Cisco Secure Firewall Reviews

We use it for basic firewalling, building VPN tunnels, and for some remote VPN connections.

We have two ASAs servicing external remote connectivity sessions for about 300 users.

It has definitely improved our organization. It gives us remote connectivity, helps workers connect remotely, and also gives us good connectivity to our other branches.

It would be nice if it had the client to actually access the firewall. Though, web-based access over HTTPS is actually a lot nicer than having to put on a client just to access the device.

For Firepower Threat Defense and ASAs, I would like it if there was a centralized way to manage policies, then sticking with the network functions on the actual devices. That is probably the thing that frustrates me the most. I want a way that you can manage multiple policies at several different locations, all at one site. You then don't have to worry about the connectivity piece, in case you are troubleshooting because connectivity is down.

I have been using ASA for about three years.

It is stable.

We just run updates on them. I don't know if we have had to do any hardware maintenance, which is good.

We have been just using ASAs for a smaller environment.

I don't know if I have ever worked with ASA in a highly scalable environment.

I haven't really gotten involved with the technical support for ASAs.

I work with a lot of different companies and a number of different firewalls. A lot of times it is really about the price point and their specific needs. 

This solution was present when I showed up.

The pricing is pretty standard. 

I wish there was an easier way to license the product in closed environments. I have worked in a number of closed environments, then it is a lot of head scratching. I know that we could put servers in these networks and that would help with the licensing. I have never been in a situation where we connected multiple networks, i.e., having an external network as well as an internal network, as those kinds of solutions are not always the best. I think licensing is always a headache for everyone, and I don't know if there is a simple solution.

We can build GRE tunnels. Whereas, Firepower can't route traffic nor do a bit more traffic engineering within the VPN tunnels. This is what I like about using ASAs over Firepower.

Firepower Threat Defense has a mode where you can manage multiple firewalls through a single device. 

I really like how Palo Alto does a much better job separating the network functions from the firewalling functions.

I would consider if there is a need to centralize all the configurations. If you have many locations and want to centrally manage it, I would use the ASA to connect to a small number of occasions. As that grew, I would look for a solution where I could centrally manage the policies, then have a little more autonomous control over the networking piece of it.

Know specifically what you want out of the firewall. If you are looking for something that will build the GRE tunnel so you can route between different sites, I would go with ASA over Firepower Threat Defense.

I like the ASA. I would probably rate it as eight or nine out of 10, as far as the firewalls that I have worked with.

It has been great for blocking incoming bad actors. The new Firepower modules have been a welcome additive to that.

Cybersecurity resilience has helped us be able to react and respond in a quick fashion to anything that may be happening or any anomalies within the environment.

The solution has provided us a sense of security, reliability, and trustworthiness.

The most valuable feature would be the IP blocking. It gets rid of things that you don't need in your environment.

Its resilience helps offer being able to react and self-heal.

The solution is overcomplicated in some senses. Simplifying it would be an improvement.

I have used the ASA solutions for a better part of 10 years.

The stability is unparalleled.

All solutions require maintenance, and we do that routinely. Anywhere from three to four people from the network teams to application owners are involved in the maintenance. This is a firewall in production, so we need to do maintenances after hours, but it would be nice if we didn't need to do it after hours

Scalability is unparalleled. It is easy to scale.

We don't have plans to increase our usage at this time.

In previous years, Cisco's tech support has been great. Although, I have seen it declining. I would rate their support as seven out of 10.

Neutral

We have used the Check Point firewalls as well as several different vendors.

It secures the network. The ROI is really incalculable at this point as keeping our data secure is keeping the company's assets secure.

We did evaluate other vendors.

You need to be always looking ahead and proactively developing to build resilience.

I would rate the solution as eight out of 10. It is a world-class firewall.

It is the primary data firewall for our organization and our data centers.

We have faced multiple issues regarding bugs with Cisco Firepower products. A running product is hit with bugs most of the time, and we had a lot of challenges in using the Cisco Firepower product, actually. In the future, we are planning to replace it, or at least use it instead as a secondary firewall.

The content filtering is good. 

The maturity needs to be better. The product is not yet mature. A running product is hit with the software bugs most of the time, and whenever we then log a case with the tech team, they're sometimes helpless with that. They have to involve the software development team to fix that bug in the next release. It's not ideal. Being an enterprise product, it should be mature enough to handle these types of issues.

I've been using the solution for the last three years. 

The performance is okay, however, the product is not stable. It is all hit with CVL software bugs routinely. That portion requires attention from Cisco and the tech support in this area is somewhat delayed. An open ticket can sometimes take more than two to three months to resolve. For the production setup, it is tough to rely on the tech team alone for the closure of the case.

The solution is very scalable. 

Cisco support is always available. However, multiple times, it has been tough for them to fix the software bugs in the product. They have to then deploy their development team for the same ticket.

Earlier we used the Cisco ASA Firewall. Now, it has been phased out. Firepower is categorized as the next-generation firewall, however, we haven't found the utility of that level in this product. It lacks maturity at many levels.

We have two data centers at two geographical locations. We have two firewalls - one in one data center, at the perimeter, and another at a different location.

The initial setup was okay. We had more of an in-between partner doing the installation part since the product was also new to us. The product was part of my overall product solution. We procured a firewall and another ACL fabric portion for the data center. Overall, the solution installation took over seven to eight months.

We had two people assist with the deployment process. 

We used an integrator for deployment. Overall, the experience was positive. 

There is no ROI. It is functioning as a normal firewall, as a data center perimeter, however, we expected much more than that. At times, there has been downtime with the firewall, and our custom modifications have won at a very high level. The product has to be mature when it is being used at the enterprise level.

The solution offers mid-range pricing. We can get a cheaper product like Fortinet, and we can get a costlier product like Palo Alto, and these are all in the same category.

There's only one license based on the support. Cisco Firepower is priced on the support of the product that we require: with SSL and without SSL. Currently, we are not doing any SSL inspection. We have an ATP report firewall.

When we were looking for a product, we put it through tender and we put out specifications of the product that we required. Cisco had the lowest price. We evaluated the L1 after it was technically qualifying. That is how we acquired it.

We looked at Palo Alto, however, it was far too costly.

We are a customer and an end-user. 

It was earlier named Sourcefire. Cisco acquired that company and rebranded it as Firepower.

We are actually a public cloud provider. We offer data center services to clients.

I'd advise others considering the solution that, for implementation, the product needs some stability and maturity to be offered as a next-generation firewall at an enterprise level. If a company is in need of an enterprise-level solution, they need to be aware of this.

I'd rate the solution a five out of ten. 

The product needs maturity in terms of running without hitting a bug. We have used other products also. A running product is never hit with a bug. It is normally some vulnerability or something that needs to be attended to, however, a running product is seldom hit with a bug and the operation gets stalled. We rarely find this kind of thing in an enterprise scenario. That is what we ask from Cisco, to build a stable product before offering it to customers.

We are a payment switch and we deal with cardholder data and information. Our primary goal is to ensure the security of customers' payment data, that they are protected.

Our security maturity is now at a good level compared to the past. To be accepted to drive Visa and Mastercard, you have to pass security assessment audits and we have managed to pass all of them now, for some years.

Apart from our firewall, we have three security tools. We have a NAC, we have a SIEM, and our syslogs.

It's easy now because we have many Cisco devices in a central point. We don't need to log in to each device and apply rules to them. We can do it from the management control and apply them to the specific firewalls that we want to apply them to.

In addition, compared to our previous firewall solution, the security is much better. Through our monitoring, we now see all the information that we require on security, in terms of PCI. We can see exactly what is happening in our environment. We know what is going, what is going in and out. If an incident happens, it provides a notification so that we can do an analysis.

Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches.

Another important feature for us is user access. Now, we can base access on rules and specify that this or that user has privilege on the NG firewall. That was not available before. 

The IDS also makes it easy to detect abnormal traffic. When it sees such traffic in the environment, it sends a notification.

We have been using Cisco Firepower NGFW Firewall for about two months.

The solution is stable. It's not hanging. With the firewalls from Cisco we are not facing a situation where devices are hanging because of too much traffic.

The scalability is fine.

We're getting support but there's a big delay until we get a response from their technical team. They're in the USA and we're in Africa, so that's the difficulty. When they're in the office, they respond.

We migrated from Cisco AC520 to the Cisco NGFW. We have also used HPE and IBM switches, as well as FortiGate firewalls. We are now completely Cisco.

Previously, we were also using AlienVault and it was easy to integrate with Cisco devices.

The initial setup is 50/50, between straightforward and complex. Migrating from Cisco to another Cisco product is okay, but migrating to Cisco from other network devices, like an IBM switch, is a bit tricky. You can't test the configuration to see if it's the same as what you're going to. But we managed with support from Cisco.

It took a month to complete the deployment.

Our implementation strategy was based on not upgrading everything at the same time. It was phased. We deployed a specific device and then we monitored everything to make sure everything looked okay, and then we moved on to the next one.

It requires a minimum of two people for deployment and maintenance, from our network and security teams.

We used internal resources with support from Cisco.

We have gotten exactly what we're looking for, based on the company's requirements.

The pricing is high.

Cisco NGFW's ability to provide visibility into threats is good compared to other solutions. The visibility is quite impressive and gives us what we're looking for, based on our security requirements.

The scalability, the performance of the devices, the features, and the support, when looking at them combined, make the product a nine out 10.

We're planning the deployment of Cisco ISE soon, to be like our NAC.

We were using ASA 5585 without firepower. We were using it just as a stateful firewall. We also had an IPS module on it. So, we were also using it for network segmentation and network address translations for hosting some of the services or giving access to the internet for our end users.

Initially, it was good. At the time we bought it, usually, IPS was in a different solution, and the firewall was in a different solution. You had to kind of correlate between the events to find the attacks or unwanted behavior in the network, but it had everything in a kind of single platform. So, the integration was great.

Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. Cisco ASA was able to handle a lot of traffic or concurrent connections at that time. We had almost 5 million per week. We didn't have to worry about it not having enough memory and stuff like that. It was a powerful machine.

The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java. 

High throughput, high concurrent connections, easy site-to-site VPN were also valuable. It also had the capability to do double network translations, which is really useful when you are integrating with other vendors for site-to-site VPN.

When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough.

One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.

We have been using it for around eight years.

Its stability is really great. It is very stable. We didn't have to worry about it. In the IT world, every time you go on holiday, you think that something might break down, but that was not the case with Cisco ASA.

Initially, we had just a single firewall, and then we moved to high availability. Even when it was just one hardware without high availability, we didn't have any problems. Apart from the planned maintenance, we never had any downtime.

We feel we didn't even try to make it scalable. We had 30,000 end users.

We haven't interacted a lot with them because we have our own network department. We were just handling all the problem-solving. So, there were only a couple of cases. Initially, when one of the first devices came, we had some problems with RAM. So, we opened the ticket. It took a bit of time, and then they changed it. I would rate them an eight out of 10.

Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. We had some really old D-link firewalls. They were not enterprise-level firewalls.

After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. They didn't provide us with the new license. Therefore, we decided to move to Palo Alto. The procurement process is taking time, and we are waiting for them to arrive.

It was straightforward. Cisco is still leading in the network area. So, there are lots of resources where you can find information. There are community forums and Cisco forums, where you can find answers to any questions. You don't even have to ask. You can just Google, and you will find the solution. Apart from that, Cisco provides a lot of certification that helps our main engineers in learning how to use it. So, the availability of their resources was great, and we just followed their best-case scenarios. We could easily configure it.

The deployment took around two or three weeks because we had different firewalls. We had a couple of them, and we migrated all to Cisco. We also had around 30,000 rules. So, the data input part took a lot of time, but the initial installation and the initial configuration were done in a matter of days.

It took us one week to set up the management plane. It had different ports for management and for the data. After finishing with the management part, we slowly moved segments to Cisco. We consolidated the rules from other firewalls for one zone. After Cisco verified that it was okay, we then moved on to the next segment.

We did it ourselves. We had about five network admins for deployment and maintenance.

We definitely got a return on investment with Cisco ASA. We have been using it for eight years, which is a long time for IT. We only had one capital expenditure. Apart from that, there were no other costs or unexpected failures. It supported us for a long time.

When we bought it, it was really expensive. I'm not aware of the current pricing.

We had problems with licensing. After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. So, they didn't provide us with the new license.

I am not sure about it because back then, I was just an engineer. I didn't have decision-making authority, so I wasn't involved with it.

We recently have done pilots with Check Point and FortiGate for a couple of months. They were next-generation firewalls. So, they had much more capability than ASA, but because of being a pilot, we didn't get full-scale throughput like big enterprise-level firewalls. The throughput was not enough, and their memory cache was always filling up. They were smaller models, but both of them had the features that ASA was lacking. Traffic shaping in ASA is not as good, but these two had good traffic shaping.

I wouldn't recommend this solution because it is already considered to be a legacy firewall.

I would rate Cisco ASA Firewall a strong eight out of 10. It is powerful, but it lacks some of the capabilities.

They were placed in a company on the perimeter near the ISP. There were two clusters. One cluster was at the front, and one cluster was near the data center to filter the traffic from the users to the data center and from the data center to the users and outside.

Our clients were completely satisfied with this firewall in terms of protection from attacks, filtering of the traffic that they wanted, being able to see inside the zip files, etc.

I have experience with URL filtering, and it is very good for URL filtering. You can filter URLs based on the categories, and it does a good job. It can also do deep packet inspection.

Its IPS engine also works very fine. I don't have much experience with it because I am an IT integrator, and we only configured it, but the company for which we configured these firewalls used this feature, and they say that IPS works very fine. They were also very pleased with its reporting. They said that its reporting is better than other firewalls they have had.

When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance.

In terms of tracking users, the Palo Alto Networks firewall is better than Cisco Firepower.

It is very stable because it is based on the Cisco ASA Firewall hardware, which is an old-generation firewall. I have had Cisco ASA Firewall for more than 10 years, and they have been working fine till now. So, Cisco Firepower NGFW Firewall's performance and stability are the best. I have never seen any issues or heard from anyone that it is bad.

Its scalability is very good. It was a small implementation. Traffic was maximum of 150 megabits per second. 

I haven't worked with Cisco support.

I have had experience with the Fortinet FortiGate firewall. It is very easy, and it does its job very well. Both Firepower and FortiGate do their job very well, but I like the Palo Alto Networks firewall the most. I have not experienced it in a real environment. I have placed it in my lab. It is a very complex firewall, and you need to know how to configure it, but it is the best firewall that I have seen in my life.

As compare to the Palo Alto Networks firewall, both Firepower and FortiGate are simpler. You can just learn which button to use and how to write rules, policies, etc. In Palo Alto, you can not guess this. You should know where each button is, how it works, and what it does. If you don't know, you cannot get the performance you want from Palo Alto. So, Firepower and FortiGate are easier to learn.

Firepower is very good for a small implementation. If you are doing a Cisco setup, you can place kind of 16 devices in one cluster. When it comes to the real environment, you need to have maybe three devices in one cluster. If two of them are in one data center and the third one is in another data center, the third firewall does not work very well when it comes to traffic flow because of the MAC address. When you want to implement Firepower in small infrastructures, it is very good, but in big infrastructures, you would have some problems with it. So, I won't use it in a large environment with five gigabits per second traffic. I will use the Palo Alto firewall for a large environment.

It is straightforward. For me, it is very simple. The menu is quite impressive. Everything that you want to do can be done from the web user interface. You don't need to access the CLI if you don't like it. It is very easy to make rules with its web user interface.

Its deployment took two days. In terms of the implementation strategy, the first cluster was in the data center, and its main job was to filter user traffic going to the data center. The second cluster was on the edge. Its main job was to mitigate attacks on the inside network and to capture the traffic that could have viruses, malicious activities, etc.

I deployed it myself, and it took me two days to deploy two clusters of Cisco Firepower NGFW Firewall. 

I think our client did get an ROI. They are very satisfied with what they can do with these firewalls. It fits all of their needs.

Its price is in the middle range. Both Firepower and FortiGate are not cheap. Palo Alto and Check Point are the cheapest ones.

I don't remember any costs in addition to the standard licensing fees.

Our client didn't implement dynamic policies for dynamic environments because they were a small company, and they didn't need that kind of segmentation. I am not sure if it reduced their firewall operational costs because they were a small company, and the traffic was not so high.

I would rate Cisco Firepower NGFW Firewall an eight out of 10.

We helped a customer to configure a new data center network. We provided the core firewalling. Between virtual routing instances, or virtual networks, we had two Firepower 2130s in HA. We did the routing and firewalling between the VRS and, in the same data center, we have an internet edge firewall also set in HA that provided the routing and firewalling to the internet and to Azure. In the same data center we had two ASAs for out-of-band management. If an error occurred in the data center, we could VPN into the ASA and troubleshoot the routing issues in the data center.

I have customers that have migrated from Cisco ASA to Cisco Firepower. They have benefited from the change because they have much more visibility into the network. An ASA is often used as a Layer 3 to 4 firewall. We allow networks and ports. But a Firepower firewall has the default intrusion prevention engine, so you can allow it to https on port 443, but it can also look into the packet, with deep packet inspection, and see if there is malicious code that is trying to be pushed into your system. It's a much more secure product than just having a Layer 3 to 4 firewall. It is a Layer 3 to 7 firewall.

We also use Cisco Talos, and when we configure a Firepower, we set the automatic update to get the latest vulnerabilities and databases, Snort rules, geolocation database, and security intelligence from Talos. Our customers aren't benefiting directly from Cisco Talos, but they are benefiting from having a product like Firepower that has connections to Talos.

The dynamic access policy functionality, and the fact that in Firepower 7.0 the feature has one-to-backward compatibility with the Cisco ASA Firewall, is a game-changer. Our customers have begun to transition from Cisco ASA to Cisco Firepower and because they get this capability, there are more and more VPN features. And when they shift from ASA to Firepower, they go from Layer 3 to Layer 7 visibility, instead of only going from Layer 3 to 4. They gain through the visibility they get from a next-generation firewall. They get more visibility and a more secure solution.

For Firepower the most important features are the intrusion prevention engine and the application visibility and control. The Snort feature in Firepower is also valuable.

For ASA, the most valuable feature is definitely the remote access VPN solution. The AnyConnect solution is very scalable and stable—there are no errors or flaws—which is necessary in today's world when we're all working remotely. The remote access VPN for ASA is very good.

When it comes to application visibility and control, both ASA and Firepower can provide them but the AVC feature is mostly used in Firepower. You can allow or disallow many applications through Firepower, through the access control policy.

If you configure Firepower correctly, it is good when it comes to threat visibility. It is proficient. It is the state of the art when it comes to blocking threats, network-wise. If you use it with an SSO encryption, and use your own features, blacklists, security intelligence, intrusion prevention, and access control points—if you are using it with every feature—Firepower can block most threats on your network. But it can't stand alone. It is necessary for the clients to have AMP for Endpoints, Cisco Umbrella, and Cisco ISE. If you're using Firepower as a standalone device, it can block, say, 20 or 30 percent more than the ASA can. But if you're using all of the security features from Cisco, you get much more security. It's like an onion's layers. The more layers you have, the more protection you have.

The ease of use with the new version of Firepower is more or less the same when compared to other versions of Firepower. But the dashboard has received a refresh and it's easier to use now than before. Overall, the ease of use has been increased.

On the VPN side, Firepower could be better. It needs more monitoring on VPNs. Right now, it's not that good. You can set up a VPN in Firepower, but you can't monitor it. 

Firepower Management Center is slow. It could be better. And the Firepower Device Manager doesn't have all the features that the ASA has, and that's despite the fact that it's almost the same product. Cisco could use many more features from ASA in Firepower Device Manager.

I have used Firepower for two years and I have worked with all Firepower models: Firepower 1000 Series, 2000 Series, Firepower 4000. I have never had my hands on a Firepower 9300, but it's mostly the same as the 4000 and 9000 Series. I have also used Firepower Management Center, virtual, the 1000 Series, and the 1600. I have also used Firepower virtual devices, the Firepower Next-Generation Firewall Virtual (NGFWv).

I was using Firepower 7.0 for around 10 weeks on a beta program. I was using it more or less every other day. I have been using it quite a lot.

If you stay on the recommended releases, Firepower is very stable. Cisco has had a lot of trouble and issues with Firepower since they acquired Sourcefire, and some of the issues or problems are still there. But if you stay on the recommended releases you shouldn't hit that many errors or bugs. It can be stable, but it can also be very unstable if you jump on the newest release every time.

Firepower scales well if you have the 4100 Series or 9300 Series. They can scale and you can cluster the devices. Otherwise, you can only add one device, but that's more for the small customers. But if you get up to the high-end series of Firepower, it scales very well. 

We have customers that have 100 or 200 clients but we also have customers that have 20,000 endpoints. They are using several different appliances. Two devices for internet edge, two devices for core infrastructure, and two devices for VPN. We help customers of all sizes.

First you have to configure the Firepower Device Manager, or Firepower Management Center. When you bootstrap it or do the initial config, you type in the IP address, host name, and DNS. When you have the IP configuration in place, you can log in to the Firepower Management Center and start building policies that suit your needs. When you have all the policies, you can add or join Firepower devices to the Firepower Management Center. After adding the devices to the Firepower Management Center, you can then apply the policies that you built in the first place, through the devices, and that will affect the behavior on the devices.

ASA is best for VPN solutions, site to site, remote access VPN. It's for everything that is connected with VPN solutions. For every other feature, Firepower is better. While Firepower is getting better for VPN, it's not where it should be yet.

I have tried configuring Zyxel firewalls. I have never logged in to Check Point or Palo Alto. From my point of view, Firepower is better than Xyxel when it comes to application visibility and control.

I did use competitive solutions many years ago, so things might have changed with them. But I would say that Cisco Firepower is a bit more complicated if you are an inexperienced user. If you are setting up a firewall for the first time, other vendors have an approach that makes it easier. Cisco Firepower it's more detailed and you can do more complicated configurations than you can with some competitors. It is easier for us to approach customers with Cisco Firepower, because we can do more detailed configurations compared to what customers can get from other vendors.

With SecureX, you can get more value out of the product, especially if you're using all the security features from Cisco. In that situation, you will definitely get more out of SecureX. When you do that you can integrate all of your Cisco products into SecureX and you can correlate all the data in one place, with a single pane of glass. In that way, you get a lot more value for money with Cisco Firepower and SecureX. You will get the full value if you combine it with other products, but if you only have Cisco Firepower then SecureX will not provide that much added value.

Have a plan. Find out how much bandwidth and throughput you need before you implement it because if you don't scale it well from the start, it can slow down your environment. Keep in mind that it adds so much security that the total data throughput can take a hit. 

We have many customers, but in general, many of our customers are using all the tools they can to secure their infrastructure, such as AMP, Umbrella, and Firepower. Many companies are doing what they can to secure their network and their infrastructure. But there are also customers that only have a firewall. In today's world that's not enough to secure the network at all, but that's a decision the customer has to live with. We have tried to push them in the right direction. But the majority of our customers have a secure infrastructure.

The other Cisco products or services our customers are using in conjunction with their firewall include AMP, AnyConnect, cloud mail Email Security Appliances, Cisco ISE, and Web Security Appliances. We are only a Cisco partner. We don't do HP or Check Point or Palo Alto, so our customers do have a lot of Cisco features. For regular use, the integration among these Cisco products is pretty easy, but I have also worked with these products a lot. But it's easy to implement a firewall solution on Firepower and you can tweak it as much as you like. ASA is also easy to set up and configure, in my opinion, but I'm a security professional. For a regular user, both products can be pretty cumbersome.

Firepower 7.0 gives you visibility into how it inspects the packets, but it's tough to say how deep or how much visibility you get. However, if you have a Layer 4 firewall, it is clear that a Layer 7 firewall gives you more visibility, and you can see the packets that the application connection is using, meaning which application is using them. It's not how much visibility you get but, rather, the fact that you get Layer 7 visibility.

Cisco Secure Firewall has reduced our operational costs because it is faster to deploy configurations to firewalls. But when using it, it's more or less the same as it was before 7.0. The amount of time it saves when deploying configurations depends on how often you deploy policies or how many changes you have. But if you compare 7.0 to earlier versions, deployment time has been reduced from five to 10 minutes down to two to five minutes. If you make all the changes at once and only do one deployment, the time saved is not that big of a deal. But if you do one change and deploy, and another change and deploy, and another change and deploy, you will save more time.

We use it to segment the east and the west traffic in our data center. We also use it on the internet edge and for VPN termination.

We use its multiple versions. We use the virtual and the physical ones. We have multiple Cisco Firepower 9300, and we also have a few Cisco Firepower 4100.

It helps in protecting against threats from outside and within our data center. With the enhancement in the newest version 7.0, visibility is where we always wanted it to be. The introduction of the Unified Events feature really helps us out daily.

It enables us to implement dynamic policies for dynamic environments. With the recently added Dynamic Attributes feature, we are able to create more dynamic and fast-changing policies. In our data center, workloads tend to go up and down very quickly, and that's why dynamic policies are important. Because the workloads in our data center are fast-moving, we need to be able to change our firewall policy accordingly and quickly. That's what makes it a very important feature for us.

Snort 3 IPS allows us to maintain performance while running more rules. Our performance has
definitely increased after migrating to Snort 3. Rules are easier to implement. We also like the underlying antivirus advancements that they made with the new architecture, which increases its benefit for us.

The VPN and the login enhancements that were introduced in version 7.0 are invaluable to us. That was something that was missing before. 

Feature-wise, we mostly use IPS because it is a security requirement to protect against attacks from outside and inside. This is where IPS helps us out a bunch.

It is good in terms of the overall ease to use in managing it. Some of the things need some tuning, but overall, it is good.

The visibility for VPN is one big part. The policy administration could be improved in terms of customizations and flexibility for changing it to our needs.

I have been using this solution for about six years.

Its stability is quite good. We couldn't find any issues.

Its scalability is very good due to clustering. 

In terms of our plans to increase its usage, it has everything we need. We don't plan to add anything more because it has all that we need as of now.

Their support is not perfect. Sometimes, you get the feeling that some of the support engineers don't have a deep knowledge of the product, but there are some engineers who are able to help.

Most of our clients were on Cisco ASA.

I wouldn't call it extremely straightforward, but I wouldn't call it complex either. Its deployment took about a day.

In terms of the deployment strategy, we create our deployment plans for ourselves and our customers. The deployment plan depends on the environment.

We deploy it ourselves.

It is very hard to say because we don't measure that. It is also very difficult to measure if it has helped in reducing our firewall operational costs.

Its pricing is good and competitive. There is a maintenance cost.

It includes SecureX that makes it cost-effective as compared to the other solutions where you have to pay for XDR and SOAR capabilities.

Technically, it is a very good firewall, but some improvements need to be done on the management side. I would advise getting a consultant or someone from Cisco to help you in implementing and using this firewall to its fullest extent.

We don't use workload integration as of now. We also don't use its dynamic policy capabilities to enable tight integration with a secure workload at the application workload level. Similarly, we don't use the solution's tags for VMware, AWS, or Azure for dynamic policies implementation in the cloud.

I would rate Cisco Firepower NGFW Firewall an eight out of 10.