Cisco Secure Firewall Overview

Cisco Secure Firewall is the #2 ranked solution in best firewalls. PeerSpot users give Cisco Secure Firewall an average rating of 8.2 out of 10. Cisco Secure Firewall is most commonly compared to Fortinet FortiGate. Cisco Secure Firewall is popular among the large enterprise segment, accounting for 53% of users researching this solution on PeerSpot. The top industry researching this solution is comms service providers, accounting for 21% of all views.
Cisco Secure Firewall Buyer's Guide

Download the Cisco Secure Firewall Buyer's Guide including reviews and more. Updated: November 2022

What is Cisco Secure Firewall?

The Cisco Secure Firewall portfolio delivers greater protections for your network against an increasingly evolving and complex set of threats. With Cisco, you’re investing in a foundation for security that is both agile and integrated, leading to the strongest security posture available today and tomorrow.

    From your data center, branch offices, cloud environments, and everywhere in between, you can leverage the power of Cisco to turn your existing network infrastructure into an extension of your firewall solution, resulting in world class security controls everywhere you need them.

    Investing in a Secure Firewall appliance today gives you robust protections against even the most sophisticated threats without compromising performance when inspecting encrypted traffic. Further, integrations with other Cisco and third-party solutions provide you with a broad and deep portfolio of security products, all working together to correlate previously disconnected events, eliminate noise, and stop threats faster.

    Cisco Secure Firewall was previously known as Cisco ASA Firewall, Cisco Adaptive Security Appliance (ASA) Firewall, Cisco ASA NGFW, Cisco ASA, Adaptive Security Appliance, ASA, Cisco Sourcefire Firewalls, Cisco ASAv, Cisco Firepower NGFW Firewall.

    Cisco Secure Firewall Customers

    There are more than one million Adaptive Security Appliances deployed globally. Top customers include First American Financial Corp., Genzyme, Frankfurt Airport, Hansgrohe SE, Rio Olympics, The French Laundry, Rackspace, and City of Tomorrow.

    Archived Cisco Secure Firewall Reviews (more than two years old)

    Group Information Technology Manager at a mining and metals company with 201-500 employees
    Real User
    Provides great VPN and firewall features; very stable
    Pros and Cons
    • "VPN and firewall are good features."
    • "Lacks a good graphical user interface."

    What is our primary use case?

    I'm the group information technology manager and we are customers of Cisco. 

    What is most valuable?

    The best feature for me is the VPN and I also like the firewall. 

    What needs improvement?

    In terms of improvement, we'd like to see a good graphical user interface. I'd also like to see the initial setup simplified. In comparison, if I were to implement the FortiGate firewall from scratch, it's a fairly simple setup. That is not the case with the ASA firewall, where you really need to have the skill and know what you're doing.

    For how long have I used the solution?

    I've been using this solution for 18 years. 

    Buyer's Guide
    Cisco Secure Firewall
    November 2022
    Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
    654,218 professionals have used our research since 2012.

    What do I think about the stability of the solution?

    The solution is stable, we haven't had any issues. If we need something, we go to a consultant. In terms of product stability, it works very well.

    What do I think about the scalability of the solution?

    We haven't made any changes since implementing and we haven't tried scaling.  

    How are customer service and support?

    We get our support from the resellers, not from Cisco. 

    What other advice do I have?

    For those who have the technical know-how with Cisco products, I would recommend going with the ASA firewall, but if you're new to the field and running a smaller business, deployment will be complicated. 

    I would rate this solution a nine out of 10. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Mufeed Siaj - PeerSpot reviewer
    Network Security Presales Engineer at a tech services company with 51-200 employees
    MSP
    Good throughput, with one-of-a-kind support, that is scalable
    Pros and Cons
    • "The most valuable features of this solution are the integrations and IPS throughput."
    • "The price and SD-WAN capabilities are the areas that need improvement."

    What is our primary use case?

    I am a pre-sales engineer, and I do comparisons based on my customer's requests.

    What is most valuable?

    The most valuable features of this solution are the integrations and IPS throughput.

    What needs improvement?

    The price and SD-WAN capabilities are the areas that need improvement.

    In the next release, I would like to see more of the FortiGate features added. FortiGate is compatible with Cisco ACI, but I can't see Firepower with Security Fabric. For example, if I had Fortinet activated, could I integrate with it?

    For how long have I used the solution?

    I have been familiar with the Next Generation firewalls for two years, and six years with firewalls in general.

    What do I think about the stability of the solution?

    It's a stable product.

    What do I think about the scalability of the solution?

    It's scalable indeed.

    Our clients are SMB Enterprise.

    How are customer service and technical support?

    It's just a fact, nothing is better than Cisco technical support.

    Which solution did I use previously and why did I switch?

    Previously, I was working with Fortinet. I would most likely recommend Fortinet, because of the price and the security fabric integration with other products. It's scalable as well, and all of the FortiGate features are useful.

    It's very easy to implement and it's very easy to administrate.

    How was the initial setup?

    The initial setup was straightforward. With other vendors, it is easier, but it was straightforward.

    What's my experience with pricing, setup cost, and licensing?

    This product is expensive.

    What other advice do I have?

    I would rate this solution an eight out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer:
    PeerSpot user
    Lead Network Engineer at a government with 1,001-5,000 employees
    Real User
    Top 20
    Stable and scalable with very responsive technical support
    Pros and Cons
    • "It's got the capabilities of amassing a lot of throughput with remote access and VPNs."
    • "They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers which are using older encryptions. If I do that, update it, it's not going to work for me."

    What is our primary use case?

    The way we've installed Firepower was for the migration process. For example, there was a data center consolidation, and therefore we had to move everything. We offer data center products to our customers across VPN tunnels. We had to move away from older ASAs, so it's a lift and shift. We move older ASAs, which were dispersed in many sites, and we consolidated a couple of services in a single site. Firepower was left there in place. I came in and I took over the administration duties, and now I'm trying to put everything together in a way that it makes sense.

    With Firepower, they have better hardware. It's fitted for more throughput, more load. I'm trying to centralize service delivery on this high-availability pair and move all the remote access to Firepower. Then, it's all part of a transition process from a hybrid cloud to a full cloud deployment on a cloud provider. It's mostly just a necessary pain, until we move away from our on-prem deployments. Currently, I'm working with Azure, etc. and I try to look at the main design of the whole process, even though it's going to take two years. 

    COVID has also made everything very, very slow for us as we try to move away from our initial plan.

    What is most valuable?

    The 2100 models are extremely useful for us.

    It's got the capabilities of amassing a lot of throughput with remote access and VPNs. 

    What needs improvement?

    They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers which are using older encryptions. If I do that, update it, it's not going to work for me.

    For how long have I used the solution?

    We've been using the solution for about a year.

    What do I think about the stability of the solution?

    The solution is pretty solid in terms of stability, however, I prefer Palo Alto. For the enterprise world, it's better to have Palo Alto. For the service provider field, Firepower is quite well suited, I'd say. That said, Palo Alto is definitely the enterprise way to go. For a smaller deployment, you can also go with FortiGate. It's simple, however, it works for smaller offices.

    What do I think about the scalability of the solution?

    The scalability of the product is pretty good. If you need to expand it, you can do so with relative ease.

    How are customer service and technical support?

    The technical support is amazing. They do reply quickly, and often within an hour. It's been great. I've worked at Cisco before, however, with the type of contract we are in, I find it super fast right now. We're quite satisfied with the level of support.

    What's my experience with pricing, setup cost, and licensing?

    I don't have any knowledge as to what the product costs. It's not part of the business I deal with.

    Palo Alto, it's my understanding, is a little more expensive, however, it depends on the users and on the design. It always depends on the contract.

    What other advice do I have?

    We're just customers. We don't have a business relationship with Cisco.

    It's a solid, reliable product, however, if it's right for a company depends on the use case and the size of the organization. For a startup, this might not be a suitable option.

    Overall, I'd rate this solution nine out of ten. As a comparison, if I was rating Palo Alto, I would give it a ten out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    ICT Systems Engineer at an insurance company with 11-50 employees
    Real User
    Pretty stable, but it needs better reporting tools and improvements to the user interface
    Pros and Cons
    • "This product is pretty stable."
    • "I would like the ability to drill down into certain reports because currently, that cannot be done."

    What is our primary use case?

    The number one use for this product is security.

    What needs improvement?

    The management of the application can be improved with enhancements to the user interface.

    I would like the ability to drill down into certain reports because currently, that cannot be done. In fact, this is one of the reasons that we want to move away from Cisco. Better reporting tools would be an improvement.

    For how long have I used the solution?

    We have been using Cisco ASA for approximately seven years.

    What do I think about the stability of the solution?

    This product is pretty stable.

    What do I think about the scalability of the solution?

    Our current model is reaching its end of life, so it's not very scalable at the moment. We don't plan to increase usage.

    It is currently providing protection for about 30 users.

    How are customer service and technical support?

    The technical support is with our solution provider. I would say that it's average, rather than very good.

    How was the initial setup?

    The initial setup is complex. I would say that it took a maximum of a week to deploy.

    What about the implementation team?

    We had a service provider who took care of the installation for us.

    What's my experience with pricing, setup cost, and licensing?

    This is an expensive product. We pay about €2,000 ($2,400 USD) per year for licensing. 

    Technical support is in addition to the standard licensing fees.

    What other advice do I have?

    At this point, Cisco ASA is not a product that I recommend. My advice is that people should look at other solutions because there are other products available on the market that are just as good, if not even better.

    I would rate this solution a seven out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Security Consultant at a tech services company with 51-200 employees
    Consultant
    Quite stable with good technical support, but the reporting should be improved

    What is our primary use case?

    We are a service provider and we work on a variety of different projects for many customers. We do not use this product ourselves. Rather, we deploy it for different customers.

    The primary use case is to protect the organization from unauthorized use.

    What is most valuable?

    The most valuable feature is the access control list (ACL).

    What needs improvement?

    Report generation is an area that should be improved.

    For how long have I used the solution?

    I have been working with this product for two years.

    What do I think about the stability of the solution?

    This firewall is quite stable and we use it on a daily basis.

    What do I think about the scalability of the solution?

    The scalability is good.

    Which solution did I use previously and why did I switch?

    I have not worked with equipment from OEMs other than Cisco. It's the only vendor I use.

    How was the initial setup?

    The initial setup is straightforward. The length of time for deployment depends on whether it is the entire setup or just the basic installation.

    What about the implementation team?

    I deployed this product myself.

    What other advice do I have?

    This is a product that I can recommend for an internal firewall. It's good enough.

    I would rate this solution a seven out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    PeerSpot user
    Senior Solutions Consultant at a comms service provider with 10,001+ employees
    Consultant
    Stable with a straightforward setup and good overall features
    Pros and Cons
    • "The implementation is pretty straightforward."
    • "In a future release, it would be ideal if they could offer an open interface to other security products so that we could easily connect to our own open industry standard."

    What is our primary use case?

    The solution is primarily used for protecting the environment, or the cloud environments for our customers.

    What is most valuable?

    All the specific features you find within the NextGen firewall are quite useful. The touch intel feature is specifically useful to us. We deliberately choose this kind of product due to its set of features. 

    The implementation is pretty straightforward.

    What needs improvement?

    The security market is a fast-changing market. The solution needs to always check if the latest threats are covered under the solution. 

    It would always be helpful if the pricing was improved upon a bit.

    In a future release, it would be ideal if they could offer an open interface to other security products so that we could easily connect to our own open industry standard.

    For how long have I used the solution?

    We've been using the solution for about five or more years at this point.

    What do I think about the stability of the solution?

    The solution is stable. It's very reliable. It doesn't crash or freeze and doesn't seem to be plagued by bugs or glitches.

    What do I think about the scalability of the solution?

    The solution can scale quite well. A company that needs to expand it can do so easily.

    In our case, we have clients with anywhere between 1,000 and 10,000 users.

    How are customer service and technical support?

    We have our own in-house team that can assist our clients should they need technical support. They're quite knowledgeable and can handle any issues.

    Which solution did I use previously and why did I switch?

    I also have experience with Fortinet and Check Point.

    How was the initial setup?

    The implementation isn't complex. It's straightforward. However, it also depends on the specifications of the customer. Normally we check that out first and then we can make a judgment of how to best implement the solution.

    Typically, the deployment takes about two days to complete.

    In terms of maintenance, we have about five people, who are engineers, who can handle the job.

    What about the implementation team?

    We deliver the solution to our customers.

    What's my experience with pricing, setup cost, and licensing?

    You do need to pay for the software license. In general, it's a moderately expensive solution. It's not the cheapest on the market.

    What other advice do I have?

    We're a partner. We aren't an end-user. We are a managed security provider, and therefore we use this solution for our customers.

    We always provide the latest version of the solution to our clients.

    Typically, we use both cloud and on-premises deployment models.

    I'd recommend the solution to others. It's quite good.

    On a scale from one to ten, I would rate it at an eight.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Phosika Sithisane - PeerSpot reviewer
    Executive Director at ict training and development center
    Real User
    Good at blocking threats and pretty reliable, but needs a better user interface, such as a web interface for easier policy creation
    Pros and Cons
    • "It's pretty reliable and allows for isolation capabilities within the network."
    • "The user interface isn't as good as it could be. They should work to improve it. It would make it easier for customer management if it was easier to use."

    What is our primary use case?

    We primarily use the solution for basic firewall configurations such as NAT, FORWARD PORT and Block TCP-UDP Port.

       

    How has it helped my organization?

    My company is very small and was just built last year. I am now using a Cisco ASA 5510 for NAT and port forwarding, and to limit users' access directly from the internet to Remote-VPN only.

    What is most valuable?

    The ability to block threats is its most valuable aspect.

    Most clients in Laos use the basic setup, which works quite well. It ensures that nothing can get onto the local network.

    It's pretty reliable and allows for isolation capabilities within the network.

    The ASDM is very good.

    I like that I can use the command line. I use a lot of Cisco and often work with this. If you are comfortable with the command line, it's quite good.

    What needs improvement?

    The user interface isn't as good as it could be. They should work to improve it. It would make it easier for customer management if it was easier to use.

    Cisco does not have a lot of web management. We have to use ASTM server management to make up for it.

    For how long have I used the solution?

    I've been using the solution, give or take, for around five years at this point.

    What do I think about the scalability of the solution?


    How are customer service and technical support?

    When we need assistance from technical support, we typically deal with the team in China. They've been very good. Whenever I have a problem, they can resolve it. They are knowledgeable and responsive. We're satisfied with the level of support we get.

    Which solution did I use previously and why did I switch?

    We typically offer clients a few different solutions. For example, we may recommend Fortinet.

    How was the initial setup?

    For a new user, the initial setup may be a bit difficult. For me, since I am comfortable with Cisco, it's pretty straightforward. A new connection has its own complexities. It may be a different thing on Java SDK. There may be some programs that may not be able to access it.

    What's my experience with pricing, setup cost, and licensing?

    In Laos, clients don't have much wiggle room when it comes to cost. The economy right now isn't very good. Most just choose the basic solution in order to avoid pricey licensing fees.

    Which other solutions did I evaluate?

    subscription payment  

    What other advice do I have?

    We're just customers. We use it in our office and suggest it to clients. However, we don't have a business relationship with Cisco.

    We try to adhere to our client's needs, and therefore, if they specify hardware they want to use, like Fortinet, we tend to accommodate them.

    That said, if they ask my opinion, I usually recommend Cisco ASA.

    I know a lot about the product and I'm good at controlling everything. I have a lot of knowledge and understanding after working with it so closely. That's why I tend to favor it when my customers ask for advice.

    Overall, I would rate the solution seven out of ten. If the user interface were a bit better, I'd rate it higher.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Cassio Maciel - PeerSpot reviewer
    Network Security Engineer at a financial services firm with 1,001-5,000 employees
    Real User
    Great for blocking attacks, best support, and very easy to use
    Pros and Cons
    • "The Advanced Malware Protection (AMP) feature is the most valuable. It is also very easy to use. Every technical user can operate this solution without any difficulty. The dashboard of Cisco Firepower has every tool that a security operator needs. You can find every resource that you need to operate through this dashboard."
    • "Its interface is sometimes a little bit slow, and it can be improved. When you need to put your appliance in failover mode, it is a little difficult to do it remotely because you need to turn off the appliance in Cisco mode. In terms of new features, it would be good to have AnyConnect VPN with Firepower. I am not sure if it is available at the moment."

    What is our primary use case?

    I use it to protect my DMZ from external attacks.

    How has it helped my organization?

    Last year, we received a lot of linear service attacks in our environment during the Black Friday season. Cisco Firepower blocked every attack.

    What is most valuable?

    The Advanced Malware Protection (AMP) feature is the most valuable. 

    It is also very easy to use. Every technical user can operate this solution without any difficulty. The dashboard of Cisco Firepower has every tool that a security operator needs. You can find every resource that you need to operate through this dashboard.

    What needs improvement?

    Its interface is sometimes a little bit slow, and it can be improved.

    When you need to put your appliance in failover mode, it is a little difficult to do it remotely because you need to turn off the appliance in Cisco mode. 

    In terms of new features, it would be good to have AnyConnect VPN with Firepower. I am not sure if it is available at the moment.

    For how long have I used the solution?

    I have been using Cisco Firepower for two years.

    What do I think about the scalability of the solution?

    We use it specifically for DMZ, so we don't need to scale it up. Because we are using this solution for a specific environment, we don't plan to increase its usage.

    We have a few teams who use this solution. We have the information security team for reading the logs and policies. We have administrators, and we also have contractors for the network operation center to analyze some logs and reports. 

    How are customer service and technical support?

    We have used their technical support. They are amazing. Cisco's technical support is the best.

    Which solution did I use previously and why did I switch?

    We have used Check Point and one more solution. The main difference is in the IPS signatures. Cisco Firepower has precise and most updated IPS signatures.

    How was the initial setup?

    The initial setup is easy. The deployment took two months because we didn't have Firepower previously, and it took us some time to plan and implement.

    What about the implementation team?

    We used our reseller and contractor to deploy Cisco Firepower. They were good.

    What other advice do I have?

    I would recommend this solution. I would rate Cisco Firepower a nine out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Muhammed Eslami - PeerSpot reviewer
    Solution Architect at a tech services company with 11-50 employees
    Real User
    Top 10
    Powerful features include Snort and IPS, it is easy to deploy, and the technical support is good
    Pros and Cons
    • "I like the firewall features, Snort, and the Intrusion Prevention System (IPS)."
    • "This product is managed using the Firepower Management Center (FMC), but it would be better if it also supported the command-line interface (CLI)."

    What is our primary use case?

    We are a solution provider and Cisco NGFW is one of the products that we implement for our clients. My clients use it for internet access within the enterprise.

    What is most valuable?

    I like the firewall features, Snort, and the Intrusion Prevention System (IPS). 

    What needs improvement?

    This product is managed using the Firepower Management Center (FMC), but it would be better if it also supported the command-line interface (CLI). Cisco's FTD devices don't support the command-line interface and can only be configured using FMC.

    For how long have I used the solution?

    We have been using this product for the past four years.

    What do I think about the stability of the solution?

    This is a stable product and we plan to continue implementing it for clients in the future.

    What do I think about the scalability of the solution?

    Cisco NGFW is a scalable firewall. My client has more than 100 users.

    How are customer service and technical support?

    We have support from Cisco's TAC, the Technical Assistance Center, and they support this product well. We haven't had any issues with them.

    Which solution did I use previously and why did I switch?

    Prior to the Next Generation firewall, my clients were using Cisco ASA for more than 10 years.

    How was the initial setup?

    The initial setup is easy, with the installation and configuration taking about two hours.

    What about the implementation team?

    I did the deployment myself.

    What's my experience with pricing, setup cost, and licensing?

    This product requires licenses for advanced features including Snort, IPS, and malware detection.

    What other advice do I have?

    In summary, this is a good product and I recommend it.

    I would rate this solution a ten out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer
    PeerSpot user
    Javed Hashmi - PeerSpot reviewer
    Chief Technology Officer at Future Point Technologies
    Real User
    Provides excellent integrations and reporting
    Pros and Cons
    • "Provides good integrations and reporting."
    • "Deploying configurations takes longer than it should."

    What is our primary use case?

    Our primary use case is as a data center firewall for internet firewalls and also as a VPN concentrator. I'm the chief technology officer and we are partners of Cisco. 

    What is most valuable?

    In terms of features there hasn't been much improvement but it's a very stable solution and a very good firewall with almost all of the features required for next generation firewall purposes. Almost all the firewalls on the market have the same features available, but if you take into account the integrations and reporting of Cisco, it's a little better than the others. In particular, the briefing reporting is better. With Fortinet we would probably have to use FortiAnalyzer as a separate reporting module for Fortinet, but here the reporting is good.

    What needs improvement?

    There needs to be an improvement in the time it takes to deploy the configurations. It normally takes two to four minutes and they need to reduce this. The deployment for any configuration should be minimal. It's possibly improved on the very latest version. 

    An additional feature I would like to have in Firepower would be for them to give us the data from the firewall - Cisco is probably working on that. 

    For how long have I used the solution?

    I've been using this solution for close to five years. 

    What do I think about the scalability of the solution?

    The scalability is very good. 

    How are customer service and technical support?

    We generally provide support but if we're not able to resolve an issue, we escalate it to Cisco and they're great. They are one of the best support services I've used and it's one of the reasons Cisco is doing so well in the market. 

    Which solution did I use previously and why did I switch?

    I also work with Fortinet and Palo Alto. Fortinet is also a really good product but Cisco is a leader in next generation firewalls and now that they are catching up to Fortinet, they have provided a lot of features and flexibility. I personally see Cisco as being good for large enterprise companies and Fortinet is better for families as well as small and medium size businesses. When it comes to Palo Alto, the high price point is one thing that is an issue, some companies are unable to afford it. Palo Alto is good but Cisco is catching up to them and I believe in a year or two, Cisco will probably match Palo Alto as well and be much better. 

    How was the initial setup?

    The initial setup is not too complex, but as with Fortinet, they have some detailed steps required which adds to the flexibility also. With flexibility comes a bit of complexity, but it's not too bad. Deployment time takes a few minutes. I am responsible for implementation and maintenance for our clients. We were previously deploying only for medium or large enterprise companies but Cisco has come up with the 1000 and 1100 series firewalls for smaller companies which is pretty good. They're a cost-effective solution and competitive in the market. 

    What's my experience with pricing, setup cost, and licensing?

    Cisco falls somewhere in the middle in terms of pricing, it's not very expensive and it's not very cheap. There is an additional accessory fee associated with Cisco but normally they have a separate subscription cost for different types of security to protect the firewall. There are separate bundles available inside the pricing and that's probably true for all of the firewalls. 

    What other advice do I have?

    Cisco is a large, good and reliable firewall. They are working on advanced features and catching up with the leaders in the market. I believe that's a score for them. A yearly subscription is cheaper than Palo Alto and Fortinet offer. They provide good support and once it's loaded, it doesn't give a lot of problems, that's very important.

    I would rate this solution an eight out of 10. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Principal Network Engineer at a manufacturing company with 501-1,000 employees
    Real User
    Good monitoring capability, but it lacks the next-generation firewall functionality
    Pros and Cons
    • "The most valuable features for my client are the ASDM and monitoring."
    • "Cisco ASA is not a next-generation firewall product."

    What is our primary use case?

    I am a consultant and when clients ask for white papers or studies, I do the research. At that point, they do whatever change processes they have; I give them all of the numbers and other relevant data, but that's the extent of what we do in my organization.

    They are just using it as a stateful packet inspection firewall, traditional firewalling.

    How has it helped my organization?

    At this point, my client is looking for their next solution so something may not be working.

    What is most valuable?

    The most valuable features for my client are the ASDM and monitoring.

    They have familiarity with the Cisco CLI.

    What needs improvement?

    Cisco ASA is not a next-generation firewall product.

    For how long have I used the solution?

    My client has been using the Cisco ASA solution for approximately five years.

    What do I think about the stability of the solution?

    They've been using it for five years and my assumption is that it's been good for what they needed it to do. However, they were consulting to move forward with something different.

    What do I think about the scalability of the solution?

    The scalability is very limited because as a traditional firewall, it's a step behind. As far as the scale goes, my assumption is that you just buy a bigger model.

    Which solution did I use previously and why did I switch?

    I was not consulting with this client when they implemented the Cisco ASA.

    This is a hardware-based device, versus a virtual one, so it's maxed out.

    How was the initial setup?

    My assumption is that it's a typical HA, basic setup.

    Which other solutions did I evaluate?

    My client is looking for a next-generation firewall solution to replace the Cisco ASA.

    What they need is a step up from what they already have that includes application-controlled firewall rules, as well as other features that ASA doesn't currently have.

    What other advice do I have?

    My suggestion for anybody who is looking at Cisco ASA is to work with the vendor, as they have newer products.

    I would rate this solution a seven out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Consulting Engineer at IV4
    Reseller
    Stable, good technical support, and the VPN feature works well
    Pros and Cons
    • "The most valuable features are the provision of internet access, AnyConnect, and VPN capabilities."
    • "I have worked with the new FTD models and they have more features than the ASA line."

    What is our primary use case?

    Our company sells Cisco Firewalls and the ASA is one of the products that we implement for our clients. The primary use cases are internet access, AnyConnect, and VPN.

    What is most valuable?

    The most valuable features are the provision of internet access, AnyConnect, and VPN capabilities. Because I primarily deal with the VPN functionality, I don't get very deep into the IPS or other capabilities.

    What needs improvement?

    I have worked with the new FTD models and they have more features than the ASA line.

    For how long have I used the solution?

    We have been dealing with Cisco ASA since about 2002.

    What do I think about the stability of the solution?

    I am very happy with its stability and the product in general.

    What do I think about the scalability of the solution?

    In our organization, we only have one in our data center that all of our people pass through. However, I've got clients that have thousands running through large Cisco firewalls.

    How are customer service and technical support?

    Cisco's technical support has always been excellent. They have great support.

    Which solution did I use previously and why did I switch?

    I have dealt with four or five others, but so far, I have the most experience with Cisco.

    Recently, I worked with the new FTD 1000 or 1100 series, and they do a lot.

    How was the initial setup?

    The complexity of the initial setup depends on the environment. Sometimes, it's brand new whereas other times, I install a replacement for an existing Cisco device or some other product.

    What about the implementation team?

    I am in charge of installing and configuring our Cisco Firewall solutions.

    What other advice do I have?

    I would rate this solution a ten out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    CEO & Co-Founder at a tech services company with 51-200 employees
    Real User
    Good configuration support but needs a few features and better pricing
    Pros and Cons
    • "The configuration support is very good. You can find a lot of configuration samples and troubleshooting tips on the internet, which is very good."
    • "You need to have a little bit of knowledge to be able to configure it. Otherwise, it would be very difficult to configure because there is no GUI. The latest software available in the market has a GUI and probably zero-touch provisioning and auto-configuration. All these things are not available in our version. You need to manually go and configure everything in the switch. In terms of new features, we would definitely want to have URL-based filtering, traffic steering, and probably a little bit steering in the bandwidth based on the per-user level and per-user group. We will definitely need some of these features in the near future."

    What is most valuable?

    The configuration support is very good. You can find a lot of configuration samples and troubleshooting tips on the internet, which is very good.

    What needs improvement?

    You need to have a little bit of knowledge to be able to configure it. Otherwise, it would be very difficult to configure because there is no GUI. The latest software available in the market has a GUI and probably zero-touch provisioning and auto-configuration. All these things are not available in our version. You need to manually go and configure everything in the switch.

    In terms of new features, we would definitely want to have URL-based filtering, traffic steering, and probably a little bit steering in the bandwidth based on the per-user level and per-user group. We will definitely need some of these features in the near future.

    For how long have I used the solution?

    I have been using this solution for the last one and a half years.

    What do I think about the stability of the solution?

    Stability-wise, it is pretty stable. It is probably not very feature-rich, but whatever features we are using, they are pretty stable.

    What do I think about the scalability of the solution?

    Scalability-wise, we did not have much problem because we have a single site. If we have two or more sites, and if we want to have a site-to-site VPN and a larger number of users, we are not sure about the scalability. We will have to go for an updated version of the new product line.

    We have close to 80 plus users. We anticipate a huge increase in the number of users and plan to increase the usage of Cisco ASA Firewall. We may have to open a new center in a different city, which will lead to more sites, users, and usage.

    How are customer service and technical support?

    Their support is good, but the cost of support is very high. Next year onwards, we may not go for technical support because most of the time, they only do the configuration, and the configuration-related information is pretty much available on the internet.

    Which solution did I use previously and why did I switch?

    Initially, we started with some open-source alternatives, like Opium, but eventually, we thought of moving towards a proven solution. We just did a study. We didn't put the open-source solution into production. One of our customers was basically suggesting that we go with this one, and we went for it. We did not get time to go through, study, and explore different options because we didn't have the bandwidth for testing the complete features of the open-source alternatives. Therefore, we thought of going for a commercial solution. A lot of alternatives are available right now for this solution.

    How was the initial setup?

    The initial setup was not too complicated. It was good. 

    What about the implementation team?

    We took the help of a reseller for the initial configuration. 

    What's my experience with pricing, setup cost, and licensing?

    The product cost is a little high. It is a little bit on the high side, and it should be a little bit cost-friendly.

    What other advice do I have?

    I would rate Cisco ASA Firewall a seven out of ten. It needs improvement in terms of a few features and cost-friendliness. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    IT Administration at a healthcare company with 11-50 employees
    Real User
    A stable solution for protecting our edge network, with good technical support

    What is our primary use case?

    It provides the firewall and security for our edge network.

    We are using a really old ASA device that is at end-of-life, so we're replacing it.

    What is most valuable?

    The most valuable feature is the access control list (ACL). 

    What needs improvement?

    This is an older product and has reached end-of-life.

    For how long have I used the solution?

    We have been using Cisco ASA for probably ten years.

    What do I think about the stability of the solution?

    This is a very stable product.

    What do I think about the scalability of the solution?

    We're just a small company, so we have not had to scale it.

    How are customer service and technical support?

    The technical support is definitely very good.

    How was the initial setup?

    The initial setup was very straightforward.

    What about the implementation team?

    Just one person is required for maintenance.

    What other advice do I have?

    My advice for anybody who is implementing Cisco ASA is that it is not very difficult to deploy and not very difficult to understand how to continue adding more rules to it.

    I would rate this solution an eight out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
    Ahmed El-Ghawabi - PeerSpot reviewer
    Technical Consultant at Zak Solutions for Computer Systems
    Real User
    Good stability, excellent technical support, and powerful intrusion detection
    Pros and Cons
    • "Technical support services are excellent."
    • "On firewall features, Fortinet is better. Cisco needs to become more competitive and add more features or meet Fortinet's offering."

    What is our primary use case?

    We primarily use the solution for the various firewalls.

    What is most valuable?

    Cisco is powerful when it comes to detecting intrusions. It's better than, for example, Fortinet.

    Cisco has multiple products - not just firewalls. The integration between other items provides a powerful end-to-end solution. It's nice and easy. There is one management system and visibility into all of the features. Using the same product is more powerful than using multiple systems. Cisco is known by most customers due to the fact that at least they have switches. However, when clients say "we need an end-to-end option" Cisco is there.

    The stability is very good.

    Technical support services are excellent.

    What needs improvement?

    Before an ASA, it was a live log. It was easy and comfortable to work with. After the next-generation firewall, Firepower, the live log became really slow. I cannot reach the information easily or quickly. This has only been the case since we migrated to next-generation firewalls.

    There is some delay between the log itself. It's not really real-time. Let's say there's a delay of more than 20 seconds. If they had a monitoring system, something to minimize this delay, it would be good.

    It would be ideal if I could give more bandwidth to certain sites, such as YouTube.

    I work with Fortinet also, and I find that Fortinet is easier now. Before it was Cisco that was easier. Now Fortinet is simpler to work with.

    On firewall features, Fortinet is better. Cisco needs to become more competitive and add more features or meet Fortinet's offering.

    For how long have I used the solution?

    I've been using the solution since about 2003, when I originally implemented it.

    What do I think about the stability of the solution?

    The solution is extremely stable. We don't have any issues whatsoever. It doesn't have bugs or glitches. It works well. Occasionally, it may need patches, however, there's very little downtime.

    What do I think about the scalability of the solution?

    The scalability of the solution is very good. We have no trouble expanding the solution.

    They have multiple products that fit in multiple areas. They also have virtual firewalls, which are working well in virtualization systems. They have the data center firewalls feature for data centers. It's scalable enough to cover most of the use cases that might arise.

    How are customer service and support?

    Cisco offers excellent technical support. They're useful and very responsive - depending on the situation itself. Sometimes we require the support of agents and we've found Cisco to have one of the best support systems in the market.

    Which solution did I use previously and why did I switch?

    I also work with Fortinet, and it's my sense that, while Fortinet is getting easier to use, Cisco is getting harder to deal with.

    How was the initial setup?

    The initial setup is not complex at all. It's pretty straightforward.

    A full deployment takes between two and three days. It's pretty quick to set up.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is neither cheap nor expensive. It's somewhere in the middle. If you compare it to Fortinet or Palo Alto, Fortinet is low and Palo Alto is very high. Cisco falls in the middle between the two.

    As far as deployment options go, they often have more wiggle-room with discounts, especially for larger deployments. Therefore, in general, it ranges closer to Fortinet's pricing.

    What other advice do I have?

    We're partners with Cisco, Fortinet, and Palo Alto.

    I work with on-premises deployments and virtual firewalls, however, I don't use the cloud.

    The solution works well for medium-sized enterprises.

    Overall, I would rate the solution nine out of ten.

    I'd recommend users to layer in solutions. At the perimeter, if they have two tiers, I'd recommend Palo Alto as the first and then Cisco ASA as the second. Cisco can work on the data center or Fortinet. In the case of Fortinet, they have the best backline throughput from all of the other products.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    President at a tech vendor with 11-50 employees
    Real User
    Great diagnostics combined with a high-security VPN
    Pros and Cons
    • "I like them mostly because they don't break and they have great diagnostics."
    • "They should improve their interface."

    What is most valuable?

    I like them mostly because they don't break and they have great diagnostics. If something is awry, you can generally figure it out. And of course, everybody has a VPN, but I like the security of their VPN.

    What needs improvement?

    They should improve their interface and ensure that people actually know what they're doing before they start programming; that would make me happy. But that's never going to happen — it's a total pipe dream.

    Some of the next-generation stuff that Cisco is doing now allows you to add web filtering and provides more security inside the device. That's why we were looking at the Next-Generation Firewall.

    For how long have I used the solution?

    I have been using this solution since they developed it.

    What do I think about the stability of the solution?

    I've had a couple of issues. Way back, they had a power supply that had to be changed out. They also had some issues with the 5500 series. Other than that, they're pretty rock-solid.

    What do I think about the scalability of the solution?

    Within their limitations, yes, they're scalable. You don't want to put a 5506 in when you need a 5525 — you'll never get it there. If properly sized, they're scalable, but you can't make a 5506 a 5525 — there're different processors and everything. You have to know where you're going. You have to know your customer first.

    How are customer service and technical support?

    The tech support is good. The documentation is verbose almost to the point of being confusing if you don't know what it is you're looking for.

    It's only confusing if you have somebody who is not familiar with it. They give you every option in great detail, so you can spend time searching through a manual that you might not otherwise. Here's an example: take Sophos or SonicWall — let's say the manual for SonicWall is 25 to 30 pages; that same Cisco documentation is going to be three times that size or more.

    It's not that it needs to be simplified, the people using it need to be knowledgeable. It is not a novice box, we'll put it that way.

    Which solution did I use previously and why did I switch?

    We've been with Cisco for a long time. We've used their routers and gadgets for years and years.

    How was the initial setup?

    The initial setup is quite straightforward.

    What's my experience with pricing, setup cost, and licensing?

    I would guess that the market value of Cisco is going to be towards the higher-end. I don't know that it's the highest, but feature for feature, I'd say it's probably well-priced.

    What other advice do I have?

    Cisco ASA Firewall is not as much of a plug and play solution as some of the others. You just need to make sure that you do your research.

    On a scale from one to ten, I would give Cisco ASA Firewall a rating of nine.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Zhulien Keremedchiev - PeerSpot reviewer
    Lead Network Security Engineer at TechnoCore LTD
    Real User
    Good evaluation period, support, and it has a powerful intrusion policy
    Pros and Cons
    • "The most valuable feature that Cisco Firepower NGFW provides for us is the Intrusion policy."
    • "I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device."

    What is our primary use case?

    My primary use case with Cisco Firepower NGFW is implementing, configuring, maintaining, and troubleshooting lab and customer devices in both lab and production environments.

    Using best practices for configuration, as well as fine-tuning intrusion policies and utilizing as many of the features that the firewall has to offer, which are feasible in said environment.

    Overall, I am confident to say that I have worked with every flavor of Cisco Firepower NGFW, be it their older IPS-only sensors, ASA with Firepower services, as well as the FTD sensor itself.

    How has it helped my organization?

    Cisco Firepower NGFW has improved our organization by giving us the opportunity to protect both our network and our customer's environments. Being able to work with the device in a lab environment and utilizing the whole feature set is really easy with the Evaluation licenses of 90 days on the FMC. The only thing that you need is an environment with enough resources to virtualize both the FMC and FTD sensors.

    I would like to emphasize the easy-to-use evaluation period of the Cisco Firepower NGFW because many other firewall vendors lack this and it is a real pain having to test everything in production environments because you cannot build a good lab environment without paying for licenses.

    What is most valuable?

    The most valuable feature that Cisco Firepower NGFW provides for us is the Intrusion policy. 

    Again, with that being said, I cannot shy away from giving kudos to all of the other features such as AVC (Application Visibility and Control), SSL Decryption, Identity policy, Correlation policy, REST API, and more.

    All of the features that are incorporated in the Cisco Firepower NGFW are awesome and easy to configure if you know what you are doing. Things almost always work, unless you hit a bug, which is fixed with a simple software update.

    What needs improvement?

    I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device. 

    Also, they need to ensure that all of the implemented features are working as they should, and able to integrate with more third-party software in an easier manner.

    As it stands currently, Cisco is doing this, but I am not confident enough to say that their QA team is doing as good a job as they should as there have been software releases that were immediately pulled back the same day as they were released.

    For how long have I used the solution?

    I have been working with Cisco NGFW for almost five years as of 2020.

    What do I think about the stability of the solution?

    I have seen devices working without any issues and/or without a reboot of the device for many years (although I do not recommend this) running on base versions of the software, and I have seen an out-of-the-box fresh install having many stability issues. However, overall my impression is that the most recent software versions are very stable without any evident underlying issues.

    Keep your software up-to-date and the solution should be stable.

    What do I think about the scalability of the solution?

    Cisco Firepower NGFW has a large variety of devices that are able to accommodate every company's needs, be they small or large. Overall, the scalability of the devices is very good.

    How are customer service and technical support?

    Experience with Cisco TAC has been awesome almost always. The SLAs are kept every time, which is very hard to get from any of the other firewall vendors. I have not seen any other vendor get you a proficient engineer on the phone within 15 minutes.

    Which solution did I use previously and why did I switch?

    Cisco ASA and Firepower NGFW is the first firewall solution that I have and am still using.

    How was the initial setup?

    Once you deploy a few of these devices, the initial setup is really straightforward and easy to do unless the position of the firewall on the network needs you to do some connectivity magic in order for it to work.

    What about the implementation team?

    All of the implementations that we have done are with in-house teams, so I have no overview of the vendor team.

    What's my experience with pricing, setup cost, and licensing?

    Cisco, as we all know, is expensive, but for the money you are paying, you know that you are also getting top-notch documentation as well as support if needed. In some cases, this may save you a lot of money or stress, which is why everyone who uses Cisco solutions loves them.

    Which other solutions did I evaluate?

    I have worked with many other firewall vendors in both production and lab environments such as CheckPoint, Palo Alto, Fortinet, Juniper, but to be honest I find Cisco's firewall solutions and Palo Alto's firewall solution to be the best.

    What other advice do I have?

    I believe that Cisco Firepower NGFW is the future leader in NGFW, with only maybe Palo Alto being the main competitor. This is very good, as we all know that having a rival is good for us, the users :) 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    EricHart - PeerSpot reviewer
    CEO at NPI Technology Management
    MSP
    Great support and extremely stable with an excellent command-line interface
    Pros and Cons
    • "Everything is all documented in the file or in the command line script that gets uploaded to the device. It gives us great visibility."
    • "I would say that in inexperienced hands, the interface can be kind of overwhelming. There are just a lot of options. Too much, if you don't know what you are looking for or trying to do."

    What is our primary use case?

    We primarily use it for our clients. We have one or more at each client site - or multiple locations if they have multiple locations.

    Typically our clients are up to about 500 users. Most of them are smaller than that, but they go as large as 500. They're using the solution for the full next-gen firewall stacks - intrusion protection, URL filtering, advanced malware protection, or so-called AMP. Those are the three subscription services that Cisco sells. All of our clients have those subscription services enabled at their main location. Typically, they're just protecting users that are behind the firewall. We also use it for site-to-site VPN, and we use it for client-to-site VPN.

    How has it helped my organization?

    In terms of our clients, security is one of those things that, ideally, nobody notices. It improves the functioning in the sense that you don't get hacked. However, from a noticeable, management point of view, the URL filtering is a pretty significant enhancement. People are able to block access to various websites by category. It isn't revolutionary. Lots of products do this. However, it's a nice sort of add-on to a firewall product.

    At the end of the day, the solution offers good productivity enhancement to a company.

    What is most valuable?

    Cisco's support is great. 

    For experienced users, they are pretty much able to do anything they want in the interface with few restrictions.

    The command-line interface is really useful for us. We script basic installations and modifications through the command-line, which is considered sort of old school, and yet it allows us to fully document the changes that we're making due to the fact that we can save the exact script that was applied and say, "Here are the changes that we made." 

    We can have less experienced people do initial takes on an install. They can edit a template, and we can have a more experienced person review the template, and then apply it, and we don't have to worry about whether anyone inexperienced went into certain corners of the interface and made changes or whatever.

    Everything is all documented in the file or in the command line script that gets uploaded to the device. It gives us great visibility.

    What needs improvement?

    I would say that in inexperienced hands, the interface can be kind of overwhelming. There are just a lot of options. It's too much if you don't know what you are looking for or trying to do.  

    The GUI still uses Java, which feels out of date today. That said, it's an excellent GUI.

    The biggest downside is that Cisco has multiple firewall lines. The ASA line which is what we sell, and we sell most of the latest versions of it, are kind of two families. One is a little older, one's a little newer. We mostly sell the newer family. Cisco is kind of de-emphasizing this particular line of products in their firewall stable. That's unfortunate. 

    They have the ASA line, Meraki, which is a company they bought some years ago where all the management is sort of cloud interface that they provide rather than a kind of interface that you manage right on the box. They also bought Snort and they integrated the Snort intrusion detection into the ASA boxes. In the last couple of years, they've come out with a sort-of replacement to Snort, a line of firewalls that don't use IOS.

    It's always been that the intrusion prevention and the based firewalling features had separate interfaces within IOS. They've eliminated IOS in this new product line and built it from the ground up. We haven't started using that product yet. They have higher performance numbers on that line, and that's clearly the future for them, but it hasn't reached feature parity yet with the ASA. 

    The main downside is that it feels a little bit like a dead end at this point. One needs to decide to move to one of these other Cisco lines or a non-Cisco line, at some point. We haven't done the research or made the plunge yet.

    What I would like to see is a more inexpensive logging solution. They should offer either the ability to maintain longer-term logs right on the firewall or an inexpensive server-based logging solution. Cisco has logging solutions, however, they're very high end.

    For how long have I used the solution?

    We've been using the solution for 20 or more years. It's been well over two decades at this point.

    What do I think about the stability of the solution?

    The solution is solid. It's a big advantage of choosing Cisco. There are no worries about stability at all.

    What do I think about the scalability of the solution?

    The scalability of the solution is good. Within our customer base, it is absolutely scalable. You can go very large with it. However, if you really want the highest speeds, you have to move off of the IOS ASA line and onto the newer stuff.

    Typically our clients cap out at 500 employees.

    How are customer service and technical support?

    Technical support is excellent. They are extremely knowledgeable and responsive. I'd rate them ten out of ten. We're quite satisfied with the level of support Cisco provides.

    Which solution did I use previously and why did I switch?

    We did use Juniper's NetScreen product on and off for a while. We stopped using it about ten years ago now.

    We had previous experience with the Cisco gear, so we were comfortable with it, and Juniper bought the NetScreen product and sunsetted it. You had to move into a different firewall product that was based on their equivalent of IOS, something called Juno OS, and we didn't like those products. Therefore, when they sunsetted the Juniper products, we looked around and settled on Cisco.

    How was the initial setup?

    Due to the fact that we're experienced with it and we've scripted the command line, it's extremely simple for us. That said, I think it's complex for somebody that doesn't know the IOS platform.

    What other advice do I have?

    We're Cisco resellers.

    We're always on the latest version. I don't actually keep track of the version numbers myself, however, part of the service that we provide for our clients is updating their firewalls to the latest version.

    We use multiple deployment models. We use both on-premises and cloud versions. They are also all different sizes, according to the requirements of the company.

    I'd advise other companies considering Cisco to be sure to factor in the cost of the ongoing security subscriptions and the ongoing SmartNet into the purchase price. Those things, over the years, represent more than the cost of the firewall itself - significantly more. However, I'd advise others to get the security subscriptions due to the fact that it really dramatically increases the security of the solution overall.

    On a scale from one to ten, I'd rate them at an eight. We love the product, however, we feel like it's not Cisco's future direction, which is the only reason I would downgrade its score. To bring it up to a 10, they'd have to make it their main product line again, which they aren't going to do.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Sr Network Administrator at Orient Petroleum Inc
    Real User
    Reliable and user-friendly with good technical support
    Pros and Cons
    • "The user interface is easy to navigate."
    • "The annual subscription cost is a bit high. They should try to make it comparable to other offerings. We have a number of Chinese products here in Pakistan, which are already very cheap and have less annual maintenance costs compared to Cisco."

    What is our primary use case?

    We are primarily using the solution to protect our network.

    What is most valuable?

    The security the solution offers is very good. Security-wise, it's the top in the world.

    The product has excellent technical support.

    The user interface is easy to navigate.

    Everything is user friendly.

    What needs improvement?

    The annual subscription cost is a bit high. They should try to make it comparable to other offerings. We have a number of Chinese products here in Pakistan, which are already very cheap and have less annual maintenance costs compared to Cisco.

    For how long have I used the solution?

    I've been using the solution for a few years now.

    What do I think about the stability of the solution?

    The solution is reliable. We have been using it for more than a couple of years and we haven't had any problems. There's been no downtime and no hardware failures. It's pretty stable.

    What do I think about the scalability of the solution?

    We've never tried to scale. We have a pretty small set up in our country. It's unlikely we will have to scale.

    Currently, we have between 200 and 300 people on the solution.

    How are customer service and technical support?

    The technical support has been very good. They are helpful and knowledgeable. We're quite satisfied with their level of service.

    Which solution did I use previously and why did I switch?

    This is the first product of this nature that we have implemented. We didn't previously use a different solution.

    How was the initial setup?

    Initially, the preliminary set up took us some time. However, we did have some local expertise in Pakistan. Once, when we were stuck on something, we could manage to get help from Cisco online. It wasn't that tricky or complex. In the end, it was straightforward.

    What about the implementation team?

    We had some assistance with a local expert as well as Cisco.

    What's my experience with pricing, setup cost, and licensing?

    There's an annual subscription. It's not cheap. It's quite pricey if you compare it to other competitors in Pakistan. There aren't any extra costs beyond the yearly licensing.

    We pay about $200 yearly and we have two firewalls.

    What other advice do I have?

    We are the customer. We are in the oil and gas business. We don't have a business relationship with Cisco.

    I'd recommend the solution to others straight away. It's more or less a very standard option here in Pakistan.

    Overall, on a scale from one to ten, I'd rate the solution at an eight.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Shrijendra Shakya - PeerSpot reviewer
    C.T.O at Sastra Network Solution Inc. Pvt. Ltd.
    Real User
    Top 5 Leaderboard
    Reliable and easy to use with good security features
    Pros and Cons
    • "It is very stable compared to other firewall products."
    • "They need a user-friendly interface that we could easily configure."

    What is our primary use case?

    We are using Cisco ASAv in our company and have deployed it for many of our customers. They are in both government and the private sector.

    The deployment method varies depending on the customer's needs. For the government, it's through the government cloud while others are on-premises.

    What is most valuable?

    It is very stable compared to other firewall products.

    It has good security features.

    The firewall features make it easy for the users to work on it.

    What needs improvement?

    The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard.

    They need a user-friendly interface that we could easily configure.

    It would be beneficial to have some of the features that Cisco has, integrating with other types of security.

    For how long have I used the solution?

    I have been using this solution for approximately eight years.

    What do I think about the stability of the solution?

    It's a very stable solution out of the box and we have not had any issues in our deployment.

    We have 86% of the devices being used simultaneously.

    What do I think about the scalability of the solution?

    It's scalable based on the type of license and modules that you require.

    We don't have the option to update the box, but we can add features such as antivirus protection.

    How are customer service and technical support?

    We have contacted technical support for some issues outside our technical expertise, mostly for updating the license.

    We have a team that handles our issues.

    What's my experience with pricing, setup cost, and licensing?

    We work on a case-by-case basis and have good offers from Cisco.

    It's very competitive with other products.

    What other advice do I have?

    They should incorporate it with FortiGate, or Sophos firewalls. 

    If they are looking for a layer 7 type of security then they need to go with another solution.

    I would rate Cisco ASAv a nine out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    PeerSpot user
    Sr. Network Engineer at a construction company with 10,001+ employees
    Real User
    The technical support is good, but there are issues with managing the client
    Pros and Cons
    • "The best features are stability and scalability."
    • "You shouldn't have to use the ASDM to help manage the client."

    What is our primary use case?

    We use Cisco ASAv as a firewall.

    What is most valuable?

    The best features are stability and scalability.

    What needs improvement?

    There are other solutions that are better such as Palo Alto.

    The management test needs improvement. The ACM requires Java and you need to know which version of Java is compatible with your Cisco version. It needs a client.

    The pricing could be reduced.

    I would like to see the issue with the client resolved. You shouldn't have to use the ASDM to help manage the client. Also, it should be subscription-based similar to Palo Alto.

    For how long have I used the solution?

    I have been working with Cisco ASAv for approximately eight years.

    What do I think about the stability of the solution?

    The stability is good, we have not had any issues.

    What do I think about the scalability of the solution?

    Cisco ASAv is scalable.

    How are customer service and technical support?

    We are satisfied with technical support. They are good.

    Which solution did I use previously and why did I switch?

    We are also using Palo Alto. It's very easy to manage, especially the UI system. You can do anything you want.

    What's my experience with pricing, setup cost, and licensing?

    Cisco is considered to be an expensive solution.

    When comparing to other vendors, it's quite expensive.

    What other advice do I have?

    I would rate Cisco ASAv a six out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Henry Pan - PeerSpot reviewer
    Technical Consulting Manager at a consultancy with 10,001+ employees
    Real User
    Provides us with application visibility and control and has improved our clients' end to end firewall functionality
    Pros and Cons
    • "Firepower has been used for quite a few enterprise clients. Most of our clients are Fortune 500 and Firepower is used to improve their end to end firewall functionality."
    • "The intelligence has room for improvement. There are some hackers that we haven't seen before and its ability to detect those types of attacks needs to be improved."

    What is our primary use case?

    Our primary use case for this solution is to improve network security. 

    The maturity of our company's security implementation depends on our clients. Some of our clients really need a lot of work but some of them are advantaged. We are major implementors for Cisco. 

    We implement it for our clients and we also use it internally. Our security maturity is advanced. We have been in the IT business for over 75 years. We have major network firewall experts in the company, so we know what to do.

    Our company uses more than thirty security tools. Ideally, we would use an end to end unified tool. But network security is far from that so we need to use multiple tools. 

    How has it helped my organization?

    Firepower has been used for quite a few enterprise clients. Most of our clients are Fortune 500 and Firepower is used to improve their end to end firewall functionality. 

    What is most valuable?

    The most valuable feature is the intelligence. It sends a warning for a potential attack, a zero-day attack. It sends us an advanced warning. We really like this feature. 

    We use other Cisco tools for switches, routers, and AppDynamics. We also use their wireless tool. We are Cisco's biggest partner, so we use the majority of their solutions. This is one of the reasons people become a Cisco-shop, because of the integration. 

    The integration between these products isn't perfect. 

    Firepower provides us with application visibility and control. We have a standard evaluation procedure with around 136 criteria. We have a team that does the evaluation and there were viruses reported.

    In terms of its ability to provide visibility into threats, we put a different application to be tested. We check how much we can see. What kind of network traffic goes through different devices. We know what's going on. If something went wrong, we see the attack, we know where and which attack. We put it into our testing center. You can never get 100% visibility. Sometimes we can't detect until the damage is done. That is the danger of being in the firewall business. You never know what kinds of tricks a hacker will use. It's endless work.

    Talos is pretty decent. It offers smart intelligence. It helps my team detect what is going on. Without it, the ability of the power stations would be much less. Talos is one of the reasons that we go with Cisco. It is a big advantage.

    We use automated policy application and enforcement. Any of the networks are very complex. It has freed up a lot of our time. Now, it's much better but it's still far from enough. We have saved 90% of our time due to the automation. 

    Firepower has improved our enterprise defense ability by a lot. 

    We use the whole suite of Cisco device management options. Compared to ten years ago, I have seen a lot of improvement, but it's still far from enough. I wish the intelligence would be improved. There is a big learning curve now. If new gear comes into place, then the first three months aren't so accurate. With machine learning, it is getting better. The intelligence should be there from day one. But it will still need to learn the environment and which attack is the most common.

    We are still trying to figure out the best practices for harmonizing policies and enforcement across heterogeneous networks. It's something new. More and more applications are going onto the cloud and we need the hybrid Firepower ability. 

    What needs improvement?

    The intelligence has room for improvement. There are some hackers that we haven't seen before and its ability to detect those types of attacks needs to be improved.

    There is a bit of an overlap in their offerings, which causes clients to overpay for whatever they end up selecting.

    For how long have I used the solution?

    I have been using Firepower for 3 years. 

    What do I think about the stability of the solution?

    I see a lot of improvement in terms of stability but it's still not 100%. We still have bugs and things will go wrong that will cause the system to not function and we will have to reboot and restart. That is something that Cisco should fix. 

    What do I think about the scalability of the solution?

    The scalability is reasonable and okay. 

    One of the clients we have has 21,000,000 nodes.

    How are customer service and technical support?

    We use their support a lot. In my view, they need a lot of improvement. A lot of the representatives are far away and they don't have a lot of knowledge. You need to get to level two or three for them to be able to help. My team is very experienced so it takes a lot for us to make a call to technical support. We need to talk to the right person to work out the issue. The support structure is not able to reach the right level right away. This is a problem that Cisco needs to work a lot to improve on.

    Which solution did I use previously and why did I switch?

    We also use Palo Alto, Check Point, Fortinet, Juniper, and Microsoft. 

    Cisco came into firewalls much later. I would say they're top ten but they're not number one yet. They need to do more work. Cisco does better than the smaller players. 

    The best firewall option is Palo Alto. 

    Considering the expertise and the way they detect an advanced attack, Palo Alto is better than Cisco. 

    How was the initial setup?

    Compared to many years ago, the configuration is much more simplified. It is still not one button to get it all done. It's not easy enough. It hasn't reached the level where a junior staff member can get the job done. 

    For my enterprise environment, the deployment goes wave by wave. It can take six to eight weeks. We do a rolling upgrade. It's not something that can be done in one action because the network is so huge and complex. 

    We have a uniform implementation strategy. We have a standard upgrading proceeding. We do testing and verify and then we put it into production.  

    What about the implementation team?

    We are the integrators and consultant team. 

    What was our ROI?

    18 months

    What's my experience with pricing, setup cost, and licensing?

    Be careful

    Which other solutions did I evaluate?

    Yes

    What other advice do I have?

    Get your homework done. Get to know in-depth what Cisco can do and compare it with Palo Alto. If you're happy with Cisco, go for it but Palo Alto is the safer choice. 

    I would rate it an eight out of ten. 

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Imad Awwad - PeerSpot reviewer
    Group IT Manager at a manufacturing company with 1,001-5,000 employees
    Real User
    Top 5 Leaderboard
    Behind in technology with lots of hidden costs
    Pros and Cons
    • "Unfortunately in Cisco, only the hardware was good."
    • "In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline."

    What is our primary use case?

    The primary use case is to have full visibility over our Web & Application behavior on the local network and over the internet. On the other hand, reporting is one of the main needs so that we can monitor and evaluate our consumption and according to that, build up our policies and security.

    How has it helped my organization?

    Cisco NGFW had the needs that were required by us but unfortunately, was very primitive.

    There was no added value and every feature requires a license, thus extra HIDDEN cost despite a large number of renewals. Paying that much compared to what other vendors can give is out of the negotiation. For this reason we dropped it.

    What is most valuable?

    Unfortunately in Cisco, only the hardware was good. As for the features and services it was less than the others. Having all of the features means higher specs of hardware and intelligence processing so that it can handle all the logs proactively. Now, what is needed from the Information security, is to be proactively aware of any threat that might expose our data and at the same time have full visibility over our information sharing endpoints.

    What needs improvement?

    In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline. Nowadays IoT, Big Data, AI, Robotics, etc. are all evolving and shifting from automatic to intelligent. All brands that do not follow will be extinct.

    For how long have I used the solution?

    I have been using this solution for three years.

    How are customer service and technical support?

    good

    Which solution did I use previously and why did I switch?

    I was using a different solution prior to this one. I shifted because I found that it can heal my pain at least partially. By the end, it did the job and more.

    How was the initial setup?

    Not that simple, but anyone who has the knowledge can configure it.

    What about the implementation team?

    Through a vendor and they have good tech

    What's my experience with pricing, setup cost, and licensing?

    Always look for the history of the products and their evolution, as this will reflect their prices. As for the licenses, be smart and choose the ones you are going to use AS PER YOUR NEED.

    More features=More Licenses=More work time=Increase in Cost.

    Always consider what you might need to reduce your wasted time and invest it in other solutions (i.e. "If it takes you three hours to do an analysis report and the solution you are getting has this feature to reduce your time to five minutes then you can consider this license. But, if there is a feature where you can have access to the machine from the cloud and you are always connected to the company by VPN, there is no need to buy this license").

    Which other solutions did I evaluate?

    Whenever I go for a new solution, I test many leaders "NOT RELYING ON GARTNER", yet going for sites that are related to technical evaluations and real case studies. The vendors were Sophos Cyberoam, Barracuda, FortiGate, Websense, & Check Point.

    What other advice do I have?

    Think before you buy, as this solution can be your success or failure. Always work with professionals and not promoters.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Tier 2 Network Engineer at a comms service provider with 1,001-5,000 employees
    Real User
    A stable firewall that our customers use as their AnyConnect VPN solution
    Pros and Cons
    • "The most valuable feature must be AnyConnect. We have quite a few customers who use it. It is easy to use and the stablest thing that we have. We have experienced some issues on all our VPN clients, but AnyConnect has been the stablest one."
    • "One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes."

    What is our primary use case?

    We are an ISP, so it's primarily for customer firewalls that we help customers set up and maintain. While we do use Cisco ASA in our company, we mostly configure it for customers. Our customers use it as a company firewall and AnyConnect VPN solution.

    How has it helped my organization?

    A lot of people trust Cisco. Just by its name, they feel more secure. They know it's a quality solution, so they feel safer.

    What is most valuable?

    The most valuable feature must be AnyConnect. We have quite a few customers who use it. It is easy to use and the stablest thing that we have. We have experienced some issues on all our VPN clients, but AnyConnect has been the stablest one.

    It is one of the easiest firewalls that I've worked with. Therefore, if you're not comfortable with command line, it probably is one of the best solutions on the market.

    What needs improvement?

    One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes.

    If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.

    For how long have I used the solution?

    For five or six years.

    What do I think about the stability of the solution?

    We haven't had any issues with the firewalls.

    The maturity of our company's security implementation is good. We are very satisfied as long as we maintain the software. It has needed to be updated quite a few times.

    What do I think about the scalability of the solution?

    We don't have any firewalls that can handle more than a couple of gigabits, which is pretty small. I think the largest one we have is the 5525-X, though we haven't checked it for scalability.

    In my company, there are probably 16 people (mostly network engineers) working with the solution: seven or eight from my group and the others from our IT department.

    How are customer service and technical support?

    I haven't worked with Cisco's technical support. We haven't had real issues with these firewalls.

    Which solution did I use previously and why did I switch?

    This was the first firewall solution that I worked with.

    How was the initial setup?

    The initial setup has been pretty straightforward. We have set up a lot of them. The solution works.

    The deployment takes about half an hour. It takes a little longer than if we were using their virtual firewalls, which we could implement in a minute.

    What about the implementation team?

    We have a uniform implementation strategy for this solution. We made some basic configurations with a template which we just edited to fit a customer's needs. 

    What was our ROI?

    We haven't noticed any threats. The firewall is doing its job because we haven't noticed any security issues.

    What's my experience with pricing, setup cost, and licensing?

    The licensing is a bit off because the physical firewall is cheaper than the virtual one. We only have the physical ones as they are cheaper than the virtual ones. We only use the physical firewalls because of the price difference.

    Which other solutions did I evaluate?

    Our company has five or six tools that it uses for security. For firewalls, we have Check Point, Palo Alto, Juniper SRX, and Cisco ASA. Those are the primary ones. I think it's good there is some diversity.

    The GUI for Cisco ASA is the easiest one to use, if you get it to work. Also, Cisco ASA is stable and easy to use, which are the most important things.

    What other advice do I have?

    We use this solution with Cisco CPEs and background routers. These work well together. 

    We have some other VPN options and AnyConnect. We do have routers with firewalls integrated, using a lot of ISR 1100s. In the beginning, we had a few problems integrating them, but as the software got better, we have seen a lot of those problems disappear. The first software wasn't so good, but it is now.

    We have disabled Firepower in all of our firewalls. We don't use Cisco Defense Orchestrator either. We have a pretty basic setup using Cisco ASDM or command line with integration to customers' AD.

    I would rate the product as an eight (out of 10).

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    CSD Manager at BTC
    Reseller
    Automated policy application and enforcement saves significant time when adding devices, users, or new locations
    Pros and Cons
    • "The traffic inspection and the Firepower engine are the most valuable features. It gives you full details, application details, traffic monitoring, and the threats. It gives you all the containers the user is using, especially at the application level. The solution also provides application visibility and control."
    • "Security generally requires integration with many devices, and the management side of that process could be enhanced somewhat. It would help if there was a clear view of the integrations and what the easiest way to do them is."

    What is our primary use case?

    We are a Cisco partner and we implement solutions for our customers who are generally in the banking sector and other private sectors.

    They are using it as a data center firewall and to secure their internet connections. Our customers usually integrate the firewall with ISE, with a Firepower module for IPS, and there are some NAC solutions.

    How has it helped my organization?

    The solution enhances the performance of the network. It blocks most of the threats and it updates attack signatures so it protects customer data better. The loss of data would be a crisis for any customer. With the deep inspection and analysis and the threat updates, it gives you more protection and safety.

    Our clients use automated policy application and enforcement. For example, when you have a very big deployment or a bank needs to deploy more branches, this saves a lot of time when doing the implementation. Similarly, when you add more users or you add more devices, when you create a profile of the policies, they will be available in a matter of minutes, regardless of the number of branches or users or applications. It reduces the time involved in that by 75 percent.

    What is most valuable?

    The traffic inspection and the Firepower engine are the most valuable features. It gives you full details, application details, traffic monitoring, and the threats. It gives you all the containers the user is using, especially at the application level. The solution also provides application visibility and control.

    The integration between the ASA and Cisco ISE is very easy because they are from the same vendor. We don't face any integration problems. This is one of the valuable points of Cisco firewalls. They can be easily integrated with different Cisco security products.

    Our clients also use other products with Cisco ASA, such as Aruba ClearPass and different NAC solutions. The integration of these other products is also easy with Cisco. 

    It integrates with email security and Firepower. For example, if you have an attached file infected or you have attacks through email, the traffic will be forwarded to the email security and it will be blocked by the firewall. It gives you a clear view of the file and it can be blocked at every stage, protecting your network from this threat.

    One of the best parts is the traffic management and the inspection of the traffic packets. The Device Manager is easy to use to supervise things, and the Firepower application gives you clear threat detection and blocking of all threats. Cisco also provides a better analysis of the traffic.

    In addition, Talos is an enhancement to Cisco firewalls, and provides a better view.

    The device management options, such as Firepower Device Manager (FDM), Cisco Firepower Management Center (FMC), or Cisco Defense Orchestrator (CDO) add a lot of enhancements in the initial deployment and configuration. In migrating, they can help to create the migration configuration and they help in managing encryption and automation. They add a lot of enhancements to the device. They make things easier. In the past, you had to use the CLI and you could not control all this. Now you have a GUI which provides visibility and you can easily integrate and make changes.

    What needs improvement?

    When I deal with other firewalls like Palo Alto or Fortinet, I think there is some room for performance tuning and enhancement of the ASA. I'm not saying there is a performance issue with the product, but when compared to others, it seems the others perform a little bit better.

    There could be enhancements to the cloud part of the solution. It's good now, but more enhancements would be helpful.

    Finally, security generally requires integration with many devices, and the management side of that process could be enhanced somewhat. It would help if there was a clear view of the integrations and what the easiest way to do them is.

    For how long have I used the solution?

    I have been using Cisco ASA NGFW for more than 10 years.

    What do I think about the stability of the solution?

    The ASA is stable. There may be some small stability issues, when compared to others, but it is a stable product. There could be enhancements to the ASA in this area when compared to other vendors, but it is not a problem with the product.

    What do I think about the scalability of the solution?

    It is scalable, with virtualization and other features.

    In terms of future-proofing our customers' security, we recommend the ASA. We have tested it in large environments and it's working well. The lesson I have learned from using Cisco ASA is that Cisco's research is continuous. They provide enhancements every day. It's a product for the future.

    How are customer service and technical support?

    Technical support is a very strong point in Cisco's favor. I would rate it very highly. The support is excellent.

    How was the initial setup?

    The setup is of medium difficulty. It is not very complex. Generally, when working in the security field, things are a little bit complex because you are integrating with many vendors and you are defending against a lot of different kinds of attacks.

    The amount of time it takes to deploy the ASA depends on the complexity of the site where it is being set up. On average, it can take about a week. It could be that there are many policies that need to be migrated, and it depends on the integration. For the initial setup, it takes one day but the amount of time it takes beyond that depends on the security environment.

    What was our ROI?

    Our customers definitely see return on investment with Cisco ASA because when you protect your network there is ROI. If you lose your data you have a big loss. The ROI is in the security level and the protection of data.

    What's my experience with pricing, setup cost, and licensing?

    The value of the pricing needs to be enhanced from Cisco because there are a lot of competitors in the market. There is room for improvement in the pricing when compared to the market. Although, when you compare the benefits of support from Cisco, you can adjust the value and it becomes comparable, because you usually need very good support. So you gain value there with this device.

    What other advice do I have?

    My advice is to take care of and monitor your policies and be aware of the threats. You also have to be careful when changing policies. When you do, don't leave unused policies around, because that will affect performance. You should have audits of your firewall and its policies and follow the recommendations from Cisco support.

    Among the things I have learned from using Cisco ASA is that integration is easy, especially with Cisco products. And the support helps you to integrate with anything, so you can integrate with products outside of the Cisco family as well.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
    Othniel Atseh - PeerSpot reviewer
    Network Security Consultant at a consultancy with 1-10 employees
    Consultant
    URL filtering and easy integration with other Cisco products are key features for us
    Pros and Cons
    • "If we look at the Cisco ASA without Firepower, then one of the most valuable features is the URL filtering."
    • "It's easy to integrate ASA with other Cisco security products. When you understand the technology, it's not a big deal. It's very simple."
    • "One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection."

    What is our primary use case?

    The first time I deployed Cisco ASA was for one of our clients. This client had a Palo Alto firewall and he wanted to migrate. He bought an ASA 2505, and he wanted us to come in and deploy it and, after that, to put in high-availability. We deployed it and the high-availability means that in case one fails, there is a second one to take over.

    I have deployed Cisco ISE and, in the same environment, we had a Cisco FTD. In that environment, we were using the ASA for VPN, and we were using the FTD like an edge device. The ASA was deployed as VPN facilitator and for the wireless part too, so that the wireless network was under the ASA firewall.

    What is most valuable?

    If we look at the Cisco ASA without Firepower, then one of the most valuable features is the URL filtering.

    Also, it's easy to integrate ASA with other Cisco security products. When you understand the technology, it's not a big deal. It's very simple.

    When it comes to threat visibility, the ASA is good. The ASA denies threats by using common ACLs. It can detect some DoS attacks and we can monitor suspicious ICMP packets using the ASA. It helps you know when an attack is detected.

    Cisco Talos is good. It provides threat intelligence. It updates all the devices to be aware of the new threats and the new attacks out there, so that is a good thing. It's like having God update all the devices. For example, even if you have FTD in your company, malware can be very difficult to detect. There is a new type of malware called polymorphic malware. When it replicates, it changes its signature which makes it very difficult for a firewall to detect. So if your company encounters one type of malware, once, it is automatically updated in your environment. And when it is updated, Talos then updates every firewall in the world, so even if those other firewalls have not yet encountered those particular types of malware, because Talos automatically updates everything, they're able to block those types of malware as well. Talos is very beneficial.

    When it comes to managing, with FMD (Firepower Management Device) you can only manage one device, but when you work with FMC (Firepower Management Center) you can manage a lot of sensors, meaning FTDs. You can have a lot of FTDs but you only have one management center and it can manage all those sensors in your company. It is very good.

    What needs improvement?

    One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't think that the ASA is enough. I think this is why they created FTD.

    Also, Cisco is not so easy to configure.

    For how long have I used the solution?

    I have been using and deploying Cisco ASA for two to three years. 

    What do I think about the stability of the solution?

    Cisco ASA is stable.

    What do I think about the scalability of the solution?

    It's scalable. You can integrate AD, you can integrate Cisco NAC. You can integrate quite a lot of things so that makes it scalable.

    How was the initial setup?

    When you configure the ASA, there is already a basic setup there. Based on your environment, you need to customize it. If you understand security and firewalls very well, you can create your own setup.

    For me, the initial setup is easy, but is it good? Because from a security perspective, you always need to customize the initial setup and come up with the setup that fits with your environment. So it's always easy to do the initial setup, but the initial setup is for kids in IT.

    The time it takes to set up the ASA depends on your environment. For a smaller deployment, you just have the one interface to configure and to put some policies in place and that's all. If you are deploying the ASA for something like a bank, there are a lot of policies and there is a lot of testing to do, so that can take you all night. So the setup time really depends on your environment and on the size of the company as well.

    What's my experience with pricing, setup cost, and licensing?

    When it comes to Cisco, the price of everything is higher.

    Cisco firewalls are expensive, but we get support from Cisco, and that support is very active. When I hit an issue when I was configuring an FTD, as soon as I raised a ticket the guy called me and supported me. Cisco is very proactive.

    I had the same kind of issue when I was configuring a FortiGate, but those guys took two or three days to call me. I fixed the issue before they even called me.

    Which other solutions did I evaluate?

    I have used firewalls from Fortinet, Palo Alto, and Check Point. To configure an ASA for VPN, there are a lot of steps. When it comes to the FortiGate, it's just a few clicks. FortiGate also has built-in templates for configuring VPN. When you want to create a VPN between FortiGate and FortiGate, the template is already there. All you need to do is enter an IP address. When you want to configure a VPN with a third-party using the FortiGate, and say the third-party is Cisco, there is a VPN template for Cisco built into the FortiGate. So FortiGate is very easy to configure, compared to Cisco. But the Cisco firewall is powerful.

    Check Point is something like Cisco but if I have to choose between Cisco and Check Point firewalls, I will choose Cisco because of all the features that Cisco has. With Cisco you can do a lot of things, when it comes to advanced malware protection and IPS. Check Point is very complicated to manage. They have recently come out with Infinity where there is a central point of management.

    Palo Alto has a lot of functionality but I haven't worked on the newer models.

    What other advice do I have?

    Cisco firewalls are not for kids. They are for people who understand security. Now I know why people with Cisco training are very good, because they train you to be competent. They train you to have ability. And when you have ability, their firewall becomes very easy to configure.

    When Cisco is teaching you, Cisco teaches you the concept. Cisco gives you a concept. They don't focus on how to configure the device. With Fortinet, for instance, Fortinet teaches you how to configure their device, without giving you the concepts. Cisco gives you the concepts about how the technology is working. And then they tell you how you are going to configure things on their box. When you are an engineer and you understand the technology from Cisco, it means that you can drive everything, because if you understand Cisco very well, you can work with FortiGate. If you understand security from Cisco, it means that you can configure everything, you can configure every firewall. This is why I like Cisco.

    When it comes to other vendors, it's easy to understand and it's easy to configure, but you can configure without understanding. And when you configure without understanding, you can't troubleshoot. To troubleshoot, you need understanding. 

    I'm a security analyst, so I deal with everything about firewalls. I'm talking about ASA firewalls, and I'm talking about ASA with Firepower, FTD, and Cisco Meraki MX. When it comes to security tools I am comfortable with Cisco and everything Cisco.

    One of our clients was using Cisco ASA. They got attacked, but I don't think that this attack came from outside their company. They were managing their firewall and configuring everything well, but they were still getting attacks. One of their employees had been compromised and his laptop was infected. This laptop infected everything in the organization. So the weakest link can be your employees.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Jonathan Muwanga - PeerSpot reviewer
    Head of Information Communication Technology at National Building Society
    Real User
    Standard reports allow us to constantly monitor our environment and take corrective steps
    Pros and Cons
    • "The benefits we see from the ASA are connected to teleworking as well as, of course, having the basic functionality of a firewall in place and the prevention of attacks."
    • "If I want to activate IPS features on it, I have to buy another license. If I want Cisco AnyConnect, I have to buy another license. That's where we have challenges."

    What is our primary use case?

    We use the Cisco firewall for a number of things. We've got VPN tunnels, IPsec tunnels. We also use it for basic network layer filtering for our internal service, because we have a number of services that we offer out to clients, so that is the first device that they come across when they get into the network.

    We have a network of six remote sites and we use proxy to go to the internet, and from the internet Cisco is the first line of defense. We have internet banking services that we offer to our clients, and that also makes use of the Cisco firewall as the first line of defense. And we've got a number of servers, a Hyper-V virtual environment, and we've got a disaster recovery site.

    We had VAPT (vulnerability assessment and pen testing) done by external people to see our level of security from inside and outside and they managed to find some deficiencies inside. That's when they recommended that we should put in network access control. By integrating the ASA with Cisco ISE, that is what we are trying to achieve.

    The whole idea is to make sure that any machines that are not on our domain should not be able to connect to the network. They should be blocked.

    We also have Cisco switches deployed in our environment. All our active switches are Cisco. The ASA is integrated with them. This integration was done by a combination of our Cisco partner and in-house, because we did this at the time of setting up the infrastructure in 2016.

    How has it helped my organization?

    The benefits we see from the ASA are connected to teleworking as well as, of course, having the basic functionality of a firewall in place and the prevention of attacks. The VPN is also helpful.

    What is most valuable?

    Among the most valuable features are the reports which are generated according to the rules that we've put in place to either block traffic or report suspicious attempts to connect to our network. They would come standard with any firewall and we're always monitoring them and taking any corrective steps needed.

    What needs improvement?

    We have the ASA integrated with Cisco ISE for network access control. The integration was done by our local Cisco partner. It took them about a month to really get the solution up and running. I would like to believe that there was some level of complexity there in terms of the integration. It seems it was not very easy to integrate if the experts themselves took that long to really come up with a working solution. Sometimes we had to roll back during the process.

    Initially, when we put it up, we were having issues where maybe it would be barring things from users completely, things that we wanted the users to access. So we went through fine tuning and now I think it's working as we expect.

    For how long have I used the solution?

    We have been using Cisco ASA NGFW since 2016, when we launched.

    What do I think about the stability of the solution?

    The ASA is utilized 100 percent of the time. It's up all the time as it's a perimeter firewall. It's always up. It's our first line of defense. It's quite robust, we've never had issues with it. It's very stable.

    What do I think about the scalability of the solution?

    We haven't maxed it out in terms of its capacity, and we've got up to about 200 users browsing the internet at any given time. In terms of throughput, we've got an ASA 5525 so it handles capacity pretty well. There aren't any issues there.

    How are customer service and technical support?

    We have a Cisco partner, so if ever we did have issues we'd go through them, but up until now — this bank has been open for four years — we've never had an issue with the Cisco firewall.

    Which solution did I use previously and why did I switch?

    We went with Cisco because it's a reputable brand and we also have CCNP engineers in our team as well. It's the brand of choice. We were also familiar with it from our past jobs.

    What was our ROI?

    The ROI is the fact that we haven't been attacked.

    What's my experience with pricing, setup cost, and licensing?

    It's a brilliant firewall, and the fact that it comes with a perpetual license really does go far in terms of helping the organization in not having to deal with those costs on an annual basis. That is a pain point when it comes to services like the ones we have on FortiGate. That's where we really give Cisco firewalls the thumbs up.

    From the point of view of total cost of ownership, the perpetual licensing works well in countries like ours, where we are facing challenges with foreign exchange. Trying to set up foreign payments has been a challenge in Zimbabwe, so the fact that we don't have to be subscribed and pay licenses on an annual basis works well. If you look at FortiGate, it's a good product, but we are always under pressure when renewal time comes.

    Where Cisco falls a bit short is because of the fact that, if I want IPS, I have to buy another license. That's why I have my reservations with it. If I want Cisco AnyConnect, I have to buy another license. That's where we have challenges. That's unlike our next-gen FortiGate where everything comes out-of-the-box.

    What other advice do I have?

    My advice is "go for it," 100 percent. If ever I was told to implement a network, ASA would definitely be part and parcel of the solution.

    The biggest lesson we've learned from using the product is about the rapid growth of the product's offerings.

    In terms of the maturity of our organization's security implementation, I would like to believe that we are about midway. We still need to harden our security. We need to conduct penetration testing every two years and, resources permitting, maybe yearly. The guys out there who do cyber security crimes are becoming more and more advanced, so there is a need for us to also upgrade our security.

    We have a two-layer firewall setup, which is what is recommended as the standard for the payment card industry. We probably need solutions linked with cloud providers from the likes of Cisco, and to put in some bank-grade intrusion detection solutions. Because we have already adopted two technologies, Cisco and FortiGate, we might be looking at solutions from those two providers.

    We're also looking at end-point security solutions. We've been using the one which comes with our Office 365 and Microsoft product, Windows Defender. We are going to be trialing their new end-point management solution. We are trying to balance things from a cost point of view and providing the right level of security.

    In addition to Windows Defender and the firewalls — ASA and FortiGate — and the network access control, we also have SSL for the website.

    As for application visibility and control, currently we're just using logging. We don't have the Firepower installed, so it's just general logging and scheduled checks here and there. As for threat visibility, for us the ASA is a perimeter firewall. Behind that firewall we have an IDS and an IPA. We actually have the license for Firepower but we haven't implemented it; it was just an issue of priorities at the time.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Network Specialist at a financial services firm with 501-1,000 employees
    Real User
    Top 20
    Automated policies save us time
    Pros and Cons
    • "On the network side, where you create your rules for allowing traffic — what can come inside and what can go out — that works perfectly, if you know what you want to achieve. It protects you."

      What is our primary use case?

      Some are being used as edge firewalls and others are for our server-farm/data center. So some are being used as transparent firewalls and others are used as a break between the LAN and WAN.

      In addition to the firewalls, we have Mimecast for email security as we're using Office 365. We're also using IBM's QRadar for SIEM. For antivirus we're just using Microsoft Windows Defender. We also have an internet proxy for content and for that we're using NetScaler.

      How has it helped my organization?

      Automated policies definitely save us time. I would estimate on the order of two hours per day.

      What is most valuable?

      On the network side, where you create your rules for allowing traffic — what can come inside and what can go out — that works perfectly, if you know what you want to achieve. It protects you. Once you get all your rules in place, done correctly, you have some sort of security in terms of who can have access to your network and who has access to what, even internally. You're secure and your authorization is in place for who can access what. If someone is trying to penetrate your network from the outside, you know what you've blocked and what you've allowed.

      It's not so difficult to pull out reports for what we need.

      It comes with IPS, the Intrusion Prevention System, and we're also using that.

      For how long have I used the solution?

      I've been using Cisco ASA NGFW for five years.

      What do I think about the stability of the solution?

      The stability is quite good. We haven't had issues. I've used them for five years now and I haven't seen any hardware failures or software issues. They've been running well. I would recommend them for their reliability.

      What do I think about the scalability of the solution?

      You can extend your network. They are cool. They are good for scalability.

      How are customer service and technical support?

      We have a Cisco partner we're working with. But if they're struggling to assist us then they can log a ticket for us. Our partner is always a 10 out of 10.

      What was our ROI?

      Given that we have been upgrading with Cisco firewalls, I would say that our company has seen a return on investment with Cisco. We would have changed to a different product if we were not happy.

      The response time from the tech and the support we get from our partner is quite good. We have never struggled with anything along those lines, even hardware RMAs. Cisco is always there to support its customers.

      What's my experience with pricing, setup cost, and licensing?

      The pricing is quite fair for what you get. If you're comparing with other products, Cisco is expensive, but you do get benefits for the price.

      Which other solutions did I evaluate?

      The firewall that I was exposed to before was Check Point.

      What other advice do I have?

      It's very good to get partner support if you're not very familiar with how Cisco works. Cisco Certified Partner support is a priority.

      For application visibility and control we're using a WAN optimizer called Silver Peak.

      To replace the firewalls within our data center we're planning to put in FMCs and FTDs. With the new FMCs what I like is that you don't need to log in to the firewalls directly. Whatever changes you do are done on your FMCs. That is a much needed improvement over the old ASAs. You can log in to the management center to make any configuration changes. 

      There are two of us managing the ASAs in our company, myself and a colleague, and we are both network specialists. We plan to increase usage. We're a company of 650 employees and we also have consultants who are coming from outside to gain access to certain services on our network. We need to make provisions on the firewall for them.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Maharajan S - PeerSpot reviewer
      VSO at Navitas Life Sciences
      Real User
      Top 5
      Gives us more visibility into the inbound/outbound traffic being managed
      Pros and Cons
      • "Being able to determine our active users vs inactive users has led us to increased productivity through visibility. Also, if an issue was happening with our throughput, then we wouldn't know without research. Now, notifications are more proactively happening."
      • "The central management tool is not comfortable to use. You need to have a specific skill set. This is an important improvement for management because I would like to log into Firepower, see the dashboard, and generate a real-time report, then I question my team."

      What is our primary use case?

      We have an offshore development center with around 1,400 users (in one location) where we have deployed this firewall.

      The maturity of our organization’s security implementation is a four out of five (with five being high). We do have NOC and SOC environments along with in-built access to our systems. 

      We use Acunetix as one of our major tools. We do have some open source. There are a couple of networks where we are using the Tenable tool. We have implemented an SIEM along with a Kaspersky at the cloud level. In the Cisco firewall, we installed Kaspersky in the firewall logs which upload to Kaspersky for us to review back.

      How has it helped my organization?

      Being able to determine our active users vs inactive users has led us to increased productivity through visibility. Also, if an issue was happening with our throughput, then we wouldn't know without research. Now, notifications are more proactively happening.

      What is most valuable?

      The advanced malware protection (AMP) is valuable because we didn't previously have this when we had an enterprise gateway. Depending on the end user, they could have EDR or antivirus. Now, we have enabled Cisco AMP, which gives us more protection at the gateway level.

      The application visibility is also valuable. Previously, with each application, we would prepare and develop a report based on our knowledge. E.g., there are a couple of business units using the SAS application, but we lacked visibility into the application layer and usage. We used to have to configure the IP or URL to give us information about usage. Now, we have visibility into concurrent SAS/Oracle sessions. This solution gives us more visibility into the inbound/outbound traffic being managed. This application visibility is something new for us and very effective because we are using Office 365 predominantly as our productivity tool. Therefore, when users are accessing any of the Office 365 apps, this is directly identified and we can see the usage pattern. It gives us more visibility into our operations, as I can see information in real-time on the dashboards.

      What needs improvement?

      The solution has positively affected our organization’s security posture. I would rate the effects as an eight (out of 10). There is still concern about the engagement between Cisco Firepower and Cisco ASA, which we have in other offices. We are missing the visibility between these two products.

      We would like more application visibility and an anti-malware protection system, because we don't have this at the enterprise level.

      The central management tool is not comfortable to use. You need to have a specific skill set. This is an important improvement for management because I would like to log into Firepower, see the dashboard, and generate a real-time report, then I question my team.

      For how long have I used the solution?

      Nearly a year.

      What do I think about the stability of the solution?

      So far, it has been stable.

      We have around 32 people for maintenance. Our NOC team works 24/7. They are the team who manages the solution.

      What do I think about the scalability of the solution?

      Scalability is one of our major business requirements. We are seeing 20 percent growth year-over-year. The plan is to keep this product for another four years.

      How are customer service and technical support?

      We contacted Cisco directly when issues happened during the implementation, e.g., the management console was hacked.

      Which solution did I use previously and why did I switch?

      We used Fortinet and that product was coming to end of life. We had been using it continuously for seven years, then we started to experience maintenance issues.

      Also, we previously struggled to determine who were all our active users, especially since many were VPN users. We would have to manually determine who was an inactive user, where now the process is more automated. It also had difficulty handling our load.

      How was the initial setup?

      The initial setup was complex. We engaged NTT Dimension Data as there were a couple of things that needed to be done for our requirements and validation. This took time to get signed off on by the quality team. However, the configuration/implementation of the system did not take much time. It was a vanilla implementation.

      We did face performance issues with the console during implementation. The console was hacked and we needed to reinstall the console in the virtual environment. 

      What about the implementation team?

      We were engaged with a local vendor, NTT Dimension Data, who is a Cisco partner. They were more involved on the implementation and migration of the firewall. Some channels were reconfigured, along with some URL filtering and other policies that we used for configuration or migration to the new server.

      Our experience with NTT Dimension Data has been good. We have been using them these past four to five years.

      What was our ROI?

      We have seen ROI. Our productivity has increased.

      The change to Cisco Firepower has reduced the time it takes for our network guy to generate our monthly report. It used to take him many hours where he can now have it done in an hour.

      What's my experience with pricing, setup cost, and licensing?

      Cisco pricing is premium. However, they gave us a 50 to 60 percent discount.

      There are additional implementation and validation costs.

      Which other solutions did I evaluate?

      We also evaluated Check Point, Palo Alto, Sophos, and Cisco ASA. In the beginning, we thought about going for Cisco ASA but were told that Firepower was the newest solution. We met with Cisco and they told us that they were giving more attention going forward to Firepower than the ASA product.

      We did a small POC running in parallel with Fortinet. We evaluated reports, capability, and the people involved. Palo Alto was one of the closest competitors because they have a threat intelligence report in their dashboard. However, we decided not to go with Palo Alto because of the price and support.

      What other advice do I have?

      We are using Cisco at a global level. We have internally integrated this solution with Cisco Unified Communications Manager in a master and slave type of environment that we built. It uses a country code for each extension. Also, there is Jabber, which our laptop users utilize when connecting from home. They call through Jabber to connect with customers. Another tool that we use is Cisco Meraki. This is our all time favorite product for the office WiFi environment. However, we are not currently integrating our entire stack because then we would have to change everything. We may integrate the Cisco stack in the future. It should not be difficult to integrate since everything is a Cisco product. The only issue may be compliance since we have offices in the US and Europe.

      We are now using a NGFW which helps us deep dive versus using a normal firewall.

      Overall, I would rate Cisco Firepower as an eight (out of 10).

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Sikander Ali - PeerSpot reviewer
      IT Infrastructure Engineer at Atlas Group
      Real User
      Meets my requirements regarding VPN, perimeter protection, and applications
      Pros and Cons
      • "One of the most valuable features is the AMP. It's very good and very reliable when it comes to malicious activities, websites, and viruses."
      • "One feature I would like to see, that Firepower doesn't have, is email security. Perhaps in the future, Cisco will integrate Cisco Umbrella with Firepower. I don't see why we should have to pay for two separate products when both could be integrated in one box."

      What is our primary use case?

      I protect my two servers with the help of Firepower. Both servers are connected to the Firepower and I monitor the traffic to both servers with it. I block traffic from all countries except the USA, for security purposes.

      How has it helped my organization?

      It meets my requirements regarding VPN, perimeter protection, and applications. I'm comfortable with what Firepower does for me. Firepower is the only security product deployed in my organization.

      The Talos team is very expert and does a good job. It is a great achievement by Cisco for Firepower. It analyzes all the websites and viruses that could create vulnerabilities. Talos helps us by providing major protection. They maintain everything and we don't need any other security appliances. In the future, we may go for an email security appliance, but right now Firepower is enough for us. Without the Talos team, the Firepower might not fulfill our requirements.

      For example, if I receive an email and it has a potentially malicious link, I can enter the link in the Talos website and it will provide me with all the details about the website link in the email, including which country and IP it is from. I always try to cross-check any potentially malicious links with Talos. It tells me whether I am vulnerable or not.

      What is most valuable?

      One of the most valuable features is the AMP. It's very good and very reliable when it comes to malicious activities, websites, and viruses.

      It also handles application vulnerabilities. I have blocked some applications in my Firepower. In addition, there are predefined policies that come with the Firepower and I have created my own policies as well.

      We also use Cisco switches, the 2920 for Layer 2 and the 3560 for Layer 3. The Firepower is integrated with the 3560. I have configured a gateway on the 3560 and all our traffic goes through the switch and is then passed on to the Firepower. The integration between the two was very easy.

      What needs improvement?

      One feature I would like to see, that Firepower doesn't have, is email security. Perhaps in the future, Cisco will integrate Cisco Umbrella with Firepower. I don't see why we should have to pay for two separate products when both could be integrated in one box.

      For how long have I used the solution?

      I have been using Cisco Firepower for two years.

      What do I think about the stability of the solution?

      It's a very mature product and runs smoothly.

      Which solution did I use previously and why did I switch?

      Before the Firepower I was using a traditional firewall, the ASA 5510. We went to the Firepower because the 5510 did not have port security, anti-malware protection, or IDS/IPS.

      I have seen a lot of events using the Firepower: vulnerability events, countries, and IPs. As a result, I feel I am secure when compared with other firewalls. With my previous firewall, I didn't have the option of blocking a country, website, or IP.

      What other advice do I have?

      I would advise using Firepower and not other products because other products do not have all the features available in Firepower.

      We are looking to integrate with Cisco Umbrella next year and we will integrate our switches and Cisco Firepower with it.

      It has been a good investment for my organization and I'm happy to be using it. All its features are good. It's a great firewall for a small business. But you really need to know what you are doing to get the most benefit from it. Overall, I don't think anybody can replace Firepower or Cisco.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Cisco Security Specialist at a tech services company with 10,001+ employees
      Real User
      Robust solution that integrates well with both Cisco products and products from other vendors
      Pros and Cons
      • "If you have a solution that is creating a script and you need to deploy many implementations, you can create a script in the device and it will be the same for all. After that, you just have to do the fine tuning."
      • "Cisco missed the mark with all the configuration steps. They are a pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But the front-end configuration is very tough."

      What is our primary use case?

      The ASAs are a defense solution for companies. Many of them use the AnyConnect or the VPN licenses. They also use it to have a next-generation firewall and to be compliant with GDPR.

      The majority of our usage of the solution is on-prem or hybrid. The culture, here in Portugal — even knowing that the future is full cloud, in my opinion — is to only be on the way to full cloud.

      What is most valuable?

      All the features are very valuable. 

      Among them is the integration for remote users, with AnyConnect, to the infrastructure. All the security through that is wonderful and it's very easy. You connect and you are inside your company network via VPN. Everything is encrypted and it's a very good solution. This is a wonderful feature. You need to make sure your machine has the profile requested by the company. That means having the patches updated. Optionally, you should have the antivirus updated, but you can decide whatever you would like in order to enable acceptance of the end-device in the enterprise network. That can be done with AnyConnect for remote/satellite users, or with ISE for local users.

      The intrusion prevention system, the intrusion detection, is perfect. But you can also integrate Cisco with an IPS solution from another vendor, and just use the ASA with AnyConnect and as a firewall. You can choose from among many other vendors' products that the ASA will integrate with. Now, with Cisco SecureX, it's much easier than before. Cisco used to be completely blocked from other vendors but with SecureX they are open to other vendors. That was a massive improvement that Cisco probably should have made 10 years ago or seven years ago. They only released SecureX three or four months ago. 

      Cisco ASA also provides application control. You can block or prevent people from going to certain applications or certain content. But the ASA only acts as a "bodyguard." It doesn't provide full visibility of the network. For that, there are other solutions from Cisco, such as ISE, although that is more for identity. Stealthwatch or TrustSec is what you need for visibility. They are both for monitoring and providing full visibility of the network, and they integrate with ASA.

      Also, all of Cisco's security products are supported with Talos. Talos is in the background, handling all the improvements, all the updates. If something happens in Australia, for example, Talos will be aware of it and it will update the worldwide Talos network for all Cisco products. Within two minutes or three minutes, worldwide, Cisco products will be aware of that threat. Talos belongs to Cisco. It's like a Cisco research center.

      What needs improvement?

      My concern in the 21st century, with ASA, is the front-end. I think Cisco missed the mark with all the configuration steps. They are a pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But the front-end configuration is very tough. They probably still make a good profit even with the front-end being difficult, but it's not easy. It's not user-friendly. All the configuration procedures are not user-friendly.

      Also, they launched the 1000 series for SMBs. They have all the same features as the enterprise solutions, but the throughput is less and, obviously, the price is less as well. It's a very nice appliance. However, imagine you buy one, take it out of the box to connect it and the device needs one hour or two hours to start up. That is a pain and that is not appropriate for the 21st century. They should solve that issue.

      Another issue is that when you integrate different Cisco solutions with each other, there is an overlap of features and you need to turn some of them off, and that is not very good. If you don't, and you have overlap, you will have problems. Disabling the overlap can be done manually or the solution can identify that there is already a process running, and will tell you to please disable that function.

      For today's threats, for today's reality, you need to add solutions to the ASA, either from Cisco or from other vendors, to have a full security solution in an enterprise company.

      For how long have I used the solution?

      I've been using Cisco ASA NGFW for almost two years.

      What do I think about the stability of the solution?

      The stability of the ASA is perfect. There is no downtime. And you can have redundancy as well. You can have two ASAs working in Active-Passive or load balancing. If the product needs a restart, you don't have downtime because you use the other one. From that point of view it's very robust.

      What do I think about the scalability of the solution?

      You can go for other models for scalability and sort it out that way.

      My suggestion is to think about scalability and about your tomorrow — whether you'll increase or not — and already think about the next step from the beginning.

      How are customer service and technical support?

      Cisco's technical support for ASA is very good. I have dealt with them many times. They are very well prepared. If you have a Smart Account, they will change your device by the next business day. That is a very good point about Cisco. You have to pay for a Smart Account, but it's very useful.

      How was the initial setup?

      The initial setup is very complex. You need to set a load of settings, whether from the CLI or the GUI. It's not an easy process and it should be. That is one of the reasons why many retailers don't go for Cisco. They know Cisco is very good. They know Cisco does ensure security, that it is one of the top-three security vendors, but because of the work involved in the implementation, they decide to go with other solutions.

      There are two possibilities in terms of deployment. If we go to a client who is the ASA purchaser and they give us all their policies, all their permissions, and everything is organized, we can deploy, with testing, in one full day. But many times they don't know the policies or what they would like to allow and block. In that scenario, it will take ages. That's not from the Cisco side but because of the customer.

      One person, who knows the solutions well, is enough for an ASA deployment. I have done it alone many times. After it's deployed, the number of people needed to maintain the solution depends on their expertise. One expert could do everything involved with the maintenance.

      What's my experience with pricing, setup cost, and licensing?

      When it comes to security, pricing should not be an issue, but we know, of course, that it is. Why is an Aston Martin or a Rolls Royce very expensive? It's expensive because the support is there at all times. Replacement parts are available at all times. They offer a lot of opportunities and customer services that others don't come close to offering. 

      Cisco is expensive but it's a highly rated company. It's one of the top-three security companies worldwide.

      Which other solutions did I evaluate?

      I can see the differences between Cisco and Check Point. 

      Cisco has a solution called Umbrella which was called OpenDNS before, and from my point of view, Umbrella can reduce 60 percent of the attack surface because it checks the validity of the DNS. It will check all the links you click on to see if they are real or fake, using the signature link. If any of them are unknown, they will go straight to the sandbox. Those features do not exist with Check Point.

      What other advice do I have?

      Cisco ASA is a very robust solution. It does its job and it has all the top features. If you have a solution that is creating a script and you need to deploy many implementations, you can create a script in the device and it will be the same for all. After that, you just have to do the fine tuning. It lacks when it comes to the configuration steps and the pain that that process is. You need to spend loads of time with it at setup. Overall, it does everything they say it does.

      It's a very good solution but don't only go with the ASA. Go for Cisco Umbrella and join them together. If you have remote employees, go for AnyConnect to be more than secure in your infrastructure.

      You cannot do everything with Cisco Defense Orchestrator. You have a few options with it but cannot do everything from the cloud if you are connected with the console of a device. You don't have all the same options, you only have some options with it. For example, you can manage the security policies, all of them, from the cloud. However, not all the settings and all the things you can do when in front of the device are available with CDO. What you see is what you get.

      Most companies using ASA are big companies. They are not SMB companies. There are very few SMB companies using it. There are the banks and consulting companies, the huge ones. Usually the ASAs are for massive companies.

      Our reality in Portugal is a little different. I was at a Cisco conference here in Lisbon and the guy said, "Oh, we have this solution," — it was for multi-factor authentication — "and we have different licenses. We have a license for 40,000 and for 20,000 users." And I was thinking, "This guy doesn't know Portuguese reality. There are no companies in Portugal with 40,000 employees."

      Large companies who do use ASA use various security tools like IPS and Layer 7 control. From my experience, and from common sense, it's best to have solutions from different vendors joining together. The majority have defense products for the deterrent capacities they need to achieve security. Our clients also often have Cisco ISE, Identity Service Engine. It's a NAC solution that integrates perfectly with ASA and with AnyConnect as well.

      As for future-proofing your security strategy, ASA is the perfect solution if you integrate other Cisco solutions. But the ASA alone will not do it because it does not handle some of the core issues, like full visibility of the network, the users, the machines, the procedures, and the applications, in my opinion.

      Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
      PeerSpot user
      Syed Khalid Ali - PeerSpot reviewer
      Senior Solution Architect at a tech services company with 51-200 employees
      Real User
      pxGrid enables all devices on the network to communicate
      Pros and Cons
      • "The Firepower+ISE+AMP for endpoint integration is something that really makes it stand out from other vendor solutions. They have something called pxGrid and I think it is already endorsed by IETF. This allows all devices on the network to communicate."
      • "The product line does not address the SMB market as it is supposed to do. Cisco already has an on-premises sandbox solution."

      What is our primary use case?

      I use Firepower for all kinds of customers: healthcare, government, banks, etc. All of them have different use cases and requirements. In most cases, I would mostly end up with enterprises or government organizations. If you already have all Cisco gear, I would suggest considering it, as it will allow you to have a more integrated approach toward other network components.

      How has it helped my organization?

      I will definitely recommend it to any customer. But, it all depends on the requirements and money you have. But the Intrusion Prevention and anti-malware is really good with this solution. Overall, it is a really good product.

      I remember a customer who was using another firewall product and they had serious issues in intrusion and malware detection and prevention. Plus, the reporting was not that detailed. I did a demo with these people with FTDv and FMCv and they were amazed with the solution.

      What is most valuable?

      The Firepower+ISE+AMP for endpoint integration is something that really makes it stand out from other vendor solutions. They have something called pxGrid and I think it is already endorsed by IETF. This allows all devices on the network to communicate. I find it to be a more proactive approach as all devices collaborate with ISE in real time. I did a demo for a customer and there were no second thoughts in the usability of the solution. You should give it a try to find out more about how this works.

      What needs improvement?

      The product line does not address the SMB market as it is supposed to do. Cisco already has an on-premises sandbox solution. They should include a cloud-based sandbox as part of the security subscription service. In my experience, apart from the expensive price, SMB customers are lured away by other vendor solutions because of these reasons.                      

      For how long have I used the solution?

      I work for a systems integrator, who is also a partner for Cisco and other security vendors. I have reasonable hands-on experience with different firewall products. I have been doing it since the v6.1 release. Firepower is a bit difficult and takes time to learn.

      Which solution did I use previously and why did I switch?

      I did use and deploy different firewall solutions for various customers. But every customer has his own pain points. For example, for one of the customers, he was purely looking for URL filtering. We went with Sangfor IAM in that case. They have a very strong focus on application and URL filtering and user behavior management. Plus, reporting was very extensive. 

      What's my experience with pricing, setup cost, and licensing?

      In my country, deployment may be charged from USD 1K to USD 10K depending on setup cost. There are different types of licenses:

      • Threat
      • URL
      • Anti-malware

      I would suggest going with an all-in-one bundle. You will end up saving money. Also, Cisco has a better discount on a 3YR subscription plan. Discuss this with your Cisco AM.

      Which other solutions did I evaluate?

      Yes, this included firewalls from Huawei, Fortinet, Sangfor, and Sophos. Most of the customers end up with:

      • Fortinet
      • Sophos
      • Sangfor
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      KUMAR SAIN - PeerSpot reviewer
      Network Security Administration at Rackspace Technology
      Real User
      Provides DDoS protection and multi-factor authentication
      Pros and Cons
      • "They provide DDoS protection and multi-factor authentication. That is a good option as it enables work-from-home functionality."
      • "Cisco provides us with application visibility and control, although it's not a complete solution compared to other vendors. Cisco needs to work on the application behavior side of things, in particular when it comes to the behavior of SSL traffic."

      What is our primary use case?

      Our business requirements are URL filtering and threat protection. We're using the Cisco 5525 and 5510 series. We have eight to 10 firewalls.

      Our company is looking for vendors who can protect from the current, advanced technologies. We are looking for any technology that protects from the most threats, and that covers things like DDoS protection, spyware, and SSL.

      How has it helped my organization?

      We feel secure using Cisco firewalls. That's why we're using them. Cisco has never disappointed us, from a business point of view.

      What is most valuable?

      Cisco provides the most solutions.

      We use some of our Cisco firewalls offsite. They provide DDoS protection and multi-factor authentication. That is a good option as it enables work-from-home functionality. That is a feature that makes our customers happy.

      What needs improvement?

      Cisco needs to work more on the security and tech parts. Palo Alto gives a complete solution. Customers are very happy to go with Cisco because they have been around a long time. But that's why we are expecting Cisco to give us a solution like Palo Alto, a complete solution.

      Cisco provides us with application visibility and control, although it's not a complete solution compared to other vendors. Cisco needs to work on the application behavior side of things, in particular when it comes to the behavior of SSL traffic. There is a focus on SSL traffic, encrypted traffic. Cisco firewalls are not powerful enough to check the behavior of SSL traffic. Encrypted traffic is a priority for our company.

      In addition, while Cisco Talos is good, compared to the market, they need to work on it. If there is an attack, Talos updates the IP address, which is good. But with Palo Alto, and possibly other vendors, if there is an attack or there is unknown traffic, they are dealing with the signature within five minutes. Talos is the worst around what an attacker is doing in terms of updating bad IPs. It is slower than other vendors.

      Also, Cisco's various offerings are separate. We want to see a one-product, one-box solution from Cisco.

      For how long have I used the solution?

      I have been working on the security side for the last one and a half years. The company has been using Cisco ASA NGFW for three to four years.

      What do I think about the stability of the solution?

      The stability is good. It's the best, around the world.

      What do I think about the scalability of the solution?

      The scalability is also good. But in terms of future-proofing our security strategy, it depends on the points I mentioned elsewhere that Cisco needs to work on.

      How are customer service and technical support?

      We are getting the best support from Cisco and we are not getting the best support from Palo Alto.

      What's my experience with pricing, setup cost, and licensing?

      In terms of costs, other solutions are more expensive than Cisco. Palo Alto is more expensive than Cisco.

      Which other solutions did I evaluate?

      Cisco is the most tested product and is more reliable than others. But Cisco needs to work on the security side, like website protection and application behavior. We have more than 40 locations around the world and all our customers are expecting Cisco. If Cisco provides the best solution, we can go with Cisco rather than with other vendors.

      Palo Alto gives the best solution these days, but the problem is that documentation of the complete solution is not available on their site. Also, Palo Alto's support is not as good as Cisco's. We don't have a strong bond with Palo Alto. The longer the relationship with any vendor, the more trust you have and the more it is stable. We are more comfortable with Cisco, compared to Palo Alto.

      What other advice do I have?

      If you're looking for a complete solution, such as URL filtering and threat protection, we recommend Palo Alto firewalls, but this Cisco product is also good.

      We are using three to four security tools: one for web security, and another tool for application security, and another for email security. For email we have an Office 365 email domain so we are using other tools for that. For firewall security we are using Cisco ASA, Palo Alto, and Fortinet for protecting our business.

      We have about 15 people on my team managing the solutions. They are network admins, and some are in security.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      CEO at a security firm with 1-10 employees
      Reseller
      Has solid encryption and the stability is good
      Pros and Cons
      • "The most valuable feature is that the encryption is solid."
      • "It is expensive."

      What is our primary use case?

      My primary use case is to have it as VPN hardware. I have 2,000 providers. I am a reseller and as such, I am connected to telcos. I use ASA because our providers use Cisco in their core network as well.

      How has it helped my organization?

      We had a situation where our network was down and the telecom providers at Cisco support helped us to resolve those issues. The downtime was brought down to a minimum.

      What is most valuable?

      The most valuable feature is that the encryption is solid. 

      For how long have I used the solution?

      I have been using Cisco ASA for thirteen years. 

      What do I think about the scalability of the solution?

      What I use now is sufficient based on the traffic that we are generating. We won't have to expand.  

      We have two providers for ASA. There is only one administrator. We have about 1.2 million connections going through one ASA per month.

      How are customer service and technical support?

      Their technical support is very good. 

      Which solution did I use previously and why did I switch?

      I didn't previously use a different solution. We used Cisco and then we upgraded to ASA. 

      How was the initial setup?

      The initial setup was straightforward. To set up the VPN we are able to set up the feature key networks that are going to talk to each other. We can set up what access is going to be used. The connection was set up in one or two days. 

      We set it up twice. The first time it took four hours and the second time took ten hours spread out over two days. 

      What was our ROI?

      I have seen ROI. We use ASA because our provider uses it and they have support. The provider initiates the support with Cisco. The support is good. The license for the support is expensive. 

      What's my experience with pricing, setup cost, and licensing?

      It is expensive. 

      What other advice do I have?

      I would recommend this solution. If you have the money, it's a very stable product. Make sure to keep critical spare parts. You might have for instance some modules that will need acceleration cards and those types of things.

      I would rate it a nine out of ten. 

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Girish Vyas - PeerSpot reviewer
      Architect - Cloud Serviced at a comms service provider with 10,001+ employees
      Real User
      Top 20
      Has next gen features like application awareness and intrusion protection but the CLI needs to be simplified
      Pros and Cons
      • "They wanted to leverage something which is equivalent that can give them the next gen features like application awareness and intrusion protection. So that is a major reason they were looking forward to this. The original ASA firewall did not have these features. This was the major reason the customer moved on to Cisco Firepower Threat Defense (FTD). Now they can go ahead and leverage those functionalities."
      • "I was just trying to learn how this product actually operates and one thing that I see from internal processing is it does fire-walling and then sends it to the IPS model and any other model that needs to be performed. For example, content checking or filtering will be done in a field processing manner. That is something that causes delays in the network, from a security perspective. That is something that can be improved upon. Palo Alto already has implemented this as a pilot passed processing. So they put the same stream of data across multiple modules at the same time and see if it is giving a positive result by using an XR function. So, something similar can be done in the Cisco Firepower. Instead of single processing or in a sequential manner, they can do something similar to pile processing. Internal function that is something that they can improve upon."

      What is our primary use case?

      Our primary use case is whatever is best for our customer. I'm the service provider. The customer's main purpose is to use the malware services protection and the firewall itself, as well as the application awareness feature.

      How has it helped my organization?

      My client company is Cisco Oriented. They wanted to leverage something which is equivalent that can give them the next gen features like application awareness and intrusion protection. That is a major reason they were looking forward to this. The original ASA firewall did not have these features. This was the major reason the customer moved on to Cisco Firepower Threat Defense (FTD). Now they can go ahead and leverage those functionalities.

      What is most valuable?

      Firepower is an okay product. However, it is better as a firewall than the IPS or other services it provides.

      What needs improvement?

      I was trying to learn how this product actually operates and one thing that I see from internal processing is that it does fire-walling and then sends it to the IPS model and any other model that needs to be performed. For example, content checking or filtering will be done in a field processing manner. That is something that causes delays in the network, from a security perspective. That is something that can be improved upon. Palo Alto already has implemented this as a pilot passed processing. They put the same stream of data across multiple modules at the same time and see if it is giving a positive result by using an XR function. Something similar can be done in Cisco Firepower. Instead of single processing or in a sequential manner, they can do something similar to pile processing. An internal function that is something that they can improve upon.

      They can also improve on cost because Cisco is normally expensive and that's the reason customers do not buy them.

      Also, if they could provide integration with Cisco Umbrella, that would actually improve the store next level. Integration is one thing that I would definitely want.

      From a technical perspective, maybe they could simplify the CLI. That is one thing that I would like to be implemented because Cisco ASA or Cisco, in general, is usually good at simple CLIs. That is one thing that I saw lacking in FTD. Maybe because they got it from another vendor. They're trying to integrate the product.

      For how long have I used the solution?

      Two years

      What do I think about the stability of the solution?

      From a stability diagnosis, once I did the deployment it did not give me any issue for at least six to eight months. Once it went to a stable support, I did not see major problems. I don't think there were issues with stability.

      However, the core upgrades frequently come in, so you need to be carefully devising that support management. From a stability perspective, if you are happy with your current stuff and you do not require patch updates, it would be very stable. If you're using an IPS, the only challenge would be patch management. With Cisco having cloud integration and just firing one command and getting things done, it is still okay. It is a good, stable product.

      What do I think about the scalability of the solution?

      We have only one or two firewalls as a site data center firewall.

      From what I have studied, they are scalable. You can have eight firewalls integrated with the FTP devices. I don't think scalability would be an issue but I do not have a first-hand answer on that.

      There are approximately 2,500 customer base users using Cisco Firepower. It's a data center firewall, so all the sites integrate for one data center.

      You do not need extra staff to maintain Firepower. One field technician engineer, FTE would be sufficient and should not be a problem. I don't think extra staff would be needed. For support, for instance, you need one person.

      How are customer service and technical support?

      They have very good documentation, so there's a small chance you will actually need technical support. I would give kudos to the Cisco documentation. That would be the answer.

      I have not tried the support because most of it has been solved with the documentation. Nevertheless, Cisco support has typically been a pleasant experience. I don't think that would be a problem with this.

      Which solution did I use previously and why did I switch?

      We did previously use a different solution. They had two different solutions. One was Cisco ASA itself and before that, they used Check Point.

      We are a Cisco company and that's the reason they are moving from one Cisco product to another Cisco product, which was better than the previous one. So, that was a major reason for the switch. I would say the other vendors are improving. This company was just Cisco oriented so they wanted something Cisco.

      How was the initial setup?

      The initial setup is a bit difficult. Other vendors are doing the app integration solution. The initial setup was medium in complexity.

      You need to install the Firepower CLI. You need to log into that and then you'll need to sit down to connect to the ASA and configure the ASA level services. You also need a Firepower management station for it to work appropriately. The setup is serious and a bit complex.

      What about the implementation team?

      In my scenario, because I had to learn the entire technology over there and then apply it, it took me around two weeks' time to do it. Then the integration, improvisation, and stuff that normally happens took some extra time. You can safely say a period of around two to four weeks is what it normally takes for deployment. This is based on how the company evaluates the product. It depends on how much you know at that point.

      Usually, for the deployment, the company works with Cisco, so they only use Cisco products. I am a DIY person, I did the deployment myself.

      What's my experience with pricing, setup cost, and licensing?

      We normally license on a yearly basis.

      The hardware procurement cost should be considered. If you're virtual maybe that cost is eradicated and just the licensing cost is applied. If you have hardware the cost must be covered by you. 

      All the shipping charges will be paid by you also.

      I don't think there are any other hidden charges though.

      Which other solutions did I evaluate?

      We gave them Palo Alto as an alternative option. I think they were more into Cisco. They did not evaluate the Palo Alto though, they just opted for Cisco.

      What other advice do I have?

      If you're really looking into Cisco Firepower, they have a good product, but I would say study hard and look around. If you want an easier product, you can always use Palo Alto. If you are a Cisco guy and you want to be with Cisco, you'll need to get an integration service engineer from the Cisco side. That will actually help you out a lot. Alternatively, maybe you can go for Palo Alto. That would be the best thing to do.

      If you are not worried about the technical integration part and learning how it works and how well it can go with the environment, I would recommend you go ahead and take an integration engineer with you. Doing a POC could be troublesome for you. We have professional services. You can leverage that.

      If you do not want to invest much money on all that stuff you can go ahead and hire someone who's already aware. Or if not, you can use any other vendor like Palo Alto.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Lead Network Administrator at a financial services firm with 201-500 employees
      Real User
      Enables analysis, diagnosis, and deployment of fixes quickly, but the system missed a SIP attack
      Pros and Cons
      • "With the FMC and the FirePOWERs, the ability to quickly replace a piece of hardware without having to have a network outage is useful. Also, the ability to replace a piece of equipment and deploy the config that the previous piece of equipment had is pretty useful."
      • "We had an event recently where we had inbound traffic for SIP and we experienced an attack against our SIP endpoint, such that they were able to successfully make calls out... Both CTR, which is gathering data from multiple solutions that the vendor provides, as well as the FMC events connection, did not show any of those connections because there was not a NAT inbound which said either allow it or deny it."

      What is our primary use case?

      These are our primary edge firewalls at two data centers.

      How has it helped my organization?

      Today I was able to quickly identify that SSH was being blocked from one server to another, and that was impacting our ability to back up that particular server, because it uses SFTP to back up. I saw that it was blocking rule 22, and one of the things I was able to do very quickly was to take an existing application rule that says 22, or SSH, is allowed. I copied that rule, pasted it into the ruleset and edited it so that it applied to the new IPs — the new to and from. I was able to analyze, diagnose, and deploy the fix in about five minutes.

      That illustrates the ability to utilize the product as a single pane of glass. I did the troubleshooting, the figuring out why it was a problem, and the fix, all from the same console. In the past, that would have been a combination of changes that I would have had to make both on the ASDM side of things, using ASDM to manage the ASA rules, as well as having to allow them in the FMC and to the FirePOWER.

      Overall, as a result of the solution, our company's security posture is a lot better now.

      What is most valuable?

      With the FMC and the FirePOWERs, the ability to quickly replace a piece of hardware without having to have a network outage is useful. Also, the ability to replace a piece of equipment and deploy the config that the previous piece of equipment had is pretty useful. 

      The administration is a little easier on the FirePOWER appliances because we're not using two separate products. For example, in the ASAs with FirePOWER Services, we were using the FMC to manage the FirePOWER Services, but we were still using ASDM for the traditional Layer 2 and Layer 3 rulesets. That is all combined in FMC for the FirePOWER devices.

      Our particular version includes application visibility and control. Most next-gen firewalls do. The product is maturing with what they call FirePOWER Threat Defense, which is the code that runs on the firewalls themselves. The FirePOWER Threat Defense software has matured somewhat. There were some issues with some older versions where they didn't handle things in a predictable manner. Applications that we didn't have a specific rule for may have been allowed through until it could identify them as a threat. We reorganized our rules, because of that "feature," in a different way so that those extra packets weren't getting through and we weren't having to wait so long for the assessment of whether they should be allowed or not. We took a different approach for those unknowns and basically created a whitelist/blacklist model where applications on the list were allowed through.

      Then, as you progressed into the ruleset, some of those features became more relevant and we stopped this. We looked at it as "leaky" because it was allowing some packets in that we didn't want in, while it made the determination of whether or not those applications were dangerous. Our mindset was to assume they're dangerous before letting them in so we had to adjust our ruleset for that. As the product matures, they've come out with better best practices related to it. Initially, there wasn't a lot of best-practice information for these. We may have been a little early in deploying the FirePOWER appliances versus continuing on with the adaptive security appliances, the old PIX/ASA model of firewalls. Cisco proposed this newer model and our VAR agreed it would be a benefit to us.

      There was a bit of a transition. The way they handle the processing of applications is different between the ASAs and the FirePOWERs. There were growing pains for us with that. But ultimately, the ability to have this configured to the point where I could choose a specific user and create a rule which says this user can use this application, and they'll be able to do it from whatever system they want to, has been advantageous for our functionality and our ability to deliver services more quickly.

      There haven't been a lot of specific use cases for that, other than troubleshooting things for myself. But having the knowledge that that functionality is there, is helpful. Certainly, we do have quite a few rules now which are based on "this application is allowed, this whole set of applications is blocked." It does make that easier because, in the past, you generally did that by saying, "This port is allowed, this port is blocked." Now we can say, not the ports; we're doing it by the services, or instead of by the services we're doing it by the applications. It makes it a little bit easier. And Cisco has taken the step of categorizing applications as well, so we can block an entire group of applications that fall under a particular category.

      For the most part, it's very good for giving us visibility into the network, in conjunction with other products that give us visibility into users as well as remote items. It's really good at tracking internal things, really good at tracking people, and really good at giving us visibility as to what's hitting us, in most situations.

      In general, Cisco is doing a pretty good job. Since we started the deploy process, they've increased the number of best-practice and configuration-guidance webinars they do. Once a month they'll have one where they show how we can fix certain things and a better way to run certain things. 

      The product continues to improve as well. Some of the features that were missing from the product line when it was first deployed — I was using it when it was 6.2 — are in 6.4. We had some of them in ASDM and they were helpful for troubleshooting, but they did not exist on the FirePOWER side of things. They've slowly been adding some of those features. They have also been improving the integration with ISE and some of the other products that utilize those resources. It's getting better.

      What needs improvement?

      Regarding the solution's ability to provide visibility into threats, I'm not as positive about that one. We had an event recently where we had inbound traffic for SIP and we experienced an attack against our SIP endpoint, such that they were able to successfully make calls out. There is no NAT for that. So we opened a case with the vendor asking how this was possible. They had to get several people on the line to explain to us that there was an invisible, hidden NAT and that is how that traffic was getting in, and that this was by design. That was rather frustrating because as far as the troubleshooting goes, I saw no traffic.

      Both CTR, which is gathering data from multiple solutions that the vendor provides, as well as the FMC events connection, did not show any of those connections because there wasn't a NAT inbound which said either allow it or deny it. There just wasn't a rule that said traffic outside on SIP should be allowed into this system. They explained to us that, because we had an outbound PAT rule for SIP, it creates a NAT inbound for us. I've yet to find it documented anywhere. So I was blamed for an inbound event that was caused because a NAT that was not described anywhere in the configuration was being used to allow that traffic in. That relates to the behavior differences between the ASAs and the FirePOWERs and the maturity. That was one of those situations where I was a little disappointed. 

      Most of the time it's very good for giving me visibility into the network. But in that particular scenario, it was not reporting the traffic at all. I had multiple systems that were saying, "Yeah, this is not a problem, because I see no traffic. I don't know what you're talking about." When I would ask, "Why are we having these outbound calls that shouldn't be happening?" there was nothing. Eventually, Cisco found another rule in our code and they said, "Oh, it's because you have this rule, that inbound NAT was able to be taken advantage of." Once again I said, "But we don't have an inbound NAT. You just decided to create one and didn't tell us."

      We had some costs associated with those outbound SIP calls that were considered to be an incident.

      For the most part, my impression of Cisco Talos is good. But again, I searched Cisco Talos for these people who were making these SIP calls and they were identified as legitimate networks. They had been flagged as utilized for viral campaigns in the past, but they weren't flagged at the time as being SIP attackers or SIP hijackers, and that was wrong. Obviously Talos didn't have the correct information in that scenario. When I requested that they update it based on the fact that we had experienced SIP attacks for those networks, Talos declined. They said no, these networks are fine. They should not be considered bad actors. It seemed that Talos didn't care that those particular addresses were used to attack us.

      It would have protected other people if they'd adjusted those to be people who are actively carrying out SIP attacks against us currently. Generally speaking, they're top-of-the-game as far as security intelligence goes, but in this one scenario, the whole process seemed to fail us from end to end. Their basic contention was that it was my fault, not theirs. That didn't help me as a customer and, as an employee of the credit union, it certainly hurt me.

      For how long have I used the solution?

      We've been using the FMC for about five years. We've only been using the FTD or FirePOWER appliances for about a year.

      What do I think about the stability of the solution?

      The stability is pretty good. We went through several code revisions from being on the ASAs on 6.2, all the way through the new FirePOWERs, moving them to 6.4.

      Unfortunately, we had the misfortune of using a particular set of code that later was identified as a problem and we had a bit of an upgrade issue. We were trying to get off of 6.3.0 on to 6.3.0.3. The whole system fell apart and I had to rebuild it. I had to break HA. We ended up having to RMA one of our two FMCs. I'm only now, a couple of months later, getting that resolved.

      That said, I've had six or seven upgrades that went smoothly with no issues.

      What do I think about the scalability of the solution?

      The scalability is awesome. That's one of those features that this product adds. Not only does it scale so that we can add more firewalls and have more areas of deployment and get more functionality done, but we have the ability that we could replace a small-to-medium, enterprise firewall with a large enterprise firewall, with very little pain and effort. That's because that code is re-appliable across multiple FirePOWER solutions. So should a need for more bandwidth arise, we could easily replace the products and deploy the same rulesets. The protections we have in place would carry forward.

      We hairpin all of our internet traffic through the data centers. Our branch offices have Cisco's Meraki product and use the firewall for things that we allow outbound at that location. Most of that is member WiFi traffic which goes out through the local connections and out through those firewalls. We don't really want all of the member Facebook traffic coming through our main firewalls. I don't foresee that changing. I don't see us moving to a scenario where we're not hairpinning all of our business-relevant internet traffic through the data centers. 

      I don't foresee us adding another data center in the near future, but that is always an option. I do foresee us increasing our bandwidth requirements and, potentially, requiring an additional device or an increase in the device size. We have FirePOWER 2100s and we might have to go to something bigger to support our bandwidth requirements.

      Which solution did I use previously and why did I switch?

      The previous usage was with an ASA that had FirePOWER services installed.

      How was the initial setup?

      The transition from the ASA platform to the FirePOWER platform was a little difficult. It took some effort and there were some road bumps along the way. After the fact, they were certainly running all over themselves to assist us. But during the actual events, all they were trying to do was point out how it wasn't their fault, which wasn't very helpful. I wasn't interested in who was to blame, I was interested in how we could fix this. They wanted to spend all their time figuring out how they could blame somebody else. That was rather frustrating for me while going through the process. It wasn't as smooth as it should have been. It could have been a much easier process with better support from the vendor.

      It took about a month per site. We have two data centers and we tackled them one at a time.

      We set up the appliances and got them configured on the network and connected to the FirePOWER Management console. At that point we had the ability to deploy to the units, and they had the ability to get their code updates. At that point we utilized the Firewall Migration Tool that allowed us to migrate the code from an ASA to a FirePOWER. It was well supported. I had a couple of tickets I had to open and they had very good support for it. We were able to transition the code from the ASAs to the FirePOWERs.

      It deployed very well, but again, some of these things that were being protected on the ASA side were allowed on the FirePOWER side; specifically, that SIP traffic. We didn't have any special rules in the ASA about SIP and that got copied over. The lack of a specific rule saying only allow from these sites and block from these countries, is what we had to do to fix the problem. We had to say, "This country and that country and that country are not allowed to SIP-traffic us." That fixed the problem. There is a certain amount missing in that migration, but it was fairly easy to use the toolkit to migrate the code.

      Then, it was just that lack of knowledge about an invisible NAT and the lack of documentation regarding that kind of thing. As time has gone by, they've increased the documentation. The leaky packets I mentioned have since been added as, "This is the behavior of the product." Now you can Google that and it will show you that a few packets getting through is expected behavior until the engine makes a determination, and then it'll react retroactively, to say that that traffic should be blocked.

      Certainly, it's expected behavior that a few packets get through. If we'd known that, we might have reacted differently. Not knowing that we should have expected that traffic made for a little bit of concern, especially from the security team. They had third-party products reporting this as a problem, but when I'd go into the console, it would say that traffic was blocked. But it wasn't blocked at first, it was only blocked now, because that decision had been made. All I saw is that it was blocked. From their point of view, they were able to see, "Oh, well initially it was allowed and then it got blocked." We were a little concerned that it wasn't functioning correctly. When you have two products reporting two different things, it becomes a bit of a concern.

      What was our ROI?

      We have probably not seen ROI yet. These are licensed under Cisco ONE and you usually don't see a return on investment until the second set of hardware. We're still on our first set of hardware under this licensing.

      That said, our ASAs were ready to go end-of-life. The return on investment there is that we don't have end-of-life hardware in our data center. That return was pretty immediate.

      What other advice do I have?

      The biggest lesson I have learned from using this solution is that you can't always trust that console. In the particular case of the traffic which I was used to seeing identified in CTR, not seeing that traffic but knowing that it was actually occurring was a little bit of a concern. It wasn't until we actually put rules in that said "block that traffic" that I started to see the traffic in the console and in the CTR. Overall, my confidence in Cisco as a whole was shaken by that series of events. I have a little bit less trust in the brand, but so far I've been happy with the results. Ultimately we got what we wanted out of it. We expected certain capabilities and we received those capabilities. We may have been early adopters — maybe a little bit too early. If we had waited a little bit, we might've seen more about these SIP issues that weren't just happening to us. They've happened to other people as well.

      The maturity of our company's security implementation is beyond the nascent stage but we're not what I would call fully matured. We're somewhere in the middle. "Fully matured" would be having a lot more automation and response capabilities. At this point, to a large extent, the information security team doesn't even have a grasp on what devices are connected to the network, let alone the ability to stop a new device from being added or quarantined in an automated fashion. From my point of view, posture control from our ISE system, where it would pass the SGTs to the FirePOWER system so that we could do user-based access and also automated quarantining, would go a long way towards our maturity. In the NISK model, we're still at the beginning stages, about a year into the process.

      Most of our tools have some security element to them. From the Cisco product line, I can think of about ten that are currently deployed. We have a few extras that are not Cisco branded, three or four other items that are vulnerability-scanning or SIEM or machine-learning and automation of threat detection.

      The stuff that we have licensed includes the AMP for Networks, URL filtering, ITS updates and automation to the rule updates, as well as vulnerability updates that the product provides. Additionally, we have other services that are part of Cisco's threat-centric defense, including Umbrella and AMP for Endpoints. We use Cisco Threat Response, or CTR, to get a big-picture view from all these different services. There's a certain amount of StealthWatch included in the product, as well as some of the other advantages of having the Cisco Talos security intelligence.

      The integration among these products is definitely better than among the non-Cisco products. It's much better than trying to integrate it with non-Cisco functionality. That is probably by design, by Cisco. Because they can work on both ends of, for example, integrating our AMP for Endpoints into our FirePOWER Management Console, they can troubleshoot from both ends. That probably makes for a better integration whereas, when we're trying to troubleshoot the integration with, say, Microsoft Intune, it's very hard to get Cisco to work together with Microsoft to figure out where the problem is. When you have the same people working on both sides of the equation, it makes it a little easier. 

      Additionally, as our service needs have progressed and the number of products we have from Cisco has increased, they've put us onto a managed security product-support model. When I call in, they don't only know how to work on the product I'm calling in on. Take FMC, for example. They also know how to work on some of those other products that they know we have, such as the Cisco Voice system or Jabber or the WebEx Teams configurations, and some of those integrations as well. So, their troubleshooting doesn't end with the firewall and then they pass us off to another support functionality. On that first call, they usually have in-house resources who are knowledgeable about all those different aspects of the Threat Centric defenses, as well as about routine routing and switching stuff, and some of the hardware knowledge as well. We're a heavy Cisco shop and it helps in troubleshooting things when the person I'm talking to doesn't know only about firewalls. That's been beneficial. It's a newer model that they've been deploying because they do have so many customers with multiple products which they want to work together.

      In most cases, this number of tools improves our security operations, but recent events indicate that, to a large extent, the tools and their utilization, beyond the people who deployed them, weren't very helpful in identifying and isolating a particular issue that we had recently. Ultimately, it ended up taking Cisco and a TAC case to identify the problems. Even though the security team has all these other tools that they utilize, apparently they don't know how to use them because they weren't able to utilize them to do more than provide info that we already had.

      We have other vendors' products as well. To a large extent, they're monitoring solutions and they're not really designed to integrate. The functionality which some of these other products provide is usually a replication of a functionality that's already within the Cisco product, but it may or may not be to the extent or capacity that the information security team prefers. My functionality is largely the security hardware and Cisco-related products, and their functionality is more on the monitoring side and providing the policies. From their point of view, they wanted specific products that they prefer for their monitoring. So it wasn't surprising that they found the Cisco products deficient, because they didn't want the Cisco products in the first place. And that's not saying they didn't desire the Cisco benefits. It's just they have their preference. They'd rather see Rapid7's vulnerability scan than ISE's. They'd rather see the connection events from Darktrace rather than relying on the FMC. And I agree, it's a good idea to have two viewpoints into this kind of stuff, especially if there's a disagreement between the two products. It never hurts to have two products doing the same thing if you can afford it. The best thing that can happen is when the two products disagree. You can utilize both products to figure out where the deficiency lies. That's another advantage.

      For deployment, upgrades, and maintenance, it's just me.

      We were PIX customers when they were software-based, so we've been using that product line for some time, other than the Meraki MXs that we're using for the branch offices. The Merakis are pretty good firewalls as well.

      We also have access here at our primary data centers, but they're configured differently and do different things. The MXs we have at our data centers are more about the LAN functionality and the ability to fail from site to site and to take the VPN connections from the branch offices. For remote access VPN, we primarily used the firewalls. For our site-to-site VPNs, we primarily use these firewalls. For our public-facing traffic, or what is traditionally referred to as DMZ traffic, we're primarily relying on these firewalls. So, they have a lot of functionality here at the credit union. Almost all of our internet bound traffic travels through those in some way, unless we're talking about our members' WiFi traffic.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Tomáš Plíšek, CEO at Diestra consulting CZ, s.r.o.
      User

      For many years we have used Cisco technologies in our clients' infrastructures (in our network too, btw.) and can say we are very satisfied. This brand is reliable.

      Senior Network Engineer at a consultancy with 1,001-5,000 employees
      Real User
      Notably reduced our time to root cause and MTTR
      Pros and Cons
      • "We can easily track unauthorized users and see where traffic is going."
      • "We would like to see improvement in recovery. If there is an issue that forces us to do recovery, we have to restart or reboot. In addition, sometimes we have downtime during the maintenance windows. If Cisco could enhance this, so that upgrades would not necessarily require downtime, that would be helpful."

      What is our primary use case?

      The primary use case for Cisco firewalls is to segment our network. We're using them on the perimeter network for traffic filtering. Since deploying them, we have seen a maturing of the security in our organization.

      We're using both the FTD 2100 and 4100. We have about 40 sites that are using our approximately 80 FTDs. We have about 2,000 users.

      How has it helped my organization?

      It has helped us to solve some problems regarding auditor recommendations. We used to have some audit recommendations that we were not able to comply with. With FTD deployed we have been able to be in compliance around our 36 remote sites.

      Before deploying them we had a lot of incidents of internet slowness and issues with site access, as well as computers that had vulnerabilities. But as soon as we deployed them we were able to track these things. It has helped the user-experience regarding connectivity and security. 

      In addition, it is giving us a better view regarding the traffic profile and traffic path. And we can categorize applications by utilization, by users, etc.

      The solution has, overall, made us twice as productive and, in terms of response time for resolving issues or to identify root causes, we are three times more effective and efficient.

      What is most valuable?

      We can easily track unauthorized users and see where traffic is going. It is very useful.

      FTD is also fully integrated with Talos. We are in the process of acquiring it and we will integrate it. That way we will have everything from Talos to do correlations.

      What needs improvement?

      We would like to see improvement in recovery. If there is an issue that forces us to do recovery, we have to restart or reboot. In addition, sometimes we have downtime during the maintenance windows. If Cisco could enhance this, so that upgrades would not necessarily require downtime, that would be helpful.

      We would also like to have a solution on the cloud, where we could manage the configuration. CDO is in the ASA mode. If Cisco could do it in full FTD — the configuration, the administration, and everything — it would be very good, and easy.

      What do I think about the stability of the solution?

      The solution is stable. Last year, we deployed it in more 32 countries and it has been stable since the deployment. We haven't had any issues with the firewall. If we have any issues, it is usually due to the power. The solution itself is stable.

      What do I think about the scalability of the solution?

      It's scalable.

      How are customer service and technical support?

      Tech support is able to resolve 70 percent of the issues. In case of an emergency, we can open a case because we have a contract for Smart Net support on the devices. In case of an issue, we open a case and we get assistance.

      Which solution did I use previously and why did I switch?

      Before FirePOWER we were using the ASA.

      How was the initial setup?

      At the beginning, it was complex, but we were able to develop a step-by-step implementation. Now, we can deploy one in about two hours, including integration testing, physical testing, configuration, and applying the rules.

      What about the implementation team?

      We have in-house engineers for the deployment. We haven't used external, third-parties. We are a big institution, based in 36 countries. The team that is focused on this deployment is a team of five. The person who is handling the implementation will be in contact with a local engineer at the remote site, and will assist him, remotely, to do the testing and follow the steps to deploy.

      What's my experience with pricing, setup cost, and licensing?

      The one-time cost is affordable, but the maintenance cost and the Smart Net costs need to be reduced. They're too high. A company like ours, that has about 80 firewalls, has to multiply the maintenance cost per device by 80. Cisco should find a way to provide some kind of enterprise support. We don't want to buy support per unit of equipment. It would be easier for everybody.

      What other advice do I have?

      We are using about ten different security tools, including analytics, monitoring, threat management, and email security. What we have integrated is the ISE and FTD but the third-party solutions are not fully integrated.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      PeerSpot user
      Security Officer at a government
      Real User
      Gives us visibility into potential outbreaks as well as malicious users trying to access the site
      Pros and Cons
      • "For us, the most valuable features are the IPX and the Sourcefire Defense Center module. That gives us visibility into the traffic coming in and going out, and gives us the heads-up if there is a potential outbreak or potential malicious user who is trying to access the site. It also helps us see traffic generated by an end device trying to reach out to the world."
      • "We were also not too thrilled when Cisco announced that in the upcoming new-gen ASA, iOS was not going to be supported, or if you install them, they will not be able to be managed through the Sourcefire. However, it seems like Cisco is moving away from the ASA iOS to the Sourcefire FireSIGHT firmware for the ASA. We haven't had a chance to test it out."

      What is our primary use case?

      We use them for perimeter defense and for VPN, and we also do web filtering.

      We're using ASAs at the moment. Going forward, we'll probably look at the FirePOWERs. We currently have anywhere from low end to the mid-range, starting with 5506s all the way up to 5555s. Everything is on-prem.

      We have a total of five different security tools in our organization. A couple of them complement each other so that's one of the reasons that we have so many, instead of just having one. For an organization like ours, it works out pretty well.

      We are a utility owned by a municipality, with a little over 200 employees in multiple locations.

      How has it helped my organization?

      Our response time has improved considerably. Rather than getting an alert from an antivirus which could be instantaneous or missed, we can take a look at the console of the Sourcefire Defense Center and identify the device. We can peek into it and see the reason it was tagged, what kind of event it encountered. We can then determine if it was something legit — a false positive — or a positive.

      It has improved the time it takes to do mediation on end-user devices. Instead of it being anywhere from ten to 15 to 30 minutes, we can potentially do it within about five minutes or under, at this point. In some cases, it can even be under a minute from when the event happens. By the time the end-user gets a message popping up on their screen, a warning about a virus or something similar from one of the anti-malware solutions that we have, within under a minute or so they are isolated from the network and no longer able to access any resources.

      What is most valuable?

      For us, the most valuable features are the IPX and the Sourcefire Defense Center module. That gives us visibility into the traffic coming in and going out and gives us the heads-up if there is a potential outbreak or potential malicious user who is trying to access the site. It also helps us see traffic generated by an end device trying to reach out to the world. 

      Sourcefire is coupled with Talos and that provides us good insight. It gives us a pretty good heads-up. Talos is tied to the Sourcefire Defense Center. Sourcefire Defense Center, which is also known as the management console, periodically checks all the packets that come and go with the Talos, to make sure traffic coming and going from IP addresses, or anything coming from email, is not coming from something that has already been tagged in Talos.

      We also use ESA and IronPort firewalls. The integration between those on the Next-Gen Firewalls is good. They are coupled together. If the client reports that there is a potential for a file or something trying to access the internet to download content, there are mediation steps that are in place. We don't have anything in the cloud so we're not looking for Umbrella at this point.

      What needs improvement?

      We've seen, for a while, that the upcoming revisions are not supported on some of the 5506 firewalls, which had some impact on our environment as some of our remote sites, with a handful of users, have them.

      We were also not too thrilled when Cisco announced that in the upcoming new-gen ASA, iOS was not going to be supported, or if you install them, they will not be able to be managed through the Sourcefire. However, it seems like Cisco is moving away from the ASA iOS to the Sourcefire FireSIGHT firmware for the ASA. We haven't had a chance to test it out. I would like to test it out and see what kind of improvements in performance it has, or at least what capabilities the Sourcefire FireSIGHT firmware is on the ASA and how well it works.

      For how long have I used the solution?

      We've been using next-gen firewalls for about four years.

      What do I think about the stability of the solution?

      With the main firewall we haven't had many issues. It's been pretty stable. I would rate it at 99.999 percent. Although I think it's very well known in the industry that there was a clock issue with the 5506 and the 5512 models. Their reliability has been far less. I wouldn't give those five-nine's. I would drop it down to 99 percent. Overall, we find the product quite stable.

      What do I think about the scalability of the solution?

      We are a very small environment. Based on our scale, it's been perfect for our environment.

      How are customer service and technical support?

      Their tech support has been pretty good. If the need arises, I contact them directly. Usually, our issues get resolved within 30 minutes to an hour. For us, that's pretty good.

      Which solution did I use previously and why did I switch?

      We were using multiple products in the past. Now, we have it all centralized on one product. We can do our content filtering and our firewall functions in the same place. The ASAs replaced two of the security tools we used to use. One was Barracuda and the other was the because of tools built into the ASAs, with IPX, etc.

      When we switched from the Barracuda, familiarity was one of the biggest reasons. The other organizations I've worked in were pretty much doing Cisco. I'm not going to deride the Barracuda. I found it to be pretty close, performance-wise. In some cases, it was pretty simple to use versus the Sourcefire management console. However, when you went into the nitty gritty of things, getting down to the micro level, Sourcefire was far ahead of Barracuda.

      How was the initial setup?

      We found the initial setup to be pretty straightforward the way we did it. We ended up doing one-on-one replacement. But as the environment grew and the needs grew, we ended up branching it off into different segmentations.

      Going from two devices to five devices took us a little over a year. That was all at one location though. We branched it off, each one handling a different environment. 

      For the first one, since it was new to us and there were some features we weren't familiar with, we had a partner help us out. Including configuring, install, bringing it into production, and going through a learning process — in monitoring mode — it took us about two to three days. Then, we went straight into protective mode. Within three years we had a Sourcefire ruleset on all that configured and deployed.

      It was done in parallel with our existing infrastructure and it was done in-line. That way, the existing one did all the work while this one just learned and we watched what kind of traffic was flowing through and what we needed to allow in to build a ruleset.

      It took three of us to do the implementation. And now, we normally have two people maintain the firewalls, a primary and a secondary.

      What about the implementation team?

      We use JKS Systems. We've been with them for 16-plus years, so our experience with them has been pretty good. They help with our networking needs.

      What was our ROI?

      On the engineering side we have definitely seen ROI. So far, we haven't had much downtime in our environment.

      What's my experience with pricing, setup cost, and licensing?

      Pricing varies on the model and the features we are using. It could be anywhere from $600 to $1000 to up to $7,000 per year, depending on what model and what feature sets are available to us.

      The only additional cost is Smart NET. That also depends on whether you're doing gold or silver, 24/7 or 8/5, etc.

      What other advice do I have?

      The biggest lesson I've learned so far from using the next-gen firewall is that it has visibility up to Layer 7. Traditionally, it was IP or port, TCP or any protocol we were looking for. But now we can go all the way up to Layer 7, and make sure STTP traffic is not a bit torn. That was something that we did not have before on the up-to-Layer-3 firewall.

      Do your research, do your homework, so you know what you're looking for, what you're trying to protect, and how much you can manage. Use that to narrow down the devices out there. So far, in our environment, we haven't had any issues with the ASA firewalls.

      From the first-gen, we have seen that they are pretty good. We are pretty content and happy with them.

      The solution can help with the application visibility and control but that is one portion we have really not dived into. That's one of the things we are looking forward to. As a small utility, a small organization, with our number of employees available, we can only stretch things so far. It has helped us to identify and highlight things to management. Hopefully, as our staff grows, we'll be able to devote more towards application visibility and all the stuff we really want to do with it.

      Similarly, when it comes to automated policy application and enforcement, we don't use it as much as we would like to. We're a small enough environment that we can do most of that manually. I'm still a little hesitant about it, because I've talked to people where an incident has happened and quite a bit of their devices were locked out. That is something we try to avoid. But as we grow, and there are more IoT things and more devices get on the network, that is something we'll definitely have to do. As DevNet gets going and we get more involved with it, I'm pretty sure more automation on the ASA, on the network side and security side, will take place on our end.

      We do find most of the features we are looking for on the ASA. Between the ASA firewall and the Sourcefire management console, we have pretty much all the features that we need in this environment.

      In terms of how the solution future-proofs our organization, that depends. I'm waiting to find out from Cisco what their roadmap is. They're still saying they're going to stick with ASA 55 series. We're also looking at the Sourcefire FireSIGHT product that they have for the firewalls. It depends. Are they going to continue to stick with the 55s or are they going to migrate all that into one product? Based on that, we'll have to adjust our needs and strategize.

      If I include some of the hiccups we had with the 5506 models, which was a sad event, I would give the ASAs a nine out of ten.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      PeerSpot user
      IT Infrastructure Specialist at RANDON S.A
      Real User
      Shows the top-consuming applications to help determine if there is a deviation or if we need to increase bandwidth
      Pros and Cons
      • "The protection and security features, like URL filtering, the inspection, and the IPS feature, are also very valuable for us. We don't have IT staff at most of the sites so for us it's important to have a robust firewall at those sites"
      • "The user interface for the Firepower management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For Firepower, the user interface is not very user-friendly. It's a little bit confusing sometimes."

      What is our primary use case?

      Currently, we have 16 remote sites. Some of them are sales offices and some of them are industrial plants. And we have a centralized IT department here in Brazil. The business asked me to support those remote sites. We started using the Firepower Threat Defense, which is one of the versions of next-gen firewalls from Cisco, at some of the sites. We have them operating at five sites, and we are deploying at a sixth site, in Mexico, with the same architecture. That architecture has the firewall running on the site's router, and we manage them all from here in Brazil.

      How has it helped my organization?

      Overall, I would summarize Firepower NGFW's effect on our company's security position by saying that, until now, we haven't had any major security incidents. The investment we made, and the investment we are still making in that platform, have worked because they are protecting us from any risks we are exposed to, having all these remote sites and using the internet as the way to connect those sites. They are doing what they promised and they are doing what we paid for.

      What is most valuable?

      For us, the main feature is due to the fact that we have internet connections for all these sites, and we use the internet to communicate with our data center using VPN. So the VPN support in these boxes is one of the most valuable features.

      Also, with the firewall itself, the protection and security features, like URL filtering, the inspection, and the IPS feature, are also very valuable for us. We don't have IT staff at most of the sites so for us it's important to have a robust firewall at those sites, to support the business and give us peace of mind. If we do have an incident, since we don't have any IT personnel there for support, we need to do everything remotely.

      It provides us with application visibility and control. We can see, on the dashboard, all the applications that are most used and which are under some sort of risk or vulnerability. From my perspective, which is more related to the network itself and the infrastructure, not the security aspect, it helps a lot when we need to check some situation or issue that could be related to any attack or any violation. We can see that there are one or two or three applications that are the top-consuming applications. We can use this information to analyze if there is a deviation or if it's something that we need to consider as normal behavior and increase the bandwidth on the site. It's very important to have this analytic view of what's happening. That's especially true for us, since we have information on all these remote sites but we don't have IT resources on-premises. Having this view of all the sites in the same pane of glass is very important.

      It's not just the visibility of things, but the management of application behavior is very important. If I see that, for example, Facebook is consuming too much bandwidth, I can make a policy on the console here and deploy it to our remote offices. So the application visibility feature is one of the key parts of the solution.

      NGFW's ability to provide visibility into threats is also one of the important features. Although we have several applications that are based on-premises — we have databases and file servers that only exist inside the company or inside those remote sites — we see more traffic going to and coming from the internet every day. It's not optional anymore to have visibility into all this traffic. More and more, we are moving things to Office 365 or other SaaS platforms which are hosted on the internet. We need to see this traffic crossing our network. It's a top priority for us.

      When it comes to Talos, I recognized the importance of it before they were even calling it Cisco Talos. As a user of the URL filtering product, the IronPort appliances, for six or seven years, perhaps or more, I was introduced, at that time, to a community that was called SenderBase.org, which was like the father of the Cisco Talos. Knowing them from that time, and now, the work they do is very important. It provides knowledge of what is happening in the security space. The information they can collect from all the hardware and software they have deployed with their customers is great. But the intelligence they also have to analyze and provide fixes for things like Zero-day attacks, for example, is crucial. They are able to map and categorize risks. They're unbeatable, currently. Although we know that other vendors have tried to replicate this service or feature, the history they have and the way they do their work, make it unbeatable currently.

      What needs improvement?

      Some products supersede others within Cisco. I have three platforms and some of the features are the same in two products. It's not clear for us, as a customer, if Cisco intends to have just one platform for security in the future or if they will offer one product for a particular segment, such as one product for the big companies, one product for the financial segment, another product for enterprise, and another product for small business.

      Sometimes, Cisco itself has two products which are doing the same things in some areas. That is something they could make clearer for customers: the position of each product or the roadmap for having just one product. 

      For example, I have a management console for the next-gen firewalls we are deploying. But the SD-WAN also has some security features and I would have to use another management console. I don't have integration between the products. Having this integration or a roadmap would help. I don't know if there will be one product only in the future, but at least having better integration between their own products is one area for improvement.

      Also, the user interface for the Firepower management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For Firepower, the user interface is not very user-friendly. It's a little bit confusing sometimes. This is another area where they could improve.

      For how long have I used the solution?

      We have been using Cisco NGFWs for about two years.

      What do I think about the stability of the solution?

      The stability is okay. It's robust enough to support the business we have. We haven't had any major issues with the product itself. Of course, we don't touch them frequently because it's a security deployment so it's not the type of thing where we make changes every day. Once we deploy them, and deploy the policies, we don't touch them frequently.

      We have one issue at one of the sites, at times. There is a power outage at the site and the virtual machine itself crashes. We have to recover from the crash and reinstall the backup. It's something that is not related to the product itself. It's more that our infrastructure has a problem with power which led to a firewall problem, but the product itself is not the root cause.

      What do I think about the scalability of the solution?

      It is scalable in our scenario. It is scalable the way we deploy it. It's the same template or architecture, and that was our intention, for all our remote sites. From this point of view, the scalability is okay. But if one of those remote sites increases in demand, in the number of users or in traffic, we don't have too much space to increase the firewall itself inside that deployment. We would probably need to replace or buy a new, more robust appliance. So the scalability for the architecture is fine. It's one of the major requirements for our distributed architecture. But scalability for the appliance itself, for the platform itself, could be a problem if we grow too much in a short period of time.

      I don't know how to measure how extensively we use it, but it's very important because without it, we can't have VPN and we can't communicate with our headquarters. We have SAP as our ERP software and it's located in our data center here at our headquarters. If we can't communicate with the data center, we lose the ability to communicate with SAP. So if we don't have the firewall running on those remote sites, it is a major problem for us. We must have it running. Otherwise, our operations at these remote sites will be compromised. In terms of volume, 40 percent of our sites are deployed and we still have plans to deploy the other 60 percent, this year and next year.

      Regarding future demands, if we create new business, like we are doing now in Mexico, our basic template has this next-gen firewall as part of it. So any other new, remote sites we deploy in the future, would use the same architecture and the same next-gen firewall.

      Which solution did I use previously and why did I switch?

      For our remote sites we didn't use a specific security platform. We had the Cisco router itself and the protection that the Cisco router offers. But of course you can't compare that with a next-gen firewall. But here in our headquarters, we currently use Palo Alto for our main firewall solution. And before Palo Alto, we used Check Point.

      The decision to use Cisco was because Cisco could offer us an integrated platform. We could have only one router at our remote sites which could support switch routing with acceleration, for IP telephony and for security. In the future we also intend to use SD-WAN in the same Cisco box. So the main advantage of using Cisco, aside from the fact that Cisco is, of course, well-positioned between the most important players in this segment, is that Cisco could offer this solution in a single box. For us, not having IT resources at those remote sites, it was important to have a simple solution, meaning we don't have several boxes at the site. Once we can converge to a single box to support several features, including security, it's better for us.

      The main aspect here is that if we had Fortinet or Check Point or Palo Alto, we would need another appliance just to manage security, and it wouldn't be integrated with what we have. Things like that would make the remote site more complex.

      We don't currently have a big Cisco firewall to compare to our Palo Alto. But one thing that is totally different is the fact that Cisco can coexist with the router we have.

      How was the initial setup?

      I participated in the first deployment. I know it's not hard to do, but it's also not easy. It requires some knowledge, the way we deploy it. We use next-gen firewalls inside the Cisco router. It's virtualized inside the Cisco router. So you need to set settings on the router itself to allow the traffic that comes to the router to go to the firewall and return to the router too. So it's not an easy setup but it's not very complex. It requires some knowledge, not only of security, but also of routing and related things. It's in the middle between complex and simple.

      Once you have the templates for it, it's easier. It can take a day or two to deploy, or about 20 hours for the whole configuration.

      What about the implementation team?

      The name of the local partner we use here in Brazil is InfraTI.

      For the first deployment we had to understand how to do it because of the constraints. We have the router and we have the next-gen firewalls running inside the router. Until we decided how to deploy, it took a little while. But now we have the knowledge to do that more easily. They are able to deploy it satisfactorily. We are happy with them.

      For deployment and maintenance of the solution, it requires two people and our partner. On our side there is an engineer to discuss the details, and then there is the person who does the deployment itself.

      What other advice do I have?

      You must know exactly what features are important for you, and how you can manage all this infrastructure in the future. Sometimes you can have a product that is superior but it might demand an increase in manpower to manage all the software or platforms. Another point to consider is how good the integration is between products. You should check what features you need, what features you can have, and the integration with other products.

      In terms of the maturity of our security implementation, we have had security appliances, software or hardware, for more than 15 years. So we have a long history of using security products. We started using Cisco competitors in the past and we still use them for our headquarters, where I am. Our main firewall is not currently Cisco, although we are in the process of evaluation and we will replace this firewall soon. Cisco is one of the brands being evaluated for that.

      In the past, while it's not a next-gen firewall, we also used a Cisco product for URL filtering, up until this year.

      We are moving to the cloud. We are starting to use Office 365, so we are moving email, for example, from on-premises to the cloud. But until June of this year, we mainly used security from Cisco. But we also have antivirus for endpoint protection. We also had Cisco IPS in the past, which was a dedicated appliance for that, but that was discontinued about two years ago. Those are the major products we use currently. In addition — although it's not specifically a security product — we use Cisco ISE here to support our guest network for authentication. We plan, in the near future, to increase the use of Cisco Identity Services Engine. When we start to use that to manage policies and the like, we will probably increase the integration. I know that both products can be integrated and that will be useful for us.

      There's one other product which we use along with Cisco next-gen which is a SIEM from Splunk. Currently, that is the only integration we have with Cisco. We send logs from next-gen firewalls to the Splunk machine to be analyzed and correlated. 

      Although I'm not involved on a daily basis in operations, I helped in the process of integrating it. It was very easy to integrate and it's a very valuable integration, because we can analyze and correlate all the events from the next-gens from Cisco, along with all the other logs we are collecting in our infrastructure. For example, we also collect logs from the Windows machine that we use to authenticate users. Having those logs correlated on the Splunk box is very valuable. The integration is very easy. I don't know who built what, but there's a kind of add-on on the Splunk that is made for connection to firewalls, or vice versa. The integration is very simple. You just point to the name of the server and a user name to integrate both.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      PeerSpot user
      Security Architect
      Real User
      Gives us valuable insights about encrypted traffic on the web, with statistics up to Layer 7
      Pros and Cons
      • "The IPS, as well as the malware features, are the two things that we use the most and they're very valuable."
      • "For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending on what we activate. If we activate too many intrusion policies, it affects the CPU."

      What is our primary use case?

      Our primary use cases for FTD are IPS, intrusion detection, and to get visibility into the network and the traffic that is going on in some sites. We always have them in-line, meaning that they're between two networking connections, and we analyze the traffic for the purposes of internal detection.

      In production, from the FTD line, we mostly have 2110s and 2130s because we have a lot of small sites, and we are starting to put in some 4110s. We only have FirePOWER here, but we don't use them most of the time as next-gen firewalls but more as an IPS.

      Everything is on-premises. We don't use public clouds for security reasons.

      How has it helped my organization?

      When you put FTD between your internet and network units, you can get valuable insights about your encrypted traffic on the web, DNS traffic, and the like. It gives us statistics up to Layer 7.

      Although I can't go into the details, the way the solution has helped our organization is more on the root-cause side when there is an incident, because we get very detailed information.

      FTD's ability to provide visibility into threats is very good, if the traffic is clear. Like most companies, we have the issue that there is more and more encrypted traffic. That's why we use Stealthwatch instead, because we can get more information about encrypted traffic. But FTD is pretty good. It gives us a lot of details.

      We put them in in-line and in blocking mode and they have stopped some weird things automatically. They help save time every day. We have 150,000 people all over the world, and there are times when computers get infected. It helps save time because those infections don't propagate over the network.

      The fact that we can centrally manage clients for our IPS, and that we can reuse what we type for one IPS or one firewall, makes it easy to expand that to multiple sites and multiple devices. Overall, it has been a great improvement.

      What is most valuable?

      The IPS, as well as the malware features, are the two things that we use the most and they're very valuable.

      Cisco Talos is also very good. I had the chance to meet them at Cisco Live and during the Talos Threat Research Summit. I don't know if they are the leader in the threat intelligence field but they are very competent. They are also very good at explaining complicated things easily. We use all of their blacklist, threat intelligence, and malware stuff on our FTDs. We also use the website from Talos where you can get web reputation and IP reputation.

      What needs improvement?

      For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending on what we activate. If we activate too many intrusion policies, it affects the CPU. We have great hopes for the next version. We have integrated Snort 3.0, the new Snort, because it includes multi-threading. I hope we will get better performance with that.

      What do I think about the stability of the solution?

      The stability depends on the version. The latest versions are pretty good. Most of the time, we wait for one or two minor version updates before using the new major version because the major versions go through a lot of changes and are still a bit unstable. For example, if you take 6.3, it started to be pretty stable with 6.3.03 or 6.3.04.

      What do I think about the scalability of the solution?

      Scalability depends on the site. At some sites we have ten people while at others we have a data center with a full 10 Gig for all the group. We have had one issue. When there are a lot of small packets — for example, when our IPS is in front of a log server or the SNMP servers — sometimes we have issues, but only when we get a peak of small packets.

      How are customer service and technical support?

      We've got a little history with tech support. We have very good knowledge within our team about the product now. We have a lab here in Montreal where we test and assess all the new versions and the devices. Sometimes we try to bypass level-one tech support because they are not of help. Now, we have someone dedicated to work with us on complex issues. We use them a lot for RMAs to return defective products.

      Which solution did I use previously and why did I switch?

      In our company, we have used another firewall which we developed based on FreeBSD.

      I, personally, used to work with Juniper, Check Point, and Fortinet. I used Fortinet a lot in the past. If you use the device only for pure firewall, up to Layer 4, not as an application or next-gen firewall, Fortinet is a good and cheaper option. But when it comes to a UTM or next-gen, Cisco is better, in my opinion. FortiGate can do everything, but I'm not sure they do any one thing well. At least with Cisco, when you use the IPS feature, it's very good.

      How was the initial setup?

      Setting up an FTD is a bit more complex with the new FTD line. They integrated the FXOS, but the OS is still not fully integrated. If you want to be able to fully manage the device, you still need to use two IP addresses: One for FXOS and one for the software. It's complicating things for the 4110 to have to, on the one hand manage the chassis and the hardware on one, and on the other hand to manage the logical device and the software from another one.

      But overall, if you take them separately, it's pretty easy to set up and to manage.

      The time it takes to deploy one really depends. I had to deploy one in Singapore and access the console remotely. But most of the time, once I get my hands on it, it can be very quick because we have central management with FMC. Setting up the basic configuration is quick. After that, you have to push the configuration that you use for your group IPS and that's it. My experience is a bit different because I lose time trying to get my hands on it since I'm on the other side of the world. But when I get access to it, it's pretty easy to deploy. We have about 62 of them in production, so we have a standard for how we implement them and how we manage them.

      We have Professional Services and consultants who work with us on projects, but not for the deployment. We have our own data centers and our own engineers who are trained to do it. We give them the instructions so we don't need Cisco help for deployment. We have help from Cisco only for complex projects. In our case, it requires two people for deployment, one who will do the configuration of the device, and one who is physically in the data center to set up the cables into the device. But that type of setup is particular to our situation because we have data centers all around the world.

      For maintenance, we have a team of a dozen people, which is based in India. They work in shifts, but they don't only work on the FTDs. They work on all the security devices. FTD is only a part of their responsibilities. Potentially we can be protecting 140,000 people, meaning all the employees who work on the internal network. But mostly, we work for international internal people, which would be roughly 12,000 people. But there are only three people on my team who are operators.

      What was our ROI?

      ROI is a difficult question. We have never done the calculations, but I would say we see ROI because of some security concerns we stopped.

      What's my experience with pricing, setup cost, and licensing?

      Cisco changed its price model with the new FTD line, where the appliances are a bit cheaper but the licensing is a bit more expensive. But that's not only Cisco, a lot of suppliers are doing that. I don't remember a lot of the licensing for Fortinet and Check Point, but Cisco's pricing is high, at times, for what they provide.

      What other advice do I have?

      FTD is pretty good. You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license. It's pretty good to have the Cisco and Talos teams working closely. I know Palo Alto has a similar arrangement, but not a lot of suppliers get that chance.

      Our organization's security implementation is pretty mature because we try to avoid the false positives and we try to do remediation. We try to put threat intelligence over a link to our IPS next-gen firewalls.

      Overall, we have too many tools for security in our organization — around a dozen. It's very complicated to integrate all of them. What we have done is to try to use the Elastic Assist Pack over all of them, as a main point of centralization of log information. The number of tools also affects training of teams. There are issues because one tool can't communicate with another one. It can be very hard, in terms of technical issues and training time, to have everybody using all these processes.

      We also use Cisco Stealthwatch, although not directly with the FTD, but we hope to make them work together. There is not enough integration between the two products.

      Overall, FTD is one part of our security strategy. I wouldn't rely only on it because we've got more and more issues coming from the endpoints. It lets you decipher everything but sometimes it is very complicated. We try to use a mix and not rely only on the FTDs. But for sure it's great when you've got a large network, to give you some visibility into your traffic.

      I rate it at eight out of ten because it's pretty good technology and pretty good at stopping threats, but it still needs some improvement in the management of the new FTD line and in performance.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Anshul Kaushik, Technical Solutions Architect - Security Channels at a tech company with 51-200 employees
      Real User

      FTD 6.4.0.4 is the recommended release now and is more stable in terms of features and functions. The new HW models Firepower 1K are 2-3 times better in performance as compared to the legacy ASA 5500-x series at the same price. The addition of new 41xx models are more efficient at the same price as compared to previous 41xx models.
      The current release of FTD is 6.5, which was released last month.

      Senior Network Engineer at Orvis Company, Inc
      Real User
      Policy rulesets are key, and upgrades are relatively seamless in terms of packet loss
      Pros and Cons
      • "The information coming from Talos does a good job... I like the fact that Cisco is working with them and getting the information from them and updating the firewall."
      • "Our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help."

      What is our primary use case?

      We use them to block or allow traffic out to the internet and to control a handful of DMZs. Overall, they're for access control. We do IPS and IDS as well.

      We have the FMC (FirePOWER Management Center) which manages the 4110s and we have 5516s and the ASA5545-Xs. It's an ASA running the Next Generation Firewall code. We're using all of the FMC with 6.4.04, so they're all running the Next Generation Firewall code. We deploy the software on-prem.

      How has it helped my organization?

      The information coming from Talos does a good job. It marks that information and bumps it up to us. We have rules where we are getting alerts and it does a good job as far as giving us alerts goes. Talos is pretty well-respected. I like the fact that Cisco is working with them and getting the information from them and updating the firewall. We get the vulnerability database stuff updated, and the location stuff gets sent out. I like all that.

      In terms of how the ASAs have affected our security posture as an organization, it's done well. We're growing with ASA, with the FirePOWER. When we first started there were a lot of bugs and a lot of issues. But now they're coming forward and acting on requests, things that we want.

      What is most valuable?

      The majority of what I use is the policy ruleset. We have another company that deals with the IPS and the IDS. That's helpful, but I can't necessarily speak to that because that's not the majority of what I do. The majority of what I do is create rules and work with the customers to make sure that things are getting in and out of the environment.

      I work with our e-commerce team to make sure that new servers that are spun up have the appropriate access to other DMZ servers. I also make sure that they have access to the internet. I make sure they have a NAT so that something can come into them if need be.

      We use Umbrella, Cisco's DNS, which used to be OpenDNS. We use that to help with security so that we're not going to sites that are known to be bad. They work well together. They're two different things. One is monitoring DNS and doing web URLs, while the firewall I'm doing is traffic in and out, based on source destination and ports protocols.

      One of the things I like is that the upgrades are relatively seamless, as far as packet loss is concerned. If you have a firewall pair, upgrading is relatively painless, which is really nice. That's one of the key features. We do them off-hours, but we could almost do them during the day. We only lose a few packets when we do an upgrade. That's a bonus and if they keep that up that would be great. Check Point does a reasonably good job at it as well, but some of the other ones I've dealt with don't. I've heard from people with other firewalls and they don't have as good an experience as we do. I've heard other people complain about doing upgrades.

      What needs improvement?

      One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has ways to go, as far as being able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things that not only we at Orvis, but other people, are requesting and saying should be done and are needed.

      In addition, if pushing policy could take a little less time — it takes about five minutes — that would be good. That's something they're working on. 

      Finally, our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.

      For how long have I used the solution?

      We've been using them for about two years. We used to have Check Point and we moved to the ASAs. We didn't really do a whole lot with them, just got them running in the first year. So in the last year-and-a-half to two years we've just been getting our feet wet with them.

      What do I think about the stability of the solution?

      The code has been reasonably good. It's getting better. The stability depends on the code and this last version of code we went through did give us a number of issues. It all depends on what the stability is in the code.

      What do I think about the scalability of the solution?

      The devices we have can scale pretty well. We have 600 to 700 people and we have an e-commerce site. It's deployed across the entire organization, although we have multiple firewalls.

      We have plans to increase usage. We're going to do more DMZ to protect ourselves. So we'll be having more interfaces off the firewalls and we'll be protecting more VLANs. That's probably as big as we are going to get. I don't see us doing too much more than that.

      How are customer service and technical support?

      Tech support is good. We have an exceptional sales rep or project manager. Jenny Phelps is the person we work with and if we have any questions or anything that needs to be escalated, we send it to her and it's usually done very quickly. That relationship is a huge value. Jenny is worth her weight in gold.

      How was the initial setup?

      I wasn't around for the initial setup, I was just starting. We were moving from Check Point to the ASA. It took about six months for them to engineer it and put it in place.

      The implementation strategy was to try to determine all the rules in the Check Point and duplicate all those rules in the FirePOWER. We had to roll back twice before it finally took. That wasn't anything to do with the FirePOWER or the ASA. It had more to do with the person who had to put the rules in and understanding what was actually needed and how they should be put in.

      What about the implementation team?

      We did it through a consultant, Presidio. They had two people on it. Other than that, they were pretty good.

      What was our ROI?

      Just in terms of cost, the Check Point number was ten times as expensive as the Cisco number, so there was "instant" ROI in that sense. But we needed to replace our firewalls. Check Point had been in for five or six years. They did a bake-off to see which one was the best one to go to.

      What's my experience with pricing, setup cost, and licensing?

      We used Check Point and the two are comparable. Cost was really what put us onto the ASAs. They both do what it is we need them to do. At Orvis, what we need to do is very basic. But the price tag for Check Point was exorbitantly more than what it is for the ASA solution.

      We pay Cisco for maintenance on a yearly basis. There are no additional fees that I'm aware of.

      Which other solutions did I evaluate?

      My understanding is that Check Point and Fortinet were evaluated, at the end.

      I wasn't around when we did the actual bake-off. I came in when a solution was picked. I was told why the solution was picked and I was there when they did the final install. It was managed for a little while by Presidio and then it was given to us.

      What other advice do I have?

      The biggest lesson I've learned from using the ASAs is the fact that they can do a lot. It's just figuring out how to do it. We don't do a lot, although once in a while we will do something a little interesting. These things can do more than what we're using them for. It's just a matter of our trying to figure it out or getting with our Cisco rep to figure it out.

      My advice would be to have a good handle on your rules and, if you can, take the upgrades easily.

      We have desktop security, application security, and then we have Umbrella. We use five or six different tools for security, at least. It would be nicer to have fewer but as far as I know there isn't one tool that does it all.

      We do application firewall rules where it does deep packet inspection and looks at certain things. We don't use it as much as we should, but we do application inspection and have rules that are based on just an application.

      We usually have two people on a call when we do maintenance, and we usually have Cisco involved. It's usually me and a colleague who is also a network/security engineer.

      I would rate the ASA overall at eight out of ten. The thing that comes to mind with that rating is the code. As I said, we just upgraded to 6.4.04 and we ran into a handful of bugs. We've done upgrades before and we've run into a bug as well. Just last week, we finished upgrading, and I still have one final service request, a TAC case, open. I had four open at one point. That's at the forefront of my thoughts right now.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Network Administration Lead at Forest County Potawatomi Community
      Real User
      Highlights and helps us catch Zero-day vulnerabilities traveling across our network
      Pros and Cons
      • "The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through their IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network."
      • "The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it."

      What is our primary use case?

      We use them in multiple places on our network. We use them on the edge of our network, in more of the traditional sense for inbound and outbound filtering. We also use them as a center of our network between all of our users and servers, so that all user traffic going through our servers is IPS and IDS as well.

      We have multiple Cisco 5000 Series firewalls and we also have a 4110 Series firewall, all running the FireSIGHT threat detection image. We keep that up to date within three months. If a new release comes out within three months, we're updating. The software deployment is on-prem.

      How has it helped my organization?

      We definitely feel that we're more secure now than we have been in the past. That goes back to those Zero-day vulnerabilities. An example would be some of the vulnerabilities with Adobe TIF files that were recognized. We run a document management system that wrote the extra, tailing zeros onto all the TIF files, and that was highly exploitable. The Cisco firewalls were able to catch that on the files traveling across our network and highlight it. Those are issues that, without the firewalls actually seeing the north-south traffic in our network, we just didn't have visibility into before. We were running blind and didn't even realize that we were vulnerable in those ways.

      Cisco NGFW has excellent visibility through the constructs it has. New vulnerabilities come out and we have hit those multiple times thanks to their solution. We come in on a Monday and, all of a sudden, an application that was working on Friday isn't working. That's because a major vulnerability came out over the weekend. The firewalls, and being able to use the dashboards through FireSIGHT management, provide very good visibility into what's actually going on and why different items on the network are happening. Overall, I would say the visibility is very good.

      In addition, among our multiple vendors for firewalls, etc., Cisco Talos really distinguishes Cisco from the Palo Altos and the Barracudas of the world. The work that they do to identify Zero-days and new threats out there, and then document all of that, is invaluable to our organization. I can't say enough about Cisco Talos.

      What is most valuable?

      The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through the IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network. Those items are capable of being exploited although they were not actually being exploited. Being able to see what those exploits are, the potential for vulnerabilities and exploits, is critical for us.

      What needs improvement?

      Cisco firewalls provide us with some application visibility and control but that's one of those things that are involved in the continuous evolution of the next-generation firewalls. We have pretty good visibility into our applications. The issue that we run into is when it comes to some of the custom apps and unusual apps that we have. It doesn't give us quite the visibility that we're looking for, but we have other products then that fill that gap.

      There would also be a little bit of room for improvement on Cisco's automated policy application and enforcement. The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it. That's part of the reason that we don't do some of the policies, because management of it can be a little bit funky at times. There are other products that are a little cleaner when it comes to that.

      For how long have I used the solution?

      I've been using Cisco next-gen for at least four years.

      What do I think about the stability of the solution?

      Stability-wise, we haven't had too many issues. Before the next-generation firewalls, we used ASAs. In the 15-plus years that I've been using them I've only had one fail on me. Software-wise, we really haven't run into too many major bugs that we couldn't get workarounds for by working with TAC. Overall the stability is excellent.

      What do I think about the scalability of the solution?

      Scalability is also excellent. I don't have any complaints about it. As long as you're willing to put the money forward, they are very scalable, but it's going to cost you.

      Their ability to future-proof our security strategy is also very good. They continuously improve on and add items, functionalities, and features to their software.

      User-wise, the government side of our organization doesn't have that many. There are maybe 1200 altogether. We had to upgrade our 5555s to 4110s and our 4110s are just about maxed out. We're pushing the max of the capabilities of all the equipment that we have. The 4110s average about eight gigabits a second all day long, for about 12 hours a day, through each of the devices. There are terabytes of traffic that go through those things a day.

      We're always increasing the usage of these devices. They are the core of our network. We use them as our core routers and all traffic goes through them. They are the integral part, the center of our network. They're everything for us.

      We have three people on our network team who maintain the entire network, including those devices. 

      How are customer service and technical support?

      Cisco's technical support is very good, overall. I've only run into one or two instances in the last 20 years where I came away with a negative experience. Those were generally unknown bugs but I didn't appreciate the way they handled some of those situations. But overall, Cisco's technical support is better than most companies'.

      How was the initial setup?

      We used the Cisco partner for implementation, but overall it seemed pretty straightforward. The deployment has been an ongoing thing. I'd say that we're never done with deploying our firewalls because of that constant state of change of the network. But the original deployment took four to five weeks.

      For the ongoing deployment, the amount of time something takes depends on what we're doing. We had some 5555 firewalls and all of a sudden they were no longer capable of handling the traffic that we send through. We had to operate those with 4110s. It all depends on what's going through them and what the scope of the project is. But most deployments take less than a week.

      There is also the fact that when you upgrade FireSIGHT to the next version and there are new features, you have to go through all the firewalls and make sure that they're utilizing all those features. That's one of the reasons it's always ongoing. It depends on what's released, what's new, what's old, and keeping up on that.

      What about the implementation team?

      The partner that we utilized was Heartland Business Solutions, in Wisconsin.

      Our experience with them, overall, has been pretty good. When it comes to the Cisco world, our organization's mix of experience comes in. There are items that we can do outside of the partner because we have some very talented individuals that work for us, some Cisco Certified individuals.

      One issue is that, in their business, Heartland is always trying to upsell. They are an intermediary, they play that middle guy all the time, but there are items that we're capable of doing that they push. They don't really allow us to just run with it because they want to get the engineer time and the tech time. They want to make revenue off of some items that we're capable of doing. That would be one issue with them.

      Another item that is frustrating has to do with the way they manage our Cisco licenses and Smart Nets for us. I'll give an example. We have Cisco firewalls across our entire network. Every year we have to buy the subscriptions for malware, and URL filtering, etc., to get full utilization out of them. All of our firewalls are subscribed to the max when it comes to IPS, IDS, and file inspection. To get the licenses, they have to know how many firewalls etc. we have. We have an issue where one of our firewalls went down — it's in an HA so we're still up and functional — but it's still in a down state and we're working through it right now. We contacted them because all of a sudden we found out, hey, we don't have Smart Net. We pay them to manage our Smart Net contracts because it can be quite a hassle.

      The question is, how can we not have Smart Net on a product that we know that we own. To get the subscription they know that we have X number of firewalls. When they renewed Smart Net they should know that there are that X number of firewalls in there, but there weren't. We run into a lot of that. We buy subscriptions for this, or there are yearly costs associated with that, but then when we match it up to Smart Net, we find out we don't have Smart Net on it or vice-versa. They have the numbers for subscriptions so they should be able to take those numbers and make sure that the Smart Net numbers match up with them. Or, they have the numbers for Smart Net and should be able to make sure we have the proper subscriptions lined up with it as well. That's been a frustrating point for us.

      Other than those couple items, we had really good luck with them and they've been really good to us.

      What was our ROI?

      We have absolutely seen return on our investment. For example, before Cisco started doing the AMP for Endpoints, just as an example of Cisco security overall, we had Norton Antivirus on all of our workstations and we ran McAfee across all our servers. Our helpdesk and support staff were cleaning up anywhere from six to 13 malware-infested PCs a week. It was a full-time job for two individuals going around and continuously cleaning these, even though we had McAfee and Norton, which are supposedly some of the better ones out there.

      After deploying AMP, we might have one incident every three months that our helpdesk or support has to deal with. We freed up two full-time individuals. AMP definitely has a cost, but then you look at the cost to end-users of not being able to use their PCs, or of the payroll department not being able to run their reports for payroll because the PC is too slow because it's infected with malware. 

      So not only was there the cost of the two IT resources we gained, but other departments also gained hours back by not losing their PCs and devices.

      What's my experience with pricing, setup cost, and licensing?

      Our subscription cost, just for the firewalls, is between $400,000 and $500,000 a year. In addition, there is Smart Net, but the subscription base is the most substantial.

      In an environment like ours where you're only looking at a little over 1,000 users, when you start figuring it all out, it's basically $400 a user per year to license our Cisco firewalls. Cisco is very good. From everything I've seen, I truly believe that they lead the industry in all of this, but you do pay for it.

      Which other solutions did I evaluate?

      There have been evaluations of other products over the years. We do layer some of them to filter things through multiple product vendors, so if there ever is a vulnerability with Cisco, hopefully one of these other ones would catch it, or vice-versa.

      But we have never evaluated others with a view to potentially replacing Cisco in our network. That's because of Cisco's being the largest network company in the world. When you have Cisco, it's hard to go away from them for any reason.

      When it comes to the firewall side, one of the major differences does have to do with Talos. I've been involved in networks where Palo Altos have been broken and owned by hackers. I've been brought in to work on networks that way. The solution in those cases has been to replace with Cisco, to get control of what's going on. A lot of that has to do with Talos and their frequency of updates and how well they do with all of the security items. That's probably one of the main reasons that we don't ever look at a replacement for Cisco. We'll use other products in conjunction with it, but never to replace it.

      What other advice do I have?

      My advice would be: Don't let the price scare you.

      I would describe the maturity of our company's security implementation as "working on it." It is an evolving process. When it comes to the Cisco product line, we try to keep it as up to date as possible when they release new products. An example would be their DNA Center which we're looking at installing in the next year. From a product standpoint, we're pretty well off. From a policy and procedure standpoint, that is where we're somewhat lacking in our organization.

      In terms of the number of security tools our organization uses, we have a lot of them. From a software standpoint, we use tools from eight to 12 vendors, but there is more than one tool from each. We have anywhere from 30 to 40 security suites that we run across our environment. When it comes to hardware manufacturers, Cisco isn't the only one that we use. We use products from three different hardware manufacturers and layer our security that way. The way this number of tools affects our security operations is that there's a lot of overlap. But there are different groups that look at and use each set of tools. It works because that way there are always the checks and balances of one group checking another group's work. Overall it works pretty well.

      In terms of other products and services we use from Cisco, we're a Cisco shop. We have all of their routing and switching products, AMP for Endpoints for security, Cisco Prime Infrastructure. We also have their voice and whole collab system, their Contact Center. We have their CUCM as well as Unity Connection. A lot of our servers are Cisco UCSs, the Blade Servers are in our environment. We have Fabric Interconnects, fibre switches. Pretty well anything network related is Cisco, in our environment.

      We do layer it. We do have some F5 firewalls deployed in front of the Ciscos. We have had Barracuda firewalls in line as well, along with spam filters, so that we get that layered security.

      Cisco's cross-platform integration and data sharing between their products are very key. Cisco is really good at that. It's nice to be able to see the same data through multiple product sets and be able to view that data in different ways. Cisco-to-Cisco is really good. 

      Cisco integration with other products depends on the product and what you're trying to get out of it. Most of it we have to send through different SIEMs to actually get usable data between the two product lines. It depends on what we're doing. Every scenario's a little different.

      As for automated policy application and enforcement, we actually bought a couple of other tools to do that for us instead. We're getting into Tufin software to do automations, because it seems like they have a little bit better interface, once they pull the Cisco information in.

      Overall — and I don't want to get too full of Cisco because everyone's vulnerable in a way — we've had very few issues, even when a lot of these Zero-days are attacking cities and organizations, and there are ransomware attacks as well. We've seen items like that hit our network, but not have any effect on it, due to a lot of the Cisco security that's in place. It has been very strong in helping us detect and prevent all of that. Overall, it's given us a certain comfort level, which is both good and bad. It's good because we haven't run into the issues, but it's bad in the sense that our organization, a lot of times, takes it for granted because we haven't run into issues. They tend to overlook security at times.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Senior Network Engineer at Johnson & Wales University
      Real User
      Very buggy, and was released before it was ready for market

      What is our primary use case?

      We had legacy Sourcefire Sensors and ASA stateful firewalls.

      Cisco offered the FTD NGFW solution, but the implementation of the two systems was not successful.

      How has it helped my organization?

      The Firepower sensors have been great; they do a good job of dropping unwanted traffic.

      What is most valuable?

      The VDB updates run on schedule, so less hands-on configuration is needed.

      What needs improvement?

      The software was very buggy, to the point it had to be removed.

      We are moving completely away from Cisco NGFW.  The product was pushed out before it was ready.

      For how long have I used the solution?

      We have been using this solution for twelve years.
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Dave Cooper - PeerSpot reviewer
      Network Engineer at CoVantage Credit Union
      Real User
      For any internet-related event, it's saving us hours of time
      Pros and Cons
      • "Once you add Firepower onto it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering."
      • "In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth."

      How has it helped my organization?

      It's hard to judge how much time it saves our organization because it's doing things you don't realize. For example, when it's blocking web advertisements, when it's blocking phishing, when it's blocking geolocation, the time it saves is because of the things you might have had to deal with that, now, you don't. Any time we have some kind of internet-related event, it's definitely going to take us hours' worth of time. We have to do an investigation, we have to report on it, we have to write something up. By protecting our environment it probably saves our security analysts a fair number of hours during the week.

      What is most valuable?

      It's the brick wall that keeps us from the bad guys. It does a lot of things. In the beginning when you just have a firewall, of course, it's your NAT and it's your Access Control List. It's the thing that allows traffic in and out. There is some routing involved in that too. But once you add Firepower onto it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering.

      We used to do some web filtering on the Firepower but we moved into Umbrella once we started. We do use Firepower for one piece of web filtering because Umbrella has yet to provide it: advertisement blocking. We don't allow our end-users to go into advertisements. If they're going to go to a site, they have to know what the site is, not just try to hit some kind of Google ad to get to it because those can be dangerous.

      What needs improvement?

      In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth. It's definitely usable, though. You can get a lot of good information out of it.

      It's hard to stay on the bleeding edge on firewalls because you have to be careful with how they integrate with Firepower. If you update one you have to update the other. They definitely have some documentation that says if you're at this version you can go to this version of Firepower, but you need to be careful with that.

      For how long have I used the solution?

      We've been using Firepower for two to three years.

      What do I think about the stability of the solution?

      It's pretty stable. There are times where I'll get an email saying a process has stopped. But a few seconds later, they'll say it restarted it on its own. It's hardy enough that if it is having problems, it's bringing things back up. For the most part, it's been very reliable.

      It's been really good. And even so, if I've had to reboot the actual appliance, I'll bring it back up and it's good to go.

      What do I think about the scalability of the solution?

      We haven't hit that issue of scalability. We have increased the amount of traffic through it and it's handled it, but I think that's also a product of the ASA as well. If the ASA is going to choke, Firepower is going to choke as well.

      We're going to be bringing in two new firewalls, as early as the fourth quarter or first quarter of 2020, and those are going to be pure FTD appliances. We'll probably be using those a little bit more extensively. I don't think we're going to be using the SSL portion, but we'll probably have the IDS/IPS, and we'll probably have the AMP turned on. That's because with the endpoints, we're not sure if we're going to be able to install an antivirus, so we can at least watch that. We'll probably use most of the suite on it.

      How are customer service and support?

      I've always liked Cisco support. We're a pretty big Cisco shop, so you're not going to hear a lot of complaints from me about support. And not only that, but if I do have a problem with Cisco support, we get ahold of somebody - our customer-success people and the salespeople from Cisco who are focused on our organization - and we get help. It's very good.

      Sometimes, I'll have to contact the first tier of tech support. I'll still open up a case. But in case that, for whatever reason, is not going to our satisfaction, at least we have a chain of command we can go through and talk to some different people. We might get it escalated if we're just not getting something fixed on time. But Cisco has very top-notch support.

      Which solution did I use previously and why did I switch?

      We've been with Cisco and haven't had anything else yet. We haven't had a desire to move in a different direction. We've stayed with it because of how good it is.

      We were initially introduced to Firepower by a consultant. At that time, it was for the web filtering because the web filtering we had was awful. We were using Sophos. Without getting too derogatory, it was just awful. There was no alerting and it was very hard to manage, whereas this is really easy to manage. With Cisco, it was very easy to set up content groups, to allow some users to get to some stuff and other users to not get to it. That's where it really started. There weren't any pros to Sophos that weren't in Firepower. We got rid of Sophos.

      How was the initial setup?

      Our organization is a big believer in training, so I attended a five-day class on this. From that, I was able to set it up pretty easily.

      We have a virtual appliance. Once it actually installs and we set IPs and got some of the base set up, it was done within about a day. But the time it takes will depend. We're not an organization that has 10,000 users. We're probably a medium enterprise, of about 400+ users, rather than a large enterprise, so our ruleset is comparatively small. As a result, it didn't take me as long as it might for some, a total of two or three days, and that's even with fine-tuning. But because we're still using the ASA and the ASDM, we still have those rules in the firewall. We're not really at the FTD point where all the rules are in there. If we were, to migrate it would probably take some time.

      For me, it was relatively simple because of the valuable training I had. There are some good resources online, don't get me wrong. It was just nice to be able to do something hands-on at a place, in training, and then come back and be able to do it.

      The neat thing is that the gentleman who taught us, instead of just teaching us the material from a book or even, "This is how you can pass the Firepower test," taught us how he would go into a Fortune 100 and set up an organization. I had almost a step-by-step lesson on how to keep going through the configurations to get to a finished product.

      With a firewall, you're always coming back to it to tweak it a little bit. You might find, "Oh, I'm not getting the logging a lot," or, "Oh boy, this rule is doing this, but maybe I want to tighten it down a little bit more." But to get the base configuration, to get the objects in, it takes about a couple of days. At that point, you can at least have traffic going through it. You may not be blocking anything, but you can be monitoring things.

      What about the implementation team?

      It was just me.

      What was our ROI?

      The return on investment would be the fact that I'm just not spending a lot of time either searching for things or trying to stop what's coming in and out of our network. The return on investment is the time I would have to spend during the day looking at things versus it proactively doing its job.

      What's my experience with pricing, setup cost, and licensing?

      We're going to get to a point, not this year and not the coming year, probably going into 2021, where we're going to want to replace the ASA appliances with either virtuals or actual physicals. But the Firepower series of appliances is not cheap.

      I just got a quote recently for six firewalls that was in the range of over half-a-million dollars. That's what could push us to look to other vendors, if the price tag is just so up there. I'm using these words "fictitiously," but if it's going to be outlandish, as a customer, we would have to do our due diligence and look at other solutions at that point.

      In addition to that cost, there are licensing fees for some of the individual things like AMP, the IPS/IDS piece. It depends on what you want to use, such as the SSL piece and the VPN piece, which we don't use.

      Which other solutions did I evaluate?

      We haven't evaluated any other options. The only thing that may ever force us in that direction would be cost. Only if the cost of the solution got so large would we have to look at something comparable.

      What other advice do I have?

      The neat part about this is how Cisco continues to evolve its product line and help us stay secure, while still doing our day-to-day business.

      My advice would depend on how you want to use it. What are you looking for Firepower to do?

      Firepower added features that, until we introduced it into our environment, we could not have done. We probably could have added a third-party product but we would hate to keep doing all that. It's nice to be able to have our products from the same organization because then, if something's really wrong, we can talk to the same organization as we're trying to troubleshoot something through our environment. We use Cisco switches, Cisco routers, we use ISE, and Umbrella. We have a lot of products through Cisco.

      We use the ACLs. We use the intrusion side, just to watch traffic. We have used the malware and have actually caught stuff in there. We do have a DNS policy so that at least we can check to make sure someone's not going to a bogus site; things can get blocked for that, but Umbrella is really good at what it does. We also have it connected to our Active Directory so I can see which users are going where, and that is valuable. But I can also see that in Umbrella, so there's some overlap.

      For managing the solution it's me and at least one other person. I'm the primary resource on it.

      We used to use AMP for endpoints through the Firepower but we decided to discontinue that. We have AMP on all our endpoints but with all the other things we have, such as Umbrella, we were satisfied enough with the security we have. We didn't want two different things possibly stopping files instead of having one console area to be able to see those kinds of things.

      Overall, I would rate Firepower at eight out of ten. Every product can improve. But for what we're looking to do, it does a very good job.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Amit Gumber - PeerSpot reviewer
      Consultant at HCL Technologies
      Real User
      Dashboard gives us a complete analytical view of traffic behavior and anomalies
      Pros and Cons
      • "The most important point is the detection engine which is now part of the next-generation firewalls and which is supported by Cisco Talos."
      • "Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products."

      What is our primary use case?

      The primary use case is to protect our departments. We have sub-departments or sites categorized by the number of users and types of applications. We categorize the latter in terms of small, medium, or large. Based on that, we select a firewall in terms of throughput and the number of concurrent sessions it can handle. We then deploy the firewall with a predefined set of rules which we require for inbound and outbound traffic.

      We are in operations delivery and we need to support multiple clients. We have different departments where our primary responsibility is to protect our organization's assets and data and to store them in a centralized data center. Apart from that, we have responsibility to support our clients in terms of infrastructure.

      All the devices are on-premise. Nothing is on the cloud or is virtualized.

      What is most valuable?

      One of the most valuable features in the current version is the dashboard where we have a complete analytical view of the traffic behavior. We can immediately find anomalies. 

      The most important point is the detection engine which is now part of the next-generation firewalls and which is supported by Cisco Talos.

      What needs improvement?

      Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.

      For how long have I used the solution?

      We've been using ASAs for the last ten years in our organization.

      What do I think about the stability of the solution?

      The product's stability is perfect. From my observation, the mean time to failure is once in seven years or eight years. All the hardware in the device is quite stable. I haven't seen any crashing of the operating system.

      What do I think about the scalability of the solution?

      Scaling is quite easy. 

      How are customer service and technical support?

      On a scale of one to ten, I would evaluate Cisco support as a ten. I get support in a fraction of time. There is no problem in getting support.

      Which solution did I use previously and why did I switch?

      Since I have worked in this organization, Cisco has been the primary product that has been deployed.

      How was the initial setup?

      The initial setup is quite straightforward. It's quite simple, without any complexities. Whenever we find any issue during the primary phase, we reach out to the Cisco technical support team for assistance and within a short period of time we get support from them.

      The most recent deployment we did took about three weeks.

      In terms of deployment plan, we go with a pre-production consultation. We create a virtual model, taking into account all the rules, all the cabling, and how it should work in the environment. Once everything on the checklist and the prerequisites are in place, then we migrate the existing devices into production.

      What about the implementation team?

      As consultants, most of the time we deploy ASA by ourselves. If there is any complexity or issue, we get in touch with a system integrator or we open a ticket with the technical support team.

      What was our ROI?

      There would definitely be return on investment by going with Cisco products. They are stable.

      What other advice do I have?

      For any organization looking for a secure solution that can be deployed in their domain or infrastructure, my advice is to go with Cisco Next-Generation Firewalls because they have a complete bundle of security features. There is a single pane of glass with complete management capabilities and analytic features to understand and gather information about the traffic.

      The lessons that most of our clients have learned is that in deployment it is easy to configure and it is easy to manage. It's quite stable and they do not get into difficulties in terms of day-to-day operations. 

      We haven't faced any problems with this product.

      Compared to other OEMs, such as Juniper and Fortinet, Cisco's product is excellent. There are no bugs and I don't see any lack in terms of backend and technical support. In my opinion, at the moment, there is no room for product enhancement.

      Most of the users are system administrators working on their own domains. The minimum number of users among our clients is a team of 15 to 20; we have clients with up to 700 users at the largest site.

      The product is quite extensively used in each department, to protect assets and data centers. We are using the attack prevention engine and URL filtering is also used at most of our sites. We are also using it for data center connectivity and for offloading transactions.

      I would rate Cisco at ten out of ten for the functionality and the features they provide.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
      Managing Director at Fasp
      Real User
      User-friendly, easily managed, and scalable
      Pros and Cons
      • "The most valuable feature of the Firepower solution is FireSIGHT, which can be easily managed and is user-friendly."
      • "I would like to see the inclusion of more advanced antivirus features in the next release of this solution."

      What is our primary use case?

      We are a reseller and system integrator, and this is one of the solutions that we provide for our end users. We have experience with many firewall products from different vendors.

      The specific use case depends on the customer and their environment. They design the firewalls, and we supply the appropriate equipment.

      The majority of deployments are on private networks.

      What is most valuable?

      The most valuable feature of the Firepower solution is FireSIGHT, which can be easily managed and is user-friendly.

      What needs improvement?

      The performance and the level of throughput need to be improved. This would make things easier for us.

      I would like to see the inclusion of more advanced antivirus features in the next release of this solution.

      Adding internet accounting features would also be a good improvement.

      What do I think about the stability of the solution?

      This solution is completely stable, and we have not had any issues.

      What do I think about the scalability of the solution?

      Scalability of this solution is ok. They have the IPS (Intrusion Prevention System), online updates, and signature updates.

      One customer might have, for example, two hundred and fifty users, whereas another might have one hundred users. There are different models for different numbers of end-users.

      How are customer service and technical support?

      Technical support is ok, and we have had no problem with them.

      How was the initial setup?

      The initial setup of this solution is straightforward.

      What's my experience with pricing, setup cost, and licensing?

      The price of this solution is not good or bad. It is ok.

      What other advice do I have?

      This is a solution that I recommend.

      The biggest lesson that I have learned from working with this solution is to always update the firewall. If you do not have the latest updates then it will not function well, so always keep it up to date.

      I would rate this solution an eight out of ten.

      Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
      Heritier Daya - PeerSpot reviewer
      Network Administrator at a financial services firm with 1,001-5,000 employees
      Real User
      Top 5
      Advanced Malware Protection works well to protect against cyber threats
      Pros and Cons
      • "The most valuable feature of this solution is AMP (Advanced Malware Protection), as this is really needed to protect against cyber threats."
      • "I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved."

      What is our primary use case?

      Our primary use case for this solution is to protect data from unauthorized access.

      What is most valuable?

      The most valuable feature of this solution is AMP (Advanced Malware Protection), as this is really needed to protect against cyber threats.

      The IPS is a must for a firewall.

      What needs improvement?

      The firewall throughput is limited to something like 1.2 Gbps, but sometimes we require more. Cisco makes another product, Firepower Threat Defence (FTD), which is a dedicated appliance that can achieve more than ten or twenty gigabits per second in terms of throughput.

      I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved.

      For how long have I used the solution?

      We have been using this solution for three years.

      What do I think about the stability of the solution?

      This is a reliable solution.

      We started with version 5.4, but there were many releases available on the website and we were obliged to aggregate, step by step, to reach the current version.

      What do I think about the scalability of the solution?

      This solution is really scalable and reliable. In my opinion, Cisco products are always scalable.

      How are customer service and technical support?

      Cisco has a very good team for support. They are always available, and they give you a flexible solution. It is not just about getting a solution. We are learning, as well, when we request assistance. They also have a knowledge base that we can access in order to find resolutions for problems.

      Which solution did I use previously and why did I switch?

      We were using the SonicWall solution prior to this one, but it reached end-of-life because we had updated our architecture. This is why we migrated to a next-generation firewall. We had also been using Fortinet FortiGate.

      How was the initial setup?

      The initial setup of this solution was a bit complex because it was a new technology for us. We did find documentation on the vendor's website, and it also helped that we found some videos on how to do the configuration.

      Our initial deployment took approximately three months because we were learning from scratch. We still had some service requests open because we could not fine-tune the solution, and ultimately it took a full year to fully deploy.

      This solution is managed by the qualified people in our network engineering team. 

      What about the implementation team?

      We tried to deploy this solution by ourselves, but our team was not quite qualified to implement this solution. It was a good opportunity for us to learn about it. 

      What's my experience with pricing, setup cost, and licensing?

      We are in the process of renewing our three-year license, which costs approximately $24,000 USD for the thirty-six months. In terms of licensing, this product costs a lot, but this cost can save my assets that could be millions for my company. There is no choice.

      Which other solutions did I evaluate?

      We did have knowledge of other products, but we chose this solution because it facilitates the sharing of information with their knowledge base. It helps you learn from scratch.

      What other advice do I have?

      My advice to anybody who is considering this solution is not to think twice about it. There are a lot of features that come with the cost. These institutions secure our network and they have to do research. The price of this solution is justified when you consider that it secures our network and protects our valuable assets.

      This is a very good solution but it is not perfection.

      I would rate this solution a nine out of ten.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      IT Manager, Infrastructure, Solution Architecture at ADCI Group
      Real User
      A trusted and reliable solution with a good interface and good technical support
      Pros and Cons
      • "I like the Cisco ASDM (Adaptive Security Device Manager), which is the configuration interface for the Cisco firewall."
      • "The Sandbox and the Web Censoring in this solution need to be improved."

      What is our primary use case?

      This solution is running behind the infrastructure and behind the hypervisor itself. We have two firewalls and two nodes in the cluster environment.

      This solution is suitable for both cloud and hybrid-cloud deployments. I have implemented a cloud project, and one hybrid as well. The hybrid was between a public and a local cloud.

      What is most valuable?

      The Cisco security rules are very strict and very strong.

      I like the Cisco ASDM (Adaptive Security Device Manager), which is the configuration interface for the Cisco firewall.

      What needs improvement?

      When comparing this solution to other products, the Fortinet UTM bundle has some better features in their most recent product. For example, there are better configuration features, the Sandbox is better, and so is the web censoring. These are currently in the Cisco solution, but they are better in Fortinet. The Sandbox and the Web Censoring in this solution need to be improved.

      This solution has to be more secure from the cloud. The current trend is moving towards private cloud and hybrid cloud, so it is very important to consider the cloud security aspects when the solution is installed. This includes things such as IoT and the existence of user connectivity on the cloud.

      For how long have I used the solution?

      I have been using this solution for two years, but Cisco technology, generally, for more than eight years.

      What do I think about the stability of the solution?

      The stability of this solution is great. The Cisco name and hardware are enough. The product is used in tier four data centers, so it is very trusted and very dependable. If you compare Cisco to others, the high industry and high workload have gone to Cisco. Stability is very, very high.

      What do I think about the scalability of the solution?

      This is a scalable solution.

      In terms of the number of users, it depends on the customer. A small customer may have less than twenty users. A larger customer can be complicated by having different branches with different users and different security rules. This means that you can reach up to the hundreds. 

      How are customer service and technical support?

      Technical support for this solution is good. Most of the technicians are technical people that have certifications such as CCNA, CCNP, CCIE, and CCISP. I think that they are knowledgeable and well educated about the Cisco culture, industry, and products.

      The Cisco distributors are everywhere, even if I'm speaking about the Middle East. I can find distributors everywhere in Dubai. Here in Dubai, the support is great, including for firmware updates, and even replacing the hardware when the firewalls crash.

      How was the initial setup?

      The initial setup of this solution is straightforward.

      The deployment does not take much time. It is just a matter of installing the firewall and configuring the basic system to get it up and running. That's it.

      There are, of course, different models of deployment, like deploying customers, that have to be considered. However, for the most part, deployment time is not an issue at all.

      What's my experience with pricing, setup cost, and licensing?

      The pricing for Cisco products is higher than others, but Cisco is a very good, strong, and stable technology. If we compare Huawei or FortiGate or others then the prices are lower, but the higher Cisco price is acceptable because of the stability, trust, and reliability.

      Which other solutions did I evaluate?

      This is my first recommendation for firewalls, and my second recommendation is Fortinet FortiGate.

      What other advice do I have?

      This is the number one firewall product that I recommend.

      I would rate this solution an eight out of ten.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Network Security/Network Management at an educational organization with 201-500 employees
      Real User
      Offers great technical support and good security from the firewalls
      Pros and Cons
      • "The technical team is always available when we have problems."

        What is our primary use case?

        Our primary use case of this program is network protection.

        How has it helped my organization?

        Up until now we haven't been down due to issues with the internet connection or denial of service, so the program does what it claims to do.

        What is most valuable?

        The firewalls of this program protect my internet from dangerous internet sites. For us, Cisco is the number one in firewall protection. We are seeking to buy another UTM solution for band management.

        What needs improvement?

        The program is very expensive.

        For how long have I used the solution?

        We've been using Cisco Sourcefire Firewalls for three years.

        What do I think about the stability of the solution?

        We haven't had any problems with the stability so far.

        What do I think about the scalability of the solution?

        We have 500 users working on the solution and I believe it may increase, so I believe the program is scalable.

        How are customer service and technical support?

        The technical support from the company is very good. They are always available when we have problems.

        Which solution did I use previously and why did I switch?

        We did use another UTM solution before for firewall, URL and band management. We didn't switch, we just have two layers now. If we want to use Cisco for band management or URL safety, we have to pay a license fee and it is very expensive.

        How was the initial setup?

        The initial setup was straightforward and it took the company about a day to deploy the firewalls.

        What's my experience with pricing, setup cost, and licensing?

        The licensing is very expensive.

        What other advice do I have?

        In the future, I would like to see friendlier configuration and only one license because everything needs a license. You need a URL license, security license, everything is based on a license. I would like to have one license that covers everything. But I am really impressed by the program and my rating is nine out of ten.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Senior Network Administrator at a construction company with 1,001-5,000 employees
        Real User
        Good signature detection, intrusion detection, IDS, and IPS
        Pros and Cons
        • "The stability of the solution is very good. We can see that it gets even better with every release."
        • "It would be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice."

        What is our primary use case?

        We primarily use the solution for internet access firewalls.

        How has it helped my organization?

        The solution allows you to be more agile and react faster.

        What is most valuable?

        The Sourcefire stuff itself is the most valuable feature. Signature detection, intrusion detection, IDS, and IPS are all very good. AMP is very useful. I like that you can put it onto devices as well.  The aggregated views in FMC that you get when you're a global shop which is centralized, and then offers gateways per region. In Europe, America and APAC, you have all the data coming together in the FMC. That's quite nice.

        What needs improvement?

        The FMC could be a little bit faster.

        It would be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.

        For how long have I used the solution?

        I've been using the solution for 1.5 years.

        What do I think about the stability of the solution?

        The stability of the solution is very good. We can see that it gets even better with every release.

        What do I think about the scalability of the solution?

        For us, the scalability is good, because we sized everything right, right from the beginning. If you size it right, it's very good. We don't plan on adding more firewalls, unless we suddenly grow exponentially, which we're not expecting to do at this point.

        How are customer service and technical support?

        We only contacted technical support during initial implementation and that was all handled by the consultant. I have a lot of other Cisco related tickets open, so we're used to the process.

        I would say, however, that we're also using Meraki, and the Meraki support is way better, in my opinion. 

        Cisco support tends to take longer, and I mean really long given the fact that subject matter is sometimes also more complicated, so it really depends. When you compare that directly to Meraki, Meraki answers the same day, and I cannot say that about the legacy Cisco support items. I can understand that the market for the legacy service is so much bigger for Cisco, so I can see why it takes longer.

        How was the initial setup?

        The initial setup was complex because we had to migrate old ASA firewalls. The ACLs, or rather the policies, are very different now, and way more elaborate, so that took some tweaking, and some consulting and some time.

        Deployment took two months. We had to make sure that our old ACL base settings from the ASAs were correctly translated and implemented into the new FTD setups.

        What about the implementation team?

        We used a consultant to assist with implementation.

        Which other solutions did I evaluate?

        We've looked at a few options, but we have an internal policy that says, unless noted otherwise, network equipment has to be Cisco based. We had to go with a Cisco product.

        What other advice do I have?

        We are using the on-premises deployment model.

        My advice for those considering the solution is this: if you want to migrate something, plan enough time for testing before you come over to the solution. You should also watch as many webinars as you can about that solution, or get a consultant and do a proper lab set up and go through the whole thing with them. It's definitely worthwhile, given the complexity of the whole product.

        I would rate the solution nine out of ten.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Senior Network Support & Presales Engineer at a computer software company with 51-200 employees
        Real User
        Offers an easy way to manage the devices centrally but not all of its features are supported
        Pros and Cons
        • "I like the way Firepower presents the data. It gives you two classifications for the evidence, something based on the priority of the evidence and another classification based on the impact of the evidence in your environment. This makes it very easy to spot the evidence that is most impactful to my environment. Instead of having to go through all the evidence based on that priority, I can focus on the evidence that has the most impact on my environment."
        • "Also, they have a Firepower source file that I can work on the ASA device and on Firepower devices. A problem here lies in the way that you manage these devices. Some devices do not support the FMC, and some devices have to be managed through ASDM, and others have to be managed through FMC."

        How has it helped my organization?

        A lot of companies have a lot of vulnerabilities and lots of exploitations that are going inside their network that the IT staff are not aware of. You actually need a security device like a next-generation firewall to protect your network.

        Once we installed the Firepower system, we started looking at the evidence, and we found a lot of exploitations and a lot of bad things that are in the network. These things were invisible to IT, they were unaware of any of them.

        What is most valuable?

        The Firepower Management Center is an easy way to manage the devices centrally. I guess this is something that all vendors provide so it's nothing special. I like the way Firepower presents the data. It gives you two classifications for the evidence, something based on the priority of the evidence and another classification based on the impact of the evidence in your environment. This makes it very easy to spot the evidence that is most impactful to my environment. Instead of having to go through all the evidence based on that priority, I can focus on the evidence that has the most impact on my environment.

        Sometimes you might have a high priority event but it has nothing to do with your environment. You have a vulnerability. You don't have to treat a vulnerability as an attack. Since you're not vulnerable, it's not impactful to your environment so you don't have to focus on it. This is something that other products don't provide. 

        It is very flexible. You can have the next generation firewall work as a physical connection or as a Layer 2 device. You can have a combination of Layer 2 and Layer 3, which is really good. 

        What needs improvement?

        There are quite a few things that can be improved. Firepower is an acquisition from another company, and Cisco's trying to put it together. Their previous ASA code with the Sourcefire code that they have acquired a few years ago still has some features that are not fully supported.

        Also, they have a Firepower source file that I can work on the ASA device and on Firepower devices. A problem here lies in the way that you manage these devices. Some devices do not support the FMC, and some devices have to be managed through ASDM, and others have to be managed through FMC.

        Most of the high-end devices do not support Onboard management. The Onboard management is only supported on the 2100 IP at the 1050 Firepower and on select ASA devices that bear the Firepower image.

        It would be very nice if the Onboard management integrated with all the devices. Log key loading for the evidence at the logs, because clearly you only have loading on the remote on the FMP, you cannot store the logs located on the device.

        For how long have I used the solution?

        I have been using this solution for around two years.

        What do I think about the scalability of the solution?

        We have several thousand employees at the company.

        How are customer service and technical support?

        Their technical support is good. 

        How was the initial setup?

        The initial setup was straightforward. 

        What's my experience with pricing, setup cost, and licensing?

        The pricing is overrated. Prices for Cisco equipment are always a little bit higher than other vendors. Customers are always complaining about the high prices of Cisco equipment, so it would be very good if these prices can be lowered down, but that's how it is. Cisco equipment usually has higher prices than its competitors.

        What other advice do I have?

        I would recommend this solution to someone considering it. I would recommend to study and know what the requirements are exactly. One of the things that might be a problem, or might be a complex thing to do is to go through Cisco Firepower, because Firepower is a software that's complex to explain to somebody. There is the previous ASA code that Cisco had and there is the Sourcefire that they acquired. Cisco started to send it as ASA Firepower services. Then they combined the two codes together and they started to send a new code called the Firepower Threat Defense, FTD.

        Any customer who wants to buy it needs to understand all of these options and what the limitations of each option are, the pros and cons. Any customer who wants to deploy Firepower needs to understand what Cisco has to offer so he can choose correctly.

        I would rate it a seven out of ten. 

        Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
        PeerSpot user
        Ahmad Alkoragaty - PeerSpot reviewer
        IT Consultant at MOD
        Consultant
        Protects our network from external threats and has good stability
        Pros and Cons
        • "The most valuable feature is that it has the ability to divide the network into three parts; internal, external, and DMZ."
        • "I would like for the user interface to be easier for the admin and network admin. I would also like to be able to access everything from the GUI interface. The way it is now, it needs somebody experienced in iOS to be able to operate it. I would like to have a GUI interface."

        What is our primary use case?

        Our primary use case is to protect our network from external threats. We need to keep our portal safe. 

        We use the public cloud model of this solution. 

        What is most valuable?

        The most valuable feature is that it has the ability to divide the network into three parts; internal, external, and DMZ. 

        What needs improvement?

        I would like for the user interface to be easier for the admin and network admin. I would also like to be able to access everything from the GUI interface. The way it is now, it needs somebody experienced in iOS to be able to operate it. I would like to have a GUI interface.

        It should have integrated licenses with our other products. There should be a license bundle, like for firewalls and iOS. It would be better if it was a bundled license. 

        For how long have I used the solution?

        We have been using this solution for ten years.

        What do I think about the stability of the solution?

        It's very stable.

        What do I think about the scalability of the solution?

        The scalability is good. We have around 1,500 users. The users are regular end-users, network admins, technicians, etc. 

        We require three admins for this solution. We require five staff members for the deployment and maintenance. 

        It is used weekly. We do plan to increase the users.

        How are customer service and technical support?

        Their technical support is good. We have a maintenance contract with them for two years and we plan to renew the contract. 

        How was the initial setup?

        The initial setup was straightforward. It took around two to three days to implement. 

        What about the implementation team?

        We used a Cisco partner for the implementation. They were knowledgeable and did a good job.

        What's my experience with pricing, setup cost, and licensing?

        There are no additional costs to the standard licensing fees. 

        Which other solutions did I evaluate?

        We don't evaluate different solutions because our infrastructure is Cisco-based. We wanted it to be homogeneous with our infrastructure. 

        What other advice do I have?

        I would advise someone considering this solution to have a technical support or maintenance contract with the vendor or a third-party to help maintain the product. Without help with maintenance, there is no value to the product.

        You should have a good technician and admin support for all this product in order to maximize the value and benefits. 

        I would rate it an eight out of ten. 

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Mustafa Ahmed - PeerSpot reviewer
        Network Security Engineer at qicard
        Real User
        Valuable firewall solution for enterprise organizations who need reliable flexible security
        Pros and Cons
        • "A powerful enterprise security solution that is dependable."
        • "The GUI interface could be improved when compared to other solutions."

        What is our primary use case?

        Our primary use for the solution is as a firewall. We implemented it as an IT tech solution for our accesses through Sourcefire. It provides security.

        How has it helped my organization?

        The main product in our company is dependent on Cisco as a security solution. Cisco has a great reputation in the market. We are using Cisco as our main firewall in the company because it provides the best security.

        What is most valuable?

        The most valuable feature is for IT security management. It is extremely valuable to protection so that is the most valuable feature.

        What needs improvement?

        I'm not really sure that much has to be improved. Compared to other firewall solutions probably the thing that could be improved is the interface — the GUI. Other than that I don't think there is anything else that could be better. I think it is a great product.

        For how long have I used the solution?

        I have been using the product for two years.

        What do I think about the stability of the solution?

        I believe that Cisco is one of the most stable firewall solutions. Compared to other solutions, Cisco has a better stability record than others. That's why we like it a lot.

        What do I think about the scalability of the solution?

        I don't know that we have plans to scale the business on this site. But Cisco products are expandable. If we want to expand the functionality with new feature sets we can add modules. So in that way, it is a flexible and scalable solution. 

        We currently have 200 to 500 users who are using this solution at any time.

        How are customer service and technical support?

        We have used technical support quite a bit and always contact them if we have an issue. They will always respond as soon as possible. So I think the support is great. We don't have any issue with them being unresponsive or providing bad solutions. I like to check with them on solutions sometimes and they respond as soon as possible. It saves time and helps me to be sure I am doing the right thing before I go in the wrong direction.

        Which solution did I use previously and why did I switch?

        I don't know the exact product they were using before but I think it was just proxy. When I came to the company, the Cisco solution had already been installed, so I don't know the exact product from before.

        I think the main reason why they would have switched is the stability and possibilities are better than just proxy. Cisco is very different and more powerful than the other simple products. It's very stable.

        How was the initial setup?

        I wasn't part of the company at the time of the initial setup, and I am just performing additional tasks. We have a staff of a maximum of three or four persons so once the deployment is live it doesn't need much effort.

        I'm not sure if the company has plans to increase usage and grow our responsibilities. It's not for me to decide. I think the company is growing and traffic is increasing. But my superior is the person responsible for determining when it is time to scale.

        What about the implementation team?

        We used a consultant for the implementation. They actually continue to help a lot when we need them for something.

        Which other solutions did I evaluate?

        I don't know if the company evaluated other solutions before choosing Cisco. When I came to the company, it was already there. Cisco is a very popular enterprise solution so they may have just chosen it without other evaluations.

        What other advice do I have?

        On a scale of one to ten with one being worst and ten being best, I would rate Cisco SourceFire Firewall as a nine. It could easily be a ten if it had a better GUI interface.

        As far as making recommendations to other people about the product, I recommend they buy it if they need an enterprise solution. Also, I would recommend other Cisco solutions like Cisco AMP (Advanced Malware Protection). 

        I think most large companies that require strong security should always use Cisco because it's stable, scalable, and has many features. Enterprise organizations will benefit from Cisco because their business requirement will be more complicated and require a better solution and more flexibility. I think all the companies should use Cisco because it's number one in the market and has the best security, better stability, and better scalability.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        IT Specialist at a government with 1,001-5,000 employees
        Real User
        A flexible and easy to manage solution for segregating our servers from the rest of the environment
        Pros and Cons
        • "The most valuable features are the flexibility and level of security that this solution provides."
        • "There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue."

        What is our primary use case?

        We use this solution as a firewall and for the segregation of our servers from the rest of the environment.

        How has it helped my organization?

        Instead of using multiple firewalls, we only need to rely on this solution. It has a small footprint.

        What is most valuable?

        The most valuable features are the flexibility and level of security that this solution provides. 

        What needs improvement?

        There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue.

        Some of the features should be baked-in by default.

        What do I think about the stability of the solution?

        Stability has been pretty good, so far.

        What do I think about the scalability of the solution?

        This solution is very scalable.

        How are customer service and technical support?

        We have contacted technical support about an issue that we were having, and it took a very long time for them to figure it out. We were on the phone for six or seven hours with them.

        Which solution did I use previously and why did I switch?

        We previously used an ASA 5500, and it was simply time to upgrade it. We used this solution as a direct replacement.

        How was the initial setup?

        The initial setup of this solution is pretty straightforward.

        Which other solutions did I evaluate?

        We are not restricted to any one vendor, but this solution worked well as a direct replacement for our previous one. We considered both Juniper and FortiGate.

        What other advice do I have?

        This is a very straightforward firewall. There is a management platform with its own operating system. Just make sure that everything is set up properly for your uplink switches because that is an issue that we ran into.

        I would rate this solution a nine out of ten.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        it_user861456 - PeerSpot reviewer
        Senior Information Security Engineer at a financial services firm with 501-1,000 employees
        Real User
        Enables admins to be able to troubleshoot easily and has good traffic analytics features
        Pros and Cons
        • "For business purposes, it's a very detailed solution, which is its greatest benefit, as you can get almost any piece of information you need from the solution. It allows for admins to be able to troubleshoot pretty easily."
        • "I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it."

        What is our primary use case?

        We use it as a network firewall.

        How has it helped my organization?

        For business purposes, it's a very detailed solution, which is its greatest benefit, as you can get almost any piece of information you need from the solution. It allows for admins to be able to troubleshoot pretty easily.

        What is most valuable?

        The solution is part of a suite. If you pay for it, it has basically a view that's called Firepower, and it's really good at being able to analyze exact bits of a pack, at the packet level, and has the ability to allow you to examine that traffic. It is really good. That's probably my favorite part of the suite.

        What needs improvement?

        I would definitely say the pricing could be improved. If you're going to get the latest and greatest of this solution, it's very expensive and it's actually the reason my organization is moving away from it.

        I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it.

        For how long have I used the solution?

        I've been using the solution for around one year.

        What do I think about the stability of the solution?

        We haven't had any major issues in regards to stability. In general, there are best practices in the industry to use. It's never really mattered because generally, with firewalls, you have two in any given location or service. They seem to be redundant of each other. So there's never been a problem where we lost functionality because of the firewall.

        What do I think about the scalability of the solution?

        It's pretty scalable. Cisco is a large enterprise solution and it's designed to be able to serve large enterprise, so, it's fairly scalable. We're using the solution minimally at this point, and we're decreasing usage because it's too expensive to upgrade.

        How are customer service and technical support?

        They have pretty good customer support. The solution's technical support is great.

        Which solution did I use previously and why did I switch?

        I had not previously used another solution.

        How was the initial setup?

        I was not with the organization when they originally rolled it out, so I can't speak to how straightforward or complex the initial setup was. There are about six people who manage the solution. We have security engineers and network engineers. If someone is trying to get an idea of how many people are required, it varies because a lot of organizations will have multiple firewalls in different locations. Six for one organization may be way more than somebody needs or way fewer than somebody needs.

        What about the implementation team?

        We didn't use any other group for the deployment. We did all the work in-house.

        What's my experience with pricing, setup cost, and licensing?

        My company is moving away from the solution because it is quite expensive.

        Which other solutions did I evaluate?

        We've looked at the Fortinet solution. The Fortinet FortiGate.

        What other advice do I have?

        I would just say that it's expensive. The product is fine on its own, it's high end. It's got a high brand name attached to it. I would recommend the product, however. The product works great. It does everything it's supposed to do. There's no issues with it, no real concerns. It's just expensive.

        I would rate it an eight out of 10 because it does everything it's designed to do, but it is not any better than other industry-leading solutions, and it's far more expensive.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Network Engineer at a comms service provider with 1,001-5,000 employees
        Real User
        Protects from external threats to our network as a firewall and VPN solution
        Pros and Cons
        • "A stable and solid solution for protection from external threats and for VPN connections."
        • "It is not the newest, cutting-edge technology"

        What is our primary use case?

        The primary use of Cisco ASA (Adaptive Security Appliances) for us is to protect from external threats to our network as a firewall and VPN solution.

        How has it helped my organization?

        Cisco ASA serves a purpose more than it improves us. It is good at what it does. We are using other vendors and splitting the traffic to different devices based on what they do best. Even though we use other products the trend at our company is that we will increase the traffic through Cisco ASA.

        What is most valuable?

        It's difficult to say what features are most valuable because ASA is not a cutting-edge device. It's rather more stable and proven than modern. It's difficult to suggest adding features because with new features we are adding something new, and that means it could be less stable. New features are not the reason we use the solution — it is almost the opposite. The most valuable part of the solution is dependability.

        It's already a mature and stable product. I prefer not to use the newest software — even if Cisco suggests using the newest — because this is a critical security device.

        What needs improvement?

        My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. 

        They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA.

        Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA.

        I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough. 

        For how long have I used the solution?

        We have been using the solution for about five years.

        What do I think about the stability of the solution?

        It is a stable solution. It is predictable when using different protocols and mechanics.

        What do I think about the scalability of the solution?

        We've used several models of the product, from the smallest to the biggest. I think that this family of the ASAs is scalable enough for everything up to an enterprise environment. I think the family of products is able to handle small and large company needs.

        How are customer service and technical support?

        Cisco is a well-known vendor and its support is good. In my previous company, we sometimes used a vendor rather than direct Cisco support, but sometimes we used Cisco. For ASA in my current company, we have additional support from the local vendor. If we have a problem we can also initiate a ticket directly on the Cisco support site.

        Which solution did I use previously and why did I switch?

        About one-and-a-half years ago we implemented a different solution to handle certain situations like BGP. But when we upgraded our Cisco devices just a few months ago, we could have BGP on ASA. Now our devices from Cisco have enhanced capability, not just something new and maybe less dependable. Implementing BGP on ASA was a late addition. It had been tested, the bugs were worked out and engineers wanted the solution. The stability of ASA as an older solution is what is important.

        How was the initial setup?

        I think it is not the simplest solution to set up because it is sophisticated equipment. For engineers to work with vendors and incorporate totally different solutions, it could be difficult. It is also different from the other Cisco devices like Cisco Router IOS. It differs in a strange way, I would say, because the syntax or CRI differs. If you are used to other OSs, it is not easy to switch to ASA because you have to learn the syntax differences. 

        It's common for there to be differences in syntax between vendors. But, I would say that this is more complex. The learning curve for start-up and configuration of ASA is at mid-level when it comes to the difficulty of implementation.

        What about the implementation team?

        I did the implementation myself. ASA is not the newest solution for Cisco or the newest equipment. You can use the vendor and ask for help if you need it during the installation and for support. Because it was an older solution, it was already somewhat familiar to me.

        Which other solutions did I evaluate?

        My current company has been using ASA for quite a long time, so I was not involved in the choices.

        I have been participating in choosing a new vendor and new equipment for some specific purposes as we go forward. For a next-generation firewall, Cisco's product — a combination of ASA and Firepower — is not the best solution. We are choosing a different vendor and going with Palo Alto for next-generation solutions because we feel it is better.

        What other advice do I have?

        I think I can rate this product as an eight out of ten. A strong eight. The newest version of software and solutions often have bugs and functional problems because they have not been rigorously tested in a production environment. It is not the modern, next-generation firewall, but it solidly serves simple purposes. For simple purposes, it's the best in my opinion. I am used to its CRI (Container Runtime Interface) and its environment, so for me, familiarity and stability are the most important advantages.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Jonathan LELOU - PeerSpot reviewer
        Ingénieur technico-commercial at Inter-Continental Business Machines (ICBM)
        Reseller
        Good for building a solid security solution for a company
        Pros and Cons
        • "The best solutions for our company are those we have yet to implement so it will be even better in the future for us than it already is."
        • "The user interface is too complex for people who are not trained to or certified to engage with the product. The interface should be easier to use."

        What is most valuable?

        We haven't deployed all the possible services from Cisco yet, but I started to research more of the ones that are available and I think Firepower will end up being the best, most valuable solution for us.

        What needs improvement?

        I think the visibility of the network can be improved, at least from our current setup. I do not know everything about the solution and exactly how it can be modified.

        Another way they can improve is their pricing. One thing I notice about the price is that it would be good if they could adapt the price to the area where a company is. West Africa is not the same as India or the USA, and it is much more difficult to afford. If Cisco can manage this for our people it would help us implement better solutions.

        To upgrade to some Cisco solutions or features you have to invest resources to create the solution or pay the difference for that functionality to upgrade services or license. It is not really an all-in-one solution. So if Cisco could manage to build an all-in-one solution with most or all of the features we would be looking for in one solution, it would be better for us.

        For example, if you want faithful service from the company and equipment, you have to pay more just to get the solutions. If it's included it would be easier for us to deploy.

        For how long have I used the solution?

        I've been using the solution with my newest employer for over three years.

        What do I think about the stability of the solution?

        For me it is stable. It is amongst the best products in that way.

        What do I think about the scalability of the solution?

        It is a scalable solution. It may cost money and resources to scale.

        How are customer service and technical support?

        I have not had direct experience with technical support for the firewall. I contacted support for the switching. For the firewall, I have not had to contact them at all.

        Which solution did I use previously and why did I switch?

        Before I used Fortinet FortiGate. But when I moved from the previous company to this company they had a different solution. That is why I switched.

        How was the initial setup?

        The initial setup was a little complex for me because I had been using a different solution. But how complex something is will depend on the mind of that person. For me, it was a little complex. However, it really only took one day to set it up.

        Step by step, when I work with the product for a longer period of time and gain experience, it will be very easy for me.

        What about the implementation team?

        I did the implementation by myself.

        What other advice do I have?

        If people want to build a solid security solution for their company, I think this solution is the best but it would depend on the configuration of your company. For a good company to have a good solution for security, you can choose the Cisco firewall for that and be confident. 

        I think I can give that product an eight out of ten. It comes down to the user interface. It needs to be easier so that more people can quickly develop the skills to manage the product. It would be better for us right now for more people to have certification or to just develop the skills to use the product. But if Cisco made it easier and took away the need for certification, it would be easier for us to use company-wide and have more people involved.

        Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
        PeerSpot user
        Integration / Wireless Engineer at J.B. Hunt Transport Services, Inc.
        Real User
        Provides security and visibility for our network, and it is easy to integrate
        Pros and Cons
        • "The most valuable feature of this solution is its ability to integrate vertically."
        • "There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there."

        What is our primary use case?

        We primarily use this solution for network security.

        How has it helped my organization?

        This product has increased the visibility in our network.

        What is most valuable?

        The most valuable feature of this solution is its ability to integrate vertically.

        What needs improvement?

        There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.

        What do I think about the stability of the solution?

        This is a highly stable solution.

        What do I think about the scalability of the solution?

        This solution is very scalable.

        How are customer service and technical support?

        Technical support for this solution is good. The response times meet our expectations and we have not had any issues.

        Which solution did I use previously and why did I switch?

        We have always been using this same solution, but previous versions. We update them in trying to keep up with the amount of data coming through, such as more streaming.

        How was the initial setup?

        The initial setup of this solution was straightforward. We had the proper documentation to reference.

        What about the implementation team?

        We deployed this solution in-house.

        What was our ROI?

        I don't work with the numbers, but I can say that it's great for security and has improved our effectiveness at the office.

        What's my experience with pricing, setup cost, and licensing?

        The cost of this solution is high.

        Which other solutions did I evaluate?

        We did evaluate another option, but we stayed with the Cisco solution because it's trustworthy.

        What other advice do I have?

        This is a good product from a trustworthy vendor, but it is not perfect.

        I would rate this solution an eight out of ten.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Bashir Bashir - PeerSpot reviewer
        IT Administrator at Vegol
        Real User
        A stable solution with good monitoring and VPN capabilities
        Pros and Cons
        • "The stability is good. Very simple. Upgrades are great."
        • "They really need support for deployment."

        What is most valuable?

        The VPN and monitoring are the most valuable features.

        What needs improvement?

        I tried to buy licenses, but I had trouble. Their licensing is too expensive.

        If they can get the reporting to go into deeper detail, it would really be helpful because in order to get the reports in Cisco you have to go to look at the information that you don't necessarily need. 

        Also, the pricing is quite high. 

        For how long have I used the solution?

        I've been using the solution for six years.

        What do I think about the stability of the solution?

        The stability is good. Very simple. Upgrades are great. But when we upgrade it, things break. You have to upgrade about three things before you get something stable.

        What do I think about the scalability of the solution?

        I haven't had to scale, so I can't speak to this aspect of the solution.

        How are customer service and technical support?

        I haven't had to deal with technical support, so I don't have much to say.

        Which solution did I use previously and why did I switch?

        We didn't previously use a different solution.

        How was the initial setup?

        The initial setup was straightforward.

        What about the implementation team?

        I did the setup myself. The budget I had didn't allow me to get support. I would use Google a lot. The first implementation took me about three weeks because I did not know what I was doing. So it took me a while. It took me about three weeks, but everything else took about two days, maybe three days and I was done. 

        Which other solutions did I evaluate?

        We did look at Barracuda.

        What other advice do I have?

        They really need support for deployment.

        I would rate this solution nine out of 10 because I think if you have the budget and you plan it properly I think you won't have the initial deployment problems I faced.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Senior Network Administrator at a financial services firm with 1,001-5,000 employees
        Real User
        The granularity keeps users seeing what they are supposed to and enables the security not to become compromised
        Pros and Cons
        • "An efficient, easy to deploy and dependable firewall solution."
        • "The interface for monitoring could be improved to allow better views to make troubleshooting easier."

        What is our primary use case?

        Our primary use for the solution is for checking on and verifying the security of our customer data.

        How has it helped my organization?

        Our organization has been improved by the solution because we can be assured that the firewall is secure. It gives us more flexibility to monitor other things. Because we have safe firewalls, we don't have to worry about that and can direct resources elsewhere. If our internet goes down in one location we can bring it back up pretty easily.

        What is most valuable?

        The thing we've found most valuable is the efficiency. The firewalls are easy to configure and deploy. Overall it is an easy system to manage.

        Another valuable feature is just how granular we can get with it so we can keep users seeing what they are supposed to and don't compromise security.

        What needs improvement?

        One way the product could be improved is if you could monitor more than one rule at a time. We only have the option to have one monitor window up at a time. If you're trying to troubleshoot something, you end up switching back and forth and don't get the bigger picture all at once.

        It's reliable and it does its job. It gives you the freedom to do other things while you get indications of any issues. The multi-monitor would be a huge improvement.

        I'd definitely recommend the product. Even when you set it up for the first night, it definitely will tell you the status of the network. The important part in the setup is following the instructions to get it going.

        What do I think about the stability of the solution?

        The solution itself is good as far as stability.

        How are customer service and technical support?

        The technical support is good and the response time quick. We had some firewalls down and gave them a call. They helped resolve the issue and it was all positive.

        Which solution did I use previously and why did I switch?

        Previous to this we had just a normal firewall that I didn't like. It didn't provide enough.

        How was the initial setup?

        The setup was straightforward, even without initially having all the information we needed. It was very intuitive. When I went in to get help, help was there.

        What about the implementation team?

        We got the product from a reseller and we did the installation ourselves.

        What was our ROI?

        We certainly have seen a return on investment at the very least from being able to reallocate human resources.

        Which other solutions did I evaluate?

        Before selecting this as a solution we really didn't evaluate other options at all.

        What other advice do I have?

        As far as rating this product, I would give it a nine out of ten. The only real drawbacks are the lack of multi-monitoring and not really having clear instructions prior to jumping in and implementing it.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Solutions Architect at a manufacturing company with 10,001+ employees
        Real User
        Increases efficiency of servicing our customers by joining our networks
        Pros and Cons
        • "This solution is easy to use if you know how to set it up."
        • "The inclusion of an autofill feature would improve the ease of commands."

        What is our primary use case?

        We use this solution to join our private network to the customer's network.

        In our business, we don't have to be on the customer's network, so a lot of people will install cheap equipment. We're trying to push it to where we can standardize the equipment, although the cost of Cisco products would have to come down a little bit in order for us to be more competitive.

        How has it helped my organization?

        Firewalls are difficult, and this solution gives us outside access to connect with the customer's network and service them better. It makes us more efficient.

        What is most valuable?

        This solution is easy to use if you know how to set it up.

        The most valuable features are on the routing side, with the control between the two networks and the rules that are in there.

        What needs improvement?

        The inclusion of an autofill feature would improve the ease of commands.

        This solution would benefit from being more cost-effective.

        What do I think about the stability of the solution?

        This solution is very stable, and I haven't seen any issues with it.

        What do I think about the scalability of the solution?

        Scalability doesn't really apply to us, as it is just a firewall client.

        How are customer service and technical support?

        Technical support for this solution is really good. We had an issue with a firewall and it was a good turnaround that was quick.

        Which solution did I use previously and why did I switch?

        Our implementation of this solution was driven by the customer.

        How was the initial setup?

        The initial setup of this solution is pretty straightforward. We did have some rules that somebody had put on it that didn't match up, but we got it all worked out.

        What about the implementation team?

        We implemented this solution in-house.

        What's my experience with pricing, setup cost, and licensing?

        With respect to the routers and switches, or the core stacks that we get, they seem to be pretty comparable so I don't have any issues with the licensing.

        Some of our customers would be more likely to standardize on Cisco equipment if the cost was lower because a lot of people install cheap equipment.

        Which other solutions did I evaluate?

        While we have a partnership with Cisco, there are other products that have been used within the company. After evaluating other products such as those by Barracuda, it just happened that this solution worked out better for us. I like the Cisco reputation.

        What other advice do I have?

        With this solution, we have everything that we need. I don't know about other people's use cases, but ours is pretty straightforward.

        My advice to anybody researching this type of solution is to stick with Cisco products, no matter which one it is. We've had pretty good luck with everything from Cisco.

        I don't have any issues with this solution, so I would rate it a ten out of ten.

        Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
        PeerSpot user
        George Karani - PeerSpot reviewer
        IT Manager
        Real User
        Simplified VPN Interconnection, easy to manage, and scales well for SMB
        Pros and Cons
        • "The feature I find most valuable is the Cisco VPN Interconnection."
        • "They should allow customers to talk to them directly instead of having to go through the reseller."

        What is most valuable?

        The feature I find most valuable is the Cisco VPN Interconnection.

        The file features are useful as well. They're good at packet tracing. They are very straightforward. I would say that the Cisco ASA ASDM makes it very easy to manage the firewall.

        What needs improvement?

        I would say the pricing could be improved. It's quite expensive, especially for the economy.

        I'd like to see more integration so that I don't need other parties for protecting my network. If I could just have ASA firewalls for perimeter protection and LAN protection, then I'm good. I don't need so many devices.

        I would like to see improvements for client protection.

        For how long have I used the solution?

        I've been using the solution for four years.

        What do I think about the stability of the solution?

        My impression is it's a stable solution. I could sound biased, but if you have a device working for four years and it's still working and people are using it, then it's stable.

        What do I think about the scalability of the solution?

        Scalability depends on which device you have.

        It's quite scalable if you have either the ASA, even if you had the new ASA firewall services, even if you had the one with the capacity of about 500 MDP. It isn't scalable for three hundred people connecting to it. I would say it is good for medium branch offices.

        I'm not sure if we have plans to extend the service.

        How are customer service and technical support?

        Technical support is good. The only thing is that Cisco cannot support you unless you have a contract with them. You have to go through the reseller in Africa. I don't see why Cisco cannot communicate directly with the customer, especially when I can prove that I have the device. They should allow customers to talk to them directly instead of having to go through the reseller.

        Which solution did I use previously and why did I switch?

        I previously used SonicWall. I'm not the one who decided to switch, I just know that previously we used SonicWall.

        How was the initial setup?

        The initial setup was straightforward. Within an hour you're done, including with your basic training. For implementation, you need one to two people. You should have one senior network administrator. Two people can maintain it if they have the skill.

        What about the implementation team?

        I did the implementation by myself. If you decide to do it by yourself, you need basic knowledge. If you don't have that you would need a contractor.

        What's my experience with pricing, setup cost, and licensing?

        This solution might be expensive, but it is economical in the long run.

        What other advice do I have?

        The functionality is fine.

        When they prove to me they cannot be hacked then I can give them a ten.

        I would rate this solution as eight out of ten. 

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Technical Manager at a comms service provider with 501-1,000 employees
        Real User
        Offers good security and stability
        Pros and Cons
        • "What I like about Cisco is the security zone. By default when you configure it, it gives you a security zone, which other firewalls don't have."
        • "I wish the Cisco interface was not so granular. Check Point was easier to create specific rules than with ASAv."

        What is most valuable?

        One important aspect of deploying a Cisco ASA firewall is that it obliges you at the beginning to define your security levels, which makes it easier when making your security policy (traffic allowed from source to destination).

        A security level defines how trusted an interface is in relation to another interface on the Cisco ASA.

        The higher the security level, the more trusted the interface.

        The highest security level is “Security Level 100”.

        Nowadays other firewall manufacturers try to adopt the same deployment principle as the Cisco ASA with security levels; however, the Cisco ASA does have other interesting features which I think are very useful:

        - Firepower services

        - Security context

        - Firepower management



        What needs improvement?

        Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall, for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compared to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.

        For how long have I used the solution?

        I've been using the solution for the past three years.

        What do I think about the stability of the solution?

        The Cisco ASAv is really stable, especially if you compare it to Check Point. Not long ago Check Point did release one virtual firewall, and the virtual firewall of Check Point is not stable.

        The hardware version of the firewall is more stable than the virtual one. In terms of the data center, many companies have a virtual data center in a group environment. Many companies want to have a virtual firewall, but the one from Check Point, in comparison to Cisco, is not stable at the moment. 

        What do I think about the scalability of the solution?

        The solution is really scalable.

        How are customer service and technical support?

        I haven't dealt with technical support. We just check online, and if we have to contact Cisco about major issues, it's an internal department dealing with that. I don't know how technical support is, because our technical support team is located in Sofia, and I am in the Netherlands, so I don't have any view on that.

        How was the initial setup?

        The setup is always different. If you have a small company, the setup is quite easy, but if you have a bigger company the setups are quite complex. Cisco is pretty good in routing. So in bigger situations, configuring the ASAv file is pretty straightforward.

        The deployment also depends on the customer's site. So, the time changes because most of the time we have to do a migration. For example, some customers have an old firewall, and you have to migrate things to a new one. And sometimes, it's just copy/paste, but in some situations, we cannot migrate all firewall configurations to a new one.

        In terms of how many people you need for deployment and maintenance, again, it's dependent on the company strategy around the help desk. You should have a maintenance engineer who should be part of a team. The deployment will be done in a team. You can have one person to do the deployment but usually, you always have a backup, so it would be two. And then, for the maintenance, it can be one person or two. The maintenance can be done on the site desk, operating after office hours, so it depends.

        What other advice do I have?

        It's difficult to give specific advice on the solution because it always depends on the design solution and the strategy. So what I would recommend is to use different firewalls and to use Cisco ASAv as a border firewall.

        I would rate this solution as 7.5 out of 10. I wish the Cisco interface was not so granular. Check Point was easier to create specific rules than on ASAv, so that's why I say this. If you want to make things easier for an engineer, you always have to work on the interface. But the product, in and of itself, there's nothing wrong with it.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        it_user1073460 - PeerSpot reviewer
        Security Solution Architect at a financial services firm with 5,001-10,000 employees
        Real User
        Good documentation for the configuration
        Pros and Cons
        • "The most important feature is its categorization because on the site and social media you are unified in the way they are there."
        • "I see room for improvement when it comes to integrating all the devices into a central management system. Cisco doesn't provide this, but there are some good products in the market that can provide it."

        What is our primary use case?

        I worked for a Telecom provider, and we gave this solution to our customers.

        What is most valuable?

        The most important feature is its categorization because on the site and social media you are unified in the way they are there.

        What needs improvement?

        I see room for improvement when it comes to integrating all the devices into a central management system. Cisco doesn't provide this, but there are some good products in the market that can provide it.

        Apart from the cost, I think Cisco is quite well-positioned in the market. Also, in terms of site capabilities, other companies are still in the lead. 

        The price, integration, and licensing models are quite odd.

        For how long have I used the solution?

        I have been using Sourcefire for two or three years.

        What do I think about the stability of the solution?

        We didn't have any problem with its stability.

        What do I think about the scalability of the solution?

        Scalability depends on the requirements of the license. The licensing scheme is complicated and not straightforward. I think there were around 200 users, sometimes more.

        Which solution did I use previously and why did I switch?

        We used to use Fortinet, but we switched because of the lack of integration.

        How was the initial setup?

        The initial setup was of a medium complexity. This was especially true when it came to integration of the data servers.

        What about the implementation team?

        We used a consultant. They were very helpful. The documentation was quite easy to find for configuring the devices. We thought the boxes would be more parceled or more completely behind, but it was not a problem. The data was there.

        What other advice do I have?

        I would recommend this solution. I would rate this solution as eight out of ten.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Farhad Foladi - PeerSpot reviewer
        Cloud Services Operation Engineer at Informatic Services Company (ISC)
        Real User
        The end-user VPN with ASA allows us to connect the firewall to edge servers for security
        Pros and Cons
        • "We are using the Cisco AnyConnect for our end-user VPN with the ASA."
        • "I would like to see them release a patch for ASAv with cross-platform FirePower integration."

        What is our primary use case?

        We are using both Cisco ASAv and FTD (Firepower Threat Defense). FTD has a better interface, but we have both of them running.

        We are using Cisco ASAv for the FirePower service. We use a custom interface for our firewall.

        How has it helped my organization?

        Cisco ASAv is part of our central solution. You can use the ASA family or go on the portal for normal ASAv. We use FirePower at the edge of the network. 

        If you are working with cloud services, it's better to use the ASAv family or other Cisco solutions.

        What is most valuable?

        We are using the Cisco AnyConnect for our end-user VPN with the ASA. 

        If a user wants to connect to our network, they access it via the Cisco intranet and connect to the firewall at the edge.

        What needs improvement?

        I don't have any experience with the price, but ASA is a comprehensive solution.

        In the next update of the Cisco ASAv, I would like to see them release a patch for ASAv, i.e. to put the FirePower solution into the cross-platform integration.

        For how long have I used the solution?

        We have been using the Cisco ASAv security solution in our company for three or four years.

        What do I think about the stability of the solution?

        Normally, in ASA, we have good stability.

        What do I think about the scalability of the solution?

        The scalability of ASAv we can easily manage. We can have good scalability in different times but we don't have HA in ASAv. Some features are removed in ASAv. 

        If it's a normal ASA, i.e. a physical device, you have many more ways to scale.

        How are customer service and technical support?

        For technical support, I have little experience with Cisco, unless they patch some issues. I raised a ticket and got the response immediately. They are very supportive.

        How was the initial setup?

        For me, ASA is easy. The deployment of ASAv is done in 20 minutes.

        What about the implementation team?

        We used both an integrator and reseller for the deployment. For the initialization, it was me for our company. If we have an issue, we can raise a ticket or call for a Cisco patch. 

        For the Cisco ASAv installation, I did it myself.

        What's my experience with pricing, setup cost, and licensing?

        The pricing for Cisco ASAv depends on your license. With AnyConnect, it depends on your license. It depends on the number of concurrent users you want to connect.

        Our license is for one year only, renewable at variable pricing.

        What other advice do I have?

        On a scale from one to ten, I would rate this product at nine. Cisco ASAv is good in many advanced networking features.

        I'm working with Cisco. They have competition with many vendors.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Michael Collin - PeerSpot reviewer
        Senior System Engineer at a tech services company with 11-50 employees
        MSP
        Easy to use and easy to understand how to open a port, how to manage and how to route a device
        Pros and Cons
        • "The web interface was easy for me. The configuration is logical, so it's easy to use and easy to understand how to protect, how to open a port, how to manage and how to route a device. That's why I prefer Cisco. It's robust and I never have issues with the hardware. That's why I choose Cisco and not another vendor."
        • "The service could use a little more web filtering. If I compare it to Cyberoam, Cyberoam has more web filtering, so if you want to block a website, it's easier in other solutions than in Cisco."

        What is our primary use case?

        I primarily use it for my small company to protect 5-10 users.

        What is most valuable?

        The web interface was easy for me. The configuration is logical, so it's easy to use and easy to understand how to protect, how to open a port, how to manage and how to route a device. That's why I prefer Cisco. It's robust and I never have issues with the hardware. That's why I choose Cisco and not another vendor.

        What needs improvement?

        The service could use a little more web filtering. If I compare it to Cyberoam, Cyberoam has more web filtering, so if you want to block a website, it's easier in other solutions than in Cisco. I think in Cisco it's more complicated to do that, in my opinion.

        It could also use a better web interface because sometimes it's complicated. The interface sometimes is not easy to understand, so maybe a better interface and better documentation.

        For how long have I used the solution?

        I've been using this solution for 8 years.

        What do I think about the stability of the solution?

        My impression of the stability of the solution is that it's very good.

        What do I think about the scalability of the solution?

        I don't have a sense of the scalability. I never extend the processes or usage.

        How are customer service and technical support?

        My experience with customer service is very good in general. When I have a good person on the phone, or on the email, it's in general very fast and the reply is good. It's a good solution in general.

        Which solution did I use previously and why did I switch?

        I previously used Juniper before Cisco, but only for one year. I switched because my company only used Cisco.

        How was the initial setup?

        The initial setup was not complex, it's just difficult to find out how to do it. The FAQ is not clear. In terms of deployment, it depends on the client, but deployment takes about an average of six hours.

        What about the implementation team?

        In general, I implement the solution myself.

        What other advice do I have?

        I would advise that if you want something robust, a good hardware solution, I think it's competitive and you have a good warranty, you have to choose Cisco.

        I would rate the solution 8 out of 10.

        Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
        PeerSpot user
        IT Infrastructure Manager at Beltone Financial
        Real User
        Secure, stable, and their technical support has excellent service
        Pros and Cons
        • "The features I found most valuable in this solution, are the overall security features."
        • "It could also use a reporting dashboard."

        What is our primary use case?

        We have around 250 users and security is extremely important for us. 

        What is most valuable?

        The features I found most valuable in this solution are the overall security features. 

        What needs improvement?

        The overall application security features can be improved. 
        It could also use a reporting dashboard. 

        For how long have I used the solution?

        Our company, Beltone Financial, has been using Cisco ASAv for about three years now.

        What do I think about the stability of the solution?

        I found that Cisco ASAv is a really stable solution. 

        What do I think about the scalability of the solution?

        I haven't tested scalability yet, but I believe it is a very scalable solution. We currently have 250 employees working on it without any issues.

        How are customer service and technical support?

        The few times I've had to call in technical support, the service was excellent. I've had no issues.

        Which solution did I use previously and why did I switch?

        Our company has used various other solutions in the past. We've decided to also install Cisco ASAv to add extra features to our system.

        How was the initial setup?

        The initial setup was straightforward and it took me about two days to do the installation. The fine tuning took about a week. I am the IT Infrastructure Manager of our company, but I don't believe that individuals without IT knowledge would struggle to do the installation themselves.

        What about the implementation team?

        We didn't use any consultant for the deployment - we installed and implemented Cisco ASAv ourselves and we didn't experience any problems.

        What's my experience with pricing, setup cost, and licensing?

        We pay an annual fee.

        Which other solutions did I evaluate?

        We have used many other solutions in the past and we constantly look out for other options. So we didn't switch to Cisco ASAv, we simply started using it together with another solution. We now use two products at the same time.

        What other advice do I have?

        I rate this solution an eight out of ten and I would definitely recommend it to other users. If the developers would add a reporting dashboard, and perhaps lower the pricing, I will rate it higher. But overall I am really satisfied with Cisco ASAv.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Donald Fitzai - PeerSpot reviewer
        LAN admin at Cluj County Council
        Real User
        Powerful firewall that is easy to manage and easy to configure
        Pros and Cons
        • "The firewall power that comes with Cisco ASAv is the most valuable asset. They are very easy to manage."
        • "We found it difficult to publish an antennae sidewalk with the ASDM. I think Cisco should improve this by creating a simpler interface for the firewall."

        What is our primary use case?

        We need a good and generic firewall which is why I bought Cisco ASAv. I also needed a secure VPN. The real reason I bought it though, was for the firewall. 

        What is most valuable?

        The firewall power that comes with Cisco ASAv is the most valuable asset. They are very easy to manage and configure. 

        What needs improvement?

        There definitely is room for improvement. We found it difficult to publish an antenna plug with the ASDM. Cisco should make the interface for the firewall more simple. 

        For how long have I used the solution?

        My company has been using Cisco ASAv for three years now.

        What do I think about the stability of the solution?

        This product is very stable. Before installing Cisco ASAv, I had two or three viruses in my network. Since installing ASA, I have not had any problems with viruses. There is a huge difference with and without ASA.

        How are customer service and technical support?

        I am satisfied with the customer service because the assistance I got from the Cisco engineer was very good.

        Which solution did I use previously and why did I switch?

        I used a different solution before. I used Meraki and it was a little simpler to use. However, currently, I only have Cisco routers.

        How was the initial setup?

        The initial setup for Cisco ASAv was fairly simple. It wasn't very complicated, it would be okay for an intermediate professional. It can be made easier. I believe almost anybody could set up an ASA in a few hours. It took about two to three weeks for the platform to work properly.

        What about the implementation team?

        The installation wasn't complicated at all and I got help from a Cisco engineer. 

        What's my experience with pricing, setup cost, and licensing?

        I bought a license for three years and it was really affordable. 

        Which other solutions did I evaluate?

        I did consider other options as I have experience with Meraki and other devices. Meraki is simpler to use, but I decided on Cisco ASAv. 

        What other advice do I have?

        I am really satisfied with the product and I rate this an 8.5 out of ten. The reason why I wouldn't rate it a ten, is because I find it a little more complicated to set up a firewall for publishing than when using Meraki. I therefore believe there is room for improvement.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Information Security Officer at a government with 501-1,000 employees
        Real User
        Lots of bug fixes are required and it did not pass our in-house evaluation
        Pros and Cons
        • "Integration with all the other Cisco tools is valuable."
        • "With regards to stability, we had a critical bug come out during our evaluation... not good."

        What is our primary use case?

        We performed an in-house evaluation of Cisco ASA NGFW for use as an Internet Gateway Firewall and internal East-West traffic firewall between security zones. We are historically a Cisco shop and were planning on it being the top contender for our NGFW solution.

        How has it helped my organization?

        Cisco ASA NGFW running in "Firepower" mode - aka the actual NGFW mode was not "fully baked", so it didn't meet all our requirements to fit our network architecture. It requires a completely different language than ASA and we found it to be difficult compared to other top firewall vendor offerings.

        What is most valuable?

        Integration with all the other Cisco tools is valuable. However, we've moved away from all Cisco security tools since this evaluation. Firewall choice was key to what direction we went and we found not only was the competing firewall solution superior, but their endpoint protection solution was as well.

        What needs improvement?

        The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground up.

        For how long have I used the solution?

        Trial/evaluation only.

        What do I think about the stability of the solution?

        With regards to stability, we had a critical bug come out during our evaluation.

        What do I think about the scalability of the solution?

        It should be well scalable. However, we didn't see a good centralized management/monitoring system like the one that Palo Alto has.

        How are customer service and technical support?

        Customer support was decent, although we definitely don't feel like you get the value of the mandatory support/maintenance fees.

        Which solution did I use previously and why did I switch?

        We used Fortinet FortiGate, but as an early gen "NGFW" it was outdated. We have issues we don't believe would be resolved with their latest offering, so we didn't even evaluate it.

        How was the initial setup?

        We found the initial setup much more difficult to do even simple things, like setting up VPN tunnels.

        What about the implementation team?

        Our in-house team tested and evaluated the solution.

        What's my experience with pricing, setup cost, and licensing?

        Watch out for hidden licensing and incredibly high annual maintenance costs. We bought much beefier Palo Altos for a less expensive one-time and annual cost.

        Which other solutions did I evaluate?

        Palo Alto Networks NGFW Firewall was compared in-house using the same configuration and testing, and it won hands-down.

        What other advice do I have?

        Watch out for the marketing hype vs objective reality. Do the advertised features actually work correctly/effectively?

        We chose a different solution after performing in-house testing.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        it_user1070472 - PeerSpot reviewer
        Information Security Manager at Tactical Air Support
        Real User
        Easy to use and has helped to secure our Internet Edge

        What is our primary use case?

        Our primary use case for this solution is to protect the Internet Edge, and our VPN (Virtual Private Network).

        How has it helped my organization?

        We moved from a Legacy firewall to the ASA with Firepower, increasing our internet Edge defense dramatically.

        What is most valuable?

        The most valuable features for us are Firepower and the VPN concentration. These are easy to use and have good insights.

        What needs improvement?

        The product would be improved if the GUI could be brought into the 21st Century.

        For how long have I used the solution?

        One to three years.
        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Mbaunguraije Tjikuzu - PeerSpot reviewer
        Information Security Administrator at Bank of Namibia
        Real User
        Valuable Firewall Capabilities Recommended for Filtering and Intrusion Prevention
        Pros and Cons
        • "Cisco ASA NGFW significantly improves our bank. It protects any high-value products that we use from hackers, viruses, malware, and script-bots. It gives us metrics on network traffic as well as what kind of attacks we are getting from the outside."
        • "Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer."

        What is our primary use case?

        We are using the Cisco ASA NGFW as a next-generation firewall. We are using the 5516-X version. Our primary use case of this is as an X firewall for external connections.

        How has it helped my organization?

        Cisco ASA NGFW significantly improves our bank. It protects any high-value products that we use from hackers, viruses, malware, and script-bots. It gives us metrics on network traffic as well as what kind of attacks we are getting from the outside.

        What is most valuable?

        The most valuable features are the firewall capabilities, filtering, and intrusion prevention. 

        I respect the capability of the Cisco firewall. We fully use it all as a complete firewall solution. Cisco also has excellent anti-malware detection and other similar features.

        What needs improvement?

        Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.

        For how long have I used the solution?

        More than five years.

        What do I think about the stability of the solution?

        Stability is excellent.

        What do I think about the scalability of the solution?

        It can easily scale. If you want, you can scale it to a lot of traffic. It's an X file, so all of our users are going through it.

        We only require one administrator for the solution. For deployment and maintenance, it depends on how many developers you have. We require two dedicated staff at a minimum. 

        Naturally, we employ both security technicians and administrators. Cisco ASA NGFW is being used at all our branches, and we'll continue using it in the future.

        How are customer service and technical support?

        The technical support from Cisco is excellent.

        Which solution did I use previously and why did I switch?

        We have only been using Cisco solutions.

        How was the initial setup?

        The initial setup of the Cisco ASA NGFW is not easy, but at the same time also it is not complex. It's somewhere in the middle. It took about 4 weeks, then it was activated.

        What about the implementation team?

        We used a reseller consultant for the deployment.

        What's my experience with pricing, setup cost, and licensing?

        Our licensing costs for this solution are on a yearly basis. Just for the firewall, it's about $1.5 million USD.

        Which other solutions did I evaluate?

        We evaluated Palo Alto Networks, Fortinet FortiGate, and Check Point products.

        What other advice do I have?

        For the Cisco ASA NGFW, it is a bit more expensive than other products, but their method is a lot more stable in my experience. It has all the features that you would need in a next-generation firewall. They are always developing new features and introducing them.

        I don't have anything that I'm currently missing with Cisco. On a scale from one to ten, I would rate the product at eight.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Al Faruq Ibna Nazim - PeerSpot reviewer
        Head of Technology at Computer Services Ltd.
        MSP
        Enables us to monitor and confirm all of the traffic coming in or going out of our network
        Pros and Cons
        • "Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching."
        • "One feature lacking is superior anti-virus protection, which must be added."

        What is our primary use case?

        Cisco has a new general firewall: the Firepower NGFW. If you take a look at the Cisco Firepower product line, they have three models available:

        1. A low-scale model: the 2000 series
        2. A high-end model: the 4000 series
        3. The carrier-grade model: the 9000 series

        We have already used the 4000 and 2000 series over here. We've been using this solution in Bangladesh for some customers over the last eight months. 

        We've been using FPR 2110, 2120, 2130, & 2140. We also employ the FPR 4130 and 4140. We have been using this equipment on our last few projects. We used it as a transfer and for firewalling. The most recent one we are using for firewall support as well.

        How has it helped my organization?

        I have a two-part business. First, we provide solution services as a vendor for multiple customers working as a consulting firm. I'm providing multiple customers with support on-premises for Cisco products right now.

        We are not able to use these products internally in our company. The second part of the business is my status or core business which is basically operating as a software solution provider.

        I have personally engineered these Cisco firewall solutions for clients. When we implemented it, it was easy. We have to maintain high-end abilities in order to ensure the availability of high-end support for the clients. I generally have to look at everything. Later on, we were able to upgrade the Cisco Firepower NGFW easily. We were able to connect from the beginning to implement the complete number of files in the system. 

        What is most valuable?

        Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching.

        I would say the Cisco Firepower NGFW actually gives superior intelligent behavior to transfer its active/passive infrastructure. Overall, Cisco Firepower NGFW has been a good power element in our systems due to its central location.

        What needs improvement?

        I would say when Cisco is selling something called a firewall, they put a lot of services together to make a single box solution. When a company develops a firewall, they need to develop certain features like intrusion control and offer it pre-loaded in the product. 

        On the mix of projects that I am responsible for, I feel comfortable using the Cisco firewall for management. One feature lacking is superior anti-virus protection, which must be added.

        I have to say I am very proud of the Cisco Firepower 41400 as it can give you multiple layers of four-degree connectivity in operations. 

        We do not use the Cisco 9000, but even the lower level firewalls are pretty expensive, considering the features and software included.

        In summary, we would like Cisco to provide more features inside regarding network trafficking forecasting. Ideally, the belief is that this would add an immediate resolution.

        For how long have I used the solution?

        Less than one year.

        What do I think about the stability of the solution?

        So far we haven't encountered any stability problems. You should have a lot of patches to apply to update the firmware. You can understand the firewall in less than a week.

        We had some fraud introduced with our last box when Cisco produced an upgrade. The updated policy agreement was based on the wrong purchase date information. 

        The faster integration that is available in our region is pretty smooth for the Cisco firewall right now. I haven't found that much of a limitation to any service. 

        I used to have a lot of issues with firewall support. Now, I keep a good state of mind with Cisco. I can expect my capabilities going out of range eventually if we don't upgrade. 

        Cisco has its own cloud platform. I am able to see a single dashboard with all of my firewall activities and network performance under diagnostics, which is really helping us out.

        What do I think about the scalability of the solution?

        I would put the Cisco Firepower NGFW firewall into Transport mode, as you can do with most firewall systems for scalability. We used to have about 60% of our users on hold during six-week events. We still have certain problems without a firewall, but these days with the Cisco Firepower, we have over 80% of the load working.

        As the customer integrator for enterprise contracts, we've been able to introduce Cisco Firepower to around 10 of our new customers in Bangladesh. At least 50 of the previous Cisco customers are still using the firewall solution right now under our support.

        These are enterprise customers who require Cisco firewall support. We used to have a specialty in that which is really like the holy grail in rocket science. It used to be like that but now with Cisco's enterprise user base, we offer operational system support to reduce complexity a lot. It's really easy. It's not like you have to be a specialist.

        How are customer service and technical support?

        In Bangladesh, we had a little issue with Cisco technical support. We run our own sidebar operations, so I am not so satisfied with Cisco customer support. 

        Cisco Firepower devices have created a lot of differences with due dates over our service contract. Consequently, we don't really bother anymore with Cisco technical support. Bangladesh has a really good tech scene. That is the reason we are not that concerned about Cisco product support anymore. It's okay. We handle it on our own.

        Which solution did I use previously and why did I switch?

        We previously used Cisco ASA as a firewall.

        How was the initial setup?

        The setup with the Cisco Firepower NGFW is very easy. I have used other networking and firewall equipment previously, including Juniper. I've implemented other solutions and those were really tricky compared to Cisco.

        The Cisco firewall system has eliminated all our network setup problems. Earlier when we used other products for firewalls, it was very complex to set up. Cisco firewalls from the beginning have eliminated all of the difficult parts of the initial deployment. 

        All you have to do is pull your management together and communicate to your team to follow the documentation provided by Cisco. Altogether, it is easy for our team to install the Cisco firewall products.

        What about the implementation team?

        I did the installation myself and it took 48-50 hours, approximately, in the Transfer mode. We had a further two-hour window of augmenting and transforming the data. We were able to do that successfully. Eventually, we were able to transform the entire network setup.

        What's my experience with pricing, setup cost, and licensing?

        The license in my country is available to subscribe for three years or one year. We wanted to go with the solutions for embedding a two-year subscription, but this was not possible.

        The Cisco licensing agreement in Bangladesh is different than the one in India and in Dubai. It is not a problem, but if you want to subscribe to the yearly subscription, the original cost is really high. Also, if you go for an anti-virus, you pay for an additional yearly subscription. 

        When we push customers to implement Cisco solutions, they can manage the subscription cost of Cisco internally to access these important solutions long term. Our clients have been able to secure surprisingly efficient service with the Cisco Firepower NGFW firewall solution.

        Which other solutions did I evaluate?

        This fall, we evaluated firewall equipment from Juniper Networks. This is a limitation for Cisco, as their pricing is too high. The fact is when I need to install and manage an enterprise network, Cisco has the capability of having support for the IC Treadway standards. Furthermore, I can actually manage my entire enterprise network in one dashboard. 

        If I bring in tech from the outside, like Palo Alto Networks equipment, that won't be able to integrate with my regular Cisco environment. 

        With Cisco devices, it was easier for me to grab the assets required on the network for installation. With other solutions providers, good luck managing that with any ease.

        What other advice do I have?

        In my opinion, I would rather ask everyone to have a simple network. If you need multiple networking lines, like for the Cisco ASA or the Firepower NGFW, make sure you have ample tech support. 

        There are many issues with connectivity in firewall systems, but Cisco quality is good. The connectivity of your network can really reduce your complexity over firewalls. 

        I would suggest if you want to configure a complicated network scenario, go for a next-generation firewall. I would also suggest making your firewall options go to Cisco as they have some influential products right now. 

        Once you are pushing the Cisco firewall, you'll be able to actually monitor and confirm each and every traffic coming in or going out of your network. 

        Palo Alto Networks or Juniper Networks firewalls are ideal, slightly better than Cisco. They are not as easy as Cisco to use right now, but considering the cost and everything else, Juniper Networks equipment is really good. 

        The fact is you need to consider just what you're achieving when you put in Cisco firewalls and implement Cisco routers.  For those on the verge of a new purchase, I would say that going for an expired model of firewall is definitely a good buy.

        I would rate the Cisco Firepower NGFW with an eight out of ten points.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Beka Gurushidze - PeerSpot reviewer
        System Administrator at ISET
        Real User
        Robust cyber-security features protect server infrastructure
        Pros and Cons
        • "Right now, Cisco ASA NGFW has given us a lot of improvement. We are planning to move to a new facility and will be a much larger organization."
        • "There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products."

        What is our primary use case?

        I have been using the Cisco ASA NGFW for about four months. Everything works fine right now. We have only been using this device for a very short period of time. 

        • We have about 500 registered users and about 400-600 static users. 
        • For 400 to 600 users with wireless devices, we use Cisco ASA NGFW to control device traffic. We're using the new web filters. 
        • We use Cisco ASA NGFW as the bit application.

        Thus far, we are using it as a web filter to filter the data against incoming traffic. We are an educational organization, so there is no gambling allowed. We don't want to allow students access to gambling sites or adult sites, etc. We use lots of web filters. That's the primary reason I installed the Cisco firewall. 

        We are also happy with the Cisco ASA NGFW router firewall. It protects your small server infrastructure, but it's not complete. We purchased the Cisco ASA NGFW for the web filter. That's why we moved to the firewall.

        How has it helped my organization?

        Right now, Cisco ASA NGFW has given us a lot of improvement. We are planning to move to a new facility and will be a much larger organization. 

        We have an opportunity to grow now. The Cisco ASA NGFW firewall can be upgraded to another version, so it's better for us long term. It is much better because we can control the traffic that students are accessing and downloading. There are still a lot of improvements that can be done. 

        What is most valuable?

        For organization security, Cisco ASA NGFW has robust cyber-security features. We are planning to increase the number of firewalls installed, especially for wireless connections.

        What needs improvement?

        We installed a Cisco path a month ago. There was a new update for the Cisco firewall and there were security issues.

        We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco. 

        I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense.

        There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products. 

        Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall.

        The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.

        For how long have I used the solution?

        Less than one year.

        What do I think about the stability of the solution?

        For our users, there are rules for the students and staff have another RF for authorization. There are small file servers also within the domain controller. 

        There is no special restriction for the students. They can print. They can visit outside websites online, but there is no gambling allowed at other sites. The students can access whatever they want over email or HTTP. Only the gambling and the betting sites, they cannot install the software. There are restrictions.

        The students can use their own mobile phones or wireless devices, whatever they want. They are using the shared public key authorization. Our institution doesn't have any restrictions about accessing legal data. Except in Georgia, we have a very big problem with gambling websites. There are a lot of gambling websites, so we are trying to restrict all of the gambling sites at our company. We have a contract for the next year. 

        What do I think about the scalability of the solution?

        We are growing. In the next two years, we will have an additional 600 users, so we will double the capacity. We will see even more in the next three years. 

        It will be like very tough. In about five-year cycles, you need to update the firewall and add other new Cisco devices for the next generation of innovation.

        In five years, we will be ready for a complete upgrade cycle for everything. The stability and scalability of the Cisco ASA NGFW are good for when we need to grow. 

        For the next five years, everything is fine. After that, we will see because there will be a lot of changes.

        How are customer service and technical support?

        Technical support with Cisco is very good. We feel the company is very reliable and very competent. I have very good feelings about the future for project operations.

        Which solution did I use previously and why did I switch?

        We had the old version of the Kerio firewall, but because in our country, there is no official dealer for Kerio, we moved to the Cisco ASA NGFW. This is the main reason why we moved to the Cisco firewall.

        How was the initial setup?

        We announced the tender and bought this product with the installation plus setup included in the price. I was not involved in the installation or in the setup. 

        The company just asked a consultant to do it. The whole process, after we announced the tender, took about one to two weeks. The consultant company installed the software. They also helped us to optimize other parts of the network such as the routers and switches.

        The setup of the Cisco ASA NGFW was complex, not only for us as a firewall. We have now submitted another tender for a device router with two-node switchless support. We updated almost everything on the Cisco ASA NGFW with the core and distribution level software upgrades.

        What's my experience with pricing, setup cost, and licensing?

        We paid about $7,000 for the Cisco firewall, plus another small Cisco router and the lead switch. It was under the combined license. It's a final agreement.

        The Cisco license was not yearly. It was a yearly license for the firewall. For the router and switch, it was a lifetime license.

        Which other solutions did I evaluate?

        The other option we considered was Kerio. I tried to contact their office in Russia, but it is in the UK. I wanted to communicate with them because we cannot buy things without a warranty.

        We considered buying Kerio products with the warranty, but they said we needed to send the device to them to repair it. This meant it would take too much time to replace it. In Georgia, we need a local distributor, i.e. a local representative here who we can work with, so that's the problem.

        What other advice do I have?

        In Georgia, there is no problem using the Cisco firewall, because it's accessible. You cannot use other products, because they are not accessible. That's the whole problem.

        I would rate Cisco ASA NGFW an 8 out of 10.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Ahmed Nagm - PeerSpot reviewer
        IT Solution Consultant at PCS
        Reseller
        Offers Excellent Stability and Endpoint Protection
        Pros and Cons
        • "The feature that I found most valuable is the overall stability of the product."
        • "One of my main concerns, an area that could use improvement is in adjusting the need to buy a license to enable features."

        What is our primary use case?

        The primary use case for this solution is on the client side. PCS stands for Perfect Computer Systems. We are an integration company, we specialize in solution integration, bringing together component subsystems into a whole and ensuring that those subsystems function together.

        How has it helped my organization?

        Cisco ASA NGFW has improved our organization by providing more internet protection. Also, for the end user, it provides easy access from outside for users accessing the site.

        What is most valuable?

        The feature that I found the most valuable is the overall stability of the product. 

        What needs improvement?

        The two areas that need improvement are the URL filtering and content filtering features.

        These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.  

        For how long have I used the solution?

        More than five years.

        What do I think about the stability of the solution?

        My impression of the stability of this solution is that it's great, excellent! 

        What do I think about the scalability of the solution?

        As far as scalability, I haven't had any performance issues so far. There really isn't high utilization coming from the operations environment, so I don't need to upgrade the tier at the moment.

        How are customer service and technical support?

        I don't have much experience with technical support since contacting tech support incurs additional costs. I have been relying on my technical knowledge and experience so far.

        How was the initial setup?

        The initial setup was straightforward, though I find as we proceed we need an extra feature or two to enable all the functionalities and protection of the tool. It's an ongoing process. We have to be quick and agile to provide client support.

        What about the implementation team?

        We implemented through an in-house team. 

        What was our ROI?

        The stability is the greatest ROI for this solution. 

        What's my experience with pricing, setup cost, and licensing?

        My advice, since I have to pay for licensing each feature that I need to enable, like URL filtering, is to look at a pfSense. That is what we are doing because you have to pay for greater protection, a total solution can be very costly. We are looking at a pfSense, to bring down the total cost. The correct price point, in comparison to other platforms, is the main factor here.

        Which other solutions did I evaluate?

        During our initial decision-making process, we evaluated other options but the distinctions between all the options were quite minimal.

        What other advice do I have?

        I am satisfied with the current facility and the management environment of the Cisco ASA, it's great for me.

        I think that the cost would be the main factor when evaluating solutions since some of the companies or some of our clients ask about costs upfront. Once the client has made their initial request and inquired about any subsequent subsystem connectivity integration ideas, they always want to know how much everything will cost. The deciding factor is mainly based on the price point of the total user solution.

        Overall, the criteria that we consider when constructing an integration decision depends largely on the client company we are working with. We evaluate clients based according to their size, industry function, and the total budget that would be recommended for an effective solution.

        I would give this product a rating of 9 out of 10!

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Seang Haing - PeerSpot reviewer
        Team Leader Network Engineer at deam
        Real User
        Efficient at improving client operations and has excellent stability
        Pros and Cons
        • "The stability of Cisco ASA is excellent compared to other products on the market. Because of our customer experience as an integrator company, our clients never report any performance problems. We have a good performance reputation with Cisco ASA."
        • "Usually, the customers are satisfied, but I am going to recommend that all clients upgrade to FirePOWER management. I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility."

        What is our primary use case?

        We use Cisco ASA with Firepower. Currently, we have been implementing the solution for around four years. Our company has been around for a long time, more than ten years. We cover the solutions for Network Direct Turbo ATM at the moment, it's a lot of the security work.

        How has it helped my organization?

        Cisco ASA is best at the technical part of the business, related to our selling and management services. We have to improve the technical functionality of the product as part of making an efficient service for the customer. We need to improve the customer's technical experience with Cisco ASA & Firepower.

        What is most valuable?

        There are two main ways that using Cisco ASA & Firepower has improved our organization:

        1. Technical features
        2. Our Sales team

        What needs improvement?

        With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management.

        For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.

        For how long have I used the solution?

        Three to five years.

        What do I think about the stability of the solution?

        The stability of Cisco ASA is excellent compared to other products on the market. The performance is good. Compared to Fortinet on the watchband firewall, it is indispensable. Because of our customer experience as an integration company, our clients never report any performance problems. We have good performance from Cisco ASA.

        What do I think about the scalability of the solution?

        ASA is limited in terms of its scalability because of our customer environments. They are in the banking and microfinance sector. Our clients always want to move to the next generation firewall so they like FirePOWER. When we move clients to Firepower, they need to integrate with Sourcefire and move into more complicated management.

        We have the staff perform the migrations to Firepower. We redirected traffic with Sourcefire and also require the use of FMC by our management center with Firepower.

        How are customer service and technical support?

        I've been exploring the technical support for Cisco ASA. I haven't had any problems with it.

        How was the initial setup?

        The initial setup is straightforward. 

        What other advice do I have?

        I always encourage our existing customers to move to the Cisco ASA Firepower version, i.e. the next generation Firepower like 2100, 4000, or 9300.

        I would rate Cisco ASA an eight out of ten. An eight and not a ten because some of the features are limited and some are awful. We had to install other solutions for security and had to spend a lot on other hardware. Other vendors like Fortinet or Palo Alto Networks focus more on offering complete solutions.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Network & Security Administrator at Diamond Bank Plc
        Real User
        Enables us to track traffic in inbound and outbound patterns so we can set expectations for network traffic
        Pros and Cons
        • "I would say the Firepower module is most valuable. I'm trying more to transition to this kind of firewall. I had to study a little on Palo Alto Networks equipment. There is a lot I have to learn about the difference."
        • "The installation and integration of Cisco ASA with FirePOWER can be improved. The management with Fortigate is easier than Cisco ASA on FirePOWER. The management side of Cisco ASA can be improved so it can be more easily configured and used."

        What is our primary use case?

        I am a banker. I'm working in the bank and our equipment is mostly based on Cisco for the moment. We have some incoming projects to deploy from Fortigate to firewalls.

        Cisco ASA is something that I used when I was preparing for my CCNP exams. I've been using it on the incoming project that we want to do right now.

        It is easy to deploy Cisco ISP solution in the bank I'm working in, i.e. Cisco Identity Services Engine. We're already used Cisco ISSO. 

        I have three Cisco ASA modules:

        1. Security for perimeters
        2. Security for data centers
        3. Data center recovery

        I have been using Cisco ASA since I've been at the bank for more than two years now. The model is 5515X. I have two modules of 5515X and the third one is the old 55105. 

        My primary use of Cisco ASA is to take advantage of all the features. I use it to enforce security policy and also to take advantage of the Firepower module.

        I have a firewall module on my two instances of 5515X. On the Firepower side, I use all features on Firepower modules that are included in the AMP.

        How has it helped my organization?

        The biggest improvement has been in the internet features. We have been asked to prohibit internet access for all users except the bank services division and that is improved. 

        For AMP features, we use Cisco ASA to track traffic in inbound and outbound patterns, so we can set expectations for network traffic. I also used the exception for encrypted traffic. 

        One problem: Before installing encrypted traffic, I had to decrypt it first. Before setting it back, I encrypt it again. That's just the way Cisco ASA functions.

        What is most valuable?

        I would say the Firepower module is most valuable. I'm trying more to transition to this kind of firewall. I had to study a little of the Palo Alto Networks equipment. There is a lot I have to learn about the difference.

        Based on my certification, I had to do a lot of lab work, a lot of projects, a lot of technical work with Cisco ASA. Now, I'm moving to other vendors, like Palo Alto Networks and Fortinet so that I can empower my level of technical experience.

        • All my change requests are for Cisco ASA to work more on ease of management. 
        • All of the features of Cisco ASA are used by all of the other vendors on the market. 
        • The firewall solutions are all based on the same network equipment. 

        The difference is why each business chooses to use it and how they implement the architecture for their solution using Cisco ASA and Firepower features.

        What needs improvement?

        The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. 

        The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.

        For how long have I used the solution?

        One to three years.

        What do I think about the stability of the solution?

        The stability of the Cisco ASA platform is okay. I know that Palo Alto is the first rated one, followed by Fortinet.

        What do I think about the scalability of the solution?

        The scalability is based on module support. We have a stand-alone version. It is not 100% applicable to talk about scalability at this point. 

        There is another Cisco ASA module available that is more scalable than ours. For the module I have, the stand-alone, the scalability is not as good as on the higher model. 

        The 5585 model, allocated for data center security, can be facilitated into the switching spot or the working spot in our data center. We can recommend the scalability there. 

        For the module I have, I'm using it as a stand-alone. I don't think it is scalable too much at this point. 

        I'm using Cisco ASA in my organization to support about 150 staff. For maintenance, I do all of the work myself.

        How are customer service and technical support?

        I do everything if you need a Cisco ASA solution to be deployed for an infrastructure requirement. We are just a team of three. There is just me and my colleagues. 

        I'm in charge of all the infrastructure system, including the network and security infrastructure. On all tasks related to the system security and network infrastructure, I'm in charge of it.

        I had to work with Cisco customer support two or three times, a long time ago. I had to work with them based on a problem with my call manager. We had a good ability to work together with Cisco customer support. It was normal. 

        They asked about the information on the installation. I had to upload it to them. They took that and came back to my problem with the results. I had a good experience with them.

        Which solution did I use previously and why did I switch?

        I didn't use a different solution in my bank, but on some other enterprise jobs, I used some unique firewall solutions. 

        Since I have been at the bank, only Cisco ASA has been deployed. We just added two new modules. In the bank, we only use Cisco ASA solutions.

        How was the initial setup?

        I will say Cisco ASA has a complex setup just based on the security policy we have to enforce (asked by the chief, the CIO). For me, it's not complex. 

        Cisco ASA is not difficult because I am in it for a year so it's easy for me to understand. I have no problem on the technical side. I always manage to do what I'm asked to do on security-side enforcement. I have no problem with that. It's normal for me. 

        It was 2 years ago that we were trying to deploy our facility equipment. We took advantage to deploy the Cisco ASA firewall (model 5515X). 

        For now, it's the only one. Since then, we're using it in an upcoming project. I will have to deploy some Fortigate and Cisco ISL as well.

        What about the implementation team?

        I don't have a technical problem implementing Cisco ASA. I am a double CCNP and I'm preparing for my CCIE. On the technical side, I don't need help.

        I had to work with external partners because they provide us with uptake equipment. They're available to follow up on the project with us. 

        We just had to make some tests to deploy some labs. However, when it comes to configuring Cisco ASA for production, I was alone. 

        On a security basis, we couldn't let the partner know the details of our address space. This is prohibited within our organization by security policies. 

        I had to re-do everything from scratch. For this implementation of Cisco ASA & Firepower, I was alone.

        What's my experience with pricing, setup cost, and licensing?

        The licensing for Cisco ASA is on a yearly basis. We have to renew the Firepower module license. We are in the process of renewing this one. 

        I just made the demand. They have the management who is in charge asking about the price and payment terms on different offers.

        Which other solutions did I evaluate?

        We are just a branch bank. The decision is not made here and the branches just have to follow the central policy.

        What other advice do I have?

        Cisco ASA is a good solution. I never had a problem with it. I will say that I mostly recommend Fortinet because of their ease of management and Palo Alto Networks because of their reputation for business efficiency.

        I would rate Cisco ASA with an 8 out of 10 points.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Senior Executive Technical Support at AITSL
        Real User
        The product has saved us a lot of time, and once we deployed the solution, it worked
        Pros and Cons
        • "We have multiple secure internal networks linked with our plants. We are from an oil company, so we have multiple plant areas which need to have restricted network access. Therefore, we are using it for restricting access to the plant area."
        • "The initial setup was completely straightforward."
        • "Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems."
        • "We have to rely on Cisco ASDM to access the firewall interface. This needs improvement. Because we have a web-based interface, and it is a lot more user-friendly."

        What is our primary use case?

        Primarily, we are just using it as a firewall, mostly to protect our internal SQL network (our primary network). At the moment, we are not using Cisco Firepower for our services. We just use it as a firewall.

        How has it helped my organization?

        We have multiple secure internal networks linked with our plants. We are from an oil company, so we have multiple plant areas which need to have restricted network access. Therefore, we are using it for restricting access to the plant area, where they cannot directly connect onto the Internet.

        What needs improvement?

        It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement.

        Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems.

        It should have multiple features available in a single product, e.g., URL filtering and a replication firewall.

        For how long have I used the solution?

        More than five years.

        What do I think about the stability of the solution?

        It is very stable. We have routers entirely from Cisco, which are still working after ten years of deployment. I would rate the stability as a nine out of ten.

        We have two people maintaining it. It does not require intensive work. We have an expert in switching technology, and another person who is knowledgeable in routing and network security.

        What do I think about the scalability of the solution?

        The scalability is good.

        How are customer service and technical support?

        The technical support of Cisco is very good. Nowadays, you can get anything over the Internet. They provide help over the Internet. There is a very full forum, which is manually supported.

        How was the initial setup?

        The initial setup was completely straightforward. 

        However, we have to rely on Cisco ASDM to access the firewall interface. This needs improvement. Because we have a web-based interface, and it is a lot more user-friendly.

        Deployment takes two or three days. We are continuously deploying the solution to our plants over time.

        What about the implementation team?

        We do the deployment in-house.

        What was our ROI?

        ROI is part of the infrastructure costs. The product has saved us a lot of time, and once we deployed the solution, it worked.

        What's my experience with pricing, setup cost, and licensing?

        The cost is a big factor for us. This is why we are using it only in our restricted area. They are very much higher than their competitors in the market.

        I would rate the cost as a six or seven out of ten.

        Which other solutions did I evaluate?

        Nine or ten years ago, there were few options at the time.

        Currently, we are using Barracuda for our more general Internet access. We use Cisco for our more protected environment.

        What other advice do I have?

        I would recommend the product, but cost is a big factor. Some companies cannot afford expensive products, like Cisco and Palo Alto.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        CEO at Synergy IT
        Real User
        We can create a profile and can give access depending on the access level they need to be on
        Pros and Cons
        • "I like the user interface because the navigation is very easy, straightforward on your left side pane you have all the sites that you need to browse. Unlike any other firewalls, it's pretty straightforward."
        • "If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own."

        What is our primary use case?

        We use remote desktop services from our data center. We can clean the client and the remote desktop server and from there we can establish a VPN channel. 

        How has it helped my organization?

        We can create a profile and we can give them access depending on the access level they need to be on. All the way from level one to level 16. I just create the user and from the dropdown, I select what access level they need to be on and that's it. I don't need to go individually to each and every account and do the configuration.

        What is most valuable?

        I like the user interface because the navigation is very easy and straightforward. On the left side pane, you have all the sites that you need to browse. Unlike any other firewalls, it's pretty straightforward.

        What needs improvement?

        If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. 

        I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to log in to the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.

        For how long have I used the solution?

        Three to five years.

        What do I think about the stability of the solution?

        I would rate their stability a nine out of ten. It's pretty stable. I have never come across a situation where the firewall hangs and then I need to reboot it.

        What do I think about the scalability of the solution?

        Cisco is expensive and when you want to grow, it means you're going to need to spend some money but you can justify it.

        We have closer to 50 users on the firewall at the moment and do have plans to increase usage.

        Which solution did I use previously and why did I switch?

        We were previously using Sophos firewall but it had a lot of issues. 

        How was the initial setup?

        The initial setup is a little difficult compared to other firewalls but once you get it right, especially the assistant control list, it's fine. It's a little difficult compared to other firewalls. 

        The deployment took us about three days because we did some testing and we also did certain attacks and checked some hackers which is why it took some time. We wanted to make sure that it was at least 99.99% protected.

        What about the implementation team?

        We implemented through a UK company called Rackspace. 

        What's my experience with pricing, setup cost, and licensing?

        Licensing is expensive compared to other solutions. Especially in other regions because people are very careful when it comes to spending on IT infrastructure. My suggestion is, first test it, once you see how good it is you will definitely want to renew it. 

        What other advice do I have?

        I would advise someone considering this solution to just go for it. It's expensive but it's a robust solution. The only thing is that you have to convince your finance guy to go for it.

        I would rate it a nine out of ten. 

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Network Engineer at IT Security
        Real User
        Supports a secure environment and has easy administration
        Pros and Cons
        • "An eight because it's a good security solution. It's more mature than its competitors."
        • "The security features in the URL category need more improvement."

        What is our primary use case?

        Our primary use case is to support a security environment. It has performed well.

        How has it helped my organization?

        I am a security business consultant. I deploy this solution for our customers.

        What is most valuable?

        I like the easy administration.

        What needs improvement?

        It could use more of a system interface.

        The security features in the URL category need more improvement. 

        For how long have I used the solution?

        More than five years.

        What do I think about the stability of the solution?

        It performs very well. 

        What do I think about the scalability of the solution?

        Scalability is good. 

        How are customer service and technical support?

        Cisco has the best technical support. 

        Which solution did I use previously and why did I switch?

        I worked with Check Point, but Cisco Firepower is better. It was an easy transfer to this solution. We chose Cisco because of its trustworthy reputation. They're a big, recognized brand.  

        The most important criteria that we consider when evaluating a solution are performance, administration, and price.

        How was the initial setup?

        The initial setup was easy and simple. 

        What other advice do I have?

        I would rate this solution an eight out of ten. An eight because it's a good security solution. It's more mature than its competitors. 

        Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
        PeerSpot user
        Information Systems Manager at a non-profit with 1-10 employees
        Real User
        Traffic comes into the house and gets filtered in and out the Firepower interface
        Pros and Cons
        • "Because of the deeper inspection it provides we have better security and sections that allow users broader access."
        • "Cisco should redo their website so it's actually usable in a faster way."

        What is our primary use case?

        Our primary use case is for handling office traffic VPN tunnels and filtering the traffic. All the traffic comes into the house and gets filtered in and out the Firepower interface. It's performed well.

        How has it helped my organization?

        Because of the deeper inspection it provides we have better security and sections that allow users broader access.

        What is most valuable?

        With this solution, you can have an inspection of each package and see what threat level it's at. It has made the work more dynamic. We don't have to block as much as we had to in the old days.

        What needs improvement?

        They should develop a web interface that is actually useful. Currently, we still have an issue where you have to go in and do manual configuring by the command line if you want certain functions in it. This means that we need to find people at a higher technical level to be able to do changes in those things. It would be much easier if you had a more friendly user interface basis where you don't have to go in and do the command line off.

        They should be a little bit faster sometimes in updating their threat protection. Cisco should redo their website so it's actually usable in a faster way.

        For how long have I used the solution?

        More than five years.

        What do I think about the stability of the solution?

        Stability is fantastic. 

        What do I think about the scalability of the solution?

        We are a rather small firm so we don't have much growth leads but there is a wide range of firewalls that I can expand onto. We can also set up cluster solutions. It's rather indefinite in its expandable possibilities.

        How are customer service and technical support?

        I've only had to use their technical support once. Otherwise, I haven't had to use them.

        Which solution did I use previously and why did I switch?

        We were using SonicWall before.

        How was the initial setup?

        The initial setup is very complex but once it's done, it's fantastic. 

        What other advice do I have?

        I would rate it a nine out of ten. Not a ten because of the horrible initial setup and because you can't handle all operations from one interface. You have to go back into the command line to even be able to type program language, even though you have a graphic user interface for it but it doesn't work properly.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Network Engineer at a media company with 51-200 employees
        Real User
        It creates a secure tunnel for our network. It is very scalable.

        What is our primary use case?

        It helps the firewall in our network and the VPN (Virtual Private Network). It creates a secure tunnel for our network.

        What is most valuable?

        The IPS (In-plane switching) is the most valuable feature. This enables visibility to our networks and to outside attacks. It is a solution to maintain the visibility.

        What needs improvement?

        At times the product is sluggish and slow. Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is.

        For how long have I used the solution?

        Less than one year.

        What do I think about the stability of the solution?

        It is a very stable solution. 

        What do I think about the scalability of the solution?

        It is a scalable product. We have a lot of demand, but it supports any additional network that we add. It expands easily.

        How are customer service and technical support?

        Normally the Cisco tech support team are good. But, we have had some problems with tech support with this product. Some of the tech support team are really not familiar with how the IPS works. And, there is some disconnect between the tech support. Maybe they're not trained well. They're helpful, but not knowledgeable.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Cristian Serban - PeerSpot reviewer
        Network Engineer at a financial services firm with 5,001-10,000 employees
        Real User
        Helps us to manage the security policies in different areas of our network
        Pros and Cons
        • "I haven't had any major problems so I haven't had to open a ticket with technical support."
        • "In the past though, colleagues have had issues during the upgrade process. The failover didn't work and production was down."

        What is our primary use case?

        We use it on several layers of our network like in the border, internet edge, DMZ, some extranet parts of our network, and in the data center.

        How has it helped my organization?

        It's a reliable solution and a stable firewall. It helps us to manage the security policies in different areas of our network. 

        What is most valuable?

        We use ASA as a simple, scalable firewall. Its main advantage is the stability. We use it as an active standby and as a failover solution. We depend on this solution; we've used it for several years.

        What needs improvement?

        • Interaction with the equipment
        • Different interface with the product 
        • A more simple procedure in delivering policies to the equipment  
        • Simplified upgrade procedure
        • Tracking flows
        • Monitoring and logs should be easier.

        What do I think about the stability of the solution?

        It's quite stable. In the past though, colleagues have had issues during the upgrade process. The failover didn't work and production was down. 

        What do I think about the scalability of the solution?

        It's not so scalable.

        How are customer service and technical support?

        I haven't had any major problems so I haven't had to open a ticket with technical support. 

        How was the initial setup?

        The initial setup was not so complex. Most of it was straightforward. We just needed to discuss different scenarios that we had to consider regarding the deployment scenario, what could go wrong and what could happen in the future. 

        What about the implementation team?

        We used Telekom Romania for the deployment. We did most of the job internally but they helped us to clarify some aspects regarding the architecture design.

        Which other solutions did I evaluate?

        We also considered Check Point. We chose Cisco because of its capabilities. We didn't need something so complex for this solution, just a straightforward firewall. It met our requirements. 

        What other advice do I have?

        I would rate it a nine out of ten. 

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Mahmoud Ashoub - PeerSpot reviewer
        Team Leader, Information Risk Engineer at National Bank of Egypt
        Real User
        Data protection is a big benefit we see but some of their features need to be improved
        Pros and Cons
        • "Its ability to discover attacks is a valuable feature. All of the other features that have to do with security are good."
        • "Some of the features, like the stability, need to be improved."

        What is our primary use case?

        Our primary use case is for security. We are a bank in India and the data is very important for us. We use ASA for our security and protection.

        How has it helped my organization?

        Data protection is a big benefit we see from this solution. It protects our customers, our customer's accounts, and money, as we are one of the biggest banks in Egypt and the Middle East.

        What is most valuable?

        Its ability to discover attacks is a valuable feature. All of the other features that have to do with security are good.

        What needs improvement?

        Some of the features, like the stability, need to be improved. 

        For how long have I used the solution?

        More than five years.

        What do I think about the scalability of the solution?

        The scalability is good. 

        How are customer service and technical support?

        Their support is good and helpful but sometimes it takes them a while to respond. We have been stuck in critical situations so we opened a critical ticket but it took them a while to respond. 

        How was the initial setup?

        The initial setup is easy. If we have an issue we contact their support. 

        What about the implementation team?

        We implemented ourselves. 

        What other advice do I have?

        I would rate it a seven out of ten. I would recommend this solution to a colleague. No product will give you 100% of what you're looking for but this solution is close. 

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Data Center Architect at Fronius International
        Real User
        Has the full package that we're looking for but the features aren't stable enough for us to use
        Pros and Cons
        • "We chose Cisco because it had the full package that we were looking for."
        • "The stability and the product features have to really be worked on."

        What is our primary use case?

        Our primary use case of this solution is for firewalling. 

        How has it helped my organization?

        We have been using Cisco for a long time, and we use Firepower to replace other systems. It hasn't really been an improvement, but there are many features we want to use in the future. We haven't seen much improvement because we only installed it a short while ago. 

        What is most valuable?

        It has many features but not all of them work. The features aren't stable enough for us to use them. The most valuable features are the firewalling and the deep inspection. 

        What needs improvement?

        The stability and the product features have to really be worked on.

        For how long have I used the solution?

        One to three years.

        What do I think about the stability of the solution?

        The stability is getting better but we had some firmware issues. 

        What do I think about the scalability of the solution?

        The scalability is good. We have scaled it but at a normal gross so it's not very high. We have designed it for our use case and we have the option to scale but we don't use it at the moment.

        Which solution did I use previously and why did I switch?

        We chose Cisco because it had the full package that we were looking for. 

        How was the initial setup?

        The initial setup was of normal complexity. It's not straightforward, and because we started so early, the migration tools were not so good at the beginning.

        What about the implementation team?

        We implemented through our partner and had a good experience with them. 

        What other advice do I have?

        Customers should take note that the migration steps are not easy. The tools cannot solve all configurations and handle all configurations directly, so you will have to do some coding by yourself. The solution is not complete at the moment but it will get better.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Chief Information Officer at Finance Corporation Limited
        Real User
        We're assured that all updates, all patches, and all fixes are done instantaneously
        Pros and Cons
        • "The greatest benefit for the organization is the confidence that we are secured."
        • "There may have been one or two incidences of malicious threats."

        What is our primary use case?

        We mainly use this solution for our firewall and it's one layer of our security. From the time that we've used it, the organization as a whole got a sense of security because Cisco is a known product. When we do need support locally or online, we get it instantaneously. We use this solution for a couple of things: for security, for their technical support, and in terms of the knowledge and skills of the team here that gave us a good grip and confidence in the use of the product.

        How has it helped my organization?

        It gives the organization a higher vote of confidence. When I joined the organization more than six years ago, we were using the old Cisco, and some of the products had already reached their end of life. Some of the products were not in their latest state, in terms of security or license. We've learned a very good lesson there. Since then, when we upgraded we made sure that all the licenses and all the security facets are in place. It gives the organization a higher vote of confidence. There may have been one or two incidences of malicious threats, but it did not really bring down the organization to a level that we would all be sorry for. The greatest benefit for the organization is the confidence that we are secured.

        What is most valuable?

        Cisco is known as a popular and trusted product. Because of its constant R&D, we're assured that all updates, all patches, all fixes are done instantaneously. As far as the feature is concerned, it gives us a certain layer of protection. As a CIO, my vote of confidence is in the product itself. After making sure that we always have all the updates on the licenses, we're assured that we're getting all the necessary security protection.

        What other advice do I have?

        I would rate this solution a nine out of ten. Not a ten because I'm reserving the one point for whatever new surprises they are going to provide.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        Ali Abdo - PeerSpot reviewer
        Technical Manager at a comms service provider with 1,001-5,000 employees
        Real User
        Gives more visibility into what's going on when traffic comes in and goes out from the company
        Pros and Cons
        • "Stability is perfect. I haven't had any problems."
        • "I would like for them to develop better i