Cisco Secure Firewall Reviews

Starting in version 9.7 you could track a login history for audit purposes and, in 9.8, you are able to do active/backup HA with ASAv (Adaptive Security Virtual Appliance) deployed on MS Azure.

There is always room for improvement in virtually anything. However, the relatively new Firepower Threat Defense image (mix of ASA and Sourcefire network security) fills a lot of gaps and features that were missing on ASA. Moreover, with FMC (Firepower Management Console) you can complement it with even more admin and reporting capabilities for the entire platform.

No stability issues.

No scalability issues.

Excellent.

New version comes with initial setup tutorial, with very nice security policies baseline, set up by default.

Be sure of what features you are going to utilize to add/remove some from new bundles.

Best value will always be delivered by adding FMC (Firepower Management Console); at least their virtual edition.

It’s too early to say anything about this, as it’s still under implementation.

Management Console and user profiling to define activities.

As it’s a GenX firewall, expertise for both implementation and troubleshooting the pain points can be a challenge. This could be a concern when companies are thinking about buying this product.

Yes, unexpected failure and no RCA provided by the OEM.

Still working on this.

Technical support from OEM is a six out 10, as RCA report has still not been shared to date.

Check Point. We moved to Firepower as an internal firewall to manage internal access and other network load.

Straightforward, two-tire setup.

All our requirements which we need performed by the firewall (e.g. VPN, URL white-listing, or IP based white-listing, etc.) have separate licenses and costs.

Yes, a couple of other of OEMs: Fortinet, Barracuda, etc.

I rate it an eight out of 10, as it’s a new platform. Compared to Cisco ASA, it’s far better, per my usage to date.

Make sure you have an expert resource or subscribe to OEM technical support.

It helps us to identify key, persistent threats so we can set policies accordingly.

In-depth monitoring and analysis. It helps us to make better decisions and policies.

• Integration aspects
• Traffic shaping

Initially there were some stability issues, but in the long-run no.

It requires additional licensing to enable 10G ports.

Technical support is very good.

It is complex. We have to set up ASA, SFR module, and FMC separately, which sometimes requires extensive troubleshooting, even for smaller issues.

We evaluated Huawei, briefly.

It is a good datacenter firewall, as they have now overcome integration issues with latest versions.

Malicious URLs are being blocked.

Advanced malware protection, it blocks malicious attacks.

• Bandwidth allocation.
• SSL decryption (avoid installing the intermediate device certificate in the client) should happen from Firepower itself.
• Critical bugs need to be addressed before releasing the version.
• Need to reduce the time to for detection of new threats.
• Enable a feature for importing/exporting logs when required for analysis.
• Dynamic IP address in client systems mapping with respect to OS change or device change should be updated periodically in FireSIGHT management.
• Virtual patching would be helpful for servers that are not able to update patches due to compatibility issues.

Yes, there were stability issues due to memory issues in the cluster environment and Firepower misbehaved due to non-responding of service/process.

No scalability issues.

Good support.

We switched from our previous solution because of scalability issues.

It was straightforward, even though we migrated from a third-party to Cisco.

Price should be judged based on the above answers, among the most capable vendors.

FortiGate.

We are using ASA5585-X with Firepower SSP-20 (ASA version 9.6(1)3, Firepower version 6.1.0.5).

When looking at different solutions, take a deep look at the features.

Secured our network from outside and inside intruders.

• Network attack detection
• DoS and DDoS attack prevention
• Signature-based detection
• User-defined signatures with regular expressions
• Integrated URL and content filtering
• Custom URL categories filtering
• Integarted antrivirus
• Protocols scanning

License capacity needs to be extended and the vendor needs to work on the pricing.

No stability issues.

No scalability issues.

10 out of 10.

No, Cisco was part of our solution from the start.

Straightforward.

Value for your money, but bit a costly.

Good product, give it a chance.

This is our perimeter router. We used it purposely for NAT and to port forward traffic. Other essential features of a firewall are handled separately by a UTM.

The ASA needs to incorporate the different modules you have to integrate to achieve UTM functions, especially for small businesses.

No stability issues at all, the most stable firewall I’ve ever worked with.

No scalability issues.

Quite good.

We’ve always used ASA from the get go. We added the UTM is to compliment it.

Straightforward.

Pricing is why we had to go for a UTM. For us to achieve what we needed, if we had gone with the ASA, the cost would have been high compared to getting one box (UTM).

Juniper, Check Point, Astaro

Go for it. I really like how, once you get the ASA set up properly, it can run for a whole year without any major issues, apart from the normal daily administration.

We have been using this model for three years, to place a firewall between ISPs and our corporate network. As of now, we have configured some SSL VPNs on our end for our convenience.

Three years ago we encountered malicious attacks from the internet, most of which were Chinese attackers, so we deployed Cisco ASA to strengthen our network. Since the deployment, we haven't seen the risk we encountered before.

Manageability of Cisco ASA. It has a GUI interface, unlike the most of Cisco IOS. For beginners they can "sneak in" and apply the command and see the actual commands that the GUI launches. In addition, Cisco has the reputation regarding security.

There are more powerful firewalls, other than the Cisco NGFW, like Fortinet, Palo Alto and so on. I can't say Cisco is the leading firewall brand as of now, as the technology innovates. 

No stability issues yet.

No scalability issues yet.

Awesome.

I rate it an eight out of 10. 

I am only handling or supporting the ASA 5520 model in our company.

If you compare it with other products, other firewall products in the market, at this moment, it doesn't have that many features, no impressive feature in it, in fact. 

The one thing I like about the product is the logging features, the way it logs, the way it forwards the logs in Syslog. It generates the particular Syslog. Compared to other products, that is the only feature, I feel, that is good. I have worked with other firewall products, so I know it very well. The logs are pretty good. Then it forwards. When it forwards the logs to a third-party syslog server, it then writes the Syslog very well. That is the only feature I like about it.

It doesn't have a proper GUI to do troubleshooting, so most people have to rely on the command line.

Its a sort of legacy product nowadays. The firewalls which are the next generation have loads of features added to them, and they are all in one box.

It should have packets, deep level inspections and controls, like the features which other IPS solutions have. It just doesn't have any. It's just a box which does firewalling. 

Threat management features also should be added into it. 

So, the first thing is that the GUI has to be improved. The second thing is that the UTM features have to be added to it in a much broader way; not by relating to other third-party solutions which is how it is done right now. It should have built-in UTM features like other firewalls have now. Plus it should have the ability to analyze any packets which have malicious behaviors. Currently it doesn't have anything like that. It's just a layer-3 firewall.

Regarding the GUI, it's a very childish sort of attempt. It hasn't been improved since I started working with it. Yes, it shows the logs as they are but it doesn't have any option to do proper reporting.

Stability is really good, actually.

Scalability is not that good, I think. Other firewalls, upgrading is a very easy task; from the graphical user interface, you just need to import the firmware versions into it and install it. In this firewall, you need to have a third-party solution in both. It's a process. It's a procedure, a hard procedure, actually, so there is no straightforward procedure for upgrading.

I have never called the tech support, apart from a hardware issue, but that is done through the vendor, a third-party support team.

I was actually using ASA and I switched to another one.

I actually have lots of experience working on multiple firewalls and technical solutions, so for me I don't have any problem doing things by the command line. But for others, for a person who has two years of experience or one year of experience in general, they will definitely face issues working in the command line. You have to remember all of the commands, to search for the commands. If you're in a graphical user interface, you can go search somewhere and find some options. So I would say in that way it is complex.

If I were to advise others who are looking into implementing this product I would say I don't think they will like it. They would be able to meet business requirements better with other products, other vendors' firewalls. That's what I think, that's what I know from my own experience, from dealing with customers.

If those features, which I mentioned above in the first few questions, if they can add those features into the firewall as a standalone box, it can definitely become a player on the stage. They already have a good platform, even if it's a legacy product, it has that bit of maturity. So if, on top of that very good platform, they can add those features - security, threat intelligence features - they can get back into the market.