It provides the firewall and security for our edge network.
We are using a really old ASA device that is at end-of-life, so we're replacing it.
The most valuable feature is the access control list (ACL).
This is an older product and has reached end-of-life.
We have been using Cisco ASA for probably ten years.
This is a very stable product.
We're just a small company, so we have not had to scale it.
The technical support is definitely very good.
The initial setup was very straightforward.
Just one person is required for maintenance.
My advice for anybody who is implementing Cisco ASA is that it is not very difficult to deploy and not very difficult to understand how to continue adding more rules to it.
I would rate this solution an eight out of ten.
We are using Cisco ASAv in our company and have deployed it for many of our customers. They are in both government and the private sector.
The deployment method varies depending on the customer's needs. For the government, it's through the government cloud while others are on-premises.
It is very stable compared to other firewall products.
It has good security features.
The firewall features make it easy for the users to work on it.
The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard.
They need a user-friendly interface that we could easily configure.
It would be beneficial to have some of the features that Cisco has, integrating with other types of security.
I have been using this solution for approximately eight years.
It's a very stable solution out of the box and we have not had any issues in our deployment.
We have 86% of the devices being used simultaneously.
It's scalable based on the type of license and modules that you require.
We don't have the option to update the box, but we can add features such as antivirus protection.
We have contacted technical support for some issues outside our technical expertise, mostly for updating the license.
We have a team that handles our issues.
We work on a case-by-case basis and have good offers from Cisco.
It's very competitive with other products.
They should incorporate it with FortiGate, or Sophos firewalls.
If they are looking for a layer 7 type of security then they need to go with another solution.
I would rate Cisco ASAv a nine out of ten.
The primary use case is to have full visibility over our Web & Application behavior on the local network and over the internet. On the other hand, reporting is one of the main needs so that we can monitor and evaluate our consumption and according to that, build up our policies and security.
Cisco NGFW had the needs that were required by us but unfortunately, was very primitive.
There was no added value and every feature requires a license, thus extra HIDDEN cost despite a large number of renewals. Paying that much compared to what other vendors can give is out of the negotiation. For this reason we dropped it.
Unfortunately in Cisco, only the hardware was good. As for the features and services it was less than the others. Having all of the features means higher specs of hardware and intelligence processing so that it can handle all the logs proactively. Now, what is needed from the Information security, is to be proactively aware of any threat that might expose our data and at the same time have full visibility over our information sharing endpoints.
In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline. Nowadays IoT, Big Data, AI, Robotics, etc. are all evolving and shifting from automatic to intelligent. All brands that do not follow will be extinct.
I have been using this solution for three years.
good
I was using a different solution prior to this one. I shifted because I found that it can heal my pain at least partially. By the end, it did the job and more.
Not that simple, but anyone who has the knowledge can configure it.
Through a vendor and they have good tech
Always look for the history of the products and their evolution, as this will reflect their prices. As for the licenses, be smart and choose the ones you are going to use AS PER YOUR NEED.
More features=More Licenses=More work time=Increase in Cost.
Always consider what you might need to reduce your wasted time and invest it in other solutions (i.e. "If it takes you three hours to do an analysis report and the solution you are getting has this feature to reduce your time to five minutes then you can consider this license. But, if there is a feature where you can have access to the machine from the cloud and you are always connected to the company by VPN, there is no need to buy this license").
Whenever I go for a new solution, I test many leaders "NOT RELYING ON GARTNER", yet going for sites that are related to technical evaluations and real case studies. The vendors were Sophos Cyberoam, Barracuda, FortiGate, Websense, & Check Point.
Think before you buy, as this solution can be your success or failure. Always work with professionals and not promoters.
We are an ISP, so it's primarily for customer firewalls that we help customers setup and maintain. While we do use Cisco ASA in our company, we mostly configure it for customers. Our customers use it as a company firewall and AnyConnect VPN solution.
A lot of people trust Cisco. Just by its name, they feel more secure. They know it's a quality solution, so they feel safer.
The most valuable feature must be AnyConnect. We have quite a few customers who use it. It is easy to use and the stablest thing that we have. We have experienced some issues on all our VPN clients, but AnyConnect has been the stablest one.
It is one of the easiest firewalls that I've worked with. Therefore, if you're not comfortable with command line, it probably is one of the best solutions on the market.
One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes.
If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.
For five or six years.
We haven't had any issues with the firewalls.
The maturity of our company's security implementation is good. We are very satisfied as long as we maintain the software. It has needed to be updated quite a few times.
We don't have any firewalls that can handle more than a couple of gigabits, which is pretty small. I think the largest one we have is the 5525-X, though we haven't checked it for scalability.
In my company, there are probably 16 people (mostly network engineers) working with the solution: seven or eight from my group and the others from our IT department.
I haven't worked with Cisco's technical support. We haven't had real issues with these firewalls.
This was the first firewall solution that I worked with.
The initial setup has been pretty straightforward. We have set up a lot of them. The solution works.
The deployment takes about half an hour. It takes a little longer than if we were using their virtual firewalls, which we could implement in a minute.
We have a uniform implementation strategy for this solution. We made some basic configurations with a template which we just edited to fit a customer's needs.
We haven't noticed any threats. The firewall is doing its job because we haven't noticed any security issues.
The licensing is a bit off because the physical firewall is cheaper than the virtual one. We only have the physical ones as they are cheaper than the virtual ones. We only use the physical firewalls because of the price difference.
Our company has five or six tools that it uses for security. For firewalls, we have Check Point, Palo Alto, Juniper SRX, and Cisco ASA. Those are the primary ones. I think it's good there is some diversity.
The GUI for Cisco ASA is the easiest one to use, if you get it to work. Also, Cisco ASA is stable and easy to use, which are the most important things.
We use this solution with Cisco CPEs and background routers. These work well together.
We have some other VPN options and AnyConnect. We do have routers with firewalls integrated, using a lot of ISR 1100s. In the beginning, we had a few problems integrating them, but as the software got better, we have seen a lot of those problems disappear. The first software wasn't so good, but it is now.
We have disabled Firepower in all of our firewalls. We don't use Cisco Defense Orchestrator either. We have a pretty basic setup using Cisco ASDM or command line with integration to customers' AD.
I would rate the product as an eight (out of 10).
The first time I deployed Cisco ASA was for one of our clients. This client had a Palo Alto firewall and he wanted to migrate. He bought an ASA 2505, and he wanted us to come in and deploy it and, after that, to put in high-availability. We deployed it and the high-availability means that in case one fails, there is a second one to take over.
I have deployed Cisco ISE and, in the same environment, we had a Cisco FTD. In that environment, we were using the ASA for VPN, and we were using the FTD like an edge device. The ASA was deployed as VPN facilitator and for the wireless part too, so that the wireless network was under the ASA firewall.
If we look at the Cisco ASA without Firepower, then one of the most valuable features is the URL filtering.
Also, it's easy to integrate ASA with other Cisco security products. When you understand the technology, it's not a big deal. It's very simple.
When it comes to threat visibility, the ASA is good. The ASA denies threats by using common ACLs. It can detect some DoS attacks and we can monitor suspicious ICMP packets using the ASA. It helps you know when an attack is detected.
Cisco Talos is good. It provides threat intelligence. It updates all the devices to be aware of the new threats and the new attacks out there, so that is a good thing. It's like having God update all the devices. For example, even if you have FTD in your company, malware can be very difficult to detect. There is a new type of malware called polymorphic malware. When it replicates, it changes its signature which makes it very difficult for a firewall to detect. So if your company encounters one type of malware, once, it is automatically updated in your environment. And when it is updated, Talos then updates every firewall in the world, so even if those other firewalls have not yet encountered those particular types of malware, because Talos automatically updates everything, they're able to block those types of malware as well. Talos is very beneficial.
When it comes to managing, with FMD (Firepower Management Device) you can only manage one device, but when you work with FMC (Firepower Management Center) you can manage a lot of sensors, meaning FTDs. You can have a lot of FTDs but you only have one management center and it can manage all those sensors in your company. It is very good.
One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't think that the ASA is enough. I think this is why they created FTD.
Also, Cisco is not so easy to configure.
I have been using and deploying Cisco ASA for two to three years.
Cisco ASA is stable.
It's scalable. You can integrate AD, you can integrate Cisco NAC. You can integrate quite a lot of things so that makes it scalable.
When you configure the ASA, there is already a basic setup there. Based on your environment, you need to customize it. If you understand security and firewalls very well, you can create your own setup.
For me, the initial setup is easy, but is it good? Because from a security perspective, you always need to customize the initial setup and come up with the setup that fits with your environment. So it's always easy to do the initial setup, but the initial setup is for kids in IT.
The time it takes to set up the ASA depends on your environment. For a smaller deployment, you just have the one interface to configure and to put some policies in place and that's all. If you are deploying the ASA for something like a bank, there are a lot of policies and there is a lot of testing to do, so that can take you all night. So the setup time really depends on your environment and on the size of the company as well.
When it comes to Cisco, the price of everything is higher.
Cisco firewalls are expensive, but we get support from Cisco, and that support is very active. When I hit an issue when I was configuring an FTD, as soon as I raised a ticket the guy called me and supported me. Cisco is very proactive.
I had the same kind of issue when I was configuring a FortiGate, but those guys took two or three days to call me. I fixed the issue before they even called me.
I have used firewalls from Fortinet, Palo Alto, and Check Point. To configure an ASA for VPN, there are a lot of steps. When it comes to the FortiGate, it's just a few clicks. FortiGate also has built-in templates for configuring VPN. When you want to create a VPN between FortiGate and FortiGate, the template is already there. All you need to do is enter an IP address. When you want to configure a VPN with a third-party using the FortiGate, and say the third-party is Cisco, there is a VPN template for Cisco built into the FortiGate. So FortiGate is very easy to configure, compared to Cisco. But the Cisco firewall is powerful.
Check Point is something like Cisco but if I have to choose between Cisco and Check Point firewalls, I will choose Cisco because of all the features that Cisco has. With Cisco you can do a lot of things, when it comes to advanced malware protection and IPS. Check Point is very complicated to manage. They have recently come out with Infinity where there is a central point of management.
Palo Alto has a lot of functionality but I haven't worked on the newer models.
Cisco firewalls are not for kids. They are for people who understand security. Now I know why people with Cisco training are very good, because they train you to be competent. They train you to have ability. And when you have ability, their firewall becomes very easy to configure.
When Cisco is teaching you, Cisco teaches you the concept. Cisco gives you a concept. They don't focus on how to configure the device. With Fortinet, for instance, Fortinet teaches you how to configure their device, without giving you the concepts. Cisco gives you the concepts about how the technology is working. And then they tell you how you are going to configure things on their box. When you are an engineer and you understand the technology from Cisco, it means that you can drive everything, because if you understand Cisco very well, you can work with FortiGate. If you understand security from Cisco, it means that you can configure everything, you can configure every firewall. This is why I like Cisco.
When it comes to other vendors, it's easy to understand and it's easy to configure, but you can configure without understanding. And when you configure without understanding, you can't troubleshoot. To troubleshoot, you need understanding.
I'm a security analyst, so I deal with everything about firewalls. I'm talking about ASA firewalls, and I'm talking about ASA with Firepower, FTD, and Cisco Meraki MX. When it comes to security tools I am comfortable with Cisco and everything Cisco.
One of our clients was using Cisco ASA. They got attacked, but I don't think that this attack came from outside their company. They were managing their firewall and configuring everything well, but they were still getting attacks. One of their employees had been compromised and his laptop was infected. This laptop infected everything in the organization. So the weakest link can be your employees.
Some are being used as edge firewalls and others are for our server-farm/data center. So some are being used as transparent firewalls and others are used as a break between the LAN and WAN.
In addition to the firewalls, we have Mimecast for email security as we're using Office 365. We're also using IBM's QRadar for SIEM. For antivirus we're just using Microsoft Windows Defender. We also have an internet proxy for content and for that we're using NetScaler.
Automated policies definitely save us time. I would estimate on the order of two hours per day.
On the network side, where you create your rules for allowing traffic — what can come inside and what can go out — that works perfectly, if you know what you want to achieve. It protects you. Once you get all your rules in place, done correctly, you have some sort of security in terms of who can have access to your network and who has access to what, even internally. You're secure and your authorization is in place for who can access what. If someone is trying to penetrate your network from the outside, you know what you've blocked and what you've allowed.
It's not so difficult to pull out reports for what we need.
It comes with IPS, the Intrusion Prevention System, and we're also using that.
I've been using Cisco ASA NGFW for five years.
The stability is quite good. We haven't had issues. I've used them for five years now and I haven't seen any hardware failures or software issues. They've been running well. I would recommend them for their reliability.
You can extend your network. They are cool. They are good for scalability.
We have a Cisco partner we're working with. But if they're struggling to assist us then they can log a ticket for us. Our partner is always a 10 out of 10.
Given that we have been upgrading with Cisco firewalls, I would say that our company has seen a return on investment with Cisco. We would have changed to a different product if we were not happy.
The response time from the tech and the support we get from our partner is quite good. We have never struggled with anything along those lines, even hardware RMAs. Cisco is always there to support its customers.
The pricing is quite fair for what you get. If you're comparing with other products, Cisco is expensive, but you do get benefits for the price.
The firewall that I was exposed to before was Check Point.
It's very good to get partner support if you're not very familiar with how Cisco works. Cisco Certified Partner support is a priority.
For application visibility and control we're using a WAN optimizer called Silver Peak.
To replace the firewalls within our data center we're planning to put in FMCs and FTDs. With the new FMCs what I like is that you don't need to log in to the firewalls directly. Whatever changes you do are done on your FMCs. That is a much needed improvement over the old ASAs. You can log in to the management center to make any configuration changes.
There are two of us managing the ASAs in our company, myself and a colleague, and we are both network specialists. We plan to increase usage. We're a company of 650 employees and we also have consultants who are coming from outside to gain access to certain services on our network. We need to make provisions on the firewall for them.
I use Firepower for all kinds of customers: healthcare, government, banks, etc. All of them have different use cases and requirements. In most cases, I would mostly end up with enterprises or government organizations. If you already have all Cisco gear, I would suggest considering it, as it will allow you to have a more integrated approach toward other network components.
I will definitely recommend it to any customer. But, it all depends on the requirements and money you have. But the Intrusion Prevention and anti-malware is really good with this solution. Overall, it is a really good product.
I remember a customer who was using another firewall product and they had serious issues in intrusion and malware detection and prevention. Plus, the reporting was not that detailed. I did a demo with these people with FTDv and FMCv and they were amazed with the solution.
The Firepower+ISE+AMP for endpoint integration is something that really makes it stand out from other vendor solutions. They have something called pxGrid and I think it is already endorsed by IETF. This allows all devices on the network to communicate. I find it to be a more proactive approach as all devices collaborate with ISE in real time. I did a demo for a customer and there were no second thoughts in the usability of the solution. You should give it a try to find out more about how this works.
The product line does not address the SMB market as it is supposed to do. Cisco already has an on-premises sandbox solution. They should include a cloud-based sandbox as part of the security subscription service. In my experience, apart from the expensive price, SMB customers are lured away by other vendor solutions because of these reasons.
I work for a systems integrator, who is also a partner for Cisco and other security vendors. I have a reasonable hands-on with different firewall products. I have been doing it since v6.1 release. Firepower is a bit difficult and takes time to learn.
I did use and deploy different firewall solutions for various customers. But every customer has his own pain points. For example, for one of the customers, he was purely looking for URL filtering. We went with Sangfor IAM in that case. They have a very strong focus on application and URL filtering and user behavior management. Plus, reporting was very extensive.
In my country, deployment may be charged from USD 1K to USD 10K depending on setup cost. There are different types of licenses:
I would suggest going with an all-in-one bundle. You will end up saving money. Also, Cisco has a better discount on a 3YR subscription plan. Discuss this with your Cisco AM.
Yes, this included firewalls from Huawei, Fortinet, Sangfor, and Sophos. Most of the customers end up with:
My primary use case is to have it as VPN hardware. I have 2,000 providers. I am a reseller and as such, I am connected to telcos. I use ASA because our providers use Cisco in their core network as well.
We had a situation where our network was down and the telecom providers at Cisco support helped us to resolve those issues. The downtime was brought down to a minimum.
The most valuable feature is that the encryption is solid.
I have been using Cisco ASA for thirteen years.
What I use now is sufficient based on the traffic that we are generating. We won't have to expand.
We have two providers for ASA. There is only one administrator. We have about 1.2 million connections going through one ASA per month.
Their technical support is very good.
I didn't previously use a different solution. We used Cisco and then we upgraded to ASA.
The initial setup was straightforward. To set up the VPN we are able to set up the feature key networks that are going to talk to each other. We can set up what access is going to be used. The connection was set up in one or two days.
We set it up twice. The first time it took four hours and the second time took ten hours spread out over two days.
I have seen ROI. We use ASA because our provider uses it and they have support. The provider initiates the support with Cisco. The support is good. The license for the support is expensive.
It is expensive.
I would recommend this solution. If you have the money, it's a very stable product. Make sure to keep critical spare parts. You might have for instance some modules that will need acceleration cards and those types of things.
I would rate it a nine out of ten.