We use it for basic firewalling, building VPN tunnels, and for some remote VPN connections.
We have two ASAs servicing external remote connectivity sessions for about 300 users.
It has definitely improved our organization. It gives us remote connectivity, helps workers connect remotely, and also gives us good connectivity to our other branches.
It would be nice if it had the client to actually access the firewall. Though, web-based access over HTTPS is actually a lot nicer than having to put on a client just to access the device.
For Firepower Threat Defense and ASAs, I would like it if there was a centralized way to manage policies, then sticking with the network functions on the actual devices. That is probably the thing that frustrates me the most. I want a way that you can manage multiple policies at several different locations, all at one site. You then don't have to worry about the connectivity piece, in case you are troubleshooting because connectivity is down.
I have been using ASA for about three years.
It is stable.
We just run updates on them. I don't know if we have had to do any hardware maintenance, which is good.
We have been just using ASAs for a smaller environment.
I don't know if I have ever worked with ASA in a highly scalable environment.
I haven't really gotten involved with the technical support for ASAs.
I work with a lot of different companies and a number of different firewalls. A lot of times it is really about the price point and their specific needs.
This solution was present when I showed up.
The pricing is pretty standard.
I wish there was an easier way to license the product in closed environments. I have worked in a number of closed environments, then it is a lot of head scratching. I know that we could put servers in these networks and that would help with the licensing. I have never been in a situation where we connected multiple networks, i.e., having an external network as well as an internal network, as those kinds of solutions are not always the best. I think licensing is always a headache for everyone, and I don't know if there is a simple solution.
We can build GRE tunnels, whereas Firepower can't route traffic or do a bit more traffic engineering within the VPN tunnels. This is what I like about using ASAs over Firepower.
Firepower Threat Defense has a mode where you can manage multiple firewalls through a single device.
I really like how Palo Alto does a much better job separating the network functions from the firewalling functions.
I would consider if there is a need to centralize all the configurations. If you have many locations and want to centrally manage it, I would use the ASA to connect to a small number of occasions. As that grew, I would look for a solution where I could centrally manage the policies, then have a little more autonomous control over the networking piece of it.
Know specifically what you want out of the firewall. If you are looking for something that will build the GRE tunnel so you can route between different sites, I would go with ASA over Firepower Threat Defense.
I like the ASA. I would probably rate it as eight or nine out of 10, as far as the firewalls that I have worked with.
We use it as a security solution. It is our firewall.
We run three data centers and have three ASAs at each data center.
It is pretty user-friendly and straightforward to use.
It is secure and very reliable.
I like the heartbeat between the two devices that we have. Because if something fails, it immediately fails over.
I have been using ASAs for 15 years at two different companies.
Cybersecurity resilience has been outstanding because it is very stable. There are not a whole lot of upgrades that we need to do for the firmware.
Four engineers support it. From time to time, there are firmware upgrades that we need to keep up to date with. Sometimes, we need to run debugs to figure out what's going on with it, and if it needs a patch, then we will figure it out. Usually, Cisco has been really good about getting us that.
Scalability is actually pretty exponential. In the grand scheme of things, we are a small network. We only have 15,000 subscribers. However, if we need to expand, it is reasonable.
The TAC is always very helpful. We pay for Tier 1 support, so we get whatever we need from them. They always give us a solution. If they can't give us an answer that day, they get back to us within at least 24 hours with a solution or fix. I have never had a problem with the TAC. I would rate them as 10 out of 10.
Positive
We haven't really used anything different. The only thing that we run inline with Cisco ASAs is Barracuda Networks. We kind of run that in tandem with this firewall, and it works really well.
We wanted to integrate Firepower with our solution, but it didn't have the capability to accommodate our bandwidth since they only had two 10 gig interfaces on the box. We run way more than that through our network because we are a service provider, providing Internet to our customers.
Do your homework and know what you are doing. Know how to use your product, stay current, and hire smart people.
I would rate the solution as eight out of 10.
It has been great for blocking incoming bad actors. The new Firepower modules have been a welcome additive to that.
Cybersecurity resilience has helped us be able to react and respond in a quick fashion to anything that may be happening or any anomalies within the environment.
The solution has provided us a sense of security, reliability, and trustworthiness.
The most valuable feature would be the IP blocking. It gets rid of things that you don't need in your environment.
Its resilience helps offer being able to react and self-heal.
The solution is overcomplicated in some senses. Simplifying it would be an improvement.
I have used the ASA solutions for a better part of 10 years.
The stability is unparalleled.
All solutions require maintenance, and we do that routinely. Anywhere from three to four people from the network teams to application owners are involved in the maintenance. This is a firewall in production, so we need to do maintenance after hours, but it would be nice if we didn't need to do it after hours.
Scalability is unparalleled. It is easy to scale.
We don't have plans to increase our usage at this time.
In previous years, Cisco's tech support has been great. Although, I have seen it declining. I would rate their support as seven out of 10.
Neutral
We have used the Check Point firewalls as well as several different vendors.
It secures the network. The ROI is really incalculable at this point as keeping our data secure is keeping the company's assets secure.
We did evaluate other vendors.
You need to be always looking ahead and proactively developing to build resilience.
I would rate the solution as eight out of 10. It is a world-class firewall.
The use case is protecting our building. We have one office and we use it to protect the network.
The fact that we can use Firepower Management Center gives us visibility. It allows us to see and manage the traffic that is going through the network.
We have an older version of the ASA and there are always improvements that could be made. Nowadays, nobody is in the office, so I need to figure out how to put the firewall outside. If I could have a centralized firewall that also receives information from external locations, like people's home offices, that would help us consolidate everything into one appliance.
I have been using Cisco ASA Firewalls for over 10 years.
We've had issues with it because we always run it in pairs for high availability. We've had issues with the unit, but not in the last five or six years. It's pretty, pretty stable.
The product we have has some limitations when it comes to scalability. That's one of the things we're looking to address with a new solution.
Technical support was good when I used it, but I haven't needed support for the solution lately. I know people complain about support, but I don't have experience with it for this device because I haven't needed support recently.
We do pay the annual fee for support and I expect them to be there in four hours with a new device, if we need one, as they've done in the past.
Positive
We didn't have a previous solution.
My system engineer did the initial setup and he's the person who manages it, day in and day out.
I don't think we've tracked enough data points to see ROI data points, but the value comes from the fact that it's still running and that we are still happy with it. That is definitely a good return on our investment.
The pricing is too high and the licensing is too confusing.
Go for it.
For our customers, Firepower is a classic perimeter firewall. Sometimes it's also for branch connections, but for those cases, we prefer Meraki because it's simpler. If a customer has Meraki and requires advanced security features, we will offer Firepower as a perimeter solution for them. Meraki is for SD-WAN and Firepower is for the perimeter.
Firewalls are not a new technology but they have a very distinct role in an enterprise for defending the perimeter. Firepower is for organizations that have traditional infrastructures, rather than those that are heavily utilizing cloud services. For us, the clients are government agencies and ministries, and we have a lot of them as our customers in Latvia.
Most firewalls do the same things, more or less. Because we have to compete with other vendors, it's the things that are different that are important. With Cisco, it's the security intelligence part. It's quite simple to configure and it's very effective. It cuts down on a lot of trouble in the early phases.
IPS and Snort are very important because they also differentiate Cisco from other vendors and competitors.
I also like that, in recent years, they have been developing the solution very quickly and adding a lot of new, cool features. I really love the new web interface of Cisco Secure Firewall Management Center. It looks like a modern web-user interface compared to the previous one. And the recent release, 7.2, provided even more improvements. I like that you have the option to switch between a simplified view and the classic view of firewall policies. That was a good decision.
A major area of improvement would be to have more functionality in public clouds, especially in terms of simplifying it. The high availability doesn't work right now because of the limitations in the cloud. Other vendors find ways to make it work differently than with on-prem solutions.
This is very important because we have customers that build solutions in the cloud that are like what they had on-prem. They have done a lift-and-shift because it's easier for them. They lift their on-prem physical boxes and shift them to the cloud, convert them to virtual, and it continues to work that way. Many times it's not the most efficient or best way to do things, but it's the easiest. The easiest path is probably the way to go.
I have been using Cisco Firepower NGFW Firewalls for four or five years now, but before that, I worked with ASA Firewalls a lot. It was just a transition. I have been using Firepower almost from day one.
We are an integrator and we resell as well as provide professional services. We do everything from A to Z.
There are a lot of things that can be improved. As a Cisco partner, I usually take the first hit if something doesn't work. In recent years, the solution has improved and is more stable. But it has to continue to improve in that direction.
A Firepower firewall is a very important point of exit and entry to a network. It's a critical piece of infrastructure. They should have high availability.
By comparison, I am also a huge fan of Stealthwatch (Cisco Secure Network Analytics) and I use it everywhere. I've been working with that solution for 15 years but it's not mission-critical. If it doesn't work, your boss is not calling you. If it doesn't work, it is not collecting telemetry and it doesn't do its job, but you are not stressed to fix it. With firewalls, it's a little different.
Tech support really depends on how lucky you are. It depends on when you create a TAC case and in which time zone the case is created. That determines which part of TAC takes ownership of your case. I have had a few unpleasant cases but, at the end of the day, they were resolved. I didn't feel like I was alone in the field with an angry customer.
Positive
We made a gradual transition from ASA to Firepower because they first had this as Sourcefire services. That is what we used to install first for our customer base. Then Firepower defense appliances and firmware came out. It was a natural process.
My view may be a little bit biased because I do a lot of Cisco deployments, and I have a lab where I play all the time. But overall the deployment is not too complicated.
The deployment time depends on what type of deployment you have. If it's a physical deployment, it may be a little bit faster because you don't have to set up virtual machines. But I recently had a project in AWS, and I used Terraform Templates and it was easy. I still had to configure some additional things like interfaces, IP addresses, and routing.
Because I know where everything is in the UI, the deployment is okay. One thing I miss a little bit is being able to configure things, like routing, via the command line, which is how it used to be done with the ASA Firewalls. But I understand why they've taken that ability away.
With ASA Firewalls, even when you were upgrading them, the experience was much better because it didn't have those advanced Snort features and you could usually do an upgrade in the middle of day and no one would notice. You didn't have any drops. With Firepower, that's not always the case.
It's hard to talk about pricing when you compare firewalls because firewall functionality is almost the same, regardless of whether it's a small box or a large box. The difference is just the throughput. Leaving aside things like clustering, what you have to look at are the throughput and the price.
Cisco's pricing is more or less okay. In other areas where we work with Cisco solutions, like other security solutions and networking, Cisco is usually much more expensive than others. But when it comes to firewalls, Cisco is cheaper than Check Point although it is not as cheap as FortiGate. But with the latest improvements in hardware and speed, the pricing is okay.
To me, as a partner, the licensing is quite simple. I'm responsible for providing estimates to my sales guys and, sometimes, as an architect, I create solutions for my customers and give them estimates. There are other Cisco solutions that have much more complicated licensing models than Firepower. In short, the licensing is quite okay.
Not all of our customers use Cisco and that means we have competition inside our company with Check Point. We also made some attempts with Palo Alto Firewalls, long before we became Cisco partners, but somehow it didn't work for us.
I enjoy working with Cisco because it's more of a networking-guy approach. It reminds me a lot of all the other Cisco equipment, like their switches and routers. The experience is similar.
I haven't worked a lot with Check Point firewalls, but I like how they look. What I don't really like is the way you configure them because it's very different from what networking guys are used to doing. I'm not saying it's bad, it's just different. It's not for me. Maybe it appeals more to server guys. Cisco has a more network-centric approach.
Typically, we use them on the internet edge for protecting customer networks from the internet. It's a delimiter between the local area network and the wider internet. Other use cases include securing data centers or protecting certain areas within a network. It's not particularly internet-based, but it gives you that added layer of security between networks or between VLANs and your network, rather than using a Layer 3 switch.
Ultimately, it's about securing data. Data is like your crown jewels and you need to be able to secure it from different user groups. Obviously, you need to protect your data from the internet and that's why we generally deploy Cisco ASAs.
The usability, with the GUI front end, certainly helps and it means you don't have to be a command-line person. We have to get away from that now because if you put the typical IT admin in front of a CLI they might struggle. Having something graphical, where they can click in logs to see what's going through the firewall (what's been denied, what's being allowed) very quickly, helps to get to a diagnosis or know something has been blocked. And when it comes to making changes within the environment, that can be done very quickly as well. I've seen something be blocked within a couple of minutes, and any IT admin can make a change through the GUI.
One of the most valuable features is the GUI front end, which is very easy to use. But I'm also a command-line guy, and being able to access the device via command-line for advanced troubleshooting is quite important.
One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes.
To have that kind of feature, it's more than likely there would need to be some kind of storage on the device, but those boxes were designed a number of years ago now. They weren't really designed to have that built-in. Having said that, if you do reflash into the FTD image, and you've got the Firepower Management Center to control those devices, then all that logging is kept within the Firepower Management Center.
I've been using Cisco ASA Firewalls since they came out. Before ASA, I used Cisco PIX Firewalls. I've been using them since about 1999 or 2000.
I'm involved in the presale events as well as the implementation and post-sale support. We do everything. That is probably different from a lot of organizations. We are quite a small company, so we have to be involved at all levels. I see it from all angles.
One of the reasons I've stuck with Cisco all these years is that you always get excellent support. If a network goes down due to major issues, I know I can raise a case with TAC and get through to subject matter experts very quickly.
Obviously, you need a SMARTnet contract. That means if a device has completely failed, you can get a box replaced according to the SLAs of that contract. That's very important for customers because if you have an internet edge failure and you just have a single device, you want to know that the replacement box is going to be onsite within four hours.
When a network goes down, you're going to know about it. You want to be safe in the knowledge that someone is going to be there for you and have your back. Cisco do have your back on those kinds of things.
Cisco support is a major selling point.
Positive
In terms of deployment, a lot of organizations are moving to the cloud. People are looking at the ASAv image for deploying into the public cloud on Azure or AWS. But there are still a lot of organizations that use ASAs as their internet edge.
The on-prem and the cloud-based deployments are very similar. When you're designing a solution, you need to look at the customer's business requirements and what business outcomes they actually want from a solution. From there, you develop architecture. Then it's a matter of selecting the right kinds of kits to go into the architecture to deliver those business outcomes. We talk to customers to understand what they want and what they're trying to achieve, and we'll then develop a solution to hopefully exceed their requirements.
Once we've gotten that far, we're down to creating a low-level design and fitting the components that we're going to deploy into that design, including the ASA firewalls and the switches, et cetera. We then deploy it for the customer.
Your investments are protected because of the innovations over time and the fact that you're able to migrate to the latest and greatest technology, through Cisco.
There are also a lot of Cisco ASA skills out there in the marketplace, so if you have ASAs deployed and you get a new employee, it's more than likely they have had experience with ASAs and that means you're not having to retrain people.
We do deploy other manufacturers' equipment as well, but if I were to deploy a solution with firewalling, my number-one choice would probably be Cisco ASA or the FTD image or Cisco Meraki MX.
The flexibility you have in a Cisco ASA solution is generally much greater than that of others in the marketplace.
For any Cisco environment, we choose Cisco because it comes down to support. If the network is Cisco, then you have one throat to choke. If there is a network issue, there's no way that Cisco can say, "It's the HP switch you've got down in the access layer."
ASA morphed from being just a traditional firewall, when they introduced the Firepower Next-Generation Firewall side. There has also been progress because you can reflash your old ASAs and turn them into an FTD (Firepower Threat Defense) solution. So you've got everything from your traditional ASA to an ASA with Firepower.
Cisco ASA has been improved over time, from what it was originally to what it is now. Your investments are being protected by Cisco because it has moved from a traditional firewall through to being a next-gen firewall. I'm a fan of ASA.
I think ASAs are coming towards the end of their lifespan and will be replaced by the FTDs. It's only a matter of time. But there are still a lot of Cisco customers who use ASAs, so migrating that same level of knowledge those customers have of the ASA platform across to the FPR/FTD image, will be a challenge and will require investment.
This product protects our computer systems. I use it as a traditional firewall service. I don't have any special use cases for it.
Firepower has reduced our firewall operational costs by about 25 percent.
Sometimes there is a lack of performance. One of my colleagues is using the firewall as an IPS, but he is worried about Firepower's performance. It is much lower than we expected. They need to improve the performance a lot. With the 10 Gb devices, when it gets to 5 Gbps, the CPU usage goes up a lot and he cannot manage the IPS.
I have been using Cisco Firepower NGFW Firewall for more than two years.
The most valuable property is the stability. It doesn't crash.
When I have had issues with the software, I don't think they have given me the right answers. The support for the software isn't that good, but support for the hardware is very good.
Neutral
Although I work in Korea, I needed a means of deploying computer systems in other countries. Two or three years ago I was looking for a proper solution that would cover global sites. I chose Cisco products because Cisco has a very large presence all over the world.
Once I got used to this product, it was easy to use other products, but it was not easy for me the first time.
Firepower is a little bit expensive, although there are no additional costs beyond the standard ones.
We have several brands of firewalls in our organization. Compared to them, the ease of management of the Cisco firewalls is pretty good.
When you calculate the capacity you need, you should add a buffer for performance.
There are 25 users of the solution on my team and they are all network security specialists.
I work for an engineering company that has multiple sites located in different locations, overseas and domestically in Pakistan. There are 30 to 35 sites connected to our network. We restrict the website at these locations using the Cisco Firepower module.
The main thing that I love the most is its policy and objects. Whenever I try to give access to a user, I can create an object via group creation in the object fields. This way, I am not able to enter a user in the policy repeatedly.
Cisco Firepower is not completely integrated with Active Directory. We are trying to use Active Directory to restrict users by using some security groups that are not integrated within the Cisco Firepower module. This is the main issue that we are facing.
There are some other issues related to their reports where we want to extract some kind of user activity. When a user tries to connect to our website, we are unable to read its logs in a proper manner and the report is not per our requirement. These are two things that we are facing.
Per my requirements, this product needs improvement. For example, I want to use and integrate with Active Directory groups.
We have been using it since last year.
It is a stable product.
I haven't tried to work with Cisco support.
In the last 10 years, we were using the Barracuda Web Security. Compared with that product, I would give this solution six or seven out of 10. Barracuda has one of the best web security features, giving access to users by deploying a web agent on client computers at different sites.
Barracuda Web Security's hardware was obsolete so our management never tried to renew its license. That is why we are trying to use the Cisco Firepower module. We want to understand their web security gateways, web security logs, what it provides, and the kind of reporting it has. We are currently doing research and development regarding what features and facilities it provides us compared to our requirements.
I am happy with the web security. However, I am not happy with the groups, reports, and integration with Active Directory.
We are using the web security, and only the web security feature. Therefore, if someone asked me to give them advice about the Cisco product, then I will definitely not recommend it since it is not fulfilling our requirement. We have different sites located domestically and at overseas sites, which is about 30 to 35 sites. It is not locating any of the clients. This is compared to the Barracuda web agent on the client computer, which is always connected to Barracuda with live IP addresses, pushing and pulling all the procedures and policies to that client and computer. This is why I will not recommend the product to anyone who has a similar situation to ours.
I would love to use the product in the future, if my requirements are met.
I would rate the product as four out of 10.
