Cisco Secure Firewall Reviews

E-commerce environment, Enterprise data center.

It has improved the security posture and visibility of our traffic. It has been proven very reliable on the hardware finishing and network portion. Since Cisco have been very experience in networking.                                                                                                                                                                                   

• Snort IPS with recommendation template
• Extendable hardware module
• Straightforward licensing
• Cisco product integration

• I would like to see more improvements made to the dashboard and UI, as well as to the reporting, the reporting is quite limited and not user friendly. 
• I would like them to consider offering more predefined security templates.
• Technical support product knowledge, licensing portal, activation process will need to be improved. 
• The configuration is not straightforward, Cisco will need to improve this so the user can easily pick up the product.
• Bugs are more than other firewall competitors, some bugs are quite serious. 

One to three years.

Yes, we found some firmware bugs and Cisco took some time to fix them. We needed to escalate the issue to the account manager to expedite the escalation process.

No.

A five out of 10.

Cisco ASA.

Complex in configuration and understanding. It would be very challenging for a non-Cisco trained engineer.

We implemented ourselves with some assistance from the vendor. Some vendor are not expertise in this deployment, possible because of the complexity of the product.

Base hardware cost are average. Additional hardware modules are priced higher than the base module. They also offer very clear licensing and pricing.

Check Point, FortiGate, Palo Alto, SonicWall, Huawei, and Sophos.

Cisco is still a very good hardware manufacture, but they need to catch up on the software portion. We used the Cisco product because we know they tried very hard to get back into the market and we were willing to give them a chance since we are still using a lot of Cisco product. For those who are non-Cisco trained, it would be very hard to pick up.

The primary use case is for edge firewall at multiple locations and remote access VPN. We use these for security and have them integrated with Splunk/QRadar.  

Edge security and Sourcefire have been nice. Sourcefire was a major improvement over the legacy IDS that it previously had. 

Sourcefire has been a great addition. The visibility and control have been nice. 

I also like the active/standby HA. 

The solution has two separate GUIs and at least three different CLIs (ASA CLI, Sourcefire CLI, and Firepower Management Center CLI). In addition, ASDM plus Firepower Management Center GUIs. If Cisco could stop rebranding, combine all the CLIs/GUIs, and give a consistent experience, this would be great. 

Also, AnyConnect is very difficult to manage and use. 

Cisco ASA is born as an hardware firewall. The user case is security check on company's external connections (Internet and VPN access).

Most recent versions include antivirus and intrusion prevention to add security layers (including the above scenarios and the internal network) 

Cisco ASA have been the main security device for many years, slowly replaced with Check Point on the main datacentre.

ASA is stable and with a low level of work required on the maintenance side. It is a dedicated firewall, so you do not have to manage additional topics like spam, web sites filtering and so on.The routing part is high level as usual with Cisco products.  

You have to know the ASA command line very well because not all operations are available in the graphical interface (or let's say that sometimes it is better to operate with the ASA CLI).If you are searching for an "all in one product" it is not for you

No, stability is a really strong point with ASA.

No, an assessment about the workload is important to select the right device.

Over many year, the only kind of support we needed directly from Cisco was (really seldom) for parts replacement

The previous solution was based on software firewalls that where not able to perform as the Cisco ASA

Setup of a firewall, on a medium / large deployment is always a complex work.

Cisco ASA (more than other vendors' solutions) require a lot of know-how and real world expertise to be configured properly.

More than one external team (Cisco partners) has been involved over time.

All of them were outstanding in their work.

Positive. The devices serves thousands of users for many years, outliving other vendors solutions.

Cisco devices are for sure costly and budget could be an important constrain on selecting them as our security solution. 

When the choice was made, some comparison was made with other market leaders but integration with the existing Cisco network was a really important positive side in the final decision.

ASA is one of the the state-of-the-art firewall devices for security.
It is affordable and not too complicated to use if you are doing standard operations (modifying ACLs, natting and so on) on an existing deployment.

There are a lot of features which are good and can be implemented, especially in the latest IOS version of the product.

They saved me a lot of time thinking how to solve different scenarios with other solutions.

Cisco AnyConnect for remote access is one of them. It is supported on most of the platforms, which business users use. They can gain access to the network, via functions like PBR, Security groups, contexts, and DNS doctoring. This gives a lot of flexibility to the product.

It gave us a more secure environment and a lot of flexibility to the business.

The next generations part of these products need a better approach. A lot of vendors are definitely a step or two in front of them.

I have worked with these types of firewalls for more than 10 years.

I can say that this product is one of the most stable products I have ever worked with.

In terms of scalability, this always depends on how the product was chosen and what purpose it will work for. I haven't experienced any issues with the scalability of the product.

In terms of technical support, it depends on the different cases. I would surely give Cisco technical support a rating of 9/10.

I used to work with open source solutions, but the support and complication behind them was definitely not OK. If you want to have flexibility and stability, you have to move on to something that receives more development in that specific area.

The initial setup was straightforward and there was a lot of documentation that can help out with specific cases.

This is definitely not a cheap solution, but I think it is worth the investment.

We evaluated other solutions like Juniper, but we chose Cisco, since our network was becoming more and more Cisco oriented.

I would recommend that you understand the needs of the business case before choosing the product and start implementing it. It is very important to choose the right licenses from the beginning.

We use them for VPNs and as firewalls, of course. We wanted to protect the network and have secure communication with our peers.

They secure the network and ensure our network is always available.

They are easy to maintain.

I would like to see them add more next-generation features so that you don't need a lot of appliances to do just one task. It should be a single solution.

I have been using Cisco ASA Firewalls for nine years.

In terms of stability, it is a really good product and platform. Overall, it's great.

It's not really cost-effective when it comes to scalability. It is a really expensive product if you go to the modular firewalls. You need to get new appliances to get new features.

Tech support is good but it could be improved on some points.

Neutral

I have used Fortinet, Check Point, and Palo Alto firewalls. Most of those solutions have everything integrated into them so you don't need multiple appliances. You get a single solution for your network. It would be better to have a centralized firewall, from Cisco, that can do everything.

The initial deployment was straightforward. The last implementation of an ASA took us about one to two weeks.

Our implementation strategy was to have good architecture and to have all the requirements for the project beforehand. Everything went really smoothly because of that.

We needed four or five people for deployment, including field techs and network engineers.

For clean and easy protection of an enterprise, it is a really good product. It can be also deployed as a virtualized solution in data centers.

We are using the solution for airports.

The Cisco NGFW is an excellent fit for purpose for our network security.

I have been using the solution for five years.

We have not had to deal with stability issues.

The support of the solution is great, their staff is perfect.

My team tells me that other solutions such as Fortinet and Palo Alto are easier to implement.

People have said that Palo Alto is a less expensive solution than Cisco, but in my experience, at least from today, Cisco is cheaper than Palo Alto. 

I do not hear anything bad about the competition. I am difficult to change my ways and learn a new product. Unless somebody comes and makes a SWOT analysis and shows me the evidence of how the alternative is better, I am fine with Cisco.

I would recommend this solution to others. 

I rate Cisco Firepower NGFW Firewall an eight out of ten.

I am a consultant and when clients ask for white papers or studies, I do the research. At that point, they do whatever change processes they have; I give them all of the numbers and other relevant data, but that's the extent of what we do in my organization.

They are just using it as a stateful packet inspection firewall, traditional firewalling.

At this point, my client is looking for their next solution so something may not be working.

The most valuable features for my client are the ASDM and monitoring.

They have familiarity with the Cisco CLI.

Cisco ASA is not a next-generation firewall product.

My client has been using the Cisco ASA solution for approximately five years.

They've been using it for five years and my assumption is that it's been good for what they needed it t do. However, they were consulting to move forward with something different.

The scalability is very limited because as a traditional firewall, it's a step behind. As far as the scale goes, my assumption is that you just buy a bigger model.

I was not consulting with this client when they implemented the Cisco ASA.

This is a hardware-based device, versus a virtual one, so it's maxed out.

My assumption is that it's a typical HA, basic setup.

My client is looking for a next-generation firewall solution to replace the Cisco ASA.

What they need is a step up from what they already have that includes application-controlled firewall rules, as well as other features that ASA doesn't currently have.

My suggestion for anybody who is looking at Cisco ASA is to work with the vendor, as they have newer products.

I would rate this solution a seven out of ten.

I use Firepower for all kind of customers; healthcare, government, banks etc. All all of them have different use cases and requirements. In most cases, I would mostly end up with enterprises or government organizations. If you are already have all Cisco gears, I would suggest to consider it as it will allow you to have a more integrated approach toward other network components.                                                                                      

I will definitely recommend it to any customer. But, it all depends on the requirements and money you have. But the Intrusion Prevention and anti-malware is really good with this solution. Overall, it is a really good product.

I remember a customer who was using another firewall product and they had serious issues in intrusion and malware detection and prevention. Plus, the reporting was not that detailed. I did a demo with these people with FTDv and FMCv and they were amazed with the solution.

The Firepower+ISE+AMP for endpoint integration is something that really stands it out with other vendor solutions. They have something called pxGrid and i think it is already endorsed by IETF.  This allows all devices on the network to communicate. I find it to be a more proactive approach as all devices collaborate with ISE in real time. I did a demo for a customer and there were no second thoughts in the usability of the solution. You should give it a try to find out more about how this works.

The product line does not address the SMB market as it is supposed to do. Cisco already has an on-premises sandbox solution. They should include a cloud-based sandbox as part of the security subscription service. In my experience, apart from the expensive price, SMB customers are lured away by other vendor solutions because of these reasons.                      

I work for a systems integrator, who is also a partner for Cisco and other security vendors. I have a reasonable hands-on with different firewall products. I have been doing it since v6.1 release. Firepower is a bit difficult and takes time to learn.

I did use and deploy different firewall solutions for various customers. But every customer has his own pain points. For example, for one of the customers, he was purely looking for URL filtering. We went with Sangfor IAM in that case. They have a very strong focus on application and URL filtering and user behavior management. Plus, reporting was very extensive. 

In my country, deployment may be charged from USD 1K to USD 10K depending on setup cost. There are different types of licenses:

• Threat
  
• URL
• Anti-malware

I would suggest going with an all-in-one bundle. You will end up saving money. Also, Cisco has a better discount on a 3YR subscription plan. Discuss this with your Cisco AM.

Yes, this included firewalls from Huawei, Fortinet, Sangfor, and Sophos. Most of the customers end up with:

• Fortinet,
  
• Sophos
• Sangfor