Cisco Secure Firewall Reviews

• Cisco IPSec VPn
• VPN Client
• Port Restrictions

We could connect data securely from outside the company.

I need application user-IP blocking, Intrusion Prevention, QoS; I can't do these with Cisco and have to change it.

Five years.

No.

No.

I have never needed support from Cisco.

I couldn’t meet all my needs with the Cisco 5505 so I changed it with a next-generation firewall.

Actually it was simple, making port based policies more simple than PA.

Cisco price-performance is very successful.

I evaluated Sophos UTM, Checkpoint, Cisco and PA. PA is the best fit for my company because Sophos acquired Cyberoam and their software wasn’t successful for domain user restrictions. Checkpoint was very slow for me and too many licences and it was complicated. Cisco acquired Sourcefire and they need to improve next-gen features. So I chose PA.

I know that Cisco acquired Sourcefire and they re-introduced next-generation firewall features and I think they’ll improve NX features.

Security, Routing and NAT.

Gives flexibility and several deployment options.

Some default inspection rules need better tuning. Focus development on CLI version.

11 years.

Rarely.

Yes, before Clustering was introduced.

Nine out of 10.

Yes. We changed for no special reason, just to mix things up.

Yes, but you need to read and understand how the device functions before deployment.

Like with all vendors, know what options you require and request the proper license accordingly. Prices are on the same level as competitors.

Not really, as all firewalls do most of what enterprises look for. What matters most is the after sales support.

Read, read, read and understand your requirements beforehand.

I love its CLI mode of working, it gives plenty of information with a single line of command.

This feature allows its administrator to perform advanced level tasks with much ease.

These products provide much stability which, in return, any organization demands to run its functions properly and smoothly.

This product lacks in GUI format; that needs to be more mature and composed.

10 years +

No issues.

Rarely, due to software issues.

As of now, no.

Excellent but if non-Indian engineer is assigned.

We have almost 99% Cisco based infrastructure.

Pretty straightforward.

Usually yes. We did like Huawei and Juniper.

Cisco has done great job in introducing new features in their security product by acquiring specialized companies in the past. However, they still need to improve their unique feature products as they are in a challenger position, but not on top, at various product review portals.

It helped us and our customers implement more granular and flexible connections to and from our/their environments, building a trust relation between all of us, having the confidence that our exchanged information is occurring in a highly secure manner.

The most valuables feature of this product are given by the comprehensive VPN solutions it offers and its tools for troubleshooting and debugging. You can provide complex and flexible way to securely access private environments. And its troubleshooting and debugging tools allow you to identify, in the fastest time possible, where some potential issues could have been occurred.

It should have an additional “operating mode”, like a “candidate configuration mode”, where you would have the possibility to test the changes you are going to implement and also the possibility to validate these changes.

In addition, a "testing" feature should be performed to let you know what would be the consequences of applying these new changes. Only after you would see the tests’ results (if they do not create any unwanted effect) would you go and commit them.

There were some issues with stability prior to code version 9.2.x, more related to Clientless SSL and Client RA VPN solutions. Some bugs affected the integrity of these type of features.

There were no problems in terms of scaling an existing solution, though very expensive.

I would give a rating of eight out of 10, compared to others vendors. The technical support is much better than most vendors, but let's say not as good as F5 Networks technical support.

I've only worked for integrator or ISP organizations. Over the years I’ve worked with multiple solutions offered by different vendors due to my customers’ budgets or preferences. What makes it the best of all the solutions I’ve worked on is the stability and its hardware.

The initial setup configurations differ from customer to customer, from very simple to highly complex solutions. Depends on the customer’s needs.

I have to admit that the price is high. But I think it's worth it if the stability of your solution counts for you.

Choose it if you aim to have a stable environment.

The front page of device manager is the most valuable feature because it makes it easy to know the system status.

It’s hard to say because our equipment was EoS.

I have used Cisco ASA for three years.

We suffered an attack and the firewall was down repeatedly.

We have to buy more licenses to get more VPN connections.

I rate support 7/10.

We didn’t have a previous solution. I actually searched after another solution.

Setup was complex because we had not taken a course previously.

Sincerely, I prefer other products with no limit on licensing of VPNs, for example.

You have to find more confidentiality, integrity and availability.

Centralized policy creation for URL, application, IPS, etc. It simplifies matters more than previously.

It provides centralized management. I would also add that URL, Malware and IPS built-in has been a great help as well. Where we used to need several products for all these features, we now only need the ASAs with the additional licensing. So now, it is more a matter of license management over hardware and licensing management.

More centralization and simplification of product lines would help most engineers, but I think licensing is the key here. Most organizations won’t pay the money to have ELA licensing, so all the individual licenses for these products can be overwhelming. Plus, they never really synch for expiration time.

This is mainly due to reliance on other Cisco products and licensing. For example, Palo Alto includes several features in one whereas Cisco requires multiples. However, I still think Cisco offers great products but to get a "10" they might consolidate devices or simplify licensing.

I have used this for two years, but company has used Cisco solutions for many years.

We did somewhat have stability problems. Upgrading the ASA, ASDM, and SFR can be a pain if you have as many firewalls as we do (21). Once you can get them to fall under FPMC management it can be a little easier, but it is a battle to get to that point.

There have been no scalability issues from my point of view. I was handed the solution, so some of the initial work was done.

I rate support 10/10. TAC has always done a great job with answering my questions and providing remote support when needed.

Previously, I used ASAs without FirePower; and unsure what my company used prior to that.

For me, setup was half-and-half. In one update run I missed the step that discusses how the ASA and ASDM need to be on a specific patch prior to upgrading the SFR. FPMC attempted to push the new update to the devices regardless of this mismatch that caused FPMC to loose communication. I had to downgrade the SFR all the way back to v5.4.1 before I could install the latest version. You also have to step through several updates before you are done, so that can be tedious as well.

Read everything and track all your licenses. Research all options and maybe pick a few to PoC. It doesn’t hurt to trial others. Maybe they are a better fit for your environment.

We are moving forward with ELA 5.0 for all Cisco security devices. Prior to that decision, we did a PoC with Palo Alto 3020 and 220 firewalls and Panorama. Those are some great products, but we are so Cisco centric that the cost of ELA isn’t much more than we are spending now.

Do research. FPMC is great for us but it requires a lot of time and attention.

Its security features are the most valuable aspect. It has the ability to detect and prevent intrusions.

The product has helped organizations secure their infrastructure and data. Most organizations are happy to adopt the technology.

The equipment is too expensive compared with other firewall products.

I have used ASA for about three months. I just bought and configured it for a client.

Since I installed and configured it, the client has never called with complaints.

I have not had scalability issues at all. Maybe it is because I have not used it quite extensively.

I haven't had a chance to interact with the support team.

The previous product was limited in throughput and security.

The initial setup was quite complex.

As much as there is value for money, there is a need to make it affordable.

I tried Sophos.

It is a very good device to use for those who value their network security.

Class-based policing is the most important part of the ASA, and was its differentiator.

It gave us more organized DMZs and logical segments.

I’m not a fan of the new modular licensing model. Cisco moved from a base license to an a la carte SaaS model a couple of years back, wherein the customer is required to pay for feature sets on a case-by-case basis. This makes it difficult for people who want to study and trial new technologies and features.

I’ve been using ASA technology since it was PIX, so since 1999.

We have not had stability issues.

We have not had scalability issues.

Support with Cisco TAC, or with VARs like WWT and Trace3 is usually pretty good.

I have used both ASA and PAN. Different strokes for different folks.

Initial setup is straightforward. You can get as granular and complex as you want, but out of the box, ASAs provide a secure FW solution.

We evaluate all other options.

ASAs are a solid solution. Cisco provides more training and learning materials than any other vendor, which is critical if an organization wants to take true ownership of a technological solution. Documentation and use cases alone tend to make me a fan of Cisco's way of engineering, and they have come a long way over the last few years when it comes to integrating their solutions into comprehensive security communications platforms using tools like PRIME and ISE. FirePOWER and AMP make Cisco an even better overall contender for top FW status.