VPN (site to site VPN and remote access), NAT policies, modular policy framework, detailed troubleshooting methods.
Technical Specialist with 5,001-10,000 employees
The throughput and reliability of the product improve the network stability of our organization.
What is most valuable?
How has it helped my organization?
The throughput and reliability of the product improve the network stability of our organization.
What needs improvement?
Area : URL filtering and content filtering.
When Cisco ASA is presented as an enterprise firewall, it should be capable of doing IPS/IDS, firewalling, VPN concentrator, application filtering, URL filtering and content filtering.
Of course, the last three technologies can be done by a proxy. But nowadays, all next generation firewalls like Fortinet, Check Point, and Palo Alto are each bundling the UTM features into a single box with multiple separate content processors (hardware) to do these jobs.
This would enable a single pane of glass for management. No need to look at different devices for change management and troubleshooting.
I would say Cisco ASA is the best except for its URL and content filtering module. And these modules in ASA are not straightforward, rather complex in managing the device.
What was my experience with deployment of the solution?
I've been using this solution since 2007.
Buyer's Guide
Cisco Secure Firewall
June 2025

Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.
What do I think about the stability of the solution?
No.
What do I think about the scalability of the solution?
All product-based firewalls will encounter scalability issues. The firewall sizing is important during the sizing.
How are customer service and support?
Good.
Which solution did I use previously and why did I switch?
I used to work with most of the hardware firewalls, Cisco ASA is reliable and few technologies are good enough to compete for the market (VPN, Modular policy framework, NAT, etc.).
How was the initial setup?
Straightforward -- console or via the interface.
What's my experience with pricing, setup cost, and licensing?
Expensive when compared to other products.
Which other solutions did I evaluate?
Yes, all.
What other advice do I have?
If you are looking into implementing VPN or advanced features, I recommend using this product. URL or content filtering is not as good as it is on the NGFWs.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Computer Networking Consultant and Contractor with 51-200 employees
Initial setup was very straightforward because the training and certification provided by the vendor helped us to solve rapidly any configuration issues.
Pros and Cons
- "Stability, high availability of services, and very high MTBU were the most valuable features for me."
- "The ability to integrate (as options) all-in-one features -- like anti-spam, anti-virus, etc."
How has it helped my organization?
I have 15 years’ experience with Cisco products and I've had very, very few problems with them. Also, for resolving the issues that appeared, Cisco was a good partner.
Crescendo (www.crescendo.ro) is an IT&C integrator and this product (based on Cisco Partnership) helped us to grow our business, and Cisco ASA was one of the most sold products in our solutions portfolio.
What is most valuable?
Stability, high availability of services, and very high MTBU were the most valuable features for me -- because in my work as network and security consultant, it is very important to guarantee to my customer the security of his business.
What needs improvement?
The ability to integrate (as options) all-in-one features -- like anti-spam, anti-virus, etc.
What do I think about the stability of the solution?
With Cisco ASA firewall, no.
What do I think about the scalability of the solution?
No. Based on their recent acquisition of Firepower, Cisco added "multi 10Gbps" NGFW performance in their solutions portfolio, which can be used by us, as a Gold Partner with Advance Security Architecture Specialization, in our network architecture proposals.
How are customer service and technical support?
Very satisfied.
Which solution did I use previously and why did I switch?
I haven't used another solution.
How was the initial setup?
Initial setup was very straightforward because the training and certification provided by the vendor helped us to solve rapidly any configuration issues.
What's my experience with pricing, setup cost, and licensing?
To discuss with Cisco Systems or their partners to gain the optimal price and to not consider, without verifying, the false information that Cisco ASA is very expensive.
Which other solutions did I evaluate?
We evaluated other solutions, like Fortinet, HPE, Juniper, Check Point, but Cisco ASA was what we need.
What other advice do I have?
To test the product in their network and to evaluate other products. I am sure that the Cisco ASA Firewall will be the winner.
Our complete relationship is based on the following partner competencies:
Certifications:
• Gold Certified Partner
Specializations:
• Advanced Collaboration Architecture Specialization
• Advanced Data Center Architecture Specialization
• Advanced Enterprise Networks Architecture Specialization
• Advanced Security Architecture Specialization
Cloud Partners:
• Storage: EMC
• Virtualization: VMware
• Cloud Management: VMware
• Cloud Professional Services
• SaaS Simple Resale
Other Authorizations:
• Registered Partner
• Cisco Certified Refurbished Equipment
• Cisco Developer Network Cisco Products Marketplace
• Cisco Meeting Server formerly Acano
• PSPP Defense
• Smart Care Registered Partner
• ATP - Unified Contact Center Enterprise
Partner since:
• More than 10 years
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Engineer with 201-500 employees
Before anything, you need to know your infrastructure really well
Pros and Cons
- "IPSec Tunnel and AnyConnect (of course), the context awareness was a good feature, but clumsy at the beginning. I think it's better now."
- "ASDM can be improved."
How has it helped my organization?
The context aware module gave us good visibility and control over the ingress and egress communications. Allowing us to filter unnecessary communications like streaming video, allowing us to control bandwidth utilization.
What is most valuable?
IPSec Tunnel and AnyConnect (of course), the context awareness was a good feature, but clumsy at the beginning. I think it's better now.
The packet tracer command is a great tool for troubleshooting IPSec Tunnel, which I miss in the Palo Alto and other firewalls.
Also, the IP access list counter is a good feature while troubleshooting.
What needs improvement?
ASDM can be improved.
Also, a rollback option to a previous config in time will be a great option. Logging can be improved to a vast extent, I think Palo Alto has a pretty good logging structure.
What do I think about the stability of the solution?
Yep, more than once, but only on one box out of the three we purchased. Suppose we got a lemon, because once replaced, everything was fine.
What do I think about the scalability of the solution?
We never had an infrastructure that required scalability.
How is customer service and technical support?
An eight out of 10. TAC was very good but some engineers were quite slow and I ended up figuring out the issue myself.
But overall, I like Cisco TAC a 1000 times more than Juniper TAC. Arista is the best TAC so far in my experience, they have the best talent pool.
How was the initial setup?
Quite straightforward for the most part, since I had TAC on call while setting it up.
What's my experience with pricing, setup cost, and licensing?
Everything with Cisco is expensive. My advice is that there are a lot better options out in the market now.
Palo Alto is pretty decent for example, but support is the best with Cisco, hands down. All other TACs do not come close, except Arista, but they do not make firewalls.
Which other solutions did I evaluate?
None. My old company was a complete Cisco shop.
What other advice do I have?
Do look at Palo Alto for comparison, SonicWall is also on the market. But before anything, you need to know your infrastructure really well.
For example, we brought a PAN firewall for east-west traffic control so we could implement a zero trust network. But our business traffic is a bidding traffic which has extremely small packet size and huge connection size per seconds happening, which sent the PAN firewall into a tailspin. Since we bought the device without a POC, we had to eat the cost. So make sure to do a PoC with all the vendor equipment before you purchase it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Network Security Engineer at a university
Spec the right hardware model and choose the right license for your needs.
Pros and Cons
- "The AnyConnect remote access VPN gives us an easy way to deploy remote working for our users."
- "The SSL VPN is, and always has been, painful to configure and the Java plugin does not guarantee a uniform deployment."
How has it helped my organization?
The AnyConnect remote access VPN gives us an easy way to deploy remote working for our users.
What is most valuable?
It all depends on the deployment scenario, as I have used ASA for specific purposes. In general, the stateful firewall feature, site to site VPN, and AnyConnect remote access VPN are always useful.
What needs improvement?
It's not perfect, and does have room for improvement with certain features.
The SSL VPN is, and always has been, painful to configure and the Java plugin does not guarantee a uniform deployment.
Certain documentation on the newer models of ASA (specifically, ASA 5500-X with FirePower services) is a little out of date and in some cases incorrect, although this may have been corrected since my last deployment.
What do I think about the stability of the solution?
I've never seen a firewall that didn't need an RMA at some point! And that is true of the ASA, however, the failure rate (in my experience) has always been very low with ASA's (and Cisco equipment in general).
What do I think about the scalability of the solution?
Nope.
How are customer service and technical support?
With Cisco TAC, you can always get an answer to technical issues, and with the thriving Cisco support forum, you can always get answers to questions even if you don't have TAC.
Which solution did I use previously and why did I switch?
Not in my current organization.
How was the initial setup?
I would say it's only complex if you're not familiar with either the CLI or ASDM.
So for me, it was easy, for those without Cisco CLI (or ASDM) experience, deployment can be a little daunting.
That being said, there are plenty of configuration documents available on the Cisco website that will "hold your hand" through any deployment.
What's my experience with pricing, setup cost, and licensing?
Hardware and licensing can be expensive, and licensing can be a complicated affair. I would strongly recommend you speak with your distributor to ensure you choose the right license for your needs, and read the hardware comparison guide to make sure you spec the correct hardware for your specific needs.
Which other solutions did I evaluate?
It's great buying the latest and greatest equipment, but not so great if your engineers don't know how to operate it!
From experience, hardware purchasing is normally dependent on the technical expertise of engineers, so if all your engineers are Cisco trained, it makes no sense to buy another vendor firewall.
What other advice do I have?
Spec the right hardware model and choose the right license for your needs.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior IT Networking and Security Manager at a tech services company with 10,001+ employees
It is supported on many platforms and helps us gain access to the network.
What is most valuable?
There are a lot of features which are good and can be implemented, especially in the latest IOS version of the product.
They saved me a lot of time thinking how to solve different scenarios with other solutions.
Cisco AnyConnect for remote access is one of them. It is supported on most of the platforms, which business users use. They can gain access to the network, via functions like PBR, Security groups, contexts, and DNS doctoring. This gives a lot of flexibility to the product.
How has it helped my organization?
It gave us a more secure environment and a lot of flexibility to the business.
What needs improvement?
The next generations part of these products need a better approach. A lot of vendors are definitely a step or two in front of them.
For how long have I used the solution?
I have worked with these types of firewalls for more than 10 years.
What do I think about the stability of the solution?
I can say that this product is one of the most stable products I have ever worked with.
What do I think about the scalability of the solution?
In terms of scalability, this always depends on how the product was chosen and what purpose it will work for. I haven't experienced any issues with the scalability of the product.
How are customer service and technical support?
In terms of technical support, it depends on the different cases. I would surely give Cisco technical support a rating of 9/10.
Which solution did I use previously and why did I switch?
I used to work with open source solutions, but the support and complication behind them was definitely not OK. If you want to have flexibility and stability, you have to move on to something that receives more development in that specific area.
How was the initial setup?
The initial setup was straightforward and there was a lot of documentation that can help out with specific cases.
What's my experience with pricing, setup cost, and licensing?
This is definitely not a cheap solution, but I think it is worth the investment.
Which other solutions did I evaluate?
We evaluated other solutions like Juniper, but we chose Cisco, since our network was becoming more and more Cisco oriented.
What other advice do I have?
I would recommend that you understand the needs of the business case before choosing the product and start implementing it. It is very important to choose the right licenses from the beginning.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Engineer at a tech vendor with 10,001+ employees
Some of the valuable features are detecting malware and blocking blacklisted URLs.
What is most valuable?
Some of the valuable features are detecting malware and blocking blacklisted URLs.
How has it helped my organization?
It has enhanced the security in every network over time.
What needs improvement?
As of now, I can't find any flaws with the device or any improvement that I can suggest.
For how long have I used the solution?
I have been working with the device for the past two years.
What was my experience with deployment of the solution?
The upgrade is a bit of a pain in the neck.
What do I think about the stability of the solution?
There were no issues with the stability.
What do I think about the scalability of the solution?
Scalability has been all-star perfect.
How are customer service and technical support?
Customer Service:
I would give customer service a rating of 10/10.
Technical Support:
I would give technical support a rating of 10/10.
Which solution did I use previously and why did I switch?
We have only used Cisco security devices.
How was the initial setup?
The setup was smooth and simple.
What about the implementation team?
We implemented it by ourselves and with some support from the Cisco TAC.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant at a tech services company with 501-1,000 employees
Detection engine and historical file analysis ease threat investigations
Pros and Cons
- "The Firepower IPS, based on Snort technology, has an amazing detection engine and historical analysis capability of files that eases threat investigations a lot."
- "I would like to see more integration with third-party devices in general. There is great integration with Cisco devices, but there's not much integration with third-party devices."
What is our primary use case?
Cisco next-generation firewalls are mainly used either for data center protection - north-south traffic - or internet traffic.
How has it helped my organization?
The application and user-visibility and control, along with very powerful IPS and malware protection, enables our clients to secure their data centers and internet perimeter in a much better way. It provides them with traffic visibility and reporting as well.
The main advantage is when you put it between users and servers internally or between different VLANs in the network. You have full visibility over the traffic, over all the internal applications. Usually, there's a lot of traffic that is not very clear and no one knows what is on their network. So, once you deploy it internally, you have full visibility over the internal traffic, who's accessing what, which protocol. It can directly detect all kinds of malicious traffic, traffic that abuses bandwidth.
It makes different kinds of internal behavior that is useful to a network admin. And for security of course: Any kind of file infection, any kind of internal scanning, internal attacks; it gives you full visibility.
Finally, you have communication of VLANs, internally, in the network, of course. So you have a granular access control based on user and application, instead of IP and port as you would have with a traditional firewall.
What is most valuable?
During the first phase of use, it was an extra module on standard Cisco ASA firewalls. It then became a standalone solution known as FTD, Firepower Threat Defense.
The Firepower IPS, based on Snort technology, has an amazing detection engine and historical analysis capability of files that eases threat investigations a lot.
I value the integration with other products (Cisco ISE, Cisco Endpoint AMP) which increases the protection intelligence within the enterprise by sharing security info between different products, which function on different layers. It furnishes fully connected security.
It also provides detection of the client operating system, which gives very good reporting and correlation with the signatures. It can relay the signature IP to the client operating system, to give a better correlation decision.
What needs improvement?
Some ASA known features are still missing, but are being added bit by bit in each new version release, such as:
- Remote Access VPN (the last release only supported the 2100 series): The next firewall model version is expected to support Remote Access VPN in the next software release in July 2017.
- Virtualization of the appliance (multiple contexts) is still missing.
- You always need an external management system, the onboard one is not very good. You have to use FMC, FirePOWER Management Center, as external software. There's always an add-on, whereas all the competition has an onboard management interface.
I would like to see more integration with third-party devices in general. There is great integration with Cisco devices, but there's not much integration with third-party devices.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
We did not encounter any issues with stability. Cisco Firepower FW is very stable in all of the deployments we have made.
What do I think about the scalability of the solution?
The scalability is very good. They have a clustering mechanism, so you can start with an appliance and then cluster, adding more bandwidth and nodes into your cluster. If you don't have a big budget you can start with a medium appliance and then cluster appliances. Or if you want to buy it all in one shot, there is a big range.
Although it allows scaling by adding multiple firewalls together (clustering), we have never used that, as all new hardware supports high-performance throughput and connections at a reasonable price.
How are customer service and technical support?
Technical support is perfect. Cisco is always known for its good technical support. We have never had any issues with them.
Which solution did I use previously and why did I switch?
As a Cisco Gold Partner, we always proposed Cisco firewalls for our clients.
How was the initial setup?
The setup was straightforward. A new Cisco FTD can be set up and running in a couple of hours. If you're used to firewalls you can quickly get along with it. There is nothing complicated.
The time to deploy is short. But the time to tune and create the policies involves a learning phase. Traffic changes over time, so tuning the firewall rules to be as granular as possible takes a bit of time. But to deploy and go live is fast.
The strategy is to start with high-level security policies and then monitor the traffic and the applications affected. Then on the detection logs, create more granular rules.
What's my experience with pricing, setup cost, and licensing?
It has a great performance-to-price value, compared to competitive solutions. Subscriptions are annual. The licensing fee and standard support are the only costs we pay for.
Which other solutions did I evaluate?
We did not evaluate any alternative solutions.
What other advice do I have?
Make sure you tune your rules very well, as some clients just leave the firewall as it is and don't maintain the access rules or tighten them to be more granular and efficient.
In terms of maintenance, you need one person for security analysis and one to create rules and for daily support.
Disclosure: My company has a business relationship with this vendor other than being a customer. We are a Cisco Gold Partner.
Senior Network Specialist
It has an important role as a firewall and it improves our access control.
What is most valuable?
The security features are valuable because it is easy to use and it has an important role as a firewall.
How has it helped my organization?
It has improved our access control.
What needs improvement?
It would be useful to gather all security features in one box. For example, certain features like URL filtering and application control licenses need to be purchased separately and it depends on the hardware spec, as not all models are supporting these two features. This causes the user to be highly dependent on the pre-sales person.
For how long have I used the solution?
We have been using the solution for six years.
What do I think about the stability of the solution?
We did not encounter any issues with stability.
What do I think about the scalability of the solution?
We had a scalability issue, as each feature is based on license or hardware support.
How are customer service and technical support?
I would rate the technical support at 8/10.
Which solution did I use previously and why did I switch?
We did not use a previous solution.
How was the initial setup?
The setup was straightforward with two layers of firewall.
What's my experience with pricing, setup cost, and licensing?
It is too pricey if you want to activate more features in a box, which necessitates you to purchase a license.
Which other solutions did I evaluate?
We evaluated Palo Alto and CheckPoint.
What other advice do I have?
Know what features are needed, and then purchase the necessary hardware and license.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
