Principal Network Security Manager at a tech vendor with 10,001+ employees
Real User
Provides stability and ease of firewall management
Pros and Cons
  • "Firepower has reduced our firewall operational costs by about 25 percent."
  • "One of my colleagues is using the firewall as an IPS, but he is worried about Firepower's performance... With the 10 Gb devices, when it gets to 5 Gbps, the CPU usage goes up a lot and he cannot manage the IPS."

What is our primary use case?

This product protects our computer systems. I use it as a traditional firewall service. I don't have any special use cases for it.

How has it helped my organization?

Firepower has reduced our firewall operational costs by about 25 percent.

What needs improvement?

Sometimes there is a lack of performance. One of my colleagues is using the firewall as an IPS, but he is worried about Firepower's performance. It is much lower than we expected. They need to improve the performance a lot. With the 10 Gb devices, when it gets to 5 Gbps, the CPU usage goes up a lot and he cannot manage the IPS.

For how long have I used the solution?

I have been using Cisco Firepower NGFW Firewall for more than two years.

Buyer's Guide
Cisco Secure Firewall
June 2025
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,957 professionals have used our research since 2012.

What do I think about the stability of the solution?

The most valuable property is the stability. It doesn't crash.

How are customer service and support?

When I have had issues with the software, I don't think they have given me the right answers. The support for the software isn't that good, but support for the hardware is very good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Although I work in Korea, I needed a means of deploying computer systems in other countries. Two or three years ago I was looking for a proper solution that would cover global sites. I chose Cisco products because Cisco has a very large presence all over the world.

How was the initial setup?

Once I got used to this product, it was easy to use other products, but it was not easy for me the first time.

What's my experience with pricing, setup cost, and licensing?

Firepower is a little bit expensive, although there are no additional costs beyond the standard ones.

Which other solutions did I evaluate?

We have several brands of firewalls in our organization. Compared to them, the ease of management of the Cisco firewalls is pretty good.

What other advice do I have?

When you calculate the capacity you need, you should add a buffer for performance.

There are 25 users of the solution on my team and they are all network security specialists.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Samson Belete - PeerSpot reviewer
Network Engineer at a financial services firm with 5,001-10,000 employees
Real User
Since the product is stable, we do not have to spend additional money to buy other firewalls
Pros and Cons
  • "Since the product is stable, we do not have to spend additional money to buy other firewalls. Once deployed, we can use the product for a long time. Thus, it is cost effective."
  • "The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement."

What is our primary use case?

We use the Firepower as a perimeter firewall to protect from the outside network.

How has it helped my organization?

We are using Firepower to protect a number of services.

We are using it in a dynamic environment. This is important for our company's policies. The dynamic policy capabilities enable tight integration with Secure Workload at the application workload level.

What is most valuable?

The most valuable feature is the IPS. We also like the AnyConnect feature.

We monitor daily the final inspection activities and intelligence on Firepower. We also send logs from Firepower to our monitoring server, which is a nice feature.

What needs improvement?

The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement.

Services from the outside, like financial services that are critical, should be protected by the NGFW. There are cyber attacks on these services. Therefore, adding this NGFW in front of those services will reduce our costs for cyber crime.

For how long have I used the solution?

We started using this next-generation firewall two years ago.

What do I think about the stability of the solution?

It is stable, but there are issues with the hybrid when you do the activation.

What do I think about the scalability of the solution?

It is scalable. All our users utilize this firewall. We have more than 30,000 users who are end users, admins, and developers.

How are customer service and support?

Cisco's technical support team is perfect in their specific area, but they could improve their support for Cisco integration issues between products. I would rate them as eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were previously using Cisco ASA for eight years. Now, we are using Firepower NGFW. We hope to continue using this product in the future, as long as there are no discouraging issues.

We are also using Check Point in conjunction with Cisco. We use Check Point for our internal networks and Secure Firewall for our outside network.

How was the initial setup?

Installation wasn't that difficult, but there were some challenges on the integration. Sometimes, we face issues from the integration between another Cisco product's API and Firepower NGFW. We just integrated with our existing networks.

The firewall takes no more than two weeks to install. The integration with the API takes about six months.

What about the implementation team?

We implemented ourselves. 

Two technical guys deployed it and now maintain it.

What was our ROI?

If we didn't use this NGFW, our company might have been charged by a number of attackers. Therefore, the firewall reduces our costs and operational expenses by around 40%.

Since the product is stable, we do not have to spend additional money to buy other firewalls. Once deployed, we can use the product for a long time. Thus, it is cost effective.

What's my experience with pricing, setup cost, and licensing?

Pricing for Cisco is expensive. There are additional costs for the licensing part, support, and even the hardware part. The device cost is very high. I would be very happy with an improvement on the price.

Which other solutions did I evaluate?

From the user perspective, the reporting and other features are easy to use and user-friendly, but the Control feature of Firepower needs improvement, especially when comparing Firepower to Check Point NGFW.

What other advice do I have?

For digital banking, this solution's firewalls have greatly improved our economy. Most enterprises in our country are using Cisco products because Cisco has worldwide support and cable devices.

I would rate this solution as eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Specialist WINTEL Services at Descon Engineering Limited
Real User
Not completely integrated with Active Directory. I like its policy and objects feature.
Pros and Cons
  • "The main thing that I love the most is its policy and objects. Whenever I try to give access to a user, I can create an object via group creation in the object fields. This way, I am not able to enter a user in the policy repeatedly."
  • "Cisco Firepower is not completely integrated with Active Directory. We are trying to use Active Directory to restrict users by using some security groups that are not integrated within the Cisco Firepower module. This is the main issue that we are facing."

What is our primary use case?

I work for an engineering company that has multiple sites located in different locations, overseas and domestically in Pakistan. There are 30 to 35 sites connected to our network. We restrict the website at these locations using the Cisco Firepower module.

What is most valuable?

The main thing that I love the most is its policy and objects. Whenever I try to give access to a user, I can create an object via group creation in the object fields. This way, I am not able to enter a user in the policy repeatedly. 

What needs improvement?

Cisco Firepower is not completely integrated with Active Directory. We are trying to use Active Directory to restrict users by using some security groups that are not integrated within the Cisco Firepower module. This is the main issue that we are facing. 

There are some other issues related to their reports where we want to extract some kind of user activity. When a user tries to connect to our website, we are unable to read its logs in a proper manner and the report is not per our requirement. These are two things that we are facing.

Per my requirements, this product needs improvement. For example, I want to use and integrate with Active Directory groups. 

For how long have I used the solution?

We have been using it since last year.

What do I think about the stability of the solution?

It is a stable product.

How are customer service and support?

I haven't tried to work with Cisco support.

Which solution did I use previously and why did I switch?

For the last 10 years, we were using Barracuda Web Security. Compared with that product, I would give this solution six or seven out of 10. Barracuda has one of the best web security features, giving access to users by deploying a web agent on client computers at different sites.

Barracuda Web Security's hardware was obsolete so our management never tried to renew its license. That is why we are trying to use the Cisco Firepower module. We want to understand their web security gateways, web security logs, what it provides, and the kind of reporting it has. We are currently doing research and development regarding what features and facilities it provides us compared to our requirements.

What other advice do I have?

I am happy with the web security. However, I am not happy with the groups, reports, and integration with Active Directory.

We are using the web security, and only the web security feature. Therefore, if someone asked me to give them advice about the Cisco product, then I will definitely not recommend it since it is not fulfilling our requirement. We have different sites located domestically and at overseas sites, which is about 30 to 35 sites. It is not locating any of the clients. This is compared to the Barracuda web agent on the client computer, which is always connected to Barracuda with live IP addresses, pushing and pulling all the procedures and policies to that client and computer. This is why I will not recommend the product to anyone who has a similar situation to ours.

I would love to use the product in the future, if my requirements are met.

I would rate the product as four out of 10.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jure Martinčič - PeerSpot reviewer
Engineer Specialist at Telekom Slovenije
Real User
Keeps our environment secure and helps reduce firewall-related operational costs
Pros and Cons
  • "With Cisco, there are a lot of features such as the network map. Cisco builds the whole network map of the machines you have behind your firewall and gives you insight into the vulnerabilities and attributes that the host has. Check Point and Fortinet don't have that functionality directly on the firewall."
  • "The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Check Point has a very detailed user interface."

What is our primary use case?

We primarily use it as a corporate, perimeter firewall for traffic to the internet and back, for surfing. We also have some site-to-site connections with customers.

How has it helped my organization?

So far, there hasn't been any breach, so we are very happy.

It has also helped to reduce the operational costs of our firewall. There is a report that is automatically generated. You don't have to search for and prepare everything by yourself. You don't need staff to prepare the information because it is automated. We only go through this report once a week and if there are some special events, we can take care of them.

What is most valuable?

The next-generation features, like IPS, among others, are the most valuable. IPS is mandatory in modern networks for protection against malicious attacks and network anomalies.

Also, it gives you great visibility when doing deep packet inspection, but you have to do HTTP inspection. If you don't do HTTP inspection, the visibility is not complete. That is the case for every firewall vendor.

What needs improvement?

The ease of use, when it comes to managing Cisco Firepower NGFW Firewalls, is getting better because the UI is improving. It was a bit cumbersome in previous versions. Check Point, for example, has one of the most intuitive user interfaces, and now Cisco is really improving.

The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Check Point has a very detailed user interface. Cisco is getting better and becoming more and more user-friendly.

Cisco needs a more intuitive user interface. When you know what to do, it's easy. Otherwise, you need training. You can install it and do the initial configuration, but if you don't have the proper training it's also possible to configure it the wrong way. If that happens, some things might pass through that you don't know about.

For how long have I used the solution?

We have been using Cisco Secure Firewall for about five years, from the beginning of the Cisco Firepower 2100 Series.

What do I think about the stability of the solution?

We were on version 6.2.2 but now we're up to version 7.7.0, and it has really improved. It was not hard to implement but there were many bugs in the earlier version and some were serious, but now it's stable. There are no more bugs. It's really getting better. I would recommend Firepower to every customer now because it's stable. It's a really nice firewall.

What do I think about the scalability of the solution?

The model we have is okay for our environment, so it's scalable. We haven't seen any problems in that regard. There are 50 or 60 devices behind it and about 500 clients. It is used in a very specific environment for a large Slovenian system.

The device has achieved its purpose. We won't implement any other features.

How are customer service and support?

Cisco support is the best, especially if you compare it to other vendors. Cisco may be a bit expensive compared to other vendors, but the support is really good. When you open a case they're really responsive and they resolve every case. This is my personal experience, not only when it comes to Firepower but for the whole Cisco portfolio, which I have been working with since 2005.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial configuration was done within a few hours, but getting all the policies in place took about a month. That was not related to the firewall, it was related to all the requirements from management and from other people as well. But the configuration to get it set up initially was straightforward, nothing special.

What about the implementation team?

My colleagues and I did the deployment. We are an internal team. We are integrators, so we were able to do it by ourselves.

What was our ROI?

When it comes to XDR, the cost-effectiveness of this firewall depends on the use case because you don't always need XDR functionality. SecureX is included free of charge, so from that point of view, maybe Cisco is not that expensive compared to other vendors. Other vendors' XDR products are not free of charge.

But if you look at just the firewall functionality, Check Point is expensive but Cisco is not the cheapest. Fortinet is cheaper.

Where we have seen ROI is due to the support, time savings, ease of management, and the reporting.

Which other solutions did I evaluate?

Aside from the user interface, which is getting better, Cisco is at the top for functionality and in all other respects. We work with Fortinet, Check Point, and we used to work with Juniper, in addition to Cisco.

With Cisco, there are a lot of features such as the network map. Cisco builds the whole network map of the machines you have behind your firewall and gives you insight into the vulnerabilities and attributes that the host has. Check Point and Fortinet don't have that functionality directly on the firewall. They don't give you that direct visibility into the host, such as which operating system the host has.

We don't work with Juniper anymore because its user interface is really not okay. You only have the CLI or you have to use Security Director for management, which is very complex and not user-friendly. That is why we abandoned Juniper as a product.

I would rate Cisco at eight out of 10 overall, and Check Point would be a seven. Check Point fields a great solution in this space, but they have very bad support, and support is one of the most important things. Having great blogs doesn't help if support doesn't come through when you need it.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Team Leader Network and Mail Team at an energy/utilities company with 10,001+ employees
Real User
Packet inspection with ASDM works well, but upgrading requires notable planning and effort
Pros and Cons
  • "Cisco ASA works very nicely from an administration perspective. The management of the device is very nice. The ASDM (Adaptive Security Device Manager) is the software that we use and it is very easy to configure using the GUI."
  • "The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics."

How has it helped my organization?

Remote access through the VPN wasn't available in the old firewall that we used, so that was a value-add. That's one way Cisco ASA has impacted our company. Also, from an administrator's perspective, newcomers have a shorter learning curve working with the ASA firewalls.

Also, when we deployed it on the data center firewalls, we did some microsegmentation using different subnets for the whole environment, including UAT and production. We didn't have segmentation before, but with the growing security needs, we segmented the servers. For each of the subnets we made different gateways on the firewall. That helped us achieve the requirements of the latest standards.

Thanks to the IPS, the malicious traffic has dropped. Initially, when we deployed the IPS, it gave us some problems. But after a week or two, it worked very well. I used a balanced security policy when I integrated it with the FMC server. On the FMC, the GUI gives me a very good, extensive view of what traffic is getting dropped and at what time. It gives me all the visibility that I need.

What is most valuable?

  • The normal firewalling features are very good. You can easily create objects and work with them. 
  • The AnyConnect software for remote VPN is an added feature on the firewall that works very well in our environment.
  • The IPS is another important feature that I use. It doesn't impact the overall performance of the ASAs.

All of these features work fine.

Cisco ASA works very nicely from an administration perspective. The management of the device is very nice. The ASDM (Adaptive Security Device Manager) is the software that we use and it is very easy to configure using the GUI. If you are familiar with the ASDM software, it's very easy for anyone to handle. The CLI isn't different from other Cisco CLIs, so that makes it easy as well.

Also, the visibility when doing packet inspection on the ASA, using the ASDM GUI, works well. You can go to the monitoring part and see the live logs, the syslogs. All the traffic events are displayed in the syslog. You can filter on whatever event you are interested in and it is visible to you in no time. It provides a real-time display of the traffic. Troubleshooting issues is very easy using ASDM. 

In addition, if you want to do some captures at the interface level, there's a packet tracer, a tool within the ASDM and the ASA, which is available on both the GUI and the CLI. That is on the newer firewalls as well and it's very nice. It shows you the life cycle of a packet within the firewall, from entry to the exit, and how many steps it goes through. It really helps while troubleshooting. I'm very satisfied with that.

What needs improvement?

The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics.

For example, if the ASA Firewall's software has to be upgraded, it has to be compatible with the IPS software—the FireSIGHT software. So that has to be upgraded as well, in addition to the ASDM software that you use to manage the firewall using the GUI. Besides that, if you are using the remote VPN part of the firewall, there is the AnyConnect hidden software that also requires an update.

So upgrading is a very extensive exercise, both when you're planning it and when you are doing it. The upgrades are very lengthy. Then Cisco introduced FTD as a unified approach, and that was a leap forward, but it has its own issues.

For how long have I used the solution?

I've been working as a Cisco partner for about four years. Before that, I was using Cisco firewalls as a network admin. I've been engaged with Cisco firewalls since 2015.

On the FTD (Firepower Threat Defense) model, I've been working with version 6.7. I haven't tried the latest 7.0 version.

What do I think about the stability of the solution?

The robustness of the ASA is very good. Whenever you upgrade it, it does very well. There are no hiccups or hitches, post-upgrade.

How are customer service and support?

Cisco's TAC provides very good support. If you have any issues, you can contact them and they provide assistance. You need a subscription for that. The subscription comes with a notable cost but you get great value from it. I'm very satisfied with it. 

The tech support of Cisco is unparalleled if I compare it to any other product that I have used. I've been using Citrix, Juniper, and even Palo Alto, but the support that I get from Cisco is very good. It's easy to get support and the engineers get engaged. Sometimes they provide more than you need. For example, if there are design-level issues, they will tell you that it isn't implemented well and that there are things that need to be corrected. That's not their responsibility but they'll provide that feedback.

I consider Cisco support to be the industry standard.

How would you rate customer service and support?

Positive

What was our ROI?

I've seen Cisco deployed for five to seven years. The product life cycle is good and they're continuing to support things. If you add more features and utilize it to the maximum, using the remote VPN and the like, it becomes more cost-effective. 

Having the IPS part within one box also saves you on costs. Back in 2015, the IPS was a different box that had to be deployed separately. At that time, it cost more if I had to buy another IPS and a box.

Which other solutions did I evaluate?

Before ASA, we were using Juniper. It had a GUI, but the CLI part of Juniper was difficult. The network administrators required a little bit of a different type of expertise. Juniper was very good, but its CLI wasn't as simple as Cisco's. When somebody new comes into the company to work on the firewall, the Cisco learning curve is relatively short and easy.

Nowadays, everybody is working with Cisco. Juniper has almost been phased out. Some people use Juniper for certain reasons, but there's a very specific clientele for it.

We went with Cisco because it is very easy to operate. It provided next-generation firewalling when it came out with ASA plus Sourcefire IPS. That was very effective at that time, compared to the others.

These days, Palo Alto is matching Cisco and, in some ways, Palo Alto is better. From 2015 to 2018/19, Cisco was considered to be the best. The security leaders are always preferred and Cisco was a leader. That's why we preferred it.

We were also always happy with Cisco support. It was very convenient to get to Cisco support, and it was very prompt and effective. They really solved our problems.

What other advice do I have?

The Nextgen firewalls have a good IPS, but that IPS part wasn't very configurable using the ASDM. Later, they introduced the FMC (Firewall Management Center) and we could integrate the ASA with the FMC and get the IPS configured from the FMC GUI. That was good, but you needed two things to monitor one box. For the IPS you needed an FMC server, and for the firewalls, you needed the ASDM or the CLI.

In terms of integration with other solutions, it is a simple firewall that is integrated with the syslog servers and the SNMP monitoring from the NMS. Those types of simple things work very well. I haven't worked with much integration beyond that. You can't attach that many feeds to it. That's more a function of the Next-Generation Firewall with the IPS and FMC.

SecureX is a relatively new cloud-based solution. It's been around for one or two years. It's offered for free if you have any Cisco security solution. It encompasses ADR and NDR. The clients I work with in Pakistan are mostly financial institutions. Because it's a cloud-based security solution, they are not interested. They want on-prem solutions.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Voice and data infrastructure specialist at a tech services company with 1,001-5,000 employees
User
Stable with great management of dynamic routing and good technical support
Pros and Cons
  • "The initial setup was not complex."
  • "Cisco is not cheap, however, it is worth investing in these technologies."

What is our primary use case?

One of the things that we have solved the most with this solution is the P2P connection that we have with different clients. It gives us greater connection security with good management of the configured rules. 

Likewise, it has made it easier for us to have this type of equipment under monitoring, and, since we implemented them, we have not been presented with any performance problems in the equipment: they have not shown CPU or RAM saturation or failed for no reason. We have them all managed and monitored. We also always receive an email notifying us if the equipment has detected something.

How has it helped my organization?

The ASA firewalls have undoubtedly helped us to improve our infrastructure throughout the corporation and currently we have just over 50 firewalls - all of them in different parts of Mexico. 

This infrastructure has been improved since, in our corporation, we handle the dynamic EIGRP protocol, which Cisco owns, and this solution has given us a geo-redundancy in our company. In case of presenting a problem with a firewall or a link, it performs an immediate convergence where end-users do not detect a failure, helping us to maintain a 99.99% operational level at all times.

What is most valuable?

I am very happy to use this type of Cisco equipment in my infrastructure. What has given us the most value is the management of dynamic routing, in this case, EIGRP. This protocol, together with a series of additional configurations, has helped us to maintain an automatic redundancy in all our infrastructure, keeping us with very high numbers of operability and without failures that take more than 1 minute or that have not been resolved automatically. With this solution, we only speak with our suppliers either for a link or equipment report, and even if the box or circuit is out of operation, the operation continues to work without problems.

What needs improvement?

Today, ASA firewalls are leaving the market and are being replaced by Firepower equipment - a technology with which I am not very familiar. However, in the training or research I have done on this new product, I see that it has many additional tools such as centralization of the administration through a single team (in this case, the Firepower management). It is something that we do not have, yet we are already considering it since this type of technology will help us to have better management and better administration of the equipment through a single platform. The management of additional services with this new module will certainly help us to have the internet network much more secure with connections to the outside.

For how long have I used the solution?

I've used the solution for more than seven years.

What do I think about the stability of the solution?

The solution is great in terms of stability.

What do I think about the scalability of the solution?

The scalability is great.

How are customer service and support?

Technical support is great.

Which solution did I use previously and why did I switch?

We previously used Fortigate.

How was the initial setup?

The initial setup was not complex.

What about the implementation team?

We handled the implementation in-house. 

What was our ROI?

We've seen an 80% ROI.

What's my experience with pricing, setup cost, and licensing?

Cisco is not cheap, however, it is worth investing in these technologies.

Which other solutions did I evaluate?

We always evaluate various other options.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Director, IT Infrastructure Department at Zemen Bank S.C.
Real User
Provides role-based access, helps in securing our environment, and is easy to use
Pros and Cons
  • "The remote access, VPN, and ACL features are valuable. We are using role-based access for individuals."
  • "Other products are becoming easier to access and configure. They are providing UI interfaces to configure, take backup, synchronize redundant machines, and so on. It is very easy to take backup and upgrade the images in those products. Cisco ASA should have such features. If one redundant machine is getting upgraded, the technology and support should be there to upgrade other redundant machines. In a single window, we should be able to do more in terms of backups, restores, and upgrades."

What is our primary use case?

We are using it as a firewall for our data center and headquarters. We are also using it for DR. We are using Cisco ASA 5500 Series.

How has it helped my organization?

It is a security device, and it is useful for securing our environment. It provides role-based access and other features and helps us in easily securing our environment.

It provides visibility. It has been helpful for packet inspection and logging activities for all kinds of packets, such as routing packets, denied packets, and permitted packets. All these activities are visible on Cisco ASA. There are different commands for logging and visibility.

We use Cisco ASA for the integration of the network. Our company is a financial company, and we are integrating different organizations and banks by using Cisco ASA. We are using role-based access. Any integration, any access, or any configuration is role-based. 

What is most valuable?

The remote access, VPN, and ACL features are valuable. We are using role-based access for individuals.

IPS is also valuable for intrusion detection and prevention. It is a paid module that can be added. I'm using it for security, VLAN management, segregation management, and so on.

It is easy to use. In our region and our country, Cisco is well known, and most of the companies are using Cisco products. We have been using Cisco devices for a while, and our company primarily has Cisco devices. So, we are familiar with it, which makes it very easy to use for us. Even when we compare it with other products, it is easier to use.

It is easy for us to manage it because it is a familiar product, and it has been a part of our environment. Now, other products are providing free training, free access, and free license, because of which things are changing. So, you can easily become familiar with other products.

What needs improvement?

Its licensing cost and payment model can be improved. Cisco doesn't provide training and certification for engineers without payments. Other companies, such as Huawei, provide the training for free. Their subscription and licenses are also free and flexible. Other products are breaking the market by providing such features. 

It doesn't support all standard interfaces. It is also not suitable for big companies with high bandwidth traffic. Its capacity should be improved.

Other products are becoming easier to access and configure. They are providing UI interfaces to configure, take backup, synchronize redundant machines, and so on. It is very easy to take backup and upgrade the images in those products. Cisco ASA should have such features. If one redundant machine is getting upgraded, the technology and support should be there to upgrade other redundant machines. In a single window, we should be able to do more in terms of backups, restores, and upgrades.

For how long have I used the solution?

We have been using this solution for almost eight years.

What do I think about the stability of the solution?

It is stable. It needs to be configured based on the standards and functionality. We have one device that has been working for more than 10 years, which indicates it is stable, but it requires licenses to upgrade features.

What do I think about the scalability of the solution?

It doesn't have an expansion card. So, it may not be scalable for huge buildings. It also lacks a lot of standard interfaces. Other products are providing capacity for a data center. Other technologies are expanding their interface bandwidth from 10 gigs. In my opinion, Cisco ASA doesn't have this capability.

How are customer service and support?

Their support is very good. We have a support license, so their support is very good. They are tracing us and following up with us to solve the problem on time.

How was the initial setup?

Its setup is easy. We are familiar with Cisco ASA and other Cisco products, and they are easy to configure. A lot of resources are available on the internet, so it is easy to set up for anyone with basic training. It is easy in different types of environments, such as universities and colleges.

It generally doesn't take more than a day, but it also depends on the size of the organization. If an organization is very big and if you need a line-by-line configuration for access role and VPN, it can take a bit more time.

Cisco is constantly upgrading and providing features based on current requests. We usually plan deployments at the end of the year and at the beginning of the year. Everyone plans for new products, new configurations, and new expansions based on that.

What was our ROI?

Any security product provides a return on investment. Any gap in security may cost an organization more.

What's my experience with pricing, setup cost, and licensing?

It is expensive. There is a cost for everything. There is a per-year license cost and a support cost. There is also a cost for any training, any application, and any resource. Things are very costly to do with Cisco.

Other brands are cheaper. They are also more flexible in terms of training, subscription, and licensing. They give lots and lots of years free. They provide more than Cisco.

What other advice do I have?

I would advise understanding its features, advantages, and disadvantages as compared to other solutions. It is simple, but its cost is a negative point. 

I would rate Cisco ASA Firewall an eight out of 10.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1657845 - PeerSpot reviewer
Senior Network Security Engineer at a tech services company with 11-50 employees
Real User
Its Snort 3 IPS gives us flexibility and more granular control of access
Pros and Cons
  • "Its Snort 3 IPS has better flexibility as far as being able to write rules. This gives me better granularity."
  • "I would like it to have faster deployment times. A typical deployment could take two to three minutes. Sometimes, it depends on the situation. It is better than it was in the past, but it could always use improvement."

What is our primary use case?

We are using it for firewall and intrusion prevention.

I have deployed it into different environments: retail, commercial, law, real estate, and the public sector. Retail is the biggest environment that I have deployed this firewall into, with 43 different sensors and a range up to 10 GbE throughput.

I am using up to version 7.0 across the board as well as multiple models: 1000 Series or 2100 Series.

How has it helped my organization?

The integration of network and workload micro-segmentation helps us provide unified segmentation policies across east-west and north-south traffic. It is important to have that visibility. If you can't detect it, then you can't protect it. That is the bottom line.

The solution has enabled us to implement dynamic policies for dynamic environments. These are important because they give us flexibility and more granular control of access.

What is most valuable?

  • Ease of operability
  • Security protection

It is usually a central gateway into an organization. Trying to keep it as secure as possible and have easy to use operability is always good. That way, you can manage the device.

The solution has very good visibility when doing deep packet inspection. It's great because I can get packet captures out of the device. If an intrusion fires, I can see the packet that it fired in. So, I can dive into it and look at what is going on, what fired it, or what caused it.

Cisco Secure Firewall is fine and works when it comes to integration of network and workload micro-segmentation. 

The integration of network and workload micro-segmentation is very good when it comes to visibility in our environment. It is about how you set it up and the options that you set it up for, e.g., you can be as detailed as you like or not at all, which is good.

Its Snort 3 IPS has better flexibility as far as being able to write rules. This gives me better granularity.

What needs improvement?

It needs better patching and testing as well as fewer bugs. That would be nice.

I would like it to have faster deployment times. A typical deployment could take two to three minutes. Sometimes, it depends on the situation. It is better than it was in the past, but it could always use improvement.

For how long have I used the solution?

I have been using it for seven years.

What do I think about the stability of the solution?

Stability has been good so far. It has been much better than in the past. In the past, there were times where there were known issues or bugs.

What do I think about the scalability of the solution?

Scalability has been fine. I haven't had an issue with it. I just haven't had a need to deal with scalability yet.

How are customer service and technical support?

I would rate Cisco's support for this solution as nine out of 10. The support has been very good. We got the job done. The reason it wasn't perfect is that, sometimes, the challenge was getting a hold of someone.

Which solution did I use previously and why did I switch?

I have used this solution to replace different vendors, usually Cisco ASA that is reaching end of life.

How was the initial setup?

The initial setup is straightforward for me at this point. That is just because of the experience that I have in dealing with it. For a new person, it would be a little bit more complex. They have gotten better with some of the wizards. However, if you are not familiar with it, then that makes it a little more challenging.

What about the implementation team?

Depending on the situation, we will go through the typical setups. We know what we want to configure and sort of follow a template.

What was our ROI?

We have seen ROI with a better, more secure environment. 

Cisco Secure Firewall has helped us to reduce our firewall operational costs. This is based on the fact that the newer models, where we have been replacing older models, have better throughput, capacity, and performance overall.

What's my experience with pricing, setup cost, and licensing?

Pricing is the same as other competitors. It is comparable. The licensing has gotten better. It has been easier with Smart Licensing.

There are additional costs, but that depends on the feature sets that you get. However, that is the same with any firewall vendor at this point.

Which other solutions did I evaluate?

I have also worked with Check Point and Palo Alto. The support is much better with Cisco than Check Point. Check Point had a little bit better of a central management station. Whereas, Cisco with the FMC is a little different as far as there are still some features that are being added to the FMC, which is good. As far as Palo Alto goes, they are quite comparable as far as their functionality and feature sets. Cisco wins for me because it has Snort, which is a known standard for IPS, which is good. Also, Cisco has the Talos group, which is the largest group out there for security hunting.

Check Point was the easiest as far as user-friendliness and its GUI. After that, Cisco and Palo Alto would be kind of tied for ease of use.

What other advice do I have?

Definitely do your research, e.g., how you want to set it up and how deep you want to go in with it. This will actually help you more. When we say Cisco Secure Firewall, is it Next-Generation, running ASA, or running Firepower? Or, does Meraki actually fit in there? So, there are different scales based on what you are trying to look for and how deep security-wise you want to go into it.

SecureX is a nice feature, but it has to be for the right environment. It is nice that we get it, but most people don't take advantage of it.

The dynamic policy capabilities can enable tight integration with Secure Workload at the application workload level, but I am not using much with Secure Workload at this point.

I would rate Cisco Secure Firewall as nine out of 10. I would not give it a 10 because of bugs.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner