The features that we use are:
- The stateful firewall
- VPN with AnyConnect
- Site-to-site IPSEC solutions
- High availability
Senior Network Architect/Owner with 51-200 employees
We have the ability to control our VPN users as well as use two-factor authentication if needed, but I would love to see application specific control.
Pros and Cons
- "The ASA gives us a secure appliance at the perimeter and allows us to provide VPN connectivity to our users."
- "The ASA has room for improvement in the areas of layers four through seven."
What is most valuable?
How has it helped my organization?
The ASA gives us a secure appliance at the perimeter and allows us to provide VPN connectivity to our users. We have the ability to control our VPN users as well as use two-factor authentication if needed (using an outside Radius source).
What needs improvement?
The ASA has room for improvement in the areas of layers four through seven. I would love to see application specific control, e.g.Facebook, Gmail, etc.
For how long have I used the solution?
I have used this solution for five years.
Buyer's Guide
Cisco Secure Firewall
June 2026
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
902,417 professionals have used our research since 2012.
What was my experience with deployment of the solution?
No issues with the deployment of the ASA as long as you are using it for what it is intended for.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
As long as you buy the correct model for your company, in regards to throughput, licenses etc., you will be fine.
How are customer service and support?
Customer Service:
8/10.
Technical Support:8/10.
How was the initial setup?
I believe it is straightforward, but again it depends on what you are trying to accomplish.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Federal Civ/Intel Engineering Lead at a tech vendor with 1,001-5,000 employees
Real User
Apr 9, 2015
Shortcomings of Cisco ASA 5500-X with FirePOWER Services
Pros and Cons
- "Apart from those four things, the Cisco ASA with FirePOWER Services solution works well, provides great insight, applies Advanced Malware Protection strongly, and shuts down a ton of illegitimate connections before they can attack."
- "This "Module" should actually be packaged and marketed as a "Starter Kit" or an entry-level, feature-limited offering (with no building-block upgrade path; it's a hardware ceiling)."
I started to title this a "Review" of the Cisco ASA with FirePOWER, but my objective is to highlight a few limitations of the integrated solution so that potential customers understand the product. It may turn out to be a review after all, but that's the focus.
Let's set some product context. Cisco completed its acquisition of Sourcefire on October 7, 2013, and its initial integration into the Cisco Security family on November 10, 2014. That makes this union very fresh--think of Cisco FirePOWER as newlyweds. They're starting to share the same roof, but carry a lot of individuality and his/her domain around with them.
Next, let's zoom in on the word, "Services", or as you may see elsewhere, "Module". Sourcefire makes a number of standalone, independent intrusion prevention system and application firewall appliances (i.e. 7000 series, 8000 series). When Cisco and Sourcefire united, they introduced the ability to put a dependent Sourcefire module into the Cisco ASA 5500-x next-generation firewall family. One Cisco partner described it as functioning like a virtual machine within the ASA (of sorts). Summation: it needs the host (ASA) to survive.
This "Module" should actually be packaged and marketed as a "Starter Kit" or an entry-level, feature-limited offering (with no building-block upgrade path; it's a hardware ceiling). And perhaps it is by some Cisco VARs, but it's new, so I think many are still coming up to speed with what it brings to the table.
o justify my above assertion, I'll highlight four characteristics that have affected or disappointed me in my deployment, and that have motivated a new set of quotes to move to the hardware/standalone solution.
1. SSL Inspection
Oftentimes you don't know what you don't know and thus you lack the wisdom to ask about it. That was me with this feature. I didn't know that the integrated module only supported a subset of features, so I didn't know to ask about its ability to decrypt inbound SSL traffic.
We host a number of public HTTPS services, though, so one goal of implementing FirePOWER was to protect against intrusion via that conduit.
While reading the Online Help and attempting configuration, I ran across references saying that it was only supported on "Series 3" devices, yet I couldn't quite find how Cisco categorized FirePOWER services. FireSight Management Center (a.k.a. "Defense Center") also gives the illusion of hope in this matter, because it reveals all features as configurable, being that it can manage the largest of Sourcefire appliances. The rubber meets the road, though, when you try to apply a policy with SSL inspection to unsupported devices. And yep, the module is one of those.
Summary: SSL traffic remains cloaked to FirePOWER services. IPS can only treat the headers (read: source/destination IP and port).
2. User Control
This one was less important to me, but still an unfortunate discovery. FirePOWER (all devices) support "User Awareness" through LDAP integration and user agents installed on endpoints, but the ability to control traffic based on the identity of the user as another hardware-only feature. Thus, you can see who is doing what, but control must be applied through hardware or traffic identity, not user.
3. Fail-Close Design
I may butcher the explanation here, but because of the integrated nature of the FirePOWER module and services, if FirePOWER inside of an ASA firewall goes down (crashes, restarts Snort, etc), traffic through the ASA stops. This is regardless of the "sfr fail-open" command, which only practically applies to standalone appliances.
I discovered this with Cisco TAC on a Webex where they put the Sourcefire into software bypass to troubleshoot traffic flow and attempt to take it out of line. That didn't work so well. Alarms and alerts started flying as the ASA clamped down on all new sessions (existing ones seemed to hold--very thankful as I was remote). Anyways, TAC didn't know of this design either until they asked engineering about a potential bug and were told it was "by design".
Major Warning/PSA: Adding FirePOWER Services to your ASA will introduce a new network availability risk. You will be very secure, though, since traffic will stop if the IPS is down. Blessing? Curse? Depends on you.
4. Bug: Active FTP is blocked by FirePOWER Services (CSCze96017)
Cisco was still working on this one when I closed my case regarding it, and their internally-published workaround wasn't accurate at the time. The practical impact, though, is that Active FTP traffic is blocked by Sourcefire due to network address translation (NAT) confusion. The ASA handles it fine, but when the FTP server initiates the new data channel outbound to the client, Sourcefire gets confused and blocks it.
The workaround, which sounds like it may become the "solution" (not fixable), is to deny FTP traffic in your Sourcefire policy:
access-list Outside_SFR extended deny tcp any any eq ftp access-list Outside_SFR extended permit ip any any
class-map Outside-class match access-list Outside_SFR
policy-map Outside-policy class Outside-class sfr fail-open
Note: the last line still contains "sfr fail-open", but it won't apply until we replace the module with the full appliance.
This bug means that Sourcefire cannot inspect or provide any services (not even against IP headers) to FTP traffic. It will not show up in FireSight (Defense Center). Only the ASA will be able to treat it based on standard ACLs, etc.
Alright, let's end on a high note. Apart from those four things, the Cisco ASA with FirePOWER Services solution works well, provides great insight, applies Advanced Malware Protection strongly, and shuts down a ton of illegitimate connections before they can attACK ;).
If you're looking to get your feet wet, and if SSL inspection isn't critical, I recommend giving FirePOWER a shot.
Originally posted at: http://www.thegurleyman.com/shortcomings-of-cisco-asa-5500-x-with-firepower-services/
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Cisco Secure Firewall
June 2026
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
902,417 professionals have used our research since 2012.
Cloud Engineer at a tech services company with 1,001-5,000 employees
It's a straightforward setup with easy to follow instructions, however, some IDS/IPS appliances can be too complicated and too time consuming to properly deploy.
Pros and Cons
- "The ease of use and ease of deployment were the most important features."
- "ROI: Lousy! $250K/year just for maintenance and licensing costs for a defense center and five sensors? This is insane!"
Consulting Engineer at a tech services company with 5,001-10,000 employees
It makes the discovery of applications and classification of user traffic simple but I'd like to see a roadmap for SSL decryption.
Pros and Cons
- "With SourceFire, we've been able to detect malicious files and stop them at the network edge before internal systems are compromised."
- "There are scalability limitations with FirePOWER on the ASA, so determining anticipated throughput requirements is critical."
Senior Network Engineer at a tech services company with 1,001-5,000 employees
The new NAT configuration is difficult to understand. The ASDM has significantly improved over the years.
Pros and Cons
- "Firewall rules are easy to understand, and enable or disable."
- "The new NAT configuration is difficult to understand especially for people familiar with the pre v8.3 code."
Senior Network Engineer at a aerospace/defense firm with 51-200 employees
Setup can be complex if you don't have previous experience with ASA but it's an excellent product.
Pros and Cons
- "Excellent product and excellent customer support."
Network Consultant at a tech consulting company with 51-200 employees
I'd like the ability to use IPS & CX modules simultaneously but overall it provides peace-of-mind against cyber-attacks.
Pros and Cons
- "The most valuable features are the IPS and Botnet software modules."
- "Since most features are license based and some licenses are time-based, there should be a way for the device to alert via SNMP that licenses are about to expire."
Security Consultant at Webernetz.net - Network Security Consulting
Consultant
Mar 11, 2015
Cisco ASA vs. Palo Alto Networks
Cisco ASA vs. Palo Alto: Management Goodies
You often have comparisons of both firewalls concerning security components. Of course, a firewall must block attacks, scan for viruses, build VPNs, etc. However, in this post I am discussing the advantages and disadvantages from both vendors concerning the management options: How to add and rename objects. How to update a device. How to find log entries. Etc.
Cisco ASA
- Fast Management Suite: The ASDM GUI is really fast. You do not have to wait for the next window if you click on a certain button. It simply appears directly. On the Palo, each entry to add, e.g., an application inside a security rule, takes a few seconds.
- Better “Preview CLI Commands”: I am always checking the CLI commands before I send them to the firewall. On the Cisco ASA, they are quite easy to understand. I know, Palo Alto also offers the “Preview Changes”, but it takes a bit more time to recognize all XML paths.
- Better CLI Commands at all: For Cisco admins it is very easy to parse a “show run” and to paste some commands into another device. This is not that easy on a Palo Alto firewall. First, you must change the config-output format, and second, you cannot simply paste many lines into another device, since the ordering of these lines is NOT correct by default. That is, it simply doesn’t work.
- ACL Hit Count: I like the hit counts per access list entry in the GUI. It quickly reveals which entries are used very often and which ones are never used. On the Palo, you can only highlight the never used ones. Furthermore, the CLI on the ASA splits each ACL into the real objects with individual counters. Great!
- Many SNMP OIDs: There are many options to monitor the ASA via SNMP. On the Palo Alto, e.g., you can not monitor sub-interfaces. This is really bad. Only the bare metal ethernet ports reveal counters.
Palo Alto PA
- Out-of-Band Management Interface: Even the smallest PA-200 device has its own management interface with its own routing table (default route). This makes it easier to permit/deny admin accesses to this host. E.g., there is no confusion between an access to the SSL VPN and an access to the management GUI since they reside on different interfaces and IP addresses.
- Browser-based GUI: No Java, no client. Just a simple browser. It is also manageable through SSL VPN portals.
- In-Band Interface Management Profiles: On the ASA, every access through different interfaces and different protocols needs its own line to be configured (Management Access -> ASDM/HTTPS/Telnet/SSH). Management access is denied per default, while ping is allowed by default. Both must be set in different menus. Not on the Palo: Interface Mgmt with a few clicks and optional IP addresses, configurable on several interfaces.
- –> Single Security Policy: All interfaces AND site-to-site VPNs are in zones. All security policies between these zones are in one security policy. On the ASA, you don’t have the ACLs for the VPNs in the ACL view of the interfaces since you must specify extra ACLs to the group policy of the VPN.
- Zone Based Security Policies: A policy from zone A to zone B only takes effect for this pair of zones. The “incoming interface” policies on the ASA always have a destination of “any” zone. Though the destination addresses can be limited, it is more complicate to configure the policies if there are several interfaces in use (and not only inside and outside).
- Network Objects in Slash-Notation: Add a host or a network object by typing “1.2.3.0/24″. On the ASA, you have three fields for the same object: host or network, IP address of the network, and netmask (in 255.x.x.x notation!) for the network.
- Tags: A simple but useful feature are the coloured tags that can be used in policies and objects. With these tags, temporary policies or the like can easily be marked.
- –> Managing all Un-Commited Changes: One of the best features! Configuration changes can be done in any menu of the Palo Alto, showing the candidate config in all other menus right now, even without a commit. If you rename an object here, it is visible with this new name there. (Try to change the IP-address and the default gateway on a remote Cisco ASA firewall by one step. You won’t succeed until you are using the CLI.)
- Simple Renaming of almost Everything: (Except subinterfaces) Address objects, address groups, zones, security profiles, IPsec tunnels – everything can be renamed. Try to rename an IPsec connection profile on the ASA. Or an interface name. It won’t work or you will get tons of CLI changes.
- History of Configuration Changes: Ever tried to revert to the config from last day? No problem: Load configuration version.
- Configuration Log: Ever wondered who changed something? Here it is: Monitor -> Logs -> Configuration. An exact list of all configuration changes with the name of the administrator.
- Config Audit: Comparison of two configurations, such as of the running-config and any other historical config on the device. Great feature to find certain configuration changes.
-
–> Traffic Log Filtering: This is one of the MAJOR advantages of a Palo Alto GUI. It is really simple to click some objects to filter the traffic log. Or to build more precise filters. “eq” and “neq” are your friends.
Forget the Real-Time Log Viewer from Cisco. - Adjust Columns: Or even the possibility to adjust the columns. On the ASDM GUI from Cisco, some pages are per default to small to show the relevant values, e.g., the Monitoring -> Routing -> Routes pane.
- Application Command Center: A simple but useful monitoring tool within the GUI. You are searching for the IP that generates high traffic load during the last hour? Here you will find it. What source country is responsible for the attacks during the last week? Here you go.
- –> Route-Based VPN: A site-to-site VPN connection is built by two gateways, independent of the traffic being routed through the tunnel. Numbered tunnel-interfaces can be used to ping the tunnel endpoint of the other side. The decision where to route the traffic is based on the routing table and not on a policy. The Cisco firewall uses policy-based VPNs in which the Proxy-IDs per connection define the tunneled networks. A bit unhandy.
- –> IKE Policy per VPN: Every gateway has its own IKE profile configured. Different IKE settings can be used for different VPNs. The Cisco has global IKE parameters.
- Own Zones for VPNs: Site-to-Site VPNs can be in extra zones. On the ASA, VPNs are always associated with the “outside” interface, which is complicated for using NAT policies.
- Reasonable Default Crypto Settings: The default groups for the IPsec phase 1 and phase 2 crypto profiles have almost secure settings. Very good compared to the Cisco ASA, which really installs a view default profiles, e.g., an IKE policy with an encryption algorithm of “DES”. Yes, not 3DES, but only simple DES! Oh oh.
- Retrieve License Keys from Server: Really cool feature. And very easy to use for the customer. Once the authorization code is added in the Palo Alto support portal, the firewall can retrieve its license via https. No need for any further activation keys.
- Built-In Software Archive: Firmware versions can be downloaded directly through the GUI. No need for further logins, downloads from the vendor page and uploads to the unit. Just “Download” and “Install”.
- Enough Disk Space for several Softwares: On my (small) Cisco ASA 5505, the built-in flash disk has only 128 MB. That is, I cannot even do a simple software upgrade because the free disk space does not fit for two ASA images. (I have an ASA and ASDM image as well as three AnyConnect images on the fash memory.) What a mess!
- Sync Software to HA Member: Every software that is downloaded on the primary firewall can automatically be synced to the secondary device. This is not true on the Cisco ASA, which is really annoying when it comes to AnyConnect remote access VPN client images. If these are not uploaded manually on the second device, the other HA unit will not terminate VPN tunnels in case of a HA active-unit swap. Oh oh!
- HA Status in GUI: With the High Availability widget, the status of the HA is visualized with green/orange/red bubbles. It shows which unit is the active/standby one. Since the PA has a real OoB management, the admin can access both devices simultaneously and can see which hardware is the active and the passive one. The Cisco ASA swaps its IP addresses and has no OoB management, so it is harder to see which hardware is the primary and the secondary one, since its IP addresses swap, too.
- NTP Servers with Names: I know that NTP servers should be set via IP addresses to not rely on another service (DNS), but it is much more easier to use names such asde.pool.ntp.org or the like. This can be done on the Palo Alto, but not on the Cisco firewall.
- No “bring to top” GUI: During the start of Cisco’s ASDM, it always brings its GUI to the top of all windows. In my opinion, this is annoying. During the 30-60 seconds until the whole device config is loaded into the GUI, I am working on other things. But these are generally disrupted from the highlighting of the ASDM GUI. This does not happen with the Palo Alto GUI which is in one tab of my browser.
(The major advantages are marked with an –> arrow.)
Summary
In summary, I really love the management GUI from the Palo Alto. Not hard due to the list of more than 20 advantages over the Cisco ASA platform. Though it is slower than the ASDM GUI from Cisco, it offers much more useful capabilities for the daily work. Great!
Originally published on blog.webernetz.net.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Network Engineer at a tech services company with 501-1,000 employees
The features are quite powerful and it's easy to set-up
Pros and Cons
- "The features are quite powerful, easy to set-up and for ease of use end user too is excellent."
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2026
Popular Comparisons
Fortinet FortiGate
Netgate pfSense
Sophos Firewall
Cisco Umbrella
Palo Alto Networks NG Firewalls
Cisco Identity Services Engine (ISE)
WatchGuard Firebox
Check Point Quantum Force (NGFW)
Check Point Harmony SASE (formerly Perimeter 81)
Cisco Meraki MX
Check Point Cloud Firewall (formerly CloudGuard Network Security)
Azure Firewall
Cisco Secure Network Analytics
Cisco Duo
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What Is The Biggest Difference Between Cisco ASA And Fortinet FortiGate?
- Cisco Firepower vs. FortiGate
- How do I convince a client that the most expensive firewall is not necessarily the best?
- What are the biggest differences between Cisco Firepower NGFW and Fortinet FortiGate?
- What Is The Biggest Difference Between Cisco Firepower and Palo Alto?
- Would you recommend replacing Cisco ASA Firewall with Fortinet FortiGate FG 100F due to cost reasons?
- What are the main differences between Palo Alto and Cisco firewalls ?
- A recent reviewer wrote "Cisco firewalls can be difficult at first but once learned it's fine." Is that your experience?
- Which Cisco firewall model is the latest: ASA or NGFW?
- Which is better - Fortinet FortiGate or Cisco ASA Firewall?
In our POC we have found that Cisco does not provide Centralized Firewall Policy Manager in cloud. We have to buy appliance only.