Cisco Secure Firewall Reviews

We use it for content management and filtering. We wanted to separate DMZ traffic from normal customer traffic. We were also looking to set up portals for outside interests that needed to come in. We have our firewall set up for VPN and, with COVID breaking out, that became more important. We also use it for remote access control.

It improved our security. It keeps the outsiders on the outside and enables us to monitor the content that's going out from within the organization.

The ASDM (Adaptive Security Device Manager) which is the graphical user interface, works out, and Cisco keeps it current.

Cisco still has a lot of work to do. You can convert an ASA over to a Firepower, but the competitors, like Palo Alto and Juniper, are coming in. And believe it or not, they are a little bit more intuitive. Cisco has a little bit more work to do. They're playing catch up.

There is also content filtering. The bad actors are so smart nowadays, that they can masquerade as the data for a given port, and they can actually transfer data through that port. The only thing that the older firewalls know about is the port. They can't read the data going across it. That's where content filtering comes in, like Palo Alto has, with next-generation firewalls.

I have been using Cisco ASA Firewalls from the beginning, when they moved over from the PIX.

They're pretty reliable. Even from a hardware perspective, we haven't lost any power supplies or the like. An ASA works until we remove it. The maintenance is very minimal. 

It's very scalable. Every organization sets it up differently, but we've been able to perform upgrades with minimal service disruption. We have ASAs in multiple locations.

Being a government-supported organization, the technical support is great. They send us equipment. It's top-notch.

Positive

Cisco has been a leader in firewalls, and the US government primarily chooses Cisco first, before it chooses competitors.

We have a variety of providers from Juniper to Palo Alto, et cetera. But the Cisco GUI is pretty consistent, so most individuals catch on. But when it comes to the Firepower, we're going to need some more training on that, as we're upgrading and moving to the Firepower.

I like the ASA product, maybe because I'm an old guy, more so than the transition to the Firepower. The ASAs have worked ever since the PIX days and they work very reliably. Even with the upgrades, your rules don't change. That's true even with a major OS upgrade.

Things are changing and the ASAs are becoming dated. People want content filtering and so on now.

The way we've installed Firepower was for the migration process. For example, there was a data center consolidation, and therefore we had to move everything. We offer data center products to our customers across VPN funnels. We had to move away from older ASAs, so it's a lift and shift. We move older ASAs, which were dispersed in many sites, and we consolidated a couple of services in a single site. Firepower was left there in place. I came in and I took over the administration duties, and now I'm trying to put everything together in a way that it makes sense.

With Firepower, they have better hardware. It's fitted for more throughput, more load. I'm trying to centralize service delivery on this high-availability pair and move all the remote access to Firepower. Then, it's all part of a transition process from a hybrid cloud to a full cloud deployment on a cloud provider. It's mostly just a necessary pain, until we move away from our on-prem deployments. Currently, I'm working with Azure, etc. and I try to look at the main design of the whole process, even though it's going to take two years. 

COVID has also made everything very, very slow for us as we try to move away from our initial plan.

The 2100 models are extremely useful for us.

It's got the capabilities of amassing a lot of throughput with remote access and VPNs. 

They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers which are using older encryptions. If I do that, update it, it's not going to work for me.

We've been using the solution for about a year.

The solution is pretty solid in terms of stability, however, I prefer Palo Alto. For the enterprise world, it's better to have Palo Alto. For the service provider field, Firepower is quite well suited, I'd say. That said, Palo Alto, is definitely the enterprise way to go. For a smaller deployment, you can also go with FortiGate. It's simple, however, it works for smaller offices.

The scalability of the product is pretty good. If you need to expand it, you can do so with relative ease.

The technical support is amazing. They do reply quickly, and often within an hour. It's been great. I've worked at Cisco before, however, with the type of contract we are in, I find it super fast right now. We're quite satisfied with the level of support.

I don't have any knowledge as to what the product costs. It's not part of the business I deal with.

Palo Alto, it's my understanding, is a little more expensive, however, it depends on the users and on the design. It always depends on the contract

We're just customers. We don't have a business relationship with Cisco.

It's a solid, reliable product, however, if it's right for a company depends on the use case and the size of the organization. For a startup, this might not be a suitable option.

Overall, I'd rate this solution nine out of ten. As a comparison, if I was rating Palo Alto, I would give it a ten out of ten.

My primary use case with Cisco Firepower NGFW is implementing, configuring, maintaining, and troubleshooting lab and customer devices in both lab and production environments.

Using best practices for configuration, as well as fine-tuning intrusion policies and utilizing as many of the features that the firewall has to offer, which are feasible in said environment.

Overall, I am confident to say that I have worked with every flavor of Cisco Firepower NGFW, be it their older IPS-only sensors, ASA with Firepower services, as well as the FTD sensor itself.

Cisco Firepower NGFW has improved our organization by giving us the opportunity to protect both our network and our customer's environments. Being able to work with the device in a lab environment and utilizing the whole feature set is really easy with the Evaluation licenses of 90 days on the FMC. The only thing that you need is an environment with enough resources to virtualize both the FMC and FTD sensors.

I would like to emphasize the easy-to-use evaluation period of the Cisco Firepower NGFW because many other firewall vendors lack this and it is a real pain having to test everything in production environments because you cannot build a good lab environment without paying for licenses.

The most valuable feature that Cisco Firepower NGFW provides for us is the Intrusion policy. 

Again, with that being said, I cannot shy away from giving kudos to all of the other features such as AVC (Application Visibility and Control), SSL Decryption, Identity policy, Correlation policy, REST API, and more.

All of the features that are incorporated in the Cisco Firepower NGFW are awesome and easy to configure if you know what you are doing. Things almost always work, unless you hit a bug, which is fixed with a simple software update.

I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device. 

Also, they need to ensure that all of the implemented features are working as they should, and able to integrate with more third-party software in an easier manner.

As it stands currently, Cisco is doing this, but I am not confident enough to say that their QA team is doing as good a job as they should as there have been software releases that were immediately pulled back the same day as they were released.

I have been working with Cisco NGFW for almost five years as of 2020.

I have seen devices working without any issues and/or without a reboot of the device for many years (although I do not recommend this) running on base versions of the software, and I have seen an out-of-the-box fresh install having many stability issues. However, overall my impression is that the most recent software versions are very stable without any evident underlying issues.

Keep your software up-to-date and the solution should be stable.

Cisco Firepower NGFW has a large variety of devices that are able to accommodate every company's needs, be they small or large. Overall, the scalability of the devices is very good.

Experience with Cisco TAC has been awesome almost always. The SLAs are kept every time, which is very hard to get from any of the other firewall vendors. I have not seen any other vendor get you a proficient engineer on the phone within 15 minutes.

Cisco ASA and Firepower NGFW is the first firewall solution that I have and am still using.

Once you deploy a few of these devices, the initial setup is really straightforward and easy to do unless the position of the firewall on the network needs you to do some connectivity magic in order for it to work.

All of the implementations that we have done are with in-house teams, so I have no overview of the vendor team.

Cisco, as we all know, is expensive, but for the money you are paying, you know that you are also getting top-notch documentation as well as support if needed. In some cases, this may save you a lot of money or stress, which is why everyone who uses Cisco solutions loves them.

I have worked with many other firewall vendors in both production and lab environments such as CheckPoint, Palo Alto, Fortinet, Juniper, but to be honest I find Cisco's firewall solutions and Palo Alto's firewall solution to be the best.

I believe that Cisco Firepower NGFW is the future leader in NGFW, with only maybe Palo Alto being the main competitor. This is very good, as we all know that having a rival is good for us, the users :) 

Our business requirements are URL filtering and threat protection. We're using the Cisco 5525 and 5510 series. We have eight to 10 firewalls.

Our company is looking for vendors who can protect from the current, advanced technologies. We are looking for any technology that protects from the most threats, and that covers things like DDoS protection, spyware, and SSL.

We feel secure using Cisco firewalls. That's why we're using them. Cisco has never disappointed us, from a business point of view.

Cisco provides the most solutions.

We use some of our Cisco firewalls offsite. They provide DDoS  protection and multi-factor authentication. That is a good option as it enables work-from-home functionality. That is a feature that makes our customers happy.

Cisco needs to work more on the security and tech parts. Palo Alto gives a complete solution. Customers are very happy to go with Cisco because they have been around a long time. But that's why we are expecting from Cisco to give us a solution like Palo Alto, a complete solution. 

Cisco provides us with application visibility and control, although it's not a complete solution compared to other vendors. Cisco needs to work on the application behavior side of things, in particular when it comes to the behavior of SSL traffic. There is a focus on SSL traffic, encrypted traffic. Cisco firewalls are not powerful enough to check the behavior of SSL traffic. Encrypted traffic is a priority for our company.

In addition, while Cisco Talos is good, compared to the market, they need to work on it. If there is an attack, Talos updates the IP address, which is good. But with Palo Alto, and possibly other vendors, if there is an attack or there is unknown traffic, they are dealing with the signature within five minutes. Talos is the worst around what an attacker is doing in terms of updating bad IPs. It is slower than other vendors.

Also, Cisco's various offerings are separate. We want to see a one-product, one-box solution from Cisco.

I have been working on the security side for the last one and a half years. The company has been using Cisco ASA NGFW for three to four years.

The stability is good. It's the best, around the world.

The scalability is also good. But in terms of future-proofing our security strategy, it depends on the points I mentioned elsewhere that Cisco needs to work on.

We are getting the best support from Cisco and we are not getting the best support from Palo Alto.

In terms of costs, other solutions are more expensive than Cisco. Palo Alto is more expensive than Cisco.

Cisco is the most tested product and is more reliable than others. But Cisco needs to work on the security side, like website protection and application behavior. We have more than 40 locations around the world and all our customers are expecting Cisco. If Cisco provides the best solution, we can go with Cisco rather than with other vendors.

Palo Alto gives the best solution these days, but the problem is that documentation of the complete solution is not available on their site. Also, Palo Alto's support is not as good as Cisco's. We don't have a strong bond with Palo Alto. The longer the relationship with any vendor, the more trust you have and the more it is stable. We are more comfortable with Cisco, compared to Palo Alto.

If you're looking for a complete solution, such as URL filtering and threat protection, we recommend Palo Alto firewalls, but this Cisco product is also good.

We are using three to four security tools: one for web security, and another tool for application security, and another for email security. For email we have an Office 365 email domain so we are using other tools for that. For firewall security we are using Cisco ASA, Palo Alto, and Fortinet for protecting our business.

We have about 15 people on my team managing the solutions. They are network admins, and some are in security.

We use it for our university department firewall. It replaced our 12-year-old Cisco ASA 5520, which used to protect web servers, mail servers, SVN repositories, office computers, research computers, and computer labs. It was used for blocking the internet for exams. It was not used for IPS, so we did not buy the new threat protection or malware license. We connected it to a Layer 3 switch for faster Inter-VLAN routing.

It works better through specs than our old ASA 5520. It seems to perform the same functionality unless you buy the additional threat protection licenses, so this is a disappointment. I found a bug where the ASDM could not be used with Windows 2016, but it did work with Windows 10.  

• Most of same old ASA 5520 config could be used for the new 5516-X model. The ASDM interface is improved and can also be configured to the Firepower settings. 
• I am used to the ASA syntax, therefore it is quite easy to make up new rules. I have found that DNS doctoring rules are useful, and I am not sure how other firewalls handle the issue of internal versus external DNS, so this was a reason to keep the same type of firewall.
• Customizing logging event of syslog to feed into Splunk is very useful for management and monitoring just for the importance events instead of a huge stream of thousands of unneeded events.
• I found it quite easy to block computers from the internet, e.g, in a computer lab with students doing an exam using software for the course when needed.
• I use access to a list to block IPs which have attacked our web servers on the outside interface, since I do not have IPS.
• I found that setting up rules for HTTPS and SSH access to the management interface are straightforward, including setting the cypher type.
• It is very useful to use the command line interface for modifying or adding to the config because sometimes the ASDM interface is hard to find when the setting is more complicated.
• The text config file is great to have, to know what is in the config, instead of having to check every setting in the GUI.
• While the CLI is used the most, sometimes the ASDM is faster and easier to use to set some settings.
  

• It is confusing to have two management interfaces, e.g., ASDM and Firepower Management Center. It would be nice to have a Windows program instead of a virtual appliance for the Firepower Management Center.  The ASA and Firepower module seem redundant, not sure which one to set the rules in, but maybe that was for backward compatibility. I am not sure that is very useful.
• It is surprising that you need to have a virtual appliance for the Firepower Management Center. It is not good if you have to setup a VMware server just for it.
  
• 10Gb interfaces should be available on more models. 
  

ASA pricing seems high compared to other firewalls, such as the Sophos XG models. 

The licensing features are getting more complicated. These should be simplified. 

I deployed the Cisco Secure Firewall at the Internet Edge for the most part.

We use the solution for deep packet inspection, Internet Edge functionality, IDS, and IDP.

The solution’s GUI could be better.

I have been using Cisco Secure Firewall for six years.

Cisco Secure Firewall is a scalable solution that allows you to add capacity.

The solution’s initial setup is straightforward.

The solution’s pricing is competitive.

I rate the solution's ease of management and configuration an eight out of ten. I would recommend Cisco Secure Firewall to other users based on what they want it for and a combination of price point and supportability.

Overall, I rate the solution an eight out of ten.

We use Cisco Secure Firewall for remote VPN.

Cisco Secure Firewall played a crucial role in enabling all our users to establish remote connections from their homes.

Cisco Secure Firewalls' application visibility and control are beneficial because they provide a management console that allows us to view logging and sessions.

It enhances our organization's cybersecurity resilience by enabling us to deploy multiple instances of it both in Azure and on-premises. This redundancy ensures that in the event of an outage or any other issues, we can seamlessly switch to alternative locations.

Cisco Secure Firewall is reliable, which is why we opted for it during the pandemic for our remote users.

The cloud does not precisely mimic what is on-premises. There are some new challenges with the features in Azure. Due to Azure limitations, we cannot synchronize configurations between an active standby. This aspect makes it difficult to perform such tasks in the cloud, requiring manual intervention.

I have been using Cisco Secure Firewall ASA for ten years.

In my current role, I have not encountered any stability issues.

Cisco Secure Firewall is scalable.

Cisco's technical support is excellent, and its personnel are knowledgeable. I consistently receive prompt and satisfactory responses from them. However, there are occasions when we need to reach out to them for feedback follow-up.

Positive

We encountered some issues with the deployment because we run on Azure now. 

Although I am not directly involved in dealing with the pricing aspect of the Cisco Secure Firewall, I know that the licensing has improved over the years.

I rate Cisco Secure Firewall a nine out of ten.

The Cisco Secure Firewall is not a remediation tool but rather designed for secure remote sessions.

We use the same ASAs for firewall functionality as we do for VPN functionality.

Our organization is currently considering Palo Alto as an alternative to Cisco. However, I am not involved in the decision-making process.

We are using these firewalls for edge security or different zones of security. We use them throughout the whole organization, but they vary in size, depending on if it's a small office in Spain or a large office in another country. We have offices in many countries.

It saves time. It protects us from experiencing big or small attacks. If we are vulnerable to attacks, it would take us a lot of time to fix that and put out all the fires. Hopefully, we won't need that when we have several layers of security.

We feel that we can trust the security, and our assets and business are well protected. We need to have trust in it, but we also see that it works. We have a security company that has tested that it works.

They have already improved it to some degree. It has become easier, but I've not drilled down much myself. I mostly use CLI, but I can see that it's a little bit more GUI-based. So, improvement is already there. It's a good thing that we now have GUI-based control over the details, and that would be the way to go.

It integrates with other security products from Cisco, but sometimes, there can be glitches or errors.

I have been using Cisco firewalls for the last 20 years. We are now mostly using FPRs, but we also have some old Cisco firewalls that we need to change to newer technologies.

It has been a while since I used it myself. My experience was good. You get the correct engineer for the task. I'd rate them an eight out of ten.

Positive

We have firewalls from other vendors, but we will be moving over to Cisco. When we have the same vendor, it would take less time to train people to do their job because there is one technology rather than four or five different ones.

I was involved in its deployment, but that was a few years ago. It was not an in-depth technical installation; it was more of a physical installation. It was easy. We are a big company, so we need to plan the downtime and get approval from the business to take down systems and upgrade them. 

I'd rate Cisco Secure Firewall a seven out of ten.