Cisco Secure Firewall Reviews

We primarily use this firewall for IPS, IAM, threat defense, and NAT.

I am from the networking department.

We are using the Firepower Management Center (FMS) and the management capabilities are okay. I would not say that they are good. The current version is okay but the earlier versions had many issues. The deployment also takes a long time. It takes us hours and in some cases, it took us days. The latest version 6.6.1, is okay and the deployment was quick.

I have tried to compare application visibility and control against Fortinet FortiGate, but so far, I don't see much difference. As I try to determine what is good and what is bad, I am seeking third-party opinions.

The most valuable feature is the threat defense. This product works well for threat defense but for everything else, we use Cisco ASA.

This product has a lot of issues with it. We are using it in a limited capacity, where it protects our DR site only. It is not used in full production.

The main problem we have is that things work okay until we upgrade the firmware, at which point, everything changes, and the net stops working. As a financial company, we have a lot of transactions and when the net suddenly stops working, it means that we lose transactions and it results in a huge loss.

We cannot research or test changes in advance because we don't have a spare firewall. If we had a spare then we would install the new firmware and test to see if it works, or not. The bottom line is that we shouldn't have to lose the network. If we upgrade the firmware then it should work but if you do upgrade it, some of the networks stop working. 

We have been using the Cisco Firepower NGFW Firewall for three years.

Cisco's technical support is the best and that's why everybody implements their products. But, when it comes to Firepower, we have had many delays with their support. For all of the other Cisco products, things are solved immediately.

Nowadays, they're doing well for Firepower also, but initially, there was no answer for some time and they used to tell us that things would be fixed in the next version. That said, when comparing with other vendors, the support from Cisco is good.

We use a variety of tools in the organization. There is a separate department for corporate security and they use tools such as RedSeal.

In the networking department, we use tools to analyze and report the details of the network. We also create dashboards that display things such as the UP/DOWN status.

We have also worked with Cisco ASA, and it is much better. Firepower has a lot of issues with it but ASA is a rock-solid platform. The reason we switched was that we needed to move to a next-generation firewall.

The initial setup was not easy and we were struggling with it.

In 2017, we bought the Firepower 2100 Series firewalls, but for a year, there was nothing that we could do with them. In 2018, we were able to deploy something and we had a lot of difficulties with it.

Finally, we converted to Cisco ASA. When we loaded ASA, there was a great difference and we put it into production. At the time, we left Firepower in the testing phase. In December 2018, we were able to deploy Firepower Threat Defense in production, and it was used only in our DR site.

We do our own maintenance and there are three or four of us that are responsible for it. I am one of the network administrators. We can also call Cisco if we need support.

From the perspective of return on investment, implementing the Firepower 2100 series is a bad decision.

Firepower has a very high cost and you have to pay for the standby as well, meaning that the cost is doubled. When you compare Fortinet, it is a single cost only, so Fortinet is cheaper.

Prior to Firepower, we were Cisco customers and did not look to other vendors.

Given the problems that we have had with Cisco, we are moving away from them. We are now trying to implement FortiGate and have started working with it. One thing that we have found is that the Fortinet technical support is very bad.

I would rate this solution a five out of ten.

It has been great for blocking incoming bad actors. The new Firepower modules have been a welcome additive to that.

Cybersecurity resilience has helped us be able to react and respond in a quick fashion to anything that may be happening or any anomalies within the environment.

The solution has provided us a sense of security, reliability, and trustworthiness.

The most valuable feature would be the IP blocking. It gets rid of things that you don't need in your environment.

Its resilience helps offer being able to react and self-heal.

The solution is overcomplicated in some senses. Simplifying it would be an improvement.

I have used the ASA solutions for a better part of 10 years.

The stability is unparalleled.

All solutions require maintenance, and we do that routinely. Anywhere from three to four people from the network teams to application owners are involved in the maintenance. This is a firewall in production, so we need to do maintenances after hours, but it would be nice if we didn't need to do it after hours

Scalability is unparalleled. It is easy to scale.

We don't have plans to increase our usage at this time.

In previous years, Cisco's tech support has been great. Although, I have seen it declining. I would rate their support as seven out of 10.

Neutral

We have used the Check Point firewalls as well as several different vendors.

It secures the network. The ROI is really incalculable at this point as keeping our data secure is keeping the company's assets secure.

We did evaluate other vendors.

You need to be always looking ahead and proactively developing to build resilience.

I would rate the solution as eight out of 10. It is a world-class firewall.

The use case is protecting our building. We have one office and we use it to protect the network.

The fact that we can use Firepower Management Center gives us visibility. It allows us to see and manage the traffic that is going through the network.

We have an older version of the ASA and there are always improvements that could be made. Nowadays, nobody is in the office, so I need to figure out how to put the firewall outside. If I could have a centralized firewall that also receives information from external locations, like peoples' home offices, that would help us consolidate everything into one appliance.

I have been using Cisco ASA Firewalls for over 10 years.

We've had issues with it because we always run it in pairs for high availability. We've had issues with the unit, but not in the last five or six years. It's pretty, pretty stable.

The product we have has some limitations when it comes to scalability. That's one of the things we're looking to address with a new solution.

Technical support was good when I used it, but I haven't needed support for the solution lately. I know people complain about support, but I don't have experience with it for this device because I haven't needed support recently.

We do pay the annual fee for support and I expect them to be there in four hours with a new device, if we need one, as they've done in the past.

Positive

We didn't have a previous solution.

My system engineer did the initial setup and he's the person who manages it, day in and day out.

I don't think we've tracked enough data points to see ROI data points, but the value comes from the fact that it's still running and that we are still happy with it. That is definitely a good return on our investment.

The pricing is too high and the licensing is too confusing.

Go for it.

We mainly use it for site-to-site VPNs, connecting to other businesses. I work in manufacturing and hospitals.

We connect to remote networks: manufacturing-to-businesses and hospital-to-hospital.

It was deployed in our data center across multiple sites. At the hospital where I last worked, it was deployed at 18 sites, then we did VPNs between our hospital and clinics.

We don't have to worry about when something goes down. Instead of saying, "Oh my gosh, this went down and now we have a gap here," it has automatic failovers and built-in redundancy. So, it says, "I don't have a gap anymore." This is one less thing to worry about, which was a big benefit for me. If our security group comes back, and says, "Hey, this is down." Then, it is like, "Yeah, we got it covered."

Our security groups are always very adamant that things stay up. If something went down, they say, "Why did it go down? How do we prevent it?" Since resiliency is already built-in on its initial design, we don't have to go back in every time, and say, "Here, this is what we did. This is why it was done like this." Instead, it is just, "Yes, they blessed it, and it's approved," and we don't have to go back and keep reinventing the wheel every time.

I like the ASDM for the firewall because it is visual. With the command line, it is harder to visualize what is going on. A picture is worth a thousand words.

Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it.

I have been using this solution for more than 20 years.

I have never had any problems with stability. In the 20-plus years that I have used them, I don't think I have ever had a failure on them. They have always been rock-solid.

We haven't done much with scalability. We have always just done active standby. However, it scales once you figure out how to do it. If there are site-to-site VPNs within your own location, it is easier because there is a template, where it is, "Here, change this IP address. Change this IP address. There, it's done." 

Third-parties weren't bad. Once my side was done, then we could easily cut and paste it, and say, "Okay, here's what my side's configured for. If you have something that is not working, then you can tell me what it is and I will help you." However, we never really had anything that we couldn't fix. It was also possible to scale on the other side.

I haven't called tech support very often. When I did call them, they could tell me what the problem was. That is where I started learning, "Here are the commands that you should be using to debug this." They have been very helpful. I would rate them as nine out of 10.

Positive

I have used Palo Alto and Fortinet. We switched mainly because we were trying to unify all our products. Instead of using multiple systems, everything with the Cisco solution is end-to-end with different views of security. Some of them wanted to be diverse, keeping things separate. For others, it was easier if everything was just with one vendor. Also, if you are Cisco-centric, it is also easier.

Since I have been using this solution, I have seen it grow. When they first started doing it, it was more like, "Here's the command line. Here's what you got to do." Now, it's easier for a new engineer to come on, and say, "Okay. Here, you are going to start supporting this, and here is how you do it," which has made life easier. Since it is a repeatable thing, no matter which company you go to, it is the same. If you get somebody who is doing it on the other side of the VPN, it is a lot easier. So, I like the Cisco product. I have used several different ones, and it's like, "Well, this is the easiest one." It might be just the easiest one because I have used it long enough, but it is also a good product. It just helps us be consistent.

We did a lot of site-to-site VPNs. We also did a third-party, which is Palo Alto or something. Though, some of them were SonicWall. It is like, "Okay, I don't know how the site is configured, then I spend hours trying to troubleshoot a VPN." The more you use it, the easier it gets. It used to take days to do it. Whereas, the last one that I built took about 30 minutes. The more we use it, the better the outcome is and the faster we can do it. Now, I am not spending days building a VPN, which should only take 10 to 15 minutes.

There is ROI when you use it more.

Once you know what the product is, it is not that bad. Yes, it is expensive. When you try to get a license, it is like, "Well, I don't know which one of these I need. And, if I don't buy it now, then I will probably be back later. Now, I have to justify the money." Typically, you end up just buying everything that you don't use most of the time. It is one of those solutions where you get what you pay for. If you don't know what you need, just buy everything. We have additional licenses that we don't use.

Take your time with it. Actually, read the documentation. Don't just assume you know what stuff means since that will sometimes come back and bite you. I have done that too many times. If you go from version to version, it changes a little bit, and so it is like, "Well I don't know why it doesn't work." Then, you go read the notes, "Oh, yeah. This changed and it is done over here now."

Building more resiliency should be a priority, and it's going to take money to do that. So, you need to actually believe and invest in it. Otherwise, it's an idea. It's great, because we all want redundancy, but nobody typically wants to spend the money to do it. Or, they want to do it as cheaply as possible. It's like, "Okay, I can do that," but you're going to have more gaps. Then, it is not really worth it. Therefore, invest the money the first time and do it right.

I would rate it as nine out of 10.

We use it as a next-generation firewall for the perimeter. I generally use it on-premises.

It helps protect my servers from hackers.

The most valuable feature is the Intrusion Prevention System.

Most of the features don't work well, and some features are missing as well. The completeness of the solution is most important for me. It should be complete, but some parts are missing. Cisco should improve it.

Every part of the features should be developed. That includes the next-generation firewall parts, such as application recognition.

I have been using Cisco Firepower NGFW Firewalls for about five years. I am an integrator and reseller of multiple vendors' products.

The stability is getting better day by day, but I would expect a more stable solution, to be honest. It is stable now, but we have solutions that are more stable.

Technical support is nice, but most of the limitations or problems are caused by the product itself. There's nothing that a technical engineer can do about them.

The licensing package is good, but the licensing fee should be decreased.

I have used CheckPoint, Palo Alto, Juniper, and FortiGate. The Palo Alto solution is complete. 

If I choose Cisco Firepower it is mostly because of its integration with other solutions. When the customer has several Cisco solutions, I put Cisco Firepower on top of them. But if the customer has a complex environment, I generally prefer other solutions.

For specific needs, like VPN, you can use Cisco Firepower. But our expectation is for a next-generation Firewall or UTM solution that includes all the features. I cannot recommend Firepower to others, at the moment, as a unified threat management solution.

Generally, if the customer's number of users is greater than 100, that's when the Cisco solution is more likely to be effective.

Maintenance of the solution requires one or two people.

The primary use is as edge firewalls to the Internet.

We are only on-premise. There is still no cloud plan.

It provides visibility and information to the organization about what is being accessed on the Internet as well as the applications that it is protecting.

It is part of our security strategy.

• Anti-malware protection
• Web Filtering
• VPN Remote-Access

The most valuable feature is the anti-malware protection. It protects the endpoints on my network.

We use the application visibility and control feature of Cisco firewalls.

The ease of use needs improvement. It is complex to operate the solution. The user interface is not friendly.

I have been using it for eight to 10 years.

We have 200 users using this solution.

The technical support is good, but it could be better. I would rate them as six out of 10.

Neutral

The setup is not too complex. We implemented it on all our ports.

We have five people on our cybersecurity team.

The solution's ability to provide visibility into threats is fine, but the Fortinet and Check Point solutions have better dashboards and information about visibility.

We are also using Cisco AnyConnect, Umbrella (as a cloud proxy), and ISE. We have between five or six antivirus, proxy, anti-malware, data loss prevention, VPN client, and firewall tools.

I would rate this Cisco product as six out of 10.

We provide IT solutions. We provide solutions to our customers based on their requirements. We support them from the beginning and do the installation and configuration in the head office and front office.

We installed Cisco ASA to support a customer in a WAN environment. They used it for site-to-site VPN and remote VPN. They used it for accessing remote office locations via the remote VPN feature. They had Cisco ASA 5500.

It made our customer's network more secure. They also have customers outside the office, and they are able to use the remote VPN feature to log in securely.

The high-availability and remote VPN features are most valuable.

It is easy to configure. It has a GUI and a CLI.

It doesn't have Layer 7 security.

I used this solution for maybe a year.

It is stable.

It is scalable.

For any issues, we contact the local support. They are very easy to deal with.

I have also worked with Fortigate.

It was easy to configure. The site-to-site VPN configuration didn't take too much time. It was complete in three to four hours.

Its price is moderate. It is not too expensive.

I would rate Cisco ASA Firewall a nine out of 10.

We use it for intrusion prevention and in our VPN that is connected to our head office. It provides protection and security and node clustering. It gives us all the security features that we need within our environment.

The features that are most valuable within the firewall are the IPS as well as the Unified Communications. We also really like the dynamic grouping.

An area for improvement is the graphical user interface. That is something that is coming up now. They could make the product more user-friendly. A better GUI is something that would make life much easier. Traditionally, Cisco products have been command-line-based.

The Cisco ASA Firewall has been in our environment for the past seven years.

The product is very stable. We've not had any challenges with it in all this time. It performs very well.

We have 2,000 users who connect through this product. We are planning to increase use as we go, toward the end of the year.

The technical support has been excellent. When there have been any issues, they've always been there for us.

The initial configurations were straightforward, not complex at all. It took us just two days to finalize things.

We did most of the setup in-house, but we also had assistance from our partner.

We pay annually and there are no costs in addition to the standard fees.

When you compare Cisco ASA Firewall with Sophos, they are more or less the same in terms of functionality.

Cisco ASA Firewall is very stable and very reliable. It requires very minimal support, once you configure it and put it in your environment. You don't need to attend to faults or issues. Once you install it and plug it in, it is good to go.

We have been using the ASA Firewall for a long time, and it is an advanced product for our current use. In terms of improvement, there's not much that can be done to it. It is a solid product, very effective, and it does its job well.