No more typing reviews! Try our Samantha, our new voice AI agent.
Robert LaCroix - PeerSpot reviewer
Network Engineer at Red River
Video Review
Real User
Aug 8, 2023
I can click and be on to the next firewall in a few seconds
Pros and Cons
  • "Firewall help with cybersecurity resilience. I really like this Cisco product. It's user-friendly. I don't like some other vendors. I've tried those in the past. Cisco is pretty easy. A caveman could do it."
  • "I wouldn't give them a ten. Nobody is perfect. I'll give them a nine because they help me with any issues I've had."

What is our primary use case?

I use it every day. It's something that's part of my daily tasks every day. I log in, look at logs, and do some firewall rule updates. 

We have a managed services team. I'm not part of that team, I use it for our company. I look at why things are being dropped or allowed. 

I'm using an older version. They got rid of EIGRP out of FlexConfig, which was nice. Now there's policy-based routing, which is something that I have to update my firewalls or my FMC so I can utilize that product.

Right now I use the Cisco-recommended version of FMC which is 7.0.5.

How has it helped my organization?

I like the GUI base of Secure Firepower Management Center. Coming from an ASA where it was the ASDM, I like the FMC where you can see everything is managed through one pane of glass. 

It's a single pane of glass, we have multiple firewalls. I can click and be on to the next firewall in a few seconds, really. 

What is most valuable?

As far as securing our infrastructure from end to end, I'm a big fan of Cisco products. I haven't used other products in the past, but I love the Cisco products. It helps a lot in the end. 

We have firewalls on the edge, internally, and then on the cloud now, so I feel we're pretty secure. 

Firewall helps with cybersecurity resilience. I really like this Cisco product. It's user-friendly. I don't like some other vendors. I've tried those in the past. Cisco is pretty easy. A caveman could do it.  

I've used Check Point and Palo Alto, and I like Cisco better. It's what I'm comfortable with. Hopefully, I'll use it until I retire. 

What do I think about the stability of the solution?

It runs forever. I haven't had any problems with any Secure Firewall. It just runs. You don't have to worry about it crashing. All Cisco products run forever. They run themselves. You need to update them. 

Buyer's Guide
Cisco Secure Firewall
July 2026
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: July 2026.
904,748 professionals have used our research since 2012.

What do I think about the scalability of the solution?

I'm a team of two. Either I'm looking at it, the other guy's looking at it, or no one's looking at it. It's part of my daily routine as I get in there and I make sure that I have the status quo before I move on to other projects or other tickets for the day. It's a daily process. They log the information right in.

I'll find out about scalability in a few weeks. I need to change out some firewalls that are a lower model to a higher model because of the VPN limitations. I'm going to have to do some more work and see how long it takes. 

How are customer service and support?

They're awesome. I talked to the guys here, I had a couple of problems that keep me up at night. I was able to come here and they're going to help me out with some different ideas. Anybody I talk to has a solution, and the problem is fixed. So it's nice. I've never had any problem with TAC. They're awesome.

I wouldn't give them a ten. Nobody is perfect. I'll give them a nine because they help me with any issues I've had. I could put a ticket in a day, and then it gets taken care of in a speedy, efficient manner, and then I'm able to move on to other things that I need to worry about.

Which solution did I use previously and why did I switch?

Palo Alto seems clumsy to me. I don't like it. It shouldn't be a guessing game to know where stuff is. Cisco is laid out in front of you with your devices, your policies, and logging. You point and click and you are where you need to be. 

I haven't used Check Point in a while. It's been some time but it's an okay product.

How was the initial setup?

For deployment, we have different locations on the east coast, on-prem, and in the data centers. We introduced a couple of firewalls, AWS, and Azure and we're implementing those in the cloud.  

On-prem is pretty easy to implement. I could lab up an FTD on my own time. It's super easy to download and install. You get 90 days to mess around in a lab environment. I'm new to the cloud stuff. I've built firewalls there, but there were other limitations. I didn't quite understand that I have to get some practice and learn about the load balancers.  

What's my experience with pricing, setup cost, and licensing?

We're a Cisco partner, so we get 80% off. That's a big discount and companies are always looking at ways to save money these days.

What other advice do I have?

I don't really look at Talos. It's in the background. I don't really look at it. It's there and it works. 

Nothing is perfect so I would rate Cisco Secure Firewall a 9.2 out of ten. I love the product. It's part of my daily routine. I'll hopefully use it until I retire. 

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
reviewer1448693099 - PeerSpot reviewer
Senior Network Engineer at a comms service provider with 1-10 employees
Real User
Jul 9, 2023
Great visibility and control, improved IPS, and easy to troubleshoot
Pros and Cons
  • "The ASA has seen significant improvement due to the IPS."
  • "Managing various product integrations, such as Umbrella, is challenging."

What is our primary use case?

We are a Cisco partner and we are currently using Cisco Firepower for our internet edge, intrusion prevention systems, and filtering.

We use virtual appliances in the cloud and hardware appliances on-premises.

How has it helped my organization?

Cisco Secure Firewall has improved usability in our environment.

The application visibility and control are great. Cisco Secure Firewall provides us with visibility into the users and the applications that are being used.

We are capable of securing our infrastructure from end to end, enabling us to detect and address threats. We have excellent visibility into the traffic flows, including those within the DMZs.

Cisco Secure Firewall has helped save our IT staff a couple of hours per month of their time because it is much easier to use the GUI instead of attempting to manage things through the CLI, which we have to access from the CRM.

We have several clients who had larger security stacks that they were able to consolidate because they were using separate products for IPS or URL filtering. With Firepower, we were able to consolidate all of those into a single solution.

The ability of Cisco Secure Firewalls to consolidate tools or applications has had a significant impact on our security infrastructure by enabling us to eliminate all the additional tools and utilize a single product.

Cisco Talos helps us keep on top of our security operations.

Cisco Secure Firewall has helped our organization enhance its cybersecurity resilience. We can generate periodic reports that are shared with the security teams to keep them informed.

What is most valuable?

The ASA has seen significant improvement due to the IPS. 

The ability to troubleshoot more easily through the gate is valuable.

What needs improvement?

The integration with all the necessary products needs improvement. Managing various product integrations, such as Umbrella, is challenging.

For how long have I used the solution?

I have been using Cisco Secure Firewall for four years. My organization has been using Cisco Secure Firewall for a much longer period of time. 

What do I think about the stability of the solution?

We experienced stability issues when transitioning to version 7.2, particularly related to operating Snort from Snort Two to Snort Three. In some cases, the firewalls necessitated a reboot, but we ultimately reverted back to using Snort Two.

How are customer service and support?

The technical support is responsive. In most cases where I've opened a ticket, they have promptly worked on figuring out the actual problem and assisting me in resolving it.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have had clients who switched to Cisco Secure Firewall from Check Point, Palo Alto, and WatchGuard due to the features and support that Cisco offers.

How was the initial setup?

The initial setup is straightforward. Since we were transitioning from ASA to Firepower, a significant portion of our work involved transferring the access control lists to the power values in the GUI. After that, we began adding additional features, such as IPS.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing structure of the firewall is fair and reasonable.

Which other solutions did I evaluate?

The closest competitor that matches Cisco Firepower is Palo Alto, and the feature sets are quite comparable for both of them. One issue I have noticed with Cisco's product is the SSL decryption when used by clients connecting from inside to outside the Internet. 

Cisco lacks the ability to check CRLs or OCSP certificate status unless we manually upload them, which is impractical for a large number of items like emails. On the other hand, Palo Alto lacks the ability to inspect the traffic within the firewall tunnel, which is a useful feature to have. 

What other advice do I have?

I rate Cisco Secure Firewall eight out of ten.

I recommend taking advantage of the trial by downloading virtual next-gen firewalls provided by OBA, deploying them in a virtual environment, and testing their performance to evaluate their effectiveness. This is a crucial step.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
PeerSpot user
Buyer's Guide
Cisco Secure Firewall
July 2026
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: July 2026.
904,748 professionals have used our research since 2012.
Cybersecurity Designer at a financial services firm with 1,001-5,000 employees
Video Review
Real User
Aug 8, 2023
Has gone from a week to less than half a day to implement a change
Pros and Cons
  • "The greatest benefit that this has provided to our organization is that we've been able to adjust the time that it takes to implement firewall changes. It's gone from a week to less than half a day to implement a change, which means that our DevOps team can be much more agile, and there is much less overhead on the firewall team."
  • "When we're looking at full-stack visibility, it can be difficult to get the right information out of Firepower."

What is our primary use case?

I'm a Cybersecurity Designer working for a financial services company in London, England with about 4,500 employees. We've been using Cisco Secure Firewall for about a decade now.

Currently, our deployment is entirely on-premise. We do use a hybrid cloud, although we don't have any appliances in the cloud just yet, that is something that we're looking to do over the next five years. 

The primary use case is to provide the ability to silo components of our internal network. In the nature of our business, that means that we have secure enclaves within the network and we use Cisco Secure Firewall to protect those from other aspects of the network and to control access into those parts of the network. 

How has it helped my organization?

The greatest benefit that this has provided to our organization is that we've been able to adjust the time that it takes to implement firewall changes. It's gone from a week to less than half a day to implement a change, which means that our DevOps team can be much more agile, and there is much less overhead on the firewall team. 

I would say that the Cisco firewall has helped us to improve cyber resilience, particularly with node clustering. We're now much more confident that a firewall going offline or being subject to an attack won't impact a larger amount of the network anymore, it will be isolated to one particular element of the network. 

We use Cisco Talos to a limited extent. We are keen to explore ways that we could use more of the services that they offer. At the moment, the services that we do consume are mostly signatures for our Firepower systems, and that's proven invaluable. 

It sometimes gives us a heads-up of attacks that we might not have considered and would have written our own use cases for. But also the virtual patching function has been very helpful. When we look at Log4j, for example, it was very difficult to patch systems quickly, whereas having that intelligence built into our IDS and IPS meant that we could be confident that systems weren't being targeted. 

What is most valuable?

I would say the most valuable aspect of Cisco Secure Firewall is how scalable the solution is. If we need to spin up a new environment, we can very easily and quickly scale the number of firewall instances that are available for that environment. Using clustering, we just add a few nodes and away we go. 

In terms of time-saving or cost of ownership, the types of information that we can get out of the Cisco Secure Firewall suite of products means that our security responders and our security operations center are able to detect threats much faster and are able to respond to them in a much more comprehensive and speedy manner. 

In terms of application visibility, it's very good. There is still room for improvement, and we tend to complement the Cisco Secure Firewall with another tool link to help us do some application discovery. That said, with Firepower, we are able to do the introductory part of the discovery part natively. 

In terms of detecting and remediating threats, I would say on the whole, it is excellent. When we made the decision to go with the Cisco Secure Firewall compared to some other vendors, the integration with other third-party tools, and vulnerability management, for example, was a real benefit. It meant that we could have a single view of where those three threats were coming from and what type of threats would be realized on our network.

In recent years through the integration of Firepower threat defense to manage some of the firewalls. We were able to do away with some of our existing firewall management suite. We do still need to use some third-party tools, but that list is decreasing over time. 

What needs improvement?

In terms of ways that the firewall could be improved, third-party integration is already reasonable. We were able to integrate with our vulnerability management software, for example. 

However, I would say that when we're looking at full-stack visibility, it can be difficult to get the right information out of Firepower. For example, you may need to get a subset of it into your single pane of glass system and then refer back to Firepower, which can add time for an analyst to look at a threat or resolve a security incident. It would be nice if that integration was a little bit tighter. 

What do I think about the stability of the solution?

The stability of Cisco Secure Firewall was one of the primary reasons that we looked to Cisco when we were replacing our existing firewall estate. I would rate it very highly. We have not had any significant problems with outages. The systems are stable and very good. 

What do I think about the scalability of the solution?

The scalability of the firewall is one of the main reasons why we looked to Cisco. The ability to add nodes and remove nodes from clusters has been hugely important, particularly in some of our more dynamic environments where we may need to speed up a few hundred machines just for a few days to test something and then tear it all back down again. 

Within our data centers, we have around 6,000 endpoints, and then our user estate is around 4,500 endpoints and all of that connectivity is controlled by Cisco Secure Firewall.

How are customer service and support?

Tech support has been very good. There are occasions where it would be nice to be able to have a consistent engineer applied to our tickets, but on the whole, the service has been very good. We haven't had any real problems with the service. I would rate them an eight out of ten.

The areas that could be improved would be if we could have dedicated support, that would bring them up from an eight. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to using the Cisco Secure Firewall, we were using another vendor. The Secure Firewall was a big change for us. The legacy firewalls were very old and not particularly usable. We do still use another vendor's products as well. We believe in in-depth defense. 

Our perimeter firewall controls are a different vendor, and then our internal networks are the Cisco Secure Firewall. 

Comparing Cisco Secure Firewall to some other vendors, I would say that because we use a lot of other Cisco technologies, the integration piece is very good. We can get end-to-end visibility in terms of security. In terms of the cons, it can be quite difficult to manage firewall changes using the Cisco standard tools. So we do rely on third-party tools to manage that process for us. 

How was the initial setup?

The firewall platform itself was not at all difficult to deploy in our environment. I would say that we do have a very complex set of requirements. So migrating the policy from our existing firewall estate to the new estate was quite difficult. The third parties helped us to achieve that. 

What was our ROI?

We've seen a good return on investment. The primary return that we have seen is fewer outages due to firewall issues, and also the time to detect and respond to security incidents has come down massively. That's been hugely useful to us. 

What other advice do I have?

On a scale of one to ten, I would say Cisco Secure Firewall rates very highly. I'd give it an eight. There are still some places to improve. 

If we look at what some of the other vendors are doing, like Fortinet, for example, there are some next-gen features that it would be interesting to see introduced into the product suite. That said, there are other capabilities that other vendors do not have such as the Firepower IPS systems, which are very useful to us. On the whole, Cisco Secure Firewall is a great fit for us. 

If you were considering Cisco Secure Firewall, I would say your main considerations should be the size of your environment and how frequently it changes. If you're quite a dynamic environment that changes very frequently, then Cisco Secure Firewall is good, but you might want to consider complimenting it with some third-party tools to automate the policy distribution. 

Your other consideration should be around clustering and adding nodes quickly. If you have a dynamic environment, then it is quite hard to find a better product that can scale as quickly as the Cisco firewalls.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2212707 - PeerSpot reviewer
Security Engineer at a government with 501-1,000 employees
Real User
Jun 25, 2023
Helped us consolidate tools and applications and provides excellent documentation and support
Pros and Cons
  • "The product is easy to manage and simple. It works with the rest of our Cisco products. You can drop in new ones if you need more performance. The training and documentation provided are good."
  • "There's a little bit of a disconnect between Firepower’s management and the rest of the products, like DNA and Prime. The solution should have fewer admin portals for network, security, and firewalls."

What is our primary use case?

I'm in network security, so I care more about security than the network architecture. I mostly just pull all the data out and throw it into Splunk. I use threat intelligence and some of the integrations like Talos. My company uses the product for east-west traffic, data center, and Edge.

What is most valuable?

The product is easy to manage and simple. It works with the rest of our Cisco products. You can drop in new ones if you need more performance. The training and documentation provided are good.

What needs improvement?

There's a little bit of a disconnect between Firepower’s management and the rest of the products, like DNA and Prime. The solution should have fewer admin portals for network, security, and firewalls.

For how long have I used the solution?

I have been using the solution for a year and a half. My company has been using it for at least five years.

What do I think about the stability of the solution?

I haven’t had a product die. The products failover really fast, and we can cluster them. The product is definitely many nines of reliability.

How are customer service and support?

I have contacted support in my previous jobs for things beyond firewalls, like servers, switches, and call centers. It's always been pretty good. They know their stuff. Sometimes we have to have a few calls to get really deep down into the issue. Eventually, we’ll get an engineer who's a senior and knows how to fix it. They do a pretty good job finding a resource that can be helpful.

Which solution did I use previously and why did I switch?

In my previous jobs, I used Palo Alto and Fortinet. My current organization chose Cisco Secure Firewall because we use Cisco for the rest of our network, and it just made sense.

What was our ROI?

We have definitely seen a return on investment. It works pretty well. It is important to have everything work together. Our time is probably more valuable than our money. We're not going to go out and grab ten other network engineers to set up another complicated platform when we can just save the hassle.

What other advice do I have?

The solution has improved our organization. I think my company was using Check Point back in the day. My company has 12 Cisco products. We used Palo Alto in my old organization. It’s what I'm most familiar with.

The application visibility and control with Secure Firewall are not bad. The product’s alerting is pretty good. There were a couple of things that surprised me about the solution. It works really well because we use it with Secure Client and Secure Endpoint. Sometimes the solutions can cross-enrich each other, which we wouldn’t get with a dedicated, standalone firewall.

The solution has helped free up our IT staff for other projects. We don't even have a dedicated firewall person. I sometimes do some stuff. Mostly the dedicated network admins run it, and they have time to do the rest of their job. Our whole network infrastructure team's only five to six people, and they can manage multiple sites across all different firewalls. It's not unreasonable to demand at all.

The product has helped us consolidate tools and applications. If we were using another solution, we would have had their firewall, management plane, and other appliances to back that up. Having a product in the Cisco universe definitely does help. It's all right there when we're using Secure Client and Umbrella. I want more of what Cisco Identity Services Engine and DNA do. I don't like switching tabs in my browser.

We use a relatively basic subset of Cisco Talos for general threat intel. It's definitely helpful. It's mostly about just getting the Talos definitions into the firewall so it can do all the heavy lifting so we don't have to. Now that Cisco has the XDR product, it will probably make it even more useful because then we can combine the network side, the security operations, and the threat intelligence into one thing to work harder for us.

Cisco Secure Firewall has definitely helped our organization improve its cybersecurity resilience. I like the IDS a lot. The definitions work really well. Making custom ones is pretty trivial. We don't have to do complicated packet captures or anything of that kind.

My advice would be to lean really hard on your sales engineer to explain the stack to you. There's definitely a learning curve to it. Cisco does things in a very particular way that's maybe a little bit different than other firewall vendors. Generally, it's pretty helpful talking to post-sales about what you need because you're probably not going to be able to figure it out. It's definitely a pretty top-shelf tool. If an organization already uses Cisco, they probably want to invest in the solution.

Overall, I rate the solution an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Director & CIO of IT services at Connectivity IT Services Private Limited
Real User
Aug 1, 2022
The micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement
Pros and Cons
  • "ASA integrates with FirePOWER, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall."
  • "Cisco ASA Firewall is reliable, especially in the Indian context."
  • "There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so you need to be slightly careful, especially on the site track."
  • "Cisco support is okay, but not great. The response time is too long."

What is our primary use case?

I'm a solution architect specializing in IT infrastructure designs. I create solutions for clients using Cisco and other products. I've developed solutions with various Cisco Firewall models. I may use an entry-level solution for smaller businesses, like the Cisco 555 Series or 5500. If it's a large enterprise, I may use the 4000 Series, or an ISR router integrated with a firewall for a branch office, and maybe an ISR router, which is integrated with the firewall.

I work with businesses of all sizes, but I see Cisco more often in medium-sized companies or large enterprises. Small businesses often pick Sophos or FortiGate because of the pricing. Large enterprises use Cisco and other products like Palo Alto or Check Point, especially for managing cloud architectures like GCP and AWS. 

If the customer only needs a plain firewall, Cisco ASA is sufficient. It can compete with FortiGate or Sophos. When I talk about a next-gen firewall, the basics include malware protection, instruction prevention, URL filtering, etc. Firepower is integrated to address these next-gen requirements. 

I may use the tabs for dynamic policy implementation in cloud environments depending on the clients' needs, but not typically VMware. I might get a false positive with the VMware operator and platform layer. If I stop some surveys, my production will stop. In such cases, I cannot just go by dynamic classification blindly. It would be better for the application layer, not the platform layer.

How has it helped my organization?

I don't have any metrics about how ASA has improved operations for my clients, but I can look at their market share relative to Check Point and other competitors. Cisco has a decent footprint today, and it reduced my customers' CapEx. I don't have the numbers. I'm just speaking relatively. Cisco can reduce operational expenditures by around 40 percent. I'm just giving a vague estimate, but I don't have any specific metrics.

Cisco offers two architectures. I can choose the Meraki track if I want an OpEx model or the traditional track, which is a CapEx model. Due to Cisco's tech acquisitions, I have various feature options within the same product. The DNA of Cisco combines the traditional Cisco architecture with the next-generation firewall.

Segmentation can be helpful for some clients. Let's use a financial organization as an example. We have traffic moving through the branch to the core banking. This is where we can employ segmentation. We can do security policy restrictions for branch employees to prevent them from accessing certain financial reporting systems. We can limit them to the branch level. 

I can enforce certain policies to prevent all branch traffic from reaching one layer of a particular segment by minimizing the overall traffic on the network. I can always control the traffic when I segment it. This set of capabilities is beneficial when a lot of financial algorithms are done.

What is most valuable?

ASA integrates with Firepower, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall. 

Deep Packet Inspection looks at the header information and inspects the contents of a particular packet. We can also look at traffic management. It can control end-user applications, and we can check device performance when we do this type of regression on our resources. This is what we look at with a DPI. It can help us reduce the overall OpEx and CapEx.

Traditionally, we needed multiple software and hardware tools. With these features, we can snoop into our network and understand each packet at a header level. That's called the service control engine.

Within Cisco's Service Control Engine Architecture, there's something called the Preferred Architecture, which has a supervisor engine. It's more of a network management tool. Cisco makes it more convenient to manage our resources. It has a nice UI, or we can go into the command-line level. 

Cisco's micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement. That's how we segregate it. Micro-segmentation is focused on the application layer. When we design a policy that is more automated or granular, and we have a specific business requirement, we get into micro-segmentation. Otherwise, the majority of the implementation will be generic network segmentation.

Dynamic classification is also essential given the current security risks and the attacks. We cannot wait for it to tell us if it's a false positive or a real threat. In those cases, dynamic classification is essential, especially at a MAC level.
When using WiFi, we may have a suspicious guest, and we cannot wait for someone to stop it manually. The firewall needs to at least block the traffic and send an alert.

In cases like these, integration with Cisco ISE is handy. If the firewall alone doesn't help, you must redesign your architecture to include various associated products as you increase your requirements. For example, you may have to get into multiple servers, so you'll need an ISE for identity management. 

As you start scaling up your requirements, you go beyond a firewall. You start from an L1 layer and go to the L7 sitting at the organization's gateway. When you talk about dynamic policy implementation, that's where you start to get serious about your operations and can change things suddenly when an attack is happening.

With ISE integration, you get another dynamic classification if an endpoint connects immediately. ISE has a lot of authorization rules, so it applies a filter. The dynamic policy capabilities enable tighter integration at the application workload level. Snort 3 IPS enables you to run more rules without sacrificing performance, and IPS puts you one step ahead of any threats to the organization.

What needs improvement?

There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track. 

We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that.

Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.

For how long have I used the solution?

I have been working with firewalls for about 20 to 25 years, but I've been using Cisco for around 12 to 15 years.

What do I think about the stability of the solution?

Cisco ASA Firewall is reliable, especially in the Indian context. For example, I had a couple of banks with around 5,000 branches and ATMs. It was easy to deploy remotely or send it to each branch. 

What do I think about the scalability of the solution?

Cisco ASA Firewall is scalable to a certain extent.

How are customer service and support?

Cisco support is okay, but not great. I rate Cisco support five out of ten. The response time is too long. We need an instant response to security issues. They follow some legacy processes.

In some cases, I think they're good, but they have hundreds of questions and steps to go through before the ticket is escalated. The local partner adds a lot of value in that case.

How would you rate customer service and support?

Neutral

How was the initial setup?

The standard setup is straightforward and takes around four hours. You can also do more customization and adjustments to deploy it in a particular environment.
I design a custom implementation strategy for each customer. It depends on whether I'm migrating an existing environment or doing a fresh deployment. I try to understand the customer's security footprint and all the issues I need to address before installation. 

What's my experience with pricing, setup cost, and licensing?

I think Cisco's price is in the right space now. They have discounts for customers at various levels. I think they're in the right spot. However, Cisco can be expensive when you factor in these additional features. 

If you add SecureX, Cisco's cost will definitely jump. We started with the standard ASA, then we added segmentation and micro-segmentation, and now we're talking about automation and unified architecture. SecureX is an integrated security portfolio. It gives a vertical and 360-degree algorithm with an open, integrated platform that can scale.

Which other solutions did I evaluate?

In most next-generation products, the UA itself will manage a lot of things, but it's easier to find people with expertise. If you put 10 firewall experts in the room, six will be talking about Cisco, but you can hardly find one or two people talking about Check Point or Palo Alto. Others would be more talking about Sophos, FortiGate, etc.

What other advice do I have?

I rate Cisco ASA Firewall seven out of ten. If you're implementing a Cisco firewall, you must be crystal clear about your business requirements and how a Cisco ASA firewall will address your problem. You need to understand whether this product line contains all the features you need. 

Can it pass a security audit? Does it integrate with your network device? How scalable is it? Will this solution you're implementing today be adequate in the next three years? These are the questions that you should ask.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
PeerSpot user
ArunSingh7 - PeerSpot reviewer
Computer Operator at a retailer with 5,001-10,000 employees
Real User
Nov 21, 2023
A tool that offers protection and security features that needs to improve its price
Pros and Cons
  • "The solution's dashboard is fine, and in terms of support, Cisco is better than other OEMs in the market."
  • "If you need to reschedule a call with the support team when you face a new issue with the product, then it may get a bit of a problem to get a hold of someone from the support team of Cisco."

What is our primary use case?

My company uses Cisco Secure Firewall for its protection and security features.

What is most valuable?

I won't be able to speak about the strong points of the product. I will need the input from my team to be able to speak about the advantages of the product. The solution's dashboard is fine, and in terms of support, Cisco is better than other OEMs in the market.

What needs improvement?

The solution's price can be lowered because, currently, it is pricier than the tool its competitors offer in the market. If the product's prices are lowered, it may help Cisco to expand its market base.

If Cisco reduces the price of its product, then it can gain more advantage and become much more competitive in a market where there are solution providers like Fortinet FortiGate.

For how long have I used the solution?

I have been using Cisco Secure Firewall for five years.

I don't remember the version of the solution since there is a support team in my company to manage it. My company has a partnership with Cisco.

What do I think about the stability of the solution?

Stability-wise, I rate the solution an eight out of ten.

What do I think about the scalability of the solution?

Scalability-wise, I rate the solution an eight out of ten.

Around 2,500 people use the solution in my company.

How are customer service and support?

Most of the time, the solution's technical support is helpful and responsive. There have been a few cases where a few black spots have been noticed, which I think is because Cisco opted for localization of support because, during holidays, nighttime, or weekends, it becomes difficult for users to reach the support team, though the rest of the time the support is good.

If you have already scheduled a call with the support team of Cisco, then it is good. If you need to reschedule a call with the support team when you face a new issue with the product, then it may get a bit of a problem to get a hold of someone from the support team of Cisco. Earlier, there were no problems with Cisco's support team. Recently, there have been a few issues cropping up related to the technical team of Cisco. Technically speaking, the support team is good, but the availability offered by the technical team has deteriorated.

I rate the technical support a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I work with Palo Alto, Fortinet, and Check Point for different parts of our IT environment.

How was the initial setup?

The product's initial setup phase was taken care of by another team in my company before I joined my current company.

On our company's core payroll, we have a very small support team, but we do have a support team in my company for the product. The support team in my company consists of around 20 to 25 engineers who work around the clock.

The solution is deployed on an on-premises model.

What's my experience with pricing, setup cost, and licensing?

I rate the product's price a seven on a scale of one to ten, where one is expensive, and ten is cheap. If we compare Cisco with other OEMs available in the market, Cisco needs to work on price improvement. Nowadays, there is a lot of competition in the market with newer solutions, like Fortinet, gaining popularity, amongst a few other names like Cyberoam, a product from a local Indian vendor. Palo Alto has also gained a lot of market share in recent years.

Which other solutions did I evaluate?

From a security perspective, generally, there are only three solutions that our company looks at, which include Check Point in the last four or five years, among other options like Palo Alto and Cisco.

What other advice do I have?

I recommend the solution for SMB businesses.

I rate the overall tool a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2212692 - PeerSpot reviewer
Network Engineer at a tech services company with 5,001-10,000 employees
Real User
Jun 21, 2023
The monitoring dashboard lets us see if the packets get from the source to the destination correctly
Pros and Cons
  • "The monitoring dashboard is valuable to us for troubleshooting."
  • "With the new FTD, there is a little bit of a learning curve."

What is our primary use case?

I use the solution mostly to separate internal networks.

How has it helped my organization?

Being able to create and apply new policies to the firewall has been helpful. It is an object-oriented way of doing things that helps a lot because we can build and apply new policies. We can also test it and revert to the old one if it doesn't work.

What is most valuable?

The monitoring dashboard is valuable to us for troubleshooting. It lets us see if the packets get from the source to the destination correctly.

What needs improvement?

With the new FTD, there is a little bit of a learning curve. The learning curve could probably be simplified a little bit. I've come around that learning curve, and I'm able to get around it.

For how long have I used the solution?

I have been using the solution for 15 years.

What do I think about the stability of the solution?

Cisco is known for its general stability.

What do I think about the scalability of the solution?

The solution’s scalability is excellent. I don't know if the scalability has a downside or even a limit.

How are customer service and support?

The support is really good. I have a good team that supports us, and I'm able to always reach out to them. It's nice to have somebody on the cell phone and just be able to reach out to them.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Years ago, I used different firewalls like Juniper, but mostly, it's been fixed to ASA and FTD. We switched to Cisco because our customers were using Cisco.

How was the initial setup?

The initial setup had a little bit of a learning curve, especially because I came from ASA. I needed some help from Cisco. However, I knew what I was doing once it was set up, especially with FMC and Firepower.

What about the implementation team?

We used Cisco’s support to deploy the product.

What was our ROI?

In general, we have seen an ROI on the product. Using it, applying policies, setting it up, and leaving it alone is helpful. It helps save resources.

What other advice do I have?

I don't use the product for application visibility and control. I tend to worry more about blocking or allowing certain things versus looking deep into the servers and applications and how they work.

The product is great for securing our infrastructure from end to end. I'd like to be able to test out some of the other products, like dashboards and IPS/IDS, that work with it. For the most part, I set up a firewall, and I set up the rules. If things don't work, I monitor it through the monitoring dashboard and try to figure it out.

Cisco Secure Firewall has helped free up a lot of time for our IT staff. Apart from monitoring, unless somebody needs a firewall rule change or anything like that, there's no need to mess with it. Once we set it up, it just runs.

The solution has helped our organization to improve its cybersecurity resilience. Being a firewall, by definition of the term, the product has improved our organization’s security.

People should always evaluate other products. If you’re looking for a solid firewall, Cisco makes the choice so much simpler, especially now with FMC. We are able to apply policies easily and control different firewalls at the same time.

Overall, I rate the solution a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jordan De Sousa - PeerSpot reviewer
Network Manager at a computer software company with 501-1,000 employees
Real User
Mar 6, 2023
Helped with the consolidation of tools and has a great dashboard
Pros and Cons
  • "The most valuable Cisco Secure Firewall features are options, features, and ease of deployment because it's an appliance."
  • "Cisco Secure Firewall's integration with cloud providers has room for improvement. We could do more in terms of integration, for example, if we had a tag on an instance."

What is our primary use case?

Our primary use case is filtering as we have a filtering strategy. We are trying to filter a destination and do not have a centralized filtering strategy. So we have MX and on the other end filtering on the firewalls, but not in the middle. This means that both ends of the connectivity do all the security on the firewalls.

What is most valuable?

The most valuable MX features are the ease of deployment and a great dashboard. The most valuable Cisco Secure Firewall features are options, features, and ease of deployment because it's an appliance.

What needs improvement?

Cisco Secure Firewall's integration with cloud providers has room for improvement. We could do more in terms of integration, for example, if we had a tag on an instance. 

I would also like to see tag rules with cloud objects. This would be a great improvement for Cisco Secure Firewall. 

As far as MX is concerned, I would like to see more interconnection. We would also like to be able to do BGP.

For how long have I used the solution?

Our organization has been using this solution for about 10 years.

What do I think about the stability of the solution?

We had MX when it was launched initially and it was not as stable as it is now. The stability of the solution has improved. 

I would rate the stability of this solution three years ago a 3 and today's stability an eight, on a scale from one to 10, with one being the worst and 10 being the best.

How are customer service and support?

I think that their tech support is quite good. I would rate them an eight, on a scale from one to 10, with one being the worst and 10 being the best.

How would you rate customer service and support?

Positive

What other advice do I have?

We have used different types of solutions. We had Cisco ASA for about 10 years, and then we switched to an on-site firewall to MX from Meraki, Cisco. For our cloud, we have Cisco Services Routers.

The migration to the cloud has been a lot of work. Not all of our systems were compliant with being on the cloud so we had to work on some applications and delete some of them. For the old systems, we had to do extra work but for the newer systems, it was fine. The migration took around 18 months to migrate 99%.

We had more than 2,000 on-prem firewall sites.

Cisco helped with the migration to the cloud with the migration tool. Migrating MX was really easy and the tools helped us to migrate from the old ASA we had to the new MX. The cloud, firewalling, and CSR helped us from the data center on-premise approach to the cloud because at the time we didn't have a lot of experience with the cloud. It was easy to use the Cisco appliances in that space.

I think that this solution has saved our IT staff time because of the ease of deployment. When I first started as a network engineer, it took a whole day to configure a firewall because of all the particularities you could potentially have at a site.

I think that this solution saved our organization's time because security saves money because. At the end of the day, firewalls block threats.

This solution helped with the consolidation of tools as we had all the observability tools in the solutions. Some 10 years ago we all had third-party solutions doing the observability. Now, we have the whole package and not only the firewall.

We choose Cisco 10 or 20 years ago mostly because it was a market-leading solution. I also think it's because of MX's user-friendly solution that you can get on board easily. As far as CSA goes, I believe it's because you have a lot of features on the firewalls and it's the stability of course.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
DonaldFitzai - PeerSpot reviewer
Network Administrator at Cluj County Council
Real User
Aug 15, 2022
I like the ease of administration and the overall speed of processing web traffic
Pros and Cons
  • "All the rules are secure and we haven't had a significant malware attack in the five years that we've been using ASA Firewall. It has been a tremendous improvement for our network. However, I can't quantify the benefits in monetary terms."
  • "In the past, the company experienced multiple ransomware attacks, but we haven't seen any since installing ASA Firewall."
  • "Setting firewall network rules should be more straightforward with a clearer graphical representation. The rule-setting method seems old-fashioned. The firewall and network rules are separate from the Firepower and web access rules."

What is our primary use case?

We use ASA Firewall to protect 250 to 300 devices, including workspaces and servers.

How has it helped my organization?

All the rules are secure and we haven't had a significant malware attack in the five years that we've been using ASA Firewall. It is a tremendous improvement for our network. However, I can't quantify the benefits in monetary terms. 

What is most valuable?

I like the ease of administration and the overall speed of processing web traffic. The modules help protect and administer web traffic. ASA Firewall's deep packet inspection gives me visibility regardless of whether I have the agent installed on all the workstations. I can see incoming web traffic and control access to suspicious or dangerous sites. I can apply a filter or make rules to restrict categories of websites.

What needs improvement?

Setting firewall network rules should be more straightforward with a clearer graphical representation. The rule-setting method seems old-fashioned. The firewall and network rules are separate from the Firepower and web access rules. You can access the firewall rules through the Cisco ASDM application, not the web client. I'm using an older version, and I'm sure this issue will improve in the next edition.

Micro-segmentation is somewhat complex. It's not easy, but it's not too difficult, either, so it's somewhere in the middle. I used micro-segmentation for 10 or 15 VLANs, and ASA Firewall acts as a router for those VLANs. The visibility offered by micro-segmentation is pretty poor. It's not deep enough. 

For how long have I used the solution?

I have been using ASA Firewall for five years.

What do I think about the stability of the solution?

ASA Firewall is a stable solution.

What do I think about the scalability of the solution?

I don't think ASA Firewall is very scalable. It depends on the models and the license. However, it's pretty simple to update and upgrade the models, so I would say it's moderately scalable. 

How are customer service and support?

I worked with Cisco's technical support from the beginning and it was excellent. I rate Cisco support 10 out of 10. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, I used some Linux Servers with a software firewall for 20 years.
It was a Microsoft firewall, but I don't remember the name. It was a server that I had to install on the gateway.

How was the initial setup?

Deploying ASA Firewall was complex because I needed to install an ESXi machine to implement the Firepower module. That was relatively complicated, and it took two or three days to complete the installation and verification.

What about the implementation team?

I worked with a consultant who sold me the product and helped me with minor issues as needed. 

What was our ROI?

In the past, the company experienced multiple ransomware attacks, but we haven't seen any since installing ASA Firewall. It was a huge improvement. It's hard to quantify that in financial terms, but we had 40 or 50 machines damaged. 

What's my experience with pricing, setup cost, and licensing?

I'm not sure precisely how much ASA Firewall costs, but I know it's a little more expensive than other solutions. I rate it seven out of ten for affordability. 

Which other solutions did I evaluate?

I learned about Fortinet and Palo Alto firewalls. I think FortiGate is easier to set up and manage. At the same time, Cisco firewalls are pretty secure and reliable. I think the ASA Firewall is in the top five.

What other advice do I have?

I rate Cisco ASA Firewall eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Engineering Services Manager at a tech services company with 201-500 employees
Reseller
Oct 24, 2021
The ability to implement dynamic policies for dynamic environments is important, given the fluidity in the world of security
Pros and Cons
  • "One of the most valuable features of Firepower 7.0 is the "live log" type feature called Unified Event Viewer. That view has been really good in helping me get to data faster, decreasing the amount of time it takes to find information, and allowing me to fix problems faster. I've found that to be incredibly valuable because it's a lot easier to get to some points of data now."
  • "Firepower does a bang-up job of it, by bringing that data to the forefront."
  • "The change-deployment time can always be improved. Even at 50 seconds, it's longer than some of its competitors. I would challenge Cisco to continue to improve in that area."

What is our primary use case?

It's deployed in multiple ways, depending on the use case. Generally speaking, we have them as edge firewalls, but I have some customers who use them as data center firewalls, and some customers who use them as VPN firewalls. And in some places, they're the east-west firewalls, as they would be called in a core network. We do have some that are for cloud firewalling, that we're using in Azure and AWS. But generally speaking, they're deployed as edge firewalls and on-prem.

How has it helped my organization?

In some cases that I'm aware of, when moving from specific platforms like Check Point, Firepower has offered a much easier way of working with the platform and deploying changes. For the customer, it's a lot easier in the newer platform than it was in the previous one.

I've done network assessments, where we wanted to get visibility into all flows. I used Firepower boxes for some of those, where we tapped a line and let Firepower see all the traffic. It was incredibly helpful in picking up all of the flows of data. As a result, I was able to give information to the customer, saying, "This is what it's doing and this is what it's seeing in your network." I find it very helpful to get all that type of data. It's got a lot more information than NetFlow-type systems.

There have also been use cases where I'm doing east-west and north-south in the same firewall box. That is possible with SGTs and SD-Access and Firepower. That ability has been critical in some of the designs we've done. A scenario would be that we have an underlay, a corporate network, and a guest network VRF-routed zone; big macro security zones. We are doing micro-segmentation at the edge with SD-Access, but the macro-segmentation between the zones is handled by the firewall. Because we didn't want to split up our east-west and north-south, because there really wasn't a budget for it, they're on the same box. That box is able to do both flows that go towards the internet and flows that go between the different interfaces on the firewall. We're using SGTs in those policies and we're able to extend the logic from the SD-Access environment into the firewall environment, which creates a very unified approach to security.

We're also able to implement dynamic policies for dynamic environments with 7.0. That's becoming more and more important every day. IPs are becoming less important; names and locations and where things live in the cloud mean things are becoming a lot more fluid in the world of security. It's very helpful to have objects and groups that can follow that fluidity along, as opposed to me trying to do it old school and static everything up. No one has time for that. Dynamic policy capabilities enable tight integration with Secure Workload at the application workload level. The IP is less relevant and the application or the VMware tag can be tied to a specific ruleset. It's very helpful to be able to have it be so dynamic now. We're using more and more of those dynamic group concepts.

When it comes to the solution’s tags for dynamic policy implementation in cloud environments, VMware is the primary one I'm seeing these days, but I expect Azure to pick up significantly. The use of these tags for dynamic policy implementation in cloud environments simplifies things. We don't have to have so much static stuff pinned up. We can just have a single rule that says, "If it's this tag, then do this," as opposed to, "If it's this IP and this IP and this other IP, then you're allowed to do this thing." By disconnecting it from the IP address, we've made it very flexible.

What is most valuable?

It may sound a bit strange, but one of the most valuable features of Firepower 7.0 is the "live log" type feature called Unified Event Viewer. That view has been really good in helping me get to data faster, decreasing the amount of time it takes to find information, and allowing me to fix problems faster. I've found that to be incredibly valuable because it's a lot easier to get to some points of data now.

Also, the new UI is always getting better from version to version. In the beginning, when it came to managing Cisco Secure Firewall, it wasn't always the easiest, but with 6.7 and 7.0, it's gotten easier and easier. It's a pretty easy system to manage. It's especially beneficial for people who are familiar with ASA logic because a lot of the Firepower logic is the same. For those people, they're just relearning where the buttons are, as opposed to having to figure out how to configure things.

I've used the backup VTI tunnel and that's a feature that lets me create some redundancy for my route-based stuff and it works pretty well. I haven't had any issues with it

Firepower 7.0 also has fantastic Dynamic Access Policies that allow me to replicate a lot of the configurations that were missing and that made it difficult to move off the old ASA platform for some customers. The addition of that capability has removed that limitation and has allowed me to move forward with implementing 7.0. 

Snort 3 is one of the biggest points on Firepower 7.0. I've been using Snort 3 for quite a while and, while I don't have a ton of customers on it, I do have some who are running on it and it's worked out pretty well. In their use cases, there wasn't a lot of risk, so that's why we started with it. Snort 3 has some huge advantages when it comes to performance and policy and how it's applying things and processing the flows.

Dynamic Objects have also been really critical. They're very valuable. Version to version, they're adding a lot more features onto Dynamic Objects, and I'm a big fan. 

I've also used the Upgrade Wizard quite a bit to upgrade the firmware. 

And on the management side, there are the health modules. They added a "metric ton" of them to the FMC [Firepower Management Center]. In version 6.7 they released this new health monitor which makes it a lot easier to see data and get to information faster. It's quite nice looking, as opposed to CLI. The new health modules really do stand out as a great way to get to some of that health data quickly—things like interface information, statistics, drops—that were harder to get to before. I can now see them over time, as opposed to at just a point in time. I've used that a lot and it has been very helpful.

In addition, there is the global search for policy and objects. I use that quite a bit in the search bar. It's a great way to get some information faster. Even if I have to pivot away from the screen I'm on, it's still great to be able to get to it very quickly there. 

In a lot of ways, they've addressed some of the biggest complaints, like the "housekeeping" stuff where you have to move around your management system or when it comes to making configuration changes. That has improved from version to version and 7.0 is different. They've added more and have made it easier to get from point A to point B and to consume a lot of that data quickly. That allows me to hop in and do some data validation much faster, without having to search and wait and search and wait. I can get to some of that data quicker to make changes and to fix things. It adds to the overall administrator experience. When operating this technology I'm able to get places faster, rather than it being a type of bottleneck.

There is also the visibility the solution gives you when doing deep packet inspection. It blows up the packet, it matches application types, and it matches web apps. If you're doing SSL decryption it can pinpoint it even further than that. It's able to pull encrypted apps apart and tell me a lot about them. There's a lot of information that 7.0 is bringing to the forefront about flows of data, what it is, and what it's doing. The deep packet inspection and the application visibility portion and Snort are really essential to managing a modern firewall. Firepower does a bang-up job of it, by bringing that data to the forefront.

It's a good box for visibility at the Layer 7 level. If you need Layer 7 visibility, Firepower is going to be able to do that for you. Between VLANs, it does a good job. It's able to look at that Layer 7 data and do some good filtering based on those types of rules.

What needs improvement?

I'd like to see Cisco continue its approach to making it easier to navigate the UI and FMC and make it easier to get from point A to point B. Generally, the room for improvement is going to be all UI-related. The platform, overall, is solid.

I'd also like them to continue to approach things from a policy-oriented perspective. They are moving more and more in that direction. 

Also, the change-deployment time can always be improved. Even at 50 seconds, it's longer than some of its competitors. I would challenge Cisco to continue to improve in that area. It's very reasonable at 50 seconds, it's not like it used to be in early versions of Firepower, where it was around seven minutes. Still, it could be quicker. The faster we can deploy changes, the faster we can roll back changes if we have messed something in the configuration. Low deploy times are really good to have. 

I would also like to see more features that will help us connect things to the cloud dynamically, and connect things to other sites dynamically. There should be more SD-WAN features in the boxes. If I can use one box to solve cloud connectivity problems, and not have to do stuff so statically, the way I have to do things today on them, that would be helpful.

For how long have I used the solution?

I am a Cisco partner and reseller and I actually beta test for the Firepower team. I work on Firepower boxes and have done so since the beginning. I have customers on Firepower 7.0 and I have been using Firepower 7.0 since its release.

What do I think about the stability of the solution?

I haven't really had any major complaints or issues with Firepower 7.0 stability.

What do I think about the scalability of the solution?

It scales, but it depends on the growth rate of the customer and the amount of bandwidth. It's usually a speed and feed problem: Is the firewall box big enough to handle the traffic? Snort 3 has made some improvements there and it's even given some life back to older boxes because of improvements in code and in how Snort processes data. But, overall, the box just has to be big enough for the amount of traffic you're trying to shove through it.

How are customer service and support?

I've been doing this a long time and I don't usually need to call tech support. But when I do need to call TAC, after working with a lot of the other vendors out there, Cisco TAC is still one of the best technical resources in the market. I do like TAC. That's not to say that every TAC engineer is great, but comparatively, they're one of the best support organizations.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup is straightforward, with the caveat that I've been doing this for a long time, so for me it is simple and makes sense. But it is pretty straightforward. You have overall policies that wrap up into your access policy, which is the base policy. You have DNS policies that will roll right up into it. Likewise, platform policies get attached to devices. Generally speaking, it's a lot of working through the logic of the rules: How do you want to block stuff, and how do you want to permit stuff? A lot of that is normal firewalling. When I say the setup is simple, it's because it involves normal firewalling issues. You have to deal with routing, NAT rules, ACLs, and VPNs. It's a matter of just kind of working through those same things that every firewall has to solve.

The deployment time depends on the customer and how many rules. If we're building out all their rule sets, it could range from 40 hours to hundreds of hours. It also depends on what we're coming from. We're not generally walking into environments that are green, meaning there's no box there today. It's almost always that there's something else there that we're replacing. We have to take what we're coming from, convert it, and then put it on Firepower. Small businesses might have a couple of rules, enterprises might have hundreds of rules.

Our implementation strategy is to go in, document the current state of the environment, and then work on a future state. We then work through all the in-between stuff. When we have the old firewall configuration, we determine what it will look like on the new firewall configuration. Does the firewall configuration need to be cleaned up? Are there things that we can optimize and improve or modify? A lot of it involves copying configuration from the old platform to the new one. We're usually not trying to change a ton in a firewall project because it increases the risk of problems arising. Usually, customers' networks are operating when we get into them. We prefer to do a cleanup project after implementation, but sometimes they coincide.

In our company, one person can usually do a firewall cutover. And maintenance of Firepower 7.0 usually requires one person. Maintenance will usually involve a firmware upgrade.

What was our ROI?

There is a lot of value with SecureX. Other customers struggle to bring all the data back to one place, the way you can with SecureX, across a product portfolio. The value of that capability is incredible. I don't know how to put a monetary value on it, but from an operational perspective, it's very helpful to have it all back in one place because you're not having to hop around to multiple UIs to find the data you're looking for.

What's my experience with pricing, setup cost, and licensing?

With any vendor, prices are often a little bit negotiable. There are things like discounted rates. There's a list price and then, as a partner, we get a discounted rate based on how much product we're purchasing and our relationship with the vendor. 

But on the list-price side of things, there are three big licenses on an FTD [Firepower Threat Defense] box. There are the malware license, the threat license, and the URL filtering license. You can license them in one-year, three-year, and five-year increments. Each license will enable different features on the box. The malware license will enable AMP filtering or AMP detection. The threat detection enables use of the IPS solution, which is really Snort's bread and butter. And the URL filtering enables filtering based on URL categories.

Sometimes we use URL filtering and sometimes we don't. It depends on the customer and on whether they have a different URL filtering strategy, like Umbrella. The two big ones that we sell are malware and threat detection, with threat detection probably being the license we sell the most.

SMARTnet, the technical support component, covers the box. When you purchase the hardware, you buy it with SMARTnet. Licenses cover features, SMARTnet covers support.

Which other solutions did I evaluate?

We continue to support, integrate, and sell three out of the major four vendors: Palo Alto, Fortinet, and Cisco. Every vendor has been a great partner with us, so I don't want to showcase one firewall platform over another.

Palo Alto is arguably the most mature out of the group when it comes to the firewall in general, but they've also been developing on the same platform for quite a long time.

FortiGate, on the other hand, is great in a lot of use cases.

Cisco's strength is how it integrates with the security portfolio at Cisco. When you have a lot of other security products or integrations, Firepower really stands out above the rest. Palo Alto and Fortinet, although they can integrate with SDA to some degree, they don't integrate to the same depths as Firepower. You really start to see the benefits of Firepower in your organization when you're looking at the Cisco security stack. That's what I would argue is one of the biggest benefits of Cisco in general, that stack of products.

With Cisco, it's not necessarily about a single piece, it's definitely about how they all can communicate and talk to each other, and how information is shared between the components, so that you can create a unified approach to security. Their SecureX product is an integration point. It brings together a lot of that information from different product lines in one place. That's really Cisco's game. Some of the other security vendors struggle to keep up with the breadth and depth of what Cisco is doing in all those different spaces.

In terms of ease of management, Firepower is an enterprise product. While FDM [Firepower Device Manager] is really easy to use, FMC has a lot more knobs to turn. Comparing FortiGate to FMC, a lot of the capabilities of FortiGate are still at the CLI level only. Palo Alto is 100 percent UI-based, not that you can't configure a Palo Alto from CLI, but I don't think anybody does that.

What other advice do I have?

My advice is that you need to know your flows. If you're upgrading to Firepower, you should know what traffic matters and what traffic doesn't matter. If you really want to be successful, you should know all the flows of traffic, how they function, what they do. That way, when you get the box up and running, you know exactly how it should operate.

You can split Firepower users into two buckets: help desk and admin. Help desk will usually be read-only and admin will be read-write. If there's one engineer at a customer, he might have admin rights. If there's a help desk and one senior firewall guy, he might have admin rights where his help desk has read-only. It varies by the size of the customer. Most midsize organizations have one or two firewall guys. When you get into the big enterprises, the number goes up.

Regarding Firepower's Snort 3 IPS allowing you to maintain performance while running more rules, the "book answer" is yes, it's supposed to. We're not really running Snort 3 a ton on those yet because of some of the risk and because some of those customers haven't upgraded to 7.0 yet. Those that are on Snort 3 are just not running policy sets that are large enough that to notice any major or even minor improvements. I have seen an uptick in performance improvements with Snort 3, even on firewalls that are not 100,000-rule firewalls. We are seeing improvements with Snort 3. It's just that Snort 2 performance hasn't really affected the box overall, it just runs a little hotter.

When I mentioned the risk for Snort 3 for our larger clients, what I meant is that with new things come new risks. Snort 3 is one of those new things and we have to evaluate, when we upgrade a customer to it, whether the risk of the upgrade warrants doing it for the customer. In some cases, the answer is no, because of burn-in time. With some of our riskier locations or locations that require 24/7, it makes more sense to run Snort 2, which has been out there since forever on the Firepower platform. It's a lot more stable on Snort 2 and the problems are known problems, from a design perspective. We've mitigated those and worked around them. With Snort 3, there could be new bugs or problems, and in some environments, we want to mitigate that risk.

My expectation is that by 7.1 or 7.2 we will upgrade more generally to Snort 3. It's not that it's far away. It's just that with 7.0 being the first release of Snort 3, and 7.0 only having one or two patches under its belt, we thought it better to remove some risk and just use Snort 2.

Cisco Secure Firewall helps to reduce firewall operational costs, depending on the firewall vendor it's replacing. In some cases, customers are coming from old platforms where the security wasn't nearly at the same level as a next-gen firewall, so the advantage of moving to a next-gen firewall is the increase in security. But that comes with an operational burden no matter the firewall type. There is a lot more visibility and capability out of the NGFW platform, but it comes at a cost. There's more data to work through and more things to configure. Still, in most cases, Cisco Secure Firewall is going to decrease operational usage with the caveat that it has to be an "apples-to-apples" situation, which is very hard to come across these days. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros sharing their opinions.
Updated: July 2026
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros sharing their opinions.