Cisco Secure Firewall Reviews

Our main use case for Cisco Secure Firewall is helping clients who want to upgrade from an old firewall and move to a next-generation firewall. We also get a lot of clients who have a next-generation firewall provider, but the firewall is not up to the task. It doesn't have all the feature sets that they need, and Cisco Secure Firewall ticks those boxes.

Cisco Secure Firewall has improved our customers' security posture because it offers Next-Gen features, granularity, and reporting on the back of it. You can see the amount of users accessing Office 365, for example, and whether they're having a good or bad experience. You can see the threats that come into your network. You can see anyone who is compromised from within your network.

If customers already have Cisco solutions such as Cisco ISE, Duo, Umbrella, and Endpoint, Cisco Secure Firewall will integrate well with all of them. Our clients will be able to get more data and automate tasks. They can have Secure Firewall automatically shut things down if a threat is detected.

Without a doubt, the best features are the reporting and analytics. Some vendors provide the same feature set, but their product won't give you the power to figure out what's going on in your network. Whereas with Cisco Secure Firewall, especially with the management platform on top, you can have all of the analytics and see exactly what is going on. You can see not only the source and destination but also the application, the URL, the type of policy it's hitting, the specific rule it's hitting, and the amount of data transferred from it. Apart from that, you get all of the risk reports. You can see how much bad stuff is coming into the network at present and whether there's anything you need to act on immediately. That data is at your fingertips, and it's by far the best feature and the best selling point of Cisco Secure Firewall.

Cisco Secure Firewall has reduced our clients' mean time to repair because they are able to find possible issues quickly. The power of the reporting, the dashboards, and all of the analytics in the background also helps to alert and quickly act on the threat.

My impression of Cisco Talos is that it's well-regarded in the industry. Cisco is so well regarded that we know their security intelligence is up-to-date. Our clients have peace of mind because they have Cisco Talos in the background and know that Cisco Secure Firewall is up-to-date with the latest threats. They can be sure that they're acting on the best available data.

I would like to see more configurable feature parity with Cisco ASA, which is the legacy product that Cisco is moving away from. When configuring remote access VPN, not all of the options are there. You have to download another tool, which means that the configuration takes a little bit longer with Cisco Secure Firewall. Though it's getting there, there are still some features lagging behind.

We've been offering Cisco Secure Firewall since its first iteration 10 years ago.

We are resellers, and the value we add to our customers as resellers is our knowledge. We have 10 years' worth of experience deploying Cisco Secure Firewall. We can deploy it the correct way. We also know whether you would need the management platform, the level of licensing you may require, and the number of VPN licenses you may need. We add value by knowing how the solution should be deployed and installed in a network.

Secure Firewall's stability is good. I think the management platform needs a little bit of work. It's not as robust from a stability point of view. Deployment times of configuration have got better over the years, but there's still some work needed so that it deploys every time when you click that button.

The scalability of Cisco Secure Firewall is really good. That's down to the management platform and the way it structures your access policies, what allows traffic in and what allows traffic out. You can easily add multiple regions, locations, and types of firewalls to the management platform. As soon as you do, they get all of those policies. Previously, you'd have had to configure each one time and time again. With this version, you import it, and it's ready to go. Thus, for scalability it's easy.

Cisco's technical support across all their products is always good and reliable. If someone says they're going to get back to you in four hours, they do. They're always there with the right level of support. If we need a Secure Firewall engineer, that's whom we'll get. We won't get someone who's never seen the product before. As far as vendors go, Cisco's technical support is probably the gold standard. I would rate them at ten out of ten.

Positive

Secure Firewall is more complex to deploy than previous Cisco Firewall products. However, it's not so complex that it's not achievable. There are some products out there that require a lot of reading to be able to deploy them. Cisco Secure Firewall has not reached that level yet, but it is a complex product.

Our clients' Secure Firewall deployment models are edge firewalls, internal firewalls, and, most often, perimeter firewalls. Sometimes, our clients ask us to help them with deployment because we have the experience.

We've used the Cisco Firewall migration tool quite a few times to migrate to Cisco Secure Firewall. It has come on a long way, and it's a lot better than it used to be. When it initially came in, there wasn't as much trust that the tool would give you everything you needed, but where it is now is great. If you've got a firewall that you want to migrate, you'll feel confident using the Cisco Firewall migration tool.

We spend a lot of time developing our consultants and our sales staff to know the product and learn how to sell the product. As a result, our ROI is that we get more clients deploying Cisco Secure Firewall.

The licensing is not as complicated as that for some other Cisco products. There are a couple of tiers of licensing, but the price point is a little too high for the market. There are other vendors that come in lower and offer more for fewer licensing options. They may offer URL filtering or malware filtering with a single license rather than requiring two or three licenses. I think Cisco could do a bit more in this area.

I deal with a lot of other vendors who also offer the same features, but Cisco Secure Firewall stands out on the analytics. It is the best for analytics and getting the reporting data.

If you're a client evaluating Cisco Secure Firewall, my advice would be to put real-world data through it to get useful data out of it. You can't see the benefits of the solution if you just turn it on and look at the device as it is. It's when you see the traffic going through it that you'll see the power of the analytics and reporting and the event data that comes through. A technical team member will understand how much easier it's going to be to troubleshoot with this platform compared to that with any other platform they've had before. With regard to reporting, a report on how many malware attacks have occurred in a particular month takes one click to generate. That data can be stored for a long time.

Overall, I would rate Cisco Secure Firewall an eight out of ten because of the feature parity. It's not quite there in terms of being able to do everything on the GUI platform. The price point is still a bit too high as well.

Our primary use case for Cisco Secure is through Cisco FMC, which we have automated using Cisco's Terraform provider for FMC. Our automation journey began with the Cisco ACI fabric, where we leveraged the Terraform provider for ACI. Eventually, we realized we could also automate firewalls and our HA clusters using the Terraform provider for FMC. This allowed us to create DMZ networks, specify IPS and IDS rules, and follow the infrastructure as a code concept. Our cross-common security team can review the repository in GitLab and approve it with a simple click of a button. This is the primary benefit we get from automation. Additionally, we can use the infrastructure as a code concept with the management center. Cisco FMC also has a great API, which makes it easy to integrate with our code, ACI, and other systems.

Cisco Security and Cisco Firewalls have been effective in protecting our organization from external threats, such as DDoS attacks.

We have several integrations. One of them is between Cisco ISE and FMC, which allows us to monitor and control our users. Additionally, we integrated Cisco ISE with FTDs to function as a remote VPN server and control the traffic and behavior in our VPN network. We also use ISE as a TACAC server and integrated it with Cisco ACI and all of our devices. Furthermore, we use NetBox as a source of truth for our ISE, which helps us track all of our devices from the network and ISE.

The primary benefits of using Cisco Secure solutions are time-saving, a robust API, and convenience for the security team. 

Cisco Secure Firewall could benefit from enhancements in its API, documentation, and automation tools. Additionally, we've noticed that the Terraform provider for FMC has only two stars, few contributors, and hasn't been updated in a year. It only has 15 to 20 resources, which limits our capabilities. We'd love to update it and add more resources. For example, we currently can't create sub-interfaces with the provider, so we have to add Python code to our Terraform provider and use local provisioners. Additionally, improvement in the API would be helpful so that we can create ACL on the GUI with a simple click, but at this time we cannot create requests via the API.

I have used Cisco Secure Firewall within the last 12 months.

Cisco TAC support is excellent. Having worked with other support companies in the past. Cisco TAC is much more helpful and friendly. They always seem eager to assist with any issues and are particularly responsive in urgent situations. For example, if there is a problem in my production zone, they are quick to reassure and assist. Overall, I have a great appreciation for their support.

I rate the support from Cisco Secure a ten out of ten.

Positive

In our business, we have implemented a number of Cisco Secure products in our network infrastructure, including Cisco ISE as a AAA server, Cisco FMC Management Center for our firewalls, and Cisco FTD for Firepower Threat Defenses. We also use a TACACS+ server for our hardware. Cisco products make up the entirety of our infrastructure, including Cisco Nexus Switches, Cisco ACI fabric for our data centers, Cisco ASR Routers, and Cisco Wireless Solutions, which include WLC controllers, access points, and other relevant hardware. In our organization, Cisco is strongly preferred.

There has been a positive return on investment observed with the implementation of Cisco Secure solutions. The use of these solutions as our primary security products has been beneficial in terms of cost and security measures.

In the past, I encountered several difficulties and misunderstandings with Cisco licensing, but now the situation has improved. The Cisco Smart Software portal is an excellent resource for keeping track of, upgrading, and researching information related to Smart Licensing and other relevant topics. It is extremely helpful. Unfortunately, since it is not my money and there is only one vendor, I am unable to provide any comments on the prices. Nevertheless, the system, along with its provision through the Cisco Smart Software portal, as well as the traditional license and subscription models, are excellent and highly beneficial.

I rate Cisco Secure a seven out of ten.

My rating of seven out of ten for the Cisco Secure is because it's not excellent, but not poor either. It was enjoyable and overall satisfactory.

We started with the old ASA 5510 and migrated to Firepower, first using ASA as the basic operating system. Lately, we've been using FTD because it simplifies operations a lot. We are a very small networking team, and being able to push one policy to many firewalls eases our workload.

We are a global company, and we don't always have IT staff in all corners of the world. Therefore, having one place to do everything is very nice.

Cisco Secure Firewall has made it easier so that more than one person can handle things. We are able to have a bigger team that can handle simple tasks and have a smaller team focus on the deep-dive needs.

We have the same basic policies everywhere now, which makes it more flexible for us to manage.

I like the central management and IPS features. Having everything in one place is very valuable.

Cisco Secure Firewall is very good at detecting threats. We see a lot getting blocked by the IPS in our DMZ, that is, our internet-facing web service.

It helped free up IT staff time. Before, we would have to manually configure every single firewall. Every time we configure something on a firewall, it takes five to ten minutes, and we have more than 50 firewalls around the globe. We do changes every week, and the automated policy and upgrades saved us a lot of time.

In terms of the organization, we have been able to save time by getting things out faster. However, the only downside is that the policy push takes quite a while. Thus, a quick fix still takes at least 15 minutes, and troubleshooting can take time as well.

Some of our problems are related to software updates in remote sites where the internet connection is not stable. Sometimes, the image push just gets disrupted and fails.

The most annoying thing is having to replace the hardware so often. It's very difficult for us to do.

The integration between different tools could be improved. For example, with SecureX, I am yet to find out how to forward security events to different tools such as Microsoft Sentinel, which is what we use for log detection.

We've been using Cisco Secure Firewalls for a very long time.

We had to get in touch with technical support a few times, and our experience was good. I would give them a rating of nine out of ten. 

Positive

The initial deployment is easy, and I have not had any issues.

The solution is deployed on-premises. We have an on-premises FMC that connects everything.

The cost of the firewalls versus the ROI is okay.

We are quite Cisco-centric because of the performance we get for the price range. We have a lot of smaller sites, and we are not a very big organization. The price fits us perfectly.

Overall, I would rate Cisco Secure Firewall at nine on a scale from one to ten.

I typically deploy firewalls to set up VPNs for remote users, and, in general, for security. I have a number of use cases.

With theUI basedpandemic, the customer really didn't have a VPN solution for their remote users, so we had to go in and deploy a high-availability cluster with Firepower. And I set up single sign-on with SAML authentication and multi-factor authentication.

We deploy for other organizations. I don't work on our own corporate firewalls, but I do believe we have some. But it definitely improved things. It enabled my clients to have remote users, thousands of them, and they're able to connect seamlessly. They don't have to come into the office. They can go home, connect to the VPN, log on, and do what they need to do.

I like that you can get really granular, as far as your access lists and access control go. 

You can also put everything into a nice, neat, little package, as far as configuration goes. I was formerly a command-line guy with the ASA, and I was a little nervous about dealing with a GUI interface versus a command line, but after I did my first deployment, I got a lot more comfortable with doing it GUI-based.

I'm not a big fan of the FDM (Firepower Device Manager) that comes with Firepower. I found out that you need to use the Firepower Management Center, the FMC, to manage the firewalls a lot better. You can get a lot more granular with the configuration in the FMC, versus the FDM that comes out-of-the-box with it.

FDM is like Firepower for dummies. I found myself to be limited in what I can do configuration-wise, versus what I can do in the FMC. FMC is more when you have 100 firewalls to manage. They need to come out with something better to manage the firewall, versus the FDM that comes out-of-the-box with it, because that set me back about two weeks fooling around with it.

I have been using Cisco Firepower NGFW Firewall for two or three years now.

It's good. It's stable. I haven't heard anything [from my customer]. No news is good news.

It scales because you can deploy a cluster. You could have up to 16 Firepowers in a cluster, from the class I [was learning] in yesterday. I only had two in that particular cluster. It scales up to 16. If you have a multi-tenant situation, or if you're offering SaaS, or cloud-based firewall services, it's great that it can scale up to 16.

They're always great to me. They're responsive, they're very knowledgeable. They offer suggestions, tell you what you need to do going forward, [and give you] a lot of helpful hints. It was good because I had to work with them a lot on this past deployment. 

Now I can probably do it by myself, without TAC's help.

Positive

The deployment was complex because that was my first time doing a Firepower. I did ASAs prior, no problem. I had to get used to the GUI and the different order of deploying things. I had to reset it to factory defaults several times because I messed something up. And then I had to get with Cisco TAC, for them to help me, and they said, "Okay, you need to default it and start over again".

But now, going forward, I know I need to deploy the FMC first, and then you deploy the Firepowers, and tell them where the FMC is, and then they connect, and then you can go in and configure it. I had it backward and it was a big thing. I had to keep resetting it. It was a good learning experience, though, and thankfully, I had a patient customer.

[In terms of maintenance] I've not heard anything back from my customer, so I'm assuming once it's in, it's in. It's not going to break. It's an HA pair. My customer doesn't really know too much about it. I don't know that they would know if one of them went down, because it fails over to the other one. I demonstrated to them, "Look, this is how it fails over. If I turn one off, it fails over." VPN doesn't disconnect, everything's good. Users don't know that the firewall failed over unless they're actually sitting there looking at AnyConnect. I don't think they know. So, I'll wait for them to call me and see if they know if something's broken or not.

As far as return on investment [goes], I would imagine there is some. For the users, as far as saving on commuting costs, they don't have to come into the office. They can stay home and work, and connect to the enterprise from anywhere in the world, essentially.

I've done a Palo Alto before, and a Juniper once, but mostly ASAs and Firepowers.

Naturally, I prefer Cisco stuff. [For the Palo Alto deployment] they just said, "Oh, you know, firewalls", and that's why the customer wanted Palos, so that's what I had to do. I had to figure it out. I learned something new, but my preference is Cisco firewalls.

I just like the granularity of the configuration [with Cisco]. I've never had any customers complain after I put it in, "Hey, we got hacked," or "There are some holes in the firewall," or any type of security vulnerabilities, malware, ransomware, or anything like that. You can tighten up the enterprise really well, security-wise.

Everything is GUI-based now, so to me, that's not really a difference. The Palos and the Junipers, I don't know what improvements they have made because [I worked on] those over five or six years ago. I can't even really speak to that.

Because I don't like the management tool that comes out-of-the-box with it, the FDM, I'll give the Firepower an eight out of 10. That was a real pain dealing with, until they said, "Okay, let's get him an FMC." That was TAC's suggestion, actually. They said, "You really need FMC. The FDM is really trash."

It is primarily our VPN solution. Initially, it was used in our firewalling. Then, we transitioned it into just our standalone VPN service for the company.

It is on-prem. We have it in two different data centers: our main data center and our backup data center.

With what is going on in the world, e.g., hybrid work and work from home, and everything that happened, VPN was everything to us. Without it, we wouldn't have been able to operate.

Typically, before COVID hit, we were a very much work-in-the-office type of environment with five to 10 people on our VPN solution. We quickly ramped up to 500 people when COVID happened, which is the majority of our full-time users. Onboarding our entire company onto this solution was pretty cool.

It is very good at what it does. It is a very dependable, long-standing product that you can trust. You know exactly how it works. It has been in the market for a lot longer than I have. So, it is great at its core functionality.

We are still running the original ASAs. The software that you are running for the ASDM software and Java application has never been a lot of fun to operate. It would have been nice to see that change update be redesigned with modern systems, which don't play nicely with Java sometimes. Cybersecurity doesn't seem to love how that operates. For us, a fresher application, taking advantage of the hardware, would have been a better approach.

I have been with the company for seven years, and we have had it the entire time. Cisco Advanced Services came in in 2013, which was two years before I joined. They did a deployment and installed it then.

There is your regular day-to-day maintenance, e.g., the patches and updates. Because it sits at the edge, it is exposed to the world. With threats always being of concern, you often have to patch and update. However, it is nothing more than regular maintenance

We have never had to ramp up more than a small- to medium-business use case. For that, it has been great. Limitation-wise, we would run into challenges if we ever hit 2,000 to 2,500 users. We would then have to move onto hardware. Its scalability is only limited by the size of the appliance. So, if you ever have to exceed that, then you just have to buy a new box.

ASA has always been great because it has been such a longstanding product. There is a lot of knowledge in-house with Cisco. I always know if we call to get help, it is great. I do wonder in the future, as the product gets close to the end of its life, if those people will move onto other things and it gets lost a bit. However, it has always been easy enough to find that help.

For the ASA specifically, probably nine.

Positive

We were just looking for a different feature set. We found that ASA was rock-solid as a VPN piece. We wanted to separate the VPN from our firewall policy management, so we just moved it over to VPN as a solution.

We had a partnership with Cisco. They came in and redid the entire environment. Before that, there was no Cisco environment whatsoever. So, they came in with the Nexus switching and Catalyst Wireless solution, then the VPN came with that as well as the ASA.

I have never found it hard to deploy. We didn't have a BCP solution set up as our secondary when COVID hit, which was something that we had to scramble to put together. However, it was something like a couple of days' work. It wasn't really a big deal or really complicated. It was a fairly straightforward system to separate and manage.

It brings us the ability to work from anywhere and has allowed us to work remotely without having to incur a lot of other costs. If we didn't have this type of solution, since we have so many on-prem services that are required, we would have likely lost money and been unable to deliver. We have a video services team who helped build the content for our sporting events. When you are watching a Leaf game and those swipes come by as well as the clips and things, those are all generated in-house. Without the ability to access our on-premise resources, we would have been dead in the water. So, the return on that is pretty impressive.

We integrate it with our ISE solution, TACACS+, etc. We have a Windows NPS server for MFA through Azure. We don't have any challenges with it. It has always worked well. I can't think of a time when we have ever had problems with either of those things. It has worked just fine.

I would rate the solution as nine out of 10.

We were looking to consolidate some of our equipment and technology. When we switched over, ASA was a little bit more versatile as firewalls or VPN concentrators. So, we were able to use the same technology to solve multiple use cases.

We have data centers across the United States as well as AWS and Azure. 

We use it at multiple locations. We have sites in Dallas and Nashville. So, we have them at all our locations as either a VPN concentrator or an actual firewall.

Cybersecurity resilience is very much important for our organization. We are in the healthcare insurance industry, so we have a lot of customer data that goes through our data center for multiple government contracts. Making sure that data is secure is good for the company and beneficial to the customer.

It provides the overall management of my entire enterprise with an ease of transitioning. We have always been a Cisco environment. So, it was easy to transition from what we had to the latest version without a lot of new training.

• Speed
• Its capabilities
• Versatility

When we first got it, we were doing individual configuring. Now, there is a way to manage from one location. We can control all our policies and upgrades with a push instead of having to touch every single piece.

We have been using ASAs for quite a number of years now. 

We have other things around it going down, but we really don't have an issue with our ASAs going down. They are excellent for what we have.

There is rarely maintenance. We have our pushes for updates and vulnerabilities, but we have never really had an issue. 

It is very scalable with the ability to virtualize, which is really easy. We do it during our maintenance window. Now, if we plan it, we know what we are doing. We can spin up another virtual machine and keep moving. 

The technical support is excellent. I would rate it as 10 out of 10. When there has been an issue, we have had a good response from them.

Positive

We were previously using a Cisco product. We replaced them awhile back when I first started, and we have been working with ASAs ever since.

We did have Junipers in our environment, then we transitioned. We still have a mix because some of our contracts have to be split between vendors and different tiers. Now, we mostly have Apollos and ASAs in our environment.

I was involved with the upgrades. Our main firewall was a Cisco module, so we integrated from that because of ASA limitations. This gave us a better benefit.

The deployment was a little complex at first because we were so used to the one-to-one. Being able to consolidate into a single piece of hardware was a little difficult at first, but once we got past the first part, we were good.

We have seen ROI. When I first started, everything was physical and one-to-one. Now, with virtualization, we are able to leverage a piece of hardware and use it in multiple environments. That was definitely a return on investment right out of the gate.

The licensing has definitely improved and got a lot easier. It is customizable depending on what the customer needs, which is a good benefit, instead of just a broad license that everybody has to pay.

It is a good product. I would rate it as 10 out of 10.

Resilience is a definite must. You need to have it because, as we say, "The bad guys are getting worse every day. They are attacking, and they don't care." Therefore, we need to make sure that our customers' data and our data is secure.

It depends on what you need. If there is not a need for multiple vendors or pieces of equipment per contract, you should definitely look at what ASAs could be used for. If you are splitting, you can consolidate using this product.

I use the solution in my company for some internal testing purposes, so I don't use it in a real environment. I use it in my dummy lab environment.

The product's user interface is an area with certain shortcomings where improvements are required.

From an improvement perspective, the product's price needs to be lowered.

I have been using Cisco Secure Firewall for three years. I am a customer of Cisco.

I have faced no issues with the stability of the product. Stability-wise, I rate the solution an eight out of ten.

The product offers good scalability.

I rate the technical support a nine out of ten.

Positive

I have experience with Sophos.

The product's initial setup phase is a little difficult.

The product's deployment phase is a good and easy process.

The solution is deployed on the cloud.

The product is expensive.

I can't describe a particular scenario where the product has improved security, but I can say that the devices from Cisco are much more trustworthy and reliable compared to other devices in the market.

The most effective feature of the product for threat prevention stems from the granularity of the control that the devices from Cisco provide to its users.

The product offers great integration capabilities.

For our company's daily operations, the user interface provided by Sophos is much better and interactive compared to the one offered by Cisco.

You can choose Sophos if you want a low-budget or budget-friendly product. You can choose Cisco if you want a high-end and highly scalable tool with great integration capabilities, especially if budget is not an issue.

I rate the overall tool an eight out of ten.

I use the solution mostly to separate internal networks.

Being able to create and apply new policies to the firewall has been helpful. It is an object-oriented way of doing things that helps a lot because we can build and apply new policies. We can also test it and revert to the old one if it doesn't work.

The monitoring dashboard is valuable to us for troubleshooting. It lets us see if the packets get from the source to the destination correctly.

With the new FTD, there is a little bit of a learning curve. The learning curve could probably be simplified a little bit. I've come around that learning curve, and I'm able to get around it.

I have been using the solution for 15 years.

Cisco is known for its general stability.

The solution’s scalability is excellent. I don't know if the scalability has a downside or even a limit.

The support is really good. I have a good team that supports us, and I'm able to always reach out to them. It's nice to have somebody on the cell phone and just be able to reach out to them.

Positive

Years ago, I used different firewalls like Juniper, but mostly, it's been fixed to ASA and FTD. We switched to Cisco because our customers were using Cisco.

The initial setup had a little bit of a learning curve, especially because I came from ASA. I needed some help from Cisco. However, I knew what I was doing once it was set up, especially with FMC and Firepower.

We used Cisco’s support to deploy the product.

In general, we have seen an ROI on the product. Using it, applying policies, setting it up, and leaving it alone is helpful. It helps save resources.

I don't use the product for application visibility and control. I tend to worry more about blocking or allowing certain things versus looking deep into the servers and applications and how they work.

The product is great for securing our infrastructure from end to end. I'd like to be able to test out some of the other products, like dashboards and IPS/IDS, that work with it. For the most part, I set up a firewall, and I set up the rules. If things don't work, I monitor it through the monitoring dashboard and try to figure it out.

Cisco Secure Firewall has helped free up a lot of time for our IT staff. Apart from monitoring, unless somebody needs a firewall rule change or anything like that, there's no need to mess with it. Once we set it up, it just runs.

The solution has helped our organization to improve its cybersecurity resilience. Being a firewall, by definition of the term, the product has improved our organization’s security.

People should always evaluate other products. If you’re looking for a solid firewall, Cisco makes the choice so much simpler, especially now with FMC. We are able to apply policies easily and control different firewalls at the same time.

Overall, I rate the solution a nine out of ten.