Cisco Secure Firewall Reviews

We have all kinds of use cases. Our customers are large enterprises, and they need perimeter security. Zero trust, network access control, and network segmentation are quite important these days.

We are a partner and reseller. We implement, and we resell. As a Cisco Secure reseller, we have all the expertise. Our customers are usually overworked and have no time to learn how to implement these things and get some expertise. That's what we bring in. We help them select the right solution, select the proper design and architecture, and implement it. They basically lack the time and expertise, and we are a trusted advisor who helps them with their issues.

I'm working with security. It improves the security posture of our customers and protects them from threats. We recently saw a bunch of hacks in Germany and our customers are concerned. We help to protect our customers from that, and that's very important.

The analysis tools and encrypted traffic analysis save time. They help detect security threats and incidents that can cause outages for customers. It's a great improvement.

Application inspection, network segmentation, and encrypted traffic detection or encrypted traffic analysis (ETA) are valuable for our customers. I'm from Germany, and in Germany, people are very concerned about privacy. We have a bunch of public customers, and they have an issue with decrypting traffic, even if it's only for security analysis. They have some fears. So, they are quite interested in the capability to detect threats without decrypting traffic.

The usability of Cisco Firepower Threat Defense is an issue. The product is still under development, and the user interface is very difficult to deal with. That's one area where it should be improved. Another area for improvement, which is also related to the firewall, is stability. We are having stability issues, and we had some cases where customers had a network down situation for about one or two days, which is not great.

As a partner, I have been working here for about nine years, but we offered this solution all the time. The company has probably been doing that for at least 15 years.

Cisco Firepower Threat Defense has improved a lot over the last few years, but we sometimes still have really big issues.

Their support is pretty awesome. It doesn't really matter if you have a hardware issue or a software issue. If it's a hardware issue, you get a replacement quickly, and if you have a software issue, you get quick support. There are also some bad examples. I have one from wireless where after a problem was acknowledged, it needed about one year to get fixed. It depends a little bit on how complex the issue is, but in general, it's quite okay.

We are also selling Fortinet, Palo Alto, and Check Point. We sell all solutions, but I'm quite focused on Cisco. It's mostly because I have the most expertise and experience with it over the years. I've been working with Cisco security solutions for 15 to 20 years. That's where my expertise is, and with Cisco, you have a solution for everything. It's not always the best of breed, but in the overall solution frame, you have something for everything, and they interact nicely with each other, which is great.

The deployment model is totally customer dependent. The way we work, we look at the customer environment and develop a proper deployment model for them. Some of them are using enterprise agreements. It's becoming more and more common, so they can use several solutions at once or with some kind of added use price and other benefits.

I'm not always involved in the deployment. I work as an architect. I do not implement all the solutions I design, but I implement some of them. For me, it's important because, for one, I like it, and second thing is that I need to have some kind of hands-on experience to understand the solution so that I can make better designs.

If you do the initial setup for the first time, it's somewhat complex., but over time, you get the experience, and then it's more or less straightforward. 

Our clients rarely used the firewall migration tool. It gives you a starting point for the configuration, but usually, there are so many things you need to rework afterward. We use it sometimes, but it only does a part of the job.

It does require maintenance. The clients have maintenance contracts for that.

In our company in Germany, just for the security solutions, we have about 20 to 30 engineers. They are experienced in different areas. For the firewalls, we have 10 engineers.

Cisco was never a cheap solution. Compared to other vendors, it's more or less at the same level, except maybe Fortinet which is fairly cheap.

In terms of licensing, we still have issues with the subscription model. Many of our customers are used to buying a solution and owning it. It takes time to convince people to go for the subscription model. That's still an issue for us.

We have Cisco Firepower Threat Defense, email security, web security, and Cisco Umbrella. Most of the time, I am working with Identity Services Engine for identity-related things. That's the main product I work with all the time. I have almost no direct contact with Talos, but I know that below the hood, it just improves all their security solutions.

To those evaluating this solution, I would advise being a little bit careful with it. It interfaces well with other Cisco solutions, so it has value, but it's not always the best solution.

At the moment, I would rate it a six out of ten.

I'm working as a Solution Architect for an energy provider in Austria. We have approximately 1,500 people working in Austria and also in some neighboring countries.

We are using Cisco Secure Firewall. We started with Cisco ASA long ago, and now, we have Cisco Firepower or Cisco Secure Firewall. We are using the product as a perimeter firewall and for remote access VPN and site-to-site VPN tunnels with other partner companies. So, the primary use case of Cisco Secure Firewall is to secure our perimeter, but it's also for the remote access VPN for employees in the home office or if they are outside the company.

The benefit of using Cisco Secure Firewall is that there is a lot of integration with other Cisco products like Cisco ISE or even with third-party systems. It's important to have these integrations with other systems. On one hand, you get more visibility, and on the other hand, you can also use the information that you have from the firewall in other systems, such as a SIEM or other similar things. You overall get better visibility and better security.

In terms of securing our infrastructure from end to end so that we can detect and remediate threats. When it comes to detection, it's pretty good because you have the background of Cisco Talos. I can't say if it's the truth, but they probably are one of the top players in threat hunting, so it's pretty good at detecting known things that are outside.

The most valuable features of the product are the VPN and the NextGen firewall features such as application control, URL filtering, etc. These features are especially valuable because nowadays, it's not enough to just filter for source and destination IPs. You need more insights or visibility to see which applications are passing your perimeter, which applications you want to allow, and which ones you want to block. Without this visibility and these features, it's a little bit hard to secure your network.

There is room for improvement in the stability or software quality of the product. There were a few things in the past where we had a little bit of a problem with the product, so there is room for improvement. In the past, we had problems with new releases. 

Also, from the beginning, some functionalities or features have not worked properly. There are bugs. Every product has such problems, but sometimes, there are more problems than other products, so it's definitely something that can be improved, but Cisco seems to be working on it.

There is room for improvement in the stability of the product.

I know that there are several models for every type of scale that you need. For small branches up to the data center or even for the cloud, there are models, but so far, we only have one cluster. Among all these different types, we found the perfect matching size for our company.

The Cisco support with Cisco TAC is pretty good. With the TAC Connect Bot that you have with WebEx, you can easily open a case or escalate the case through the WebEx app. That's pretty cool. Also, the engineers that are working for Cisco TAC are really good. Among all the vendors that we have in place, it's the best support that we have experienced. I'd rate them a 10 out of 10 because compared to the other vendors that we have in place, it's definitely the best support.

Positive

We have a multi-vendor strategy for the firewall so that if there is some security issue in the software or something like that, you are not directly impacted, and there is another vendor in between. If I compare Cisco Secure Firewall with the other vendor that we have in place, the pro for Cisco Secure Firewall is that detection is better with the database of Talos. The con that comes to my mind is the deployment time when you deploy a change. With the other vendor, the change is more or less deployed immediately, whereas, with Cisco Secure Firewall, you have to wait for a few minutes until the change is deployed. This is one of the biggest cons on this side because if there's a misconfiguration, you are not able to correct the issue as fast as with the other vendor.

We migrated from Cisco ASA to Cisco Firepower, and it was straightforward because there were some migration tools to export the old ASA rule set and import it into Cisco Secure Firewall. With these tools and the documentation that you find on Cisco's site, it was pretty straightforward, and we had nearly no problems with the migration to Cisco Secure Firewall.

In terms of the deployment model, we have one high-availability cluster, and, of course, FMC to manage this cluster. These are physical clusters, and we have them on-prem in our data center.

For deployment, we worked with our partner who helped us a little bit with the migration. Our partner's engineer had good knowledge and supported us when we had questions. When we didn't know how to do something, they helped us with that.

The licensing models that are available for Cisco Secure Firewall are okay. You have nearly every option that you need. You can pick filtering, advanced malware protection, or all the available features. It's sufficient.

In terms of pricing, there are, for sure, some cheaper vendors, but overall, it's nearly the same. It has a fair price.

To those evaluating Cisco Secure Firewall, I'd advise thinking about what are your use cases and what's your goal to achieve with this product. It's also a good idea to talk to other customers or a partner and ask them what's their experience and what they think about it, and if it's suitable for this use case or not. And, of course, it's also a good idea to do a proof of concept or something like that.

At the moment, I'd rate Cisco Secure Firewall a six out of ten. The reason for that is that we are having some problems with the stability and functionality of the product, but there are also features, such as VPN, that are working from day one without a problem. So, there are good parts, and there are parts that are not working as well as we would like them to, but we and Cisco TAC will solve this in the future, and then the rating will go up.

We use WSA proxy and Cisco Firepowers with the FMC suite and Cisco Umbrella. We mainly use WSAP for on-premises data centers to get traffic outbound to the internet. Cisco Umbrella is for our endpoints, and Cisco firewalls are to protect our perimeter but also internal choke points to secure segments on our LAN.

Currently, we don't have any integrations between the three of them. They all run in isolation. 

Our external partner does the day-to-day management. We are not using it on a day-to-day basis. We position the products from within my team, but the detection mechanism is different per platform. We mainly trust the policy, and our security department is checking logs for anomalies in the patterns.

In terms of cost savings, we've been using this mechanism for years on end, so we haven't been able to see a real cost reduction between using our own personnel versus our external partner for management. It has been like that for 10 years or so.

In terms of time savings, it doesn't put too much burden on day-to-day activities to go over the details. The policies are rather straightforward, and anything not configured is not allowed. In that sense, it's easy.

Protecting our landscape in general and being able to see logging when things aren't going as set out in policies are valuable features. Our security department is keen on seeing the logging. 

If WSAP remains to be an active product, it might be an idea to integrate the configuration policy logic between Umbrella and WSAP. There should be one platform to manage both.

The integration between the on-prem proxy world and the cloud proxy would benefit us. One single policy setting would make sense.

That's great. Sometimes, you need to be clear on the severity levels, but once determined, we have a good experience with tech support.

Positive

That was long ago, but we had Blue Coat proxies before. We switched because of our strategy to go for Cisco as an ecosystem.

We chose Cisco products because we have a Cisco-first strategy. We typically check first with the Cisco product portfolio and then make up our minds. Historically speaking, it serves our interests best.

I am not involved firsthand in its deployment. We have an oversight role within our company, so we ask our external supplier to do the implementation, and when needed, to have it validated via Cisco, but I've no real hands-on experience.

I would expect that we have seen an ROI because our sourcing department would make sure we get the best price for the solution.

Licensing is quite difficult to get your head around. My biggest challenge is to understand the details, the inner relations. Luckily, to some extent, we have enterprise agreements, but licensing for me is a real black box.

I'd rate it an eight out of ten.

As a manufacturing company, we have to use many different concepts of firewalls. That's one reason we had to use a trusted firewall for security and trust reasons.

We use a top-down architectural level mostly. For this reason, Cisco Secure Firewall is the top product for us.

I would say that this solution has saved our organization's time because we are certified engineers and experts. It helps us to connect quite well with our customers on a professional level.

The features I have found most valuable are the ASA firewalls. I like to have features like most integrated systems in ACI.

I think that the solution can be improved with the integration of application-centric infrastructure. It could be used to have better solutions in one box.

I have been using this solution for around seven or eight years.

I've used different concepts of solutions before Cisco. Cisco is much better than Juniper, Brocade, or Foundry, as it is much easier to use and get directions from. It is also easier to integrate Cisco if you compare it with other customer concepts, such as Juniper, Brocade, or Aruba.

I am not involved in all Cisco firewall deployments. We also have an architectural team. We deploy based on a top-down level architecture and implementation structure.

When it comes to pricing, quality is important to us. When looking at products, we prefer quality over speed. Cisco is on that quality side mostly.

We are currently using the Cisco Firepower firewall, which is dependent on the situations in the data center and regional data center concepts. 

The way that this solution helps secure our infrastructure end-to-end is by enabling us to easily integrate all end-to-ends for monitoring.

Whether this solution saves us time depends on the situation. We use highly secure networks on the national security level and that's why it helps to use different products as Cisco is one of the best.

Overall, I would rate this solution a nine, on a scale from one to ten, with one being the worst and ten being the best.

We use Cisco ASA and Firepower.

ASA is used for AnyConnect connections, that is, for users to connect to the office. It is very reliable and works fine.

We use Firepower in some sites as firewalls to control inbound/outbound access. We use it as a software protection layer. However, because most users are now working from home, few users need it in the office. As a result, in some places, we have switched to SD-WAN.

The network products help save time if they are well configured at the beginning. They help increase security and protect the company's data.

Firepower's user experience should be a little bit better.

I've been using Cisco Firepower for six months.

There are some hiccups here and there, but compared to the technical support from other vendors, I have had the best experience with Cisco's technical support. I would rate them at nine out of ten.

Positive

The initial setup was somewhat easy because we had previous experience with implementation. We copied that strategy or tried to align it to that implementation, but there were some challenges.

We have a hybrid cloud deployment. We have our own data centers and a lot of branches. In the data centers, most Cisco technologies start with ACI. With firewalls for big branches, we find that it's easier to break out to the internet globally rather than to use data centers.

Cisco's prices are more or less comparable to those of other products.

Compared to other vendors' firewalls, Cisco's firewalls are a bit behind. Overall, however, I would rate Cisco Firewall at eight on a scale from one to ten.

The main use cases are firewalling, routing, site-to-site VPN, and remote access. We have some older 5585-X ASAs in place. We do have Firepower 2000 Series and 4000 Series. 

For most setups, we do have high availability in place. We've at least two devices in active-active or active-standby. If it's a highly secure setup, we sometimes have two firewalls.

Cisco has a huge variety of products and features. It's a benefit to have the knowledge of all those things and also put it in the firewalling products. The knowledge that comes from other products or solutions that Cisco is selling is finding a place in security as well, and that's one of the key benefits.

There are time savings when you have a good solution in place for stopping or preventing security risks. In general, it isn't saving me time on a daily basis, but there is peace of mind knowing that you are being protected.

Basic firewalling is obviously the most valuable. In addition to that, secure access and remote access are also very useful for us. When COVID came, a lot of people had to stay at home, and that was the basic use case for having remote access.

One con of Cisco Secure Firewalls is that Java is used a lot for the older generation of these firewalls. Java is used for the ASA and the ASDM tool for administration. It's an outdated way of administering, and it's also a security risk to use this kind of solution. This is a pro of Firepower or the newer generation of firewalls because they are using HTML for administration.

In general, they can make it easier to manage the solutions. They can make it easier in terms of administration and provide a single tool for different firewalling solutions. They have different tools to manage different firewalls, such as Firepower or ASA. Sometimes, both are on the same thing. You have ASA with Firepower modules, so you manage some of the things via HTML, and then you manage some of the things via another management tool. It's not seamless. It should be bundled together in one solution.

I have been using this solution for six to seven years.

They have been very stable. I did not have any cases where a network was down due to firewalling. Fortunately, I did not have any hacker attacks, but that's being lucky. It's not something I would point out to firewalling or configuration. It's just that sometimes you're lucky and sometimes you're not.

It's very scalable. Cisco is for mid to large businesses. For small businesses, there are solutions that are cheaper, but that's not the main focus. 

A large environment comprises several thousand users. We have small to large size environments, but we mostly have mid to large.

Cisco's tech support is good in general. It varies and depends on with whom you're speaking and how the knowledge on the other side is. That's basically the same for our company. I'd rate them an eight out of ten. A ten would be perfect, and no one is perfect. You can reach maybe a nine, but no one can reach a ten.

Positive

For more security, we sometimes have two firewalls. We have other vendors in place, such as FortiGate or Palo Alto. We have Cisco at the front or at the end, and another vendor on the other side so that there is more security, and if there is a security breach in one solution, we still have the other one. These firewalls differ mostly in administration and how you configure things but not so much in terms of features. They may differ in small things, but in the end, they are all doing the same things.

I deploy and manage them afterward. I'm not only in the designing and implementing; I'm also in the operational business. Its deployment is not more complicated than other solutions. It's fine. When it comes to documentation, in general, Cisco is very good.

We mostly try to do it ourselves. Our approach is to have knowledge or any certification of the topic we are trying to take.

I'm not a salesperson. I'm more from the technical perspective, and I don't know if there are any savings at the end, but I believe that all that was bought in the past was used the way we wanted it to use. So, the money was well spent.

Licensing is not only for Secure Firewalls, and it's too complicated.

To someone evaluating or considering Cisco Secure Firewall, I'd advise having a good greenfield approach regarding what component to use. If there is no greenfield, you should evaluate what solutions you need and what type of use case you have and then decide based on that.

I'd rate Cisco Secure Firewall an eight out of ten. Cisco is a big player in networking and security, and that's basically the pro on their side.

Our primary use case for Cisco Secure Firewall is protection in our OT network. We have our OT network behind the commercial network and we do dual firewalls. The Cisco Secure Firewall is on the commercial network side and a different vendor and management group are on the OT network side.

Cisco Secure Firewall has not necessarily improved our organization as much as it has protected it against the impact of cyber threats. Our organization runs manufacturing plants that have hazardous material and we don't want that manufacturing process to be impacted by break-in exposure and cyber threats.

Cisco Secure Firewall is a good solution. In some ways, it is a reactive solution and we have it sitting in a whitelist mode rather than a blacklist mode. It seems to work fairly well for us.

It would be better if we could manage all of our firewalls as a set rather than individually. I would like to see a single pane of glass type of option. We also use another vendor's firewalls and they have a centralized management infrastructure that we have implemented. This infrastructure is a bit easier to manage.

We have used Cisco Secure Firewall for probably 10 years.

Cisco Secure Firewall has been a very stable solution for us. In general, if you keep it up to date and do sensible management on it, it will be a very stable solution.

Cisco Secure Firewall has met our scalability requirements as far as traffic and management goes.

We have an excellent account team and they go to bat for us inside of Cisco. We have access to TAC and Smart Net and that all seems to be working out very well. Cisco has a good team in place.

We did not previously use a different solution for this particular use case. 

I was not involved in the initial deployment of the solution. 

In this specific use case, the biggest return on investment is that we do not have incidents. This ultimately – in some of our factories – ends up being a health and human-safety use case.

We have all smart licensing and that works well. 

We ultimately chose Cisco Secure Firewall because it came with a strong recommendation from one of our strong partners.

My advice to those evaluating the solution right now is this: understand what you're trying to protect and what you're trying to protect it from. Also, understand how the solution is managed.

Cisco Secure Firewall has not necessarily freed up our staff's time as much as it has secured the infrastructure and the OT network behind it. Cisco Secure Firewall was not built as a time-saver. It is not a cost solution. It is a solution meant to isolate and control access to and from a specific set of infrastructure.

Cisco Secure Firewall has not helped us consolidate tools and applications. It allows us to get access. What we're seeing more and more of is business systems like SAP looking to get access to OT systems and this is how our systems get that way.

Cisco Secure Firewall requires the sort of maintenance that any software product would: updates, asset management, etc. Worldwide, we probably have 30 to 40 people managing the solution on the OT side on the various sites and then probably 10 to 15 people on our account team with our outside partner.

It's deployed in multiple ways, depending on the use case. Generally speaking, we have them as edge firewalls, but I have some customers who use them as data center firewalls, and some customers who use them as VPN firewalls. And in some places, they're the east-west firewalls, as they would be called in a core network. We do have some that are for cloud firewalling, that we're using in Azure and AWS. But generally speaking, they're deployed as edge firewalls and on-prem.

In some cases that I'm aware of, when moving from specific platforms like Check Point, Firepower has offered a much easier way of working with the platform and deploying changes. For the customer, it's a lot easier in the newer platform than it was in the previous one.

I've done network assessments, where we wanted to get visibility into all flows. I used Firepower boxes for some of those, where we tapped a line and let Firepower see all the traffic. It was incredibly helpful in picking up all of the flows of data. As a result, I was able to give information to the customer, saying, "This is what it's doing and this is what it's seeing in your network." I find it very helpful to get all that type of data. It's got a lot more information than NetFlow-type systems.

There have also been use cases where I'm doing east-west and north-south in the same firewall box. That is possible with SGTs and SD-Access and Firepower. That ability has been critical in some of the designs we've done. A scenario would be that we have an underlay, a corporate network, and a guest network VRF-routed zone; big macro security zones. We are doing micro-segmentation at the edge with SD-Access, but the macro-segmentation between the zones is handled by the firewall. Because we didn't want to split up our east-west and north-south, because there really wasn't a budget for it, they're on the same box. That box is able to do both flows that go towards the internet and flows that go between the different interfaces on the firewall. We're using SGTs in those policies and we're able to extend the logic from the SD-Access environment into the firewall environment, which creates a very unified approach to security.

We're also able to implement dynamic policies for dynamic environments with 7.0. That's becoming more and more important every day. IPs are becoming less important; names and locations and where things live in the cloud mean things are becoming a lot more fluid in the world of security. It's very helpful to have objects and groups that can follow that fluidity along, as opposed to me trying to do it old school and static everything up. No one has time for that. Dynamic policy capabilities enable tight integration with Secure Workload at the application workload level. The IP is less relevant and the application or the VMware tag can be tied to a specific ruleset. It's very helpful to be able to have it be so dynamic now. We're using more and more of those dynamic group concepts.

When it comes to the solution’s tags for dynamic policy implementation in cloud environments, VMware is the primary one I'm seeing these days, but I expect Azure to pick up significantly. The use of these tags for dynamic policy implementation in cloud environments simplifies things. We don't have to have so much static stuff pinned up. We can just have a single rule that says, "If it's this tag, then do this," as opposed to, "If it's this IP and this IP and this other IP, then you're allowed to do this thing." By disconnecting it from the IP address, we've made it very flexible.

It may sound a bit strange, but one of the most valuable features of Firepower 7.0 is the "live log" type feature called Unified Event Viewer. That view has been really good in helping me get to data faster, decreasing the amount of time it takes to find information, and allowing me to fix problems faster. I've found that to be incredibly valuable because it's a lot easier to get to some points of data now.

Also, the new UI is always getting better from version to version. In the beginning, when it came to managing Cisco Secure Firewall, it wasn't always the easiest, but with 6.7 and 7.0, it's gotten easier and easier. It's a pretty easy system to manage. It's especially beneficial for people who are familiar with ASA logic because a lot of the Firepower logic is the same. For those people, they're just relearning where the buttons are, as opposed to having to figure out how to configure things.

I've used the backup VTI tunnel and that's a feature that lets me create some redundancy for my route-based stuff and it works pretty well. I haven't had any issues with it

Firepower 7.0 also has fantastic Dynamic Access Policies that allow me to replicate a lot of the configurations that were missing and that made it difficult to move off the old ASA platform for some customers. The addition of that capability has removed that limitation and has allowed me to move forward with implementing 7.0. 

Snort 3 is one of the biggest points on Firepower 7.0. I've been using Snort 3 for quite a while and, while I don't have a ton of customers on it, I do have some who are running on it and it's worked out pretty well. In their use cases, there wasn't a lot of risk, so that's why we started with it. Snort 3 has some huge advantages when it comes to performance and policy and how it's applying things and processing the flows.

Dynamic Objects have also been really critical. They're very valuable. Version to version, they're adding a lot more features onto Dynamic Objects, and I'm a big fan. 

I've also used the Upgrade Wizard quite a bit to upgrade the firmware. 

And on the management side, there are the health modules. They added a "metric ton" of them to the FMC [Firepower Management Center]. In version 6.7 they released this new health monitor which makes it a lot easier to see data and get to information faster. It's quite nice looking, as opposed to CLI. The new health modules really do stand out as a great way to get to some of that health data quickly—things like interface information, statistics, drops—that were harder to get to before. I can now see them over time, as opposed to at just a point in time. I've used that a lot and it has been very helpful.

In addition, there is the global search for policy and objects. I use that quite a bit in the search bar. It's a great way to get some information faster. Even if I have to pivot away from the screen I'm on, it's still great to be able to get to it very quickly there. 

In a lot of ways, they've addressed some of the biggest complaints, like the "housekeeping" stuff where you have to move around your management system or when it comes to making configuration changes. That has improved from version to version and 7.0 is different. They've added more and have made it easier to get from point A to point B and to consume a lot of that data quickly. That allows me to hop in and do some data validation much faster, without having to search and wait and search and wait. I can get to some of that data quicker to make changes and to fix things. It adds to the overall administrator experience. When operating this technology I'm able to get places faster, rather than it being a type of bottleneck.

There is also the visibility the solution gives you when doing deep packet inspection. It blows up the packet, it matches application types, and it matches web apps. If you're doing SSL decryption it can pinpoint it even further than that. It's able to pull encrypted apps apart and tell me a lot about them. There's a lot of information that 7.0 is bringing to the forefront about flows of data, what it is, and what it's doing. The deep packet inspection and the application visibility portion and Snort are really essential to managing a modern firewall. Firepower does a bang-up job of it, by bringing that data to the forefront.

It's a good box for visibility at the Layer 7 level. If you need Layer 7 visibility, Firepower is going to be able to do that for you. Between VLANs, it does a good job. It's able to look at that Layer 7 data and do some good filtering based on those types of rules.

I'd like to see Cisco continue its approach to making it easier to navigate the UI and FMC and make it easier to get from point A to point B. Generally, the room for improvement is going to be all UI-related. The platform, overall, is solid.

I'd also like them to continue to approach things from a policy-oriented perspective. They are moving more and more in that direction. 

Also, the change-deployment time can always be improved. Even at 50 seconds, it's longer than some of its competitors. I would challenge Cisco to continue to improve in that area. It's very reasonable at 50 seconds, it's not like it used to be in early versions of Firepower, where it was around seven minutes. Still, it could be quicker. The faster we can deploy changes, the faster we can roll back changes if we have messed something in the configuration. Low deploy times are really good to have. 

I would also like to see more features that will help us connect things to the cloud dynamically, and connect things to other sites dynamically. There should be more SD-WAN features in the boxes. If I can use one box to solve cloud connectivity problems, and not have to do stuff so statically, the way I have to do things today on them, that would be helpful.

I am a Cisco partner and reseller and I actually beta test for the Firepower team. I work on Firepower boxes and have done so since the beginning. I have customers on Firepower 7.0 and I have been using Firepower 7.0 since its release.

I haven't really had any major complaints or issues with Firepower 7.0 stability.

It scales, but it depends on the growth rate of the customer and the amount of bandwidth. It's usually a speed and feed problem: Is the firewall box big enough to handle the traffic? Snort 3 has made some improvements there and it's even given some life back to older boxes because of improvements in code and in how Snort processes data. But, overall, the box just has to be big enough for the amount of traffic you're trying to shove through it.

I've been doing this a long time and I don't usually need to call tech support. But when I do need to call TAC, after working with a lot of the other vendors out there, Cisco TAC is still one of the best technical resources in the market. I do like TAC. That's not to say that every TAC engineer is great, but comparatively, they're one of the best support organizations.

Neutral

The initial setup is straightforward, with the caveat that I've been doing this for a long time, so for me it is simple and makes sense. But it is pretty straightforward. You have overall policies that wrap up into your access policy, which is the base policy. You have DNS policies that will roll right up into it. Likewise, platform policies get attached to devices. Generally speaking, it's a lot of working through the logic of the rules: How do you want to block stuff, and how do you want to permit stuff? A lot of that is normal firewalling. When I say the setup is simple, it's because it involves normal firewalling issues. You have to deal with routing, NAT rules, ACLs, and VPNs. It's a matter of just kind of working through those same things that every firewall has to solve.

The deployment time depends on the customer and how many rules. If we're building out all their rule sets, it could range from 40 hours to hundreds of hours. It also depends on what we're coming from. We're not generally walking into environments that are green, meaning there's no box there today. It's almost always that there's something else there that we're replacing. We have to take what we're coming from, convert it, and then put it on Firepower. Small businesses might have a couple of rules, enterprises might have hundreds of rules.

Our implementation strategy is to go in, document the current state of the environment, and then work on a future state. We then work through all the in-between stuff. When we have the old firewall configuration, we determine what it will look like on the new firewall configuration. Does the firewall configuration need to be cleaned up? Are there things that we can optimize and improve or modify? A lot of it involves copying configuration from the old platform to the new one. We're usually not trying to change a ton in a firewall project because it increases the risk of problems arising. Usually, customers' networks are operating when we get into them. We prefer to do a cleanup project after implementation, but sometimes they coincide.

In our company, one person can usually do a firewall cutover. And maintenance of Firepower 7.0 usually requires one person. Maintenance will usually involve a firmware upgrade.

There is a lot of value with SecureX. Other customers struggle to bring all the data back to one place, the way you can with SecureX, across a product portfolio. The value of that capability is incredible. I don't know how to put a monetary value on it, but from an operational perspective, it's very helpful to have it all back in one place because you're not having to hop around to multiple UIs to find the data you're looking for.

With any vendor, prices are often a little bit negotiable. There are things like discounted rates. There's a list price and then, as a partner, we get a discounted rate based on how much product we're purchasing and our relationship with the vendor. 

But on the list-price side of things, there are three big licenses on an FTD [Firepower Threat Defense] box. There are the malware license, the threat license, and the URL filtering license. You can license them in one-year, three-year, and five-year increments. Each license will enable different features on the box. The malware license will enable AMP filtering or AMP detection. The threat detection enables use of the IPS solution, which is really Snort's bread and butter. And the URL filtering enables filtering based on URL categories.

Sometimes we use URL filtering and sometimes we don't. It depends on the customer and on whether they have a different URL filtering strategy, like Umbrella. The two big ones that we sell are malware and threat detection, with threat detection probably being the license we sell the most.

SMARTnet, the technical support component, covers the box. When you purchase the hardware, you buy it with SMARTnet. Licenses cover features, SMARTnet covers support.

We continue to support, integrate, and sell three out of the major four vendors: Palo Alto, Fortinet, and Cisco. Every vendor has been a great partner with us, so I don't want to showcase one firewall platform over another.

Palo Alto is arguably the most mature out of the group when it comes to the firewall in general, but they've also been developing on the same platform for quite a long time.

FortiGate, on the other hand, is great in a lot of use cases.

Cisco's strength is how it integrates with the security portfolio at Cisco. When you have a lot of other security products or integrations, Firepower really stands out above the rest. Palo Alto and Fortinet, although they can integrate with SDA to some degree, they don't integrate to the same depths as Firepower. You really start to see the benefits of Firepower in your organization when you're looking at the Cisco security stack. That's what I would argue is one of the biggest benefits of Cisco in general, that stack of products.

With Cisco, it's not necessarily about a single piece, it's definitely about how they all can communicate and talk to each other, and how information is shared between the components, so that you can create a unified approach to security. Their SecureX product is an integration point. It brings together a lot of that information from different product lines in one place. That's really Cisco's game. Some of the other security vendors struggle to keep up with the breadth and depth of what Cisco is doing in all those different spaces.

In terms of ease of management, Firepower is an enterprise product. While FDM [Firepower Device Manager] is really easy to use, FMC has a lot more knobs to turn. Comparing FortiGate to FMC, a lot of the capabilities of FortiGate are still at the CLI level only. Palo Alto is 100 percent UI-based, not that you can't configure a Palo Alto from CLI, but I don't think anybody does that.

My advice is that you need to know your flows. If you're upgrading to Firepower, you should know what traffic matters and what traffic doesn't matter. If you really want to be successful, you should know all the flows of traffic, how they function, what they do. That way, when you get the box up and running, you know exactly how it should operate.

You can split Firepower users into two buckets: help desk and admin. Help desk will usually be read-only and admin will be read-write. If there's one engineer at a customer, he might have admin rights. If there's a help desk and one senior firewall guy, he might have admin rights where his help desk has read-only. It varies by the size of the customer. Most midsize organizations have one or two firewall guys. When you get into the big enterprises, the number goes up.

Regarding Firepower's Snort 3 IPS allowing you to maintain performance while running more rules, the "book answer" is yes, it's supposed to. We're not really running Snort 3 a ton on those yet because of some of the risk and because some of those customers haven't upgraded to 7.0 yet. Those that are on Snort 3 are just not running policy sets that are large enough that to notice any major or even minor improvements. I have seen an uptick in performance improvements with Snort 3, even on firewalls that are not 100,000-rule firewalls. We are seeing improvements with Snort 3. It's just that Snort 2 performance hasn't really affected the box overall, it just runs a little hotter.

When I mentioned the risk for Snort 3 for our larger clients, what I meant is that with new things come new risks. Snort 3 is one of those new things and we have to evaluate, when we upgrade a customer to it, whether the risk of the upgrade warrants doing it for the customer. In some cases, the answer is no, because of burn-in time. With some of our riskier locations or locations that require 24/7, it makes more sense to run Snort 2, which has been out there since forever on the Firepower platform. It's a lot more stable on Snort 2 and the problems are known problems, from a design perspective. We've mitigated those and worked around them. With Snort 3, there could be new bugs or problems, and in some environments, we want to mitigate that risk.

My expectation is that by 7.1 or 7.2 we will upgrade more generally to Snort 3. It's not that it's far away. It's just that with 7.0 being the first release of Snort 3, and 7.0 only having one or two patches under its belt, we thought it better to remove some risk and just use Snort 2.

Cisco Secure Firewall helps to reduce firewall operational costs, depending on the firewall vendor it's replacing. In some cases, customers are coming from old platforms where the security wasn't nearly at the same level as a next-gen firewall, so the advantage of moving to a next-gen firewall is the increase in security. But that comes with an operational burden no matter the firewall type. There is a lot more visibility and capability out of the NGFW platform, but it comes at a cost. There's more data to work through and more things to configure. Still, in most cases, Cisco Secure Firewall is going to decrease operational usage with the caveat that it has to be an "apples-to-apples" situation, which is very hard to come across these days.