Cisco Secure Firewall Reviews

We have an offshore development center with around 1,400 users (in one location) where we have deployed this firewall.

The maturity of our organization’s security implementation is a four out of five (with five being high). We do have NOC and SOC environments along with in-built access to our systems. 

We use Acunetix as one of our major tools. We do have some open source. There are a couple of networks where we are using the Tenable tool. We have implemented an SIEM along with a Kaspersky at the cloud level. In the Cisco firewall, we installed Kaspersky in the firewall logs which upload to Kaspersky for us to review back.

Being able to determine our active users vs inactive users has led us to increased productivity through visibility. Also, if an issue was happening with our throughput, then we wouldn't know without research. Now, notifications are more proactively happening.

The advance malware protection (AMP) is valuable because we didn't previously have this when we had an enterprise gateway. Depending on the end user, they could have EDR or antivirus. Now, we have enabled Cisco AMP, which give us more protection at the gateway level. 

The application visibility is also valuable. Previously, with each application, we would prepare and develop a report based on our knowledge. E.g., there are a couple business units using the SAS application, but we lacked visibility into the application layer and usage. We use to have to configure the IP or URL to give us information about usage. Now, we have visibility into concurrent SAS/Oracle sessions. This solution gives us more visibility into the inbound/outbound traffic being managed. This application visibility is something new for us and very effective because we are using Office 365 predominantly as our productivity tool. Therefore, when users are accessing any of the Office 365 apps, this is directly identified and we can see the usage pattern. It gives us more visibility into our operations, as I can see information in real-time on the dashboards.

The solution has positively affected our organization’s security posture. I would rate the effects as an eight (out of 10). There is still concern about the engagement between Cisco Firepower and Cisco ASA, which we have in other offices. We are missing the visibility between these two products.

We would like more application visibility and an anti-malware protection system, because we don't have this at the enterprise level.

The central management tool is not comfortable to use. You need to have a specific skill set. This is an important improvement for management because I would like to log into Firepower, see the dashboard, and generate a real-time report, then I question my team.

Nearly a year.

So far, it has been stable.

We have around 32 people for maintenance. Our NOC team works 24/7. They are the team who manages the solution.

Scalability is one of our major business requirements. We are seeing 20 percent growth year-over-year. The plan is to keep this product for another four years.

We contacted Cisco directly when issues happened during the implementation, e.g., the management console was hacked.

We used Fortinet and that product was coming to end of life. We had been using it continuously for seven years, then we started to experience maintenance issues.

Also, we previously struggled to determine who were all our active users, especially since many were VPN users. We would have to manually determine who was an inactive user, where now the process is more automated. It also had difficult handling our load.

The initial setup was complex. We engaged NTT Dimension Data as there were a couple things that needed to be done for our requirements and validation. This took time to get signed off on by quality team. However, the configuration/implementation of the system did not take much time. It was a vanilla implementation.

We did face performance issues with the console during implementation. The console was hacked and we needed to reinstall the console in the virtual environment. 

We were engaged with a local vendor, NTT Dimension Data, who is a Cisco partner. They were more involved on the implementation and migration of the firewall. Some channels were reconfigured, along with some URL filtering and other policies that we used for configuration or migration to the new server.

Our experience with NTT Dimension Data has been good. We have been using them these past four to five years.

We have seen ROI. Our productivity has increased.

The change to Cisco Firepower has reduced the time it takes for our network guy to generate our monthly report. It use to take him many hours where he can now have it done in an hour.

Cisco pricing is premium. However, they gave us a 50 to 60 percent discount.

There are additional implementation and validation costs.

We also evaluated Check Point, Palo Alto, Sophos, and Cisco ASA. In the beginning, we thought about going for Cisco ASA but were told that Firepower was the newest solution. We met with Cisco and they told us that they were giving more attention going forward to Firepower than the ASA product.

We did a small POC running in parallel with Fortinet. We evaluated reports, capability, and the people involved. Palo Alto was one of the closest competitors because they have threat intelligence report in their dashboard. However, we decided not to go with Palo Alto because of the price and support.

We are using Cisco at a global level. We have internally integrated this solution with Cisco Unified Communications Manager in a master and slave type of environment that we built. It uses a country code for each extension. Also, there is Jabber, which our laptop users utilize when connecting from home. They call through Jabber to connect with customers. Another tool that we use is Cisco Meraki. This is our all time favorite product for the office WiFi environment. However, we are not currently integrating our entire stack because then we would have to change everything. We may integrate the Cisco stack in the future. It should not be difficult to integrate since everything is a Cisco product. The only issue may be compliance since we have offices in the US and Europe.

We are now using a NGFW which helps us deep dive versus using a normal firewall.

Overall, I would rate Cisco Firepower as an eight (out of 10).

Our primary use cases for FTD are IPS, intrusion detection, and to get visibility into the network and the traffic that is going on in some sites. We always have them in-line, meaning that they're between two networking connections, and we analyze the traffic for the purposes of internal detection.

In production, from the FTD line, we mostly have 2110s and 2130s because we have a lot of small sites, and we are starting to put in some 4110s. We only have FirePOWER here, but we don't use them most of the time as next-gen firewalls but more as an IPS.

Everything is on-premises. We don't use public clouds for security reasons.

When you put FTD between your internet and network units, you can get valuable insights about your encrypted traffic on the web, DNS traffic, and the like. It gives us statistics up to Layer 7.

Although I can't go into the details, the way the solution has helped our organization is more on the root-cause side when there is an incident, because we get very detailed information.

FTD's ability to provide visibility into threats is very good, if the traffic is clear. Like most companies, we have the issue that there is more and more encrypted traffic. That's why we use Stealthwatch instead, because we can get more information about encrypted traffic. But FTD is pretty good. It gives us a lot of details.

We put them in in-line and in blocking mode and they have stopped some weird things automatically. They help save time every day. We have 150,000 people all over the world, and there are times when computers get infected. It helps save time because those infections don't propagate over the network.

The fact that we can centrally manage clients for our IPS, and that we can reuse what we type for one IPS or one firewall, makes it easy to expand that to multiple sites and multiple devices. Overall, it has been a great improvement.

The IPS, as well as the malware features, are the two things that we use the most and they're very valuable.

Cisco Talos is also very good. I had the chance to meet them at Cisco Live and during the Talos Threat Research Summit. I don't know if they are the leader in the threat intelligence field but they are very competent. They are also very good at explaining complicated things easily. We use all of their blacklist, threat intelligence, and malware stuff on our FTDs. We also use the website from Talos where you can get web reputation and IP reputation.

For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending on what we activate. If we activate too many intrusion policies, it affects the CPU. We have great hopes for the next version. We have integrated Snort 3.0, the new Snort, because it includes multi-threading. I hope we will get better performance with that.

The stability depends on the version. The latest versions are pretty good. Most of the time, we wait for one or two minor version updates before using the new major version because the major versions go through a lot of changes and are still a bit unstable. For example, if you take 6.3, it started to be pretty stable with 6.3.03 or 6.3.04.

Scalability depends on the site. At some sites we have ten people while at others we have a data center with a full 10 Gig for all the group. We have had one issue. When there are a lot of small packets — for example, when our IPS is in front of a log server or the SNMP servers — sometimes we have issues, but only when we get a peak of small packets.

We've got a little history with tech support. We have very good knowledge within our team about the product now. We have a lab here in Montreal where we test and assess all the new versions and the devices. Sometimes we try to bypass level-one tech support because they are not of help. Now, we've have someone dedicated to work with us on complex issues. We use them a lot for RMAs to return defective products.

In our company, we have used another firewall which we developed based on FreeBSD.

I, personally, used to work with Juniper, Check Point, and Fortinet. I used Fortinet a lot in the past. If you use the device only for pure firewall, up to Layer 4, not as an application or next-gen firewall, Fortinet is a good and cheaper option. But when it comes to a UTM or next-gen, Cisco is better, in my opinion. FortiGate can do everything, but I'm not sure they do any one thing well. At least with Cisco, when you use the IPS feature, it's very good.

Setting up an FTD is a bit more complex with the new FTD line. They integrated the FXOS, but the OS is still not fully integrated. If you want to be able to fully manage the device, you still need to use two IP addresses: One for FXOS and one for the software. It's complicating things for the 4110 to have to, on the one hand manage the chassis and the hardware on one, and on the other hand to manage the logical device and the software from another one.

But overall, if you take them separately, it's pretty easy to set up and to manage.

The time it takes to deploy one really depends. I had to deploy one in Singapore and access the console remotely. But most of the time, once I get my hands on it, it can be very quick because we have central management with FMC. Setting up the basic configuration is quick. After that, you have to push the configuration that you use for your group IPS and that's it. My experience is a bit different because I lose time trying to get my hands on it since I'm on the other side of the world. But when I get access to it, it's pretty easy to deploy. We have about 62 of them in production, so we have a standard for how we implement them and how we manage them.

We have Professional Services and consultants who work with us on projects, but not for the deployment. We have our own data centers and our own engineers who are trained to do it. We give them the instructions so we don't need Cisco help for deployment. We have help from Cisco only for complex projects. In our case, it requires two people for deployment, one who will do the configuration of the device, and one who is physically in the data center to set up the cables into the device. But that type of setup is particular to our situation because we have data centers all around the world.

For maintenance, we have a team of a dozen people, which is based in India. They work in shifts, but they don't only work on the FTDs. They work on all the security devices. FTD is only a part of their responsibilities. Potentially we can be protecting 140,000 people, meaning all the employees who work on the internal network. But mostly, we work for international internal people, which would be roughly 12,000 people. But there are only three people on my team who are operators.

ROI is a difficult question. We have never done the calculations, but I would say we see ROI because of some security concerns we stopped.

Cisco changed its price model with the new FTD line, where the appliances are a bit cheaper but the licensing is a bit more expensive. But that's not only Cisco, a lot of suppliers are doing that. I don't remember a lot of the licensing for Fortinet and Check Point, but Cisco's pricing is high, at times, for what they provide.

FTD is pretty good. You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license. It's pretty good to have the Cisco and Talos teams working closely. I know Palo Alto has an similar arrangement, but not a lot of suppliers get that chance.

Our organization's security implementation is pretty mature because we try to avoid the false positives and we try to do remediation. We try to put threat intelligence over a link to our IPS next-gen firewalls.

Overall, we have too many tools for security in our organization — around a dozen. It's very complicated to integrate all of them. What we have done is to try to use the Elastic Assist Pack over all of them, as a main point of centralization of log information. The number of tools also affects training of teams. There are issues because one tool can't communicate with the another one. It can be very hard, in terms of technical issues and training time, to have everybody using all these processes.

We also use Cisco Stealthwatch, although not directly with the FTD, but we hope to make them work together. There is not enough integration between the two products.

Overall, FTD is one part of our security strategy. I wouldn't rely only on it because we've got more and more issues coming from the endpoints. It lets you decipher everything but sometimes it is very complicated. We try to use a mix and not rely only on the FTDs. But for sure it's great when you've got a large network, to give you some visibility into your traffic.

I rate it at eight out of ten because it's pretty good technology and pretty good at stopping threats, but it still needs some improvement in the management of the new FTD line and in performance.

We have a lot of use cases of FirePower. In one of the use cases, we have two offices, and we use FirePower on our two sites. One of them works through the site-to-site VPN, and we have a controller on this site.

I work with Cisco and other partners, but the Cisco team is the best team in our country. When I call them, they always help us. 

I started to configure the device with version 7.2. After that, I had a problem. It was not a physical problem. It was a software problem. They advised me to install 7.0. I uninstalled and reinstalled everything. It took time, but it started to work normally.

I am not a programmer, but on the business side, they should fix all such issues in the future. We are Cisco partners, and when we recommend Cisco FirePower to customers, they always think that FirePower is bad. For a single installation of FirePower, if I have to write about 18 tickets to Cisco, it's a big problem. There was an issue related to Azure. We had Active Directory in Azure. The clients had to connect to FirePower through Azure. We had a lot of group policies. After two group policies, we had to make groups in Azure, and they had to sign in and sign back. It was a triple-layer authentication, and there was a big problem, so we didn't use it.

We have been using this solution for about two years.

It's very stable now. Everything is fine for me.

I use just two devices. I've not tested anything else.

Their customer support is very good. We also work with other vendors, but Cisco's support is still the best. I'd rate them a 10 out of 10.

Positive

For me, it was very easy because I solved all problems, but I had to install it two times. 

We are a reseller, and for us, it's a 10 out of 10 because if we sell it, we will earn money, but customers have to agree with us.

We mainly use it in the data center. We are obliged to use a firewall. It's a necessity.

It has helped in securing our infrastructure from end to end so that we can detect and remediate threats. There is another office in my company that does threat detection, but it has been helpful.

It hasn't freed up any time. We still have to manage the firewall. It's something we have to do.

All the features except IPS are valuable. IPS is not a part of my job.

It's already pretty good. In terms of functionality, there isn't much to improve. There could be more bandwidth and better interface speed.

I've been using Cisco firewalls for 20 years.

Its stability is very good.

It's better to have a higher speed. I'd rate it an eight out of ten in terms of scalability.

We have multiple locations and multiple departments. We are a big company, and we have a lot of remote sites. We have about 6,000 of them.

They are very good. From time to time, Cisco employees come to us and provide information about the latest features and new products. I'd rate them a ten out of ten.

Positive

We have other firewalls, and it hasn't helped to consolidate other solutions. We have to use the Cisco firewall and other vendors because of internal law. We have to use two firewalls, one from vendor A and the other one from vendor B.

We went for Cisco because it's affordable. It's something you can trust. It's something you know. It's a valued product. 

I've been involved in configuring it and assessing and ensuring that the configuration is up to date and there are no bugs, etc.

Its initial setup is not at all complex. I've been working with Cisco firewalls for 20 years, so I know them very well. It's not complicated for me.

We have all deployment models. We have on-premises and cloud deployments. We have everything. I belong to a big organization.

We had a consultant for integrating the product. Our experience with the consultant was good.

The number of people required for deployment varies, but one person can deploy the solution. It's quite easy to implement. It doesn't require a lot of staff.

It requires normal maintenance.

It's affordable.

Try it. You will be happy. 

I'd rate Cisco Secure Firewall a ten out of ten.

We use this solution to provide firewall solutions for clients. We have been transitioning from ASA to FTD, since FTD has come out with new versions or upgrades.

This solution is very flexible and offers different functionality including firewalls and VPN connectivity. It checks a lot of boxes. It is an easy solution to learn how to use and the positive impact on our organization was apparent as soon as we implemented it. 

The CLI is the most valuable feature. We are moving towards FTD, which is more GUI based. The value of this solution lies in the fact that it is a standard platform that's been around for years and is always improving. This is important to us due to the necessity of ensuring cyber security. 

We are replacing ASA with FTD which offers many new features. 

We have been using this solution since 2009. 

This is a stable solution. 

This is a very scalable solution as long as you get the right hardware. 

Over the last two years, getting a response from the support engineers has been challenging. This could be due to the impact of COVID. 

We sell a lot of different firewall varieties including SonicWall, Cisco ASA, and FTD. 

When setting up the solution for our clients, we ensure they have the bandwidth they need and consider what their throughput needs are. The solution does require maintenance in terms of patching. This requires approximately six team members depending on how many moving parts there are for clients. 

We have seen a return on investment using this solution based on the fact that we are spending less money overall. 

The pricing for this solution is pretty fair. 

If it is possible, I would advise others to try out a demo with Cisco to test their firewalls. The biggest lesson I learned from using this solution is that there are many ways to achieve the same outcome. 

I would rate this solution a nine out of ten. 

Our primary use case includes basic firewalls, VPNs, NAT, and our connections to customers.

It's used in our data centers to protect the network and customer circuits.

Cisco ASA Firewall has improved our organization by allowing connectivity to the outside world and into different places.

Cybersecurity resilience is very important to our organization. There are always threats from the outside, and the firewall is the first line of defense in protecting the network.

Cisco ASA Firewall is a well-known product. They're always updating it, and you know what they're doing and that it works.

It would be good if Cisco made sure that the solution supports all routing protocols. Sometimes it doesn't.

I've been using it for probably 10 to 15 years.

For the most part, it's stable.

It's a very scalable solution.

The technical support is very good, and I would give them a nine out of ten.

Positive

The pricing and licensing are getting more complicated, and I'd like that to be simpler.

We evaluated some Palo Alto and Juniper solutions, but Cisco ASA Firewall is better in terms of ease of use. You could get certified in it.

To leaders who want to build more resilience within their organization, I would say that the ASA, along with its features, is a good product to have as one of the lines of defense.

The solution does require maintenance. We have four network engineers who
are responsible for upgrading code and firewall rules, and for new implementations.

On a scale from one to ten, I would rate Cisco ASA Firewall a nine. Also, it's a very good product, and it compares well to others.

The use case is protecting our building. We have one office and we use it to protect the network.

The fact that we can use Firepower Management Center gives us visibility. It allows us to see and manage the traffic that is going through the network.

We have an older version of the ASA and there are always improvements that could be made. Nowadays, nobody is in the office, so I need to figure out how to put the firewall outside. If I could have a centralized firewall that also receives information from external locations, like peoples' home offices, that would help us consolidate everything into one appliance.

I have been using Cisco ASA Firewalls for over 10 years.

We've had issues with it because we always run it in pairs for high availability. We've had issues with the unit, but not in the last five or six years. It's pretty, pretty stable.

The product we have has some limitations when it comes to scalability. That's one of the things we're looking to address with a new solution.

Technical support was good when I used it, but I haven't needed support for the solution lately. I know people complain about support, but I don't have experience with it for this device because I haven't needed support recently.

We do pay the annual fee for support and I expect them to be there in four hours with a new device, if we need one, as they've done in the past.

Positive

We didn't have a previous solution.

My system engineer did the initial setup and he's the person who manages it, day in and day out.

I don't think we've tracked enough data points to see ROI data points, but the value comes from the fact that it's still running and that we are still happy with it. That is definitely a good return on our investment.

The pricing is too high and the licensing is too confusing.

Go for it.

We use it as a next-generation firewall for the perimeter. I generally use it on-premises.

It helps protect my servers from hackers.

The most valuable feature is the Intrusion Prevention System.

Most of the features don't work well, and some features are missing as well. The completeness of the solution is most important for me. It should be complete, but some parts are missing. Cisco should improve it.

Every part of the features should be developed. That includes the next-generation firewall parts, such as application recognition.

I have been using Cisco Firepower NGFW Firewalls for about five years. I am an integrator and reseller of multiple vendors' products.

The stability is getting better day by day, but I would expect a more stable solution, to be honest. It is stable now, but we have solutions that are more stable.

Technical support is nice, but most of the limitations or problems are caused by the product itself. There's nothing that a technical engineer can do about them.

The licensing package is good, but the licensing fee should be decreased.

I have used CheckPoint, Palo Alto, Juniper, and FortiGate. The Palo Alto solution is complete. 

If I choose Cisco Firepower it is mostly because of its integration with other solutions. When the customer has several Cisco solutions, I put Cisco Firepower on top of them. But if the customer has a complex environment, I generally prefer other solutions.

For specific needs, like VPN, you can use Cisco Firepower. But our expectation is for a next-generation Firewall or UTM solution that includes all the features. I cannot recommend Firepower to others, at the moment, as a unified threat management solution.

Generally, if the customer's number of users is greater than 100, that's when the Cisco solution is more likely to be effective.

Maintenance of the solution requires one or two people.