Cisco Secure Firewall Reviews

I especially value Change Management and Compliance. They are most valuable because we are required to comply with regulations regarding credit card processing (PCI) and protecting patient data (HIPAA).

This product has made visible some areas that were previously hidden.

There are many areas for improvement despite the fact that we love the product, but because it is a newer version we’ve been working out lots of issues. Some of those issues are based on our environment.

I have used the product for 1.5 years with nearly a year for this version.

We did not have any problem with the previous (v7) version but when we upgraded to (v8) the new version, we were well aware that there would be some bugs and issues that would require resolution.

We have had no scalability issues.

Tech Support is awesome. I never get someone who has no clue what they are doing. These guys are well trained and know their stuff.

We did not use a previous solution. FireMon was implemented as part of a security mandate and we chose this product over its competitors.

Setup was pretty simple, because we implemented the single server model.

We purchased licenses for our High Availability (HA) devices as well but they were not really needed.

I was not the researcher and decision maker. I inherited the tool.

To make sure they have the cooperation of the networking team that supports the firewalls. It has been difficult for us to get the tool working to its full potential because our network team is resistant to some of the things we want to monitor.

Cisco ASA has a well-written command-line interface. Cisco’s AnyConnect SSL VPN is by far the best client VPN technology I’ve ever had to deploy and manage. Upgrades are a breeze. Failovers between units are flawless. FirePower add-ons deepen security with intrusion prevention (IPS), anti-malware protection (AMP), and URL filtering. These particular services can run as a hardware or software module within the ASA. Unlike ASA with CSM, these modules are managed by FireSight, a single pane for all of your FirePower nodes. It’s intuitive and easy to use, but still lacks some automation capabilities (e.g., bulk edits, etc.).

Cisco is a huge name in the networking world. Having a solution that includes their firewall technology adds value from an operability and support perspective. Cisco, although sometimes considered to be "behind the times" with firewall technology, continues to prove it has momentum in the industry through acquisitions such as Sourcefire and OpenDNS, with rapid integration into their systems. Additionally, ASA is synergistic with other security offerings from Cisco, such as ISE, remote tele-office workers, etc.

When running multiple firewalls in your network, you need someone to manage them from a central point. Cisco’s answer is Cisco Security Manager (CSM). Unfortunately, this is a suite of applications that is in much need of an overhaul. It is riddled with bugs and lacks the intuitive experience found in competing vendor offerings. The counter-intuitive interface makes configuration management cumbersome and prone to mistakes. There are software defects within certain modules of the application, resulting in a frustrating experience. Reporting is almost useless. The best part about it is the logging component, but it still is lacking, compared to what you get from other competing vendors.

Aside from management, I think Cisco needs to become more application-focused, something that a few of their competitors shine in.

I've deployed and managed Cisco ASA's for over a decade. I've used the X-series models for about three years now.

I have not encountered any stability issues; this is a solid firewall platform. Stability is where it shines.

The newer clustering capabilities have introduced some solid scalability design options. From a cost perspective, scalability is quite intimidating.

Cisco's TAC engineers are competent, responsive and typically resolve issues in a timely fashion. Do not use them for "best practice"; this is what channel partners are for.

I previously used Check Point. Check Point relied on a thick, Windows-based client and, at the time, did not support transparent contexts. However, Check Point has a solid management platform, which is something Cisco should take some pointers from.

Initial setup is complex for a new user, straightforward for a seasoned user. Tons of documentation is available, but you can easily get lost for days if you've never touched one. Cisco offers ASDM, a GUI wizard that can help set up the firewalls. This is nice for newer folks.

Work very closely with your channel partners to verify you have all the licensing you need (VPN, Firepower, etc.). Pricing is always a challenge. Buy closer to Cisco's EOY and you might save a few bucks.

Before choosing this product, I also evaluated Palo Alto. I really liked their firewall platform, their Panorama management platform, and wildfire technology. Their SSL VPN was seriously lacking. This is a decent option to consider as well.

Read the Cisco Validated Designs (CVDs) regarding ASAs. Find some decent blogs, discuss topologies and scenarios with a seasoned engineer, and get your final design validated by Cisco. Your Cisco SE should be able to assist with this. If you need assistance implementing, work with your channel partner.

Robustness

Reliability

No idea -- I learn a lot from them

From 2000 until 2014

Learning at the beginning

Nope -- If well planed you should be alright

Price maybe...

Excellent

Excellent

Not reliable for long term -- seem inferior quality

Depends on the product and the knowledge. Cisco firewalls can be difficult at first but once learned it's fine.

Me, I implemented the firewalls, Cisco switches and routers.

100% in some installations it exceeded the time predicted to keep up with the work load.

Netscreen, Netgear, Checkpoint, others..

Plan well the hardware requirements for future growth and heavy usage.

Firewalling is the most valuable feature. We wanted a back-end/internal firewall solution, and the Cisco ASA 5525 was great.

It has taken the pressure off of the IS engineer.

• URL
• AVC
• Advanced malware protection

We've used it for two years.

There was an issue, but it was rectified promptly after troubleshooting the device's configuration.

There were no issues with the scalability.

We've not had any issues scaling yet.

I think it is great but did not use them for this deployment.

I've not had to use them yet for this deployment.

There was no other solution in place.

It was straightforward.

I did the implementation with my colleagues.

It's not really quantified, but we have not experienced downtime due to attacks.

There were no other solutions looked at.

• It provides our company with security and protection on all our devices.
• It's highly available.

We're able to implement best security practices to secure our company data.

We've used it for over seven years.

We had some issues during deployment.

No issues encountered.

No issues encountered.

Customer service is excellent.

Technical support is excellent.

It was a little complex, but not so much that we couldn't figure it out.

I was the implementor for a client.

It's excellent.

Depends on the customer's budget, but we evaluate all vendors that meet the them. It's a mission-critical product.

I give it a thumbs up.

It gives us the ability to do lan-to-lan VPN.

So far it has proven to be rock solid and relatively easy to maintain.

• Support for automation tools (Puppet)
• More granular logging

I've used ASA for four years.

No issues encountered.

No issues encountered.

No issues encountered.

8/10

8/10

We moved our VPN termination from a Cisco ASR to an ASA. We switched because the ASR was not scalable and we realized it was a bad idea to use the same device for routing and VPN termination.

The most complex part was figuring out the failover and what NAT mode to implement.

We did it in-house.

Licenses and prices are pretty high. I understand the validity of the product, so I can't complain much.

No options were evaluated. We heavily rely on Cisco hardware for our infrastructure

I'd say it would be very beneficial to posses certification such as CCNP Security, at least, to get the most out of it. It's a complex product which requires good knowledge of procedures and best practices. Being a CCIE R&S I know the value of those certifications, and I wish I had a CCNP Security to better handle the task.

Cisco ASA's CLI is very effective and fast to configure the firewall and make changes, but monitoring logs and connections can be eye bothering by reading all the line outputs. ASDM, however, have improved the overall ASA configuration from an GUI standpoint. I really enjoy the log monitor where I can see live logs in a more user friendly interface. The down side of ASDM is that it is build with JAVA and that means a lot vulnerabilities and it does not always work with the latest JAVA version and/or patches.

The packet tracer function, which I use the most, have provided me a packet flow through the firewall and see which rule or policy can cause a drop. Also, I can see if my NAT statement is working properly. This has allowed me to quickly troubleshoot potential firewall related issues for my organization.

L7 firewall is a key for the ASA to be competitive in the current and future market place. By integrating with SourceFire, now call FirePower, on the ASA has helped it to get into the next-generation firewall segment.

It blocks all outside to inside traffic and only permits the specific internet traffic from the outside. VPN functionality is very useful, we can create remote access and tunnel VPN in the simplest way.

It blocked all kinds of internet attacks from outside like DOS or DDOS and avoided any down time. We created a remote tunnel from head office to data center network for easy access of servers that make working fast and they are easily manageable.

It would be great if they would add web filtering functionality to this product.

5 years

No

No

No

Excellent

Good

It is a little difficult in newer IOS versions where the use of the NAT command is different. Otherwise its straightforward to configure.

I deployed it in-house with my team.

This solution reduces any downtime therefore business continuity is not disturbed - that is ultimately ROI.

It is one time cost of about $10,000 and there is no day to day cost.

Yes, I evaluated Fortigate, SonicWall and Juniper but found Cisco ASA to be the best solution for us above all of the others.

Cisco ASA is a reliable product and it benefits you a lot in your network.