Cisco Secure Firewall Reviews

I primarily use the solution for the IPsec only. 

The user interface, the UI, is excellent on the solution. Let's say you want to check the real-time locker - you can create it by the UI using ADSM.

The VPN portion of the solution isn't the greatest.

The stability is not the best.

The solution is far too expensive.

I've been working with the solution for about six months, or maybe a little bit less than that.

I haven't found the stability to be very good. The IPsec stability leaves a lot to be desired. They really need to work on the solution's stability capabilities.

In ASA, I built the IPsec between ASA and Fortigate due to the fact that most of the time I have to restart the timer to flow the data.

We only have two to three users who directly deal with the solution within our company. Overall, we have between 100-200 employees. We haven't really scaled it.

I personally would prefer not to use ASA going forward. However, I don't know if the company itself has any plans to increase usage or not.

While I've dealt with Cisco technical support in the past on other solutions, I have not contacted them in regards to this specific product.

That said, my past experience with Cisco technical support has been very positive and I found them to be very helpful in general. I just can't speak to this specific product.

I was pretty junior when the solution was initially implemented in the organization. For that reason, I did not take an active role in implementing the solution. I wouldn't be able to really discuss the setup specifics or the level of difficulty.

I'm not exactly sure who handles maintenance, if any, within our organization.

The licensing is quite expensive. I don't have the exact amount, however, it's my understanding that it's a very pricey solution. There's a lot of competition out there, including from Fortigate, which offers just as good, if not better products.

I'm not overly familiar with ASA. I only work with it on an administration level.

I work with the latest version and I use the ASDM version server.

I wouldn't recommend that an organization choose ASA as a solution. They should look into other options.

Overall, I would rate the solution at a six out of ten. We haven't had the greatest experience.

We are a solution provider and the Cisco ASA Firewall is one of the security products that we implement for our customers. My clients use it for security, and also to establish VPN connections.

My client is in the financial sector and all of the connections are doing using the VPN. This type of access makes the connections more secure.

The most important feature is the VPN connection.

My clients also use the antimalware features and the scan is very good. It also supports packet inspection and IPS.

Cisco ASA is easy to configure.

The integration with the security features is something that I like.

The SecureX ASA administration platform should be improved.

The orchestration of modules should be improved.

I would like to see the inclusion of a protocol that can be used to protect databases. This would be a good feature to have added.

We have been working with the Cisco ASA Firewall for approximately three years.

I have not had problems with stability, although I have had some small issues with bugs. In general, I can operate without a problem. 

It is very easy to scale this product. With SMC, you can control all levels of ASA in a central console. You can simply add a new ASA firewall to protect your network, and you will be able to control it.

We have approximately 300 users.

My clients for this solution are medium-sized organizations.

I have not been in contact with technical support but I use the implementation guide. I have also used the community support and I think that it's okay. The information that I received about the configuration was good.

Prior to Cisco ASA, my client was using Fortinet FortiGate. They switched because there were complaints about the connection being slow.

The complexity of the setup depends on the needs and requirements of the client.

When a client does not know exactly what is needed, the complexity increases because the configuration is not clear. You really have to have a good understanding of what the client needs before configuring it.

If the model does not have SMC then it is complex to configure.

The length of time for deployment also depends on the requirements, but it will usually take between three days and one week.

This is an expensive product, although when you buy this solution, you can do many things so it provides good value for the investment.

My clients did evaluate other options but ultimately chose this product. Other than the VPN connection, I don't know the reasons for this decision.

I can recommend this product because it is one of the most stable firewalls on the market. The suitability, however, depends on the environment and what is needed.

I would rate this solution an eight out of ten.

We are using Cisco ASAv in our company and have deployed it for many of our customers. They are in both government and the private sector.

The deployment method varies depending on the customer's needs. For the government, it's through the government cloud while others are on-premises.

It is very stable compared to other firewall products.

It has good security features.

The firewall features make it easy for the users to work on it.

The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard.

They need a user-friendly interface that we could easily configure.

It would be beneficial to have some of the features that Cisco has, integrating with other types of security.

I have been using this solution for approximately eight years.

It's a very stable solution out of the box and we have not had any issues in our deployment.

We have 86% of the devices being used simultaneously.

It's scalable based on the type of license and modules that you require.

We don't have the option to update the box, but we can add features such as antivirus protection.

We have contacted technical support for some issues outside our technical expertise, mostly for updating the license.

We have a team that handles our issues.

We work on a case-by-case basis and are have good offers by Cisco.

It's very competitive with other products.

They should incorporate it with FortiGate, or Sophos firewalls. 

If they are looking for a layer 7 type of security then they need to go with another solution.

I would rate Cisco ASAv a nine out of ten.

One of the important aspect when deploying Ciso ASA firewall, it’s oblige you at the beginning to define your security level, which will make it easier when making your security policy ( traffic allow From Source to Destination)

A security level will define how trusted is an interface in relation to another interface on the Cisco ASA.

The Higher is the security level, is the more trusted is the interface.

The highest security level is , “ Security Level 100” .

Nowadays other Firewall manufacturer try to adopt the same deployment principle as the Cisco ASA with security level, however the Cisco ASA do have other interesting features which I think are very useful:

- Firepower services

- Security context

- Firepower management

Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall, for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compared to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.

The Cisco ASAv is really stable, especially if you compare it to Check Point. Not long ago Check Point did release one virtual firewall, and the virtual firewall of Check Point is not stable.

The hardware version of the firewall is more stable than the virtual one. In terms of the data center, many companies have a virtual data center in a group environment. Many companies want to have a virtual firewall, but the one from Check Point, in comparison to Cisco, is not stable at the moment. 

The solution is really scalable.

I haven't dealt with technical support. We just check online, and if we have to contact Cisco about major issues, it's an internal department dealing with that. I don't know how technical support is, because our technical support team is located in Sofia, and I am in the Netherlands, so I don't have any view on that.

The setup is always different. If you have a small company, the setup is quite easy, but if you have a bigger company the setups are quite complex. Cisco is pretty good in routing. So in bigger situations, configuring the ASAv file is pretty straightforward.

The deployment also depends on the customer's site. So, the time changes because most of the time we have to do a migration. For example, some customers have an old firewall, and you have to migrate things to a new one. And sometimes, it's just copy/paste, but in some situations, we cannot migrate all firewall configurations to a new one.

In terms of how many people you need for deployment and maintenance, again, it's dependent on the company strategy around the help desk. You should have a maintenance engineer who should be part of a team. The deployment will be done in a team. You can have one person to do the deployment but usually, you always have a backup, so it would be two. And then, for the maintenance, it can be one person or two. The maintenance can be done on the site desk, operating after office hours, so it depends.

It's difficult to give specific advice on the solution because it always depends on the design solution and the strategy. So what I would recommend is to use different firewalls and to use Cisco ASAv as a border firewall.

I would rate this solution as 7.5 out of 10. I wish the Cisco interface was not so granular. Check Point was easier to create specific rules than on ASAv, so that's why I say this. If you want to make things easier for an engineer, you always have to work on the interface. But the product, in and of itself, there's nothing wrong with it.

The use case has been for the banking sector, for one of our banking customers. According to them, it's working perfectly.

Monitoring, of course - the dashboard. It enables you to see what is happening.

It's lacking one feature: VPN. That is a feature we're looking for. Otherwise, the new devices have very good support, and the performance is quite good.

Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good.

So far, since we installed it, there have been no issues.

In terms of scalability, it is really expensive. It is scalable, but when it comes to pricing, the upgrading is a bit high.

It's not straightforward. You need to know what you're doing, you need to be trained. I don't know for other vendors whether it's the same issue, but for Cisco you have to be trained on the system.

Check Point and Fortigate. Generally, our customers choose Firepower because they've seen the system work somewhere before, and they see it is stable and working perfectly. Those are the reasons they opt for Firepower.

There are other solutions, like Fortigate, which are very good solutions, and cheaper for the customer. Even the support via subscription is favorable, in terms of pricing. I would really advise the customer to do some research first and come up with the best solution for their needs

I rate Firepower as an eight out of 10. It is a good solution but it is expensive compared to other products, like Fortigate. Still, some of our customers do prefer Firepower over the others.

Service Provider Operations manipulating thousands of firewall rules deploying Network Access Translations (NAT) for various multiservice networks.

• Easy and fast to deploy.
• User-friendly GUI
• REST API offering with rich capabilities which makes the product very robust.

Clustering architecture which offers zero downtime upgrades, keeping uptime close to 99.999%. This creates less stress on operations and network stability throughout the various maintenance tasks.

ASDM needs to be able to customize applets.

REST API stability needs improvement in order for customizing resource allocation available to the user rather than just being there transparently. This way users can customize REST API and tailor it to their needs.

The security features are valuable because it is easy to use and it has an important role as a firewall.

It has improved our access control.

It would be useful to gather all security features in one box. For example, certain features like URL filtering and application control licenses need to be purchased separately and it depends on the hardware spec, as not all models are supporting these two features. This causes the user to be highly dependent on the pre-sales person.

We have been using the solution for six years.

We did not encounter any issues with stability.

We had a scalability issue, as each feature is based on license or hardware support.

I would rate the technical support at 8/10.

We did not use a previous solution.

The setup was straightforward with two layers of firewall.

It is too pricey if you want to activate more features in a box, which necessitates you to purchase a license.

We evaluated Palo Alto and CheckPoint.

Know what features are needed, and then purchase the necessary hardware and license.

It gives us the ability to do lan-to-lan VPN.

So far it has proven to be rock solid and relatively easy to maintain.

• Support for automation tools (Puppet)
• More granular logging

I've used ASA for four years.

No issues encountered.

No issues encountered.

No issues encountered.

8/10

8/10

We moved our VPN termination from a Cisco ASR to an ASA. We switched because the ASR was not scalable and we realized it was a bad idea to use the same device for routing and VPN termination.

The most complex part was figuring out the failover and what NAT mode to implement.

We did it in-house.

Licenses and prices are pretty high. I understand the validity of the product, so I can't complain much.

No options were evaluated. We heavily rely on Cisco hardware for our infrastructure

I'd say it would be very beneficial to posses certification such as CCNP Security, at least, to get the most out of it. It's a complex product which requires good knowledge of procedures and best practices. Being a CCIE R&S I know the value of those certifications, and I wish I had a CCNP Security to better handle the task.