Cisco Secure Firewall Reviews

With the ASA there are multiple products depending on your needs based on the two generations of the ASA. Roughly split-up there are 4 products.

1. 5500 Series basic/standard firewall - This I would rate as 7/10 due to the fact that it's easy to use, manage and deploy. Its scalable SSL, and IPSec VPN options, and is lacking throughput
2. 5500-X Series basic/standard firewall - This I would rate as 8/10 due to the fact that it's easy to use, manage and deploy. Its scalable SSL, and IPSec VPN options, and it has high throughput
3. ASA5500 Series with firewall and CX - This I would rate as 5/10 due to fact that even though the firewall and VPN part is easy to manage and deploy, the CX is lacking in stability, and features. Also, it is rather complex to deploy. Add to this the CX lowers the throughput even further
4. 5500-X Series with firewall and Sourcefire - This I would rate as 9/10 because it's easy to use, manage and deploy the firewall, VPN, and also the SourceFIRE. SourceFIRE works rather well and is by far the most advanced IPS system available. But it decreases the throughput more than you´d like

In general, I like both the SSL VPN and SourceFIRE. Firstly, for the VPN, both the client and client-less versions are very scalable, flexible, and dynamic in configuration and probably the best SSL VPN solution available in the marked. Secondly, SourceFIRE has improved the IPS functionality and stability of the ASA to a point where you can begin to enjoy the fruits of your solution and root out the bad seed in you network.

For many of my customers, the SourceFIRE solution has been an eye opener of exactly what their users are generating of traffic. Some customers, after reviewing the traffic application usage reports are astounded by the amount of traffic used, for example by Facebook and YouTube. My customers like the visibility into their network usage, and not necessarily wanting to block it, but just to know that they can control the network traffic and utilization if needed.

Definitely the throughput could use an upgrade when running the SourceFIRE/AMP with the ASA. Also, it could use better troubleshooting capabilities. You are, most of the time, bound to have access to TAC for troubleshooting advanced problems.

Customers where I have deployed these solutions have had them for three plus years, and most of them have, at the present moment have first generation solutions, or are planning an upgrade to the second generation ones (NGFW or NGIPS),

There are always issues when implementing key equipment like firewalls, especially if you are converting from an unfamiliar platform, activating SourceFIRE, or doing a general maintenance rule clear-up. If you don’t follow best practice, you can seriously impact network performance or unintentionally shut-down services.

In general the ASA has a great software stability reputation, and even though SourceFIRE for ASA is still young, the stability seems to be rather good. Of course you can’t avoid all issues, and you might have to reinstall the SourceFIRE software on the modules. If you're upgrading the ASA from pre code 8.3, you will need to redo the NAT and access rules of the ASA.

License scalability for SourceFIRE is really not good if you have an ASA in HA as you need two licenses of everything, which is really bad as you wont get double SourceFIRE other than that you need to remember to buy your ASA based on the SourceFIRE's throughput and not the inspection throughput.

If you have a service contract with Cisco you can have TAC assistance, software upgrades and next-business-day RMA (or faster) otherwise you are left to yourself or your Cisco partner. Basically without a Cisco service contract, you can't get any help or software from Cisco.

Should you have a Cisco service contract, you get access to TAC that will provide you technical assistance towards solving your issue. The TAC experience can vary a lot. In general I would rate it as very good, 4/5.

Mainly customers switch from other vendor because of VPN features, ease-of-management, and good consultant/partner relationship.

The initial setup is fairly easy and there are wizards for almost all the basic needs, including the initial setup and all types of VPN technologies that the ASA supports.

I am the vendor, and I am an expert with ASA.

Make sure you get the right product/license to do the job you need done. If you are in doubt ask a consultant or a Cisco Partner. I have seen cases where a firewall wasn't the right hardware for the job and you can't just switch off the firewall/inspector for some interfaces or networks.

• Modular scalability
• High availability
• VPN services

It provided more secure access to the resources of my organization and created a more stable environment for the business activities between us and our partners.

Security through integrated cloud and software based services.

I've used it for two years.

There were a few problems with the interaction between the ASDM client and ASA device.

No issues encountered.

No issues encountered.

10/10.

9/10.

I previously used a Fortinet solution. I switched to Cisco because Fortinet lacked
stability and robust troubleshooting features.

It was complex because I had to put the ASA directly into the production environment.

I implemented the solution in-house.

I also evaluated Juniper and CheckPoint solutions.

You should try it without restraints, and it is worth every penny.

It was a valuable firewall some years ago but then Palo Alto created the next generation firewall and Cisco needed too much time to create ASA CX. At the moment it has, basically, the same features. In my opinion the most valuable features now are the layer seven capabilities and the new FirePOWER.

I've used the devices for over 10 years.

I have never had an issue with my deployments.

One of the best things about ASA's is that they are very stable.

With ASA, you can scale to the largest deplyments. As an example, I have installed an ASA in an environment with 80.000 users.

Cisco Support is very good, you don't have problems using it.

10/10.

I have migrated customers from Cisco's competitors to ASA's.

Once you have the knowledge it is not complex to install an ASA, but it does depend on the network of the customer.

Our customers also evaluate PaloAlto.

• Firewall
• VPN
• FirePOWER mobile

They should make the ASA accessible via the web instead of ASDM. Also, a big improvement is needed on the transparent mode.

I've used it for over six months.

There were some issues.

There have been some issues with Java.

There were some issues.

8/10.

8/10.

It was straightforward.

Make sure to plan your network carefully.

The filter with NAT mode is valuable.

Not really, as we are a subcontractor we install and configure it for other companies.

Speed of execution and security options needs to be improved.

I've used the devices for, more or less, one year.

No issues so far.

No issues so far.

No issues so far.

3.5/5.

3/5.

Yes we did, but we switched due to Ciscos ASA's ability to support big data stream in some networks.

It's not too complex, but it depends on the customers' network architecture.

As a vendor, we find IT experts with CCIE certifications.

I haven't, and my first experience working with ASA, was a project with the specifications already defined

You must specify your needs and choose the right options depending on the network requirements.

• NAT
• IPSec
• ACL

It solved an IPSec issue we had with a customer. We have moved from Linux IPSec to Cisco.

• Routing
• It needs GRE supports
• Application visibility
• Context

I have used Cisco ASA products since 2010.

No, it's very easy to deploy.

With versions 8.4.4 and version 8.4.6, they had a lot of bugs. Also, after I moved to 8.4.5, route lookup changed to NAT divert and that kicked me.

No issues encountered.

No service.

No service.

Yes we previously used Linux and we moved because Cisco is great.

It was straightforward as Cisco Asia integrated it into OSPF, another router on the stack, and for NAT IPSec.

I implemented it by myself.

It's good.

No other options were evaluated.

It's a great product.

The ability to intercept unwanted traffic, and prevent attacks without interrupting everyday work, and the stability of this product are the key functionalities in our deployment.

This product, and our implementation, are not directly correlated with the core business of our company. It is designed to protect our company from outside threats and reduce impact on other network elements, such as the backend firewall, DMZ zone and VPN concentrators.

Cisco ASA lacks some functionalities, when compared with other vendors’ products. Cisco need to implement some more functionalities, like client-less VPN (HTML5), but I expect that Cisco will continue to add, and improve, features of the product. One of the features that should be improved is the URL filtering engine, as currently it has limited functionality. For full functionality, you will need an external URL filtering server, like Websense.

We have used it for more than five years, and have implemented it for perimeter network protection. It is designed for basic network protection for our corporate environment.

No issues during the deployment, as we had good planning.

No issues with stability. The device is designed for hard work 24/7. I never have a lack of resources like RAM or CPU. The only reason I need to restart the device is during a software upgrade.

In our deployment, we did not have a scalability issue.

It is very high.

We did not have any technical problems with this product, so we have not had need of technical support

We implemented ASA after a complete redesign of our network, and we believe that Cisco ASA is the right solution for our needs.

The initial setup is straightforward, as there is a lot of documentation available on the Cisco site, and other sites, which makes planning and deployment pass without any problems. However, the ASA is a complex device, with a lot of features and further tuning is complex and you must have the right knowledge to do it. Configuration can be done through a Java based application called ASDM or through the CLI interface. Using ASDM is much more simple and easy, but ASDM is not compatible with the newer Java version, so before implementation you must read the compatibility notes. Also, keep in mind that when upgrading ASA software, you must also upgrade the ASDM package.

Initial implementation was through a vendor. I would rate their experience and expertise as 9/10.

Calculating the ROI for network security or IT security is complex and dependent on many factors, like the implementation, role, expectation etc. IT security cannot be compromised, but on the other hand, we must ask how much is enough. In our case, we do not have a defined ROI for this product.

The cost of the setup was only the product price, local vendor support for the implementation, and employee training. This product is set it and forget it, so we do not have day to day costs.

We did not evaluate other products. One reason was that we believe that the ASA is a reliable product and fits our needs. Another reason, was the lack of local support for other solutions.

Unfortunately, the ASA 5500 is EoS and EoL, and I hope that Cisco’s NGF 5500-X series will be a worthy successor. This does not mean that Cisco will stop software support and will continue to release new software versions with new and improved features for the ASA 5500 series.

As with any other product, the main things for a successful implementation are to decide what you want to achieve, and what your main goal is, and then, you need good planning, not only for your current needs, but you also need to keep in mind further grow and needs. Good planning is, at least, 80% of successful implementation.

It has very advanced security features including FirePOWER threat management, which is the most valuable, but also URL filtering, FireSIGHT, and advanced malware protection.

The cost of this product should be reconsidered.

I've used it for almost a year.

So far, I have found this model very smooth.

We had a slight issue with IPS, as the signature update was, sometimes, getting stuck.

I believe this product is very scalable with our current needs and requirements.

Yes, I used a normal model of Cisco ASA and found it a  very successful experience. Therefore we have it to a more advanced ASA box for improved, and more advanced, security management.

Cisco implementations are always very straightforward.

Evaluation is mandatory in IT, and we have found this device has better features and reliability when compared to other products.

I would suggest implementing this product ascand has advanced security features.