Cisco Secure Firewall Reviews

We performed an in-house evaluation of Cisco ASA NGFW for use as an Internet Gateway Firewall and internal East-West traffic firewall between security zones. We are historically a Cisco shop and were planning on it being the top contender for our NGFW solution.

Cisco ASA NGFW running in "Firepower" mode - aka the actual NGFW mode was not "fully baked", so it didn't meet all our requirements to fit our network architecture. It requires a completely different language than ASA and we found it to be difficult compared to other top firewall vendor offerings.

Integration with all the other Cisco tools is valuable. However, we've moved away from all Cisco security tools since this evaluation. Firewall choice was key to what direction we went and we found not only was the competing firewall solution superior, but their endpoint protection solution was as well.

The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground-on-up.

With regards to stability, we had a critical bug come out during our evaluation.

It should be well scalable. However, we didn't see a good centralized management/monitoring system like the one that Palo Alto has.

Customer support was decent, although we definitely don't feel like you get the value of the mandatory support/maintenance fees.

We used Fortinet FortiGate, but as an early gen "NGFW" it was outdated. We have issues we don't believe would be resolved with their latest offering, so we didn't even evaluate it.

We found the initial setup much more difficult to do even simple things, like setting up VPN tunnels.

Our in-house team tested and evaluated the solution.

Watch out for hidden licensing and incredibly high annual maintenance costs. We bought much beefier Palo Altos for a less expensive one-time and annual cost.

Palo Alto Networks NGFW Firewall was compared in-house using the same configuration and testing, and it won hands-down.

Watch out for the marketing hype vs objective reality. Do the advertised features actually work correctly/effectively?

We chose a different solution after performing in-house testing.

Our primary use case for this solution is to protect the Internet Edge, and our VPN (Virtual Private Network).

We moved from a Legacy firewall to the ASA with Firepower, increasing our internet Edge defense dramatically.

The most valuable features for us are Firepower and the VPN concentration. These are easy to use and have good insights.

The product would be improved if the GUI could be brought into the 21st Century.

We are using the Cisco ASA NGFW as a next-generation firewall. We are using the 5516-X version. Our primary use case of this is as an X firewall for external connections.

Cisco ASA NGFW significantly improves our bank. It protects any high-value products that we use from hackers, viruses, malware, and script-bots. It gives us metrics on network traffic as well as what kind of attacks we are getting from the outside.

The most valuable features are the firewall capabilities, filtering, and intrusion prevention. 

I respect the capability of the Cisco firewall. We fully use it all as a complete firewall solution. Cisco also has excellent anti-malware detection and other similar features.

Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.

Stability is excellent.

It can easily scale. If you want, you can scale it to a lot of traffic. It's an X file, so all of our users are going through it.

We only require one administrator for the solution. For deployment and maintenance, it depends on how many developers you have. We require two dedicated staff at a minimum. 

Naturally, we employ both security technicians and administrators. Cisco ASA NGFW is being used at all our branches, and we'll continue using it in the future.

The technical support from Cisco is excellent.

We have only been using Cisco solutions.

The initial setup of the Cisco ASA NGFW is not easy, but at the same time also it is not complex. It's somewhere in the middle. It took about 4 weeks, then it was activated.

We used a reseller consultant for the deployment.

Our licensing costs for this solution is on a yearly basis. Just for the firewall, it's about $1.5 million USD.

We evaluated Palo Alto Networks, Fortinet FortiGate, and Checkpoint products.

For the Cisco ASA NGFW, it is a bit more expensive than other products, but their method is a lot more stable in my experience. It has all the features that you would need in a next-generation firewall. They are always developing new features and introducing them.

I don't have anything that I'm currently missing with Cisco. On a scale from one to ten, I would rate the product at eight.

Cisco has a new general firewall: the Firepower NGFW. If you take a look at the Cisco Firepower product line, they have three models available:

1. A low-scale model: the 2000 series
2. A high-end model: the 4000 series
3. The carrier-grade model: the 9000 series

We have already used the 4000 and 2000 series over here. We've been using this solution in Bangladesh for some customers over the last eight months. 

We've been using FPR 2110, 2120, 2130, & 2140. We also employ the FPR 4130 and 4140. We have been using this equipment on our last few projects. We used it as a transfer and for firewalling. The most recent one we are using for firewall support as well.

I have a two-part business. First, we provide solution services as a vendor for multiple customers working as a consulting firm. I'm providing multiple customers with support on-premises for Cisco products right now.

We are not able to use these products internally in our company. The second part of the business is my status or core business which is basically operating as a software solution provider.

I have personally engineered these Cisco firewall solutions for clients. When we implemented it, it was easy. We have to maintain high-end abilities in order to ensure the availability of high-end support for the clients. I generally have to look at everything. Later on, we were able to upgrade the Cisco Firepower NGFW easily. We were able to connect from the beginning to implement the complete number of files in the system. 

Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching.

I would say the Cisco Firepower NGFW actually gives superior intelligent behavior to transfer its active/passive infrastructure. Overall, Cisco Firepower NGFW has been a good power element in our systems due to its central location.

I would say when Cisco is selling something called a firewall, they put a lot of services together to make a single box solution. When a company develops a firewall, they need to develop certain features like intrusion control and offer it pre-loaded in the product. 

On the mix of projects that I am responsible for, I feel comfortable using the Cisco firewall for management. One feature lacking is superior anti-virus protection, which must be added.

I have to say I am very proud of the Cisco Firepower 41400 as it can give you multiple layers of four-degree connectivity in operations. 

We do not use the Cisco 9000, but even the lower level firewalls are pretty expensive, considering the features and software included.

In summary, we would like Cisco to provide more features inside regarding network trafficking forecasting. Ideally, the belief is that this would add an immediate resolution.

So far we haven't encountered any stability problems. You should have a lot of patches to apply to update the firmware. You can understand the firewall in less than a week.

We had some fraud introduced with our last box when Cisco produced an upgrade. The updated policy agreement was based on the wrong purchase date information. 

The faster integration that is available in our region is pretty smooth for the Cisco firewall right now. I haven't found that much of a limitation to any service. 

I used to have a lot of issues with firewall support. Now, I keep a good state of mind with Cisco. I can expect my capabilities going out of range eventually if we don't upgrade. 

Cisco has its own cloud platform. I am able to see a single dashboard with all of my firewall activities and network performance under diagnostics, which is really helping us out.

I would put the Cisco Firepower NGFW firewall into Transport mode, as you can do with most firewall systems for scalability. We used to have about 60% of our users on hold during six-week events. We still have certain problems without a firewall, but these days with the Cisco Firepower, we have over 80% of the load working.

As the customer integrator for enterprise contracts, we've been able to introduce Cisco Firepower to around 10 of our new customers in Bangladesh. At least 50 of the previous Cisco customers are still using the firewall solution right now under our support.

These are enterprise customers who require Cisco firewall support. We used to have a specialty in that which is really like the holy grail in rocket science. It used to be like that but now with Cisco's enterprise user base, we offer operational system support to reduce complexity a lot. It's really easy. It's not like you have to be a specialist.

In Bangladesh, we had a little issue with Cisco technical support. We run our own sidebar operations, so I am not so satisfied with Cisco customer support. 

Cisco Firepower devices have created a lot of differences with due dates over our service contract. Consequently, we don't really bother anymore with Cisco technical support. Bangladesh has a really good tech scene. That is the reason we are not that concerned about Cisco product support anymore. It's okay. We handle it our own.

We previously used Cisco ASA as a firewall.

The setup with the Cisco Firepower NGFW is very easy. I have used other networking and firewall equipment previously, including Juniper. I've implemented other solutions and those were really tricky compared to Cisco.

The Cisco firewall system has eliminated all our network setup problems. Earlier when we used other products for firewalls, it was very complex to set up. Cisco firewalls from the beginning have eliminated all of the difficult parts of the initial deployment. 

All you have to do is pull your management together and communicate to your team to follow the documentation provided by Cisco. Altogether, it is easy for our team to install the Cisco firewall products.

I did the installation myself and it took 48-50 hours, approximately, in the Transfer mode. We had a further two-hour window of augmenting and transforming the data. We were able to do that successfully. Eventually, we were able to transform the entire network setup.

The license in my country is available to subscribe for three years or one year. We wanted to go with the solutions for embedding a two-year subscription, but this was not possible.

The Cisco licensing agreement in Bangladesh is different than the one in India and in Dubai. It is not a problem, but if you want to subscribe to the yearly subscription, the original cost is really high. Also, if you go for an anti-virus, you pay for an additional yearly subscription. 

When we push customers to implement Cisco solutions, they can manage the subscription cost of Cisco internally to access these important solutions long term. Our clients have been able to secure surprisingly efficient service with the Cisco Firepower NGFW firewall solution.

This fall, we evaluated firewall equipment from Juniper Networks. This is a limitation for Cisco, as their pricing is too high. The fact is when I need to install and manage an enterprise network, Cisco has the capability of having support for the IC Treadway standards. Furthermore, I can actually manage my entire enterprise network in one dashboard. 

If I bring in tech from the outside, like Palo Alto Networks equipment, that won't be able to integrate with my regular Cisco environment. 

With Cisco devices, it was easier for me to grab the assets required on the network for installation. With other solutions providers, good luck managing that with any ease.

In my opinion, I would rather ask everyone to have a simple network. If you need multiple networking lines, like for the Cisco ASA or the Firepower NGFW, make sure you have ample tech support. 

There are many issues with connectivity in firewall systems, but Cisco quality is good. The connectivity of your network can really reduce your complexity over firewalls. 

I would suggest if you want to configure a complicated network scenario, go for a next-generation firewall. I would also suggest making your firewall options go to Cisco as they have some influential products right now. 

Once you are pushing the Cisco firewall, you'll be able to actually monitor and confirm each and every traffic coming in or going out of your network. 

Palo Alto Networks or Juniper Networks firewalls are ideal, slightly better than Cisco. They are not as easy as Cisco to use right now, but considering the cost and everything else, Juniper Networks equipment is really good. 

The fact is you need to consider just what you're achieving when you put in Cisco firewalls and implement Cisco routers.  For those on the verge of a new purchase, I would say that going for an expired model of firewall is definitely a good buy.

I would rate the Cisco Firepower NGFW with an eight out of ten points.

I have been using the Cisco ASA NGFW for about four months. Everything works fine right now. We have only been using this device for a very short period of time. 

• We have about 500 registered users and about 400-600 static users. 
• For 400 to 600 users with wireless devices, we use Cisco ASA NGFW to control device traffic. We're using the new web filters. 
• We use Cisco ASA NGFW as the bit application.

Thus far, we are using it as a web filter to filter the data against incoming traffic. We are an educational organization, so there is no gambling allowed. We don't want to allow students access to gambling sites or adult sites, etc. We use lots of web filters. That's the primary reason I installed the Cisco firewall. 

We are also happy with the Cisco ASA NGFW router firewall. It protects your small server infrastructure, but it's not complete. We purchased the Cisco ASA NGFW for the web filter. That's why we moved to the firewall.

Right now, Cisco ASA NGFW has given us a lot of improvement. We are planning to move to a new facility and will be a much larger organization. 

We have an opportunity to grow now. The Cisco ASA NGFW firewall can be upgraded to another version, so it's better for us long term. It is much better because we can control the traffic that students are accessing and downloading. There are still a lot of improvements that can be done. 

For organization security, Cisco ASA NGFW has robust cyber-security features. We are planning to increase the number of firewalls installed, especially for wireless connections.

We installed a Cisco path a month ago. There was a new update for the Cisco firewall and there were security issues.

We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco. 

I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense.

There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products. 

Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall.

The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.

For our users, there are rules for the students and staff have another RF for authorization. There are small file servers also within the domain controller. 

There is no special restriction for the students. They can print. They can visit outside websites online, but there is no gambling allowed at other sites.The students can access whatever they want over email or HTTP. Only the gambling and the betting sites, they cannot install the software. There are restrictions. 

The students can use their own mobile phones or wireless devices, whatever they want. They are using the shared public key authorization. Our institution doesn't have any restrictions about accessing legal data. Except in Georgia, we have a very big problem with gambling websites. There are a lot of gambling websites, so we are trying to restrict all of the gambling sites at our company. We have a contract for the next year. 

We are growing. In the next two years, we will have an additional 600 users, so we will double the capacity. We will see even more in the next three years. 

It will be like very tough. In about five-year cycles, you need to update the firewall and add other new Cisco devices for the next generation of innovation.

In five years, we will be ready for a complete upgrade cycle for everything. The stability and scalability of the Cisco ASA NGFW are good for when we need to grow. 

For the next five years, everything is fine. After that, we will see because there will be a lot of changes.

Technical support with Cisco is very good. We feel the company is very reliable and very competent. I have very good feelings about the future for project operations.

We had the old version of the Kerio firewall, but because in our country, there is no official dealer for Kerio, we moved to the Cisco ASA NGFW. This is the main reason why we moved to the Cisco firewall.

We announced the tender and bought this product with the installation plus setup included in the price. I was not involved in the installation or in the setup. 

The company just asked a consultant to do it. The whole process, after we announced the tender, took about one to two weeks. The consultant company installed the software. They also helped us to optimize other parts of the network such as the routers and switches.

The setup of the Cisco ASA NGFW was complex, not only for us as a firewall. We have now submitted another tender for a device router with two-node switchless support. We updated almost everything on the Cisco ASA NGFW with the core and distribution level software upgrades.

We paid about $7,000 for the Cisco firewall, plus another small Cisco router and the lead switch. It was under the combined license. It's a final agreement.

The Cisco license was not yearly. It was a yearly license for the firewall. For the router and switch, it was a lifetime license.

The other option we considered was Kerio. I tried to contact their office in Russia, but it is in the UK. I wanted to communicate with them because we cannot buy things without a warranty.

We considered buying Kerio products with the warranty, but they said we needed to send the device to them to repair it. This meant it would take too much time to replace it. In Georgia, we need a local distributor, i.e. a local representative here who we can work with, so that's the problem.

In Georgia, there is no problem using the Cisco firewall, because it's accessible. You cannot use other products, because they are not accessible. That's the whole problem.

I would rate Cisco ASA NGFW an 8 out of 10.

The primary use case for this solution is on the client side. PCS stands for
Perfect Computer Systems. We are an integration company, we specialize in solution integration, bringing together component subsystems into a whole and ensuring that those subsystems function together.

Cisco ASA NGFW has improved our organization by providing more internet protection. Also, for the end user, it provides easy access from outside for users accessing the site.

The feature that I found the most valuable is the overall stability of the product. 

The two areas that need improvement are the URL filtering and content filtering features.

These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.  

My impression of the stability of this solution is that it's great, excellent! 

As far as scalability, I haven't had any performance issues so far. There really isn't high utilization coming from the operations environment, so I don't need to upgrade the tier at the moment.

I don't have much experience with technical support since contacting tech support incurs additional costs. I have been relying on my technical knowledge and experience so far.

The initial setup was straightforward, though I find as we proceed we need an extra feature or two to enable all the functionalities and protection of the tool. It's an ongoing process. We have to be quick and agile to provide client support.

We implemented through an in-house team. 

The stability is the greatest ROI for this solution. 

My advice, since I have to pay for licensing each feature that I need to enable, like URL filtering, is to look at a pfSense. That is what we are doing because you have to pay for greater protection, a total solution can be very costly. We are looking at a pfSense, to bring down the total cost. The correct price point, in comparison to other platforms, is the main factor here.

During our initial decision-making process, we evaluated other options but the distinctions between all the options were quite minimal.

I am satisfied with the current facility and the management environment of the Cisco ASA, it's great for me.

I think that the cost would be the main factor when evaluating solutions since some of the companies or some of our clients ask about costs upfront. Once the client has made their initial request and inquired about any subsequent subsystem connectivity integration ideas, they always want to know how much everything will cost. The deciding factor is mainly based on the price point of the total user solution.

Overall, the criteria that we consider when constructing an integration decision depends largely on the client company we are working with. We evaluate clients based according to their size, industry function, and the total budget that would be recommended for an effective solution.

I would give this product a rating of 9 out of 10!

We use Cisco ASA with Firepower. Currently, we have been implementing the solution for around four years. Our company has been around for a long time, more than ten years. We cover the solutions for Network Direct Turbo ATM at the moment, it's a lot of the security work.

Cisco ASA is best at the technical part of the business, related to our selling and management services. We have to improve the technical functionality of the product as part of making an efficient service for the customer. We need to improve the customer's technical experience with Cisco ASA & Firepower.

There are two main ways that using Cisco ASA & Firepower has improved our organization:

1. Technical features
2. Our Sales team

With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management.

For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.

The stability of Cisco ASA is excellent compared to other products on the market. The performance is good. Compared to Fortinet on the watchband firewall, it is indispensable. Because of our customer experience as an integration company, our clients never report any performance problems. We have good performance from Cisco ASA.

ASA is limited in terms of its scalability because of our customer environments. They are in the banking and microfinance sector. Our clients always want to move to the next generation firewall so they like FirePOWER. When we move clients to Firepower, they need to integrate with Sourcefire and move into more complicated management.

We have the staff perform the migrations to Firepower. We redirected traffic with Sourcefire and also require the use of FMC by our management center with Firepower.

I've been exploring the technical support for Cisco ASA. I haven't had any problems with it.

The initial setup is straightforward. 

I always encourage our existing customers to move to the Cisco ASA Firepower version, i.e. the next generation Firepower like 2100, 4000, or 9300.

I would rate Cisco ASA an eight out of ten. An eight and not a ten because some of the features are limited and some are awful. We had to install other solutions for security and had to spend a lot on other hardware. Other vendors like Fortinet or Palo Alto Networks focus more on offering complete solutions.

I am a banker. I'm working in the bank and our equipment is mostly based on Cisco for the moment. We have some incoming projects to deploy from Fortigate to firewalls.

Cisco ASA is that something I used when I was preparing for my CCNP exams. I've been using it on the incoming project that we want to do right now. 

It is easy to deploy Cisco ISP solution in the bank I'm working in, i.e. Cisco Identity Services Engine. We're already used Cisco ISSO. 

I have three Cisco ASA modules:

1. Security for perimeters
2. Security for data centers
3. Data center recovery

I have been using Cisco ASA since I've been at the bank for more than two years now. The model is 5515X. I have two modules of 5515X and the third one is the old 55105. 

My primary use of Cisco ASA is to take advantage of all the features. I use it to enforce security policy and also to take advantage of the Firepower module.

I have a firewall module on my two instances of 5515X. On the Firepower side, I use all features on Firepower modules that are included in the AMP.

The biggest improvement has been in the internet features. We have been asked to prohibit internet access for all users except the bank services division and that is improved. 

For AMP features, we use Cisco ASA to track traffic in inbound and outbound patterns, so we can set expectations for network traffic. I also used the exception for encrypted traffic. 

One problem: Before installing encrypted traffic, I had to decrypt it first. Before setting it back, I encrypt it again. That's just the way Cisco ASA functions.

I would say the Firepower module is most valuable. I'm trying more to transition to this kind firewall. I had to study a little of the Palo Alto Networks equipment. There is a lot I have to learn about the difference. 

Based on my certification, I had to do a lot of lab work, a lot of projects, a lot of technical work with Cisco ASA. Now, I'm moving to other vendors, like Palo Alto Networks and Fortinet so that I can empower my level of technical experience.

• All my change requests are for Cisco ASA to work more on ease of management. 
• All of the features of Cisco ASA are used by all of the other vendors on the market. 
• The firewall solutions are all based on the same network equipment. 

The difference is why each business chooses to use it and how they implement the architecture for their solution using Cisco ASA and Firepower features.

The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. 

The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.

The stability of the Cisco ASA platform is okay. I know that Palo Alto is the first rated one, followed by Fortinet.

The scalability is based on module support. We have a stand-alone version. It is not 100% applicable to talk about scalability at this point. 

There is another Cisco ASA module available that is more scalable than ours. For the module I have, the stand-alone, the scalability is not as good as on the higher model. 

The 5585 model, allocated for data center security, can be facilitated into the switching spot or the working spot in our data center. We can recommend the scalability there. 

For the module I have, I'm using it as a stand-alone. I don't think it is scalable too much at this point. 

I'm using Cisco ASA in my organization to support about 150 staff. For maintenance, I do all of the work myself.

I do everything if you need a Cisco ASA solution to be deployed for an infrastructure requirement. We are just a team of three. There is just me and my colleagues. 

I'm in charge of all the infrastructure system, including the network and security infrastructure. On all tasks related to the system security and network infrastructure, I'm in charge of it.

I had to work with Cisco customer support two or three times, a long time ago. I had to work with them based on a problem with my call manager. We had a good ability to work together with Cisco customer support. It was normal. 

They asked about the information on the installation. I had to upload it to them. They took that and came back to my problem with the results. I had a good experience with them.

I didn't use a different solution in my bank, but on some other enterprise jobs, I used some unique firewall solutions. 

Since I have been at the bank, only Cisco ASA has been deployed. We just added two new modules. In the bank, we only use Cisco ASA solutions.

I will say Cisco ASA has a complex setup just based on the security policy we have to enforce (asked by the chief, the CIO). For me, it's not complex. 

Cisco ASA is not difficult because I am in it for a year so it's easy for me to understand. I have no problem on the technical side. I always manage to do what I'm asked to do on security-side enforcement. I have no problem with that. It's normal for me. 

It was 2 years ago that we were trying to deploy our facility equipment. We took advantage to deploy the Cisco ASA firewall (model 5515X). 

For now, it's the only one. Since then, we're using it in an upcoming project. I will have to deploy some Fortigate and Cisco ISL as well.

I don't have a technical problem implementing Cisco ASA. I am a double CCNNP and I'm preparing for my CCIE. On the technical side, I don't need help.

I had to work with external partners because they provide us with uptake equipment. They're available to follow up on the project with us. 

We just had to make some tests to deploy some labs. However, when it comes to configuring Cisco ASA for production, I was alone. 

On a security basis, we couldn't let the partner know the details of our address space. This is prohibited within our organization by security policies. 

I had to re-do everything from scratch. For this implementation of Cisco ASA & Firepowe, I was alone.

The licensing for Cisco ASA is on a yearly basis. We have to renew the Firepower module license. We are in the process of renewing this one. 

I just made the demand. They have the management who is charge asking about the price and payment terms on different offers. 

We are just a branch bank. The decision is not made here and the branches just have to follow the central policy.

Cisco ASA is a good solution. I never had a problem with. I will say that I mostly recommend Fortinet because of their ease of management and Palo Alto Networks because of their reputation for business efficiency.

I would rate Cisco ASA with an 8 out of 10 points.