Cisco Secure Firewall Reviews

The primary use of Cisco ASA (Adaptive Security Appliances) for us it to protect from external threats to our network as a firewall and VPN solution.

Cisco ASA serves a purpose more than it improves us. It is good at what it does. We are using other vendors and splitting the traffic to different devices based on what they do best. Even though we use other products the trend at our company is that we will increase the traffic through Cisco ASA.

It's difficult to say what features are most valuable because ASA is not a cutting-edge device. It's rather more stable and proven than modern. It's difficult to suggest adding features because with new features we are adding something new, and that means it could be less stable and. New features are not the reason we use the solution — it is almost the opposite. The most valuable part of the solution is dependability.

It's already a mature and stable product. I prefer to not to use the newest software — even if Cisco suggests using the newest — because this is a critical security device.

My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. 

They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA.

Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers' thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA.

I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough. 

It is a stable solution. It is predictable when using different protocol and mechanics.

We've used several models of the product, from the smallest to the biggest. I think that this family of the ASAs is scalable enough for everything up to an enterprise environment. I think the family of products is able to handle small and large company needs.

Cisco is a well-known vendor and its support is good. In my previous company, we sometimes used a vendor rather than direct Cisco support, but sometimes we used Cisco. For ASA in my current company, we have additional support from the local vendor. If we have a problem we can also initiate a ticket directly on the Cisco support site.

About one-and-a-half years ago we implemented a different solution to handle certain situations like BGP. But when we upgraded our Cisco devices just few months ago, we could have BGP on ASA. Now our devices from Cisco have enhanced capability, not just something new and maybe less dependable. Implementing BGP on ASA was a late addition. It had been tested, the bugs were worked out and engineers wanted the solution. The stability of ASA as an older solution is what is important.

I think it is not the simplest solution to set up because it is sophisticated equipment. For engineers to work with vendors and incorporate totally different solutions, it could be difficult. It is also different from the other Cisco devices like Cisco Router IOS. It differs in a strange way, I would say, because the syntax or CRI differs. If you are used to other OSs, it is not easy to switch to ASA because you have to learn the syntax differences. 

It's common for there to be differences in syntax between vendors. But, I would say that this is more complex. The learning curve for start-up and configuration of ASA is at mid-level when it comes to the difficulty of implementation.

I did the implementation myself. ASA is not the newest solution for Cisco or the newest equipment. You can use the vendor and ask for help if you need it during the installation and for support. Because it was an older solution, it was already somewhat familiar to me.

My current company has been using ASA for quite a long time, so I was not involved in the choices.

I have been participating in choosing a new vendor and new equipment for some specific purposes as we go forward. For a next-generation firewall, Cisco's product — a combination of ASA and Firepower — is not the best solution. We are choosing a different vendor and going with Palo Alto for next-generation solutions because we feel it is better.

I think I can rate this product as an eight out of ten. A strong eight. The newest version of software and solutions often have bugs and functional problems because they have not been rigorously tested in a production environment. It is not the modern, next-generation firewall, but it solidly serves simple purposes. For simple purposes, it's the best in my opinion. I am used to its CRI (Container Runtime Interface) and its environment, so for me, familiarity and stability are the most important advantages.

We are using the Cisco ASA NGFW as a next-generation firewall. We are using the 5516-X version. Our primary use case of this is as an X firewall for external connections.

Cisco ASA NGFW significantly improves our bank. It protects any high-value products that we use from hackers, viruses, malware, and script-bots. It gives us metrics on network traffic as well as what kind of attacks we are getting from the outside.

The most valuable features are the firewall capabilities, filtering, and intrusion prevention. 

I respect the capability of the Cisco firewall. We fully use it all as a complete firewall solution. Cisco also has excellent anti-malware detection and other similar features.

Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.

Stability is excellent.

It can easily scale. If you want, you can scale it to a lot of traffic. It's an X file, so all of our users are going through it.

We only require one administrator for the solution. For deployment and maintenance, it depends on how many developers you have. We require two dedicated staff at a minimum. 

Naturally, we employ both security technicians and administrators. Cisco ASA NGFW is being used at all our branches, and we'll continue using it in the future.

The technical support from Cisco is excellent.

We have only been using Cisco solutions.

The initial setup of the Cisco ASA NGFW is not easy, but at the same time also it is not complex. It's somewhere in the middle. It took about 4 weeks, then it was activated.

We used a reseller consultant for the deployment.

Our licensing costs for this solution is on a yearly basis. Just for the firewall, it's about $1.5 million USD.

We evaluated Palo Alto Networks, Fortinet FortiGate, and Checkpoint products.

For the Cisco ASA NGFW, it is a bit more expensive than other products, but their method is a lot more stable in my experience. It has all the features that you would need in a next-generation firewall. They are always developing new features and introducing them.

I don't have anything that I'm currently missing with Cisco. On a scale from one to ten, I would rate the product at eight.

Primarily, we are just using it as a firewall, mostly to protect our internal SQL network (our primary network). At the moment, we are not using Cisco Firepower for our services. We just use it as a firewall.

We have multiple secure internal networks linked with our plants. We are from a oil company, so we have multiple plant areas which need to have restricted network access. Therefore, we are using it for restricting access to the plant area, where they cannot directly connect onto the Internet.

It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement.

Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems.

It should have multiple features available in single product, e.g., URL filtering and a replication firewall.

It is very stable. We have routers entirely from Cisco, which are still working after ten years of deployment. I would rate the stability as a nine out of ten.

We have two people maintaining it. It does not require intensive work. We have an expert in switching technology, and another person who is knowledgeable in routing and network security.

The scalability is good.

The technical support of Cisco is very good. Nowadays, you can get anything over the Internet. They provide help over the Internet. There is a very full forum, which is manually supported.

The initial setup was completely straightforward. 

However, we have to rely on Cisco ASDM to access the firewall interface. This needs improvement. Because we have a web-based interface, and it is a lot more user-friendly.

Deployment takes two or three days. We are continuously deploying the solution to our plants over time.

We do the deployment in-house.

ROI is part of the infrastructure costs. The product has saved us a lot of time, and once we deployed the solution, it worked.

The cost is a big factor for us. This is why we are using it only in our restricted area. They are very much higher than their competitors in the market.

I would rate the cost as a six or seven out of ten.

Nine or ten years ago, there were few options at the time.

Currently, we are using Barracuda for our more general Internet access. We use Cisco for our more protected environment.

I would recommend the product, but cost is a big factor. Some companies cannot afford expensive products, like Cisco and Palo Alto.

We use remote desktop services from our data center. We can clean the client and the remote desktop server and from there we can establish a VPN channel. 

We can create a profile and we can give them access depending on the access level they need to be on. All the way from level one to level 16. I just create the user and from the dropdown, I select what access level they need to be on and that's it. I don't need to go individually to each and every account and do the configuration.

I like the user interface because the navigation is very easy and straightforward. On the left side pane, you have all the sites that you need to browse. Unlike any other firewalls, it's pretty straightforward.

If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. 

I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to login into the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.

I would rate their stability a nine out of ten. It's pretty stable. I never come across a situation where the firewall hangs and then I need to reboot it.

Cisco is expensive and when you want to grow, it means you're going to need to spend some money but you can justify it.

We have closer to 50 users on the firewall at the moment and do have plans to increase usage.

We were previously using Sophos firewall but it had a lot of issues. 

The initial setup is a little difficult compared to other firewalls but once you get it right, especially the assistant control list, it's fine. It's a little difficult compared to other firewalls. 

The deployment took us about three days because we did some testing and we also did certain attacks and checked some hackers which is why it took some time. We wanted to make sure that it was at least 99.99% protected.

We implemented through a UK company called Rackspace. 

Licensing is expensive compared to other solutions. Especially in other regions because people are very careful when it comes to spending on IT infrastructure. My suggestion is, first test it, once you see how good it is you will definitely want to renew it. 

I would advise someone considering this solution to just go for it. It's expensive but it's a robust solution. The only thing is that you have to convince your finance guy to go for it.

I would rate it a nine out of ten. 

• Reliability
• Security
• Flexibility
• Functionality
• Availability - controllability anywhere and with different methods

I can tell that when we have started using the Cisco AnyConnect for remote access to business apps it makes the work for remote staff much simpler. It's also easier to provide remote IT support. Aside from this, the security officers can sleep better now.

The ASA is an almost perfect device.

I've used it for two years.

I have had no problems deploying it.

Occasionally, the packet rate falls unexpectedly.

I currently do not need to scale on my network.

9/10 - the regional online support could be better.

10/10.

We use MySQL and Nagios devices alongside the ASA as our network infrastructure needs expanding and required more serious hardware solutions.

When Cisco was installed, it did not go as expected.

It is not simple to calculate for IT hardware. To calculate the ROI for using the ASA, I would need to have a lot of statistics on the quality of services, both before and after.

Cisco ASA 5512-X was bought for $3,000, and a further $1,000 was needed for installation and pre-configuration.

• Fortinet
• Juniper

As a rule, any device upon delivery is obsolete. Pick up the solution for your business, based on your specific needs.

We have a lot of use cases of FirePower. In one of the use cases, we have two offices, and we use FirePower on our two sites. One of them works through the site-to-site VPN, and we have a controller on this site.

I work with Cisco and other partners, but the Cisco team is the best team in our country. When I call them, they always help us. 

I started to configure the device with version 7.2. After that, I had a problem. It was not a physical problem. It was a software problem. They advised me to install 7.0. I uninstalled and reinstalled everything. It took time, but it started to work normally.

I am not a programmer, but on the business side, they should fix all such issues in the future. We are Cisco partners, and when we recommend Cisco FirePower to customers, they always think that FirePower is bad. For a single installation of FirePower, if I have to write about 18 tickets to Cisco, it's a big problem. There was an issue related to Azure. We had Active Directory in Azure. The clients had to connect to FirePower through Azure. We had a lot of group policies. After two group policies, we had to make groups in Azure, and they had to sign in and sign back. It was a triple-layer authentication, and there was a big problem, so we didn't use it.

We have been using this solution for about two years.

It's very stable now. Everything is fine for me.

I use just two devices. I've not tested anything else.

Their customer support is very good. We also work with other vendors, but Cisco's support is still the best. I'd rate them a 10 out of 10.

Positive

For me, it was very easy because I solved all problems, but I had to install it two times. 

We are a reseller, and for us, it's a 10 out of 10 because if we sell it, we will earn money, but customers have to agree with us.

We are a payment switch and we deal with cardholder data and information. Our primary goal is to ensure the security of customers' payment data, that they are protected.

Our security maturity is now at a good level compared to the past. To be accepted to drive Visa and Mastercard, you have to pass security assessment audits and we have managed to pass all of them now, for some years.

Apart from our firewall, we have three security tools. We have a NAC, we have a SIEM, and our syslogs.

It's easy now because we have many Cisco devices in a central point. We don't need to log in to each device and apply rules to them. We can do it from the management control and apply them to the specific firewalls that we want to apply them to.

In addition, compared to our previous firewall solution, the security is much better. Through our monitoring, we now see all the information that we require on security, in terms of PCI. We can see exactly what is happening in our environment. We know what is going, what is going in and out. If an incident happens, it provides a notification so that we can do an analysis.

Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches.

Another important feature for us is user access. Now, we can base access on rules and specify that this or that user has privilege on the NG firewall. That was not available before. 

The IDS also makes it easy to detect abnormal traffic. When it sees such traffic in the environment, it sends a notification.

We have been using Cisco Firepower NGFW Firewall for about two months.

The solution is stable. It's not hanging. With the firewalls from Cisco we are not facing a situation where devices are hanging because of too much traffic.

The scalability is fine.

We're getting support but there's a big delay until we get a response from their technical team. They're in the USA and we're in Africa, so that's the difficulty. When they're in the office, they respond.

We migrated from Cisco AC520 to the Cisco NGFW. We have also used HPE and IBM switches, as well as FortiGate firewalls. We are now completely Cisco.

Previously, we were also using AlienVault and it was easy to integrate with Cisco devices.

The initial setup is 50/50, between straightforward and complex. Migrating from Cisco to another Cisco product is okay, but migrating to Cisco from other network devices, like an IBM switch, is a bit tricky. You can't test the configuration to see if it's the same as what you're going to. But we managed with support from Cisco.

It took a month to complete the deployment.

Our implementation strategy was based on not upgrading everything at the same time. It was phased. We deployed a specific device and then we monitored everything to make sure everything looked okay, and then we moved on to the next one.

It requires a minimum of two people for deployment and maintenance, from our network and security teams.

We used internal resources with support from Cisco.

We have gotten exactly what we're looking for, based on the company's requirements.

The pricing is high.

Cisco NGFW's ability to provide visibility into threats is good compared to other solutions. The visibility is quite impressive and gives us what we're looking for, based on our security requirements.

The scalability, the performance of the devices, the features, and the support, when looking at them combined, make the product a nine out 10.

We're planning the deployment of Cisco ISE soon, to be like our NAC.

We use the platform to provide secure perimeter internet access for customers and also to provide secure networks or secure SANs for customers. We have a global partnership with Cisco and I'm a re-sales and security manager of IT services.

The top features for me are the filtering, the intrusion prevention system, and the AMP on small operations. 

To configure the FirePower it is required an external console. It would be nice to have the console embedded in the Firewall so you don't require an extra device. I'd like to see some kind of SD-WAN included as a feature. 

I've been using this solution for six years. 

The solution is very stable and we feel very secure with it. 

The scalability is no problem. 

The technical support is excellent. 

The initial setup is quite straightforward. I think someone who knows the iOS platform and knows about firewalls can setup the device. If you don't have experience, it will be somewhat complicated. If you know the platform, implementation is very quick. We've installed over 1,000 firewalls for different customers.

This is a very stable platform, and you can adjust the engine for malware protection. It is one of the best and a very reliable solution.

I would rate this solution a 10 out of 10.