Cisco Secure Firewall Reviews

Our customers for the most part use this solution in data centers. 

The feature my customers find the most valuable is the exportability. They also appreciate that the IPS features are easily migrated from Cisco SA to FTDs. 

We have seen some bugs come up with Cisco Secure Firewall in terms of high availability. The solution should be improved to avoid these bugs. 

We have been using Cisco Secure Firewall for almost a decade. 

Cisco's support is much better than other vendors' support. In my opinion, this is a big advantage for Cisco. The support Cisco offers is upper-level. 

Positive

We previously sold Fortinet devices. However, many of our clients switched over to Cisco because of the price as they are quite cheap. 

We are in the middle of a migration plan to Cisco right now in our company. I am not directly involved. We are working with a Cisco partner but I have been communicating our needs to them. However, I believe the migration process will be smooth for our company. It is crucial to have a solid migration plan in place because we are a core data center, so we have to be careful. 

We are deploying with the help of a partner. 

We do see a lot of ROI from Cisco Secure Firewall. We are in the process of migrating a lot of end-of-support devices with some new ones and the return on investment is there.

Price is a big selling point for Cisco Secure Firewall. They are quite affordable and many clients chose them precisely for this reason. 

This solution helped my clients save money and time. My clients save 50% on time thanks to automation and processing brought on by this solution. 

I have only good things to say about Cisco Talos. It has been quite helpful to our customers.

This is an SSL that can decrypt and encrypt SSL traffic. 

The ability to encrypt and decrypt is great.

The dashboards are excellent.

We really like the reporting aspect of the product. 

It is stable. 

We found the initial setup to be easy.

Maybe the dashboard could be a bit better. There are some reports where we don't get it. We need a deep dive into a particular URL, however, it provides the URL and the IP address, and there is no more information that can show more details. Basically, the report models can be improved.

With their console, we have to build a separate VM. In some of the products, the management console comes along with the box itself. It'll be one solution to take the backup and keep it. Even if you want to build a DR, it'll be easy. However, the challenge we had is if that VM is down, my team may not able to access the Firepower remotely. Therefore, the management console itself should be built within the Firepower box itself, rather than expecting it to be built in a separate VM.

I've been using the solution for more than four years. 

We have not, as of now (touch wood) faced any issues. It's stable, and we don't face any performance issues as well. It's reliable. There are no bugs or glitches. It doesn't crash or freeze.

At this moment, we have not thought through scaling. The model which we use is less than 60%. What I heard from them is you can cascade it to another box, and scaling can be done.

We have between 400 to 450 concurrent users on a daily basis accessing this box. Overall, we have 2,000 devices that could be easily communicated via Firepower.

Technical support is good. We've found it to be quite good in general. 

Positive

The initial setup is great. It's very easy and quite straightforward. If you understand the process, it is very easy. I'd rate it a 4.5 out of five in terms of ease of implementation. 

I don't manage licensing. I can't speak to the actual cost of the product. 

We're a customer and end-user.

I'd recommend the solution to organizations that have around 1,500 people that need to access the solution. 

I would rate the solution a nine out of ten. 

We use ASA Firewall to protect 250 to 300 devices, including workspaces and servers.

All the rules are secure and we haven't had a significant malware attack in the five years that we've been using ASA Firewall. It is a tremendous improvement for our network. However, I can't quantify the benefits in monetary terms. 

I like the ease of administration and the overall speed of processing web traffic. The modules help protect and administer web traffic. ASA Firewall's deep packet inspection gives me visibility regardless of whether I have the agent installed on all the workstations. I can see incoming web traffic and control access to suspicious or dangerous sites. I can apply a filter or make rules to restrict categories of websites.

Setting firewall network rules should be more straightforward with a clearer graphical representation. The rule-setting method seems old-fashioned. The firewall and network rules are separate from the Firepower and web access rules. You can access the firewall rules through the Cisco ASDM application, not the web client. I'm using an older version, and I'm sure this issue will improve in the next edition.

Micro-segmentation is somewhat complex. It's not easy, but it's not too difficult, either, so it's somewhere in the middle. I used micro-segmentation for 10 or 15 VLANs, and ASA Firewall acts as a router for those VLANs. The visibility offered by micro-segmentation is pretty poor. It's not deep enough. 

I have been using ASA Firewall for five years.

ASA Firewall is a stable solution.

I don't think ASA Firewall is very scalable. It depends on the models and the license. However, it's pretty simple to update and upgrade the models, so I would say it's moderately scalable. 

I worked with Cisco's technical support from the beginning and it was excellent. I rate Cisco support 10 out of 10. 

Positive

Previously, I used some Linux Servers with a software firewall for 20 years.
It was a Microsoft firewall, but I don't remember the name. It was a server that I had to install on the gateway.

Deploying ASA Firewall was complex because I needed to install an ESXi machine to implement the Firepower module. That was relatively complicated, and it took two or three days to complete the installation and verification.

I worked with a consultant who sold me the product and helped me with minor issues as needed. 

In the past, the company experienced multiple ransomware attacks, but we haven't seen any since installing ASA Firewall. It was a huge improvement. It's hard to quantify that in financial terms, but we had 40 or 50 machines damaged. 

I'm not sure precisely how much ASA Firewall costs, but I know it's a little more expensive than other solutions. I rate it seven out of ten for affordability. 

I learned about Fortinet and Palo Alto firewalls. I think FortiGate is easier to set up and manage. At the same time, Cisco firewalls are pretty secure and reliable. I think the ASA Firewall is in the top five.

I rate Cisco ASA Firewall eight out of ten. 

We're a partner so we work with all sorts of different end-users to deploy them for their use cases, including a lot of internet edge, some data center segmentation, east-west firewalls, and not so much in the cloud, but mostly on-prem today.

We use them for securing the internet perimeter and preventing malware from coming into the environment, as well as providing content filtering for CIPA compliance or other sorts of compliance out there. That's a big use case with our customers. 

The integration with the other Cisco products is something that a lot of our customers are looking forward to, with SecureX and ISE and Secure Endpoint. Things like that are a lot of the use cases that customers bring to us to help them solve. It integrates really well.

It's allowed them (our clients) to feel or know that their network is secure, and to put those guidelines in place, or those controls in place, to prevent their users from going out and unintentionally doing something dumb by clicking on the wrong link. It's able to prevent malware. And the Umbrella integration prevents them from getting to those websites if they do happen to be too busy and click on a phishing link or something like that.

As far as metrics or examples, I don't have any that I can specifically say off the top of my head. I will say I definitely have lots of happy customers that are running it and they feel it's a stable solution and one that they can rely on.

I'm a big fan of SecureX, Cisco's platform for tying together all the different security tools. It has a lot of flexibility and even a lot of third-party or non-Cisco integration. I feel like that's a really valuable tool.

From the Firepower solution, all the features that you would think of when you're thinking about a Firewall [are valuable], including some that I stated: content filtering, the IPS, IDS, and malware prevention. All of those are big use cases and great features that work well.

I've been using Cisco Firewalls and Cisco Firepower for at least 10 years.

It's stable. I have multiple clients that run it. There are always going to be some bugs and issues that we run into, but that's where their TAC definitely jumps in and helps and recommends code versions and things like that. Overall, the stability is pretty good.

In terms of scalability, they've got all different sizes of firewalls for different scales. Being able to understand how to size the firewalls appropriately is definitely key in that. That's where a partner can help, or even the customer Cisco account team can help with the scalability. They have the big multi-instance 9300 chassis down to the small 1000 series. There's a lot of scalability within the portfolio.

Cisco has a huge TAC organization. Experiences can differ. Sometimes it's really good, sometimes you get a newer TAC engineer who needs to start at step one to investigate the issue. But they're always there. They always pick up the phone and there's always a person, a TAC engineer to escalate to, who can provide really good support. You know that they've got someone in there. It's a matter of getting to the right individual.

They could improve by having more skilled, high-level engineers that are available around the clock. I know that's an easy thing to say and a hard thing to do. 

We have engineers that do the deployments. They're very skilled and have done many Firepower deployments. The methodology that Cisco has, the documentation they have out there on how to install it and how to configure it, are top-notch. That really helps us install it for a customer and get the customer up to speed on how well it works. A firewall is never a super simple thing to install and configure, but Cisco does a really good job with some of their automation tools and the documentation.

Usually, we assign a single engineer to a firewall deployment project and he's able to complete that. The amount of time it takes to deploy will vary. A small branch, may be several hours' worth of work to deploy a firewall. A large corporate site, obviously, that's going to be much more time-consuming, with lots of policies to configure and talk through with the customers and things like that. It varies depending on the size and application.

In terms of return on investment, I have multiple clients that have been through multiple generations of ASA to Firepower to the next generation of Firepower. They definitely find the return on investment there. They find it's a valuable product to have in their network. It definitely checks that ROI box for them.

Cisco is known as a premier product and it comes with a premier price point sometimes. Sometimes that makes it challenging for some customers to bite off. They see the value when we get into a proof-of-value scenario. Price points can tend to be high, but the new line of the 3000 series Firepowers definitely solves that issue and it's very attractive.

In terms of improving it, they're doing a really good job in a competitive landscape against some of the other vendors out there. The new Firepower 3000 series was a great addition to the portfolio and really stacks up, price-wise, well against some of the other vendors out there. A year ago, that was one thing that I would've commented on, but they've done a pretty good job of filling that niche.

There are some other good solutions out there. There are a lot of other successful firewall vendors. But when I compare a Palo Alto, or a Fortinet, or SonicWall, or something like that against Cisco, it's a tough comparison. Cisco has the ecosystem of security products that all tie in together, integrate really well together. There are lots of good dashboards and observability built into the product. That's where they've got a leg up on their competition. 

My advice for others looking to use the solution is to get [together] with a good partner, someone who's got engineers and architects that know the product well, and get their thoughts on it. We can always help compare and contrast against other options out there in the market. My job is knowing the market landscape and being able to help differentiate.

And always take advantage of a proof of value. It's always best to get that box into your network, see how it works with your particular traffic mix and your set of policies. I would always put a PoC/PoV as a checkbox in a buying decision.

I would rate the product somewhere between a seven or eight out of 10. Sometimes there are stability issues, as I referenced before, or just the general TAC support, while good, could be better. There's always room for improvement there. But I feel like it's a really good product that Cisco has definitely improved as time has gone on.

I typically deploy firewalls to set up VPNs for remote users, and, in general, for security. I have a number of use cases.

With theUI basedpandemic, the customer really didn't have a VPN solution for their remote users, so we had to go in and deploy a high-availability cluster with Firepower. And I set up single sign-on with SAML authentication and multi-factor authentication.

We deploy for other organizations. I don't work on our own corporate firewalls, but I do believe we have some. But it definitely improved things. It enabled my clients to have remote users, thousands of them, and they're able to connect seamlessly. They don't have to come into the office. They can go home, connect to the VPN, log on, and do what they need to do.

I like that you can get really granular, as far as your access lists and access control go. 

You can also put everything into a nice, neat, little package, as far as configuration goes. I was formerly a command-line guy with the ASA, and I was a little nervous about dealing with a GUI interface versus a command line, but after I did my first deployment, I got a lot more comfortable with doing it GUI-based.

I'm not a big fan of the FDM (Firepower Device Manager) that comes with Firepower. I found out that you need to use the Firepower Management Center, the FMC, to manage the firewalls a lot better. You can get a lot more granular with the configuration in the FMC, versus the FDM that comes out-of-the-box with it.

FDM is like Firepower for dummies. I found myself to be limited in what I can do configuration-wise, versus what I can do in the FMC. FMC is more when you have 100 firewalls to manage. They need to come out with something better to manage the firewall, versus the FDM that comes out-of-the-box with it, because that set me back about two weeks fooling around with it.

I have been using Cisco Firepower NGFW Firewall for two or three years now.

It's good. It's stable. I haven't heard anything [from my customer]. No news is good news.

It scales because you can deploy a cluster. You could have up to 16 Firepowers in a cluster, from the class I [was learning] in yesterday. I only had two in that particular cluster. It scales up to 16. If you have a multi-tenant situation, or if you're offering SaaS, or cloud-based firewall services, it's great that it can scale up to 16.

They're always great to me. They're responsive, they're very knowledgeable. They offer suggestions, tell you what you need to do going forward, [and give you] a lot of helpful hints. It was good because I had to work with them a lot on this past deployment. 

Now I can probably do it by myself, without TAC's help.

Positive

The deployment was complex because that was my first time doing a Firepower. I did ASAs prior, no problem. I had to get used to the GUI and the different order of deploying things. I had to reset it to factory defaults several times because I messed something up. And then I had to get with Cisco TAC, for them to help me, and they said, "Okay, you need to default it and start over again".

But now, going forward, I know I need to deploy the FMC first, and then you deploy the Firepowers, and tell them where the FMC is, and then they connect, and then you can go in and configure it. I had it backward and it was a big thing. I had to keep resetting it. It was a good learning experience, though, and thankfully, I had a patient customer.

[In terms of maintenance] I've not heard anything back from my customer, so I'm assuming once it's in, it's in. It's not going to break. It's an HA pair. My customer doesn't really know too much about it. I don't know that they would know if one of them went down, because it fails over to the other one. I demonstrated to them, "Look, this is how it fails over. If I turn one off, it fails over." VPN doesn't disconnect, everything's good. Users don't know that the firewall failed over unless they're actually sitting there looking at AnyConnect. I don't think they know. So, I'll wait for them to call me and see if they know if something's broken or not.

As far as return on investment [goes], I would imagine there is some. For the users, as far as saving on commuting costs, they don't have to come into the office. They can stay home and work, and connect to the enterprise from anywhere in the world, essentially.

I've done a Palo Alto before, and a Juniper once, but mostly ASAs and Firepowers.

Naturally, I prefer Cisco stuff. [For the Palo Alto deployment] they just said, "Oh, you know, firewalls", and that's why the customer wanted Palos, so that's what I had to do. I had to figure it out. I learned something new, but my preference is Cisco firewalls.

I just like the granularity of the configuration [with Cisco]. I've never had any customers complain after I put it in, "Hey, we got hacked," or "There are some holes in the firewall," or any type of security vulnerabilities, malware, ransomware, or anything like that. You can tighten up the enterprise really well, security-wise.

Everything is GUI-based now, so to me, that's not really a difference. The Palos and the Junipers, I don't know what improvements they have made because [I worked on] those over five or six years ago. I can't even really speak to that.

Because I don't like the management tool that comes out-of-the-box with it, the FDM, I'll give the Firepower an eight out of 10. That was a real pain dealing with, until they said, "Okay, let's get him an FMC." That was TAC's suggestion, actually. They said, "You really need FMC. The FDM is really trash."

We have two devices in Active-Active mode, acting as a perimeter firewall. It is the main firewall that filters traffic in and out of our organization. This is where there are many rules and the mapping is done to the outside world. We use it as a next-generation firewall, for intrusion detection and prevention.

It's also linked also to Firepower, the software for network policies that acts as our network access control. 

I find it very useful when we're publishing some of our on-prem servers to the public. I am able to easily do the NATing so that they are published. It also comes in very handy for aspects of configuration. It has made things easy, especially for me, as at the time I first started to use it I was a novice.

I have also added new requirements that have come into our organization. For example, we integrated with a server that was sitting in an airport because we needed to display the flight schedule to our customers. We needed to create the access rules so that the server in our organization and the server in the other organization could communicate, almost like creating a VPN tunnel. That experience wasn't as painful as I thought it would be. It was quite dynamic. If we had not been able to do that, if the firewall didn't have that feature, linking the two would have been quite painful.

In addition, we have two devices configured in an Active-Active configuration. That way, it's able to load balance in case one firewall is overloaded. We've tested it where, if we turn off one, the other appliance is able to seamlessly pick up and handle the traffic. It depends on how you deploy the solution. Because we are responsible for very critical, national infrastructure, we had to ensure we have two appliances in high-availability mode.

I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are.

The ASDM makes it very easy to navigate and manage the firewall. You can commit changes with it or apply them before you save them to be sure that you're doing the right thing. You can perform backups easily from it.

It also has a built-in Packet Tracer tool, ping, and traceroute, all in a graphical display. We are really able to troubleshoot very quickly when there are issues. With the Packet Tracer, you're able to define which packet you're tracing, from which interface to which other one, and you're able to see an animation that shows where the traffic is either blocked or allowed. 

In addition, it has a monitoring module, which also is a very good tool for troubleshooting. When you fill in the fields, you can see all the related items that you're looking for. In that sense, it gives you deep packet inspection. I am happy with what it gives me.

It also has a dashboard when you log in, and that gives you a snapshot of all the interfaces, whether they're up or down, at a glance. You don't need to spend a lot of time trying to figure out issues.

Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked.

The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other.

When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even Fortigate can.

A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the IPSs you have, and giving you the best output.

I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.

I have been using Cisco ASA Firewalls since November 2019.

Cisco products are quite resilient. We've had problems due to power failures and our UPSs not being maintained and their batteries being drained. With the intermittent on and off, the Cisco ASAs, surprisingly, didn't have any issue at all. The devices really stood on their own. We didn't even have any issue in terms of losing configs. I'm pretty satisfied with that.

I've had experience with some of the new Cisco devices and they're quite sensitive to power fluctuations. The power supply units can really get messed up. But the ASA 5516 is pretty resilient. We've deployed in a cluster, but even heating up, over-clocking, or freezing, has not happened.

We also have the Sophos as a bridge, although it's only a single device, it is not in a cluster or in availability mode, but we've had issues with it freezing. We have had to reboot it.

It's easy to scale it up and extend it to other operations. When we merged with another company, we were able to extend its usage to serve the other company. It became the main firewall for them as well. It works and it's scalable.

It's the main perimeter firewall for all traffic. Our organization has around 1,000 users spread across the country. It's also our MPLS solution for the traffic for branch networks. It's able to handle at least 1,000 connections simultaneously, give or take.

Prior to my joining the organization, there was a ransomware attack that encrypted data. It necessitated management to invest in network security.

When I joined the project to upgrade the network security infrastructure in our organization, I found that there was a legacy ASA that had been decommissioned, and was being replaced by the 5516. Being a type-for-type, it was easy to pick up the configs and apply them to the new one.

When I joined this organization, the solution had just been deployed. I was tasked with administrating and managing it. Managing it has been quite a learning curve. Prior to that, I had not interacted with ASAs at all. It was a deep-dive for me. But it has been easy to understand and learn. It has a help feature, a floating window where you can type in whatever you're looking for and it takes you right there.

We had a subsidiary that reverted back to our organization. That occurred just after I started using the 5516 and I needed to configure the integration with the subsidiary. That was what I would consider to be experience in terms of deployment because we had to integrate with Meraki, which is what the subsidiary was using.

The process wasn't bad. It was relatively easy to integrate, deploy, and extend the configurations to the other side, add "new" VLANs, et cetera. It wasn't really difficult. The ASDM is a great feature. It was easy to navigate, manage, and deploy. As long as you take your backups, it's good.

It was quite a big project. We had multiple solutions, including Citrix ADC and ESA email security among others. The entire project from delivery of equipment to commissioning of the equipment took from July to November. That includes the physical setup and racking.

Two personnel are handling the day-to-day maintenance.

We have seen ROI with the Cisco ASA, especially because we've just come to the end of the three-year subscription. We are now renewing it. We've not had any major security incident that was a result of the firewall not being able to detect or prevent something. That's a good return on investment.

Our device, the 5516, has been declared end-of-life. The cost of upgrading is almost equivalent to deploying a new appliance. But having had it for three years, it has served its purpose.

As with any security solution, the return on investment must be looked at in terms of what could happen. If you have a disaster or a cyber attack, that is when you can really see the cost of not having this. 

Cost-wise, it's in the same range as its competitors. It's likely cheaper than Palo Alto. Cisco is affordable for a large organization of 500 to 1,000 users and above.

You need a Cisco sales partner or engineer to explain to you the licensing aspects. Out-of-the-box, Firepower is the module that you use to handle your network access policy for the end-user. It's a separate module that you need to include, it's not bundled. You need to ensure you have that subscription.

A Cisco presales agent is key for you to know what you need. Once they understand your use cases, they'll be able to advise you about all the licenses you need. You need guidance. I wouldn't call it straightforward.

With any Cisco product, you need a service level agreement and an active contract to maximize the support and the features. We have not had an active service contract. We just had the initial, post-implementation support.

As a result, we've wasted a bit of time in terms of figuring out how best to troubleshoot things here and there. It would be best to ensure you are running an active contract with SLAs, at least with a Cisco partner. 

Also, we were not able to use its remote VPN capabilities, Cisco AnyConnect, because of a licensing limitation.

I would encourage people to go for the newer version of Cisco ASA. 

When you are procuring that device, be sure to look at the use cases you want it for. Are you also going to use it to serve as your remote VPN and, in that case, do you need more than the out-of-the-box licenses it comes with? How many concurrent users will you need? That is a big consideration when you're purchasing the device. Get a higher version, something that is at least three years ahead of being declared end-of-life or end-of-support.

We use it for data center security for both the north-south and east-west.

With Firepower, you get the next-generation functionality and the next-generation firewall features. Traditionally, when you have a layer three access list, it's really tricky to get the flexibility you need to allow staff to do what they need to do with their apps without being too prescriptive with security. When Firepower comes in, you get much more flexibility and deeper security. They were mutually exclusive previously but are not so much anymore.

We have, probably, 20,000 to 25,000 end users going through the firewalls. Physical locations-wise, there are four data centers in Northern Europe, and the other locations are in the public cloud, that is, Azure and AWS.

It has improved the organization because we now have more flexibility with deployment, and we can deploy solutions quickly and more securely. As a result, we're improving the time to implement change.

The deep packet inspection is useful, but the most useful feature is application awareness. You can filter on the app rather than on a static TCP port.

Licensing is complex, and I'd like it to be simplified. This is an area for improvement.

If we could create a Firepower solution that became like an SD-WAN or a SASE solution in a box, then perhaps we could exploit that on remote sites. We've already kind of got that with Meraki, but if we could pull out some of the features from ASA Firepower and make those available in SD-WAN in SASE, then it would be pretty cool.

I've been using this solution for probably six years as Firepower and for about 10 to 15 years before Firepower came in.

It's very stable. We've seen very few issues that aren't human-related. If I were to rate the stability, it would have to be 10 out of 10 because we haven't seen any failures.

It's tough to scale because it's a firewall appliance, but in terms of the ability to deploy it virtually, it's inherently scalable. That is, as far as a firewall can scale, it's very scalable.

I'd give technical support an eight out of ten.

Positive

We used Check Point previously, and the reason we switched to Firepower was that it would be a common vendor and a commonly supported solution by our team. The consistency with Cisco is why we went with Firepower.

Our deployment model is both public cloud and private cloud. The physical devices are on-premises at a data center or virtual in an on-premises data center, and the network virtual appliances are in distributed public cloud platforms including AWS, Azure, Google, and private cloud.

We have between 20 and 50 people who are responsible for the maintenance of the solution through a various mix of ticketing systems and troubleshooting. Their responsibilities are operating the platform, that is, making sure that the connectivity works, analyzing the security, the posture that those firewalls are protecting, and implementing change.

There was no specific investment to make because there was a requirement to implement data center security. That's certainly been fulfilled, and the benefits now versus those previously are time to deliver change and having a more secure, rounded posture. Both of these are being realized.

The pricing was fairly reasonable. It was competitive and was slightly more than Check Point was. However, when we looked at the usability and the features that we would get out of Firepower, it was certainly reasonable.

Licensing is complex, and I'd like it to be simplified.

We evaluated Check Point. One of the pros was that we're a Cisco house, so having Cisco Firepower is useful.

Also, the architectural differences between Check Point and Firepower lend themselves to Firepower. The Check Point architecture is a bit more complicated.

It's a bit more complex to deploy and a bit more difficult to troubleshoot. I think troubleshooting with Firepower is much more intuitive, so it's easy for the operations guys to manage, and it's easy for people to consume.

My advice would be to compare equitable vendors and see where Cisco is strong and where they're not as strong. However, take into account your wider environment. If you've got a Cisco house and the solution has the same look and feel, those who are managing the service will say that it's Cisco and that they know it. That carries a huge weight, so pay careful attention to the rest of your environment.

Overall, I'd give this product a nine out of ten.

A lot of them are used for campuses. Basically, it is HA pairs so it is just used to firewall off different networks from the internal network, i.e., security. 

We also use them for DMZs, where there are untrusted networks coming into trusted networks, managing traffic between the two zones.

Currently, we have almost 100 firewalls spread out all across our county. Our ASAs could be anywhere in any building, wherever there is a purpose. So, if we need to firewall off a network that we don't want touching our internal network, where we want it controlled, then it would be there. All our campuses have some form of that.

It is easier to protect our internal network and identify unknown networks. We can put descriptions on what they are, thus we are able to see different traffic coming from different networks. So, there is better visibility.

The user interface is very easy to manage and find rules. You can do object searches, which are very easy. Also, the logging is very simple to use. So, it is a lot easier to troubleshoot and find items inside the firewall.

The one thing that the ASAs don't have is a central management point. We have a lot of our environments on FTD right now. So, we are using a Firewall Management Center (FMC) to manage all those. The ASAs don't really have that, but they are easy to use if you physically go into them and manage them. 

I would like ASAs to be easier to centrally manage. Currently, in our central management, we have almost 100 firewalls in our environment, and it is almost impossible to manage them all. ASAs are now about 20% of them. We have been slowly migrating them out, but we still have some. Normally, what we would do with ASAs is physically go into those devices and do what we need from there, whether it is find rules, troubleshoot, or upgrade.

We have had ASAs in our environment for 10 years.

The ASAs are solid. They have been around a long time, so there is a lot of documentation out there. They are easy to manage and make it easy to look at logs.

They have been in the environment for 10 years. They are still running and doing their job. 

The only time that we really touch them is if we need to do a rule or code upgrade. We check vulnerabilities a lot to make sure that nothing major has come out. If something has, then we go ahead and patch the firewalls. This is done by network groups, e.g., network engineers or analysts. We usually look at security. We are alerted to any new security advisories that come out from Cisco. For anything that is critical or high, we definitely will address it if we need to. Sometimes, we go three months or months without an upgrade. Other times, we could upgrade in a month. It just depends on what comes out.

We use them for smaller campuses. Though, if we need to upgrade a model, then we go ahead and do that. For example, with our bigger campuses, we need to have a bigger model. They have specs out there that you can kind of line up with what you need.

Cisco tech support is spotty. Sometimes, we get good support. Other times, it is not so good. It is very up and down.

It seems like they have been short staffed recently. We have been waiting a long time for some of our tickets now, though they aren't critical tickets. However, that is one of the big issues which Cisco has going on right now - their staff shortage. We can open a ticket and keep following up, following up, and following up, but it might take weeks to resolve an issue. These aren't critical issues. For critical issues, we escalate and they are able to help us right away.

They handle it appropriately. Though, it depends on the time and on what they need. Sometimes, in one session, issues are resolved. Other times, you need to do multiple sessions for them to resolve it. However, for anything critical, those are resolved pretty fast.

I would rate the technical support as seven out of 10.

Neutral

Before I started, they also had Juniper SRXs. The big issue with them was the logging. It wasn't as good. We switched to ASAs for better stability, better management, and easier logging.

The initial setup was pretty straightforward. It was very simple to deploy and replace. We did a lot of replacing, which was just copying the rules over from the old one, then deploying it in kind of the same manner.

The pricing was pretty comparable to other solutions when we purchased it.

We looked at what we had and saw that Cisco was much better.

I would rate them as nine out of 10.