable are the packet captures and packet traces because they help me debug connections. I like the logs because they help me see what's going on.

The security correlation events and the network map help me to drill down on a host at will.

I really like the flexibility of the policies such as those you can use and the layer three policies with which you can block applications. It's really versatile. I like the security zones.

Cybersecurity resilience is our main focus right now. Because we're a government organization, everybody's really nervous about security and what the ramifications are. My device generates all the logs that our security team goes through and correlates all the events, so it's really important right now.

I think they need to review their whole UI because it feels like it was created by a whole bunch of different teams of developers who didn't fully talk to each other. The net policy screen is just a mess. It should look like the firewall policy screen, and they should both act the same, but they don't. I feel like it's two different buildings or programming, that don't talk to each other, and that really annoys me.

They should either build an application or get away from the web. They need to do something that's uniform and more streamlined.

We have a multi-person firewall team, and I can't look at a policy while somebody else is in it. It'll kick me out. I might be working on something that the other guy has to modify. I know that in the next versions they will be dealing with it with a soft lock, but it should've already been there.

One of Cisco's strengths is the knowledge depth of their staff. The solutions engineer we worked with knew the routing and each protocol. If he didn't know something, he would reach out to someone else at Cisco who did. He would even talk to a developer if he needed to.

I've been using Firepower for about three years.

There are some stability issues. We ran CheckPoint for years and didn't have problems with the firewall itself. However, with Firepower, in the past two years, we've had two major crashes and a software bug switchover.

We were debugging NAT rules. I did a show xlate for the NAT translation, and the firewall rebooted itself.

It has only been three instances in two years, but when I compare the stability to that of CheckPoint, it seems higher. CheckPoint just seemed to run.

We have about 8000 end users. Scalability-wise, it's already handling a large amount of traffic.

I like that Cisco's technical support will help me recover the firewall when everything falls apart. I'd give them a nine out of ten. They've really been consistently good, and they go after the problem.

Positive

We previously used CheckPoint and Fortinet. We switched from CheckPoint because it was unsupported, and we wanted to move to a next-generation firewall.

We went to Fortinet, and when we switched over, it caused a huge network outage. The Cisco engineers helped fish us out of that. Our GM at the time preferred Cisco, and we switched to Cisco Firepower NGFW Firewall.

Setting up the machines was straightforward, but exporting was complex. That is, it wasn't a complex deployment as far as the hardware goes. It was more of a complex deployment as far as transferring all the rules go because of our routing architecture.

Firepower is our main interface out to the outside world. We have about eight DMZs that are interface-based. You can do a logical DMZ or you can have an interface and a logical DMZ. We have about eight that are on interfaces. Then, we have our cloud providers and the firewall. We have rules so that our cloud providers can't ingress into our network.

I've found that Firepower does need a lot of maintenance. It needs a lot more software updates than other solutions. We have three people to maintain the solution.

For the deployment, we had about 18 team members including firewall administrators, Cisco firewall engineers, and techs.

The licensing scheme is completely confusing, and they need to streamline it. They have classic licensing and a new type of licensing now. Also, the licensing for the actual firewall is separate from the one for TAC support.

My advice to leaders who want to build more resilience within their organizations is that they should help make policies. Leaders don't want to make policies; they don't want to put their names on policies or write policy documents. I as a firewall administrator am the one saying what the policy should be. I tell them what should happen, and sometimes, they resist.

Also, because the system is just too big to really manage without TAC, you would need TAC along with Firepower.

My advice would also be to go with HA or a cluster up front and not to be cheap. You really need to go in with a robust solution up front.

I would rate Firepower an eight on a scale from one to ten because the firewall and tech support together make it a very robust solution.

We have the Cisco 5585-X in our data center for perimeter security, internet protection, and for applications behind Cisco ASA DMZs. The challenges we wanted to address were security and segregating the internal networks and the DMZs.

Security-wise, it's given us the protection that we were looking for. Obviously, we're using an in-depth type of design, but the Cisco ASA has been critical in that stack for security.

The Packet Tracer is a really good tool. If someone calls because they're having problems, you can easily create fake traffic without having to do an extended packet capture. You can see, straight away, if there's a firewall rule allowing that traffic in the direction you're trying to troubleshoot. As a troubleshooting tool, Packet Tracer is one of the things that I like. It comes up in all my interviews. When I want to figure out if someone knows how to use the ASA, I ask them about use cases when they use the Packet Tracer.

One of the challenges we've had with the Cisco ASA is the lack of a strong controller or central management console that is dependable and reliable all the time. There was a time I was using what I think was called CMC, a Cisco product that was supposed to manage other Cisco products, although not the ASA. It wasn't very stable.

The controller is probably the biggest differentiator and why people are choosing other products. I don't see any other reason.

I've used the Cisco ASA going back to the 2014 or 2015 timeframe.

The ASA has been very stable for us. Since I deployed the ASA 5585 in our data center, we've not had to resolve anything and I don't even recall ever calling TAC for an issue. I can't complain about its stability as a product.

Our Cisco ASA deployment is an Active-Standby setup. That offers us resilience. We've never had a case where both of them have gone down. In fact, we have never even had the primary go down. We've mainly used that configuration when we're doing code upgrades or maintenance on the network so that we have full network connectivity. When we're working on the primary, we can switch over to the standby unit. That type of resiliency works well for our architecture.

TAC is good, although we've had junior engineers who were not able to figure things out or fix things but, with escalations, we have eventually gotten to the right person. We also have the option to call our sales rep, but we have never used that option. It seems like things are working.

Neutral

In the old days, we used Check Point. We did an evaluation of the Cisco ASA and we liked it and we brought it on board.

At that time, it was easy for our junior operations engineers to learn about it because they were already familiar with Cisco's other products. It was easier to bring it in and fit it in without a lot of training. Also, the security features that we got were very good.

The one we deployed in the data center was pretty straightforward. I also deployed the Cisco ASA for AnyConnect purposes and VPN. I didn't have to call TAC or any professional services. I did it myself.

We used a Cisco reseller called LookingPoint. I would recommend them. We've done a lot of other projects with them as well.

It's a great investment and there's a lot of value for your money if you're a CSO or a C-leader. As an engineer, personally, I have seen it work great wonders for us. When we're doing code upgrades or other maintenance we are able to keep the business going 100 percent of the time. We have definitely seen return on our investment.

I don't look at the pricing side of things, but from what I hear from people, it's a little pricey.

At the time, we looked at Juniper and at Palo Alto. We didn't get a feeling of confidence with Palo Alto. We didn't feel that it offered the visibility into traffic that we were looking for.

We use Cisco AnyConnect and we've not had any issues with it. During COVID we had to scale up and buy licenses that supported the number of users we had, and we didn't have any problems with it.

We pretty much use it as our edge firewall and data center firewall.

We have a colocation that is the center for all our campuses. That is where our edge firewall is. We use that for VPN as well, and it was a great thing during the pandemic because we were already ready to go with VPN. We didn't have to do anything extra on that part.

The solution has really enabled us to ensure our university is secure.

Cybersecurity resilience has been paramount. Because there is a threat of losing everything if ransomware or another sort of attack were to happen, the cybersecurity resilience has been top-notch.

The multi-context feature is the most valuable, especially in our data center. Having different needs for different departments is part of our organization. We can have five firewalls in one.

I would like it if they made the newer generation a bit simpler. You can do ASA code and FXOS. It is just a bit confusing with the newer generational equipment on what it can do.

I have been using this solution for five years.

I would rate the stability as 10 out of 10.

We do maintenance for software updates, etc. I don't think we have had any major hardware failures.

We haven't had to really scale up too much.

The technical support is excellent. Every time that we have ever had an issue, we got a result very quickly. I would rate them as nine out of 10.

Positive

We have always had ASA since I have been at the company. The ASAs were in place and we have upgraded to newer ASA Next-Generation Firewalls.

I am not a huge fan of Cisco licensing in general. However, I wasn't really involved with the pricing. That decision was made a little higher than me.

We are in the middle of an upgrade to the newer Firepowers.

We have used Palo Alto for another solution and they have a better firewall. It is a whole new GUI to learn. With Palo Alto, you simply get one code, then that is your firewall. With the newer Firepowers, there are two or three different ways that you can run it. So, we currently have our data center running in ASA code, then we are doing it a different way with our edge ASA. My supervisor has complained about all the different ways that the new hardware can be configured and installed.

Stay more up-to-date with equipment. The old equipment is what will get you, e.g., leaving Windows 7 machines on your network or 15-year-old switches.

Heavily research what can do cluster mode, HA pairs, etc. That is where we ran into the "gotchas". You have to run it in certain ways to have it clustered and run it another way to have it as an HA pair.

I would rate ASA Firewall as nine out of 10.

We are using it for border firewalls, VPN access, and site-to-site VPN tunnels.

It is deployed at a single location with about 2,500 users.

So far, the remote VPN access has been a perfect solution for our company.

The user interface is a little clunky and difficult to work with. Some things aren't as easy as they should be.

I have been using it for five years.

So far, it has been very stable.

It does require maintenance. There is a team of two who manage it.

We haven't scaled it much at this point.

The technical support has been good so far. I would rate them as eight out of 10.

Positive

The VPN solution works much better than our previous solutions.

We previously used Palo Alto. The switch was driven by Cisco's pitch.

It was fairly straightforward. We stood it up side by side with our nesting firewalls. We did some testing during an outage window, then migrated it over.

We used a partner, CDW, to help us with the deployment. Our experience with CDW was good.

Internally, it was just me for the deployment.

The pricing seems fair. It is above average.

Take the time to really learn it, then it becomes a lot easier to use.

I would rate the solution as eight out of 10.

We are using it for our VPN. We have a remote VPN and then a VPLS connection. Overall, it is a pretty big design.

We were looking for an opportunity to integrate our Firepower with Cisco ASA.

We mainly have these appliances on the data center side and in our headquarters.

It did help my organization. The firewall pretty much covers most stuff. They have next-gen firewalls as well, which have more threat analysis and stuff like that. 

The firewall solution is really important, not just for our company, but for every organization. It keeps away threats trying to come into my organization.

With the pandemic, people began working from home. That was a pretty big move, having all our users working from a home. More capacity needed to be added to our remote VPN. ASA did this very well.

The most valuable features are the remote VPN and site-to-site VPN tunnels.

I use the solution to write policies and analyze the data coming in via the firewalls.

It can be improved when it comes to monitoring. Today, the logs from the firewalls could be improved a bit more without integrating with other devices.

I would like to see more identity awareness.

I have been using it for over six years.

The stability is pretty good. They are keeping up the good work and making updates to the current platform. 

The support is good. They have been there every time that we need them. I would rate them as nine out of 10.

Positive

We have used Check Point and Palo Alto. We are still using those but for more internal stuff. For external use, we are using the Cisco client.

The initial deployment was straightforward. We have worldwide data centers. For one data center, it took three days from design to implementation. 

It was a self-deployment. It took eight people to deploy.

It was pretty good and not expensive on the subscription side. Cisco is doing a good job on this.

We also evaluated Zscaler, which is more cloud-based. It was pretty new and has a lack of support on the system side.

They have been keeping up by adding more features to the next-gen and cooperating with other vendors.

I would rate this solution as nine out of 10. It is pretty good compared to its competitors. Cisco is doing well. They have kept up their old traditional routing and fiber policies while bringing on new next-gen features.

We use it as a security solution. It is our firewall.

We run three data centers and have three ASAs at each data center.

It is pretty user-friendly and straightforward to use.

It is secure and very reliable.

I like the heartbeat between the two devices that we have. Because if something fails, it immediately fails over.

I have been using ASAs for 15 years at two different companies.

Cybersecurity resilience has been outstanding because it is very stable. There are not a whole lot of upgrades that we need to do for the firmware.

Four engineers support it. From time to time, there are firmware upgrades that we need to keep up to date with. Sometimes, we need to run debugs to figure out what's going on with it, and if it needs a patch, then we will figure it out. Usually, Cisco has been really good about getting us that.

Scalability is actually pretty exponential. In the grand scheme of things, we are a small network. We only have 15,000 subscribers. However, if we need to expand, it is reasonable.

The TAC is always very helpful. We pay for Tier 1 support, so we get whatever we need from them. They always give us a solution. If they can't give us an answer that day, they get back to us within at least 24 hours with a solution or fix. I have never had a problem with the TAC. I would rate them as 10 out of 10.

Positive

We haven't really used anything different. The only thing that we run inline with Cisco ASAs is Barracuda Networks. We kind of run that in tandem with this firewall, and it works really well.

We wanted to integrate Firepower with our solution, but it didn't have the capability to accommodate our bandwidth since they only had two 10 gig interfaces on the box. We run way more than that through our network because we are a service provider, providing Internet to our customers.

Do your homework and know what you are doing. Know how to use your product, stay current, and hire smart people.

I would rate the solution as eight out of 10.

For our customers, Firepower is a classic perimeter firewall. Sometimes it's also for branch connections, but for those cases, we prefer Meraki because it's simpler. If a customer has Meraki and requires advanced security features, we will offer Firepower as a perimeter solution for them. Meraki is for SD-WAN and Firepower is for the perimeter.

Firewalls are not a new technology but they have a very distinct role in an enterprise for defending the perimeter. Firepower is for organizations that have traditional infrastructures, rather than those that are heavily utilizing cloud services. For us, the clients are government agencies and ministries, and we have a lot of them as our customers in Latvia.

Most firewalls do the same things, more or less. Because we have to compete with other vendors, it's the things that are different that are important. With Cisco, it's the security intelligence part. It's quite simple to configure and it's very effective. It cuts down on a lot of trouble in the early phases.

IPS and Snort are very important because they also differentiate Cisco from other vendors and competitors.

I also like that, in recent years, they have been developing the solution very quickly and adding a lot of new, cool features. I really love the new web interface of Cisco Secure Firewall Management Center. It looks like a modern web-user interface compared to the previous one. And the recent release, 7.2, provided even more improvements. I like that you have the option to switch between a simplified view and the classic view of firewall policies. That was a good decision.

A major area of improvement would be to have more functionality in public clouds, especially in terms of simplifying it. The high availability doesn't work right now because of the limitations in the cloud. Other vendors find ways to make it work differently than with on-prem solutions.

This is very important because we have customers that build solutions in the cloud that are like what they had on-prem. They have done a lift-and-shift because it's easier for them. They lift their on-prem physical boxes and shift them to the cloud, convert them to virtual, and it continues to work that way. Many times it's not the most efficient or best way to do things, but it's the easiest. The easiest path is probably the way to go.

I have been using Cisco Firepower NGFW Firewalls for four or five years now, but before that, I worked with ASA Firewalls a lot. It was just a transition. I have been using Firepower almost from day one.

We are an integrator and we resell as well as provide professional services. We do everything from A to Z.

There are a lot of things that can be improved. As a Cisco partner, I usually take the first hit if something doesn't work. In recent years, the solution has improved and is more stable. But it has to continue to improve in that direction.

A Firepower firewall is a very important point of exit and entry to a network. It's a critical piece of infrastructure. They should have high availability.

By comparison, I am also a huge fan of Stealthwatch (Cisco Secure Network Analytics) and I use it everywhere. I've been working with that solution for 15 years but it's not mission-critical. If it doesn't work, your boss is not calling you. If it doesn't work, it is not collecting telemetry and it doesn't do its job, but you are not stressed to fix it. With firewalls, it's a little different.

Tech support really depends on how lucky you are. It depends on when you create a TAC case and in which time zone the case is created. That determines which part of TAC takes ownership of your case. I have had a few unpleasant cases but, at the end of the day, they were resolved. I didn't feel like I was alone in the field with an angry customer.

Positive

We made a gradual transition from ASA to Firepower because they first had this as Sourcefire services. That is what we used to install first for our customer base. Then Firepower defense appliances and firmware came out. It was a natural process.

My view may be a little bit biased because I do a lot of Cisco deployments, and I have a lab where I play all the time. But overall the deployment is not too complicated.

The deployment time depends on what type of deployment you have. If it's a physical deployment, it may be a little bit faster because you don't have to set up virtual machines. But I recently had a project in AWS, and I used Terraform Templates and it was easy. I still had to configure some additional things like interfaces, IP addresses, and routing. 

Because I know where everything is in the UI, the deployment is okay. One thing I miss a little bit is being able to configure things, like routing, via the command line, which is how it used to be done with the ASA Firewalls. But I understand why they've taken that ability away.

With ASA Firewalls, even when you were upgrading them, the experience was much better because it didn't have those advanced Snort features and you could usually do an upgrade in the middle of day and no one would notice. You didn't have any drops. With Firepower, that's not always the case.

It's hard to talk about pricing when you compare firewalls because firewall functionality is almost the same, regardless of whether it's a small box or a large box. The difference is just the throughput. Leaving aside things like clustering, what you have to look at are the throughput and the price.

Cisco's pricing is more or less okay. In other areas where we work with Cisco solutions, like other security solutions and networking, Cisco is usually much more expensive than others. But when it comes to firewalls, Cisco is cheaper than Check Point although it is not as cheap as Fortigate. But with the latest improvements in hardware and speed, the pricing is okay.

To me, as a partner, the licensing is quite simple. I'm responsible for providing estimates to my sales guys and, sometimes, as an architect, I create solutions for my customers and give them estimates. There are other Cisco solutions that have much more complicated licensing models than Firepower. In short, the licensing is quite okay.

Not all of our customers use Cisco and that means we have competition inside our company with Check Point. We also made some attempts with Palo Alto Firewalls, long before we became Cisco partners, but somehow it didn't work for us.

I enjoy working with Cisco because it's more of a networking-guy approach. It reminds me a lot of all the other Cisco equipment, like their switches and routers. The experience is similar.

I haven't worked a lot with Checkpoint firewalls, but I like how they look. What I don't really like is the way you configure them because it's very different from what networking guys are used to doing. I'm not saying it's bad, it's just different. It's not for me. Maybe it appeals more to server guys. Cisco has a more network-centric approach.

Cisco Secure Firewall is a next-generation firewall that can be used for various security applications. 

The advantage of using Cisco is its integration within the Cisco fabric, which allows for effective threat detection and mitigation.

Cisco could improve its score by developing more features that integrate seamlessly with various applications and investing in hardware acceleration to enhance performance.

The product is stable with minimal glitches or latency issues.

The solution is easy to install, requiring minimal expertise. Deployment time varies, but it can take about two days for a medium-sized company with 200-300 users to configure and install.

After five years of product usage, the high return on investment and low total cost of ownership can be observed.

Pricing depends on partnerships and certifications. The engineering team's certifications can qualify it for seven to eight percent discounts.

The platform's integration capabilities depend on the project context. In some cases, integrating Palo Alto may provide better performance, but Cisco can still be effective.

However, its classification in industry comparisons, such as those from Gartner, is lower than that of competitors like FortiGate and Palo Alto.

Overall, I rate it seven out of ten.