We had legacy Sourcefire Sensors and ASA stateful firewalls.
Cisco offered the FTD NGFW solution, but the implementation of the two systems was not successful.
The firepower sensors have been great; they do a good job of dropping unwanted traffic.
The VDB updates run on schedule, so less hands-on configuration is needed.
The software was very buggy, to the point it had to be removed.
We are moving completely away from Cisco NGFW. The product was pushed out before it was ready.
It's hard to judge how much time it saves our organization because it's doing things you don't realize. For example, when it's blocking web advertisements, when it's blocking phishing, when it's blocking geolocation, the time it saves is because of the things you might have had to deal with that, now, you don't. Any time we have some kind of internet-related event, it's definitely going to take us hours worth of time. We have to do an investigation, we have to report on it, we have to write something up. By protecting our environment it probably saves our security analysts a fair number of hours during the week.
It's the brick wall that keeps us from the bad guys. It does a lot of things. In the beginning when you just have a firewall, of course, it's your NAT and it's your Access Control List. It's the thing that allows traffic in and out. There is some routing involved in that too. But once you add Firepower onto it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering.
We used to do some web filtering on the Firepower but we moved into Umbrella once we started. We do use Firepower for one piece of web filtering because Umbrella has yet to provide it: advertisement blocking. We don't allow our end-users to go into advertisements. If they're going to go to a site, they have to know what the site is, not just try to hit some kind of Google ad to get to it because those can be dangerous.
In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth. It's definitely usable, though. You can get a lot of good information out of it.
It's hard to stay on the bleeding edge on firewalls because you have to be careful with how they integrate with Firepower. If you update one you have to update the other. They definitely have some documentation that says if you're at this version you can go to this version of Firepower, but you need to be careful with that.
We've been using Firepower for two to three years.
It's pretty stable. There are times where I'll get an email saying a process has stopped. But a few seconds later, they'll say it restarted it on its own. It's hardy enough that if it is having problems, it's bringing things back up. For the most part, it's been very reliable.
It's been really good. And even so, if I've had to reboot the actual appliance, I'll bring it back up and it's good to go.
We haven't hit that issue of scalability. We have increased the amount of traffic through it and it's handled it, but I think that's also a product of the ASA as well. If the ASA is going to choke, Firepower is going to choke as well.
We're going to be bringing in two new firewalls, as early as the fourth quarter or first quarter of 2020, and those are going to be pure FTD appliances. We'll probably be using those a little bit more extensively. I don't think we're going to be using the SSL portion, but we'll probably have the IDS/IPS, and we'll probably have the AMP turned on. That's because with the endpoints, we're not sure if we're going to be able to install an antivirus, so we can at least watch that. We'll probably use most of the suite on it.
I've always liked Cisco support. We're a pretty big Cisco shop, so you're not going to hear a lot of complaints from me about support. And not only that, but if I do have a problem with Cisco support, we get ahold of somebody - our customer-success people and the salespeople from Cisco who are focused on our organization - and we get help. It's very good.
Sometimes, I'll have to contact the first tier of tech support. I'll still open up a case. But in case that, for whatever reason, is not going to our satisfaction, at least we have a chain of command we can go through and talk to some different people. We might get it escalated if we're just not getting something fixed on time. But Cisco has very top-notch support.
We've been with Cisco and haven't had anything else yet. We haven't had a desire to move in a different direction. We've stayed with it because of how good it is.
We were initially introduced to Firepower by a consultant. At that time, it was for the web filtering because the web filtering we had was awful. We were using Sophos. Without getting too derogatory, it was just awful. There was no alerting and it was very hard to manage, whereas this is really easy to manage. With Cisco, it was very easy to set up content groups, to allow some users to get to some stuff and other users to not get to it. That's where it really started. There weren't any pros to Sophos that weren't in Firepower. We got rid of Sophos.
Our organization is a big believer in training, so I attended a five-day class on this. From that, I was able to set it up pretty easily.
We have a virtual appliance. Once it actually installs and we set IPs and got some of the base set up, it was done within about a day. But the time it takes will depend. We're not an organization that has 10,000 users. We're probably a medium enterprise, of about 400+ users, rather than a large enterprise, so our ruleset is comparatively small. As a result, it didn't take me as long as it might for some, a total of two or three days, and that's even with fine-tuning. But because we're still using the ASA and the ASDM, we still have those rules in the firewall. We're not really at the FTD point where all the rules are in there. If we were, to migrate it would probably take some time.
For me, it was relatively simple because of the valuable training I had. There are some good resources online, don't get me wrong. It was just nice to be able to do something hands-on at a place, in training, and then come back and be able to do it.
The neat thing is that the gentleman who taught us, instead of just teaching us the material from a book or even, "This is how you can pass the Firepower test," taught us how he would go into a Fortune 100 and set up an organization. I had almost a step-by-step lesson on how to keep going through the configurations to get to a finished product.
With a firewall, you're always coming back to it to tweak it a little bit. You might find, "Oh, I'm not getting the logging a lot," or, "Oh boy, this rule is doing this, but maybe I want to tighten it down a little bit more." But to get the base configuration, to get the objects in, it takes about a couple of days. At that point, you can at least have traffic going through it. You may not be blocking anything, but you can be monitoring things.
It was just me.
The return on investment would be the fact that I'm just not spending a lot of time either searching for things or trying to stop what's coming in and out of our network. The return on investment is the time I would have to spend during the day looking at things versus it proactively doing its job.
We're going to get to a point, not this year and not the coming year, probably going into 2021, where we're going to want to replace the ASA appliances with either virtuals or actual physicals. But the Firepower series of appliances is not cheap.
I just got a quote recently for six firewalls that was in the range of over half-a-million dollars. That's what could push us to look to other vendors, if the price tag is just so up there. I'm using these words "fictitiously," but if it's going to be outlandish, as a customer, we would have to do our due diligence and look at other solutions at that point.
In addition to that cost, there are licensing fees for some of the individual things like AMP, the IPS/IDS piece. It depends on what you want to use, such as the SSL piece and the VPN piece, which we don't use.
We haven't evaluated any other options. The only thing that may ever force us in that direction would be cost. Only if the cost of the solution got so large would we have to look at something comparable.
The neat part about this is how Cisco continues to evolve its product line and help us stay secure, while still doing our day-to-day business.
My advice would depend on how you want to use it. What are you looking for Firepower to do?
Firepower added features that, until we introduced into our environment, we could not have done. We probably could have added a third-party product but we would hate to keep doing all that. It's nice to be able to have our products from the same organization because then, if something's really wrong, we can talk to the same organization as we're trying to troubleshoot something through our environment. We use Cisco switches, Cisco routers, we use ISE, and Umbrella. We have a lot of products through Cisco.
We use the ACLs. We use the intrusion side, just to watch traffic. We have used the malware and have actually caught stuff in there. We do have a DNS policy so that at least we can check to make sure someone's not going to a bogus site; things can get blocked for that, but Umbrella is really good at what it does. We also have it connected to our Active Directory so I can see which users are going where, and that is valuable. But I can also see that in Umbrella, so there's some overlap.
For managing the solution it's me and at least one other person. I'm the primary resource on it.
We used to use AMP for endpoints through the Firepower but we decided to discontinue that. We have AMP on all our endpoints but with all the other things we have, such as Umbrella, we were satisfied enough with the security we have. We didn't want two different things possibly stopping files instead of having one console area to be able to see those kinds of things.
Overall, I would rate Firepower at eight out of ten. Every product can improve. But for what we're looking to do, it does a very good job.
The primary use case is to protect our departments. We have sub-departments or sites categorized by the number of users and types of applications. We categorize the latter in terms of small, medium, or large. Based on that, we select a firewall in terms of throughput and the number of concurrent sessions it can handle. We then deploy the firewall with a predefined set of rules which we require for inbound and outbound traffic.
We are in operations delivery and we need to support multiple clients. We have different departments where our primary responsibility is to protect our organization's assets and data and to store them in a centralized data center. Apart from that, we have responsibility to support our clients in terms of infrastructure.
All the devices are on-premise. Nothing is on the cloud or is virtualized.
One of the most valuable features in the current version is the dashboard where we have a complete analytical view of the traffic behavior. We can immediately find anomalies.
The most important point is the detection engine which is now part of the next-generation firewalls and which is supported by Cisco Talos.
Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.
The product's stability is perfect. From my observation, the mean time to failure is once in seven years or eight years. All the hardware in the device is quite stable. I haven't seen any crashing of the operating system.
Scaling is quite easy.
On a scale of one to ten, I would evaluate Cisco support as a ten. I get support in a fraction of time. There is no problem in getting support.
Since I have worked in this organization, Cisco has been the primary product that has been deployed.
The initial setup is quite straightforward. It's quite simple, without any complexities. Whenever we find any issue during the primary phase, we reach out to the Cisco technical support team for assistance and within a short period of time we get support from them.
The most recent deployment we did took about three weeks.
In terms of deployment plan, we go with a pre-production consultation. We create a virtual model, taking into account all the rules, all the cabling, and how it should work in the environment. Once everything on the checklist and the prerequisites are in place, then we migrate the existing devices into production.
As consultants, most of the time we deploy ASA by ourselves. If there is any complexity or issue, we get in touch with a system integrator or we open a ticket with the technical support team.
There would definitely be return on investment by going with Cisco products. They are stable.
For any organization looking for a secure solution that can be deployed in their domain or infrastructure, my advice is to go with Cisco Next-Generation Firewalls because they have a complete bundle of security features. There is a single pane of glass with complete management capabilities and analytic features to understand and gather information about the traffic.
The lessons that most of our clients have learned is that in deployment it is easy to configure and it is easy to manage. It's quite stable and they do not get into difficulties in terms of day-to-day operations.
We haven't faced any problems with this product.
Compared to other OEMs, such as Juniper and Fortinet, Cisco's product is excellent. There are no bugs and I don't see any lack in terms of backend and technical support. In my opinion, at the moment, there is no room for product enhancement.
Most of the users are system administrators working on their own domains. The minimum number of users among our clients is a team of 15 to 20; we have clients with up to 700 users at the largest site.
The product is quite extensively used in each department, to protect assets and data centers. We are using the attack prevention engine and URL filtering is also used at most of our sites. We are also using it for data center connectivity and for offloading transactions.
I would rate Cisco at ten out of ten for the functionality and the features they provide.
We are a reseller and system integrator, and this is one of the solutions that we provide for our end users. We have experience with many firewall products from different vendors.
The specific use case depends on the customer and their environment. They design the firewalls, and we supply the appropriate equipment.
The majority of deployments are on private networks.
The most valuable feature of the Firepower solution is FireSIGHT, which can be easily managed and is user-friendly.
The performance and the level of throughput need to be improved. This would make things easier for us.
I would like to see the inclusion of more advanced antivirus features in the next release of this solution.
Adding internet accounting features would also be a good improvement.
This solution is completely stable, and we have not had any issues.
Scalability of this solution is ok. They have the IPS (Intrusion Prevention System), online updates, and signature updates.
One customer might have, for example, two hundred and fifty users, whereas another might have one hundred users. There are different models for different numbers of end-users.
Technical support is ok, and we have had no problem with them.
The initial setup of this solution is straightforward.
The price of this solution is not good or bad. It is ok.
This is a solution that I recommend.
The biggest lesson that I have learned from working with this solution is to always update the firewall. If you do not have the latest updates then it will not function well, so always keep it up to date.
I would rate this solution an eight out of ten.
Our primary use case for this solution is to protect data from unauthorized access.
The most valuable feature of this solution is AMP (Advanced Malware Protection), as this is really needed to protect against cyber threats.
The IPS is a must for a firewall.
The firewall throughput is limited to something like 1.2 Gbps, but sometimes we require more. Cisco makes another product, Firepower Threat Defence (FTD), which is a dedicated appliance that can achieve more than ten or twenty gigabits per second in terms of throughput.
I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved.
This is a reliable solution.
We started with version 5.4, but there were many releases available on the website and we were obliged to aggregate, step by step, to reach the current version.
This solution is really scalable and reliable. In my opinion, Cisco products are always scalable.
Cisco has a very good team for support. They are always available, and they give you a flexible solution. It is not just about getting a solution. We are learning, as well, when we request assistance. They also have a knowledge base that we can access in order to find resolutions for problems.
We were using the SonicWall solution prior to this one, but it reached end-of-life because we had updated our architecture. This is why we migrated to a next-generation firewall. We had also been using Fortinet FortiGate.
The initial setup of this solution was a bit complex because it was a new technology for us. We did find documentation on the vendor's website, and it also helped that we found some videos on how to do the configuration.
Our initial deployment took approximately three months because we were learning from scratch. We still had some service requests open because we could not fine-tune the solution, and ultimately it took a full year to fully deploy.
This solution is managed by the qualified people in our network engineering team.
We tried to deploy this solution by ourselves, but our team was not quite qualified to implement this solution. It was a good opportunity for us to learn about it.
We are in the process of renewing our three-year license, which costs approximately $24,000 USD for the thirty-six months. In terms of licensing, this product costs a lot, but this cost can save my assets that could be millions for my company. There is no choice.
We did have knowledge of other products, but we chose this solution because it facilitates the sharing of information with their knowledge base. It helps you learn from scratch.
My advice to anybody who is considering this solution is not to think twice about it. There are a lot of features that come with the cost. These institutions secure our network and they have to do research. The price of this solution is justified when you consider that it secures our network and protects our valuable assets.
This is a very good solution but it is not perfection.
I would rate this solution a nine out of ten.
This solution is running behind the infrastructure and behind the hypervisor itself. We have two firewalls and two nodes in the cluster environment.
This solution is suitable for both cloud and hybrid-cloud deployments. I have implemented a cloud project, and one hybrid as well. The hybrid was between a public and a local cloud.
The Cisco security rules are very strict and very strong.
I like the Cisco ASDM (Adaptive Security Device Manager), which is the configuration interface for the Cisco firewall.
When comparing this solution to other products, the Fortinet UTM bundle has some better features in their most recent product. For example, there are better configuration features, the Sandbox is better, and so is the web censoring. These are currently in the Cisco solution, but they are better in Fortinet. The Sandbox and the Web Censoring in this solution need to be improved.
This solution has to be more secure from the cloud. The current trend is moving towards private cloud and hybrid cloud, so it is very important to consider the cloud security aspects when the solution is installed. This includes things such as IoT and the existence of user connectivity on the cloud.
The stability of this solution is great. The Cisco name and hardware are enough. The product is used in tier four data centers, so it is very trusted and very dependable. If you compare Cisco to others, the high industry and high workload have gone to Cisco. Stability is very, very high.
This is a scalable solution.
In terms of the number of users, it depends on the customer. A small customer may have less than twenty users. A larger customer can be complicated by having different branches with different users and different security rules. This means that you can reach up to the hundreds.
Technical support for this solution is good. Most of the technicians are technical people that have certifications such as CCNA, CCNP, CCIE, and CCISP. I think that they are well knowledged and well educated about the Cisco culture, industry, and products.
The Cisco distributors are everywhere, even if I'm speaking about the Middle East. I can find distributors everywhere in Dubai. Here in Dubai, the support is great, including for firmware updates, and even replacing the hardware when the firewalls crash.
The initial setup of this solution is straightforward.
The deployment does not take much time. It is just a matter of installing the firewall and configuring the basic system to get it up and running. That's it.
There are, of course, different models of deployment, like deploying customers, that have to be considered. However, for the most part, deployment time is not an issue at all.
The pricing for Cisco products is higher than others, but Cisco is a very good, strong, and stable technology. If we compare Huawei or FortiGate or others then the prices are lower, but the higher Cisco price is acceptable because of the stability, trust, and reliability.
This is my first recommendation for firewalls, and my second recommendation is Fortinet FortiGate.
This is the number one firewall product that I recommend.
I would rate this solution an eight out of ten.
Our primary use case of this program is network protection.
Up until now we haven't been down due to issues with the internet connection or denial of service, so the program does what it claims to do.
The firewalls of this program protect my internet from dangerous internet sites. For us, Cisco is the number one in firewall protection. We are seeking to buy another UTM solution for band management.
The program is very expensive.
We haven't had any problems with the stability so far.
We have 500 users working on the solution and I believe it may increase, so I believe the program is scalable.
The technical support from the company is very good. They are always available when we have problems.
We did use another UTM solution before for firewall, URL and band management. We didn't switch, we just have two layers now. If we want to use Cisco for band management or URL safety, we have to pay a license fee and it is very expensive.
The initial setup was straightforward and it took the company about a day to deploy the firewalls.
The licensing is very expensive.
In the future, I would like to see friendlier configuration and only one license because everything needs a license. You need a URL license, security license, everything is based on a license. I would like to have one license that covers everything. But I am really impressed by the program and my rating is nine out of ten.
We primarily use the solution for internet access firewalls.
The solution allows you to be more agile and react faster.
The Sourcefire stuff itself is the most valuable feature. Signature detection, intrusion detection, IDS, and IPS are all very good. AMP is very useful. I like that you can put it onto devices as well. The aggregated views in FMC that you get when you're a global shop which is centralized, and then offers gateways per region. In Europe, America and APAC, you have all the data coming together in the FMC. That's quite nice.
The FMC could be a little bit faster.
It will be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.
The stability of the solution is very good. We can see that it gets even better with every release.
For us, the scalability is good, because we sized everything right, right from the beginning. If you size it right, it's very good. We don't plan on adding more firewalls, unless we suddenly grow exponentially, which we're not expecting to do at this point.
We only contacted technical support during initial implementation and that was all handled by the consultant. I have a lot of other Cisco related tickets open, so we're used to the process.
I would say, however, that we're also using Meraki, and the Meraki support is way better, in my opinion.
Cisco support tends to take longer, and I mean really long given the fact that subject matter is sometimes also more complicated, so it really depends. When you compare that directly to Meraki, Meraki answers the same day, and I cannot say that about the legacy Cisco support items. I can understand that the market for the legacy service is so much bigger for Cisco, so I can see why it takes longer.
The initial setup was complex because we had to migrate old ASA firewalls. The ACLs, or rather the policies, are very different now, and way more elaborate, so that took some tweaking, and some consulting and some time.
Deployment took two months. We had to make sure that our old ACL base settings from the ASAs were correctly translated and implemented into the new FTD setups.
We used a consultant to assist with implementation.
We've looked at a few options, but we have an internal policy that says, unless noted otherwise, network equipment has to be Cisco based. We had to go with a Cisco product.
We are using the on-premises deployment model.
My advice for those considering the solution is this: if you want to migrate something, plan enough time for testing before you come over to the solution. You should also watch as many webinars as you can about that solution, or get a consultant and do a proper lab set up and go through the whole thing with them. It's definitely worthwhile, given the complexity of the whole product.
I would rate the solution nine out of ten.
