Cisco Secure Firewall Reviews

We primarily use this firewall for IPS, IAM, threat defense, and NAT.

I am from the networking department.

We are using the Firepower Management Center (FMS) and the management capabilities are okay. I would not say that they are good. The current version is okay but the earlier versions had many issues. The deployment also takes a long time. It takes us hours and in some cases, it took us days. The latest version 6.6.1, is okay and the deployment was quick.

I have tried to compare application visibility and control against Fortinet FortiGate, but so far, I don't see much difference. As I try to determine what is good and what is bad, I am seeking third-party opinions.

The most valuable feature is the threat defense. This product works well for threat defense but for everything else, we use Cisco ASA.

This product has a lot of issues with it. We are using it in a limited capacity, where it protects our DR site only. It is not used in full production.

The main problem we have is that things work okay until we upgrade the firmware, at which point, everything changes, and the net stops working. As a financial company, we have a lot of transactions and when the net suddenly stops working, it means that we lose transactions and it results in a huge loss.

We cannot research or test changes in advance because we don't have a spare firewall. If we had a spare then we would install the new firmware and test to see if it works, or not. The bottom line is that we shouldn't have to lose the network. If we upgrade the firmware then it should work but if you do upgrade it, some of the networks stop working. 

We have been using the Cisco Firepower NGFW Firewall for three years.

Cisco's technical support is the best and that's why everybody implements their products. But, when it comes to Firepower, we have had many delays with their support. For all of the other Cisco products, things are solved immediately.

Nowadays, they're doing well for Firepower also, but initially, there was no answer for some time and they used to tell us that things would be fixed in the next version. That said, when comparing with other vendors, the support from Cisco is good.

We use a variety of tools in the organization. There is a separate department for corporate security and they use tools such as RedSeal.

In the networking department, we use tools to analyze and report the details of the network. We also create dashboards that display things such as the UP/DOWN status.

We have also worked with Cisco ASA, and it is much better. Firepower has a lot of issues with it but ASA is a rock-solid platform. The reason we switched was that we needed to move to a next-generation firewall.

The initial setup was not easy and we were struggling with it.

In 2017, we bought the Firepower 2100 Series firewalls, but for a year, there was nothing that we could do with them. In 2018, we were able to deploy something and we had a lot of difficulties with it.

Finally, we converted to Cisco ASA. When we loaded ASA, there was a great difference and we put it into production. At the time, we left Firepower in the testing phase. In December 2018, we were able to deploy Firepower Threat Defense in production, and it was used only in our DR site.

We do our own maintenance and there are three or four of us that are responsible for it. I am one of the network administrators. We can also call Cisco if we need support.

From the perspective of return on investment, implementing the Firepower 2100 series is a bad decision.

Firepower has a very high cost and you have to pay for the standby as well, meaning that the cost is doubled. When you compare Fortinet, it is a single cost only, so Fortinet is cheaper.

Prior to Firepower, we were Cisco customers and did not look to other vendors.

Given the problems that we have had with Cisco, we are moving away from them. We are now trying to implement FortiGate and have started working with it. One thing that we have found is that the Fortinet technical support is very bad.

I would rate this solution a five out of ten.

This solution is a next-generation firewall. We use it to inspect our traffic going through the internet edges. This solution blocks Tor nodes or botnets that try to invade the system using various methods for intrusion. 

This solution helped us to identify the key areas where we need to focus to block traffic that is malicious to our organization. We can complete a layer 7 inspection and take a deep dive into the packets and block the traffic accordingly.

It took approximately six months to a year to realize the benefits of deploying this solution. It's an arduous process that is still ongoing.

This tool offers great value with regard to cyber security due to its integration with different tools like Splunk and other cloud-based solutions.

Within an application, you can block traffic at a granular level instead of relying on HTTPS traffic.

The application detection feature of this solution could be improved as well as its integration with other solutions. 

I have been using this solution for five years. 

There is room for improvement when it comes to stability. We have encountered a lot of bugs using this solution.

This is a scalable solution. 

I would rate the customer support for this solution an eight out of ten. 

Positive

We previously used Check Point. We had an option to connect all of our security products from the endpoint to the firewalls to SASE-based solutions. This is why we changed solutions.

The initial setup is straightforward because it is supported by good documentation. We did not experience many issues and deployment took a couple of months.

We first deployed the solution in monitoring mode before moving into protection mode. We required four or five engineers for this. It takes a lot of time to do any maintenance or upgrades. This is one of my key pain points for this product.

Maintenance requires two people; one to focus on the upgrade and one to monitor the traffic.

We have experienced a return on investment in terms of security that has added value. 

This solution offers smart licensing that is comparable to other solutions on the market. 

I would rate this solution a seven out of ten. 

There are multiple data planes that run within this solution. My advice is to unify those data planes into a single data plane, so that traffic is sectioned and can be handled effectively. If you need a next-generation firewall, this is a good product.

We mainly use it for ICS security.

We definitely feel more secure. We have more control over things going in and out of our network.

Cybersecurity has been our top priority because of the last few attacks on our peers in the oil and gas industry.

The IPS solution helps us to not only navigate north-south traffic, but also east-west traffic.

Third-party integrations could be improved.

Not everything works out-of-the-box. Sometimes, you have to customize it to your needs. 

I have been using it for two years.

It is stable for the most part.

There is maintenance needed for software, firmware, and updates. Three or four people keep up with the updates, etc. 

It is pretty scalable. We can add as many devices as we want.

The technical support is good. I would rate them as 10 out of 10.

Positive

We previously had a different platform. We wanted to converge multiple platforms into one.

I switched companies. So, I have more experience with Palo Alto.

We saw immediate benefits after deployment from having more control and visibility.

Pretty much everything is included in the price for what we are using.

We looked at Check Point, Palo Alto, Fortinet, and a bunch of others. The management and support for the CIsco product is better.

Listen to your customers and see what their needs are.

The whole stack provided by Cisco is a holistic solution for cybersecurity experts, like myself, and companies who are looking to secure their network.

You should partner up with a good team to view all products available, which cater and are customized to your needs.

We haven't found any gaps where it is lacking.

I would rate this product as eight or nine out of 10.

We use it for remote access VPN. That means the folks at home can work from home using AnyConnect.

For our very specific use case, for remote access for VPN, ASAs are very good.

Cisco also introduces new features and new encryption techniques.

Cisco wasn't first-to-market with NGFWs. That is one of the options now. They did make an acquisition, but other vendors got into that space first. I would tell Cisco to move faster, but everything moves at the speed of light and it's hard to move faster than that. But they should look at what other vendors are doing and try not only to be on the same wavelength but a little bit better. It's hard to be critical of Cisco given that they pave the way a lot, but they should see what their peers are doing and try to emulate that.

In terms of additional features, perhaps there could be some form of integration with the cloud. I don't know how much appetite we would have for that given the principle of keeping a lot of the sensitive data on-prem. But some integration with the cloud might be useful, given that the cloud is everything you see these days. We have our on-premises devices, but maybe they could provide an option where it fails over to a cloud in a worst-case scenario.

I've been using Cisco ASA Firewalls from the time I was in school. I learned it when I was in the academic setting. I joined Cisco and worked there for six years there as a sales engineer before joining my current company.

The stability of the solution is a 10 out of 10.

Scalability is probably a 10 out of 10 for what we're looking at.

Their technical support is very good. Maybe I view them with rose-colored glasses since I was there for six years, but they really do try hard. Cisco cracks the whip on them. They do a lot of work. There's no downtime.

Positive

The challenge we wanted to address was scale. We're growing and we needed something a little more robust, something that could hold a big boy. We've got a lot more employees and we were using an older version of the hardware, so we upgraded to the newest version of the hardware, given that we're familiar with it. It solves our use case of allowing employees to work from home.

I was involved in the design, deployment, and operations. Our team is very special in the fact that we don't delegate to other folks. We're responsible for what we eat and what we design. We actually do the hands-on work and then we maintain it. We tend not to hire out because they come, they wash their hands clean of it, leave, and then there's all this stuff that needs fixing. If we get paged at 3:00 AM it might be our fault, and the lessons are learned.

Our network engineering team consists of about 12 people.

The pricing is fair.

My advice to others would be to design it well and get it validated by the Cisco team or by a consulting company. Don't be afraid of the solution because they have skin in the game. It's been in the market for so long, it's like buying a Corolla, as odd as that sounds. If you have a use case for your car where you're just driving from A to B, then get that Corolla and it will suit you well. It will last you 100 million miles.

Cyber security resilience is super important. We have super important data and we need to secure it. We're regulated and audited by the government and we're audited all the time. I get audited when I breathe. We have to make sure everything is super transparent and make sure that we have all of the fail-safes in place and done well. We have to be very accountable so that there are no "gotchas."

We use it to protect our DMZs and externals, to protect our network from our other city partners who manage their own networks to which we have direct connections, like VPNs, and to manage the security parameters between inside and outside connectivity and vice versa.

Cisco Firepower NGFW Firewall was introduced as a migration of many firewalls into one. Just having one firewall with one place of security and one place to look for your packets has really helped.

The features I've found most valuable are the packet captures and packet traces because they help me debug connections. I like the logs because they help me see what's going on.

The security correlation events and the network map help me to drill down on a host at will.

I really like the flexibility of the policies such as those you can use and the layer three policies with which you can block applications. It's really versatile. I like the security zones.

Cybersecurity resilience is our main focus right now. Because we're a government organization, everybody's really nervous about security and what the ramifications are. My device generates all the logs that our security team goes through and correlates all the events, so it's really important right now.

I think they need to review their whole UI because it feels like it was created by a whole bunch of different teams of developers who didn't fully talk to each other. The net policy screen is just a mess. It should look like the firewall policy screen, and they should both act the same, but they don't. I feel like it's two different buildings or programming, that don't talk to each other, and that really annoys me.

They should either build an application or get away from the web. They need to do something that's uniform and more streamlined.

We have a multi-person firewall team, and I can't look at a policy while somebody else is in it. It'll kick me out. I might be working on something that the other guy has to modify. I know that in the next versions they will be dealing with it with a soft lock, but it should've already been there.

One of Cisco's strengths is the knowledge depth of their staff. The solutions engineer we worked with knew the routing and each protocol. If he didn't know something, he would reach out to someone else at Cisco who did. He would even talk to a developer if he needed to.

I've been using Firepower for about three years.

There are some stability issues. We ran CheckPoint for years and didn't have problems with the firewall itself. However, with Firepower, in the past two years, we've had two major crashes and a software bug switchover.

We were debugging NAT rules. I did a show xlate for the NAT translation, and the firewall rebooted itself.

It has only been three instances in two years, but when I compare the stability to that of CheckPoint, it seems higher. CheckPoint just seemed to run.

We have about 8000 end users. Scalability-wise, it's already handling a large amount of traffic.

I like that Cisco's technical support will help me recover the firewall when everything falls apart. I'd give them a nine out of ten. They've really been consistently good, and they go after the problem.

Positive

We previously used CheckPoint and Fortinet. We switched from CheckPoint because it was unsupported, and we wanted to move to a next-generation firewall.

We went to Fortinet, and when we switched over, it caused a huge network outage. The Cisco engineers helped fish us out of that. Our GM at the time preferred Cisco, and we switched to Cisco Firepower NGFW Firewall.

Setting up the machines was straightforward, but exporting was complex. That is, it wasn't a complex deployment as far as the hardware goes. It was more of a complex deployment as far as transferring all the rules go because of our routing architecture.

Firepower is our main interface out to the outside world. We have about eight DMZs that are interface-based. You can do a logical DMZ or you can have an interface and a logical DMZ. We have about eight that are on interfaces. Then, we have our cloud providers and the firewall. We have rules so that our cloud providers can't ingress into our network.

I've found that Firepower does need a lot of maintenance. It needs a lot more software updates than other solutions. We have three people to maintain the solution.

For the deployment, we had about 18 team members including firewall administrators, Cisco firewall engineers, and techs.

The licensing scheme is completely confusing, and they need to streamline it. They have classic licensing and a new type of licensing now. Also, the licensing for the actual firewall is separate from the one for TAC support.

My advice to leaders who want to build more resilience within their organizations is that they should help make policies. Leaders don't want to make policies; they don't want to put their names on policies or write policy documents. I as a firewall administrator am the one saying what the policy should be. I tell them what should happen, and sometimes, they resist.

Also, because the system is just too big to really manage without TAC, you would need TAC along with Firepower.

My advice would also be to go with HA or a cluster up front and not to be cheap. You really need to go in with a robust solution up front.

I would rate Firepower an eight on a scale from one to ten because the firewall and tech support together make it a very robust solution.

We have the Cisco 5585-X in our data center for perimeter security, internet protection, and for applications behind Cisco ASA DMZs. The challenges we wanted to address were security and segregating the internal networks and the DMZs.

Security-wise, it's given us the protection that we were looking for. Obviously, we're using an in-depth type of design, but the Cisco ASA has been critical in that stack for security.

The Packet Tracer is a really good tool. If someone calls because they're having problems, you can easily create fake traffic without having to do an extended packet capture. You can see, straight away, if there's a firewall rule allowing that traffic in the direction you're trying to troubleshoot. As a troubleshooting tool, Packet Tracer is one of the things that I like. It comes up in all my interviews. When I want to figure out if someone knows how to use the ASA, I ask them about use cases when they use the Packet Tracer.

One of the challenges we've had with the Cisco ASA is the lack of a strong controller or central management console that is dependable and reliable all the time. There was a time I was using what I think was called CMC, a Cisco product that was supposed to manage other Cisco products, although not the ASA. It wasn't very stable.

The controller is probably the biggest differentiator and why people are choosing other products. I don't see any other reason.

I've used the Cisco ASA going back to the 2014 or 2015 timeframe.

The ASA has been very stable for us. Since I deployed the ASA 5585 in our data center, we've not had to resolve anything and I don't even recall ever calling TAC for an issue. I can't complain about its stability as a product.

Our Cisco ASA deployment is an Active-Standby setup. That offers us resilience. We've never had a case where both of them have gone down. In fact, we have never even had the primary go down. We've mainly used that configuration when we're doing code upgrades or maintenance on the network so that we have full network connectivity. When we're working on the primary, we can switch over to the standby unit. That type of resiliency works well for our architecture.

TAC is good, although we've had junior engineers who were not able to figure things out or fix things but, with escalations, we have eventually gotten to the right person. We also have the option to call our sales rep, but we have never used that option. It seems like things are working.

Neutral

In the old days, we used Check Point. We did an evaluation of the Cisco ASA and we liked it and we brought it on board.

At that time, it was easy for our junior operations engineers to learn about it because they were already familiar with Cisco's other products. It was easier to bring it in and fit it in without a lot of training. Also, the security features that we got were very good.

The one we deployed in the data center was pretty straightforward. I also deployed the Cisco ASA for AnyConnect purposes and VPN. I didn't have to call TAC or any professional services. I did it myself.

We used a Cisco reseller called LookingPoint. I would recommend them. We've done a lot of other projects with them as well.

It's a great investment and there's a lot of value for your money if you're a CSO or a C-leader. As an engineer, personally, I have seen it work great wonders for us. When we're doing code upgrades or other maintenance we are able to keep the business going 100 percent of the time. We have definitely seen return on our investment.

I don't look at the pricing side of things, but from what I hear from people, it's a little pricey.

At the time, we looked at Juniper and at Palo Alto. We didn't get a feeling of confidence with Palo Alto. We didn't feel that it offered the visibility into traffic that we were looking for.

We use Cisco AnyConnect and we've not had any issues with it. During COVID we had to scale up and buy licenses that supported the number of users we had, and we didn't have any problems with it.

We pretty much use it as our edge firewall and data center firewall.

We have a colocation that is the center for all our campuses. That is where our edge firewall is. We use that for VPN as well, and it was a great thing during the pandemic because we were already ready to go with VPN. We didn't have to do anything extra on that part.

The solution has really enabled us to ensure our university is secure.

Cybersecurity resilience has been paramount. Because there is a threat of losing everything if ransomware or another sort of attack were to happen, the cybersecurity resilience has been top-notch.

The multi-context feature is the most valuable, especially in our data center. Having different needs for different departments is part of our organization. We can have five firewalls in one.

I would like it if they made the newer generation a bit simpler. You can do ASA code and FXOS. It is just a bit confusing with the newer generational equipment on what it can do.

I have been using this solution for five years.

I would rate the stability as 10 out of 10.

We do maintenance for software updates, etc. I don't think we have had any major hardware failures.

We haven't had to really scale up too much.

The technical support is excellent. Every time that we have ever had an issue, we got a result very quickly. I would rate them as nine out of 10.

Positive

We have always had ASA since I have been at the company. The ASAs were in place and we have upgraded to newer ASA Next-Generation Firewalls.

I am not a huge fan of Cisco licensing in general. However, I wasn't really involved with the pricing. That decision was made a little higher than me.

We are in the middle of an upgrade to the newer Firepowers.

We have used Palo Alto for another solution and they have a better firewall. It is a whole new GUI to learn. With Palo Alto, you simply get one code, then that is your firewall. With the newer Firepowers, there are two or three different ways that you can run it. So, we currently have our data center running in ASA code, then we are doing it a different way with our edge ASA. My supervisor has complained about all the different ways that the new hardware can be configured and installed.

Stay more up-to-date with equipment. The old equipment is what will get you, e.g., leaving Windows 7 machines on your network or 15-year-old switches.

Heavily research what can do cluster mode, HA pairs, etc. That is where we ran into the "gotchas". You have to run it in certain ways to have it clustered and run it another way to have it as an HA pair.

I would rate ASA Firewall as nine out of 10.

We are using it for border firewalls, VPN access, and site-to-site VPN tunnels.

It is deployed at a single location with about 2,500 users.

So far, the remote VPN access has been a perfect solution for our company.

The user interface is a little clunky and difficult to work with. Some things aren't as easy as they should be.

I have been using it for five years.

So far, it has been very stable.

It does require maintenance. There is a team of two who manage it.

We haven't scaled it much at this point.

The technical support has been good so far. I would rate them as eight out of 10.

Positive

The VPN solution works much better than our previous solutions.

We previously used Palo Alto. The switch was driven by Cisco's pitch.

It was fairly straightforward. We stood it up side by side with our nesting firewalls. We did some testing during an outage window, then migrated it over.

We used a partner, CDW, to help us with the deployment. Our experience with CDW was good.

Internally, it was just me for the deployment.

The pricing seems fair. It is above average.

Take the time to really learn it, then it becomes a lot easier to use.

I would rate the solution as eight out of 10.