Paul Nduati - PeerSpot reviewer
Assistant Ict Manager at a transportation company with 51-200 employees
Real User
Aug 1, 2022
Includes multiple tools that help manage and troubleshoot, but needs SD-WAN for load balancing
Pros and Cons
  • "I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are."
  • "A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition."

What is our primary use case?

We have two devices in Active-Active mode, acting as a perimeter firewall. It is the main firewall that filters traffic in and out of our organization. This is where there are many rules and the mapping is done to the outside world. We use it as a next-generation firewall, for intrusion detection and prevention.

It's also linked to Firepower, the software for network policies that acts as our network access control.

How has it helped my organization?

I find it very useful when we're publishing some of our on-prem servers to the public. I am able to easily do the NATing so that they are published. It also comes in very handy for aspects of configuration. It has made things easy, especially for me, as at the time I first started to use it I was a novice.

I have also added new requirements that have come into our organization. For example, we integrated with a server that was sitting in an airport because we needed to display the flight schedule to our customers. We needed to create the access rules so that the server in our organization and the server in the other organization could communicate, almost like creating a VPN tunnel. That experience wasn't as painful as I thought it would be. It was quite dynamic. If we had not been able to do that, if the firewall didn't have that feature, linking the two would have been quite painful.

In addition, we have two devices configured in an Active-Active configuration. That way, it's able to load balance in case one firewall is overloaded. We've tested it where, if we turn off one, the other appliance is able to seamlessly pick up and handle the traffic. It depends on how you deploy the solution. Because we are responsible for very critical, national infrastructure, we had to ensure we have two appliances in high-availability mode.

What is most valuable?

I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are.

The ASDM makes it very easy to navigate and manage the firewall. You can commit changes with it or apply them before you save them to be sure that you're doing the right thing. You can perform backups easily from it.

It also has a built-in Packet Tracer tool, ping, and traceroute, all in a graphical display. We are really able to troubleshoot very quickly when there are issues. With the Packet Tracer, you're able to define which packet you're tracing, from which interface to which other one, and you're able to see an animation that shows where the traffic is either blocked or allowed. 

In addition, it has a monitoring module, which also is a very good tool for troubleshooting. When you fill in the fields, you can see all the related items that you're looking for. In that sense, it gives you deep packet inspection. I am happy with what it gives me.

It also has a dashboard when you log in, and that gives you a snapshot of all the interfaces, whether they're up or down, at a glance. You don't need to spend a lot of time trying to figure out issues.

What needs improvement?

Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked.

The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other.

When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even FortiGate can.

A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the ISPs you have, and giving you the best output.

I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.

Buyer's Guide
Cisco Secure Firewall
January 2026
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
879,853 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Cisco ASA Firewalls since November 2019.

What do I think about the stability of the solution?

Cisco products are quite resilient. We've had problems due to power failures and our UPSs not being maintained and their batteries being drained. With the intermittent on and off, the Cisco ASAs, surprisingly, didn't have any issue at all. The devices really stood on their own. We didn't even have any issue in terms of losing configs. I'm pretty satisfied with that.

I've had experience with some of the new Cisco devices and they're quite sensitive to power fluctuations. The power supply units can really get messed up. But the ASA 5516 is pretty resilient. We've deployed in a cluster, but even heating up, over-clocking, or freezing, has not happened.

We also have the Sophos as a bridge, although it's only a single device, it is not in a cluster or in availability mode, but we've had issues with it freezing. We have had to reboot it.

What do I think about the scalability of the solution?

It's easy to scale it up and extend it to other operations. When we merged with another company, we were able to extend its usage to serve the other company. It became the main firewall for them as well. It works and it's scalable.

It's the main perimeter firewall for all traffic. Our organization has around 1,000 users spread across the country. It's also our MPLS solution for the traffic for branch networks. It's able to handle at least 1,000 connections simultaneously, give or take.

Which solution did I use previously and why did I switch?

Prior to my joining the organization, there was a ransomware attack that encrypted data. It necessitated management to invest in network security.

When I joined the project to upgrade the network security infrastructure in our organization, I found that there was a legacy ASA that had been decommissioned, and was being replaced by the 5516. Being a type-for-type, it was easy to pick up the configs and apply them to the new one.

How was the initial setup?

When I joined this organization, the solution had just been deployed. I was tasked with administrating and managing it. Managing it has been quite a learning curve. Prior to that, I had not interacted with ASAs at all. It was a deep-dive for me. But it has been easy to understand and learn. It has a help feature, a floating window where you can type in whatever you're looking for and it takes you right there.

We had a subsidiary that reverted back to our organization. That occurred just after I started using the 5516 and I needed to configure the integration with the subsidiary. That was what I would consider to be experience in terms of deployment because we had to integrate with Meraki, which is what the subsidiary was using.

The process wasn't bad. It was relatively easy to integrate, deploy, and extend the configurations to the other side, add "new" VLANs, et cetera. It wasn't really difficult. The ASDM is a great feature. It was easy to navigate, manage, and deploy. As long as you take your backups, it's good.

It was quite a big project. We had multiple solutions, including Citrix ADC and ESA email security among others. The entire project from delivery of equipment to commissioning of the equipment took from July to November. That includes the physical setup and racking.

Two personnel are handling the day-to-day maintenance.

What was our ROI?

We have seen ROI with the Cisco ASA, especially because we've just come to the end of the three-year subscription. We are now renewing it. We've not had any major security incident that was a result of the firewall not being able to detect or prevent something. That's a good return on investment.

Our device, the 5516, has been declared end-of-life. The cost of upgrading is almost equivalent to deploying a new appliance. But having had it for three years, it has served its purpose.

As with any security solution, the return on investment must be looked at in terms of what could happen. If you have a disaster or a cyber attack, that is when you can really see the cost of not having this. 

What's my experience with pricing, setup cost, and licensing?

Cost-wise, it's in the same range as its competitors. It's likely cheaper than Palo Alto. Cisco is affordable for a large organization of 500 to 1,000 users and above.

You need a Cisco sales partner or engineer to explain to you the licensing aspects. Out-of-the-box, Firepower is the module that you use to handle your network access policy for the end-user. It's a separate module that you need to include, it's not bundled. You need to ensure you have that subscription.

A Cisco presales agent is key for you to know what you need. Once they understand your use cases, they'll be able to advise you about all the licenses you need. You need guidance. I wouldn't call it straightforward.

With any Cisco product, you need a service level agreement and an active contract to maximize the support and the features. We have not had an active service contract. We just had the initial, post-implementation support.

As a result, we've wasted a bit of time in terms of figuring out how best to troubleshoot things here and there. It would be best to ensure you are running an active contract with SLAs, at least with a Cisco partner. 

Also, we were not able to use its remote VPN capabilities, Cisco AnyConnect, because of a licensing limitation.

What other advice do I have?

I would encourage people to go for the newer version of Cisco ASA. 

When you are procuring that device, be sure to look at the use cases you want it for. Are you also going to use it to serve as your remote VPN and, in that case, do you need more than the out-of-the-box licenses it comes with? How many concurrent users will you need? That is a big consideration when you're purchasing the device. Get a higher version, something that is at least three years ahead of being declared end-of-life or end-of-support.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Daniel Going - PeerSpot reviewer
Managing architect at a tech vendor with 10,001+ employees
Real User
Jul 7, 2022
Is intuitive in terms of troubleshooting, easy to consume, and stable
Pros and Cons
  • "The deep packet inspection is useful, but the most useful feature is application awareness. You can filter on the app rather than on a static TCP port."
  • "Licensing is complex, and I'd like it to be simplified. This is an area for improvement."

What is our primary use case?

We use it for data center security for both the north-south and east-west.

With Firepower, you get the next-generation functionality and the next-generation firewall features. Traditionally, when you have a layer three access list, it's really tricky to get the flexibility you need to allow staff to do what they need to do with their apps without being too prescriptive with security. When Firepower comes in, you get much more flexibility and deeper security. They were mutually exclusive previously but are not so much anymore.

We have, probably, 20,000 to 25,000 end users going through the firewalls. Physical locations-wise, there are four data centers in Northern Europe, and the other locations are in the public cloud, that is, Azure and AWS.

How has it helped my organization?

It has improved the organization because we now have more flexibility with deployment, and we can deploy solutions quickly and more securely. As a result, we're improving the time to implement change.

What is most valuable?

The deep packet inspection is useful, but the most useful feature is application awareness. You can filter on the app rather than on a static TCP port.

What needs improvement?

Licensing is complex, and I'd like it to be simplified. This is an area for improvement.

If we could create a Firepower solution that became like an SD-WAN or a SASE solution in a box, then perhaps we could exploit that on remote sites. We've already kind of got that with Meraki, but if we could pull out some of the features from ASA Firepower and make those available in SD-WAN in SASE, then it would be pretty cool.

For how long have I used the solution?

I've been using this solution for probably six years as Firepower and for about 10 to 15 years before Firepower came in.

What do I think about the stability of the solution?

It's very stable. We've seen very few issues that aren't human-related. If I were to rate the stability, it would have to be 10 out of 10 because we haven't seen any failures.

What do I think about the scalability of the solution?

It's tough to scale because it's a firewall appliance, but in terms of the ability to deploy it virtually, it's inherently scalable. That is, as far as a firewall can scale, it's very scalable.

How are customer service and support?

I'd give technical support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used Check Point previously, and the reason we switched to Firepower was that it would be a common vendor and a commonly supported solution by our team. The consistency with Cisco is why we went with Firepower.

How was the initial setup?

Our deployment model is both public cloud and private cloud. The physical devices are on-premises at a data center or virtual in an on-premises data center, and the network virtual appliances are in distributed public cloud platforms including AWS, Azure, Google, and private cloud.

We have between 20 and 50 people who are responsible for the maintenance of the solution through a various mix of ticketing systems and troubleshooting. Their responsibilities are operating the platform, that is, making sure that the connectivity works, analyzing the security, the posture that those firewalls are protecting, and implementing change.

What was our ROI?

There was no specific investment to make because there was a requirement to implement data center security. That's certainly been fulfilled, and the benefits now versus those previously are time to deliver change and having a more secure, rounded posture. Both of these are being realized.

What's my experience with pricing, setup cost, and licensing?

The pricing was fairly reasonable. It was competitive and was slightly more than Check Point was. However, when we looked at the usability and the features that we would get out of Firepower, it was certainly reasonable.

Licensing is complex, and I'd like it to be simplified.

Which other solutions did I evaluate?

We evaluated Check Point. One of the pros was that we're a Cisco house, so having Cisco Firepower is useful.

Also, the architectural differences between Check Point and Firepower lend themselves to Firepower. The Check Point architecture is a bit more complicated.

It's a bit more complex to deploy and a bit more difficult to troubleshoot. I think troubleshooting with Firepower is much more intuitive, so it's easy for the operations guys to manage, and it's easy for people to consume.

What other advice do I have?

My advice would be to compare equitable vendors and see where Cisco is strong and where they're not as strong. However, take into account your wider environment. If you've got a Cisco house and the solution has the same look and feel, those who are managing the service will say that it's Cisco and that they know it. That carries a huge weight, so pay careful attention to the rest of your environment.

Overall, I'd give this product a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Joseph Lofaso - PeerSpot reviewer
Senior Network Engineer at a government with 51-200 employees
Real User
Jun 14, 2022
Platform provides solid stability as well as easy logging and management
Pros and Cons
  • "The user interface is very easy to manage and find rules. You can do object searches, which are very easy. Also, the logging is very simple to use. So, it is a lot easier to troubleshoot and find items inside the firewall."
  • "The one thing that the ASAs don't have is a central management point. We have a lot of our environments on FTD right now. So, we are using a Firewall Management Center (FMC) to manage all those. The ASAs don't really have that, but they are easy to use if you physically go into them and manage them."

What is our primary use case?

A lot of them are used for campuses. Basically, it is HA pairs so it is just used to firewall off different networks from the internal network, i.e., security. 

We also use them for DMZs, where there are untrusted networks coming into trusted networks, managing traffic between the two zones.

Currently, we have almost 100 firewalls spread out all across our county. Our ASAs could be anywhere in any building, wherever there is a purpose. So, if we need to firewall off a network that we don't want touching our internal network, where we want it controlled, then it would be there. All our campuses have some form of that.

How has it helped my organization?

It is easier to protect our internal network and identify unknown networks. We can put descriptions on what they are, thus we are able to see different traffic coming from different networks. So, there is better visibility.

What is most valuable?

The user interface is very easy to manage and find rules. You can do object searches, which are very easy. Also, the logging is very simple to use. So, it is a lot easier to troubleshoot and find items inside the firewall.

What needs improvement?

The one thing that the ASAs don't have is a central management point. We have a lot of our environments on FTD right now. So, we are using a Firewall Management Center (FMC) to manage all those. The ASAs don't really have that, but they are easy to use if you physically go into them and manage them. 

I would like ASAs to be easier to centrally manage. Currently, in our central management, we have almost 100 firewalls in our environment, and it is almost impossible to manage them all. ASAs are now about 20% of them. We have been slowly migrating them out, but we still have some. Normally, what we would do with ASAs is physically go into those devices and do what we need from there, whether it is find rules, troubleshoot, or upgrade.

For how long have I used the solution?

We have had ASAs in our environment for 10 years.

What do I think about the stability of the solution?

The ASAs are solid. They have been around a long time, so there is a lot of documentation out there. They are easy to manage and make it easy to look at logs.

They have been in the environment for 10 years. They are still running and doing their job. 

The only time that we really touch them is if we need to do a rule or code upgrade. We check vulnerabilities a lot to make sure that nothing major has come out. If something has, then we go ahead and patch the firewalls. This is done by network groups, e.g., network engineers or analysts. We usually look at security. We are alerted to any new security advisories that come out from Cisco. For anything that is critical or high, we definitely will address it if we need to. Sometimes, we go three months or months without an upgrade. Other times, we could upgrade in a month. It just depends on what comes out.

What do I think about the scalability of the solution?

We use them for smaller campuses. Though, if we need to upgrade a model, then we go ahead and do that. For example, with our bigger campuses, we need to have a bigger model. They have specs out there that you can kind of line up with what you need.

How are customer service and support?

Cisco tech support is spotty. Sometimes, we get good support. Other times, it is not so good. It is very up and down.

It seems like they have been short staffed recently. We have been waiting a long time for some of our tickets now, though they aren't critical tickets. However, that is one of the big issues which Cisco has going on right now - their staff shortage. We can open a ticket and keep following up, following up, and following up, but it might take weeks to resolve an issue. These aren't critical issues. For critical issues, we escalate and they are able to help us right away.

They handle it appropriately. Though, it depends on the time and on what they need. Sometimes, in one session, issues are resolved. Other times, you need to do multiple sessions for them to resolve it. However, for anything critical, those are resolved pretty fast.

I would rate the technical support as seven out of 10.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before I started, they also had Juniper SRXs. The big issue with them was the logging. It wasn't as good. We switched to ASAs for better stability, better management, and easier logging.

How was the initial setup?

The initial setup was pretty straightforward. It was very simple to deploy and replace. We did a lot of replacing, which was just copying the rules over from the old one, then deploying it in kind of the same manner.

What's my experience with pricing, setup cost, and licensing?

The pricing was pretty comparable to other solutions when we purchased it.

Which other solutions did I evaluate?

We looked at what we had and saw that Cisco was much better.

What other advice do I have?

I would rate them as nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Samson Belete - PeerSpot reviewer
Network Engineer at a financial services firm with 5,001-10,000 employees
Real User
Jun 8, 2022
Since the product is stable, we do not have to spend additional money to buy other firewalls
Pros and Cons
  • "Since the product is stable, we do not have to spend additional money to buy other firewalls. Once deployed, we can use the product for a long time. Thus, it is cost effective."
  • "The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement."

What is our primary use case?

We use the Firepower as a perimeter firewall to protect from the outside network.

How has it helped my organization?

We are using Firepower to protect a number of services.

We are using it in a dynamic environment. This is important for our company's policies. The dynamic policy capabilities enable tight integration with Secure Workload at the application workload level.

What is most valuable?

The most valuable feature is the IPS. We also like the AnyConnect feature.

We monitor daily the final inspection activities and intelligence on Firepower. We also send logs from Firepower to our monitoring server, which is a nice feature.

What needs improvement?

The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement.

Services from the outside, like financial services that are critical, should be protected by the NGFW. There are cyber attacks on these services. Therefore, adding this NGFW in front of those services will reduce our costs for cyber crime.

For how long have I used the solution?

We started using this next-generation firewall two years ago.

What do I think about the stability of the solution?

It is stable, but there are issues with the hybrid when you do the activation.

What do I think about the scalability of the solution?

It is scalable. All our users utilize this firewall. We have more than 30,000 users who are end users, admins, and developers.

How are customer service and support?

The Cisco technical support team is perfect in their specific area, but they could improve their support for Cisco integration issues between products. I would rate them as eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were previously using Cisco ASA for eight years. Now, we are using Firepower NGFW. We hope to continue using this product in the future, as long as there are no discouraging issues.

We are also using Check Point in conjunction with Cisco. We use Check Point for our internal networks and Secure Firewall for our outside network.

How was the initial setup?

Installation wasn't that difficult, but there were some challenges on the integration. Sometimes, we face issues from the integration between another Cisco product's API and Firepower NGFW. We just integrated with our existing networks.

The firewall takes no more than two weeks to install. The integration with the API takes about six months.

What about the implementation team?

We implemented ourselves. 

Two technical guys deployed it and now maintain it.

What was our ROI?

If we didn't use this NGFW, our company might have been charged by a number of attackers. Therefore, the firewall reduces our costs and operational expenses by around 40%.

Since the product is stable, we do not have to spend additional money to buy other firewalls. Once deployed, we can use the product for a long time. Thus, it is cost effective.

What's my experience with pricing, setup cost, and licensing?

Pricing for Cisco is expensive. There are additional costs for the licensing part, support, and even the hardware part. The device cost is very high. I would be very happy with an improvement on the price.

Which other solutions did I evaluate?

From the user perspective, the reporting and other features are easy to use and user-friendly, but the Control feature of Firepower needs improvement, especially when comparing Firepower to Check Point NGFW.

What other advice do I have?

For digital banking, this solution's firewalls have greatly improved our economy. Most enterprises in our country are using Cisco products because Cisco has worldwide support and cable devices.

I would rate this solution as eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Jure Martinčič - PeerSpot reviewer
Engineer Specialist at a computer software company with 1,001-5,000 employees
Real User
May 30, 2022
Keeps our environment secure and helps reduce firewall-related operational costs
Pros and Cons
  • "With Cisco, there are a lot of features such as the network map. Cisco builds the whole network map of the machines you have behind your firewall and gives you insight into the vulnerabilities and attributes that the host has. Check Point and Fortinet don't have that functionality directly on the firewall."
  • "The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Check Point has a very detailed user interface."

What is our primary use case?

We primarily use it as a corporate, perimeter firewall for traffic to the internet and back, for surfing. We also have some site-to-site connections with customers.

How has it helped my organization?

So far, there hasn't been any breach, so we are very happy.

It has also helped to reduce the operational costs of our firewall. There is a report that is automatically generated. You don't have to search for and prepare everything by yourself. You don't need staff to prepare the information because it is automated. We only go through this report once a week and if there are some special events, we can take care of them.

What is most valuable?

The next-generation features, like IPS, among others, are the most valuable. IPS is mandatory in modern networks for protection against malicious attacks and network anomalies.

Also, it gives you great visibility when doing deep packet inspection, but you have to do HTTP inspection. If you don't do HTTP inspection, the visibility is not complete. That is the case for every firewall vendor.

What needs improvement?

The ease of use, when it comes to managing Cisco Firepower NGFW Firewalls, is getting better because the UI is improving. It was a bit cumbersome in previous versions. Check Point, for example, has one of the most intuitive user interfaces, and now Cisco is really improving.

The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Check Point has a very detailed user interface. Cisco is getting better and becoming more and more user-friendly.

Cisco needs a more intuitive user interface. When you know what to do, it's easy. Otherwise, you need training. You can install it and do the initial configuration, but if you don't have the proper training it's also possible to configure it the wrong way. If that happens, some things might pass through that you don't know about.

For how long have I used the solution?

We have been using Cisco Secure Firewall for about five years, from the beginning of the Cisco Firepower 2100 Series.

What do I think about the stability of the solution?

We were on version 6.2.2 but now we're up to version 7.7.0, and it has really improved. It was not hard to implement but there were many bugs in the earlier version and some were serious, but now it's stable. There are no more bugs. It's really getting better. I would recommend Firepower to every customer now because it's stable. It's a really nice firewall.

What do I think about the scalability of the solution?

The model we have is okay for our environment, so it's scalable. We haven't seen any problems in that regard. There are 50 or 60 devices behind it and about 500 clients. It is used in a very specific environment for a large Slovenian system.

The device has achieved its purpose. We won't implement any other features.

How are customer service and support?

Cisco support is the best, especially if you compare it to other vendors. Cisco may be a bit expensive compared to other vendors, but the support is really good. When you open a case they're really responsive and they resolve every case. This is my personal experience, not only when it comes to Firepower but for the whole Cisco portfolio, which I have been working with since 2005.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial configuration was done within a few hours, but getting all the policies in place took about a month. That was not related to the firewall; it was related to all the requirements from management and from other people as well. But the configuration to get it set up initially was straightforward, nothing special.

What about the implementation team?

My colleagues and I did the deployment. We are an internal team. We are integrators, so we were able to do it by ourselves.

What was our ROI?

When it comes to XDR, the cost-effectiveness of this firewall depends on the use case because you don't always need XDR functionality. SecureX is included free of charge, so from that point of view, maybe Cisco is not that expensive compared to other vendors. Other vendors' XDR products are not free of charge.

But if you look at just the firewall functionality, Check Point is expensive but Cisco is not the cheapest. Fortinet is cheaper.

Where we have seen ROI is due to the support, time savings, ease of management, and the reporting.

Which other solutions did I evaluate?

Aside from the user interface, which is getting better, Cisco is at the top for functionality and in all other respects. We work with Fortinet, Check Point, and we used to work with Juniper, in addition to Cisco.

With Cisco, there are a lot of features such as the network map. Cisco builds the whole network map of the machines you have behind your firewall and gives you insight into the vulnerabilities and attributes that the host has. Check Point and Fortinet don't have that functionality directly on the firewall. They don't give you that direct visibility into the host, such as which operating system the host has.

We don't work with Juniper anymore because its user interface is really not okay. You only have the CLI or you have to use Security Director for management, which is very complex and not user-friendly. That is why we abandoned Juniper as a product.

I would rate Cisco at eight out of 10 overall, and Check Point would be a seven. Check Point fields a great solution in this space, but they have very bad support, and support is one of the most important things. Having great blogs doesn't help if support doesn't come through when you need it.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
IT Technical Manager at a recreational facilities/services company with 10,001+ employees
Video Review
Real User
Oct 5, 2021
Stops threats immediately and gives us more granularity on what those threats might be
Pros and Cons
  • "Firepower NGFW has improved my organization in several ways. Before, we were trying to stamp out security threats and issues; it was a one-off type of way to attack it. I spent a lot of manpower trying to track down the individual issues or flare-ups that we would see. With Cisco's Firepower Management, we're able to have that push up to basically one monitor and one UI and be able to track that and stop threats immediately. It also gives us a little more granularity on what those threats might be."
  • "One of the few things that are brought up is that for the overall management, it would be great to have a cloud instance of that. And not only just a cloud instance, but one of the areas that we've looked at is using an HA type of cloud. To have the ability to have a device file within a cloud. If we had an issue with one, the other one would pick up automatically."

What is our primary use case?

We are specifically using 7.0 Firepower in several different areas. We have them as an IPS within the core, IPS on the edge, and we're also using the AnyConnect Client as our basis for VPN connection into corporate and other applications.

How has it helped my organization?

Firepower NGFW has improved my organization in several ways. Before, we were trying to stamp out security threats and issues; it was a one-off type of way to attack it. I spent a lot of manpower trying to track down the individual issues or flare-ups that we would see. With Cisco's Firepower Management, we're able to have that push up to basically one monitor and one UI and be able to track that and stop threats immediately. It also gives us a little more granularity on what those threats might be.

We were able to stop hundreds of threats. For killing threats, we were able to get several hundred now in comparison to the one-off that we used to be able to do.

Dynamic policies are very important for us because we do not have the manpower to really look at everything all the time. So having a dynamic way of really registering, looking at, and having certain actions tied to that are incredibly effective for us in slowing any kind of threat.

We're getting there as far as using the application, using it to go to the application level, we're at the infancy of that. We're looking at definitely tying that into our critical applications so that we can see exactly what they're doing, when they're doing it, and being able to track that.

Firepower's Snort 3.0 IPS allows us to maintain performance while running more rules. With the advent of 3.0, compared to 2X, we have seen at least a 10 to 15% increase in speed, where it seems to be more effective. The updates seem to be more effective in finding malicious information. We've definitely seen at least a 10 to 15% increase on tying policy to 3.0.

What is most valuable?

The features that we find the biggest bang for the buck are for Firepower overall. We're looking at AnyConnect, which is one of the big features. The other valuable features are IPS along with the Geotagging and the Geosync features, and of course the firewall, the basic subset of firewall infrastructure and policy management.

We've looked at other vendors, but Cisco by far has taken the lead with a holistic approach where we don't have to manage multiple different edges at one time. We can actually push policy out from our core out to the edge. The policy can be as granular as we need it to be. So the administration, also the upgradability of the edge is for us because we need to have it 24/7. The upgradability is also another piece of management, logging, and all the other little aspects of the monitoring part.

Using deep packet inspection, especially with 7.0, since it's just come out in 7.0, we're able to see much more granularly into the packet where before we could actually give a general overview using NetFlow. This gives us much more granularity into what is exactly happening on our network and snapping in the Cisco StealthWatch piece gives us the end-to-end way of monitoring our network and making sure that it's secure.

The overall ease of use when it comes to managing Cisco Secure Firewall is one of the reasons that we ended up going with Cisco because the ease of use, basically having one UI to be able to control all of our end devices, policy, geolocation, AnyConnect, all the different pieces of that in one area has been phenomenal.

Cisco Secure Firewall helped to reduce our firewall operational costs because previously if we were not using Cisco's Firepower, we would have had either Cisco ASA or another manufacturer, and we would have had those everywhere. We would have had still two at every site, several within our infrastructure, and the management of those is much more difficult because it's done by one-off.

As far as saving Adventist Health money, I would have to say that it's not necessarily the actual physical product, but the time, labor that we would have had to have to be able to monitor and administer that, and also the time to find malicious issues and security areas that we were unable to see before. So, it's tough to put a cost on that, but it would probably be several hundred thousand dollars overall if you're looking at whether we got hit with malware or with some of the other issues that we're seeing, especially within healthcare. If we were hacked, that would cost us millions.

What needs improvement?

One of the few things that are brought up is that for the overall management, it would be great to have a cloud instance of that. And not only just a cloud instance, but one of the areas that we've looked at is using an HA type of cloud. To have the ability to have a device file within a cloud. If we had an issue with one, the other one would pick up automatically.

The other part of that is that applying policy still takes longer than we expect. Every version that comes out, the speed is actually increased, but I would love to see that, even a little more as far as when we're actually deploying policy.

For how long have I used the solution?

We have been using Firepower's series for at least the last six years.

We're staggered right now. The Firepower Management Console is at 7.0 and most of our Firepower units are at 6.6.

We have two areas for deployment. We have them as an edge at our markets, we term our hospitals as markets, but each one of the hospitals will have an HA Pair of the Firepower model. And we also have them in our core, within the ACI infrastructure. We use them as a core firewall along with an Edge firewall.

What do I think about the stability of the solution?

We've been using Firepower, the Threat Defense, and the Management Console for about six and a half years and I think we've had maybe two issues with it. And most of those were due to either our policy settings or something that we messed up. We've never had to return a box and we've never run into any major bugs that have actually hindered the actual security of the system.

What do I think about the scalability of the solution?

Scalability so far has been fantastic because we started with four Firepower Threat Defense boxes, but really after that, now we have 14 and we're going to be pushing that to 44 to 46 devices. The implementation has been pretty seamless and pretty easy. It's been great.

We use it exclusively for edge and core for firewall and for policy and for IPS and AnyConnect. We plan on continuing to integrate that tighter. So in the future, we probably will not grow that many physical devices, but we plan on actually integrating those tighter into the system, tighter with integration, with Cisco's ISE, and tighter integration with our ACI infrastructure. So at the end of the day, we don't see us going any further away from using Firepower as our core security edge device.

How are customer service and support?

My company has been using Cisco for many years. One of the huge pieces for us is, of course, the supportability and ongoing update, maintenance, and care. We've had a great relationship with Cisco. The tech is outstanding. Typically, we will open a tech case and they will know exactly what the issue is within two to three hours if it's a very difficult one. Typically they even know what it is when we actually open the case.

We've actually had a fantastic relationship working with Cisco. They've had a fast turnaround, great tech support, and we have not run into any issues thus far with the Firepower overall.

Which solution did I use previously and why did I switch?

Prior to actually using Firepower, we were still a Cisco shop. We used Cisco ASA exclusively, and it was fantastic. But with the advent of Firepower, being able to manage, monitor, and upgrade has really cut back our time on those processes by less than half of what we had before. We were using the good old ASA for many years.

How was the initial setup?

We found that the initial setup using Firepower products was actually very simple. The initial configuration for the Management Console was very straightforward. Adding devices usually takes a few minutes. And then once you've got them physically set up in your Management Console, it's streamlined. It's actually very simple.

One of the great features of having the Cisco Firepower Management Console is having the ability to group. So we have each one of our hospitals as a group, so we can actually do any device configuration within a group. They're HA so that when we do an upgrade, it is seamless because when it fires off the upgrade, it will actually force the HA over automatically as part of the upgrade. And the other part of that is policy management. We have several policies, but specifically, one for the general use at our hospitals has been phenomenal because you build out one policy and you can push that out to all of your end nodes with one push.

We require two staff members to actually implement and devise the initial configuration.

At my company, you have to be at least a senior or an architect in order to manage any type of firewalling, whether that's the IPS, the actual firewall itself, or AnyConnect. So we have senior network engineers that are assigned for that task.

We typically have one person that will actually rotate through the group for the maintenance. There's a senior network engineer that will maintain that on a daily basis. Typically, it doesn't take maintenance every day. The biggest maintenance for us comes to updating policy, verifying the geolocation information is correct, and any upgrades in the future. So typically that takes about one to two people.

What about the implementation team?

We did not actually use any external authority as far as setting up, maintenance, and configuration. It all comes directly from Cisco because of our partnership with Cisco, we have had a fantastic cast of system engineers and techs when needed. We haven't had to go out of our partnership with Cisco to actually implement these, to upgrade, or update.

What's my experience with pricing, setup cost, and licensing?

Cisco's pricing is actually pretty good. We get a decent discount, but when you look across the board, if you're looking at a Cisco firewall, Firepower device, a Palo Alto device, or a Juniper device, they're going to be pretty comparable. A lot of people say, "Oh, Cisco is so expensive." But when you boil it down, when you look at the licensing structure for Firepower, you look at the actual device cost and how much that costs over time, they pretty much are right in line, if not less, depending on what you're buying for Firepower. So we've actually had a great run with that, and we feel confident that we're getting the best price. I haven't seen anything better than the supportability of that.

Which other solutions did I evaluate?

We actually did look at another vendor when we were looking at initially grabbing Firepower, to bring in as our corporate firewall and our main inspection engine. So we did look at Palo Alto and we also looked at Juniper SRX series, but both of those didn't really have the overall manageability and tightness with the Cisco infrastructure as we would want it to. So there was nothing necessarily security-wise wrong with them, but they were not a good fit for our environment.

What other advice do I have?

The biggest lesson that we've learned is in a couple of different ways. One is how to keep your policy clean. We've learned that we've really had to keep that from overextending what we want to do. It also has great feedback as you're building that out so that you can look at it and you figure out how you are going to be able to really implement this in a way that won't break something or that won't overshadow some other policy that you have. That's probably one of the biggest things that we've learned. The way that you build out your policy and the way that you use that on a daily basis is very intuitive. And it also gives you a lot of feedback as you're building that out.

The advice that I would give anybody looking at Firepower is to look at it from an overall standpoint. If you want something that you can monitor and administer well, that you can update very quickly, and that gives you all of the security aspects that anybody else can on the market, it's going to be really hard to beat because of the Management Console. With this, you've got one tool that you can actually do the device updates, device configuration and all the policy management in one area. So I would say, definitely take a look at it. It's got a great UI that is very straightforward to use. It is very intuitive and it works really well out-of-the-box. And it does not take math science to be able to implement it.

I would rate Firepower a nine out of ten. I can't think of anything that would be a 10. It's mature, it's effective and it's usable.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Ibrahim Elmetwaly - PeerSpot reviewer
Presales Manager at a tech vendor with 51-200 employees
Reseller
Nov 28, 2023
Provides unified management, application control, intrusion prevention, URL filtering, and malware defense policies
Pros and Cons
  • "For companies prioritizing security, the optimal choice is one that offers a range of feeds to cater to diverse needs. This is particularly crucial for organizations implementing DDoS mitigation. The preferred solutions typically align with the top server vendors, with Cisco, Forti, and Barracuda consistently ranking among the top three vendors we collaborate with."
  • "It's not unexpected, but it's a common scenario where customers request dual layers of security. For instance, when dealing with regulatory compliance, especially in financial sectors regulated by entities like the Central Bank, having two distinct units is often mandated. If a client predominantly uses a solution like Palo Alto, they may need to incorporate another vendor such as Cisco or Forti. Importantly, there's a significant disparity in interfaces and management platforms between these vendors, necessitating careful consideration when integrating them into the overall security architecture."

What is most valuable?

For companies prioritizing security, the optimal choice is one that offers a range of feeds to cater to diverse needs. This is particularly crucial for organizations implementing DDoS mitigation. The preferred solutions typically align with the top server vendors, with Cisco, Forti, and Barracuda consistently ranking among the top three vendors we collaborate with.

What needs improvement?

It's not unexpected, but it's a common scenario where customers request dual layers of security. For instance, when dealing with regulatory compliance, especially in financial sectors regulated by entities like the Central Bank, having two distinct units is often mandated. If a client predominantly uses a solution like Palo Alto, they may need to incorporate another vendor such as Cisco or Forti. Importantly, there's a significant disparity in interfaces and management platforms between these vendors, necessitating careful consideration when integrating them into the overall security architecture.

For how long have I used the solution?

I have been using Cisco Secure Firewall for the past ten years. 

What do I think about the stability of the solution?


Regarding stability, I would rate it as moderate. In my assessment, based on feedback from analytics scenarios, I would assign it a rating of approximately eight out of ten.

What do I think about the scalability of the solution?

The solution is extremely scalable and based on my experience, I would rate it 7 out of 10.

How are customer service and support?

Cisco is a well-established company, and it offers accessible support, both locally and through online resources. The abundance of information makes it easy to find the necessary details and assistance.

How would you rate customer service and support?

Positive

How was the initial setup?

The implementation timeline for our firewall is contingent on the readiness of the policy. If the policy is prepared, the deployment can occur within a day. However, if the policy is not finalized, a brief meeting is convened to gather the necessary data for rule establishment. Once the information is ready, the implementation on VMware proceeds. Notably, there is a requisite waiting period, such as fine-tuning for optimal rule configuration, as each customer has unique requirements. It's crucial to tailor the rules to fit the specific needs of each customer, as there is no one-size-fits-all best practice in this context.

What's my experience with pricing, setup cost, and licensing?

It is extremely expensive compared to its competitors and I would rate it 2 out of 10. 

What other advice do I have?

I would recommend this solution and rate it 8 out of 10.


Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
Solutions Architect at a computer software company with 51-200 employees
Real User
Jun 19, 2023
An easy to configure solution that can act as a VPN concentrator
Pros and Cons
  • "The most valuable feature of Cisco Secure Firewall is its ease of configuration and that it's scalable for firewalls and VPNs."
  • "Changes you make in the GUI sometimes do not reflect in the command line and vice versa."

What is our primary use case?

We mostly use Cisco Secure Firewall as a VPN concentrator and for its firewall features.

How has it helped my organization?

Using Cisco Secure Firewall has helped grow our familiarity with people that know Cisco.

What is most valuable?

The most valuable feature of Cisco Secure Firewall is its ease of configuration and that it's scalable for firewalls and VPNs.

What needs improvement?

Changes you make in the GUI sometimes do not reflect in the command line and vice versa.

For how long have I used the solution?

We have been using the solution since its inception, so, for many years now.

What do I think about the stability of the solution?

We did not have any stability issues with Cisco Secure Firewall.

What do I think about the scalability of the solution?

We did not see any limitations with Cisco Secure Firewall’s scalability.

Which solution did I use previously and why did I switch?

We also use Aruba in our organization. We never have to factor in extra development time when we go to a new major version of Cisco. With Aruba, we have a pretty drawn-out development timeline for any upgrades or software improvements. Aruba and Cisco Secure Firewall are very different in their implementation and development.

How was the initial setup?

The initial setup of the Cisco Secure Firewall is very straightforward. The average time it took to deploy the solution was very short. Deploying the VM and automating our configurations took a couple of minutes.

What's my experience with pricing, setup cost, and licensing?

Cisco smart licensing is a hassle for a disconnected environment. However, I haven't licensed anything in a while. There have been many changes, making it easier to license disconnected devices connected to the internet.

What other advice do I have?

ASAv uses the solution as a VPN concentrator and a firewall because it could be used for both. It can be used for landing AnyConnect clients on ASAv and as a firewall.

What sets Cisco Firewall apart from other products is that when we do an update, we know we're not going to break a lot of things, and there are not a lot of bugs. The integration on the Cisco side is pretty good.

Most of our team is familiar with Cisco, and everyone knows what to expect when they log in. So it's easy in that way.

I like the application visibility and control with Cisco Secure Firewall. My only complaint is that the changes made in the GUI sometimes do not reflect in the command line.

I haven't had any problems with Cisco Secure Firewall. It's very straightforward and reliable. Also, it's trustworthy because it has the Cisco name.

Cisco Secure Firewall has helped free up our IT staff for other projects. The product is quite heavy into automation. So with it being Cisco, it is very scalable in generating configs. The solution saves a week or two for implementation and integration.

Cisco Secure Firewall has helped our organization improve its cybersecurity resilience through the reliability aspect.

You know what you're getting when you use an ASAv from Cisco. Cisco Secure Firewall is a great product in terms of reliability and scalability.

Overall, I rate Cisco Secure Firewall ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
PeerSpot user
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2026