Cisco Secure Firewall Reviews

It's a great solution that amalgamates a firewall and VPN into one device. It also has a well organized GUI- ASDM.

• Easy to setup VPNs
• Firewall ACL
• Easy to modify
• Easy to perform maintenance

The ADSM is incompatible with different versions of Java.

I've used it for six years.

I have issues with some versions of Java and ASDM.

It's high.

It's high.

I used a Cisco 881 router as a firewall and VPN solution. ASA allows conformity and various amounts of functionality in work.

It can be complex, since a lot of CLI commands are different with respect to the CLI of IOS routers.

We implemented ASA without vendor support. For first time implementation, it is good to have someone with ASA experience involved.

Prices could be a little bit lower to make the product more accessible.

NGFW: VPN (IPSec, SSL), NAT (provides great flexibility)

NGIPS: Application visibility, file policies (store files), network discovery, correlation features

SSL decryption for modules. Although I think it is better to separate SSL decryption as a service from the software module since it requires additional hardware, but I think it would be great if there is an option to use the ASA (not the software module) to decrypt the SSL.

Ex: Add a license to decrypt SSL traffic on the ASA itself. The ASA already supports SSL VPN. So if SSL decryption can be integrated that would be nice.

5 years+

Basic setup is easy, but if you need to do some advanced stuff, it can be intuitive, but some things require some kind of tutorial to understand how it can be done. Good thing is that this device is becoming popular and there are many 3rd party free tutorials and guides that can help.

I heard about defect that were encountered by my colleagues, but not something that cannot be fixed using an upgrade.

Clustering is available for ASA with firepower services.

Also for firepower appliances, there is stacking available for some models.

Great support. The engineers know what they are doing.

10/10

No

Well, it is straight forward as long as you understand the components available.

ASA can be configured using the CLI or ASDM.

For the Firepower you will need to use a FireSIGHT as a management solution.

Since you will be using two GUIs, I wouldn't call it straight forward.

The fact that it's a full inspection firewall.

In fact there is no relevant improvement, but this is the kind of device that every company must have.

• Recognition of appliances
• UTM features

I've used it for five years.

It was mainly issues regarding the management and VPN setup.

No issues encountered.

No issues encountered.

8/10.

8/10.

We previously used IPtables, and switched because there was a lack of technical support, RMA, etc.

It was an easy initial set-up.

We did it in-house.

No other options were looked at.

• Site-to-site IPsec VPN
• Remote IPsec VPN
• Reverse route injection

Cisco Context gave us the feature of creating a virtual firewall, which is good. It provides us with maximum network isolation. Also impressive is the ISP redundancy.

WCCP, and URLs, in the Cisco ASA Context both need work. When changing from single mode to multiple mode or back, the commands must be done from the command line (CLI) and cannot be done via the ASDM GUI interface. ASA context should be able to support site-to-site VPN, but the current Cisco Context does not support VPN

I've used them for six years.

During the deployment of WCCP, we noted some loopholes like it only supports ports 80 & 443. Application which is running on multiple ports doesn't work with WCCP and to make it work we need to allow respective traffic outside the firewall.

Sometimes there is an issue with the site-to-site VPN.

In certain cases, like an any access-list, if we add a URL the Cisco ASA access-list does not resolve that URL while this can be done in Juniper, and Fortinet.

9/10.

9/10,

I have migrated some set-ups from Cisco to Juniper, but not from Juniper to Cisco.

We have multiple ASA firewalls for different clients now we migrated to Cisco Context.

It was done in-house.

It's 8/10.

If it is for a banking domain, your organisation should use Cisco which can assure better security than any other vendors' products. Also, they have the best documentation, reliability and support.

• Firewall mode
• AnyConnect gateway
• Client-less SSL VPN

The versatility of the product has allowed us to solve a number of perimeter requirements without having to seek out different products or companies for solutions. It has allowed for a single management mechanism, and by having a single platform solution, it has allowed for simpler training.

The configuration/management interface is complex and can be confusing. Technical documentation is often sparse and can be incomplete when covering specific implementations.

I've used Cisco PIX and ASA firewalls since 2003.

Not with the ASAs, with some early version PIX products.

Not with the ASAs, with some early version PIX products.

The ASAs offer several different technologies for HA and we have used all of them successfully.

It's excellent.

Excellent, we have always been able to get the specific expertise needed to solve our challenges with the products.

Checkpoint Firewalls - the primary reason we switched was cost and limited support options.

It's pretty straightforward. I came at these products already having considerable firewall experience.

It was all in-house, as we all had 10 years plus experience when we moved to PIX firewalls and then a few years later we brought in the ASAs.

• Watchguard
• Sonicwall
• Checkpoint

The product line offers tremendous capability. Please look into all of the solutions it can provide for you to maximize your investment.

• Reliability
• Security
• Flexibility
• Functionality
• Availability - controllability anywhere and with different methods

I can tell that when we have started using the Cisco AnyConnect for remote access to business apps it makes the work for remote staff much simpler. It's also easier to provide remote IT support. Aside from this, the security officers can sleep better now.

The ASA is an almost perfect device.

I've used it for two years.

I have had no problems deploying it.

Occasionally, the packet rate falls unexpectedly.

I currently do not need to scale on my network.

9/10 - the regional online support could be better.

10/10.

We use MySQL and Nagios devices alongside the ASA as our network infrastructure needs expanding and required more serious hardware solutions.

When Cisco was installed, it did not go as expected.

It is not simple to calculate for IT hardware. To calculate the ROI for using the ASA, I would need to have a lot of statistics on the quality of services, both before and after.

Cisco ASA 5512-X was bought for $3,000, and a further $1,000 was needed for installation and pre-configuration.

• Fortinet
• Juniper

As a rule, any device upon delivery is obsolete. Pick up the solution for your business, based on your specific needs.

• Network firewall
• FirePOWER services (URL filtering, IPS)

With the new FirePOWER services, Cisco has given the ASA new valuable features like URL filtering and a more simple and efficient IPS. With FirePOWER services, we have been able to have more insight of our network, something that we never had before, now we can see all the applications that our users are using the most and we can see if there is malware on our network.

The FirePOWER defense system has no integration with the firewall management of the ASA, I mean you can’t create ACLS, rules, VPNS NAT, and so on. All of this has to be done with the ASDM which, from my point of view, is very complex if you are not used to it, you should be able to manage the entire solution from one central software like Defense system, but right now you can’t. This is one of the biggest problems I see right now

I've used it for two years.

The FirePOWER deployment has to be done from the management port of the ASA. This port has to be dedicated because all the communication from the defense system to the appliance goes by that port, so you need to have different networks (inside and management port) to be able to implement this feature. It would be nice again if you can just configure this from one single point and not two (defense system and ASDM).

No, I have never had any problems with Cisco equipment regarding stability.

No issues encountered.

8/10.

6/10 - I mean you need luck when you open a case with Cisco to have someone with expertise on the product. I’ve had great TAC experiences and the worst ones too, if you have a loss of service they put you with people that know what they are doing, but if you want to configure something extra and you just ask the TAC how to do it, sometimes you get someone that appears to be learning the solution. Many times, I´ve been able to solve it by myself sooner than the TAC.

We previously used Microsoft ISA and switched because it's no longer supported.

In our case straightforward, because we do not have many rules on our firewall, but I’ve seen cases where the migration from one firewall to another can be very tedious.

We did it in-house.

If you are using Cisco, then you will be very familiar with the product, and maybe you won't encounter any problems at all. However, if Cisco is a new solution, you should ask for a demo to see the interface of the ASDM and the defense system in action, and then decide if this is the kind of insight you need of your network.

VPN - Both site to site (IPsec) and remote access (IPsec and SSL).

Through the use of VPNs, we were able to connect our branches together through the internet without the any additional cost.

• Throughput
• Price

Since 2008, so seven years, and I have been a heavy/daily user, and all of my jobs were related to network security.

No issues encountered.

Sometimes, due to software bugs, but in the long run the ASA is a very stable product when compared to other vendors firewall solutions.

One of the major disadvantages with the ASAs is the throughput, while the network evolves, the ASA was usually causing the bottle neck.

It's very good when compared to other vendors.

It's very good when compared to other vendors.

Mainly switching from the old Cisco PIX to a new Cisco ASA. The reason for switching is to get a higher throughput, and due to the fact the that the Cisco PIX went EoL.

It requires training, but after that it is straight forward.

I work for a vendor, and we implement the solution for multiple customers.

Yes, and we chose Cisco ASA mainly due to the fact that they have a very good, reliable and very responsive technical customer support.

I have worked on the best firewalls in the market, and Cisco ASA is one of the best.

The below screenshots are taken from a demo of ASDM.