Cisco Secure Firewall Reviews

The primary use case for this solution is on the client side. PCS stands for
Perfect Computer Systems. We are an integration company, we specialize in solution integration, bringing together component subsystems into a whole and ensuring that those subsystems function together.

Cisco ASA NGFW has improved our organization by providing more internet protection. Also, for the end user, it provides easy access from outside for users accessing the site.

The feature that I found the most valuable is the overall stability of the product. 

The two areas that need improvement are the URL filtering and content filtering features.

These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.  

My impression of the stability of this solution is that it's great, excellent! 

As far as scalability, I haven't had any performance issues so far. There really isn't high utilization coming from the operations environment, so I don't need to upgrade the tier at the moment.

I don't have much experience with technical support since contacting tech support incurs additional costs. I have been relying on my technical knowledge and experience so far.

The initial setup was straightforward, though I find as we proceed we need an extra feature or two to enable all the functionalities and protection of the tool. It's an ongoing process. We have to be quick and agile to provide client support.

We implemented through an in-house team. 

The stability is the greatest ROI for this solution. 

My advice, since I have to pay for licensing each feature that I need to enable, like URL filtering, is to look at a pfSense. That is what we are doing because you have to pay for greater protection, a total solution can be very costly. We are looking at a pfSense, to bring down the total cost. The correct price point, in comparison to other platforms, is the main factor here.

During our initial decision-making process, we evaluated other options but the distinctions between all the options were quite minimal.

I am satisfied with the current facility and the management environment of the Cisco ASA, it's great for me.

I think that the cost would be the main factor when evaluating solutions since some of the companies or some of our clients ask about costs upfront. Once the client has made their initial request and inquired about any subsequent subsystem connectivity integration ideas, they always want to know how much everything will cost. The deciding factor is mainly based on the price point of the total user solution.

Overall, the criteria that we consider when constructing an integration decision depends largely on the client company we are working with. We evaluate clients based according to their size, industry function, and the total budget that would be recommended for an effective solution.

I would give this product a rating of 9 out of 10!

It's our firewall for our AWS VPC on the internal side that connects our VPC to headquarters.

I have been using the product for two years, but it has been installed in my company for four years.

Even on a smaller scale, people are finding you need HA pairs, and there's no way that the ASA can do that, at least in the virtual version. We needed the ability to failover to one of the others to do maintenance, and this is a glaring issue. However, it is one of their cheaper products, so its understandable. It is just that we would hope by now, because it has been in use in a lot of different environments, for even moderately sized companies, the ability to have HA pairs would be extremely useful.

It has been relatively stable, in the sense that it stays up. It doesn't die on us.

Scalability has been a pain point for us. 

It's great for what it does. Just make sure you know whatever environment you are using it in is not going to have to scale. Just use it for sandbox. As long as they stay competitive, use the ASA, but make sure you have a plan to grow out of it.

We have definitely made some calls to Cisco regarding issues. While it is time consuming, they are thorough. Sometimes depending on the urgency, if there is a real P1 problem going on, it would be more helpful to go straight to the chase than to have to go through troubleshooting steps that are mandated. A lot of times, it is understandable why they're there, but I wish they had a different, expedited process, especially when they're dealing with our senior network engineer who has already ruled out some things. Cisco tends to make you go through the steps, which is part of any normal troubleshooting. However, when you're dealing with an outage, it can be very frustrating.

The integration and configuration were pretty straightforward.

We purchased the product through the AWS Marketplace. While I wasn't part of the buying process for Cisco ASA, I have used it to purchase AMIs.

The AWS Marketplace been great, but it could be a bit more user-friendly from an aesthetic perspective. It is fully functional and easy to figure out once you are in it. However, the layout of the AMIs has a lot missing, e.g., you have to side click to find the area for community AMIs. It would be awesome if AWS Marketplace would put up a wider range of AMIs.

With the Cisco ASA, you do get what you pay for. What would really be awesome is to see Cisco blow out a real cheap version where you can use the sandbox, but leave it step-wise and go to another product relatively easily, like getting you hooked on candy. The problem is that we already paid for the ASAs, and we grew quickly. Now, we have found ourselves in a situation where we have to wait for next year's budget and everyone is using it. We've gone from a sandbox model to full production. If Cisco was a bit more on the ball with this type of thing, such as pay a smaller lump sum, then scale as a pay by use or have an option to switch models. This would be good because then we could actually leverage this type of model.

Right now, we want to go to the rocket stuff, and our people who make the decisions financially will just have a heart attack. They will choke on it. However, if we can roll it into our AWS bill, and slowly creep it in, it is usually more palatable. As crazy as that sounds, even if its more expensive to do it this way.

Our network guy looked at alternatives and settled on Cisco ASA. It was the cheapest available option, virtualized, and he was familiar with Cisco, like many people are because it's a great company. It made the most sense at the time, because our VPC was a sandbox at first. Now, it has grown, which is where the pain point is: the scalability of the ASA. We have sort of wedged ourselves into a corner.

We are now looking into Cisco Meraki, the CSR stuff, and the SD-WAN technology.

The ASA 55-x range is a solid and reliable firewall. It secures the traffic for normal purposes.

If you ask how a firewall can improve our business: It can’t. It is securing our business IT network.

But if you want to know what the ASA5520 can do to secure our network:
Not much more than any firewall. It is a solid port firewall, nothing more, nothing less.

The Cisco ASDM management tool was helpful.

Firewalls, in general, were not really designed for normal IT personnel, but for firewall and network experts. Therefore, they missed a lot of options and did not provide any good reporting or improvement options.

For example, to update or add a feature, you end up buying new support and licenses. The process is complex and changes so rapidly that you won't find a salesperson who will offer you the right products.

New generation firewalls are cloud managed or provide a good interface. They integrate into the environment. They are application aware and come with security features that are especially designed for the purpose.

There were no stability issues.

You need to buy a new product if you want to scale. I once tried to put in another network card and ended up in a support nightmare. I had to buy more support, licenses, and it was more expensive than buying a new one.

Customer Service:

Customer service is non-existent. You need to go through a very complex and annoying approval system before you can get any help. The support then gets asked a question and you get one word answers. It takes you hours to find out what version of an update you need to install, and then another day to find out how to install it.

Technical Support:

I would give technical support a rating of zero out of 10. It is clear that Cisco is not for the end-customer, but rather for resellers and providers. They might have better contracts and get more technical support.

I usually have to take what is there. If I had a choice, I would now take something newer.

You can start very easy and set up the network cards, but it also has many traps to find out the right setting for your environment.

For example, you need fixed network settings on your switch to connect with full duplex 100Mb/s. There is no autonegotiation nor other settings. This is the same problem with the WAN connection. You need to know exactly what to configure to match the WAN, or it will not work.

I once had support from a reseller and once from a provider. Both depended on the level of the person you speak with. Most have some knowledge.

Once installed, they last a long time. I would recommend replacing them after some years to get better security features.

If you look for user internet access, many new products can help with filtering and rules or procedures, like Meraki. This replaces the purpose of proxy servers.

If you have to secure web servers from the internet, you need a decent firewall with web features to process the requests and redirect traffic to web servers.

Cisco is no longer the only vendor offering these features. With Microsoft TMG out of the race, others have to push in. But firewalls are also no longer the first frontier of security. Cloud services are in there as well.

I had no choice.

Get someone to help you plan and set up the firewall concept, as well as the initial setup and testing. Waiting for later is not the time to test or change anything without an outage.

We have a lot of use cases of FirePower. In one of the use cases, we have two offices, and we use FirePower on our two sites. One of them works through the site-to-site VPN, and we have a controller on this site.

I work with Cisco and other partners, but the Cisco team is the best team in our country. When I call them, they always help us. 

I started to configure the device with version 7.2. After that, I had a problem. It was not a physical problem. It was a software problem. They advised me to install 7.0. I uninstalled and reinstalled everything. It took time, but it started to work normally.

I am not a programmer, but on the business side, they should fix all such issues in the future. We are Cisco partners, and when we recommend Cisco FirePower to customers, they always think that FirePower is bad. For a single installation of FirePower, if I have to write about 18 tickets to Cisco, it's a big problem. There was an issue related to Azure. We had Active Directory in Azure. The clients had to connect to FirePower through Azure. We had a lot of group policies. After two group policies, we had to make groups in Azure, and they had to sign in and sign back. It was a triple-layer authentication, and there was a big problem, so we didn't use it.

We have been using this solution for about two years.

It's very stable now. Everything is fine for me.

I use just two devices. I've not tested anything else.

Their customer support is very good. We also work with other vendors, but Cisco's support is still the best. I'd rate them a 10 out of 10.

Positive

For me, it was very easy because I solved all problems, but I had to install it two times. 

We are a reseller, and for us, it's a 10 out of 10 because if we sell it, we will earn money, but customers have to agree with us.

Our clients use Cisco Secure Firewall to protect them from data breaches. They also use it for site-to-site VPN connections and remote access.

The most valuable features are remote access, site-to-site VPN, and next-generation features.

The management of the firewalls could be improved because there are a lot of bugs.

I've been selling this solution for three years.

Most of our clients have deployed the solution on-premises and are slowly migrating to hybrid and to SaaS models.

When you configure it, it's very stable.

Cisco Secure Firewall is a scalable solution.

Cisco's technical support is good.

We used to sell Palo Alto firewalls and switched to Cisco because it was more cost-effective for clients.

As a Cisco reseller, I try to give our customers the best possible solutions for their problems.

The initial setup is straightforward for smaller organizations, but it can be complex when companies are larger.

Migrating certain components of a client's previous firewall configurations to Cisco Secure Firewall with the migration tool is simple, easy, and quick. However, it would be really nice if we could migrate complete ASA configurations to FTD with the migration tool and not just the policies and objects.

Maintenance-wise, we troubleshoot and make changes if required.

I deployed it myself with, and perhaps with one person from the client's end.

On a scale from one to ten, I would rate Cisco Secure Firewall at seven.

The Cisco Secure Firewall is placed between the separate VLANs. It's a common and effective method of protecting VLANs against internal risks such as Checkpoints and external parameters.

It certainly saves time. You can detect anything if you have nothing. This is why, in the end, it saves time.

Collaboration with other Cisco products such as ISE and others is the most valuable feature.

it is difficult to say what it needs in terms of what needs to be improved. I don't work with it on a daily basis.

I haven't heard anything negative about it.

While this applies to all vendors, pricing can be always lower. In my opinion, Cisco is the most expensive. 

The pricing can be reduced.

Our organization has been working with Cisco Secure Firewall for three to five years.

There are no complaints about performance or stability.

There are no issues with the scalability. It works fine.

It is simple to upgrade.

We only need one person to maintain the product.

My colleague has experience with technical support. I'm not sure if it was with Cisco's technical support directly or through Conscia in between.

This was the first solution we were using.

We are primarily Cisco housed, and I believe that practically everything is Cisco. 

It might be part of the contract for a small fee. I don't think there's any particular reason.

I am familiar with CheckPoint, as well as Microsoft ISA.

We have an implementation partner.

It's a hands-on job with a colleague of mine.

I don't know if it is particularly easy or not.

There was also some learning involved, such as knowing the traffic. This took some time. It took six months to deploy.

With the implementation partner, everything was written out. It was the best-case scenario for us.

We did not use the Cisco Firewall Migration tool.

Conscia assisted us with implementation.

They are one of the best in the Netherlands.

I am not aware of the pricing. 

It's an all-in-one contract.

I would rate Cisco Secure Firewall an eight out of ten.

We are a payment switch and we deal with cardholder data and information. Our primary goal is to ensure the security of customers' payment data, that they are protected.

Our security maturity is now at a good level compared to the past. To be accepted to drive Visa and Mastercard, you have to pass security assessment audits and we have managed to pass all of them now, for some years.

Apart from our firewall, we have three security tools. We have a NAC, we have a SIEM, and our syslogs.

It's easy now because we have many Cisco devices in a central point. We don't need to log in to each device and apply rules to them. We can do it from the management control and apply them to the specific firewalls that we want to apply them to.

In addition, compared to our previous firewall solution, the security is much better. Through our monitoring, we now see all the information that we require on security, in terms of PCI. We can see exactly what is happening in our environment. We know what is going, what is going in and out. If an incident happens, it provides a notification so that we can do an analysis.

Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches.

Another important feature for us is user access. Now, we can base access on rules and specify that this or that user has privilege on the NG firewall. That was not available before. 

The IDS also makes it easy to detect abnormal traffic. When it sees such traffic in the environment, it sends a notification.

We have been using Cisco Firepower NGFW Firewall for about two months.

The solution is stable. It's not hanging. With the firewalls from Cisco we are not facing a situation where devices are hanging because of too much traffic.

The scalability is fine.

We're getting support but there's a big delay until we get a response from their technical team. They're in the USA and we're in Africa, so that's the difficulty. When they're in the office, they respond.

We migrated from Cisco AC520 to the Cisco NGFW. We have also used HPE and IBM switches, as well as FortiGate firewalls. We are now completely Cisco.

Previously, we were also using AlienVault and it was easy to integrate with Cisco devices.

The initial setup is 50/50, between straightforward and complex. Migrating from Cisco to another Cisco product is okay, but migrating to Cisco from other network devices, like an IBM switch, is a bit tricky. You can't test the configuration to see if it's the same as what you're going to. But we managed with support from Cisco.

It took a month to complete the deployment.

Our implementation strategy was based on not upgrading everything at the same time. It was phased. We deployed a specific device and then we monitored everything to make sure everything looked okay, and then we moved on to the next one.

It requires a minimum of two people for deployment and maintenance, from our network and security teams.

We used internal resources with support from Cisco.

We have gotten exactly what we're looking for, based on the company's requirements.

The pricing is high.

Cisco NGFW's ability to provide visibility into threats is good compared to other solutions. The visibility is quite impressive and gives us what we're looking for, based on our security requirements.

The scalability, the performance of the devices, the features, and the support, when looking at them combined, make the product a nine out 10.

We're planning the deployment of Cisco ISE soon, to be like our NAC.

We were using ASA 5585 without firepower. We were using it just as a stateful firewall. We also had an IPS module on it. So, we were also using it for network segmentation and network address translations for hosting some of the services or giving access to the internet for our end users.

Initially, it was good. At the time we bought it, usually, IPS was in a different solution, and the firewall was in a different solution. You had to kind of correlate between the events to find the attacks or unwanted behavior in the network, but it had everything in a kind of single platform. So, the integration was great.

Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. Cisco ASA was able to handle a lot of traffic or concurrent connections at that time. We had almost 5 million per week. We didn't have to worry about it not having enough memory and stuff like that. It was a powerful machine.

The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java. 

High throughput, high concurrent connections, easy site-to-site VPN were also valuable. It also had the capability to do double network translations, which is really useful when you are integrating with other vendors for site-to-site VPN.

When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough.

One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.

We have been using it for around eight years.

Its stability is really great. It is very stable. We didn't have to worry about it. In the IT world, every time you go on holiday, you think that something might break down, but that was not the case with Cisco ASA.

Initially, we had just a single firewall, and then we moved to high availability. Even when it was just one hardware without high availability, we didn't have any problems. Apart from the planned maintenance, we never had any downtime.

We feel we didn't even try to make it scalable. We had 30,000 end users.

We haven't interacted a lot with them because we have our own network department. We were just handling all the problem-solving. So, there were only a couple of cases. Initially, when one of the first devices came, we had some problems with RAM. So, we opened the ticket. It took a bit of time, and then they changed it. I would rate them an eight out of 10.

Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. We had some really old D-link firewalls. They were not enterprise-level firewalls.

After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. They didn't provide us with the new license. Therefore, we decided to move to Palo Alto. The procurement process is taking time, and we are waiting for them to arrive.

It was straightforward. Cisco is still leading in the network area. So, there are lots of resources where you can find information. There are community forums and Cisco forums, where you can find answers to any questions. You don't even have to ask. You can just Google, and you will find the solution. Apart from that, Cisco provides a lot of certification that helps our main engineers in learning how to use it. So, the availability of their resources was great, and we just followed their best-case scenarios. We could easily configure it.

The deployment took around two or three weeks because we had different firewalls. We had a couple of them, and we migrated all to Cisco. We also had around 30,000 rules. So, the data input part took a lot of time, but the initial installation and the initial configuration were done in a matter of days.

It took us one week to set up the management plane. It had different ports for management and for the data. After finishing with the management part, we slowly moved segments to Cisco. We consolidated the rules from other firewalls for one zone. After Cisco verified that it was okay, we then moved on to the next segment.

We did it ourselves. We had about five network admins for deployment and maintenance.

We definitely got a return on investment with Cisco ASA. We have been using it for eight years, which is a long time for IT. We only had one capital expenditure. Apart from that, there were no other costs or unexpected failures. It supported us for a long time.

When we bought it, it was really expensive. I'm not aware of the current pricing.

We had problems with licensing. After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. So, they didn't provide us with the new license.

I am not sure about it because back then, I was just an engineer. I didn't have decision-making authority, so I wasn't involved with it.

We recently have done pilots with Check Point and FortiGate for a couple of months. They were next-generation firewalls. So, they had much more capability than ASA, but because of being a pilot, we didn't get full-scale throughput like big enterprise-level firewalls. The throughput was not enough, and their memory cache was always filling up. They were smaller models, but both of them had the features that ASA was lacking. Traffic shaping in ASA is not as good, but these two had good traffic shaping.

I wouldn't recommend this solution because it is already considered to be a legacy firewall.

I would rate Cisco ASA Firewall a strong eight out of 10. It is powerful, but it lacks some of the capabilities.