Executive Vice President, Head of Global Internet Network (GIN) at a tech services company with 10,001+ employees
Real User
Top 20
The analysis tools and encrypted traffic analysis save time but the licensing is complicated
Pros and Cons
  • "Application inspection, network segmentation, and encrypted traffic detection or encrypted traffic analysis (ETA) are valuable for our customers."
  • "The usability of Cisco Firepower Threat Defense is an issue. The product is still under development, and the user interface is very difficult to deal with."

What is our primary use case?

We have all kinds of use cases. Our customers are large enterprises, and they need perimeter security. Zero trust, network access control, and network segmentation are quite important these days.

We are a partner and reseller. We implement, and we resell. As a Cisco Secure reseller, we have all the expertise. Our customers are usually overworked and have no time to learn how to implement these things and get some expertise. That's what we bring in. We help them select the right solution, select the proper design and architecture, and implement it. They basically lack the time and expertise, and we are a trusted advisor who helps them with their issues.

How has it helped my organization?

I'm working with security. It improves the security posture of our customers and protects them from threats. We recently saw a bunch of hacks in Germany and our customers are concerned. We help to protect our customers from that, and that's very important.

The analysis tools and encrypted traffic analysis save time. They help detect security threats and incidents that can cause outages for customers. It's a great improvement.

What is most valuable?

Application inspection, network segmentation, and encrypted traffic detection or encrypted traffic analysis (ETA) are valuable for our customers. I'm from Germany, and in Germany, people are very concerned about privacy. We have a bunch of public customers, and they have an issue with decrypting traffic, even if it's only for security analysis. They have some fears. So, they are quite interested in the capability to detect threats without decrypting traffic.

What needs improvement?

The usability of Cisco Firepower Threat Defense is an issue. The product is still under development, and the user interface is very difficult to deal with. That's one area where it should be improved. Another area for improvement, which is also related to the firewall, is stability. We are having stability issues, and we had some cases where customers had a network down situation for about one or two days, which is not great.

Buyer's Guide
Cisco Secure Firewall
March 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
763,955 professionals have used our research since 2012.

For how long have I used the solution?

As a partner, I have been working here for about nine years, but we offered this solution all the time. The company has probably been doing that for at least 15 years.

What do I think about the stability of the solution?

Cisco Firepower Threat Defense has improved a lot over the last few years, but we sometimes still have really big issues.

How are customer service and support?

Their support is pretty awesome. It doesn't really matter if you have a hardware issue or a software issue. If it's a hardware issue, you get a replacement quickly, and if you have a software issue, you get quick support. There are also some bad examples. I have one from wireless where after a problem was acknowledged, it needed about one year to get fixed. It depends a little bit on how complex the issue is, but in general, it's quite okay.

Which solution did I use previously and why did I switch?

We are also selling Fortinet, Palo Alto, and Check Point. We sell all solutions, but I'm quite focused on Cisco. It's mostly because I have the most expertise and experience with it over the years. I've been working with Cisco security solutions for 15 to 20 years. That's where my expertise is, and with Cisco, you have a solution for everything. It's not always the best of breed, but in the overall solution frame, you have something for everything, and they interact nicely with each other, which is great.

How was the initial setup?

The deployment model is totally customer dependent. The way we work, we look at the customer environment and develop a proper deployment model for them. Some of them are using enterprise agreements. It's becoming more and more common, so they can use several solutions at once or with some kind of added use price and other benefits.

I'm not always involved in the deployment. I work as an architect. I do not implement all the solutions I design, but I implement some of them. For me, it's important because, for one, I like it, and the second thing is that I need to have some kind of hands-on experience to understand the solution so that I can make better designs.

If you do the initial setup for the first time, it's somewhat complex, but over time, you get the experience, and then it's more or less straightforward.

Our clients rarely used the firewall migration tool. It gives you a starting point for the configuration, but usually, there are so many things you need to rework afterward. We use it sometimes, but it only does a part of the job.

It does require maintenance. The clients have maintenance contracts for that.

What about the implementation team?

In our company in Germany, just for the security solutions, we have about 20 to 30 engineers. They are experienced in different areas. For the firewalls, we have 10 engineers.

What's my experience with pricing, setup cost, and licensing?

Cisco was never a cheap solution. Compared to other vendors, it's more or less at the same level, except maybe Fortinet which is fairly cheap.

In terms of licensing, we still have issues with the subscription model. Many of our customers are used to buying a solution and owning it. It takes time to convince people to go for the subscription model. That's still an issue for us.

What other advice do I have?

We have Cisco Firepower Threat Defense, email security, web security, and Cisco Umbrella. Most of the time, I am working with Identity Services Engine for identity-related things. That's the main product I work with all the time. I have almost no direct contact with Talos, but I know that below the hood, it just improves all their security solutions.

To those evaluating this solution, I would advise being a little bit careful with it. It interfaces well with other Cisco solutions, so it has value, but it's not always the best solution.

At the moment, I would rate it a six out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
DavidMayer - PeerSpot reviewer
Solution Architect at an energy/utilities company with 1,001-5,000 employees
Video Review
Real User
Top 20
Best support and good detection capabilities, but needs improvement in stability and functionality
Pros and Cons
    • "The most valuable features of the product are the VPN and the NextGen firewall features such as application control, URL filtering, etc."
    • "There is room for improvement in the stability or software quality of the product. There were a few things in the past where we had a little bit of a problem with the product, so there is room for improvement."

    What is our primary use case?

    I'm working as a Solution Architect for an energy provider in Austria. We have approximately 1,500 people working in Austria and also in some neighboring countries.

    We are using Cisco Secure Firewall. We started with Cisco ASA long ago, and now, we have Cisco Firepower or Cisco Secure Firewall. We are using the product as a perimeter firewall and for remote access VPN and site-to-site VPN tunnels with other partner companies. So, the primary use case of Cisco Secure Firewall is to secure our perimeter, but it's also for the remote access VPN for employees in the home office or if they are outside the company.

    How has it helped my organization?

    The benefit of using Cisco Secure Firewall is that there is a lot of integration with other Cisco products like Cisco ISE or even with third-party systems. It's important to have these integrations with other systems. On one hand, you get more visibility, and on the other hand, you can also use the information that you have from the firewall in other systems, such as a SIEM or other similar things. You overall get better visibility and better security.

    In terms of securing our infrastructure from end to end so that we can detect and remediate threats, when it comes to detection, it's pretty good because you have the background of Cisco Talos. I can't say if it's the truth, but they probably are one of the top players in threat hunting, so it's pretty good at detecting known things that are outside.

    What is most valuable?

    The most valuable features of the product are the VPN and the NextGen firewall features such as application control, URL filtering, etc. These features are especially valuable because nowadays, it's not enough to just filter for source and destination IPs. You need more insights or visibility to see which applications are passing your perimeter, which applications you want to allow, and which ones you want to block. Without this visibility and these features, it's a little bit hard to secure your network.

    What needs improvement?

    There is room for improvement in the stability or software quality of the product. There were a few things in the past where we had a little bit of a problem with the product, so there is room for improvement. In the past, we had problems with new releases. 

    Also, from the beginning, some functionalities or features have not worked properly. There are bugs. Every product has such problems, but sometimes, there are more problems than other products, so it's definitely something that can be improved, but Cisco seems to be working on it.

    What do I think about the stability of the solution?

    There is room for improvement in the stability of the product.

    What do I think about the scalability of the solution?

    I know that there are several models for every type of scale that you need. For small branches up to the data center or even for the cloud, there are models, but so far, we only have one cluster. Among all these different types, we found the perfect matching size for our company.

    How are customer service and support?

    The Cisco support with Cisco TAC is pretty good. With the TAC Connect Bot that you have with WebEx, you can easily open a case or escalate the case through the WebEx app. That's pretty cool. Also, the engineers that are working for Cisco TAC are really good. Among all the vendors that we have in place, it's the best support that we have experienced. I'd rate them a 10 out of 10 because compared to the other vendors that we have in place, it's definitely the best support.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We have a multi-vendor strategy for the firewall so that if there is some security issue in the software or something like that, you are not directly impacted, and there is another vendor in between. If I compare Cisco Secure Firewall with the other vendor that we have in place, the pro for Cisco Secure Firewall is that detection is better with the database of Talos. The con that comes to my mind is the deployment time when you deploy a change. With the other vendor, the change is more or less deployed immediately, whereas, with Cisco Secure Firewall, you have to wait for a few minutes until the change is deployed. This is one of the biggest cons on this side because if there's a misconfiguration, you are not able to correct the issue as fast as with the other vendor.

    How was the initial setup?

    We migrated from Cisco ASA to Cisco Firepower, and it was straightforward because there were some migration tools to export the old ASA rule set and import it into Cisco Secure Firewall. With these tools and the documentation that you find on Cisco's site, it was pretty straightforward, and we had nearly no problems with the migration to Cisco Secure Firewall.

    In terms of the deployment model, we have one high-availability cluster, and, of course, FMC to manage this cluster. These are physical clusters, and we have them on-prem in our data center.

    What about the implementation team?

    For deployment, we worked with our partner who helped us a little bit with the migration. Our partner's engineer had good knowledge and supported us when we had questions. When we didn't know how to do something, they helped us with that.

    What's my experience with pricing, setup cost, and licensing?

    The licensing models that are available for Cisco Secure Firewall are okay. You have nearly every option that you need. You can pick filtering, advanced malware protection, or all the available features. It's sufficient.

    In terms of pricing, there are, for sure, some cheaper vendors, but overall, it's nearly the same. It has a fair price.

    What other advice do I have?

    To those evaluating Cisco Secure Firewall, I'd advise thinking about what are your use cases and what's your goal to achieve with this product. It's also a good idea to talk to other customers or a partner and ask them what's their experience and what they think about it, and if it's suitable for this use case or not. And, of course, it's also a good idea to do a proof of concept or something like that.

    At the moment, I'd rate Cisco Secure Firewall a six out of ten. The reason for that is that we are having some problems with the stability and functionality of the product, but there are also features, such as VPN, that are working from day one without a problem. So, there are good parts, and there are parts that are not working as well as we would like them to, but we and Cisco TAC will solve this in the future, and then the rating will go up.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Product Owner at a manufacturing company with 10,001+ employees
    Real User
    Top 20
    Protects our landscape, secures segments, and has good support
    Pros and Cons
    • "Protecting our landscape in general and being able to see logging when things aren't going as set out in policies are valuable features. Our security department is keen on seeing the logging."
    • "The integration between the on-prem proxy world and the cloud proxy would benefit us. One single policy setting would make sense."

    What is our primary use case?

    We use WSA proxy and Cisco Firepowers with the FMC suite and Cisco Umbrella. We mainly use WSAP for on-premises data centers to get traffic outbound to the internet. Cisco Umbrella is for our endpoints, and Cisco firewalls are to protect our perimeter but also internal choke points to secure segments on our LAN.

    Currently, we don't have any integrations between the three of them. They all run in isolation. 

    How has it helped my organization?

    Our external partner does the day-to-day management. We are not using it on a day-to-day basis. We position the products from within my team, but the detection mechanism is different per platform. We mainly trust the policy, and our security department is checking logs for anomalies in the patterns.

    In terms of cost savings, we've been using this mechanism for years on end, so we haven't been able to see a real cost reduction between using our own personnel versus our external partner for management. It has been like that for 10 years or so.

    In terms of time savings, it doesn't put too much burden on day-to-day activities to go over the details. The policies are rather straightforward, and anything not configured is not allowed. In that sense, it's easy.

    What is most valuable?

    Protecting our landscape in general and being able to see logging when things aren't going as set out in policies are valuable features. Our security department is keen on seeing the logging. 

    What needs improvement?

    If WSAP remains to be an active product, it might be an idea to integrate the configuration policy logic between Umbrella and WSAP. There should be one platform to manage both.

    The integration between the on-prem proxy world and the cloud proxy would benefit us. One single policy setting would make sense.

    How are customer service and support?

    That's great. Sometimes, you need to be clear on the severity levels, but once determined, we have a good experience with tech support.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    That was long ago, but we had Blue Coat proxies before. We switched because of our strategy to go for Cisco as an ecosystem.

    We chose Cisco products because we have a Cisco-first strategy. We typically check first with the Cisco product portfolio and then make up our minds. Historically speaking, it serves our interests best.

    How was the initial setup?

    I am not involved firsthand in its deployment. We have an oversight role within our company, so we ask our external supplier to do the implementation, and when needed, to have it validated via Cisco, but I've no real hands-on experience.

    What was our ROI?

    I would expect that we have seen an ROI because our sourcing department would make sure we get the best price for the solution.

    What's my experience with pricing, setup cost, and licensing?

    Licensing is quite difficult to get your head around. My biggest challenge is to understand the details, the inner relations. Luckily, to some extent, we have enterprise agreements, but licensing for me is a real black box.

    What other advice do I have?

    I'd rate it an eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Paul Nduati - PeerSpot reviewer
    Assistant ICT Manager at a transportation company with 51-200 employees
    Real User
    Top 10
    Includes multiple tools that help manage and troubleshoot, but needs SD-WAN for load balancing
    Pros and Cons
    • "I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are."
    • "A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition."

    What is our primary use case?

    We have two devices in Active-Active mode, acting as a perimeter firewall. It is the main firewall that filters traffic in and out of our organization. This is where there are many rules and the mapping is done to the outside world. We use it as a next-generation firewall, for intrusion detection and prevention.

    It's also linked to Firepower, the software for network policies that acts as our network access control.

    How has it helped my organization?

    I find it very useful when we're publishing some of our on-prem servers to the public. I am able to easily do the NATing so that they are published. It also comes in very handy for aspects of configuration. It has made things easy, especially for me, as at the time I first started to use it I was a novice.

    I have also added new requirements that have come into our organization. For example, we integrated with a server that was sitting in an airport because we needed to display the flight schedule to our customers. We needed to create the access rules so that the server in our organization and the server in the other organization could communicate, almost like creating a VPN tunnel. That experience wasn't as painful as I thought it would be. It was quite dynamic. If we had not been able to do that, if the firewall didn't have that feature, linking the two would have been quite painful.

    In addition, we have two devices configured in an Active-Active configuration. That way, it's able to load balance in case one firewall is overloaded. We've tested it where, if we turn off one, the other appliance is able to seamlessly pick up and handle the traffic. It depends on how you deploy the solution. Because we are responsible for very critical, national infrastructure, we had to ensure we have two appliances in high-availability mode.

    What is most valuable?

    I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are.

    The ASDM makes it very easy to navigate and manage the firewall. You can commit changes with it or apply them before you save them to be sure that you're doing the right thing. You can perform backups easily from it.

    It also has a built-in Packet Tracer tool, ping, and traceroute, all in a graphical display. We are really able to troubleshoot very quickly when there are issues. With the Packet Tracer, you're able to define which packet you're tracing, from which interface to which other one, and you're able to see an animation that shows where the traffic is either blocked or allowed. 

    In addition, it has a monitoring module, which also is a very good tool for troubleshooting. When you fill in the fields, you can see all the related items that you're looking for. In that sense, it gives you deep packet inspection. I am happy with what it gives me.

    It also has a dashboard when you log in, and that gives you a snapshot of all the interfaces, whether they're up or down, at a glance. You don't need to spend a lot of time trying to figure out issues.

    What needs improvement?

    Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked.

    The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other.

    When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even Fortigate can.

    A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the ISPs you have, and giving you the best output.

    I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.

    For how long have I used the solution?

    I have been using Cisco ASA Firewalls since November 2019.

    What do I think about the stability of the solution?

    Cisco products are quite resilient. We've had problems due to power failures and our UPSs not being maintained and their batteries being drained. With the intermittent on and off, the Cisco ASAs, surprisingly, didn't have any issue at all. The devices really stood on their own. We didn't even have any issue in terms of losing configs. I'm pretty satisfied with that.

    I've had experience with some of the new Cisco devices and they're quite sensitive to power fluctuations. The power supply units can really get messed up. But the ASA 5516 is pretty resilient. We've deployed in a cluster, but even heating up, over-clocking, or freezing, has not happened.

    We also have the Sophos as a bridge, although it's only a single device, it is not in a cluster or in availability mode, but we've had issues with it freezing. We have had to reboot it.

    What do I think about the scalability of the solution?

    It's easy to scale it up and extend it to other operations. When we merged with another company, we were able to extend its usage to serve the other company. It became the main firewall for them as well. It works and it's scalable.

    It's the main perimeter firewall for all traffic. Our organization has around 1,000 users spread across the country. It's also our MPLS solution for the traffic for branch networks. It's able to handle at least 1,000 connections simultaneously, give or take.

    Which solution did I use previously and why did I switch?

    Prior to my joining the organization, there was a ransomware attack that encrypted data. It necessitated management to invest in network security.

    When I joined the project to upgrade the network security infrastructure in our organization, I found that there was a legacy ASA that had been decommissioned, and was being replaced by the 5516. Being a type-for-type, it was easy to pick up the configs and apply them to the new one.

    How was the initial setup?

    When I joined this organization, the solution had just been deployed. I was tasked with administrating and managing it. Managing it has been quite a learning curve. Prior to that, I had not interacted with ASAs at all. It was a deep-dive for me. But it has been easy to understand and learn. It has a help feature, a floating window where you can type in whatever you're looking for and it takes you right there.

    We had a subsidiary that reverted back to our organization. That occurred just after I started using the 5516 and I needed to configure the integration with the subsidiary. That was what I would consider to be experience in terms of deployment because we had to integrate with Meraki, which is what the subsidiary was using.

    The process wasn't bad. It was relatively easy to integrate, deploy, and extend the configurations to the other side, add "new" VLANs, et cetera. It wasn't really difficult. The ASDM is a great feature. It was easy to navigate, manage, and deploy. As long as you take your backups, it's good.

    It was quite a big project. We had multiple solutions, including Citrix ADC and ESA email security among others. The entire project from delivery of equipment to commissioning of the equipment took from July to November. That includes the physical setup and racking.

    Two personnel are handling the day-to-day maintenance.

    What was our ROI?

    We have seen ROI with the Cisco ASA, especially because we've just come to the end of the three-year subscription. We are now renewing it. We've not had any major security incident that was a result of the firewall not being able to detect or prevent something. That's a good return on investment.

    Our device, the 5516, has been declared end-of-life. The cost of upgrading is almost equivalent to deploying a new appliance. But having had it for three years, it has served its purpose.

    As with any security solution, the return on investment must be looked at in terms of what could happen. If you have a disaster or a cyber attack, that is when you can really see the cost of not having this. 

    What's my experience with pricing, setup cost, and licensing?

    Cost-wise, it's in the same range as its competitors. It's likely cheaper than Palo Alto. Cisco is affordable for a large organization of 500 to 1,000 users and above.

    You need a Cisco sales partner or engineer to explain to you the licensing aspects. Out-of-the-box, Firepower is the module that you use to handle your network access policy for the end-user. It's a separate module that you need to include, it's not bundled. You need to ensure you have that subscription.

    A Cisco presales agent is key for you to know what you need. Once they understand your use cases, they'll be able to advise you about all the licenses you need. You need guidance. I wouldn't call it straightforward.

    With any Cisco product, you need a service level agreement and an active contract to maximize the support and the features. We have not had an active service contract. We just had the initial, post-implementation support.

    As a result, we've wasted a bit of time in terms of figuring out how best to troubleshoot things here and there. It would be best to ensure you are running an active contract with SLAs, at least with a Cisco partner. 

    Also, we were not able to use its remote VPN capabilities, Cisco AnyConnect, because of a licensing limitation.

    What other advice do I have?

    I would encourage people to go for the newer version of Cisco ASA. 

    When you are procuring that device, be sure to look at the use cases you want it for. Are you also going to use it to serve as your remote VPN and, in that case, do you need more than the out-of-the-box licenses it comes with? How many concurrent users will you need? That is a big consideration when you're purchasing the device. Get a higher version, something that is at least three years ahead of being declared end-of-life or end-of-support.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Augustus Herriot - PeerSpot reviewer
    Senior Infrastructure Engineer at an insurance company with 10,001+ employees
    Real User
    You can consolidate technology and equipment with this product
    Pros and Cons
    • "The technical support is excellent. I would rate it as 10 out of 10. When there has been an issue, we have had a good response from them."
    • "When we first got it, we were doing individual configuring. Now, there is a way to manage from one location."

    What is our primary use case?

    We were looking to consolidate some of our equipment and technology. When we switched over, ASA was a little bit more versatile as firewalls or VPN concentrators. So, we were able to use the same technology to solve multiple use cases.

    We have data centers across the United States as well as AWS and Azure. 

    We use it at multiple locations. We have sites in Dallas and Nashville. So, we have them at all our locations as either a VPN concentrator or an actual firewall.

    How has it helped my organization?

    Cybersecurity resilience is very much important for our organization. We are in the healthcare insurance industry, so we have a lot of customer data that goes through our data center for multiple government contracts. Making sure that data is secure is good for the company and beneficial to the customer.

    It provides the overall management of my entire enterprise with an ease of transitioning. We have always been a Cisco environment. So, it was easy to transition from what we had to the latest version without a lot of new training.

    What is most valuable?

    • Speed
    • Its capabilities
    • Versatility

    What needs improvement?

    When we first got it, we were doing individual configuring. Now, there is a way to manage from one location. We can control all our policies and upgrades with a push instead of having to touch every single piece.

    For how long have I used the solution?

    We have been using ASAs for quite a number of years now. 

    What do I think about the stability of the solution?

    We have other things around it going down, but we really don't have an issue with our ASAs going down. They are excellent for what we have.

    There is rarely maintenance. We have our pushes for updates and vulnerabilities, but we have never really had an issue. 

    What do I think about the scalability of the solution?

    It is very scalable with the ability to virtualize, which is really easy. We do it during our maintenance window. Now, if we plan it, we know what we are doing. We can spin up another virtual machine and keep moving. 

    How are customer service and support?

    The technical support is excellent. I would rate it as 10 out of 10. When there has been an issue, we have had a good response from them.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We were previously using a Cisco product. We replaced them a while back when I first started, and we have been working with ASAs ever since.

    We did have Junipers in our environment, then we transitioned. We still have a mix because some of our contracts have to be split between vendors and different tiers. Now, we mostly have Apollos and ASAs in our environment.

    How was the initial setup?

    I was involved with the upgrades. Our main firewall was a Cisco module, so we integrated from that because of ASA limitations. This gave us a better benefit.

    The deployment was a little complex at first because we were so used to the one-to-one. Being able to consolidate into a single piece of hardware was a little difficult at first, but once we got past the first part, we were good.

    What was our ROI?

    We have seen ROI. When I first started, everything was physical and one-to-one. Now, with virtualization, we are able to leverage a piece of hardware and use it in multiple environments. That was definitely a return on investment right out of the gate.

    What's my experience with pricing, setup cost, and licensing?

    The licensing has definitely improved and got a lot easier. It is customizable depending on what the customer needs, which is a good benefit, instead of just a broad license that everybody has to pay.

    What other advice do I have?

    It is a good product. I would rate it as 10 out of 10.

    Resilience is a definite must. You need to have it because, as we say, "The bad guys are getting worse every day. They are attacking, and they don't care." Therefore, we need to make sure that our customers' data and our data are secure.

    It depends on what you need. If there is not a need for multiple vendors or pieces of equipment per contract, you should definitely look at what ASAs could be used for. If you are splitting, you can consolidate using this product.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Senior Information Security Analyst at a manufacturing company with 10,001+ employees
    Real User
    Useful access controls, reliable, and good support
    Pros and Cons
    • "I have found the most valuable feature to be the access control and IPsec VPN."
    • "When comparing the graphical interface of this solution to other vendors, it is more difficult to configure. There is a higher learning curve for administrators in this solution."

    What is our primary use case?

    I am using this solution for monitoring incoming and outgoing network traffic. This includes many types of traffic, such as VPN users.

    What is most valuable?

    I have found the most valuable feature to be the access control and IPsec VPN. There are a lot of people moving towards the next-generation versions of firewalls which have some advanced features such as this one. You can define rules based on the application instead of how they are traditionally done. There are more general and traffic controls, and additional features for intrusion prevention for malware analysis.

    What needs improvement?

    When comparing the graphical interface of this solution to other vendors, it is more difficult to configure. There is a higher learning curve for administrators in this solution.

    A lot of vendors, such as Palo Alto, are going toward cloud-based systems and Cisco should follow.

    For how long have I used the solution?

    I have been using this solution for approximately two years.

    What do I think about the stability of the solution?

    The solution is stable.

    What do I think about the scalability of the solution?

    Since this is a hardware solution it does not scale as well as cloud versions. We have approximately 20,000 people using this solution in my organization.

    How are customer service and technical support?

    The support of this solution is very good.

    What about the implementation team?

    We have security specialists to manage the solution.

    Which other solutions did I evaluate?

    I have previously used FortiGate and Palo Alto solutions. When comparing them to this solution, they have more standard features in their normal firewall that this one does not.

    What other advice do I have?

    My advice to those wanting to implement the solution is to look at their use case and see if it meets those requirements for what they are looking for. There are a lot of security features that people may not be aware of and do not use. Explore the solution and all its features which will help you understand the configurations.

    I rate Cisco ASA Firewall an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    reviewer1448693099 - PeerSpot reviewer
    Senior Network Engineer at a comms service provider with 1-10 employees
    Real User
    Top 20
    Great visibility and control, improved IPS, and easy to troubleshoot
    Pros and Cons
    • "The ASA has seen significant improvement due to the IPS."
    • "Managing various product integrations, such as Umbrella, is challenging."

    What is our primary use case?

    We are a Cisco partner and we are currently using Cisco Firepower for our internet edge, intrusion prevention systems, and filtering.

    We use virtual appliances in the cloud and hardware appliances on-premises.

    How has it helped my organization?

    Cisco Secure Firewall has improved usability in our environment.

    The application visibility and control are great. Cisco Secure Firewall provides us with visibility into the users and the applications that are being used.

    We are capable of securing our infrastructure from end to end, enabling us to detect and address threats. We have excellent visibility into the traffic flows, including those within the DMZs.

    Cisco Secure Firewall has helped save our IT staff a couple of hours per month of their time because it is much easier to use the GUI instead of attempting to manage things through the CLI, which we have to access from the CRM.

    We have several clients who had larger security stacks that they were able to consolidate because they were using separate products for IPS or URL filtering. With Firepower, we were able to consolidate all of those into a single solution.

    The ability of Cisco Secure Firewalls to consolidate tools or applications has had a significant impact on our security infrastructure by enabling us to eliminate all the additional tools and utilize a single product.

    Cisco Talos helps us keep on top of our security operations.

    Cisco Secure Firewall has helped our organization enhance its cybersecurity resilience. We can generate periodic reports that are shared with the security teams to keep them informed.

    What is most valuable?

    The ASA has seen significant improvement due to the IPS. 

    The ability to troubleshoot more easily through the gate is valuable.

    What needs improvement?

    The integration with all the necessary products needs improvement. Managing various product integrations, such as Umbrella, is challenging.

    For how long have I used the solution?

    I have been using Cisco Secure Firewall for four years. My organization has been using Cisco Secure Firewall for a much longer period of time. 

    What do I think about the stability of the solution?

    We experienced stability issues when transitioning to version 7.2, particularly related to operating Snort from Snort Two to Snort Three. In some cases, the firewalls necessitated a reboot, but we ultimately reverted back to using Snort Two.

    How are customer service and support?

    The technical support is responsive. In most cases where I've opened a ticket, they have promptly worked on figuring out the actual problem and assisting me in resolving it.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We have had clients who switched to Cisco Secure Firewall from Check Point, Palo Alto, and WatchGuard due to the features and support that Cisco offers.

    How was the initial setup?

    The initial setup is straightforward. Since we were transitioning from ASA to Firepower, a significant portion of our work involved transferring the access control lists to the power values in the GUI. After that, we began adding additional features, such as IPS.

    What's my experience with pricing, setup cost, and licensing?

    The pricing and licensing structure of the firewall is fair and reasonable.

    Which other solutions did I evaluate?

    The closest competitor that matches Cisco Firepower is Palo Alto, and the feature sets are quite comparable for both of them. One issue I have noticed with Cisco's product is the SSL decryption when used by clients connecting from inside to outside the Internet. 

    Cisco lacks the ability to check CRLs or OCSP certificate status unless we manually upload them, which is impractical for a large number of items like emails. On the other hand, Palo Alto lacks the ability to inspect the traffic within the firewall tunnel, which is a useful feature to have. 

    What other advice do I have?

    I rate Cisco Secure Firewall eight out of ten.

    I recommend taking advantage of the trial by downloading virtual next-gen firewalls provided by OBA, deploying them in a virtual environment, and testing their performance to evaluate their effectiveness. This is a crucial step.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
    Network Engineer at a healthcare company with 10,001+ employees
    Real User
    Fantastic reliability, easy to understand, and works very well for policy-based VPN
    Pros and Cons
    • "Being able to use it as a policy-based VPN is valuable. It's very easy to understand. It's very easy to troubleshoot."
    • "For what we use it for, it ends up being the perfect product for us, but it would help if they could expand it into some of the other areas and other use cases working with speeding up and the reliability of the pushes from the policy manager."

    What is our primary use case?

    We mainly use it for policy-based VPNs to IPSec one of the businesses. We also use it as a firewall solution for remote VPN users. We have vendors who have access to our VPN solution, and they get a dedicated network.

    How has it helped my organization?

    We can automate the VPN. The build process and how we've standardized it makes it very easy for us to focus on other tasks. We know that an end user can push a button, and the VPN will get built. They only bring us in for troubleshooting or higher-level issues with the other vendor. Because of that program, the ability to use Cisco ASA every time, in the same way, makes our job easy.

    Once we started standardizing and using the same solution, we've been able to correlate that so we know what we are doing. We can train even less experienced and newer guys to do the tasks that in turn frees up the higher-level engineers. It has cut out the VPN work for higher-level engineers. They may have been spending ten hours a week previously, and now they may spend ten hours in the quarter.

    It has improved our cybersecurity resilience. It has allowed us to see some differences with partners using weaker ciphers, which allows us to validate what we're using and reevaluate it. We put exceptions in cases where we have to. The security risk team is also aware of those, and they can essentially go back on a buy-in or see if the vendor has upgraded to plug in a security hole. It has given us that visibility to see where we are weak with our vendors.

    What is most valuable?

    Being able to use it as a policy-based VPN is valuable. It's very easy to understand. 

    It's very easy to troubleshoot. It may be because I'm comfortable with it or because I've used it for so long, but it's easy to use for me. I don't have any problems with how to set it up or use it.

    What needs improvement?

    For what we use it for, it ends up being the perfect product for us, but it would help if they could expand it into some of the other areas and other use cases working with speeding up and the reliability of the pushes from the policy manager.

    For how long have I used the solution?

    We've been using Cisco ASA at least for the last six years. That's how long I've been in this organization, but my organization has been using it longer. 

    What do I think about the stability of the solution?

    We don't open bugs for it. It just works for what we've used it for. The last time we opened up an ASA bug would have probably been three years ago. From a reliability standpoint of what we're using it for, it's fantastic.

    What do I think about the scalability of the solution?

    We've had no problems with scaling our business. We went from using probably 200 active VPNs an hour to over 600 VPNs without blinking an eye at that.

    How are customer service and support?

    I enjoy Cisco's tech support. Just like any tech support out there, you could get a great or fantastic engineer, or you may get somebody who has just learned, so you just have to work with it. However, working with Cisco TAC, you find less of that than you do with other companies. 

    Just to give them a shout-out, whenever we hit the Australian TAC, they're absolutely fantastic. Sometimes I feel that we should wait our hours when we open a ticket just so that we get one of them. They know their stuff. They absolutely do, so whoever they're hiring there, they got to keep that up and spread that out. I'd rate them a nine out of ten.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I've worked with Check Point's firewall, and I've worked with Palo Alto's firewall. Things like packet capturing and packet tracing that I can manipulate to pretend I'm doing traffic through the firewall are a lot easier to do with ASAs than with other products.

    We have other firewalls in our environment. We still use Palo Alto. We do have a little bit of a mix with Palo Alto in our environment, but in terms of VPN specifically, the way that Palo Alto does route-based VPN by default doesn't flow well with most people out there. It works great with cloud providers. Cisco can do route-based VPNs too. We have a route-based VPN solution with Cisco as well. We just use an ISR for that instead of a firewall.

    How was the initial setup?

    I've been part of the deployment. Specifically, how NATTING and the firewalls work, that part is not difficult at all, but there are some challenges when you take any product and manipulate the order of operations, but that's not a Cisco challenge. You're pairing different information. There are some tools that usually try to help with those conversions, but most of the time, I find it just easier to develop what you need and just build it from scratch.

    What about the implementation team?

    We implemented it on our own.

    What was our ROI?

    We've seen an ROI in terms of our high-level engineers having to work less on the product. I've been able to provide it to the NOC because of the use of the solution. They see value in that.

    What's my experience with pricing, setup cost, and licensing?

    Pricing is more for my leadership, but I give them the quotes, and if they approve, they're happy. They've never wavered, so I wouldn't say it's out of the realm where they're considering another product. It must be in the direct price range for our leadership to not blink an eye when we give it to them.

    What other advice do I have?

    To those evaluating this solution, I'd say that it's a solid product. It works. It does what we need. It gives us peace of mind to sleep at night. I'd definitely put it up there with some of the other firewalls to consider.

    I'd rate Cisco ASA a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros sharing their opinions.
    Updated: March 2024