We provide IT solutions. We provide solutions to our customers based on their requirements. We support them from the beginning and do the installation and configuration in the head office and front office.
We installed Cisco ASA to support a customer in a WAN environment. They used it for site-to-site VPN and remote VPN. They used it for accessing remote office locations via the remote VPN feature. They had Cisco ASA 5500.
It made our customer's network more secure. They also have customers outside the office, and they are able to use the remote VPN feature to log in securely.
The high-availability and remote VPN features are most valuable.
It is easy to configure. It has a GUI and a CLI.
It doesn't have Layer 7 security.
I used this solution for maybe a year.
It is stable.
It is scalable.
For any issues, we contact the local support. They are very easy to deal with.
I have also worked with Fortigate.
It was easy to configure. The site-to-site VPN configuration didn't take too much time. It was complete in three to four hours.
Its price is moderate. It is not too expensive.
I would rate Cisco ASA Firewall a nine out of 10.
We were using ASA 5585 without firepower. We were using it just as a stateful firewall. We also had an IPS module on it. So, we were also using it for network segmentation and network address translations for hosting some of the services or giving access to the internet for our end users.
Initially, it was good. At the time we bought it, usually, IPS was in a different solution, and the firewall was in a different solution. You had to kind of correlate between the events to find the attacks or unwanted behavior in the network, but it had everything in a kind of single platform. So, the integration was great.
Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. Cisco ASA was able to handle a lot of traffic or concurrent connections at that time. We had almost 5 million per week. We didn't have to worry about it not having enough memory and stuff like that. It was a powerful machine.
The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java.
High throughput, high concurrent connections, easy site-to-site VPN were also valuable. It also had the capability to do double network translations, which is really useful when you are integrating with other vendors for site-to-site VPN.
When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough.
One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.
We have been using it for around eight years.
Its stability is really great. It is very stable. We didn't have to worry about it. In the IT world, every time you go on holiday, you think that something might break down, but that was not the case with Cisco ASA.
Initially, we had just a single firewall, and then we moved to high availability. Even when it was just one hardware without high availability, we didn't have any problems. Apart from the planned maintenance, we never had any downtime.
We feel we didn't even try to make it scalable. We had 30,000 end users.
We haven't interacted a lot with them because we have our own network department. We were just handling all the problem-solving. So, there were only a couple of cases. Initially, when one of the first devices came, we had some problems with RAM. So, we opened the ticket. It took a bit of time, and then they changed it. I would rate them an eight out of 10.
Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. We had some really old D-link firewalls. They were not enterprise-level firewalls.
After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. They didn't provide us with the new license. Therefore, we decided to move to Palo Alto. The procurement process is taking time, and we are waiting for them to arrive.
It was straightforward. Cisco is still leading in the network area. So, there are lots of resources where you can find information. There are community forums and Cisco forums, where you can find answers to any questions. You don't even have to ask. You can just Google, and you will find the solution. Apart from that, Cisco provides a lot of certification that helps our main engineers in learning how to use it. So, the availability of their resources was great, and we just followed their best-case scenarios. We could easily configure it.
The deployment took around two or three weeks because we had different firewalls. We had a couple of them, and we migrated all to Cisco. We also had around 30,000 rules. So, the data input part took a lot of time, but the initial installation and the initial configuration were done in a matter of days.
It took us one week to set up the management plane. It had different ports for management and for the data. After finishing with the management part, we slowly moved segments to Cisco. We consolidated the rules from other firewalls for one zone. After Cisco verified that it was okay, we then moved on to the next segment.
We did it ourselves. We had about five network admins for deployment and maintenance.
We definitely got a return on investment with Cisco ASA. We have been using it for eight years, which is a long time for IT. We only had one capital expenditure. Apart from that, there were no other costs or unexpected failures. It supported us for a long time.
When we bought it, it was really expensive. I'm not aware of the current pricing.
We had problems with licensing. After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. So, they didn't provide us with the new license.
I am not sure about it because back then, I was just an engineer. I didn't have decision-making authority, so I wasn't involved with it.
We recently have done pilots with Check Point and FortiGate for a couple of months. They were next-generation firewalls. So, they had much more capability than ASA, but because of being a pilot, we didn't get full-scale throughput like big enterprise-level firewalls. The throughput was not enough, and their memory cache was always filling up. They were smaller models, but both of them had the features that ASA was lacking. Traffic shaping in ASA is not as good, but these two had good traffic shaping.
I wouldn't recommend this solution because it is already considered to be a legacy firewall.
I would rate Cisco ASA Firewall a strong eight out of 10. It is powerful, but it lacks some of the capabilities.
We are using it as a firewall for our data center and headquarter. We are also using it for DR. We are using Cisco ASA 5500 Series.
It is a security device, and it is useful for securing our environment. It provides role-based access and other features and helps us in easily securing our environment.
It provides visibility. It has been helpful for packet inspection and logging activities for all kinds of packets, such as routing packets, denied packets, and permitted packets. All these activities are visible on Cisco ASA. There are different commands for logging and visibility.
We use Cisco ASA for the integration of the network. Our company is a financial company, and we are integrating different organizations and banks by using Cisco ASA. We are using role-based access. Any integration, any access, or any configuration is role-based.
The remote access, VPN, and ACL features are valuable. We are using role-based access for individuals.
IPS is also valuable for intrusion detection and prevention. It is a paid module that can be added. I'm using it for security, VLAN management, segregation management, and so on.
It is easy to use. In our region and our country, Cisco is well known, and most of the companies are using Cisco products. We have been using Cisco devices for a while, and our company primarily has Cisco devices. So, we are familiar with it, which makes it very easy to use for us. Even when we compare it with other products, it is easier to use.
It is easy for us to manage it because it is a familiar product, and it has been a part of our environment. Now, other products are providing free training, free access, and free license, because of which things are changing. So, you can easily become familiar with other products.
Its licensing cost and payment model can be improved. Cisco doesn't provide training and certification for engineers without payments. Other companies, such as Huawei, provide the training for free. Their subscription and licenses are also free and flexible. Other products are breaking the market by providing such features.
It doesn't support all standard interfaces. It is also not suitable for big companies with high bandwidth traffic. Its capacity should be improved.
Other products are becoming easier to access and configure. They are providing UI interfaces to configure, take backup, synchronize redundant machines, and so on. It is very easy to take backup and upgrade the images in those products. Cisco ASA should have such features. If one redundant machine is getting upgraded, the technology and support should be there to upgrade other redundant machines. In a single window, we should be able to do more in terms of backups, restores, and upgrades.
We have been using this solution for almost eight years.
It is stable. It needs to be configured based on the standards and functionality. We have one device that has been working for more than 10 years, which indicates it is stable, but it requires licenses to upgrade features.
It doesn't have an expansion card. So, it may not scalable for huge buildings. It also lacks a lot of standard interfaces. Other products are providing capacity for a data center. Other technologies are expanding their interface bandwidth from 10 gigs. In my opinion, Cisco ASA doesn't have this capability.
Their support is very good. We have a support license, so their support is very good. They are tracing us and following up with us to solve the problem on time.
Its setup is easy. We are familiar with Cisco ASA and other Cisco products, and they are easy to configure. A lot of resources are available on the internet, so it is easy to set up for anyone with basic training. It is easy in different types of environments, such as universities and colleges.
It generally doesn't take more than a day, but it also depends on the size of the organization. If an organization is very big and if you need a line-by-line configuration for access role and VPN, it can take a bit more time.
Cisco is constantly upgrading and providing features based on current requests. We usually plan deployments at the end of the year and at the beginning of the year. Everyone plans for new products, new configurations, and new expansions based on that.
Any security product provides a return on investment. Any gap in security may cost an organization more.
It is expensive. There is a cost for everything. There is per year license cost and support cost. There is also a cost for any training, any application, and any resource. Things are very costly to do with Cisco.
Other brands are cheaper. They are also more flexible in terms of training, subscription, and licensing. They give lots and lots of years free. They provide more than Cisco.
I would advise understanding its features, advantages, and disadvantages as compared to other solutions. It is simple, but its cost is a negative point.
I would rate Cisco ASA Firewall an eight out of 10.
I have used the Cisco ASA 5585-X Series hardware. The software was probably version 9. We implemented a cluster of two firewalls. In these firewalls, we had four virtual firewalls. One firewall was dedicated for Edge, near ISP, and one firewall was for the data center. One firewall was for the application dedicated to that company, and one firewall was dedicated only to that application.
Dynamic policies were useful in the data centers for our clients. They were making some changes to the networks and moving virtual machines from one site to another. With dynamic policies, we could do that easily.
We find all of its features very useful. Its main features are policies and access lists. We use both of them, and we also use routing.
It is very stable. It is a very good firewall for a company that doesn't want to look at packets higher than Layer 4.
The virtual firewalls don't work very well with Cisco AnyConnect.
There are two ways of managing it. You can manage it through the GUI-based software or command-line interface. I tried to use its GUI, but I couldn't understand it. It was hard for me. I know how to use the command line, so it was good for me. You should know how to use the command-line interface very well to make some changes to it. Its management through GUI is not easy.
It is very stable. It has been five years since I have configured them, and they have been up and running.
It is not much scalable. It is only a Layer 4 firewall. It doesn't provide deep packet inspection, and it can see packets only up to TCP Layer 4. It can't see the upper layer packets. So, it is not very scalable, but in its range, it is a very good one. What it does, it does very well.
I have not worked with Cisco support for this firewall.
It is not straightforward. You should know what to do, and it needs to be done from the command line. So, you should know what to do and how to do it.
From what I remember, its deployment took a week or 10 days. When I was doing the deployment, that company was migrating from an old data center to a new one. We were doing configurations for the new data center. The main goal was that users shouldn't know, and they shouldn't lose connectivity to their old data center and the new one. So, it was a very complex case. That's why it took more time.
Our clients have seen an ROI because they paid only once, and they have been using their firewalls for five years. They didn't have to pay much for anything else.
I like its licensing because you buy the license once, and it is yours. We don't have to go for a subscription. So, I liked how they licensed Cisco ASA Firewall. Our clients are also very satisfied with its licensing model.
You cannot compare Cisco ASA Firewall with any of the new-generation firewalls because they are at a higher level than Cisco ASA Firewall. They are at a different level.
It is a very good firewall for small companies that don't want to do deep packet inspection at Layer 7. It is not easy, but you can manage it. You should know how to use the command-line interface. Otherwise, it would be difficult to work with it.
For Cisco ASA Firewall, there will be no improvements because they will not make these firewalls anymore. They want to make changes to the next-generation firewalls, and they are killing the old ones.
I would rate Cisco ASA Firewall a 10 out of 10. I like it very much.
They were placed in a company on the perimeter near the ISP. There were two clusters. One cluster was at the front, and one cluster was near the data center to filter the traffic from the users to the data center and from the data center to the users and outside.
Our clients were completely satisfied with this firewall in terms of protection from attacks, filtering of the traffic that they wanted, being able to see inside the zip files, etc.
I have experience with URL filtering, and it is very good for URL filtering. You can filter URLs based on the categories, and it does a good job. It can also do deep packet inspection.
Its IPS engine also works very fine. I don't have much experience with it because I am an IT integrator, and we only configured it, but the company for which we configured these firewalls used this feature, and they say that IPS works very fine. They were also very pleased with its reporting. They said that its reporting is better than other firewalls they have had.
When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance.
In terms of tracking users, the Palo Alto Networks firewall is better than Cisco Firepower.
It is very stable because it is based on the Cisco ASA Firewall hardware, which is an old-generation firewall. I have had Cisco ASA Firewall for more than 10 years, and they have been working fine till now. So, Cisco Firepower NGFW Firewall's performance and stability are the best. I have never seen any issues or heard from anyone that it is bad.
Its scalability is very good. It was a small implementation. Traffic was maximum of 150 megabits per second.
I haven't worked with Cisco support.
I have had experience with the Fortinet FortiGate firewall. It is very easy, and it does its job very well. Both Firepower and FortiGate do their job very well, but I like the Palo Alto Networks firewall the most. I have not experienced it in a real environment. I have placed it in my lab. It is a very complex firewall, and you need to know how to configure it, but it is the best firewall that I have seen in my life.
As compare to the Palo Alto Networks firewall, both Firepower and FortiGate are simpler. You can just learn which button to use and how to write rules, policies, etc. In Palo Alto, you can not guess this. You should know where each button is, how it works, and what it does. If you don't know, you cannot get the performance you want from Palo Alto. So, Firepower and FortiGate are easier to learn.
Firepower is very good for a small implementation. If you are doing a Cisco setup, you can place kind of 16 devices in one cluster. When it comes to the real environment, you need to have maybe three devices in one cluster. If two of them are in one data center and the third one is in another data center, the third firewall does not work very well when it comes to traffic flow because of the MAC address. When you want to implement Firepower in small infrastructures, it is very good, but in big infrastructures, you would have some problems with it. So, I won't use it in a large environment with five gigabits per second traffic. I will use the Palo Alto firewall for a large environment.
It is straightforward. For me, it is very simple. The menu is quite impressive. Everything that you want to do can be done from the web user interface. You don't need to access the CLI if you don't like it. It is very easy to make rules with its web user interface.
Its deployment took two days. In terms of the implementation strategy, the first cluster was in the data center, and its main job was to filter user traffic going to the data center. The second cluster was on the edge. Its main job was to mitigate attacks on the inside network and to capture the traffic that could have viruses, malicious activities, etc.
I deployed it myself, and it took me two days to deploy two clusters of Cisco Firepower NGFW Firewall.
I think our client did get an ROI. They are very satisfied with what they can do with these firewalls. It fits all of their needs.
Its price is in the middle range. Both Firepower and FortiGate are not cheap. Palo Alto and Check Point are the cheapest ones.
I don't remember any costs in addition to the standard licensing fees.
Our client didn't implement dynamic policies for dynamic environments because they were a small company, and they didn't need that kind of segmentation. I am not sure if it reduced their firewall operational costs because they were a small company, and the traffic was not so high.
I would rate Cisco Firepower NGFW Firewall an eight out of 10.
I can't put Cisco on the firewall when the security landscape has changed so much in the past five to ten years. We are doing a lot more in the next generation of firewalls. We had a legacy classic firewall before we went to Firepower, and we spent a lot less time on that firewall, but we are spending more time on the Firepower because we are utilizing a lot of the features that are available in Firepower that were not available in the previous firewall that we had. I'm not going to say that we're spending less time, but we're gaining more value.
Another benefit has been user integration. We try to integrate our policies so that we can create policies based on active users. We can create policies based on who is accessing a resource instead of just IP addresses and ports.
If I were to have been asked a few weeks ago, I would have said threat prevention was the most valuable feature, but the world is changing a lot, so my favorite features a few years ago might not be my favorite features today.
The visibility the solution gives when doing deep packet inspection can be complex. I really like the visibility, but it's not always intuitive to use. I also help other customers. We are a contracting company that implements their solutions, and I've found that it's not always easy to get everyone to utilize some of the visibility features. But for me personally, I think they're very valuable.
The ease of use when it comes to managing Cisco Firepower has a lot of room for improvement. When monitoring a large set of firewall policies, the user interface could be lighter. It's sometimes heavy in use, and there could be improvements there. I know they're trying to make improvements.
It's mainly the UI and the management parts that need improvement. The most impactful feature when you're using it is the user interface and the user experience.
We were an early adopter when Firepower first came out. I've been using Cisco firewalls for the last two decades.
For newer hardware models, the stability is good. We've tried to run Firepower on some of the legacy-supported hardware as well, but with the stability issues, they are not as good. If I were to judge based on the hardware that I have, I'd say it's good. I haven't had any issues with the stability on my platform.
We just recently enabled Snort 3 so I'm evaluating the functionality. That's what we've considered, but we haven't done any performance testing. Our company would qualify as a small to medium business company. The average office environment is about 100 to 200 people. Performance-wise, my company is about 120 people.
Scalability is really not relevant. I know there are features that address some of those parts, like clustering and stuff, but that's really not applicable in my use cases.
The support is eight to nine out of ten. You can't blame them for any faults of the prototypes, but the support has been really good and really helpful when we had any issues.
I have hands-on experience in both Fortinet and Palo Alto. So if I were to compare this to Palo Alto, for example, I would say that the user interface in Palo Alto is a lot better. But the reason that I'm working with Firepower is that we have a Cisco network as well, and Cisco ISE. We're trying to integrate different Cisco solutions. We're trying to utilize the ecosystem benefits where I can connect my Cisco Firepower to ISE and have it talk to the App Cloud. There's a benefit of utilizing Cisco Firepower in conjunction with our other Cisco solutions.
Ease of management is similar with Cisco and Fortinet, I would say similar, but it's easier in Palo Alto.
I recently deployed a similar solution at a customer's premises, and that setup was straightforward.
The steps are fairly documented and the documentation and guides on Cisco are straightforward. You know what you're expected to configure, and it's easy to get up, running, and started. It takes some more time to check everything and get everything as you want to have it, but getting started and getting connectivity and starting to create policies was easy to do and didn't take a very long time.
It took two to four hours, including some upgrades.
My main advice would be to utilize all the guides and documentation available from Cisco publicly and not trying to implement it using legacy thinking. Don't try to just replace something else you have. If you have a next-gen firewall, you want to try to utilize what you're getting, and getting the most out of a firewall. There are some great guides and documentation on Cisco that explains what you can do and how you can do it.
I would rate it a seven out of ten.
We are using it for firewall and intrusion prevention.
I have deployed it into different environments: retail, commercial, law, real estate, and the public sector. Retail is the biggest environment that I have deployed this firewall into, with 43 different sensors and a range up to 10 GbE throughput.
I am using up to version 7.0 across the board as well as multiple models: 1000 Series or 2100 Series.
The integration of network and workload micro-segmentation help us provide unified segmentation policies across east-west and north-south traffic. It is important to have that visibility. If you can't detect it, then you can't protect it. That is the bottom line.
The solution has enabled us to implement dynamic policies for dynamic environments. These are important because they give us flexibility and more granular control of access.
It is usually a central gateway into an organization. Trying to keep it as secure as possible and have easy to use operability is always good. That way, you can manage the device.
The solution has very good visibility when doing deep packet inspection. It's great because I can get packet captures out of the device. Because if an intrusion fires, I can see the packet that it fired in. So, I can dive into it and look at what is going on, what fired it, or what caused it.
Cisco Secure Firewall is fine and works when it comes to integration of network and workload micro-segmentation.
The integration of network and workload micro-segmentation is very good when it comes to visibility in our environment. It is about how you set it up and the options that you set it up for, e.g., you can be as detailed as you like or not at all, which is good.
Its Snort 3 IPS has better flexibility as far as being able to write rules. This gives me better granularity.
It needs better patching and testing as well as less bugs. That would be nice.
I would like it to have faster deployment times. A typical deployment could take two to three minutes. Sometimes, it depends on the situation. It is better than it was in the past, but it could always use improvement.
I have been using it for seven years.
Stability has been good so far. It has been much better than in the past. In the past, there were times where there were known issues or bugs.
Scalability has been fine. I haven't had an issue with it. I just haven't had a need to deal with scalability yet.
I would rate Cisco's support for this solution as nine out of 10 for this solution. The support has been very good. We got the job done. Sometimes, why it wasn't perfect, the challenge was getting a hold of someone.
I have used this solution to replace different vendors, usually Cisco ASA that is reaching end of life.
The initial setup is straightforward for me at this point. That is just because of the experience that I have in dealing with it. for a new person, it would be a little bit more complex. They have gotten better with some of the wizards. However, if you are not familiar with it, then that makes it a little more challenging.
Depending on the situation, we will go through the typical setups. We know what we want to configure and sort of follow a template.
We have seen ROI with a better, more secure environment.
Cisco Secure Firewall has helped us to reduce our firewall operational costs. This is based on the fact that the newer models, where we have been replacing older models, have better throughput, capacity, and performance overall.
Pricing is the same as other competitors. It is comparable. The licensing has gotten better. It has been easier with Smart Licensing.
There are additional costs, but that depends on the feature sets that you get. However, that is the same with any firewall vendor at this point.
I have also worked with Check Point and Palo Alto. The support is much better with Cisco than Check Point. Check Point had a little bit better of a central management station. Whereas, Cisco with the FMC is a little different as far as there are still some features that are being added to the FMC, which is good. As far as Palo Alto goes, they are quite comparable as far as their functionality and feature sets. Cisco wins for me because it has Snort, which is a known standard for IPS, which is good. Also, Cisco has the Talos group, which is the largest group out there for security hunting.
Check Point was the easiest as far as user-friendliness and its GUI. After that, Cisco and Palo Alto would be kind of tied for ease of use.
Definitely do your research, e.g., how you want to set it up and how deep you want to go in with it. This will actually help you more. When we say Cisco Secure Firewall, is it Next-Generation, running ASA, or running Firepower? Or, does Meraki actually fit in there? So, there are different scales based on what you are trying to look for and how deep security-wise you want to go into it.
SecureX is a nice feature, but it has to be for the right environment. It is nice that we get it, but most people don't take advantage of it.
The dynamic policy capabilities can enable tight integration with Secure Workload at the application workload level, but I am not using much with Secure Workload at this point.
I would rate Cisco Secure Firewall as nine out of 10. I would not give it a 10 because of bugs.
We helped a customer to configure a new data center network. We provided the core firewalling. Between virtual routing instances, or virtual networks, we had two Firepower 2130s in HA. We did the routing and firewalling between the VRS and, in the same data center, we have an internet edge firewall also set in HA that provided the routing and firewalling to the internet and to Azure. In the same data center we had two ASAs for out-of-band management. If an error occurred in the data center, we could VPN into the ASA and troubleshoot the routing issues in the data center.
I have customers that have migrated from Cisco ASA to Cisco Firepower. They have benefited from the change because they have much more visibility into the network. An ASA is often used as a Layer 3 to 4 firewall. We allow networks and ports. But a Firepower firewall has the default intrusion prevention engine, so you can allow it to https on port 443, but it can also look into the packet, with deep packet inspection, and see if there is malicious code that is trying to be pushed into your system. It's a much more secure product than just having a Layer 3 to 4 firewall. It is a Layer 3 to 7 firewall.
We also use Cisco Talos, and when we configure a Firepower, we set the automatic update to get the latest vulnerabilities and databases, Snort rules, geolocation database, and security intelligence from Talos. Our customers aren't benefiting directly from Cisco Talos, but they are benefiting from having a product like Firepower that has connections to Talos.
The dynamic access policy functionality, and the fact that in Firepower 7.0 the feature has one-to-backward compatibility with the Cisco ASA Firewall, is a game-changer. Our customers have begun to transition from Cisco ASA to Cisco Firepower and because they get this capability, there are more and more VPN features. And when they shift from ASA to Firepower, they go from Layer 3 to Layer 7 visibility, instead of only going from Layer 3 to 4. They gain through the visibility they get from a next-generation firewall. They get more visibility and a more secure solution.
For Firepower the most important features are the intrusion prevention engine and the application visibility and control. The Snort feature in Firepower is also valuable.
For ASA, the most valuable feature is definitely the remote access VPN solution. The AnyConnect solution is very scalable and stable—there are no errors or flaws—which is necessary in today's world when we're all working remotely. The remote access VPN for ASA is very good.
When it comes to application visibility and control, both ASA and Firepower can provide them but the AVC feature is mostly used in Firepower. You can allow or disallow many applications through Firepower, through the access control policy.
If you configure Firepower correctly, it is good when it comes to threat visibility. It is proficient. It is the state of the art when it comes to blocking threats, network-wise. If you use it with an SSO encryption, and use your own features, blacklists, security intelligence, intrusion prevention, and access control points—if you are using it with every feature—Firepower can block most threats on your network. But it can't stand alone. It is necessary for the clients to have AMP for Endpoints, Cisco Umbrella, and Cisco ISE. If you're using Firepower as a standalone device, it can block, say, 20 or 30 percent more than the ASA can. But if you're using all of the security features from Cisco, you get much more security. It's like an onion's layers. The more layers you have, the more protection you have.
The ease of use with the new version of Firepower is more or less the same when compared to other versions of Firepower. But the dashboard has received a refresh and it's easier to use now than before. Overall, the ease of use has been increased.
On the VPN side, Firepower could be better. It needs more monitoring on VPNs. Right now, it's not that good. You can set up a VPN in Firepower, but you can't monitor it.
Firepower Management Center is slow. It could be better. And the Firepower Device Manager doesn't have all the features that the ASA has, and that's despite the fact that it's almost the same product. Cisco could use many more features from ASA in Firepower Device Manager.
I have used Firepower for two years and I have worked with all Firepower models: Firepower 1000 Series, 2000 Series, Firepower 4000. I have never had my hands on a Firepower 9300, but it's mostly the same as the 4000 and 9000 Series. I have also used Firepower Management Center, virtual, the 1000 Series, and the 1600. I have also used Firepower virtual devices, the Firepower Next-Generation Firewall Virtual (NGFWv).
I was using Firepower 7.0 for around 10 weeks on a beta program. I was using it more or less every other day. I have been using it quite a lot.
If you stay on the recommended releases, Firepower is very stable. Cisco has had a lot of trouble and issues with Firepower since they acquired Sourcefire, and some of the issues or problems are still there. But if you stay on the recommended releases you shouldn't hit that many errors or bugs. It can be stable, but it can also be very unstable if you jump on the newest release every time.
Firepower scales well if you have the 4100 Series or 9300 Series. They can scale and you can cluster the devices. Otherwise, you can only add one device, but that's more for the small customers. But if you get up to the high-end series of Firepower, it scales very well.
We have customers that have 100 or 200 clients but we also have customers that have 20,000 endpoints. They are using several different appliances. Two devices for internet edge, two devices for core infrastructure, and two devices for VPN. We help customers of all sizes.
First you have to configure the Firepower Device Manager, or Firepower Management Center. When you bootstrap it or do the initial config, you type in the IP address, host name, and DNS. When you have the IP configuration in place, you can log in to the Firepower Management Center and start building policies that suit your needs. When you have all the policies, you can add or join Firepower devices to the Firepower Management Center. After adding the devices to the Firepower Management Center, you can then apply the policies that you built in the first place, through the devices, and that will affect the behavior on the devices.
ASA is best for VPN solutions, site to site, remote access VPN. It's for everything that is connected with VPN solutions. For every other feature, Firepower is better. While Firepower is getting better for VPN, it's not where it should be yet.
I have tried configuring Zyxel firewalls. I have never logged in to Check Point or Palo Alto. From my point of view, Firepower is better than Xyxel when it comes to application visibility and control.
I did use competitive solutions many years ago, so things might have changed with them. But I would say that Cisco Firepower is a bit more complicated if you are an inexperienced user. If you are setting up a firewall for the first time, other vendors have an approach that makes it easier. Cisco Firepower it's more detailed and you can do more complicated configurations than you can with some competitors. It is easier for us to approach customers with Cisco Firepower, because we can do more detailed configurations compared to what customers can get from other vendors.
With SecureX, you can get more value out of the product, especially if you're using all the security features from Cisco. In that situation, you will definitely get more out of SecureX. When you do that you can integrate all of your Cisco products into SecureX and you can correlate all the data in one place, with a single pane of glass. In that way, you get a lot more value for money with Cisco Firepower and SecureX. You will get the full value if you combine it with other products, but if you only have Cisco Firepower then SecureX will not provide that much added value.
Have a plan. Find out how much bandwidth and throughput you need before you implement it because if you don't scale it well from the start, it can slow down your environment. Keep in mind that it adds so much security that the total data throughput can take a hit.
We have many customers, but in general, many of our customers are using all the tools they can to secure their infrastructure, such as AMP, Umbrella, and Firepower. Many companies are doing what they can to secure their network and their infrastructure. But there are also customers that only have a firewall. In today's world that's not enough to secure the network at all, but that's a decision the customer has to live with. We have tried to push them in the right direction. But the majority of our customers have a secure infrastructure.
The other Cisco products or services our customers are using in conjunction with their firewall include AMP, AnyConnect, cloud mail Email Security Appliances, Cisco ISE, and Web Security Appliances. We are only a Cisco partner. We don't do HP or Check Point or Palo Alto, so our customers do have a lot of Cisco features. For regular use, the integration among these Cisco products is pretty easy, but I have also worked with these products a lot. But it's easy to implement a firewall solution on Firepower and you can tweak it as much as you like. ASA is also easy to set up and configure, in my opinion, but I'm a security professional. For a regular user, both products can be pretty cumbersome.
Firepower 7.0 gives you visibility into how it inspects the packets, but it's tough to say how deep or how much visibility you get. However, if you have a Layer 4 firewall, it is clear that a Layer 7 firewall gives you more visibility, and you can see the packets that the application connection is using, meaning which application is using them. It's not how much visibility you get but, rather, the fact that you get Layer 7 visibility.
Cisco Secure Firewall has reduced our operational costs because it is faster to deploy configurations to firewalls. But when using it, it's more or less the same as it was before 7.0. The amount of time it saves when deploying configurations depends on how often you deploy policies or how many changes you have. But if you compare 7.0 to earlier versions, deployment time has been reduced from five to 10 minutes down to two to five minutes. If you make all the changes at once and only do one deployment, the time saved is not that big of a deal. But if you do one change and deploy, and another change and deploy, and another change and deploy, you will save more time.
I use Cisco ASA Firewall at my company for network security.
Cisco ASA Firewall could improve by adding more advanced features such as web filtering, which is available in the next-generation firewalls. However, the Cisco ASA Firewall I am using could be old and these features have been updated.
I have been using this solution for approximately two years.
The stability needs improvement.
I have found the Cisco ASA Firewall scalability could improve.
I have not contacted technical support. There is a lot of information on the internet for troubleshooting. All you need to do is use a search engine and you will find the information you are looking for easily.
They can improve by adding a public troubleshooting process.
I have previously used Fortinet firewalls that I have found to be better.
I would not recommend Cisco.
I rate Cisco ASA Firewall a six out of ten.
We use it to segment the east and the west traffic in our data center. We also use it on the internet edge and for VPN termination.
We use its multiple versions. We use the virtual and the physical ones. We have multiple Cisco Firepower 9300, and we also have a few Cisco Firepower 4100.
It helps in protecting against threats from outside and within our data center. With the enhancement in the newest version 7.0, visibility is where we always wanted it to be. The introduction of the Unified Events feature really helps us out daily.
It enables us to implement dynamic policies for dynamic environments. With the recently added Dynamic Attributes feature, we are able to create more dynamic and fast-changing policies. In our data center, workloads tend to go up and down very quickly, and that's why dynamic policies are important. Because the workloads in our data center are fast-moving, we need to be able to change our firewall policy accordingly and quickly. That's what makes it a very important feature for us.
Snort 3 IPS allows us to maintain performance while running more rules. Our performance has
definitely increased after migrating to Snort 3. Rules are easier to implement. We also like the underlying antivirus advancements that they made with the new architecture, which increases its benefit for us.
The VPN and the login enhancements that were introduced in version 7.0 are invaluable to us. That was something that was missing before.
Feature-wise, we mostly use IPS because it is a security requirement to protect against attacks from outside and inside. This is where IPS helps us out a bunch.
It is good in terms of the overall ease to use in managing it. Some of the things need some tuning, but overall, it is good.
The visibility for VPN is one big part. The policy administration could be improved in terms of customizations and flexibility for changing it to our needs.
I have been using this solution for about six years.
Its stability is quite good. We couldn't find any issues.
Its scalability is very good due to clustering.
In terms of our plans to increase its usage, it has everything we need. We don't plan to add anything more because it has all that we need as of now.
Their support is not perfect. Sometimes, you get the feeling that some of the support engineers don't have a deep knowledge of the product, but there are some engineers who are able to help.
Most of our clients were on Cisco ASA.
I wouldn't call it extremely straightforward, but I wouldn't call it complex either. Its deployment took about a day.
In terms of the deployment strategy, we create our deployment plans for ourselves and our customers. The deployment plan depends on the environment.
We deploy it ourselves.
It is very hard to say because we don't measure that. It is also very difficult to measure if it has helped in reducing our firewall operational costs.
Its pricing is good and competitive. There is a maintenance cost.
It includes SecureX that makes it cost-effective as compared to the other solutions where you have to pay for XDR and SOAR capabilities.
Technically, it is a very good firewall, but some improvements need to be done on the management side. I would advise getting a consultant or someone from Cisco to help you in implementing and using this firewall to its fullest extent.
We don't use workload integration as of now. We also don't use its dynamic policy capabilities to enable tight integration with a secure workload at the application workload level. Similarly, we don't use the solution's tags for VMware, AWS, or Azure for dynamic policies implementation in the cloud.
I would rate Cisco Firepower NGFW Firewall an eight out of 10.
We have multiple use cases for Cisco Firepower. We have two types of use cases:
The goal is to have some Firewall protection with a Layer 7 features, like URL filtering, IPS, malware at the perimeter level as well as inspecting the traffic going through that firewall, because all traffic is encrypted. We want visibility, ensuring that we can protect ourselves as much as we can.
In production, I am currently using Cisco Firepower version 6.7 with the latest patch, and we are starting to roll out version 7.0.
I have multiple customers who are running Cisco Firepower on-prem. Increasingly, customers are going through the cloud, using Cisco Firepower on AWS and Azure.
We are implementing Cisco Firepower at the Inter-VRF level so we can have some segmentation. For example, between ACI and all the Inter-VRF being done through Firepower, we are able to inspect local east-west traffic. It is great to use Cisco Firepower for segmentation, because on the Firepower, we now have a feature called VRF. So, you can also expand the VRF that you have locally on your network back to the firewall and do some more tweaking and segmentation. Whereas, everything was coming into a single bucket previously and you had to play around with some features to make sure that the leaking of the prefixes was not advertised. Now, we are really working towards segmentation in terms of routing in Firepower.
The integration of network and workload micro-segmentation helps a lot to provide unified segmentation policies across east-west and north-south traffic. One concrete example is with Cisco ACI for the data center. Not only are we doing what is called a service graph on the ACI to make sure that we can filter traffic east-west between two endpoints in the same network, but when we go north-south or east-west, we can then leverage what we have on the network with SGTs on Cisco ISE. Once you build your matrix, it is very easy to filter in and out on east-west or north-south traffic.
Since SecureX was released, this has been a big advantage for Cisco Firepower. You can give a tool to a customer to do some analysis, where before they were doing it manually. So, this is a very big advantage.
The IPS is one of the top features that I love.
The dashboard of the Firepower Management Center (FMC) has improved. The UI has been updated to look like a 2021 UI, instead of what it was before. It is easy to use and navigate. In the beginning, the push of the config was very slow. Now, we are able to push away some conflicts very quickly. We are also getting new features with each release. For example, when you are applying something and have a bad configuration, then you can quickly roll back to when it was not there. So, there have been a lot of improvements in terms of UI and configuration.
We saw a lot of improvements on Cisco Firepower when Snort 3 came along. Before, with Snort 2, we were able to do some stuff, but the bandwidth was impacted. With Snort 3, we now have much better performance.
I would like to see improvement when you create policies on Snort 3 IPS on Cisco Firepower. On Snort 2, it was more like a UI page where you had some multiple choices where you could tweak your config. On Snort 3, the idea is more to build some rules on the text file or JSON file, then push it. So, I would like to see a lot of improvements here.
I have been using Cisco Firepower for multiple years, around four to five years.
In terms of Firepower's stability, we had some issues with Snort 2 CPUs when using older versions in the past. However, since using version 6.4 until now, I haven't seen any big issues. We have had some issues, just like any other vendor, but not in terms of stability. We have had a few bugs, but stability is something that is rock-solid in terms of Firepower.
Cisco Firepower scalability is something that can be done easily if you respect the best practices and don't have any specific use cases. If I take the example of one of my customers moving to the cloud, there is one FMC and he is popping new Firepower devices on the cloud, just attaching them to the existing policy and knots. This is done in a few minutes. It is very easy to do.
When you open a ticket with Cisco tech support for Cisco FMC, you can be quite confident. Right away, the engineer onboarding is someone skilled and can help you out very quickly and easily. This is something that is true 90% of the time. For sure, you always have 10% of the time where you are fighting to get the right guy. But, most of the time, the guy who does the onboarding can right away help you out.
The initial setup and implementation of Cisco Firepower is very easy. I am working with a lot more vendors of firewalls, and Cisco Firepower is one of the best today. It is one of the easiest to set up.
The minimum deployment time depends on really what you want to do. If you just want to initiate a quick setup with some IPS and have already deployed FMC, then it takes less than one hour. It is very easy.
What takes more time is deploying the OVA of Cisco Firepower Management Center and doing all the cabling stuff. All the rest, it is very easy.
If you are working without a Firepower Management Center and using Firepower Device Manager with Cisco on the cloud, then it is even easier. It is like the Meraki setup, where you just plug and play everything and everything will be connected to the cloud. It is very easy.
If you configure Cisco Firepower, it has to be based on Cisco's recommendations. You can view all the traffic and have full visibility in terms of applications, support, URL categorization, and inspect malware or whatever file is being exchanged. We also love to interconnect Cisco Firepower with some Cisco ISE appliances so we can do some kind of threat containment. If something is seen as a virus coming in from a user, we can directly tell Cisco ISE to block that user right away.
I am working for a Cisco Professional Services Partner. We have only one guy deploying the devices. We don't require a big team to deploy it. In terms of configuration, it takes more people based on each person's skills because you have multiple areas: firewalls, IPS, knots, and routing. So, it depends on which skills will be required the most.
For maintenance on an average small to medium customer, it takes one to two people. When it is a big customer with multiple sites, you should have a small team of four to five people. This is because it is mostly not about creating the rules, but more about checking and analyzing the logs coming through Cisco Firepower Manager Center.
Whether Cisco Firepower reduces costs depends on the architecture that you are on. I had some of my customers answer, "Totally, yes," but for some of them that is not really true.
When we are fighting against other competitors for customers, whether it is a small or big business, we feel very comfortable with the price that Firepower has today.
I have worked with Palo Alto, Fortinet, and Sophos. I work a lot more with Palo Alto and Cisco Firepower. I find them to be very easy in terms of management operations. Fortinet is also a vendor where we see the ease of use, but in terms of troubleshooting, it is more complex than Firepower and Palo Alto. Sophos is the hardest one for me to use.
I love the IPS more on the Cisco Firepower, where you can do more tweaking compared to the other solutions. Where I love Palo Alto and Fortinet more compared to Firepower is that you still have CLI access to some configs instead of going through the UI and pushing some configs. When you are in big trouble, sometimes the command line is easier to push a lot more configs than doing some clicks and pushing them through the UI.
Compared to the other vendors, Firepower requires more deep dive skills on the IPS stuff to make it work and ensure that you are protected. If you go with the basic one in the package, you will be protected, but not so much. So, you need to have more deep dive knowledge on the IPS to be sure that you can tweak it and you can protect yourself.
Another Cisco Firepower advantage would be the Talos database. That is a big advantage compared to other solutions.
In terms of threat defense, we have a feature of TLS 1.3 that is free where we can see applications without doing any SSL inspection, which can increase the performance of the firewall without doing some deep dive inspection. At the same time, we keep some visibility of what application is going through. Therefore, we have a win-win situation if one wants to protect against some specific applications.
Do not just look at the data sheet that vendors are publishing. Sometimes, they make sense. But, in reality, these documents are made based on specific use cases. Just do a proof of concept and test every single feature. You will find out that Cisco Firepower is much better and more tweakable than other solutions.
When you start using Cisco Firepower Management Center, you need a few days to get used to it. Once you know all the menus, it is kind of easy to find your way out and analyze traffic, not only in terms of the firewall but also in terms of IPS or SSL decryption. Different users are split away who can help you to troubleshoot what you want to troubleshoot, not having everything in one view.
Today, the only use cases that we have for dynamic policies are leveraging the API on Cisco FMC to push some config or change the config. There isn't a feature built automatically on the FMC to build a new policy, so we are leveraging APIs.
I would rate Cisco Firepower between eight and nine. The only reason that I am not giving a full nine is because of the Snort 3 operations, where there is a need for improvement.
Telindus, our company, is an integrator. We sell Firepower and we do use it ourselves. I use all the different versions of the product.
We either replace our customers' other brands of firewalls with Firepower, or we upgrade their old Cisco ASA Firewalls to the new Firepower firewalls. The type of device we advise them to install depends on the customer's requirements and the throughputs needed.
Our primary use case for Firepower is for big networks.
The most important feature is the intensive way you can troubleshoot Cisco Firepower Firewalls. You can go to the bit level to see why traffic is not handled in the correct way, and the majority of the time it's a networking issue and not a firewall issue. You can solve any problem without Cisco TAC help, because you can go very deeply under the hood to find out how traffic is flowing and whether it is not flowing as expected. That is something I have never seen with other brands. That is why, when people move from another brand to Cisco, they never leave Cisco. They see that advantage.
Something I like about Firepower, in general, is that it still relies on the old ASA code. That's something customers really like because when they go into the CLI, they remember, "Oh, that's the ASA, that I am familiar with," but it's enriched with all the next-gen features of Snort. When a customer has knowledge of the ASA codes, they can do intensive troubleshooting because they know the device.
Customers also like Talos, which is the intelligence behind all of Cisco's security products, including Firepower. Talos is very good and is actually the most important part of a security product. It's important that you have something in the background that is continuously enriching intelligence so that you get information about upcoming threats on time. That keeps you protected as soon as possible when a Zero-day happens. Something that customers like about Cisco Firepower, in combination with Talos intelligence, is that full-time people are working in the background to provide information to Cisco security products.
Customers really want visibility into their networks. For example, they want identity management and that is something you can use Firepower for. With it, in addition to an IP address going somewhere, you can also see the username. That's a big advantage of Firepower, and can be set up quite easily.
Also, in very large networks, our customers use Cisco DNA Center. They have automation orchestration for their access network and that works seamlessly with Cisco Firepower firewalls. Security Group Tags can be used from DNA to an edge Firepower firewall. That way, they have microsegmentation within their access network for DNA. And they can extend that to their firewall rules for Firepower.
Our customers also use Cisco ISE to get user information. ISE is connected to DNA Center. That is something that Firepower works seamlessly with, and we do sell it a lot. We sell a lot of Cisco's other security equipment, and they all send their information to SecureX. Having more Cisco security products means your security information is becoming enriched within the SecureX platform. The integration among these Cisco products is more than easy. Cisco documents everything, in detail, when it comes to how to integrate the different parts. I've never had an issue with integrating Cisco security products with each other.
And for smaller networks, like those our government customers have, what they like about Cisco Firepower, and why they purchase it nine out of 10 times, is its ease of use and the reporting in Firepower Management Center. That is something they really like. They can look up things themselves and they like the SecureX integration.
The Firepower FTD code is missing some old ASA firewalls codes. It's a small thing. But Firepower software isn't missing things that are essential, anymore.
I've been using Cisco Firepower NGFW Firewall since it came out; from the time Cisco started to use the name Firepower and they bought Snort. That's when they put in the next-generation features.
Firepower is rock-stable. So far, I have not seen any failed firewall. The only thing that was not quite stable in the past was Firepower Management Center, but since version 6.6 that has also been rock-stable. I haven't had any failed components in the last couple of years. I did have them two years ago and further in the past, where firewalls were not functioning and needed a reboot, but since 6.6, the stability is very good. We don't have priority-one tickets anymore.
In the Netherlands, where I work, we don't have very big customers requiring very high throughput. So I cannot say anything about clustering where you can pile different ASAs or Firepower devices together to increase performance when you require it.
But scalability, in general, is pretty hard. Competition-wise, sometimes it's hard to sell Cisco security products because, in my opinion, Cisco is quite honest about the real throughput they are able to provide. Other vendors may be giving figures that are a little bit "too perfect." Sometimes it's hard for us to sell Cisco firewalls because a customer says, "Well, when I go to other brands they say they have double the throughput for half the price." Well, that's great on paper, but...
In general, after we have installed Cisco firewalls, our customers are very pleased by the performance. They also like that they can tweak settings to get more performance out of the firewall by enabling specific policies for specific traffic, and by disabling inspection for very internal data center traffic. That provides a big boost to the overall firewall performance. When a customer complains that we didn't scale it correctly, and they say it's not performing as well as they expected, I'm always able to tweak things so that it performs the way the customer requires.
I have interacted with Cisco's technical support many times. Nowadays, it sometimes takes a while to get to the person with the correct knowledge, but that is happening in the world in general. First-line people are common around the world and they are trying to figure out if an issue is actually a second-or third-line issue. But when you do reach the correct department, and they know that you are knowledgeable and that you are really facing a high-priority issue or a strange behavior, Cisco's support does everything it can to help you fix things, including involving the development department. I'm very happy with their tech support.
Most of the time we replace Sophos, Check Point, SonicWall, and Fortinet firewalls with Cisco firewalls. Customers really like the overall integration with SecureX. They see the advantage of having more security products from Cisco to get more visibility into their security. We also replace old, non-next-generation firewalls from Cisco; old ASAs.
The initial deployment of Firepower is a straightforward process. For me, it's pretty easy. If you have never worked with it, I can imagine it might be complex.
Cisco makes it easier all the time. You can now deploy a remote branch by managing the device on an external interface. In the beginning, with previous software versions, that was hard. You needed to configure the file as a remote branch, but for that you needed the central Firepower Management Center to configure it and you didn't have a connection yet. It was a big issue to set up an initial firewall remotely when there was no connection to the Management Center. But that's been fixed.
In general, you just put down some management IP addresses and configure things so that the devices see each other and it starts to work. It's far from complex.
Generally, the initial setup takes four hours. The implementation strategy depends on the customer. I always have a conversation with the customer upfront. I explain how the connectivity works for Cisco Firepower, and then I say that I want to be in a specific subnet field. Then I start configuring the basics, and that is the part that takes about four hours, for Firepower Management Center and two firewalls in HA. Then, I start to configure the firewalls themselves, the policies, et cetera.
I have experience with SonicWall, Fortinet, Juniper, and Sophos firewalls, among others. We work with Fortinet and Palo Alto. It's not that we only do Cisco. But I can say from my experience that I am really more convinced about Cisco products.
What customers really like about Cisco, the number-one thing that they are really happy about within Firepower—and it was also in the old ASA code, but it's even more a feature in Firepower—is that the configuration is in modules. It's modular. You have different policies for the different functions within your firewall, so that your access control policy is only for your access lists and that's it. You have a different network address translation policy. It's all separated into different policies, so a customer knows exactly where to look to configure something, to change something, or to look at something which is not working properly.
Also, with Cisco, when a customer is not totally certain about a change he's going to make, he can make a copy of the specific access control policy or the NAT policy. If something doesn't go right, he can assign the copied policy back to the device and everything is back to the way it was.
These are the biggest advantages our customers see. When a customer doesn't have any knowledge about firewalls, I can explain the basics in a couple of hours and they have enough familiarity to start working with it. They see the different modules and they know how to make a backup of a specific module so that they can go back to the previous state if something goes wrong.
My advice is "buy it." A lot of people prefer a specific brand and it's fairly hard to convince them that something else, like Cisco, is not bad, as well. They are so convinced about their existing firewall that they want to keep that brand because they are familiar with it and they won't need to learn a new firewall. It's hard for a customer to learn how a firewall works in the first place.
But my advice is that people should read about how Cisco security, in general, is set up and how it is trying to protect them with Talos. They need to understand that Cisco security is very good at what it does. They shouldn't blindly believe in what they have at the moment. I always hear, "My firewalls are good enough. I don't need Cisco. I will just buy the same ones, but new." Cisco Firepower is superior to other firewalls and people should not be afraid to dive in. By educating themselves about the firewall, they will be fine in managing it.
Practically speaking, Cisco firewalls are easier to manage than the firewalls they have at the moment, but they need to make the leap and try something else. That is the hardest part. When I do show them what they are capable of, and how you can configure all kinds of different things, they start to understand.
We don't have many customers that use other vendors' security products together with Firepower. We convince nine out of 10 customers to go over to Cisco fully. We do have customers who don't do that, and then we try to find a way to get the solutions to work together. For example, we try to integrate other brands' switches or firewalls with Cisco security products, but most of the time that is pretty hard. It's not the fault of Cisco. It requires that the other brands speak a protocol language that will support integration, but in the end, it's not perfect and the integration does not work very well. The majority of the time, we are not able to integrate into other security products. Cisco is using standard protocols, but the other vendor is abusing some sort of protocol and then it doesn't work well.
I don't prefer using applications in firewall rules, but our customers do use the application visibility and control, and it works perfectly. Firepower is very good at recognizing the application and is very good at showing you the kind of application that has been recognized. Customers use that in their access control policy rules, and I have never heard bad things about it. Cisco Firepower works very well in recognizing applications.
I get questions from customers because they do not understand threat messages generated by Firepower. Sometimes, it's hard to read what exactly the message is saying. In my opinion, that is not something that is specific to Cisco security or Firepower, rather it is an issue with security in general. Most networking people get these fancy firewalls and they get fancy security events. It's hard for some of them to understand what is meant, and what the severity level is of the message. It's more that a networking guy is trying to read security events. Firepower is doing a good job, but customers sometimes have problems understanding it and then they stop looking at it because they don't understand it. They assume that Firepower is taking the correct actions for them.
Firepower is not a fire-and-forget box. It is something you actually do have to take a look at. What I tell customers is, "Please enable Impact-One and Impact-Two messages in your mailbox, and if it's really something that you cannot understand, just forward it to me and I will take a look for you. Most of the time they are not very high-impact messages. There are only one or two high-impact messages per month.
There are customers who say, "We want you to review the messages in Firepower once a week." I have a look at them when I have time. We try to help the customer check security events once a week or so. That's not great, but it's always a question of finding a good balance between the money a customer can spend and the security aspects. When we do monitor all the events, 24/7, for a customer, you can imagine that it is quite expensive.
I configure every customer's automatic tweaking of IPS policies so that the IPS policy is enabled for the devices seen by Firepower, for recognition of what kinds of clients and hosts are in the network. Other than that, we do not do a lot of automation within Firepower.
Since 7.0, I don't have a lot of things to complain about. If I do have suggestions for improvements, I will give them during the beta programs. The speed of the FMC is very good. The deployment time is much better. They added the policy deployment rollback. That was something I really missed, because if I destroyed something I was able to undo that. Now, for me, it's actually almost perfect.
We use it for malware and IPS.
The automated policy application and enforcement have freed up time for us, on the order of 30 percent.
Also if one Cisco antivirus implementation is the subject of an attack, all other Cisco implementations get that information rapidly, in real time. All the other firewalls are in sync when it comes to malware attacks, through the update of the database. That is good.
The visibility it provides into threats is good. Every day we find lots of malware attacks targeting our network, but they don't get through to the network.
The dashboard is the most important thing. It provides good visibility and makes management easy. Firepower also provides us with good application visibility and control.
Cisco Talos is well known around the world and everyone trusts Talos for malware intelligence. It is number one. It is also the most secure for Snort rules. It is more secure than others because its real-time analysis is better.
In addition, Firepower Management Center is helpful.
We also use Cisco ISE and the integration between it and Firepower is okay.
I've been using Cisco Firepower NGFW Firewall for four or five years.
It's a stable product.
The scalability is good.
Their technical support is good. When my NOC or my engineers have needed support the feedback I've had is that tech support has been good at critical moments. They have given us good service.
There was no issue with the initial setup. It's straightforward because Cisco gives us lots of documentation. It's not a big deal, for me. In four or five years I have deployed 35 to 40 Firepowers for financial organizations and corporate offices.
We also use Palo Alto, Fortinet, Sophos, and Check Point.
One issue with Firepower Management Center is deployment time. It takes seven to 10 minutes and that's a long time for deployment. In that amount of time, management or someone else can ask me to change something or to provide permissions, but during that time, doing so is not possible. It's a drawback with Cisco. Other vendors, like Palo Alto or Fortinet do not have this deployment time issue.
The other issue is the upgrading process, with Cisco. Sometimes, if we use a standalone device we need to create maintenance windows at that time and we need to restart Firepower. But with other vendors, like Palo Alto, there is no need to update in that way.
If they mitigated these two things, Cisco would be number-one in the world in the security domain.
We have not integrated Firepower with Cisco SecureX because it needs IOS 6.6. It's a limitation. If we have an external device, we would need downtime and in a financial organization, management will not allow us the downtime.
In my experience, the deployment procedure with Cisco is not the easiest, it's not plug-and-play. I hope that Cisco will give us that type of implementation.
Overall, I would rate Firepower at eight out of 10.
We are currently using this solution as a VPN and an internet firewall in some locations. In our data center, we are still using FortiGate as an internet firewall but we are evaluating other options.
If you compare the ASA and the FirePOWER, the best feature with FirePOWER is easy to use GUI. It has most of the same functionality in the Next-Generation FirePOWER, such as IPS, IPS policies, security intelligence, and integration and identification of all the devices or hardware you have in your network. Additionally, this solution is user-friendly.
We cannot have virtual domains, which we can create with FortiGate. This is something they should add in the future. Additionally, there is a connection limit and the FMC could improve.
I have been using Cisco Firepower NGFW Firewall for approximately three years.
The solution is not stable. There seems to be always some issues. This is not ideal when you are running a system in a data center environment.
There is room for improvement in the scalability of this solution.
I was satisfied with the support we received.
When I did the installation three or four years ago it was challenging.
This solution is expensive and other solutions, such as FortiGate, are cheaper.
I have evaluated FortiGate firewalls and when comparing with this solution there is no clear better solution, they each have their pros and cons.
I would recommend a Next-Generation firewall. FortiGate has a Next-Generation firewall but I have never used it. However, it would be similar to the Cisco Next-Generation FirePOWER, which has most of the capabilities, such as running all the BDP sessions and having security intelligence in one system.
I would recommend everyone to use this solution.
I rate Cisco Firepower NGFW Firewall a six out of ten.
We use it for intrusion prevention and in our VPN that is connected to our head office. It provides protection and security and node clustering. It gives us all the security features that we need within our environment.
The features that are most valuable within the firewall are the IPS as well as the Unified Communications. We also really like the dynamic grouping.
An area for improvement is the graphical user interface. That is something that is coming up now. They could make the product more user-friendly. A better GUI is something that would make life much easier. Traditionally, Cisco products have been command-line-based.
The Cisco ASA Firewall has been in our environment for the past seven years.
The product is very stable. We've not had any challenges with it in all this time. It performs very well.
We have 2,000 users who connect through this product. We are planning to increase use as we go, toward the end of the year.
The technical support has been excellent. When there have been any issues, they've always been there for us.
The initial configurations were straightforward, not complex at all. It took us just two days to finalize things.
We did most of the setup in-house, but we also had assistance from our partner.
We pay annually and there are no costs in addition to the standard fees.
When you compare Cisco ASA Firewall with Sophos, they are more or less the same in terms of functionality.
Cisco ASA Firewall is very stable and very reliable. It requires very minimal support, once you configure it and put it in your environment. You don't need to attend to faults or issues. Once you install it and plug it in, it is good to go.
We have been using the ASA Firewall for a long time, and it is an advanced product for our current use. In terms of improvement, there's not much that can be done to it. It is a solid product, very effective, and it does its job well.
We primarily use the solution as a firewall for our data centers. We have a medium-sized data center right now. It's about six or seven servers. We actually store the data for students and schools and need to protect it.
Overall, the solution works very well.
The solution is quite fast. We found that the speed was good and the throughput was good.
The stability has been very good.
The solution can scale as necessary.
The product is quite robust and durable.
The solution lacks the abilities of an FTD type which are the abilities we need, and they are not in the firewall. We're looking for a next-generation firewall instead.
The graphical interface could be improved. From what I have seen, Fortinet, for example, has a nicer GUI.
The solution needs to be easier to use. Right now, it's overly complicated.
The initial setup is a bit complex.
The cost of the solution is very high.
The product should add free URL filtering. It's another product, or part of another product, however, it should be available as part of this offering as well.
I've been using this solution for about seven or eight years at this point. It's been a while.
The stability is excellent and the performance is good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.
The product can scale nicely. If a company would like to expand it, it can do so.
We have about 10,000 schools use the solution in general, and 1,000 to 2,000 that use it simultaneously daily.
I don't directly deal with technical support. Typically, that's something that others on the team deal with. We have our own team within the company that, if I run into issues, I would reach out to first. I can't speak to how helpful or responsive they are. I've never had a chance to contact them.
I have not used other firewalls.
The initial setup is not easy or straightforward. It's a bit complex and a little difficult.
We have three engineers on staff. They are capable of handling any maintenance.
The solution is quite expensive. Fortinet and other competitors are about half the price. Cisco is very expensive in comparison. They need to work to be more competitive.
We're currently looking into a new firewall - something that is Next Generation. We don't know what it will be yet, however, we are considering Cisco, Fortinet, or Palo Alto.
It's my understanding that Fortinet is better in graphics and has a better user experience than Cisco, however, I haven't had a chance to test anything out.
We're just a customer and an end-user.
We no longer have an SLA for this solution. We're potentially looking for something new.
I'd recommend the solution to others. It works well. It's durable and fast and you don't have to check up on it daily as it is rather reliable. That said, it is pricey.
In general, I would rate the solution at a seven out of ten.
I am using this solution for monitoring incoming and outgoing network traffic. This includes many types of traffic, such as VPN users.
I have found the most valuable feature to be the access control and IPsec VPN. There are a lot of people moving towards the next-generation versions of firewalls which have some advanced features such as this one. You can define rules based on the application instead of how they are traditionally are done. There are more general and traffic controls, and additional features for intrusion prevention for malware analysis.
When comparing the graphical interface of this solution to other vendors it is more difficult to configure. There is a higher learning curve for administrators in this solution.
A lot of vendors, such as Palo Alto, are going toward cloud-based systems and Cisco should follow.
I have been using this solution for approximately two years.
The solution is stable.
Since this is a hardware solution it does not scale as well as cloud versions. We have approximately 20,000 people using this solution in my organization.
The support of this solution is very good.
We have security specialists to manage the solution.
I have previously used FortiGate and Palo Alto solutions. When comparing them to this solution they have more standard features in their normal firewall this one does not.
My advice to those wanting to implement the solution is to look at their use case and see if it meets those requirements for what they are looking for. There are a lot of security features that people may not be aware of and do not use. Explore the solution and all its features which will help you understand the configurations.
I rate Cisco ASA Firewall an eight out of ten.
We are using Cisco ASA Firewall 5525 for network security. We needed a network security solution that can take care of the network security and URL filtering. We also wanted to create site-to-site VPNs and have remote VPNs. For all these use cases, we got Cisco ASA, and we are pretty happy with it.
The remote VPN and IPsec VPN or site-to-site VPN features are valuable. The clustering feature is also valuable. We have two ISP links. Whenever there is a failover, users don't even get to know. The transition is very smooth, and the users don't notice any latency. So, remote VPN, site-to-site VPN, and failover are three very powerful features of Cisco ASA.
Cisco has the best documentation. You can easily find multiple documents by searching the web. Even a child can go online and find the required information.
There is huge scope for improvement in URL filtering. The database that they have is not accurate. Their content awareness and categorization for URL filtering are not that great. We faced many challenges with their categorization and content awareness. They should improve these categorization issues.
It is very reliable.
It is scalable. Cisco is pretty popular with organizations, and many customers are using it. It is suitable for all kinds of customers. It can cater to small, medium, and large organizations.
I have interacted with them many times. I have been on a call with their technical support continuously for 48 hours. They were very prompt. In terms of technical support and documentation for switching, firewall, and routing solutions, no one can match Cisco.
Its initial setup was very straightforward. Its documentation is very easily available on the web, which is very useful.
Their pricing is very aggressive and good. Even a small company can afford it. I am happy with its pricing. Its licensing is on a yearly basis.
I would recommend this solution to others if they are not specifically looking for URL filtering and want to use it for their infrastructure. It is a perfect and very reliable solution, but it lacks when it comes to URL filtering.
I would rate Cisco ASA Firewall a nine out of ten.
We are a large company in the country in which we operate. We are a government agency dealing with taxes and we provide services for all taxpayers within the country. We have services for internal users, as well as services for public users. The main reason we use these firewalls is to protect our environment and to provide our services efficiently so that we are up and running 24/7.
Our solution is deployed in a private cloud. Everything is hosted in our environment and provided as cloud services. We are in the process of moving our infrastructure from the previous environment to the new environment where Cisco firewalls are installed.
In terms of our security maturity as an organization, we are young. In fact, we are young as a country. We have been providing electronic services for more than 10 years for our clients. We have a huge number of clients, with over 120,000 users who subscribe to our system and who access our services on a daily basis or, at a minimum, three to four times per year.
We use a few tools for security in terms of management, both internal and external, but we are mainly relying on Cisco. Our network is based on Cisco, and we also protect our mail system with Cisco. Previously, and in parallel, we used Sophos next-generation firewalls.
The solution provides us with application visibility and control and, at this stage, we are happy with it. Similarly, we are very happy with Cisco Firepower Management Center. We're still at an early stage, but we haven't seen any problems with the Cisco products. We are still switching on features and looking at how they are working.
When it comes to the integration among Cisco tools, we find it easy. It's a very practical integration with other components as well.
We also believe that Cisco is updated about all security issues and threats and efficient enough to provide us with the features and protection we need.
We just installed them recently. We started installation at the end of 2020 and we completed it this month, April 2021.
It's still early, but we believe the stability is alright.
The scalability of the solution is better than the other firewalls we have, due to technical features. Our technicians have realized that this is much more scalable compared to other solutions.
So far, the technical support has been excellent.
The initial setup was a bit complex. It wasn't a major challenge, but due to our requirements and network, it was not very straightforward but still easy enough.
We did a proper implementation plan according to the complexity of our network and our requirements. Then we used the best method for implementing it while mitigating our risks and meeting our requirements. We found a good way to implement it.
The setup took us two calendar months, but in terms of the actual time required to configure it, it was not so long. The setup took approximately as long as for other firewalls we have used.
It's hard to talk about ROI when it comes to security, but security now is expensive. You have to pay for it.
For us, the pricing was more economical than other products we used. There were no extra costs.
We evaluated a lot of the providers: Juniper, Palo Alto, Check Point, and Fortinet. Our technical team really researched things for a considerable amount of time, and they came up with a decision that this would be the best.
Cisco was chosen because there were many features according to assessments made by other users and as noted in technical data sheets we looked at during the research. They came up with a few features which are better than what other products have.
Also, especially when you have been a long-time user of Cisco products and services, we found that from a budget perspective it was going to be much more preferable than the others.
We are very satisfied with the service and the product. I don't think that any product would be better than Cisco when it comes to next-generation firewalls.
We are primarily using the solution for VLAN implementations and also for remote VPN capability - basically it's used for connecting to remote offices securely.
After implementing tools, including Cisco ASA, unauthorized access comes down a lot. We are not facing asset issues as of now. We are not facing an issue related to malicious traffic or any bad activity in our network.
The solution can allow and block traffic over the VLANs.Some of the unauthorized actions and malicious traffic can also be blocked effectively, as we are following PCI DSS compliance. We are a card industry. We are using cards as a payment method, and therefore we need to follow the compliance over the PCI DSS. That's why we chose one of the best products. ASA Firewall is very secure.
It's always easy to integrate Cisco with the same company products. If you are using other CIsco products, there's always easy integration.
Cisco is one of the most popular brands, and therefore the documentation is easily available over the internet.
They are best-in-class.
The remote VPN feature is one of the best features we've found.
We like that there is two-factor authentication on offer. We can integrate a Google authenticator with Cisco ASA so that whenever a person is logging on to any network device, they need to enter the password as well as the security code that is integrated by Google. It's a nice added security feature.
Cisco ASA provides us with very good application visibility and control. The Cisco CLI command line is one of the easiest we found on the market due to the fact that the GUI and the user interface are very familiar. If you're a beginner, you can easily access it. There's no complicated UI.
When compared to other products available, the cost is pretty similar. There's no big gap when you compare Cisco pricing to other products.
There are multiple features in a single appliance, which is quite beneficial to us.
Support that is on offer 24/7. Whenever we face some technical issue, we can reach out to them easily.
We have not had any security breaches.
They provide a helpful feature that allows us to configure email.
We are getting a lot from the appliance in real-time.
There's an upgraded version of the 5500 that has come to the market. It offers the latest encryption that they have. If they want to add better features to the current Cisco ASA, they can start by increasing the encryption. That is the only thing they need to improve. The rest is good.
We've been using the solution for about five or more years at this point. It's been a while.
The stability and availability are very good. there are no bugs or glitches. It doesn't crash or freeze. it's a reliable solution.
We have it in our infrastructure for around 15 plus users, including Fortinet sites.
We have found that whenever the traffic spikes at peak times, the product automatically scales up to the requirement. We have also implemented the single sign-on it, and therefore, it automatically scales up. We haven't felt any limitations. Currently, we are using it for 1500 plus users. At any given time, there are around 700 plus users available in the office. It's a 24/7 infrastructure. We have tested it for up to 750 plus users, and it's perfectly fine.
Technical support is excellent. they are always available, no matter the time of day, or day of the week. We are quite satisfied with their level of support. They are quite helpful and very responsive. I'd rate them at a ten out of ten. They deserve perfect marks.
We did not previously use a different solution. When the office was launched we implemented Cisco as a fresh product.
We are using a Cisco ASA Firewall, as well as Sophos at the remote sites. We are using another product is for log collecting. There are three solutions that basically cover us for security purposes. Those, at least, are the physical devices we are using as of now. The rest are cloud solutions such as Nexus.
That said, I personally, have used Sophos XG as a firewall in the past. Sophos is good in terms of traffic blocking and identifying interruptions to the traffic. The features are better on Cisco's side. For example, there is two-factor authentication and a remote VPN. The only benefit I found in Sophos was the way it dealt with the traffic.
The initial setup was not overly complex or difficult. It was quite straightforward and very easy to implement.
Deployment takes about 20 to 25 minutes.
In terms of the implementation strategy, at first, we put up the appliances in the data center. After that, we connected it with the console. After connecting the console, we had an in-house engineer that assisted. Cisco provided us onboarding help and they configured our device for us. We have just provided them the IP address and which port we wanted up. Our initial configuration has been done by them.
While most of the setup was handled in-house, we did have Cisco help us with the initial configurations.
The ROI we are getting from Cisco ASA is higher availability, which we are getting all the time. On top of that, it's good at blocking traffic and protecting us from cyber-crime issues.
The pricing is pretty reasonable. it's standard and comparable to other solutions. The maximum difference between products might be $20 to $40. It's not much of a difference.
We did not evaluate other solutions. We trust Cisco. It's a very good product and well known in the market.
We are a customer and an end-user.
We are using physical Cisco appliances.
We use a lot of Cisco products, Cisco router (the 3900-series routers), and Cisco switches.
In the next quarter, we will implement SD-WAN. Once the SD-WAN is implemented, then we will go with an automated policy and DNS kinds of tools. We are in the process of upgrading to Cisco ASA Firepower in the next quarter. We have not integrated Cisco ASA with Cisco's SecureX solution.
I'd recommend the solution, especially for medium-sized or larger companies and those who are looking for long-term solutions (for example those with a user base of around 2,000 plus users in and around 20 plus applications). It's reliable and offers users a lot of features. This helps companies avoid having to rely on other third-party solutions.
If you are new to Cisco, you should take advantage of the education they have on offer. Cisco provides access to training and it's worth taking advantage of this.
Overall, I'd are the solution at a nine out of ten.
We use this solution for advanced IPS, IDS, advanced malware protection, and web filtering.
The most valuable features of this solution are advanced malware protection, IPS, and IDS.
web filtering needs to improve because cisco firepower sync with bright cloud website for the website category. sometimes your URL is falling in the wrong category because of the bright cloud. so if you want to change the category you will have to drop the mail to the bright cloud and they will take action and it's a very long procedure.
more than 2 years
This is a very reliable solution.
I have extended my Cisco solution and did not have any trouble.
We have more than 400 users and we plan to increase usage.
The initial setup is very simple to deploy in the Egyptian network. It takes two to three days to deploy but if you are implementing AMP then it will take an extra one or two days.
I am happy with the product in general, including the pricing.
We evaluated a Sophos firewall but when I checked the reviews, I found that Sophos did not rate as well in terms of IPS, IDS, and malware protection.
Cisco utilizes BrightCloud for URL filtering. Web filtering is the main problem with this product.
My advice to anybody who is considering this product is that if they want good security, compared to other offerings such as those by Check Point and Palo Alto, then they should implement Cisco Firepower.
I would rate this solution an eight out of ten.
I am using Cisco ASA 5525 for netting, routing, and site-to-site VPN. We have two sites. I am using Cisco ASA Firewall on one site and Check Point Next-Generation Firewall on another site.
We have integrated it with Cisco Anyconnect. This feature has been very good for us during the lockdown.
Netting is one of the best features. We can modify it in different ways. Site-to-site VPN is also an awesome feature of Cisco ASA.
The biggest advantage of Cisco products is technical support. They provide the best technical support.
Cisco should work on ASDM. One of the biggest drawbacks of Cisco ASA is ASDM GUI. Cisco should improve the ASDM GUI. The configuration through ASDM is really difficult as compared to CLI. Sometimes when you are doing the configuration in ASDM, it suddenly crashes. It also crashes while pushing a policy. Cisco should really work on this.
We have been using this solution for one and a half years.
It is stable and reliable. If you are looking for security from Layer 1 to Layer 4, Cisco ASA is good, but if you are looking for Layer 7 security, deep security, and malware detection, this is not the right product. You have to use some other product.
We have more than 400 employees. We are currently not thinking of increasing its usage because we need more security, and Cisco ASA is not good for Layer 5 to Layer 7 security.
The biggest advantage of a Cisco product is technical support. They provide 24/7 support on 365 days. Their technical support is one of the best. I would rate them a ten out of ten.
Cisco ASA is very not complex. It is a very simple firewall. If you are configuring it through CLI, it is easy. If you configuring it through ASDM, it will be more difficult for a beginner engineer.
It takes around two to three days to cover all the parameters. It is very easy to deploy in an existing network, which is one of the main advantages of Cisco ASA.
We are happy with its price. Licensing is on a yearly basis for technical support. There is one license for technical support. There is another license for IP Version 2 VPN and IPS.
I considered pfSense, but when I checked the reviews, pfSense's reviews were really bad, so we purchased Cisco ASA.
I am very happy with this product in terms of netting, routing, and VPN functionalities. If you are a small organization with around 100 people and you are not thinking of Layer 7 security, deep security, and malware detection, Cisco ASA would be very useful and cost-effective for you.
I would rate Cisco ASA Firewall an eight out of ten.
We currently have this solution hosted in a service provider's premises. They give us the link for our infrastructure and that is how we manage our equipment. We use the VPN feature to connect with our clients.
The most valuable feature we have found to be the VPN because we use it often. Additionally, overall the solution is user-friendly and especially the ASDM GUI.
The solution has not had any layer upgrades. It does not have layer five and upwards, it only has up to layer four. This has caused some problems for us.
In the future, it would be wonderful to have an antivirus, log analyzer, and PDF/Excel data exportation features build into the solution. The data export would be great to be able to look at the access list.
I have been using the solution for four years.
The solution is stable up to a point. We have had some troubles making VPN connections with other technologies, such as Check Point. We have some of our clients that have Check Point equipment on their side, and sometimes the traffic ceases. We then are forced to reset the tunnel in order to get the traffic back.
Currently, we have approximately 20 site-to-site VPNs operations.
We have had no issues with technical support.
We are currently using a Check Point solution because this solution lacks by not having an application layer.
The initial setup is can be complicated if you are not familiar with the command line. There is documentation available by Cisco and once you are trained it is not difficult at all.
We use implementation consultants for the full deployment and it took approximately two weeks to complete.
My advice to those wanting to implement the solution would be that implementations sometimes do not go as planned. You need to do your research to be prepared.
We are evaluating other solutions because this one is getting close to its expiration. There are no other technologies out there that offer better features than this ASA solution.
I rate Cisco ASA Firewall a six out of ten.
We primarily use the solution to operate that LAN environment over the internet and use the public and private networks separately. It's a very good firewall in terms of security, in terms of certain scenarios, and also from an ethical hacking point of view. Both are available in our environment. Both are doing great.
Cisco, obviously, gives you a great amount of reliability which comes in handy. The brand is recognized as being strong.
Even in very big environments, Cisco comes in handy with configuration and offers reliability when it comes to managing multiple items on one platform. You are able to integrate Firepower and all AMP. With so many items to configure, I haven't yet done them all, however, I hope to.
It's great for securing the network. You learn a lot.
The initial setup is straightforward.
The solution is very stable.
The scalability of the solution is very good.
Most of the firewalls almost 90%, 95% of the firewalls will move to GUI. This is the area which needs to be improved. The graphical interface and the monitoring level of the firewall need to be worked on.
Most of us are using the monitoring software where we get the alarm, then details of the servers, et cetera. This aspect needs to be much updated.
From just the security point of view, in the security, it needs to be updated every day and every week. It is getting better day by day, however, from a monitoring point of view is not the same view as we have on the different monitoring servers or monitoring software, such as PRTG and Solarwinds. It needs to be changed and improved.
Cisco has launched its multiple products separately. Where there's a new version of the hardware, there is Firepower in it. However, there must be a solution for an integrated version that includes everything in your network and your firewall as well so that you can manage and integrate from the same web portal without going to every device and just configuring it and just doing everything separately.
It would be ideal if a solution can be configured separately and then managed centrally on one end.
We have more than one Cisco firewall and it is difficult for me to integrate both on the single UI. If I have three firewalls and one is a normal firewall, I need to configure everything separately. I can't have it on the same port or integrated on the same single IP or bind it something like it.
We've mostly used Cisco solutions for two or three years at this point. Our old Cisco devices were due to be changed, and we moved over to ASA.
The firewall is stable, however, every two, three, or four years, you have to change the hardware and therefore get an updated version of the firewall.
This is something which companies have been doing for the sake of a new product and launching a new device. Yet, the stability needs to be considered where you have to upgrade for every two, three, four years and change the product and go for the new updated version. What I mean is that there is stability, however, obviously, it's not long-term.
The firewall is very scalable. Most contact versions are available depending upon the organization you have. It works for very large organizations. They are scalable for many scenarios. The scalability obviously is there for sure.
Cisco technical support is one of the best around. They have the most advanced and most experienced level of tech support I've been in contact with. Whether it is a hardware or software issue, the tech team can support you and help. They are very helpful and knowledgeable. We are quite satisfied with the level of support on offer.
We also have experience using FortiGate.
The Cisco firewall is straightforward. It isn't a complex implementation. Obviously, you have to bind your IP on the port and then you must go on to configure for security and something like that. It's easy for me to configure a firewall at such a level.
If you pay for the hardware, you get the Firepower and if you don't, then you get the Cisco Firewall.
We are just a customer and an end-user.
I'd rate the solution at an eight out of ten.
Obviously, you need to have one tech person on your online when you are configuring it, or just implementing when you are integrating with your live environment and organization. My advice is that the configuration is easy when a network engineer like myself handles it. A trained person is more than capable of the task. Other than configuring, a less technical person can manage the solution.
I am using the solution as a firewall.
I like the IPS feature, it is the most valuable.
I do not like the assembly of this solution. For example, they should combine FirePOWER into one solution.
I have used Fortinet, Palo Alto, and Check Point previously and I prefer the process of everything working together. We are in the process of moving on to Fortinet from this solution.
I rate Cisco ASA Firewall a six out of ten.
The primary use case is mainly around perimeter security at the HQ and the branch. This will include using the Next-Generation Intrusion Prevention System (NGIPS), using advanced malware protection for networks on the firewall, and remote access VPN as well as site-to-site VPN.
I work for a Cisco partner and managed service provider. We have a number of customers. Typically, the standard setup that we have is a Firepower Management Center Virtual, running in VMware, with physical FTD appliances (as the firewalls) on-premises.
We work with more mid-size organizations who typically have email security, web security, endpoint security, and perimeter security. In terms of products, that would be:
That would be a typical technology mix. Sometimes, some customers will consume something like Duo Security for multi-factor authentication.
We are primarily running ASA Firewalls with the FTD image. We are also running some Firepower 1000 Series.
One of the nice things about Firepower is that you can set it to discover the environment. If that is happening, then Firepower is learning about every device, software operating system, and application running inside or across your environment. Then, you can leverage the discovery intelligence to get Firepower to select the most appropriate intrusion prevention rules to use for your environment rather than picking one of the base policies that might have 50,000 IPS rules in it, which can put a lot of overhead on your firewall. If you choose the recommendations, as long as you update them regularly, you might be able to get your rule set down to only 1,000 or 1,500, which is a significant reduction in a base rule set. This means that the firewall will give you better performance because there are less rules being checked unnecessarily. That is really useful.
Cisco implemented a role-based access control for Firepower, so you can have very granular accounts. For example, a service desk analyst could have read-only access. If we have a security operations team, then they could have access to update IPS vulnerability databases. A network engineer could have access to update ACLs, not rules, which is quite useful. Also, you can selectively push out parts of the policy package based on your role-based access control. So, if you have one job role and work on one part of the configuration, and I work on another job role working on a different part of the configuration, then I could just deploy the changes that I have made without affecting what you are doing (or without pushing out your changes). It is quite nice to be able to do that in that way.
The most valuable feature is the Next-Generation Intrusion Prevention System. For customers who don't have a SIEM platform, Firepower Management Center offers some SIEM-like functionality that clearly categorizes intrusion prevention alerts. So, they are rated with flags, from zero to four. If I see a level 1 flag, then this means that the attempted intrusion, not only relates to a real vulnerability, but we likely have a system in our environment somewhere that could be exploited by that vulnerability. In that sense, it helps us quickly target which intrusions should be investigated versus what is noise. A level 2 flag just identifies where an intrusion relates to a known vulnerability. It doesn't mean that you are vulnerable to it, because you may not have the particular hardware/software combination that the vulnerability relates to. Therefore, being able to quickly determine where to focus your investigation is important.
All Cisco security technologies have API integrations. We have all Cisco security products for all our customers integrated into SecureX for overall visibility of threat detections across all security appliances. Cisco Advanced Malware Protection is a good example. It is not just a product but a capability that has been integrated into multiple products or technologies. We see in Firepower that we can benefit from Advanced Malware Protection at a network level, but that same technology is also available on email security as well as endpoint security. So, if a threat is detected in one place that can be blocked everywhere, almost at the same time, then the integration is very good.
If we look at something like Cisco Umbrella, then we see Umbrella integrated with Cisco Meraki appliances, both on firewalls and access points. So, there does seem to be a good level of integration.
Integrations are primarily API-driven. You just generate an API. You have an identifier and generate an API key. It is normally five minutes or under to integrate something. Cisco has SecureX, which is their security management platform. They also have Cisco SecureX threat response, which is a threat hunting tool. With both of these tools, they can take the API keys from any Cisco products as well as some third-party products, then you can integrate them in just a couple of minutes. It is pretty easy.
FlexConfig is there as a bridge for features that are not yet natively integrated into Firepower. It is a way of allowing you to be able to configure things that wouldn't otherwise be possible until the development team can add them into Firepower's native capability. There is still some work that needs to be done around FlexConfig. There are still quite a few complex things, like policy-based routing, that have to be done in FlexConfig, and it doesn't always work perfectly. Sometimes, there are some glitches. It is recommended that you configure FlexConfig policies with Cisco TAC. It would be good to see Cisco accelerate some of those configurations that you can only do in FlexConfig into the platform, so that they are there natively.
I have been using it for around 18 months.
The product has significantly improved over the last two years. I am aware that the Cisco product team has made significant strides forward in addressing oversights that may have previously existed in the platform. I don't have that much in the way of improvements now. We are running the latest code, the 6.7 code, on all our environments. It addresses so many issues that previously existed in earlier versions of the code. From 6.6, the code has improved significantly and introduced many feature benefits.
The new code, 6.6 and higher, seems to be very stable. Now, you don't need to deploy the entire policy package every time you make a change. You can just deploy the segment of the configuration that has been changed. This has increased how quickly you can deploy the configuration, which is a good improvement. We seem to have less bugs and glitches in the newer code. I can't think of any real bugs or glitches that I have seen since we have been running 6.6. With 6.5 and earlier, there were some problems. Now, it seems to be very stable.
The thing that restricts the scalability would be Firepower Management Center. It is constrained by how many events it can record. It suits customers who have a smaller number of sites, like a dozen or maybe 20 sites. You can still record your connection and intrusion event history for a significant period of time. But, if you are talking about a customer with hundreds of firewalls, then Firepower Management Center probably is not the right proposition.
If I am a customer with a dozen sites, I probably don't have the money to pay for a dedicated SIEM platform. So, Firepower Management Center is great for me because it is like a mini SIEM from a perimeter security perspective. I can store my connection and intrusion event history. I can get an idea of which IPS intrusions are things I should focus my attention on. These are the things that a SIEM could help you with. I can manage my firewalls from a single management location, which is really good. However, if I am a customer who has hundreds of firewalls, then it is not really scalable because I wouldn't be able to store the amount of intrusion and connection events that I would need for those firewalls.
Cisco Defense Orchestrator would probably be the better option if you had an environment that had hundreds of sites with hundreds of firewalls. Even if you acknowledge that Cisco Defense Orchestrator doesn't store events per se, it just allows you to manage and deploy policies to the firewalls, when you have an environment with hundreds of firewalls, then you will definitely have the budget for a SIEM platform. At that point, you would be scaling by having separate platforms for separate functions rather than one platform to do everything.
Firepower Management Center is great for some customers with whom we work because they don't have hundreds of sites with hundreds of firewalls. They just have somewhere between two and 10 sites. So, it is a good fit for that kind of customer.
Cisco Talos is one of the largest private security, threat hunting, research organizations, but non-governmental. It is quite powerful when we explain to customers the threat intelligence injected into Cisco products. I have attended some Cisco Talos workshops, webinars, etc., and they do seem to be amongst the best in their field. So, I have a high degree of confidence in Cisco Talos, and it is one of the most powerful capabilities that Cisco has as a security vendor. You could have the best features for a product, but if the security intelligence is not good nor current, and if it can't accurately predict new threat trends in a timely way, then it still may not help you.
The technical support is absolutely brilliant. When I call Cisco TAC and have a case, every single engineer that I get assigned to any case is an expert in their field. I feel like they understand the product that we are talking about inside out. I have never raised a case for Firepower and not been able to get a resolution. I have a high degree of confidence in them.
The support may not be one of the features documented in the data sheet, but I have worked with other vendors where their quality of support is not comparable. When you are looking at the total cost of a solution, you need to look at more than what the face value of the product is. You need to look at:
From my experience with Cisco TAC, the resolution will always be very quick. More often than not, it is within a couple of days, if it is a P3. If it is a P1, then it is the same day. I couldn't ask for better.
I find the initial setup fairly straightforward. I wouldn't say it is simple, but it is not a simple piece of technology. You have different policies for different areas of the system, e.g., you have a policy for access control, NAT, FlexConfig, remote access, VPN, etc. There are a lot of policies that you either have to create or configure. However, it is fairly intuitive. Once you have done it once, you know where everything is.
If we assume the most basic variables, one FMC and one FTD on the same LAN, then the FMC can be provisioned with the policies in a day. The appliance can be imaged and added to the FMC with the policies pushed out on another day. If you add remote access VPN into the mix, especially if you have an Active Directory integration, I would probably add another day. You could probably have a working setup in three to four days, depending on if you have any issues with the licensing portal.
It is very easy to deploy site-to-site VPN tunnels between Firepowers. I appreciate that Cisco deprecated all legacy cypher standards. This means you need to use the modern, robust cipher standards that cannot be broken right now. This is a good thing. However, if you are using two Firepower devices, then it is easy to set up a site-to-site VPN tunnel and use the strongest cipher standard, which is also good.
We normally always try to pre-stage, spinning up virtual FMC and VMware, then configure as much as possible before adding an appliance in. It can be a bit more challenging if you have a lot of FTDs at different sites because you need to be aware that you may be managing a device on an internal IP address while you are pre-staging, but that address may change when you deploy the solution. You just have to think that through, in terms of how Firepower Management Center will keep its connectivity to the device once you deploy it. So, if Firepower Management Center and appliances are all on the same local area network, then it is straightforward. However, it is when you have multiple appliances at different sites that it can be a bit more tricky to make sure that the connectivity is maintained when you deploy. I think some more guidance around this would be good. We have a process that works for us, but it took a bit of figuring out with Cisco TAC to make sure we were not missing anything. If they could maybe document it a bit better, that would be good.
Normally, someone like myself could set everything up, so you wouldn't need a big team. However, if you are doing integrations with something like Active Directory, then you need the person who administers that system to be involved. Likewise, if you are doing site-to-site VPN tunnels with third-parties, then you probably need someone from that third-party organization involved. Most of the configurations can be done by one person. You do need to let the Firepower discovery run for around two weeks before you then run the recommendations around which IPS rules to apply, but it would be possible to just select one of the base policies and leave it at that.
You could choose to run the network discovery, which you should do anyway because there are added benefits, for two weeks then choose the Firepower recommendations. However, if you didn't have time to do that, or that wasn't an option for some reason, you could just choose one of the base IPS policies, like Security over Connectivity or Balance, and that would work out-of-the-box.
Everyone who uses the platform has felt more confident in their perimeter security. The Firepower platform makes it very easy to keep track of what software revision you are on, what your revision is versus what the latest is. It makes it really easy to schedule tasks to download the latest geolocation and vulnerability updates, automate backups, and copy backups to a remote location. Operationally as well as from a security perspective, everything has been positive in terms of the feedback.
I like the Smart Licensing, because it is more dynamic and easier to keep track of where you are at. If we have a high availability firewall pair and they are deployed in active/standby rather than active/active, I would expect that we would only pay for one set of licenses because you are using only one firewall at any one time. The other is there just for resiliency. The licensing, from a Firepower perspective, still requires you to have two licenses, even if the firewalls are in active/standby, which means that you pay for the two licenses, even though you might only be using one firewall any one time. This is probably not the best way to do it and doesn't represent the best value for money. This could be looked at to see if it could be done in a fairer way. For example, you can only deploy MX firewalls in active/standby. There are no other options. You only need one license for those firewalls because you can only use one at a time. This seems quite fair. They may need to look again at this from a Firepower perspective.
I work for a Cisco partner, so we are very Cisco-focused. Most of our customers consume predominantly all Cisco solutions. We have some customers who may have the odd product that is not Cisco, but a majority of their security suite will be Cisco.
I have some experience with budget firewall platforms, like SonicWall and WatchGuard, but these are not really comparable to Cisco in terms of being direct competitors. It would be like me trying to compare a performance car against a budget economy car. It is not a fair comparison.
I would probably ask, "How long do you want to keep the connection and intrusion events for?" You need to remember that Firepower Management Center can only keep a certain amount of events. I think you need to have that in mind as one criteria to make your decision against.
You need to look at what hardware platform you are going to be deploying. We have a lot of customers who are running ASAs, but they are running the Firepower Threat Defense image on their ASA. For all intents and purposes, those ASAs act as FTDs. Now, try to remember those ASAs were never designed originally to run the FTD code. Now, they can run the FTD code, but some of the dedicated Firepower appliances have a split architecture. So, they have separate physical resources, CPU, and memory for running the traditional firewalling capabilities versus the next-generation firewall capabilities, like IPS, AMP for Networks, and AVC. Maybe, have a think about the hardware platform, because you need to try to assess what throughput you are trying to put through the firewall and how that will impact the performance of the box.
There is definitely some advantage moving to the dedicated Firepower appliances rather than putting the Firepower code on an ASA. Although, it does allow you to leverage an existing investment if you put the FTD code onto the ASA, but you need to be mindful of the limitations that it has. Also, if you are looking to do SSL decryption, then you need a much bigger firewall than you think you need because this puts a lot of overhead on the appliance. However, this would be the same for any vendor's firewall. It is not Cisco specific.
If 10 is the most secure, then our customers are typically in the middle, like a five, in terms of maturity of their organization’s security implementation. This will be because they won't necessarily have things like Network Access Control, such as Cisco ISE. They also won't necessarily have security analytics for anomaly detection, like Stealthwatch or Darktrace. For some of these more sophisticated security technologies, you need to be a large enterprise to be able to afford or invest in them.
While Firepower provides application visibility and control, we don't use it much simply because we use Cisco Umbrella. Firepower gives you application visibility control on a location-by-location basis. So, if we have a firewall at the head office or a firewall at the branch, then we get application visibility control by firewall. However, because we use Cisco Umbrella, that gives us very similar application and visibility control but on a global level. So, we tend to do application visibility and control more within Cisco Umbrella because we can apply it globally rather than on a site-by-site basis. Sometimes, it is useful to have that granular control for an individual site, but it is not something that we use all the time.
I would rate the solution as a nine out of 10.
I am an IT administrator and my job is probably 80% security analyst. We are a HIPAA environment, so we're a regulated industry and my job is to keep us from being breached. It's extremely difficult and an ever-changing, evolving problem. As such, I spend a couple of hours a day just reading everything threat report from every source I can get.
We have a pair of 2110 models, with high availability set up.
There are multiple licenses that you can get with this firewall, and we subscribe to all three. A few months ago, we made the decision to do an enterprise agreement just because of the amount of security software we have. We subscribe to the threat, the URL, and the malware licensing. We use it for IPS, URL blocking, IP blocking, and domain blocking.
We've embraced the Cisco ecosystem primarily because I think they made some very intelligent acquisitions. We talk about security and depth and they've really done a good job of targeting their acquisition of OpenDNS Umbrella. It's all part of our ecosystem.
I take the firewall information and using SecureX, Cisco Threat Response, AMP for Endpoints, and Umbrella, I'm able to aggregate all that data with what I'm getting from the firewalls and from our email security, all into one location. From my perspective, being a medium-sized organization, threat hunting can be extremely difficult.
This product enriches all of the threat data, which I am able to see in one place.
There's nothing I personally have needed to do that I haven't been able to do with the firewall. It integrates so tightly into how I spend the majority of my day, which is threat response.
Much of this depends on any given organization's use case, but because I was an early adapter of Cisco Threat Response and was able to start pulling that data into it, and aggregate that with all of my other data. As I'm doing threat hunting, rather than jump into the firewall and look in the firewall at events, I'm able to pull that directly into Threat Response.
The ability to see the correlation of different event types in one place, these firewalls have definitely enriched that. You have Umbrella, but there are so many different attack types that it's good to have the DNS inspection at the firewall on the edge level too. So, the ability to take all of that firewall data and ingest it directly via SecureX and into our SIEM, where I have other threat feeds, including third-party thread feeds, gives our SIEM the ability to look at the firewall data as well. It lends to the whole concept of layering, where you don't have to have all of your eggs in one basket.
With our Rapid7 solution, I'm able to take the firewall data and dump it into our SIEM. The SIEM is using its threat feeds, as well as the threat feeds that are coming from Cisco Talos. In fact, I have other ones coming into the SIEM as well. So, I'm able to also make sure that something's not missed on the Talos side because it's getting dumped into our SIEM at the same time. All of this is easy to set up and in fact, I can automate it because I can get the threat data from the firewall.
In terms of its ability to future-proof our security strategy, every update they've done makes sense. We've been using one flavor or another of Cisco firewall products for a long time. Although I have friends that live and die by Fortinet or Palo Alto, I've never personally felt that I'm wanting for features.
We get the Security Intelligence Feeds refreshed every hour from Talos, which from my understanding is that they're the largest intelligence Security Intelligence Group outside of the government. My experience with Talos has been, they're pretty on top of things. Another driving factor towards Cisco: We get feeds every hour, automatically refreshed, and updated into the firewall.
If I had to rely on one security intelligence, which I wouldn't, but if I had to, I'm sure it would be Talos. The fact that it gets hourly updates from Talos gives me some peace of mind.
The real strength for the Cisco next-generation firewall is it'll do pretty much anything you want it to do, although it requires expertise and proper implementation. It's not an off-the-shelf product. For instance, there are some firewalls that may be easier to set up because they don't have the complexity, but at the same time, they don't have the feature set that the Cisco firewall has.
The firewall does DNS inspection, and you can create policies there.
The firewall integrates seamlessly and fully with our SIEM. We use a Rapid7 SIEM inside IDR and it now integrates seamlessly with that. Cisco's doing a lot more with APIs and automation, which we've been leveraging.
In terms of application visibility and control, I used the firewall and I also use Umbrella, but it depends on what it is that I'm seeing. One component that I use is network discovery. When you configure the policy properly, it'll go out and do network discovery so you're not loading up a bunch of rules you don't necessarily need. Instead, you're targeting rules that Cisco will say, "Hey, because of network discovery, we found that with this bind to whichever version server, we recommend you apply this ruleset." This is something that's been very helpful. You don't necessarily have to download every rule set, depending on your environment.
I have used it for application control. Right now, we're in the midst of doing tighter integration with ISE and the integration is very good. This is something that we would expect, given that it's a Cisco product.
I use the automated policy application and enforcement every chance I get. Using an automation approach, I would rather have a machine isolated even if it's a false positive because that can happen much faster than I can get an alert and react to it. On my end, I'm trying to automate everything that I can, and I haven't experienced a false positive yet.
Anything that's machine learning-based with automation, that's where I'm focusing a fair amount of attention. Another advantage to having Cisco is that their installed base is so huge. With machine learning, you're benefiting from that large base because the bigger their reach is, the bigger and better the dataset is for machine learning.
At some point, you have to trust that the data set is good. What's impressed me about Cisco is with all of our Cisco products, whether it's AMP or whatever, they're really putting an emphasis on automation, including workflows. For someone like me, if I get an alert in the middle of the night and I see it at 6:00 AM, it is going to be a case of valuable time lost, so anything that I can do to make my life easier, I'll definitely do it.
It would be great if some of the load times were faster. My general sense is that it's probably related to them taking a couple of different technologies and marrying them together. We are using virtual, so the way that I handled that was to throw more RAM in it, which these days, is pretty cheap. I could see some improvement with the speed of deploying policies out, although it's not terrible by any means. One thing about Cisco is whatever they're doing, it keeps getting better.
The speed of deploying policies could be improved, although it is not terrible by any means.
Another legitimate criticism of Cisco that comes to mind is that you need to make sure you've got your licensing straightened out. I haven't had any problems in a long time, but I know people that haven't used Cisco products sometimes can run into issues because they haven't figured out so-called smart licensing. Depending on the Cisco person you're working with, make sure you have all that stuff all set to go before you start the implementation.
That's an area that Cisco has been working on, I know. But licensing is a common complaint about Cisco. I suggest making sure that you have that stuff in place and you've got all your licenses all ready to go. It seems like a dumb thing, but my most common complaint about Cisco before we entered into our enterprise agreement was licensing. When it's working, it's great, but God help you if you've got a licensing problem.
They've been very reliable for us and we haven't had one fail, so we've never had to failover. That has been generally my experience with Cisco products, which is one reason that we tend to lean on Cisco hardware for switching, too. The reliability of the hardware over the years has been very good.
We have integrated these firewalls with other products, such as Cisco ISE, and it hasn't been a problem. ISE is a Cisco product so it would make sense that it integrates well, but ISE integrates with other firewalls as well.
Everything that I've done with these firewalls has been pretty seamless. We've had no downtime with them at all. They've been very rugged as we expanded usage through integration.
People knock Cisco TAC but in my experience, they have been very good. I've always found them to be extremely helpful. Friends that I have made from inside Cisco say, "Hey, you want me to look at this or that?", which is very helpful.
The big three solutions, Cisco, Fortinet, and Palo Alto, are all really good but I tend to lean on Cisco versus the others because one of their strengths, in general, is threat intelligence. When you put a bunch of security people in a room then you have a lot of consensuses, but like anything, you'll have a lot of disagreements, too.
Each of these products has its strengths and weaknesses. However, when you factor in AnyConnect, which most people will agree is state-of-the-art from a security standpoint in terms of VPN technology, especially when it's integrated with Umbrella, it plays into the firewall. But, it always comes back to configuration. Often, when you read about somebody having an attack, it's probably because they didn't set things up properly.
If you're a mom-and-pop shop, maybe you can get by with a pfSense or something like that, which I have in my house. But again, if you're in a regulated environment, you're looking at not just a firewall, you're looking at all sorts of things. The reality is, security is complicated.
Cisco gives you lots of options, which means that it can be complicated to set up. You have to know what you're doing and it's good to have somebody double-check your work. But, on the other hand, it does everything from deep packet inspection and URL filtering to whatever you want it to do, with world-class integration. It integrates with Umbrella, AnyConnect, ISE, StealthWatch, and other products.
It is important to remember that a firewall is only as good as it's configured. Sometimes, people will forget to configure a policy, or they will create the rules but forget to apply them. It comes back to the fact that it's a professional product and it's only as good as the person who's using it.
I do some security consulting and I've seen many misconfigurations. People will write a Rule Set but forget to apply it to a policy, for example. There is no foolproof product and I think it is a challenge to say, "Wow, this firewall is better than that firewall." These things are complex, but Cisco has always, in my mind, set many kinds of standards. I don't know any serious security person that would argue that.
Especially AnyConnect with an Umbrella module attached, I think most people would argue it's state-of-the-art. I know that I would because it allows me to do a couple of things at once. It's not just the firewall; it's AnyConnect, and it's what you can do with AnyConnect given its functionality with Umbrella. It gets kind of complicated and it depends on the use case, and some people don't need that.
Again, what makes it difficult to say something about a firewall is, the configuration possibilities are so varied and endless. How people license them is different. Some people think, "I prefer the IPS License," or whatever. But again, I think to get the strength of a Cisco firewall is just that.
I found our setup straightforward, but you don't go into it blind. You have to be clear on your requirements and you need to take the setup step-by-step. Whenever I deploy a firewall, I have a couple of people to double-check my work. These are people who only work on Cisco firewalls and they act as my proofreaders whenever I am doing a new deployment.
Cisco's documentation is very good and it's always very thorough. However, it's not for a novice, so you wouldn't want a novice setting up the firewall for an enterprise. Personally, I've never had any issues with policies not deploying properly or any other such problems.
Talking about how long it takes to deploy, it's a good weekend if it's a new deployment. It's not just clicking and you're done. I haven't installed a Fortinet product, but I can't imagine any of them are easy to install. Essentially, I found it straightforward, but it is involved. You've got to take your time with it.
You need to make sure anything you do with your networking, that you have it planned out well in advance. But once you do that, you go through the steps, which are well-documented by Cisco.
Cisco is not for a small mom-and-pop shop because of the cost, but if you're in a regulated industry where a breach could cost you a million dollars, it's a bargain. That's the way I look at it.
We also use Cisco Umbrella, and I may use features from that product, depending on where I am.
Every firewall has its pluses and minuses, but because we've taken such a layered approach and we're not relying on one thing to keep us safe, I've never really gone, "Oh, I've had it." I've heard some complaints about Cisco TAC, but generally speaking, I've been able to configure them and do whatever I need to with the Cisco firewall. There's nothing in my experience with Cisco that leads me to believe that that's going to stop.
I've always felt comfortable with every Cisco purchase we've made and every improvement they've made to it. I think they keep moving in a positive direction and they're pretty good with updates and fixes. You can have 10 people, networking people or security people, and they'll all have different takes on it. That said, I've always been very comfortable. I don't stay up at night and worry about our firewalls.
One thing to remember about Cisco is that whatever they're doing, it just keeps getting better. In my experience with Cisco, I have yet to have a product of theirs that they haven't improved over time. For example, we bought into OpenDNS Umbrella before Cisco acquired them. At the time, I was wondering whether they were going to improve it or what was going to happen with it, because you can never be sure. Again, Cisco has done nothing but improve it. It's a far more mature product than when we picked it up five or six years ago.
While not directly related to the NGFW, it speaks to Cisco's overarching vision for security, which again, I'm always looking at layers. If you're thinking that you're going to secure an environment by buying a firewall, yes, that's a really important piece of it, but it's only one piece of it.
Cisco is a company that is really open about vulnerabilities, which some people could see that as a negative but I see as a positive. I do security all the time, so I'm always going to be paranoid. That said, I've spent so much time doing this stuff that I've developed a lot of trust in Cisco. Again, I think there are other great products out there, but Cisco has made it really easy to integrate stuff into this ecosystem where you have multiple layers of not perfect, but state-of-the-art enterprise security.
My advice for anybody who is implementing this solution is, first of all, to know what you're doing. If you're not sure then get somebody that does. However, I would say that's probably true of any firewall. If your business relies on it, have all of your information ready beforehand, it's just all the straightforward stuff that any security person needs.
In summary, I think what I can say about them is there's nothing I needed to do that I haven't been able to do. I have incredible visibility into everything that's happening. We continue to leverage more features, to use it in different ways, and we haven't run into any limitations. I cannot say that the product is perfect, however, and I would deduct a mark for the interface loading. It's not terrible but sometimes, especially when you're doing the setup, it can chug away for a while. Considering what the device does, I think that it's a small complaint.
I would rate this solution a nine out of ten.
We are using it to manage our environment.
The whole firewall functionality, including firewall policies and IPS policies, is valuable. It has all kinds of functionalities. It has IPS, VPN, and other features. They are doing quite a lot of stuff with their devices.
It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.
I have been using this solution for five to ten years.
It is rather stable. It can have some peculiarities, but most of the time, it is quite stable.
These are big devices. They have multiple models, but most of the models can be virtualized. You can create many virtual firewalls and add whatever you want.
We faced some issues, but I don't deal with these issues. My colleague interacts with them, and it seems it is not that easy. Cisco is a large company, and sometimes, it is not easy to get quick and very efficient support.
We have a firewall specialist who handles the installation.
It is affordable. The hardware is not that expensive anymore. It is a matter of licensing these days.
It is a good solution for a big traffic load, but its management is not very easy. FortiGate is better in terms of management and user-friendliness.
I would rate Cisco ASA Firewall an eight out of ten.
It is for defense, protecting workloads from a distributed type of an environment. On-premises, we are hosting several different distributed user session type environments. In our case, it is remote desktop services, which enable users to go out and browse the Internet, in some cases to do legitimate services, and in other cases, it is more of a personal browsing session. In this case, the primary purpose is to protect those user sessions when they are accessing the Internet. The secondary use case is to protect these services and applications from inbound threats, e.g., Internet scanning, Internet exploit attempts, any sort of attack, reconnaissance, or anything of that nature coming from the public Internet.
Firepower is an add-on to Cisco ASAs that enables intrusion prevention detection and some additional advanced functionalities. We have both.
We have two on-premise data centers where Firepower is deployed.
In terms of logging, that has been a big benefit because it is a fairly straightforward and easy process to log results. We stream through a folder and that information goes out to Splunk. It delivers immediate value. While Firepower reporting is generally pretty good, there is some delay, as far as when information shows up and updates the internal Firepower reporting mechanism. What we found is if this information is streamed into a SIEM, then it can immediately apply additional enrichment on top of it and build slightly more relevant, near real-time reporting, in comparison to doing it directly from Firepower. In terms of value for Firepower data, the ability to stream that out as a log, then characterize and enrich it within the SIEM that is where we gain the most value from a security perspective.
The solution’s ability to provide visibility into threats is good. Combined with Cisco's own trend intelligence characterization as well as the creation and application of that sort of tag into the stream of data that Firepower detects, that immediately tells us which threat type it is:
All this additional information is definitely useful. We treat it personally as set and forget because we are in the block mode - intrusion prevention mode. We don't let threats in. We err on the side of being overly protective. This is opposed to letting in threats, then detecting, identifying, and taking action on stuff that got through. Instead, we just block it. In our day-to-day operations, normally what was blocked is generally useful, but it's not operationally important.
It is set up to automatically apply the blocks and use the threat intelligence delivered by Talos as well as the intrusion prevention rules. All of that is entirely automated.
It has improved our organization's security posture dramatically. It has definitely given us modern protection and peace of mind in terms of attacks against our infrastructure from known or emerging threats, so we can be protected against them.
Intrusion prevention is its most valuable feature because of its effectiveness. Cisco is the largest security company and one of the largest threat intelligence services with Talos. Cisco can identify and immediately apply any new threat information into signature sets for their Intrusion Prevention tools, including endpoint. In our case, we are talking about Firepower. That scope is what results in is an almost immediate application of application prevention signatures against any upcoming network attacks. So, if there is a new vulnerability, some sort of high critical value globally, the Cisco team is typically able to identify and write corresponding detection or prevention signatures, then apply them across their toolset.
It is one of the fastest solutions, if not the fastest, in the security technology space. This gives us peace of mind knowing that as soon as a new attack comes online that we will be protected in short order. From that perspective, no one really comes close now to Firepower, which is hugely valuable to us from an upcoming new attack prevention perspective.
We are using Cisco Cloud Email Security and DNS security from Cisco as well as endpoint protection. The integration between these products is pretty good. The benefit is the ability of all these disparate tools to talk to each other and be able to take action, sort of feeding each other with newly intelligent detection mechanisms and passing that information on to the next tool, then taking action on that next tool based on information identified on the first tool. That is really the biggest benefit of using the ecosystem. So, we've optimized it. We leveraged Cisco's tech response, which connects with each of these tools. We definitely find value every day.
It was very easy to integrate with the SIEM, which is really our primary use case. Besides the Cisco ecosystem, it is integrating with a standalone separate SIEM solution, which is Splunk in our case. This was an easy, simple approach to accomplish. We had no issues or problems with that.
Try to understand if there is a need, e.g., if there is a need to log this information, get these logs out, and forward to some sort of a SIEM technology or perhaps a data store that you could keep it for later. There is limited data storage on the appliance itself. So, you need to ship it out elsewhere in order for you to store it. The only point of consideration is around that area, basically limited storage on the machine and appliance. Consider logging it elsewhere or pushing it out to a SIEM to get better controls and manipulation over the data to generate additional metrics and visibility.
In some cases, I could see how SIEM is not an option for certain companies, perhaps they either cannot afford it, or they do not have the resources to dedicate a security analyst/engineer who could deploy, then manage the SIEM. In most cases, Firepower is a useful tool that a network engineer can help set up and manage, as opposed to a security engineer. To make the solution more effective and appealing, Cisco could continue to improve some of the reporting that is generated within the Firepower Management Console. Overall, that would give a suitable alternative to a full-fledged SIEM, at least on a network detection side, application identification side, and endpoint identification and attribution side. Potentially, a security analyst or network engineer could then simply access the Firepower Management Console, giving them the visibility and data needed to understand what is going on in their environment. If Cisco continues to improve anything, then I would suggest continuing to improve the dashboarding and relevant operational metrics present within the platform, as opposed to taking those logs and shipping them elsewhere.
About four years.
Once it is deployed, not much staff is required as long as the intrusion rules are specifically configured to automatically update. That is the primary thing. Then, the continuous periodic updates from Cisco apply operating system patches just to make sure that critical vulnerabilities are patched and operating system optimization is applied routinely. Strategy-wise, I would patch quarterly unless there was a critical vulnerability that Cisco would discover, then apply a patch against it. At which point, we would then patch our appliance.
The stability is very good. As far as I can tell, we don't have any issues with availability or stability.
Cisco accounts for scalability by having different hardware recommendations, depending on what the throughput is, the required coverage is in terms of number of devices, the amount of traffic, etc. In our case, I don't see any issues. We are appropriately sized, but I could see how if someone's environment doubles, then someone should account for that by either procuring another appliance and separating some of the traffic flows or getting a bigger, more powerful system that can handle increase in throughput.
We try fitting to an ecosystem mentality. For example, we have four different Cisco products, which is technically a single ecosystem. If you were to think of it that way, then it is four different tools from Cisco. Then, there are two additional ones on the network, which makes six. There are additional two or three for an endpoint, plus another two or three for email, and another two or three for identities. So, I would say there are probably around 20 security solutions total.
The network team as well as the security team use it. Combined, that is approximately six people.
We are perfectly sized. I don't think there will be a need to increase the footprint or anything like that, at least for a while.
I know that people typically say TAC is hit or miss. In my case, it was always a good experience. Whether it was Firepower related for licensing questions or email, I have never had any issues with Cisco TAC.
Cisco Talos is very good. They are very well-regarded and well-known. I respect the team. They know what they are doing. They are one of the best overall. They are probably the best threat intelligence organization out there. Their visibility is unparalleled, because the data that Cisco has access to and the telemetry that it's able to gather are quite amazing.
Almost all networks globally in the world are built with the Cisco products. The telemetry that it generates gives Cisco unparalleled visibility, and Talos steps into that. They are able to apply their analytics over that data and identify emerging threats before practically anyone else, but Microsoft. From that perspective, my organization appreciates what Talos is able to do. Cisco's intelligence is delivered through Talos, applying it to other products that are not Cisco, but we haven't gone down that path yet.
We started with Firepower. It was one of the first products that helped secure our organization. We are close to sort of an advanced maturity, primarily compliance-driven. We are not there yet, but we are close to it. We are somewhere sort of in the high to middle area. We have sort of a high compliance-driven security and close to the compliance-driven area, but still slightly below it. We are still fine-tuning and implementing some security technologies. Then, within a year's time, these will be simply managed and audited.
In my current place, I did not help set it up, but I did set it up previously as a dedicated intrusion detection and prevention tool with another security engineer. Honestly, the setup was pretty straightforward. This was a couple of versions behind. It definitely has well-understood requirements from a virtual machine and resources required perspective. No questions that came up.
For the dedicated intrusion appliance, we needed to identify where the most benefit would come from, so we identified the network space. The sort of choke point where we could apply the Firepower appliance in order to inspect the most traffic. In terms of efficiencies, the primary goal was to identify how to maximize the visibility using Firepower. We deployed it in a choke point and ensured that most of the traffic for the company goes through this intrusion appliance and the initial deployment occurred in a visibility mode only - No blocking, intrusion detection only. Then, with time, as we got comfortable with all the traffic that was being seen with a signature application across the traffic and understood the chances for false positives were low to none. At that point, we put it into prevention.
If we needed to address something with Cisco directly regarding Firepower support, that was also addressed fairly quickly with no issues.
The automated policy application and enforcement saves us at least a third of an FTE per day. In terms of time, that is about 30 percent per day. By deploying the solution, we are saving $600 a week, which is significant.
In some cases, resources, like a security engineer, are actually hard to come by because they are expensive. Substituting some of that engineering time with an effective technology, like Firepower, is probably a good strategy.
I know that licensing for some of the advanced solutions, like Intrusion Prevention and Secure Malware Analytics, are nominal costs.
I have used one of Cisco's competitors and am fairly familiar with it: Palo Alto. I am also familiar with the Barracuda solution. I would say Palo is comparable with Firepower to some degree. The Barracuda solutions that I've used are nowhere near as close in terms of capability, metrics, user interface, or anything like that to Cisco.
Palo Alto and Cisco are about the same in terms of application visibility, user assignments, and attributions. They are comparable. On the threat side is where I think Firepower is better. It's able to identify and characterize better. It's also able to deliver metrics around that information in a clearer fashion. As an example, it is easier to extract fields and values in the log. It seems that the design of the appliance was focused around security, which is evident in how that information is being presented, both in the Firepower Management Console as well as in the log.
On the IT infrastructure side, we are using Cisco hardware for the network. Then, as a security team, we are looking at adding Cisco's incident response solution, but we have not done it yet.
Firepower provides us with application visibility and control. We don't utilize it to the fullest extent. We rely on some additional tools like DNS, to identify applications being used across our endpoints. However, the Firepower deployment primarily protects the servers. So, on the servers, it is a controlled environment. Therefore, we do know the applications and services being used and deployed out of the servers.
Applying something like this to protect yourself from the Internet, which is where most of the threats come from, besides email. It guarantees that you are able to refocus your energy on internal processes: endpoints, people, etc. Intrusion Prevention is effective because it helps security teams refocus their efforts to build out other components, such as security pillars of the organization.
The solution is effective. My initial exposure to Cisco started through Firepower, since then I have understood that Cisco is moving towards an ecosystem approach. Basically, Firepower represents what I think Cisco stands for.
I would rate the solution as a nine (out of 10).
It does what it needs to do and does it great with a good sense of confidence, allowing the team and me to focus on other things. If needed, we can always leverage that data to derive different values from it.
We use it to configure the perimeter firewalls. In FireSIGHT, we have two firewalls in a cluster with high ability, then we have five firewalls in Offices. We use those firewalls as a perimeter for Offices.
We have all the devices in the Firepower Management Center system. We always work with Firepower devices in Firepower Management Center.
We have offices around the world. We are in Europe, the USA, and South America.
We have border security with Firepower. We try to curb security issues by using this Firepower firewall.
The solution provides us with good working application visibility and control.
I have access to the web version of Cisco Talos to see the reputation of IP addresses. I find this very helpful. It provides important information for my company to obtain the reputation of IP addresses. The information in Talos is quite complete.
The configuration in Firepower Management Center is very slow. Deployment takes two to three minutes. You spend a lot of time on modifications. Whereas, in FortiGate, you press a button, and it takes one second.
Three years ago, the Firepower Management Center was very slow. The solution has improved a lot in the last couple of years. It is now faster. I hope that continues to improve.
I have been using it for three years.
We have five devices. In Rome, we don't have a technician and didn't work when we started using it. We had to send a technician to Rome to reboot the system. Now, it is stable with no problems. Also, we lost the link to the high availability firewall in our data center. We only had one device there, and Solutel had to solve this issue.
The scalability is great.
We have five devices in four locations.
Three network administrators who work with Firepower, including myself.
I usually create an issue with Solutel, then they create a case with Cisco Talos or the Cisco technicians. I am happy with Solutel's support.
We deployed in several cities, but not the same day.
The initial deployment was done by a Cisco partner, Solutel. Our experience with Solutel was fantastic. They are local partners for us and provided us with great service.
We realized that clearly we have issues of security with a lot of attacks. I don't know if it is because with the COVID-19 virus a lot of hackers are at home or working more hours. In the last year, we have seen attacks that are very big, and we need a barrier. So, we use a firewall to block these attacks.
The price for Firepower is more expensive than FortiGate. The licensing is very complex. We usually ask for help from Solutel because of its complexity. I have a Cisco account where I can download the VPN client, then connect. Instead, I create an issue with Solutel, then Solutel solves the case.
Our license for Firepower is their best license.
We have FortiGate firewalls, the security of Office 365 from Microsoft, Cisco Umbrella, and Kaspersky Anti-virus. We are also using Cisco ASA, Meraki switches, and a router from Cisco.
The Firepower Management Center tool is very slow. We also have the FortiGate firewalls and these tools for configuring the firewall are faster.
We have to make a change to our devices in South America. We are currently evaluating Cisco Firepower Series 1000 versus FortiGate. Firepower is more powerful than FortiGate, but FortiGate is more flexible and easier to configure. Because of our last issues with Firepower, it is possible that FortiGate is more stable.
It is a very powerful device. Firepower Management Center is a great tool, but it is a bit slow.
We don't have Cisco Umbrella integrated with Firepower. We tested Firepower's integration with Meraki Umbrella, but we don't use it because you need better firmware.
I would rate this solution as an eight (out of 10).
I use it for VPNs, remote-access VPNs, environment issues, and failover issues. I also use the
content mode, NAT, and PAT in this firewall. We always use ASA for VPN sites and firewall sites. We use the edge for internet access for data center servers or company customers' internet access.
We always use ASA for integration another companies and branches easily.
The Inline Mode configuration works really well, and ASA works very impressively.
I think the ASA layer is thin. It's always Layer 3 or Layer 4 source controller and doesn't control the Layer 7 traffic at all. It's important, and you'll need an additional firewall.
All next-generation firewalls don't have much control over Layer 7, but there's a little bit of control for inspection. ASA never controlled Layer 7, and it's a bad point.
I don't like to use ASDM, a graphical interface, and other solutions for ASA. I wouldn't say I like this, and it's not good(ASDM).
I have over seven years of experience with Cisco ASA Firewall.
It's stable. ASA works very well, and it's impressive. I use only ASA and only the Inline Mode.
It's a scalable, high availability solution. It's an active/standby model for VPN. But if you don't use VPN in these devices, it works as an active/active high availability model.
If you're a Cisco Administrator or Cisco certified, the initial setup isn't a problem. But if you don't know Cisco devices and how they work, it can get a little complicated.
I would advise new users to look at next-generation firewalls like FTD or other models from Cisco. It's better than Cisco ASA. Cisco ASA Firewall isn't a next-generation firewall.
On a scale from one to ten, I would give Cisco ASA Firewall an eight.
We are using the solution for airports.
The Cisco NGFW is an excellent fit for purpose for our network security.
I have been using the solution for five years.
We have not had to deal with stability issues.
The support of the solution is great, their staff is perfect.
My team tells me that other solutions such as Fortinet and Palo Alto are easier to implement.
People have said that Palo Alto is a less expensive solution than Cisco, but in my experience, at least from today, Cisco is cheaper than Palo Alto.
I do not hear anything bad about the competition. I am difficult to change my ways and learn a new product. Unless somebody comes and makes a SWOT analysis and shows me the evidence of how the alternative is better, I am fine with Cisco.
I would recommend this solution to others.
I rate Cisco Firepower NGFW Firewall an eight out of ten.
We use it for the actual firewall and also site-to-site VPN.
Our company is always growing. Every day's a new day and there is always something new to learn. We are a mature organization, but we can never sit still. We have two company locations and we use Cisco Firepower as our main firewall at both locations.
Overall, for security, we use about seven tools.
Within our company, there are just two people that maintain this solution. Myself and the IT manager. I'm the network administrator.
We were the subject of a ransomware attack a little over a year ago. Due to our console, we're able to easily see where the threat came from, all the while being able to shut down the network but maintain our network on the other side — or the other side of the site-to-site VPN. Then we could fix what we needed to be fixed here, and then subsequently correct the issues on the other side.
The manageability through the FMC is superb. I have a single dashboard that I can manage my firewalls from. I can see and manage all of my objects and control all my policies. I can look at all my logs and control my whole network from one dashboard.
FirePOWER does a good job when it comes to providing us with visibility into threats, but I would like to see a more proactive stance to it. Maybe more of an IDS approach. I don't know a better way to say it, but more of a heavier proactive approach rather than a reactive one.
I have been using Cisco Firepower NGFW Firewall for two years.
I have had little to no issues except with the first version that we had. There was a known issue with Cisco in the first version. When I went to do a restore, there was a known issue with something with the Linux kernel. It took us about two weeks to get the restore working. It was a scary moment for us, but we worked through it, and ever since we've had no issues, stability-wise.
I have contacted support multiple times and I have no problems with them. I think they do the best with what they have — especially with the pandemic this year. I think they've done everything they can do with what they have. They don't stop. They don't give up until the issue is resolved. They're really good with following-up too, making sure that the issue hasn't come back.
We have another product that monitors all traffic. It just sits back and idols in the background — It integrates, but it doesn't if you know what I mean. It's a separate dashboard, but it alerts us. We can control the security — level zero through one hundred. If a threat registers above 54% (we have the limit set at 51) it alerts us. If it's a specific threat, it can shut down services, ports, machines, authentication, and so on and so forth.
We also use AMP, Umbrella, SecureX, and Duo. They're pretty easy to integrate. I wouldn't say beginner level, but if you have a working knowledge of networks and security, you can easily get them integrated. Also, if you need help, Cisco's always there to assist.
We use Firepower Management Center — it's a wonderful tool. It has an awesome all-in-one pane of glass dashboard so you can manage multiple devices from one dashboard. It's also very easy to set up.
We used to use SonicWall. Cisco was purchased right before I came on board, but from my knowledge, we had issues with the licensing of SonicWall. We are a Cisco shop. Both my manager and I prefer Cisco over other vendors. We have more experience with Cisco and their customer support and the products themselves are just better in our experience.
The deployment was with all new networks, so the architecture was with a peer. We first sat down and discussed or laid out our network and what it would look like through IP schemes and everything else in that sense. We then figured out how many users we would have and decide what size of hardware we would need. We decided on what type of VPN connection and what certificates we would need. After that, once we were able to secure those tunnels and get communication going between our two locations, we then started tightening down our two networks as we have multiple networks within each location.
We had to decide what all needed to communicate with one another. Not every network needed to touch the outside world.
From start to finish, including production rollout for other areas, deployment took roughly one month. We did it all in-house.
Some maintenance is required involving security patches. Cisco is really good at deploying those or not deploying those, but putting those out and having release notes and upgrade paths and just the information behind all of their patches. Cisco does a really good job with that.
With any solution from anybody, I always think that licensing is a little high — but it's comparable to other companies. It definitely competes with the other vendors in the market.
If configured, Firepower provides us with application visibility and control.
The ability to futureproof our security strategy is definitely there. There are a lot of functions that we don't yet use. When I say we don't use a function, I mean that the functionality or the ability is not turned on yet simply because we have not gotten around to it. The ability is there, the capability is there. That also goes into the reasoning behind why we chose it.
Do your research, know your skillset, be comfortable with your skillset, and don't be afraid to challenge yourself.
Overall, on a scale from one to ten, I would give this solution a rating of eight.
Most of our use cases revolve around the basic firewall features. Our client is also leveraging on Anyconnect, which is serving the client-based VPN. Sometimes they will establish a VPN connection from one firewall with another. It's the type-for-type VPN. In terms of Cisco, typically, these are just some of the legacy features, that's what we use. In terms of a next-gen firewall, I feel that our customers would prefer to use other brands like Palo Alto, Check Point, and FortiGate.
Our clients who use this solution are typically small businesses. I think there's a Gartner chart that says that Palo Alto is actually the foreleader, followed by Check Point, then FortiGate. Cisco is not anywhere near. From a cybersecurity standpoint, they are quite weak.
They need to do an overhaul of the management console because they are still using the client-based management tool, which is quite outdated in terms of functionality and usability. The interface hasn't changed since the last generation many years back.
I have been using Cisco ASA Firewall for roughly four years.
It is extremely stable I would say — at least after you deploy it. Typically, there won't be any instability in terms of the hardware as well as the software. It can be running for many years without any issues. It's a totally different story when compared to other brands because, out-of-the-box, they offer far more features and are actually leveraged on more resources which leads to more instability.
I would say in terms of scalability, they are still the greatest family of products. Scalability means you can actually add on some processing parts to actually increase the throughput when the requirement comes up. They have a range of products for that, but this solution, it's already going out of phase, because at JSC, you can only allow up to a certain amount of upgrades that can be added on.
Support is not a requirement. In the whole industry, there are a lot of Cisco-trained personnel that we can actually seek advice from. There's not much leveraging on the Cisco support so far.
If our clients need support, we provide it. Support is not cheap. Sometimes a device will go out of warranty, but the customers are not willing to renew the support contract. Of course, there are a lot of cheaper alternatives. In Singapore, a lot of companies outsource support. Most of the time we go through third-party companies instead of Cisco directly.
For a non-Cisco guy like me, there is quite a substantial amount of learning that needs to be done to actually understand how the products are. Some brands like FortiGate, require only an hour and 15 minutes to enable the product, to facilitate the basic requirements of connecting up the traffic and adding on the firewall router. For Cisco, there are levels of challenges because it's a hardened solution that sees a lot of restrictions right out of the box.
Without really understanding how it works, then there'll be a lot of confusion regarding the traffic, etc. You'll find yourself wondering if there are any security concerns if you alter it out-of-the-box. The management console is quite outdated; usually, a lot of configuration is through Commander. We really need to understand how to articulate the Cisco Commander to perform even the most basic feature.
We handle the implementation for our customers.
I am a sales engineer, we are mainly in charge of selling the product. In terms of support, we have a department that covers that aspect. Sometimes after implementation, we also provide maintenance support services towards the whole project and sell it as a whole bundle. As a distributor, we also sell our products, our equipment, and devices. So the support team covers that aspect.
We sell Cisco ASA Firewall as a bundle — the price is very cheap. If a customer were to go for renewal direct from Cisco, then the price would be quite high.
My main concern is the full revamp of the management console. We'd like to see a more user-friendly total revamp of how to manage the firewall rules. Also, there are a lot of additional features that need to be granular because with Cisco, at this point in time, all these features are still working in silos. A lot of integration needs to be done in general.
Personally, I would discourage people from using Cisco. Overall, on a scale from one to ten, I would give this solution a rating of six.
We use the platform to provide secure perimeter internet access for customers and also to provide secure networks or secure SANs for customers. We have a global partnership with Cisco and I'm a re-sales and security manager of IT services.
The top features for me are the filtering, the intrusion prevention system, and the AMP on small operations.
To configure the FirePower it is required an external console. It would be nice to have the console embedded in the Firewall so you don't require an extra device. I'd like to see some kind of SD-WAN included as a feature.
I've been using this solution for six years.
The solution is very stable and we feel very secure with it.
The scalability is no problem.
The technical support is excellent.
The initial setup is quite straightforward. I think someone who knows the iOS platform and knows about firewalls can setup the device. If you don't have experience, it will be somewhat complicated. If you know the platform, implementation is very quick. We've installed over 1,000 firewalls for different customers.
This is a very stable platform, and you can adjust the engine for malware protection. It is one of the best and a very reliable solution.
I would rate this solution a 10 out of 10.
I often work with financial sector companies such as banks as well as retail organizations.
The solution offers very easy configurations.
The administration of the solution is very good.
The product integrates well with other products.
The initial setup can be a bit complex for those unfamiliar with the solution.
There are better solutions in terms of border security. Palo Alto, for example, seems to be a bit more advanced.
The cost of the solution is very high. Fortinet, as an example, has good pricing, whereas Cisco has very high costs in comparison.
We've used the solution recently. We've used it at least over the last 12 months or so.
The stability of the solution is pretty good. I don't recall having issues with this aspect of the solution.
This particular product does not have high availability and therefore scalability is limited.
You need a pretty sizable solution for a center.
We have about 300 clients using this solution, and therefore the amount of people on the solution is very high, however, I don't have the exact number of users across all clients. For solutions providers, we have IT solutions for maybe around 5,000 users.
I have experience working with technical support from Cisco. It's very easy to contact them and talk with them. There were times we worked using email, for example, for communication. We also worked with Cisco engineers in Mexico directly. We're very satisfied with the level of service so far.
We also work with Fortinet and Palo Alto, for example. As a reseller, we work with many solutions.
I did not directly implement the solution. I don't have the right type of expertise. You need to know a bit about what you are doing, otherwise, the initial setup is a bit complex.
You may need, for example, a separate management device for this kind of solution. It's quite difficult to handle if you don't have in-depth knowledge.
The cost of the solution is quite high. It's very expensive compared to other options. For example, Fortinet is much more reasonably priced.
I am working for a Cisco seller in Mexico, and we have a relationship with Cisco. We are a gold partner. We ensure that the development is of the proper sizing for our clients.
I would rate the solution at a nine out of ten. We've had a very good experience so far. The only downside is that it's not as advanced as, for example, Palo Alto. That said, if you have the right skills to manipulate the configuration capabilities, Cisco is quite good.
We use this solution for our firewall and intrusion prevention system.
The most valuable feature is that I have 16 public IP addresses that tunnel through into servers inside.
There are no issues that we are aware of. It does its job silently in the background.
The initial setup could be simplified, as it can be complex for new users.
We have been working with this solution for a couple of years.
It's stable. If there is ever a problem, it never seems to be the firewall.
This particular model can't quite handle the bandwidth we need. We're actually replacing it shortly with the new higher capacity model.
Technical support is good. They are responsive.
The initial setup was somewhat complex at first.
We had help from an integrator, which was Dell. They were helpful.
The price is comparable.
We are just at the beginning of the deployment of Arctic Wolf for managed detection and response. We don't have a lot of information yet, as we are onboarding it now.
We wanted to have someone watching and we couldn't set up the SOC by ourselves because we need six security dedicated people to man it at all times. With a staff of 80, it was too much. We engaged Arctic Wolf to be our 24/7 eyes on the potential risks that are happening. They can alert us and we can deal with it.
We like to use the integrator just to make sure that the firewall is set up correctly. If you don't have people dedicated to the firewall, then you can't do it in-house.
I would rate the Cisco firepower NGFW Firewall a nine out of ten.
The feature set is fine and is rarely a problem.
Cisco makes horrible UIs, so the interface is something that should be improved. Usability is poor and it doesn't matter how good the feature set is. If the UI, whether the command-line interface or GUI, isn't good or isn't usable, then you're going to miss things. You may configure it wrong and you're going to have security issues.
Security vendors have this weird approach where they like to make their UIs a test of manhood, and frankly, that's a waste of my time.
The SNMP implementation is incredibly painful to use.
I have been using Cisco Firepower NGFW Firewall within the past year.
I work with a lot of different IT products including three different firewall solutions in the past 12 months.
Everything has room for improvement.
I would rate this solution a five out of ten.
We tend to use the solution as it's forced on us by corporate. Our company wants us to use it.
The solution is stable. We haven't had any issues in that sense.
The security of the hardware is excellent. Cisco is very serious in its approach to security.
We have a high level of trust in Cisco and its products.
The solution is excellent for enterprise-level networks.
The solution is difficult to use. There's more required than a typical firewall. It's different than, for example, Palo Alto and Fortinet, which we find are easier to set up.
If the implementation was easier, it would be a lot better for us.
It would be such a great product for us if it was easier to manage.
I've been working with the solution for more than ten years. It's been a long time. It's been over a decade at this point.
The solution is quite stable. We have no problems with bugs or glitches. It doesn't crash or freeze. It's good.
We've found the solution to be scalable. A company shouldn't have any issues with expanding it if it needs to.
We have about 300 users on the solution currently. We do plan to continue to use Cisco in the future.
We use third-party technical support that's offered and we're quite satisfied with the level of attention we receive.
I have knowledge of Palo Alto and Fortinet.
While those two are easier to set up and control, nothing compares to Cisco in terms of security. They're very strong in that regard. We also find Cisco to be more stable.
However, we only use Cisco firewalls in our organization. We don't use anything else.
The implementation is not so straightforward. It's rather complex and we have a lot of trouble with it.
The implementation took us about one month.
We plan to implement an updated version next month as well.
We need three to eight people to handle the setup.
I did not handle the implementation by myself. Rather, it's done by another team including the original support from Singapore and with license support from headquarters in Japan.
However, our team does handle the implementation in-house, and we can handle the setup for clients as well.
We do need to purchase licenses. Those come from headquarters in Japan. They handle the details in terms of pricing. I'm not sure of the overall costs.
We're both a customer of Cisco and a reseller.
This month we plan to upgrade from our existing hardware.
Overall, we've been happy with the results we've gotten. I would rate the solution at a nine out of ten.
We primarily provide implementation and maintenance services to our clients.
The software itself is very simple.
The solution is easy to operate. It's not overly complex.
The command line is the same as it is on the Cisco iOS router.
The technical support is very helpful and responsive.
The solution needs to have better logging features.
Cisco needs to migrate its ASA Firewall to a management console or to a web console.
I've been working with the solution for six years at this point.
The solution is largely stable. Once we adopted Cisco services, we found that everything was pretty reliable. There aren't bugs or glitches. It doesn't crash or freeze. It's quite good.
The scalability is a problem as the solution has a low throughput.
We've been in touch with technical support and I've always found them easy to reach. They're responsive and helpful. I find their service much better than, for example, Fortinet or Palo Alto. Overall, we're satisfied with Cisco with respect to their technical support.
We have some experience working with Palo Alto and Fortinet solutions as well.
While I don't have the exact pricing of the solution, it's my understanding that Cisco is rather costly. It's not the cheapest option on the market. It's expensive. It's more costly, for example than Palo Alto.
We have a gold partnership status with Cisco, however, we are also partners with companies such as Fortinet and Palo Alto.
For a next-generation firewall, I would likely recommend Palo Alto. However, if a company had the budget, I would recommend Fortinet. That said, for a VPN gateway, I would recommend Cisco ASA.
In general, I would rate Cisco's ASA Firewall at seven out of ten.
We use Cisco ASA for traffic control.
It's a flexible solution.
The configuration is an area that needs improvement.
In the next release, I would like to see the UI include or provide web access, and more integration.
I have been using Cisco ASA Firewall for five years.
We are not using the latest version, as it is not available.
It's a stable solution and we have not had any issues.
It's a scalable product. We have approximately 2,000 users in our organization.
We have plans to continue to use it.
Technical support provides us with good service.
The initial setup was straightforward. It was easy for us because we have experience.
It was already deployed when I arrived.
We have two or three guys for deployment and maintenance.
This is a product that I would recommend to others.
I would rate Cisco ASA Firewall a nine out of ten.
The feature I have found most valuable is the IPS advanced threat detection for removing ransomware and malware.
An area of improvement for this solution is the console visualization.
I have been using this solution for two months.
The solution is stable.
The customer service/technical support is very good with this solution.
The initial setup is straightforward and it took two weeks to deploy. Currently, 5000 employees use this solution in our company.
The solution was chosen because of its price compared to other similar solutions.
I would recommend this solution to other users.
Our primary use case of Cisco ASA Firewall is to protect our environment. We are customers of Cisco and I'm a network engineer.
The solution is simple to deploy and stable.
Technical support could be improved, they take a long time to respond.
I've been using this solution for 10 years.
This is a stable solution.
Initial setup was relatively simple, it took around six months and I deployed myself.
I would rate this solution a nine out of 10.
We utilize the solution for our IT security.
To be honest, all of the features that are provided, all the other vendor will also have. One feature we did find valuable was the CLI, it is more accurate. Additionally, I was happy with the customization, dashboards, access lists and interface.
We frequently use the Bottleneck feature we purchased specialized from Cisco.
It is hard to collaborate with our filtered environment.
If Cisco could combine the Bottleneck feature of ASA, their platform called Umbrella, and the other team they have that has similar malware protection into one, this would be perfect.
I have been using the solution for almost three years.
The solution is stable. However, It does have some bugs, but Cisco always fixes them really quickly. Sometimes we have to restart and it would be better if the bugs could be fixed without having to reload.
The scalability is not perfect.
The support has been great and responsive. Most of their engineers are very professional and knowledgeable.
The setup is easy to do if you are familiar with these type of installs, if not then it could be difficult.
We have a perpetual license for all of our firewalls. For some of the features, we purchase them on demand. The pricing is decent but it could always be cheaper, we would be happier.
We will probably change to a higher version in the near future or migrate to a next-generation firewall which would include IPI and some other new features. This makes sense because our current firewall ends the support in several years.
Cisco FirePower, the next-generation firewall, is much better for stability.
I have used many versions of the software over the years, versions 8.6 to 9.1 and 9.9 to 9.12.
Keep in mind before purchasing the solution, if you do need to scale the solution then ASA is probably not right for you.
I rate Cisco ASA Firewall an eight out of ten.
This is a product that is used at the infrastructure level to protect the network from outside traffic.
The most valuable feature is stability.
When using this product, our network is slower. The performance should be improved.
The installation could be made easier.
We have been working with Cisco Firepower NGFW Firewall for more than two years.
This is a stable product and we plan to continue using it.
Support from Cisco is good enough.
The installation can be easy, although it is slightly more difficult to install than Fortinet FortiGate. One day is enough for deployment but it takes a long time to configure.
I deployed Firepower with support from the team in India.
We have a team of three people for deployment and maintenance.
The price of Firepower is not bad compared to other products.
This is a good product and I recommend it.
I would rate this solution an eight out of ten.
I primarily use the solution for the IPsec only.
The user interface, the UI, is excellent on the solution. Let's say you want to check the real-time locker - you can create it by the UI using ADSM.
The VPN portion of the solution isn't the greatest.
The stability is not the best.
The solution is far too expensive.
I've been working with the solution for about six months, or maybe a little bit less than that.
I haven't found the stability to be very good. The IPsec stability leaves a lot to be desired. They really need to work on the solution's stability capabilities.
In ASA, I built the IPsec between ASA and Fortigate due to the fact that most of the time I have to restart the timer to flow the data.
We only have two to three users who directly deal with the solution within our company. Overall, we have between 100-200 employees. We haven't really scaled it.
I personally would prefer not to use ASA going forward. However, I don't know if the company itself has any plans to increase usage or not.
While I've dealt with Cisco technical support in the past on other solutions, I have not contacted them in regards to this specific product.
That said, my past experience with Cisco technical support has been very positive and I found them to be very helpful in general. I just can't speak to this specific product.
I was pretty junior when the solution was initially implemented in the organization. For that reason, I did not take an active role in implementing the solution. I wouldn't be able to really discuss the setup specifics or the level of difficulty.
I'm not exactly sure who handles maintenance, if any, within our organization.
The licensing is quite expensive. I don't have the exact amount, however, it's my understanding that it's a very pricey solution. There's a lot of competition out there, including from Fortigate, which offers just as good, if not better products.
I'm not overly familiar with ASA. I only work with it on an administration level.
I work with the latest version and I use the ASDM version server.
I wouldn't recommend that an organization choose ASA as a solution. They should look into other options.
Overall, I would rate the solution at a six out of ten. We haven't had the greatest experience.
We use Cisco ASA Firewall to protect different sites at a protocol level. We also use it for antivirus and bot protection.
I think Cisco ASA Firewall is the most stable firewall solution.
The price can be better.
I've been using Cisco ASA Firewall for the last ten years.
I think they're all are stable. I've never seen a firewall that's unstable.
I'm satisfied with their technical support.
It's easy for me to configure one because I have firewall configuration certifications. I don't know what someone with nothing in terms of experience would be able to do.
It normally takes me a week to implement and deploy. I normally need a week and three people to do maintenance.
I used to implement it several years ago, but now I ask our engineer to do it.
Cisco ASA Firewall should be cheaper.
I would recommend Cisco ASA Firewall to potential users.
On a scale from one to ten, I would give Cisco ASA Firewall an eight.
We are using the ASA in our network to create a VPN between six places. We also use it for servers and data synchronization.
The most valuable feature is that it's secure.
It is really stable and I've never had an occasion that due to this firewall, I have had issues with the network, a breakdown, or otherwise.
This is a user-friendly product. Once you have a specialist who can configure it properly, you'll be pretty protected everything you want is in it.
In the future, I would like to be able to use an IP phone over a VPN connection.
I have been working with Cisco ASA Firewall for at least seven years.
The stability is good.
We have not tried to scale our network. It was established a long time ago and nothing has changed since then.
I have been auditing their partners in Bulgaria and I am in contact with them on a regular basis. I have not had any real issues with my equipment but overall, I think that the support is perfect.
We were using the ASA 5505 and our network is faster now, so we are now in the process of upgrading our network to the 5506 model. The 5505 is a 100 megabit product, which is very low.
We had a company that set everything up for us. They have Cisco engineers and I'm paying them annually for next-business-day support. They do all of the maintenance for us.
They have a lot of different models but most of them are really expensive. This is the main thing because, for us, the price is important.
Overall, I am pretty satisfied with this product and I recommend it.
I would rate this solution a ten out of ten.
In general, we support more public fiscal entities. Most of them are quite sizeable at 5,000-6,000 employees. We use it mostly for remote access.
The clusters in data centers are great.
We enjoy the use of the remote access VPN. We have a mechanical firewall with IPS and we have no more than these. In general, ASA is for remote access and the mechanical firewall right now is more used for data centers.
We work to combine customers and we have a lot of customers that use networking from Cisco. They buy Cisco firewalls due to the fact that all of their networks are working with Cisco features.
It would be ideal if the solution offered a web application firewall.
We've had some issues with stability.
The solution has some scalability limitations.
The firewall itself has become a bit dated.
The pricing on the solution is a bit high.
Some individuals find the setup and configuration challenging.
I've been using the solution for ten years or more. It's been at least a decade at this point.
Normally, we don't have any problems with stability. That said, when we have problems, it may be difficult to resolve quickly. The tech from Cisco is really good. However, we have some problems that take more time. Issues haven't come up very often. We've only had two or three problems over ten years that took a while to resolve. Largely, it's quite stable.
We typically work with large public organizations. Our customers are quite big. Some are even up to 8,000 employees.
My view is that the ASA is for data centers. When you need more performance or something like that, this may be a problem. This is due to the fact that we don't have the ability to add more performance - more CPU or more equipment - in our cluster when we deploy the solution in a perimeter. It's complicated to expand the performance with ASA on the perimeter.
We have a good relationship with technical support. They're very helpful. Sometimes we get a solution and sometimes we don't, however, they are always available to help us deal with issues.
I have been working with this equipment for years, so for me, the initial setup is pretty easy. For customers who use the Cisco solutions for the first time, maybe it's complicated. They probably feel it would be easier to configure if there was a simpler graphical view or something like that. Often a complaint is that it's difficult to configure. However, I don't have that issue.
To deploy one solution, how long it takes depends on the customer or the size of the enterprise. For a large enterprise or large public entity, we need more time or more resources to deploy the solution. That said, it's not too difficult for us as we work a lot of time with ASA. We can go fairly quickly.
We support ASA 5508, 5585, and 5525 - all the versions of the firewall. Again, we built a HTAB machine too.
We've worked with Cisco for many years and I love working with them.
Right now, ASA is getting older. A better recommendation may be to use Firepower, a Next-Generation Firewall, no ASA. In cases for some remote VPN access, we recommend ASA, however, for all of the deployments, the recommendation now is to use a Next-Generation Firewall from Cisco Firepower.
Overall, I would rate the solution at a seven out of ten. That said, for remote access alone, I'd rate the product at a nine.
We use the solution to monitor the connections as part of our parameter protection for our network. We restrict what kind of traffic comes in and out, we use it basically for traffic management.
Cisco used to be all command-line operations and now Firepower is in a way modelled from FortiGate. Firepower has integrated a UI into it now.
You do not have to do everything through a command line which makes it a lot easier to apply rules.
You are able to see the traffic of what sites users are visiting.
There are warnings if you are about to go to sites that could be malicious.
It also allows you to block within categories, such as, by URL.
The solution always had these capabilities, but it did not have a user interface that was user-friendly.
The solution could offer better control that would allow the ability to restrictions certain features from a website. For example, If we want to allow YouTube but not allow uploads or we want to allow Facebook but not allow the chat or to playing of videos. This ability to customize restrictions would be great.
We have been using the solution for three months now. We have always used Cisco but before we were using the ASA and now we use the new version with the threat defence.
The stability is good so far. My opinion could change in another couple of months once we get more deeply involved with the solution.
We currently are protection approximately 220 users.
We just deployed it a couple of months ago, we have not used the tech support with the Firepower yet. We have not had an issue that we have had to raise with them.
Generally, the tech support for Cisco takes too long to go through the different tiers of support agents to get to someone that can resolve the issue. You end up speaking to someone that is not qualified to solve the issue, then you have to be escalated upwards over and over. This system could be better.
I rate the tech support service generally from Cisco a seven out of ten.
The installation is not hard and not easy either, it falls in between.
The time of implementation took us two to three days. This was in part because we were migrating from another Cisco firewall. The config files were already there, we just had to bring them over. While having the config files we just had to set up the hardware to have us up and running. The install could have taken longer if this was not the case.
Currently, I would give this solution high marks because I have not had a problem. However, keeping in mind, my evaluation period has been short. I would not give the solution a ten, nothing is perfect.
I rate Cisco Firepower NGFW Firewall a nine out of ten.
We are a solution provider and the Cisco ASA Firewall is one of the security products that we implement for our customers. My clients use it for security, and also to establish VPN connections.
My client is in the financial sector and all of the connections are doing using the VPN. This type of access makes the connections more secure.
The most important feature is the VPN connection.
My clients also use the antimalware features and the scan is very good. It also supports packet inspection and IPS.
Cisco ASA is easy to configure.
The integration with the security features is something that I like.
The SecureX ASA administration platform should be improved.
The orchestration of modules should be improved.
I would like to see the inclusion of a protocol that can be used to protect databases. This would be a good feature to have added.
We have been working with the Cisco ASA Firewall for approximately three years.
I have not had problems with stability, although I have had some small issues with bugs. In general, I can operate without a problem.
It is very easy to scale this product. With SMC, you can control all levels of ASA in a central console. You can simply add a new ASA firewall to protect your network, and you will be able to control it.
We have approximately 300 users.
My clients for this solution are medium-sized organizations.
I have not been in contact with technical support but I use the implementation guide. I have also used the community support and I think that it's okay. The information that I received about the configuration was good.
Prior to Cisco ASA, my client was using Fortinet FortiGate. They switched because there were complaints about the connection being slow.
The complexity of the setup depends on the needs and requirements of the client.
When a client does not know exactly what is needed, the complexity increases because the configuration is not clear. You really have to have a good understanding of what the client needs before configuring it.
If the model does not have SMC then it is complex to configure.
The length of time for deployment also depends on the requirements, but it will usually take between three days and one week.
This is an expensive product, although when you buy this solution, you can do many things so it provides good value for the investment.
My clients did evaluate other options but ultimately chose this product. Other than the VPN connection, I don't know the reasons for this decision.
I can recommend this product because it is one of the most stable firewalls on the market. The suitability, however, depends on the environment and what is needed.
I would rate this solution an eight out of ten.
I am doing research on the product and testing it for security.
It is a flexible solution and can be easily integrated with your network hardware. It is a very useful product. This product is very popular in the industry and the network security environment is good.
It would be a benefit to improve the integration with other similar products from other vendors on the market, for example, Huawei or Fortinet products. Comparing Cisco solution to others, it is expensive, it would be better for it to be cheaper.
I have been using the solution for three to four years.
I have found the stability of this solution really good, this is why I use it.
The product is scalable.
The customer service is really helpful, they do their part in keeping our organization's network from outside intrusion.
I have used other solutions in the past, such as Cisco Firepower. I find Cisco products to be superior.
The solution is normally easy to install but if the user has more requirements, as in a more complicated setup, it could take more time.
I did the deployment myself.
The product is very expensive.
I would recommend this product. I suggest this solution to my colleagues because it is a great product and is really stable. When looking at other products in use in other companies this product is superior.
I rate Cisco ASA Firewall ten out of ten.
Cisco Firepower NGFW Firewall has a lot of environment to use for your network to see what kind of critical threats are coming or going. I use it to find out what this threat is and then formulate a strategy for it. I use it a lot on my simple network to see how it works, inspect the network traffic, and so on.
Cisco Firepower NGFW Firewall is a really helpful product for network security. I have integrated it for incidence response. If there is a security event, the Cisco firewall will automatically block the traffic, which is useful.
Cisco Firepower NGFW Firewall can be more secure. But no product is 100% secure, so it's a case of always wanting more security. The product is also really expensive. It would help if they provided free academic access to the enterprise edition for students for a whole month, two months, three months, or a year.
I have been using Cisco Firepower NGFW Firewall for about two years.
I used Cisco ASA Firewall, but in our specific environment and not for the whole network.
It's easy to install Cisco Firepower NGFW Firewall. You can install it on the platform with all the images in one set form. It took me about 20 to 30 minutes to install.
I implemented Cisco Firepower NGFW Firewall on my own.
For me, personally, as an individual, Cisco Firepower NGFW Firewall is expensive. But it should be affordable for enterprises and educational institutions.
I would recommend Cisco Firepower NGFW Firewall to potential customers.
On a scale from one to ten, I would give Cisco Firepower NGFW Firewall a ten.
We are a Cisco implementor in Venezuela.
Our primary use is to deal with incoming access. We open ports for web servers or special applications that our clients have inside their network. We also use it to provide site-to-site VPN access.
The most valuable feature is the ability to block almost all of the ports.
All of the commands work the same way, whether in the graphical interface or when using the command line.
Cisco products have a lot of features.
The graphical interface should be improved to make the configuration easier, to do things with a single click.
There should be better integration with open-source products because some of our clients use them. It would be helpful if they integrated well.
I have been using the Cisco ASA Firewall for almost 10 years.
This is a very stable product.
The scalability is good and it can be used for organizations of all sizes.
Technical support is good and we haven't had any problems with documentation that is provided.
I also have experience with pfSense.
The initial setup is easy.
We have evaluated various open-source solutions for our clients.
The main difference with Cisco is that it is a big company, and their products are very easy to use. They have the best routers, switches, and firewalls.
Cisco ASA is a product that I can recommend for its stability.
I would rate this solution a nine out of ten.
We are using this product to filter network traffic.
It's a flexible solution and is well-known in the community. Most professionals are familiar with Cisco products and we prefer to work with products that we know. That is why we chose to work with Cisco firewalls, and also for the quality.
In the next year, we are planning to migrate to the Cisco Firepower. Our planned product would be Cisco Firepower 20 or the 40 series.
In the next release, I would like to see the VPN and UTM features included.
I have been using the Cisco ASA Firewall for the past ten years.
We have a few different versions that we are using. Some are 5505, 5510, and 5515.
It's stable. We have not had any issues with stability.
It's a scalable solution. We have five or six users in our organization.
We have not contacted technical support because we have not had any issues.
Previously, we did not use any other solutions. Our company is almost 11 years old and have been using this solution for ten years. We have been using this solution from the beginning.
I have not been present for most of the deployments, but from my experience, the deployment is not complex for organizations like ours because we have less equipment and infrastructure.
In Ethiopia, most of the deployments, especially in government organizations, are on-premises because of government policy.
Our policies are limited and not complex.
Overall, I would say that it's pretty straightforward. While I was not a part of the deployment and had to guess, I would say it may have taken a week to deploy.
We require a team of four or five to maintain this solution.
In summary, this is a good product and I recommend it.
I would rate this solution a nine out of ten.
It's very stable and mature.
The content filtering on an application level is not as good as other solutions such as Palo Alto.
While the price is fair with all of the features that it has, it should be cheaper.
I have been using the Cisco ASA Firewall for seven years.
It's a stable solution.
We have plans to continue using this solution in the future.
It's a scalable product. We have 200,000 users in our organization.
Cisco technical support is good.
Previously, we used other products. We used Fortinet and CheckPoint.
We have a team of 50 or 60 Network Engineers to maintain this solution.
The price is fair. It's not the cheapest, but it's not bad.
Cisco ASA Firewall is a good product. I would recommend it to others who are interested in using it.
I would rate it a seven out of ten.
I am using Cisco ASA as my firewall. I use it for security purposes to block access and for VPN. It is on the perimeter, so basically, it secures my network.
It is a very stable product. I've not had any issues with it. It is a super product, and I won't need to change it anytime soon.
Its configuration through GUI as well as CLI can be improved and made easier.
I have been using this solution for more than five years. I am using the Cisco ASA 5505 model.
It is very stable.
I manage it myself. If I can't, then I get somebody else. I don't have any support from Cisco.
The initial setup was slow. It took a day or two.
Unfortunately, there were not too many skilled guys who could install it. I had to get a third party for installation and configuration. I had to get somebody qualified in Cisco Security, and he was the only person who could actually configure it well.
I just bought it off the shelf, and I'm using it with my previous one, so I have not spent that much.
I would definitely recommend this solution. You just have to learn how to configure it. It is a Cisco solution, and there is not much to be improved. I plan to keep using it and expand its usage.
I would rate Cisco ASA Firewall an eight out of ten.
We primarily use the solution in order to create access rules. That's what I use it for mostly. Sometimes, if I need to do some mapping, I may also leverage this product.
In terms of access, the solution is great at making sure that the firewall has the right IPs, or that the right IPs are passing through where they should be.
The product does a good job of making sure that the connection is one that the user can trust. It keeps everything secure.
From what I've already done with ASA, I've noted that it's a very simple solution.
It is a very user-friendly product. I started with the GUI version. There are different versions. You could have the CLA, and the GUI version if you like. Both are really user-friendly and they're easy to learn.
We haven't been working with the product for too long, and therefore I haven't really found any features that are lacking. So far, it's been pretty solid.
One of the things that would make my life easier on ASA, especially for the CLA, is if it had an ASBN feature, specifically for the CLA. This would allow you to be able to see at once where a particular object group is being used without having to copy out all the object groups that have already been created.
I don't have to see all the object groups that have been created on that firewall. That's just something that I would really appreciate on the CLA, even though it already exists on the GUI.
I've been using the solution for six months now. It's been less than a year. It hasn't been too long just yet.
The solution has been quite stable.
Most of the clients that we deal with use this solution. No one has ever complained about having a breach or anything, to the best of my knowledge, even though we see some people combine different firewalls together, and use them alongside Cisco ASA. So far, we've not had any issue with Cisco ASA. It's reliable and keeps our clients safe.
I've never tried to scale the product. I haven't worked with it too long at this point. I wouldn't be able to comment on its scalability potential.
I've never dealt with technical support yet. I can't speak to their level or response or their knowledge of the product.
In the past, I've worked with Check Point and Fortinet as well.
I've been handling the implementation. So far, it's been good, even with no prior knowledge of the solution itself. It's my first time working with it.
On my team, lots of people are working on different aspects, and most of the setup is being done by those that have more knowledge about the firewall than we have. We don't have anything to do with the setup, we just make sure that we implement whatever connections the clients already have. It's already broken down that way, just to avoid as many mistakes as possible.
We already have a process for implementation based on the number of connections. The maximum we normally work on each connection is maybe 20 to 30 minutes. However, the process could be as little as one minute. It depends on how many connections we want to add at a time.
We're handing the implementation via our own in-house team.
I'm just handling the implementation and therefore don't have any insights on the pricing aspect of the solution. I wouldn't be able to say how much the company pays or if the pricing is high or low.
That said, the pricing isn't an issue. It's more about what's best for the customer or the client. We want to give the client the best service, and very good protection. If a client begins to worry about pricing, we can't exactly guarantee the same level of safety.
Our company has a partnership with Cisco.
We have different clients and therefore use different versions of the solution. Nobody wants to use an out-of-date version, and therefore, we work to keep everything updated.
Overall, I would rate the solution at a nine out of ten.
We mostly use it for remote access. We also use this firewall between different segments of our enterprise network.
We have legacy models of this solution. We are using models 5510 and 5520.
We are mostly using it for remote access, so the remote access feature is the most valuable, but all other features are also needed and required. It is also a very straightforward and reliable solution.
We don't have any serious problems. The firewall models that we have are quite legacy, and they have slower performance. We are currently investigating the possibility of migrating to next-generation firewalls.
We have been using Cisco ASA Firewall for around one hour and a half years.
It is quite stable. We didn't have any issues or crashes, so we find it to be a solid solution.
We don't have Cisco support because these models are excellent.
It has moderate complexity. I didn't have any prior experience in configuring these firewalls. That's why I found its initial setup to be of moderate complexity, but now, I have got used to using and maintaining these devices.
We're using the smart license for this firewall. The models that we have require licensing for remote access.
I would absolutely recommend this solution. It is a very straightforward and reliable solution. I would definitely like to propose and offer this solution to other colleagues.
Cisco doesn't have any plans to develop this kind of solution more. Cisco ASA Firewall will not be developed in the future. The next-generation firewall is the next step in the development of the Cisco firewall. For this reason, we are investigating the possibility of migrating to another product.
I would rate Cisco ASA Firewall a nine out of ten. We are very happy with this solution. It is very straightforward and reliable, but it is quite a legacy solution and lacks performance.
We are using this solution for the site-to-site VPN tunnels and VPN Connections.
I like all of the features.
It is my understanding that they are in the process of discontinuing this device.
They are in the process of shutting down this ASA series and will continue with Firepower.
In the next release, it could be more secure.
I have been using Cisco ASA Firewall for six years.
We are not using the latest version.
It's a stable solution. I have not had any issues.
This product is scalable. We have 100 users in our organization.
We will not continue to use this solution. We will be upgrading to either Firepower or Check Point.
Technical support is perfect.
I was using Dell SonicWall before Cisco ASA Firewall.
The initial setup was straightforward.
It's easy to install and it doesn't take a lot of time for the initial configuration.
It took an hour to install.
I completed the installation myself. We did not use a vendor or vendor team.
There are licensing costs.
I would not recommend this solution. The technology is old and they should move to Firepower or NextGen Firewall.
I would rate the Cisco ASA Firewall an eight out of ten.
We are an IT integrator. We include parts of the infrastructure as part of our services, which includes firewalls, routers, switches, and even some end-user devices. We are deploying Cisco, Palo Alto, and Aruba. We are a very big company, and we have probably about 300,000 employees all over the world.
We use this solution for security and for enabling site-to-site VPN. We have on-premises and cloud deployments, and we are using the latest version of this solution. It is 5500 or something like that.
The configuration capabilities and the integration with other tools are the most valuable features.
I really like this product. Cisco is one of my favorite brands, and I always think Cisco solutions are very reliable, easy to configure, and very secure.
It can probably provide a holistic view of different appliances because many customers do not have only one brand, besides the traditional SNMP protocols, to cover all their devices. There are some specific requirements in terms of configurations or actions that sometimes have to be done in a very manual way because of the different versions or brands in a customer's infrastructure.
It could also have some additional analytics capabilities. It has some very interesting ways to monitor the traffic and identify false positives from the architecture and the environment. It would be good if there is a way to patch with some other industry-specific solutions and synchronize some of the information, such as what other customers experience in their operations and probably share some additional information that could be leveraged or shared among the industry. Such information would be something interesting to see. It could have AI capabilities related to how the appliances could benefit from learning the current environment and different exposures.
I have been using this solution since the beginning of this company, which would be more than 20 years.
It is stable and reliable.
There is no real limit to the way they can scale. It is very easy to integrate additional firewalls or even nodes on appliances. Whenever needed, they are stackable. They are very flexible in that sense. Our clients are large businesses.
The service that we have received from Cisco has been reliable, fast, and efficient. They are very good. As long as you have a contract, you can rely on them. You should also have a technical team certified or at least trained on the infrastructure to provide in-depth first-level help.
I have also used other solutions like Palo Alto. The capabilities are pretty much the same. It is just a matter of how they integrate with the overall landscape of the customers. Palo Alto seems to be the top end firewall these days, but the customers might have purchased Cisco in the past or have a DNA subscription using which they could probably take advantage of the security landscape that Cisco offers. It is more about what is the overall benefit rather than just the appliance.
They seem to be at the top end in terms of pricing, but they are worth the price. They are probably a little bit lower than Palo Alto. If the customers are relying on Cisco products and they are thinking more in terms of scaling to another layer in a year, it is pretty much in a good price range.
I would suggest to be sure that it smoothly integrates with the infrastructure that you have. Try to take advantage of the DNA subscription and the new monitoring features that it has. Be informed about what's new with this product.
I would rate Cisco ASA Firewall a nine out of ten.
Our primary use case is for perimeter security.
We are using the enterprise version. Cisco has many versions. Maybe we are using the old version of ASA because it needs to be the freeware. In each freeware, there are different types of things. Maybe it is the standard version because the other version cost a lot. I need to combine it with another solution like an open source standard solution of the ASA firewall from Cisco.
Firewalls are about blocking. ASA is for blocking, but it does not have the intelligence like Fortinet to detect attacks. If I could use ASA to detect attacks, maybe we could buy another service from Cisco although it's very expensive. I would choose Fortinet, but my clients like ASA support. I prefer Fortinet because Fortinet has a UTM and it's a good firewall.
In terms of what could be improved, the UTM part should be more integrated for one price, because if you buy ASA from Cisco, you need to buy another contract service from Cisco as a filter for the dictionary of attacks. In Fortinet, you buy a firewall and you have it all.
I would like to see all the features like Fortinet has. If I buy ASA, I would like to see a Fortinet-like interface.
It would be good if Cisco could improve their web interface to configure the equipment. Cisco is very reliable and very secure, but has to compete with Fortinet which is very hard.
On a scale of one to ten, I would give Cisco ASA Firewall a nine.
I have been using Cisco ASA Firewall for about 15 years.
We have maybe 100 - 200 end users using the solution.
I would give their technical support an eight out of ten because of their response time.
Let me give an example. When I have a problem, and I contact support, maybe there is a guy from India or from another country answering me. This is very slow. The people look at the ticket and increase the time for response.
The initial setup is easy. Firewalls are like programming. If you know programming, you know every language. Firewalls are the same. If you know the security and blocking the perimeter, it's the same for all the firewalls. The difference with the different firewalls are the functionalities. Learn the functionalities in every brand.
My advice to anyone considering Cisco ASA Firewall is that you need a lot of money to implement the Cisco solution. But it's a good solution. If you want to go to Cisco, you need a lot of money.
In our organization, we are using it as an internal firewall.
It is already improved because all of the computer updates are available online. So, you can update, and I think that the ASA 5585 is already updated.
All of the licensing features can be upgrades.
The interface is user-friendly.
The cost is very high. Most organizations cannot afford it.
We have been using the latest version of this solution for the last five years.
It's a stable product.
It's a scalable solution. We have more than 2000 users in our organization.
Technical support is fine, we have no issues.
The initial setup was very easy. Cisco documentation is online, so it was no problem at all.
It took approximately 30 minutes to install.
If we compare it with FortiGate and the co-existing ASA, FortiGate is better in terms of price.
This is a product that I can recommend to others.
I would rate this solution a ten out of ten.
I'm the group information technology manager and we are customers of Cisco.
The best feature for me is the VPN and I also like the firewall.
In terms of improvement, we'd like to see a good graphical user interface. I'd also like to see the initial setup simplified. In comparison, if I were to implement the Fortigate firewall from scratch, it's a fairly simple set up. That is not the case with the ASA firewall, where you really need to have the skill and know what you're doing.
I've been using this solution for 18 years.
The solution is stable, we haven't had any issues. If we need something, we go to a consultant. In terms of product stability, it works very well.
We haven't made any changes since implementing and we haven't tried scaling.
We get our support from the resellers, not from Cisco.
For those who have the technical know-how with Cisco products, I would recommend going with the ASA firewall, but if you're new to the field and running a smaller business, deployment will be complicated.
I would rate this solution a nine out of 10.
I am a pre-sales engineer, and I do comparisons based on my customer's requests.
The most valuable features of this solution are the integrations and IPS throughput.
The price and SD-WAN capabilities are the areas that need improvement.
In the next release, I would like to see more of the FortiGate features added. FortiGate is compatible with Cisco ACI, but I can't see Firepower with Security Fabric. For example, if I had Fortinet activated, could I integrate with it?
I have familiar with the Next Generation firewalls for two years, and six years with firewalls in general.
It's a stable product.
It's scalable indeed.
Our clients are SMB Enterprise.
It's just a fact, nothing is better than Cisco technical support.
Previously, I was working with Fortinet. I would most likely recommend Fortinet, because of the price and the security fabric integration with other products. It's scalable as well, and all of the FortiGate features are useful.
It's very easy to implement and it's very easy to administrate.
The initial setup was straightforward. With other vendors, it is easier, but it was straightforward.
This product is expensive.
I would rate this solution an eight out of ten.
The way we've installed Firepower was for the migration process. For example, there was a data center consolidation, and therefore we had to move everything. We offer data center products to our customers across VPN funnels. We had to move away from older ASAs, so it's a lift and shift. We move older ASAs, which were dispersed in many sites, and we consolidated a couple of services in a single site. Firepower was left there in place. I came in and I took over the administration duties, and now I'm trying to put everything together in a way that it makes sense.
With Firepower, they have better hardware. It's fitted for more throughput, more load. I'm trying to centralize service delivery on this high-availability pair and move all the remote access to Firepower. Then, it's all part of a transition process from a hybrid cloud to a full cloud deployment on a cloud provider. It's mostly just a necessary pain, until we move away from our on-prem deployments. Currently, I'm working with Azure, etc. and I try to look at the main design of the whole process, even though it's going to take two years.
COVID has also made everything very, very slow for us as we try to move away from our initial plan.
The 2100 models are extremely useful for us.
It's got the capabilities of amassing a lot of throughput with remote access and VPNs.
They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers which are using older encryptions. If I do that, update it, it's not going to work for me.
We've been using the solution for about a year.
The solution is pretty solid in terms of stability, however, I prefer Palo Alto. For the enterprise world, it's better to have Palo Alto. For the service provider field, Firepower is quite well suited, I'd say. That said, Palo Alto, is definitely the enterprise way to go. For a smaller deployment, you can also go with FortiGate. It's simple, however, it works for smaller offices.
The scalability of the product is pretty good. If you need to expand it, you can do so with relative ease.
The technical support is amazing. They do reply quickly, and often within an hour. It's been great. I've worked at Cisco before, however, with the type of contract we are in, I find it super fast right now. We're quite satisfied with the level of support.
I don't have any knowledge as to what the product costs. It's not part of the business I deal with.
Palo Alto, it's my understanding, is a little more expensive, however, it depends on the users and on the design. It always depends on the contract
We're just customers. We don't have a business relationship with Cisco.
It's a solid, reliable product, however, if it's right for a company depends on the use case and the size of the organization. For a startup, this might not be a suitable option.
Overall, I'd rate this solution nine out of ten. As a comparison, if I was rating Palo Alto, I would give it a ten out of ten.
The number one use for this product is security.
The management of the application can be improved with enhancements to the user interface.
I would like the ability to drill down into certain reports because currently, that cannot be done. In fact, this is one of the reasons that we want to move away from Cisco. Better reporting tools would be an improvement.
We have been using Cisco ASA for approximately seven years.
This product is pretty stable.
Our current model is reaching its end of life, so it's not very scalable at the moment. We don't plan to increase usage.
It is currently providing protection for about 30 users.
The technical support is with our solution provider. I would say that it's average, rather than very good.
The initial setup is complex. I would say that it took a maximum of a week to deploy.
We had a service provider who took care of the installation for us.
This is an expensive product. We pay about €2,000 ($2,400 USD) per year for licensing.
Technical support is in addition to the standard licensing fees.
At this point, Cisco ASA is not a product that I recommend. My advice is that people should look at other solutions because there are other products available on the market that are just as good, if not even better.
I would rate this solution a seven out of ten.
We are a service provider and we work on a variety of different projects for many customers. We do not use this product ourselves. Rather, we deploy it for different customers.
The primary use case is to protect the organization from unauthorized use.
The most valuable feature is the access control list (ACL).
Report generation is an area that should be improved.
I have been working with this product for two years.
This firewall is quite stable and we use it on a daily basis.
The scalability is good.
I have not worked with equipment from OEMs other than Cisco. It's the only vendor I use.
The initial setup is straightforward. The length of time for deployment depends on whether it is the entire setup or just the basic installation.
I deployed this product myself.
This is a product that I can recommend for an internal firewall. It's good enough.
I would rate this solution a seven out of ten.
The solution is primarily used for protecting the environment, or the cloud environments for our customers.
All the specific features you find within the NextGen firewall are quite useful. The touch intel feature is specifically useful to us. We deliberately choose this kind of product due to its set of features.
The implementation is pretty straightforward.
The security market is a fast-changing market. The solution needs to always check if the latest threats are covered under the solution.
It would always be helpful if the pricing was improved upon a bit.
In a future release, it would be ideal if they could offer an open interface to other security products so that we could easily connect to our own open industry standard.
We've been using the solution for about five or more years at this point.
The solution is stable. It's very reliable. It doesn't crash or freeze and doesn't seem to be plagued by bugs or glitches.
The solution can scale quite well. A company that needs to expand it can do so easily.
In our case, we have clients with anywhere between 1,000 and 10,000 users.
We have our own in-house team that can assist our clients should they need technical support. They're quite knowledgeable and can handle any issues.
I also have experience with Fortinet and Check Point.
The implementation isn't complex. It's straightforward. However, it also depends on the specifications of the customer. Normally we check that out first and then we can make a judgment of how to best implement the solution.
Typically, the deployment takes about two days to complete.
In terms of maintenance, we have about five people, who are engineers, who can handle the job.
We deliver the solution to our customers.
You do need to pay for the software license. In general, it's a moderately expensive solution. It's not the cheapest on the market.
We're a partner. We aren't an end-user. We are a managed security provider, and therefore we use this solution for our customers.
We always provide the latest version of the solution to our clients.
Typically, we use both cloud and on-premises deployment models.
I'd recommend the solution to others. It's quite good.
On a scale from one to ten, I would rate it at an eight.
We primarily use the solution for basic firewall configurations such as NAT, FORWARD PORT and Block TCP-UDP Port.
My company is very small just built last year, i now am using cisco asa 5510 for NAT and Port Forward and limit users access directly from internet only via Remote-VPN.
The ability to block threats is its most valuable aspect.
Most clients in Laos use the basic setup, which works quite well. It ensures that nothing can get onto the local network.
It's pretty reliable and allows for isolation capabilities within the network.
The ADSM is very good.
I like that I can use the command line. I use a lot of Cisco and often work with this. If you are comfortable with the command line, it's quite good.
The user interface isn't as good as it could be. They should work to improve it. It would make it easier for customer management if it was easier to use.
Cisco does not have a lot of web management. We have to use ASTM server management to make up for it.
I've been using the solution, give or take, for around five years at this point.
When we need assistance from technical support, we typically deal with the team in China. They've been very good. Whenever I have a problem, they can resolve it. They are knowledgeable and responsive. We're satisfied with the level of support we get.
We typically offer clients a few different solutions. For example, we may recommend Fortinet.
For a new user, the initial setup may be a bit difficult. For me, since I am comfortable with Cisco, it's pretty straightforward. A new connection has its own complexities. It may be a different thing on Java SDK. There may be some programs that may not be able to access it.
In Laos, clients don't have much wiggle room when it comes to cost. The economy right now isn't very good. Most just choose the basic solution in order to avoid pricey licensing fees.
subscription payment
We're just customers. We use it in our office and suggest it to clients. However, we don't have a business relationship with Cisco.
We try to adhere to our client's needs, and therefore, if they specify hardware they want to use, like Fortinet, we tend to accommodate them.
That said, if they ask my opinion, I usually recommend Cisco ASA.
I know a lot about the product and I'm good at controlling everything. I have a lot of knowledge and understanding after working with it so closely. That's why I tend to favor it when my customers ask for advice.
Overall, I would rate the solution seven out of ten. If the user interface were a bit better, I'd rate it higher.
I use it to protect my DMZ from external attacks.
Last year, we received a lot of linear service attacks in our environment during the Black Friday season. Cisco Firepower blocked every attack.
The Adversity Malware Protection (AMP) feature is the most valuable.
It is also very easy to use. Every technical user can operate this solution without any difficulty. The dashboard of Cisco Firepower has every tool that a security operator needs. You can find every resource that you need to operate through this dashboard.
Its interface is sometimes is a little bit slow, and it can be improved.
When you need to put your appliance in failover mode, it is a little difficult to do it remotely because you need to turn off the appliance in Cisco mode.
In terms of new features, it would be good to have AnyConnect VPN with Firepower. I am not sure if it is available at the moment.
I have been using Cisco Firepower for two years.
We use it specifically for DMZ, so we don't need it to scale it up. Because we are using this solution for a specific environment, we don't plan to increase its usage.
We have a few teams who use this solution. We have the information security team for reading the logs and policies. We have administrators, and we also have contractors for the network operation center to analyze some logs and reports.
We have used their technical support. They are amazing. Cisco's technical support is the best.
We have used Check Point and one more solution. The main difference is in the IPS signatures. Cisco Firepower has precise and most updated IPS signatures.
The initial setup is easy. The deployment took two months because we didn't have Firepower previously, and it took us some time to plan and implement.
We used our reseller and contractor to deploy Cisco Firepower. They were good.
I would recommend this solution. I would rate Cisco Firepower a nine out of ten.
We are a solution provider and Cisco NGFW is one of the products that we implement for our clients. My clients use it for internet access within the enterprise.
I like the firewall features, Snort, and the Intrusion Prevention System (IPS).
This product is managed using the Firepower Management Center (FMC), but it would be better if it also supported the command-line interface (CLI). Cisco's FTD devices don't support the command-line interface and can only be configured using FMC.
We have been using this product for the past four years.
This is a stable product and we plan to continue implementing it for clients in the future.
Cisco NGFW is a scalable firewall. My client has more than 100 users.
We have support from Cisco's TAC, the Technical Assistance Center, and they support this product well. We haven't had any issues with them.
Prior to the Next Generation firewall, my clients were using Cisco ASA for more than 10 years.
The initial setup is easy, with the installation and configuration taking about two hours.
I did the deployment myself.
This product requires licenses for advanced features including Snort, IPS, and malware detection.
In summary, this is a good product and I recommend it.
I would rate this solution a ten out of ten.
Our primary use case is as a data center firewall for internet firewalls and also as a VPN concentrator. I'm the chief technology officer and we are partners of Cisco.
In terms of features there hasn't been much improvement but it's a very stable solution and a very good firewall with almost all of the features required for next generation firewall purposes. Almost all the firewalls on the market have the same features available, but if you take into account the integrations and reporting of Cisco, it's a little better than the others. In particular, the briefing reporting is better. With Fortinet we would probably have to use FortiAnalyzer as a separate reporting module for Fortinet, but here the reporting is good.
There needs to be an improvement in the time it takes to deploy the configurations. It normally takes two to four minutes and they need to reduce this. The deployment for any configuration should be minimal. It's possibly improved on the very latest version.
An additional feature I would like to have in Firepower would be for them to give us the data from the firewall - Cisco is probably working on that.
I've been using this solution for close to five years.
The scalability is very good.
We generally provide support but if we're not able to resolve an issue, we escalate it to Cisco and they're great. They are one of the best support services I've used and it's one of the reasons Cisco is doing so well in the market.
I also work with Fortinet and Palo Alto. Fortinet is also a really good product but Cisco is a leader in next generation firewalls and now that they are catching up to Fortinet, they have provided a lot of features and flexibility. I personally see Cisco as being good for large enterprise companies and Fortinet is better for families as well as small and medium size businesses. When it comes to Palo Alto, the high price point is one thing that is an issue, some companies are unable to afford it. Palo Alto is good but Cisco is catching up to them and I believe in a year or two, Cisco will probably match Palo Alto as well and be much better.
The initial setup is not too complex, but as with Fortinet, they have some detailed steps required which adds to the flexibility also. With flexibility comes a bit of complexity, but it's not too bad. Deployment time takes a few minutes. I am responsible for implementation and maintenance for our clients. We were previously deploying only for medium or large enterprise companies but Cisco has come up with the 1000 and 1100 series firewalls for smaller companies which is pretty good. They're a cost-effective solution and competitive in the market.
Cisco falls somewhere in the middle in terms of pricing, it's not very expensive and it's not very cheap. There is an additional accessory fee associated with Cisco but normally they have a separate subscription cost for different types of security to protect the firewall. There are separate bundles available inside the pricing and that's probably true for all of the firewalls.
Cisco is a large, good and reliable firewall. They are working on advanced features and catching up with the leaders in the market. I believe that's a score for them. A yearly subscription is cheaper than Palo Alto and Fortinet offer. They provide good support and once it's loaded, it doesn't give a lot of problems, that's very important.
I would rate this solution an eight out of 10.
I am a consultant and when clients ask for white papers or studies, I do the research. At that point, they do whatever change processes they have; I give them all of the numbers and other relevant data, but that's the extent of what we do in my organization.
They are just using it as a stateful packet inspection firewall, traditional firewalling.
At this point, my client is looking for their next solution so something may not be working.
The most valuable features for my client are the ASDM and monitoring.
They have familiarity with the Cisco CLI.
Cisco ASA is not a next-generation firewall product.
My client has been using the Cisco ASA solution for approximately five years.
They've been using it for five years and my assumption is that it's been good for what they needed it t do. However, they were consulting to move forward with something different.
The scalability is very limited because as a traditional firewall, it's a step behind. As far as the scale goes, my assumption is that you just buy a bigger model.
I was not consulting with this client when they implemented the Cisco ASA.
This is a hardware-based device, versus a virtual one, so it's maxed out.
My assumption is that it's a typical HA, basic setup.
My client is looking for a next-generation firewall solution to replace the Cisco ASA.
What they need is a step up from what they already have that includes application-controlled firewall rules, as well as other features that ASA doesn't currently have.
My suggestion for anybody who is looking at Cisco ASA is to work with the vendor, as they have newer products.
I would rate this solution a seven out of ten.
Our company sells Cisco Firewalls and the ASA is one of the products that we implement for our clients. The primary use cases are internet access, AnyConnect, and VPN.
The most valuable features are the provision of internet access, AnyConnect, and VPN capabilities. Because I primarily deal with the VPN functionality, I don't get very deep into the IPS or other capabilities.
I have worked with the new FTD models and they have more features than the ASA line.
We have been dealing with Cisco ASA since about 2002.
I am very happy with its stability and the product in general.
In our organization, we only have one in our data center that all of our people pass through. However, I've got clients that have thousands running through large Cisco firewalls.
Cisco's technical support has always been excellent. They have great support.
I have dealt with four or five others, but so far, I have the most experience with Cisco.
Recently, I worked with the new FTD 1000 or 1100 series, and they do a lot.
The complexity of the initial setup depends on the environment. Sometimes, it's brand new whereas other times, I install a replacement for an existing Cisco device or some other product.
I am in charge of installing and configuring our Cisco Firewall solutions.
I would rate this solution a ten out of ten.
The configuration support is very good. You can find a lot of configuration samples and troubleshooting tips on the internet, which is very good.
You need to have a little bit of knowledge to be able to configure it. Otherwise, it would be very difficult to configure because there is no GUI. The latest software available in the market has a GUI and probably zero-touch provisioning and auto-configuration. All these things are not available in our version. You need to manually go and configure everything in the switch.
In terms of new features, we would definitely want to have URL-based filtering, traffic steering, and probably a little bit steering in the bandwidth based on the per-user level and per-user group. We will definitely need some of these features in the near future.
I have been using this solution for the last one and a half years.
Stability-wise, it is pretty stable. It is probably not very feature-rich, but whatever features we are using, they are pretty stable.
Scalability-wise, we did not have much problem because we have a single site. If we have two or more sites, and if we want to have a site-to-site VPN and more number of users, we are not sure about the scalability. We will have to go for an updated version of the new product line.
We have close to 80 plus users. We anticipate a huge increase in the number of users and plan to increase the usage of Cisco ASA Firewall. We may have to open a new center in a different city, which will lead to more sites, users, and usage.
Their support is good, but the cost of support is very high. Next year onwards, we may not go for technical support because most of the time, they only do the configuration, and the configuration-related information is pretty much available on the internet.
Initially, we started with some open-source alternatives, like Opium, but eventually, we thought of moving towards a proven solution. We just did a study. We didn't put the open-source solution into production. One of our customers was basically suggesting us to go with this one, and we went for it. We did not get time to go through, study, and explore different options because we didn't have the bandwidth for testing the complete features of the open-source alternatives. Therefore, we thought of going for a commercial solution. A lot of alternatives are available right now for this solution.
The initial setup was not too complicated. It was good.
We took the help of a reseller for the initial configuration.
The product cost is a little high. It is a little bit on the high side, and it should be a little bit cost-friendly.
I would rate Cisco ASA Firewall a seven out of ten. It needs improvement in terms of a few features and cost-friendliness.
It provides the firewall and security for our edge network.
We are using a really old ASA device that is at end-of-life, so we're replacing it.
The most valuable feature is the access control list (ACL).
This is an older product and has reached end-of-life.
We have been using Cisco ASA for probably ten years.
This is a very stable product.
We're just a small company, so we have not had to scale it.
The technical support is definitely very good.
The initial setup was very straightforward.
Just one person is required for maintenance.
My advice for anybody who is implementing Cisco ASA is that it is not very difficult to deploy and not very difficult to understand how to continue adding more rules to it.
I would rate this solution an eight out of ten.
We primarily use the solution for the various firewalls.
Cisco is powerful when it comes to detecting intrusions. It's better than, for example, Fortinet.
Cisco has multiple products - not just firewalls. The integration between other items provides a powerful end-to-end solution. It's nice and easy. There is one management system and visibility into all of the features. Using the same product is more powerful than using multiple systems. Cisco is known by most customers due to the fact that at least they have switches. However, when clients say "we need an end-to-end option" Cisco is there.
The stability is very good.
Technical support services are excellent.
Before an ASA, it was a live log. It was easy and comfortable to work with. After the next-generation firewall, Firepower, the live log became really slow. I cannot reach the information easily or quickly. This has only been the case since we migrated to next-generation firewalls.
There is some delay between the log itself. It's not really real-time. Let's say there's a delay of more than 20 seconds. If they had a monitoring system, something to minimize this delay, it would be good.
It would be ideal if I could give more bandwidth to certain sites, such as Youtube.
I work with Fortinet also, and I find that Fortinet is easier now. Before it was Cisco that was easier. Now Fortinet is simpler to work with.
On firewall features, Fortinet is better. Cisco needs to become more competitive and add more features or meet Fortinet's offering.
I've been using the solution since about 2003, when I originally implemented it.
The solution is extremely stable. We don't have any issues whatsoever. It doesn't have bugs or glitches. It works well. Occasionally, it may need patches, however, there's very little downtime.
The scalability of the solution is very good. We have no trouble expanding the solution.
They have multiple products that fit in multiple areas. They also have virtual firewalls, which are working well in virtualization systems. They have the data center firewalls feature for data centers. It's scalable enough to cover most of the use cases that might arise.
Cisco offers excellent technical support. They're useful and very responsive - depending on the situation itself. Sometimes we require the support of agents and we've found Cisco to have one of the best support systems in the market.
I also work with Fortinet, and it's my sense that, while Fortinet is getting easier to use, Cisco is getting harder to deal with.
The initial setup is not complex at all. It's pretty straightforward.
A full deployment takes between two and three days. It's pretty quick to set up.
The pricing is neither cheap nor expensive. It's somewhere in the middle. If you compare it to Fortinet or Palo Alto, Fortinet is low and Palo Alto is very high. Cisco falls in the middle between the two.
As far as deployment options go, they often have more wiggle-room with discounts, especially for larger deployments. Therefore, in general, it ranges closer to Fortinet's pricing.
We're partners with Cisco, Fortinet, and Palo Alto.
I work with on-premises deployments and virtual firewalls, however, I don't use the cloud.
The solution works well for medium-sized enterprises.
Overall, I would rate the solution nine out of ten.
I'd recommend users to layer in solutions. At the perimeter, if they have two tiers, I'd recommend Palo Alto as the first and then Cisco ASA as the second. Cisco can work on the data center or Fortinet. In the case of Fortinet, they have the best backline throughput from all of the other products.
I like them mostly because they don't break and they have great diagnostics. If something is awry, you can generally figure it out. And of course, everybody has a VPN, but I like the security of their VPN.
They should improve their interface and ensure that people actually know what they're doing before they start programming; that would make me happy. But that's never going to happen — it's a total pipe dream.
Some of the next-generation stuff that Cisco is doing now allows you to add web filtering and provides more security inside the device. That's why we were looking at the Next-Generation Firewall.
I have been using this solution since they developed it.
I've had a couple of issues. Way back, they had a power supply that had to be changed out. They also had some issues with the 5500 series. Other than that, they're pretty rock-solid.
Within their limitations, yes, they're scalable. You don't want to put a 5506 in when you need a 5525 — you'll never get it there. If properly sized, they're scalable, but you can't make a 5506 a 5525 — there're different processors and everything. You have to know where you're going. You have to know your customer first.
The tech support is good. The documentation is verbose almost to the point of being confusing if you don't know what it is you're looking for.
It's only confusing if you have somebody who is not familiar with it. They give you every option in great detail, so you can spend time searching through a manual that you might not otherwise. Here's an example: take Sophos or SonicWall — let's say the manual for SonicWall is 25 to 30 pages; that same Cisco documentation is going to be three times that size or more.
It's not that it needs to be simplified, the people using it need to be knowledgeable. It is not a novice box, we'll put it that way.
We've been with Cisco for a long time. We've used their routers and gadgets for years and years.
The initial setup is quite straightforward.
I would guess that the market value of Cisco is going to be towards the higher-end. I don't know that it's the highest, but feature for feature, I'd say it's probably well-priced.
Cisco ASA Firewall Is not as much of a plug and play solution as some of the others. You just need to make sure that you do your research.
On a scale from one to ten, I would give Cisco ASA Firewall a rating of nine.
My primary use case with Cisco Firepower NGFW is implementing, configuring, maintaining, and troubleshooting lab and customer devices in both lab and production environments.
Using best practices for configuration, as well as fine-tuning intrusion policies and utilizing as many of the features that the firewall has to offer, which are feasible in said environment.
Overall, I am confident to say that I have worked with every flavor of Cisco Firepower NGFW, be it their older IPS-only sensors, ASA with Firepower services, as well as the FTD sensor itself.
Cisco Firepower NGFW has improved our organization by giving us the opportunity to protect both our network and our customer's environments. Being able to work with the device in a lab environment and utilizing the whole feature set is really easy with the Evaluation licenses of 90 days on the FMC. The only thing that you need is an environment with enough resources to virtualize both the FMC and FTD sensors.
I would like to emphasize the easy-to-use evaluation period of the Cisco Firepower NGFW because many other firewall vendors lack this and it is a real pain having to test everything in production environments because you cannot build a good lab environment without paying for licenses.
The most valuable feature that Cisco Firepower NGFW provides for us is the Intrusion policy.
Again, with that being said, I cannot shy away from giving kudos to all of the other features such as AVC (Application Visibility and Control), SSL Decryption, Identity policy, Correlation policy, REST API, and more.
All of the features that are incorporated in the Cisco Firepower NGFW are awesome and easy to configure if you know what you are doing. Things almost always work, unless you hit a bug, which is fixed with a simple software update.
I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device.
Also, they need to ensure that all of the implemented features are working as they should, and able to integrate with more third-party software in an easier manner.
As it stands currently, Cisco is doing this, but I am not confident enough to say that their QA team is doing as good a job as they should as there have been software releases that were immediately pulled back the same day as they were released.
I have been working with Cisco NGFW for almost five years as of 2020.
I have seen devices working without any issues and/or without a reboot of the device for many years (although I do not recommend this) running on base versions of the software, and I have seen an out-of-the-box fresh install having many stability issues. However, overall my impression is that the most recent software versions are very stable without any evident underlying issues.
Keep your software up-to-date and the solution should be stable.
Cisco Firepower NGFW has a large variety of devices that are able to accommodate every company's needs, be they small or large. Overall, the scalability of the devices is very good.
Experience with Cisco TAC has been awesome almost always. The SLAs are kept every time, which is very hard to get from any of the other firewall vendors. I have not seen any other vendor get you a proficient engineer on the phone within 15 minutes.
Cisco ASA and Firepower NGFW is the first firewall solution that I have and am still using.
Once you deploy a few of these devices, the initial setup is really straightforward and easy to do unless the position of the firewall on the network needs you to do some connectivity magic in order for it to work.
All of the implementations that we have done are with in-house teams, so I have no overview of the vendor team.
Cisco, as we all know, is expensive, but for the money you are paying, you know that you are also getting top-notch documentation as well as support if needed. In some cases, this may save you a lot of money or stress, which is why everyone who uses Cisco solutions loves them.
I have worked with many other firewall vendors in both production and lab environments such as CheckPoint, Palo Alto, Fortinet, Juniper, but to be honest I find Cisco's firewall solutions and Palo Alto's firewall solution to be the best.
I believe that Cisco Firepower NGFW is the future leader in NGFW, with only maybe Palo Alto being the main competitor. This is very good, as we all know that having a rival is good for us, the users :)
We primarily use it for our clients. We have one or more at each client site - or multiple locations if they have multiple locations.
Typically our clients are up to about 500 users. Most of them are smaller than that, but they go as large as 500. They're using the solution for the full next-gen firewall stacks - intrusion protection, URL filtering, advanced malware protection, or so-called AMP. Those are the three subscription services that Cisco sells. All of our clients have those subscription services enabled at their main location. Typically, they're just protecting users that are behind the firewall. We also use it for site-to-site VPN, and we use it for client-to-site VPN.
In terms of our clients, security is one of those things that, ideally, nobody notices. It improves the functioning in the sense that you don't get hacked. However, from a noticeable, management point of view, the URL filtering is a pretty significant enhancement. People are able to block access to various websites by category. It isn't revolutionary. Lots of products do this. However, it's a nice sort of add-on to a firewall product.
At the end of the day, the solution offers good productivity enhancement to a company.
Cisco's support is great.
For experienced users, they are pretty much able do anything they want in the interface with few restrictions.
The command-line interface is really useful for us. We script basic installations and modifications through the command-line, which is considered sort of old school, and yet it allows us to fully document the changes that we're making due to the fact that we can save the exact script that was applied and say, "Here are the changes that we made."
We can have less experienced people do initial takes on an install. They can edit a template, and we can have a more experienced person review the template, and then apply it, and we don't have to worry about whether anyone inexperienced went into certain corners of the interface and made changes or whatever.
Everything is all documented in the file or in the command line script that gets uploaded to the device. It gives us great visibility.
I would say that in inexperienced hands, the interface can be kind of overwhelming. There are just a lot of options. It's too much if you don't know what you are looking for or trying to do.
The GUI still uses Java, which feels out of date today. That said, it's an excellent GUI.
The biggest downside is that Cisco has multiple firewall lines. The ASA line which is what we sell, and we sell most of the latest versions of it, are kind of two families. One is a little older, one's a little newer. We mostly sell the newer family. Cisco is kind of de-emphasizing this particular line of products in their firewall stable. That's unfortunate.
They have the ASA line, Meraki, which is a company they bought some years ago where all the management is sort of cloud interface that they provide rather than a kind of interface that you manage right on the box. They also bought Snort and they integrated the Snort intrusion detection into the ASA boxes. In the last couple of years, they've come out with a sort-of replacement to Snort, a line of firewalls that don't use IOS.
It's always been that the intrusion prevention and the based firewalling features had separate interfaces within IOS. They've eliminated IOS in this new product line and built it from the ground up. We haven't started using that product yet. They have higher performance numbers on that line, and that's clearly the future for them, but it hasn't reached feature parity yet with the ASA.
The main downside is that it feels a little bit like a dead end at this point. One needs to decide to move to one of these other Cisco lines or a non-Cisco line, at some point. We haven't done the research or made the plunge yet.
What I would like to see is a more inexpensive logging solution. They should offer either the ability to maintain longer-term logs right on the firewall or an inexpensive server-based logging solution. Cisco has logging solutions, however, they're very high end.
We've been using the solution for 20 or more years. It's been well over two decades at this point.
The solution is solid. It's a big advantage of choosing Cisco. There are no worries about stability at all.
The scalability of the solution is good. Within our customer base, it is absolutely scalable. You can go very large with it. However, if you really want the highest speeds, you have to move off of the IOS ASA line and onto the newer stuff.
Typically our clients cap out at 500 employees.
Technical support is excellent. They are extremely knowledgeable and responsive. It'd rate the ten out of ten. We're quite satisfied with the level of support Cisco provides.
We did use Juniper's NetScreen product on and off for a while. We stopped using it about ten years ago now.
We had previous experience with the Cisco gear, so we were comfortable with it, and Juniper bought the NetScreen product and sunsetted it. You had to move into a different firewall product that was based on their equivalent of IOS, something called Juno OS, and we didn't like those products. Therefore, when they sunsetted the Juniper products, we looked around and settled on Cisco.
Due to the fact that we're experienced with it and we've scripted the command line, it's extremely simple for us. That said, I think it's complex for somebody that doesn't know the IOS platform.
We're Cisco resellers.
We're always on the latest version. I don't actually keep track of the version numbers myself, however, part of what the service that we provide for our clients is updating their firewalls to the latest version.
We use multiple deployment models. We use both on-premises and cloud versions. They are also all different sizes, according to the requirements of the company.
I'd advise other companies considering Cisco to be sure to factor in the cost of the ongoing security subscriptions and the ongoing SmartNet into the purchase price. Those things, over the years, represent more than the cost of the firewall itself - significantly more. However, I'd advise others to get the security subscriptions due to the fact that it really dramatically increases the security of the solution overall.
On a scale from one to ten, I'd rate them at an eight. We love the product, however, we feel like it's not Cisco's future direction, which is the only reason I would downgrade its score. To bring it up to a 10, they'd have to make it their main product line again, which they aren't going to do.
We are primarily using the solution to protect our network.
The security the solution offers is very good. Security-wise, it's the top in the world.
The product has excellent technical support.
The user interface is easy to navigate.
Everything is user friendly.
The annual subscription cost is a bit high. They should try to make it comparable to other offerings. We have a number of Chinese products here in Pakistan, which are already very cheap and have less annual maintenance costs compared to Cisco.
I've been using the solution for a few years now.
The solution is reliable. We have been using it for more than a couple of years and we haven't had any problems. There's been no downtime and no hardware failures. It's pretty stable.
We've never tried to scale. We have a pretty small set up in our country. It's unlikely we will have to scale.
Currently, we have between 200 and 300 people on the solution.
The technical support has been very good. They are helpful and knowledgeable. We're quite satisfied with their level of service.
This is the first product of this nature that we have implemented. We didn't previously use a different solution.
Initially, the preliminary set up took us some time. However, we did have some local expertise in Pakistan. Once, when we were stuck on something, we could manage to get help from Cisco online. It wasn't that tricky or complex. In the end, it was straightforward.
We had some assistance with a local expert as well as Cisco.
There's an annual subscription. It's not cheap. It's quite pricey if you compare it to other competitors in Pakistan. There aren't any extra costs beyond the yearly licensing.
We pay about $200 yearly and we have two firewalls.
We are the customer. We are in the oil and gas business. We don't have a business relationship with Cisco.
I'd recommend the solution to others straight away. It's more or less a very standard option here in Pakistan.
Overall, on a scale from one to ten, I'd rate the solution at an eight.
We are using Cisco ASAv in our company and have deployed it for many of our customers. They are in both government and the private sector.
The deployment method varies depending on the customer's needs. For the government, it's through the government cloud while others are on-premises.
It is very stable compared to other firewall products.
It has good security features.
The firewall features make it easy for the users to work on it.
The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard.
They need a user-friendly interface that we could easily configure.
It would be beneficial to have some of the features that Cisco has, integrating with other types of security.
I have been using this solution for approximately eight years.
It's a very stable solution out of the box and we have not had any issues in our deployment.
We have 86% of the devices being used simultaneously.
It's scalable based on the type of license and modules that you require.
We don't have the option to update the box, but we can add features such as antivirus protection.
We have contacted technical support for some issues outside our technical expertise, mostly for updating the license.
We have a team that handles our issues.
We work on a case-by-case basis and are have good offers by Cisco.
It's very competitive with other products.
They should incorporate it with FortiGate, or Sophos firewalls.
If they are looking for a layer 7 type of security then they need to go with another solution.
I would rate Cisco ASAv a nine out of ten.
We use Cisco ASAv as a firewall.
The best features are stability and scalability.
There are other solutions that are better such as Palo Alto.
The management test needs improvement. The ACM requires Java and you need to know which version of Java is compatible with your Cisco version. It needs a client.
The pricing could be reduced.
I would like to see the issue with the client resolved. You shouldn't have to use the ASDM to help manage the client. Also, it should be subscription-based similar to Palo Alto.
I have been working with Cisco ASAv for approximately eight years.
The stability is good, we have not had any issues.
Cisco ASAv is scalable.
We are satisfied with technical support. They are good.
We are also using Palo Alto. It's very easy to manage, especially the UI system. You can do anything you want.
Cisco is considered to be an expensive solution.
When comparing to other vendors, it's quite expensive.
I would rate Cisco ASAv a six out of ten.
Our primary use case for this solution is to improve network security.
The maturity of our company's security implementation depends on our clients. Some of our clients really need a lot of work but some of them are advantaged. We are major implementors for Cisco.
We implement it for our clients and we also use it internally. Our security maturity is advanced. We have been in IT business for over 75 years. We have major netowrk firewall experts in the company, so we know what to do.
Our company uses more than thirty security tools. Ideally, we would use an end to end unified tool. But network security is far from that so we need to use multiple tools.
Firepower has been used for quite a few enterprise clients. Most of our clients are Fortune 500 and Firepower is used to improve their end to end firewall functionality.
The most valuable feature is the intelligence. It sends a warning for a potential attack, a zero-day attack. It sends us an advanced warning. We really like this feature.
We use other Cisco tools for switches, routers, and AppDynamics. We also use their wireless tool. We are Cisco's biggest partner, so we use the majority of their solutions. This is one of the reasons people become a Cisco-shop, because of the integration.
The integration between these products isn't perfect.
Firepower provides us with application visibility and control. We have a standard evaluation procedure with around 136 criteria. We have a team that does the evaluation and there were viruses reported.
In terms of its ability to provide visibility into threats, we put a different application to be tested. We check how much we can see. What kind of network traffic goes through different devices. We know what's going on. If something went wrong, we see the attack, we know where and which attack. We put it into our testing center. You can never get 100% visibility. Sometimes we can't detect until the damage is done. That is the danger of being in the firewall business. You never know what kinds of tricks a hacker will use. It's endless work.
Talos is pretty decent. It offers smart intelligence. It helps my team detect what is going on. Without it, the ability of the power stations would be much less. Talos is one of the reasons that we go with Cisco. It is a big advantage.
We use automated policy application and enforcement. Any of the networks are very complex. It has freed up a lot of our time. Now, it's much better but it's still far from enough. We have saved 90% of our time due to the automation.
Firepower has improved our enterprise defense ability by a lot.
We use the whole suite of Cisco device management options. Compared to ten years ago, I have seen a lot of improvement, but it's still far from enough. I wish the intelligence will be improved. There is a big learning curve now. If a new gear comes into place, then the first three months aren't so accurate. With machine learning, it is getting better. The intelligence should be there from day one. But it will still need to learn the environment and which attack is the most common.
We are still trying to figure out the best practices for harmonizing policies and enforcement across heterogeneous networks. It's something new. More and more applications are going onto the cloud and we need the hybrid Firepower ability.
The intelligence has room for improvement. There are some hackers that we haven't seen before and its ability to detect those types of attacks needs to be improved.
There is a bit of an overlap in their offerings. Which causes clients to overpay for whatever they end up selecting.
I have been using Firepower for 3 years.
I see a lot of improvement in terms of stability but it's still not 100%. We still have bugs and things will go wrong that will cause the system to not function and we will have to reboot and restart. That is something that Cisco should fix.
The scalability is reasonable and okay.
One of the clients we have has 21,000,000 node.
We use their support a lot. In my view, they need a lot of improvement. A lot of the representatives are far away and they don't have a lot of knowledge. You need to get to level two or three for them to be able to help. My team is very experienced so it takes a lot for us to make a call to technical support. We need to talk to the right person to work out the issue. The support structure is not able to reach the right level right away. This is a problem that Cisco needs to work a lot to improve one.
We also use Palo Alto, Check Point, Fortinet, Juniper, and Microsoft.
Cisco came into firewalls much later. I would say they're top ten but they're not number one yet. They need to do more work. Cisco does better than the smaller players.
The best firewall option is Palo Alto.
Considering the expertise and the way they detect an advanced attack, Palo Alto is better than Cisco.
Compared to many years ago, the configuration is much more simplified. It is still not one button to get it all done. It's not easy enough. It hasn't reached the level where a junior staff member can get the job done.
For my enterprise environment, the deployment goes wave by wave. It can take six to eight weeks. We do a rolling upgrade. It's not something that can be done in one action because the network is so huge and complex.
We have a uniform implementation strategy. We have a standard upgrading proceeding. We do testing and verify and then we put it into production.
We are the integrators and consultant team.
18 months
Be careful
Yes
Get your homework done. Get to know in-depth what Cisco can do and compare it with Palo Alto. If you're happy with Cisco, go for it but Palo Alto is the safer choice.
I would rate it an eight out of ten.
The primary use case is to have full visibility over our Web & Application behavior on the local network and over the internet. On the other hand, reporting is one of the main needs so that we can monitor and evaluate our consumption and according to that, build up our policies and security.
Cisco NGFW had the needs that were required by us but unfortunately, was very primitive.
There was no added value and every feature requires license thus extra HIDDEN cost despite a large number of renewals. Paying that much compared to what other vendors can give is out of the negotiation. For this reason we dropped it.
Unfortunately in Cisco, only the hardware was good. As for the features and services it was less than the others. Having all of the features means higher specs of hardware and intelligence processing so that it can handle all the logs proactively. Now, what is needed from the Information security, is to be proactively aware of any threat that might expose our data and at the same time have full visibility over our information sharing endpoints.
In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline. Nowadays IoT, Big Data, AI, Robotics, etc. are all evolving and shifting from automatic to intelligent. All brands that do not follow will be extinct.
I have been using this solution for three years.
good
I was using a different solution prior to this one. I shifted because I found that it can heal my pain at least partially. By the end, it did the job and more.
Not that simple, but anyone who have the knowledge can configure it.
Through a vendor and they have good tech
Always look for the history of the products and their evolution, as this will reflect their prices. As for the licenses, be smart and choose the ones you are going to use AS PER YOUR NEED.
More features=More Licenses=More work time=Increase in Cost.
Always consider what you might need to reduce your wasted time and invest it in other solutions (i.e. "If it takes you three hours to do an analysis report and the solution you are getting has this feature to reduce your time to five minutes then you can consider this license. But, if there is a feature where you can have access to the machine from the cloud and you are always connected to the company by VPN, there is no need to buy this license").
Whenever I go for a new solution, I test many leaders "NOT RELYING ON GARTNER", yet going for sites that are related to technical evaluations and real case studies. The vendors were Sophos Cyberoam, Barracuda, FortiGate, Websense, & Check Point.
Think before you buy, as this solution can be your success or failure. Always work with professionals and not promoters.
We are an ISP, so it's primarily for customer firewalls that we help customers setup and maintain. While we do use Cisco ASA in our company, we mostly configure it for customers. Our customers use it as a company firewall and AnyConnect VPN solution.
A lot of people trust Cisco. Just by its name, they feel more secure. They know it's a quality solution, so they feel safer.
The most valuable feature must be AnyConnect. We have quite a few customers who use it. It is easy to use and the stablest thing that we have. We have experienced some issues on all our VPN clients, but AnyConnect has been the stablest one.
It is one of the easiest firewalls that I've worked with. Therefore, if you're not comfortable with command line, it probably is one of the best solutions on the market.
One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes.
If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.
For five or six years.
We haven't had any issues with the firewalls.
The maturity of our company's security implementation is good. We are very satisfied as long as we maintain the software. It has needed to be updated quite a few times.
We don't have any firewalls that can handle more than a couple of gigabits, which is pretty small. I think the largest one we have is the 5525-X, though we haven't checked it for scalability.
In my company, there are probably 16 people (mostly network engineers) working with the solution: seven or eight from my group and the others from our IT department.
I haven't worked with Cisco's technical support. We haven't had real issues with these firewalls.
This was the first firewall solution that I worked with.
The initial setup has been pretty straightforward. We have set up a lot of them. The solution works.
The deployment takes about half an hour. It takes a little longer than if we were using their virtual firewalls, which we could implement in a minute.
We have a uniform implementation strategy for this solution. We made some basic configurations with a template which we just edited to fit a customer's needs.
We haven't notice any threats. The firewalls is doing its job because we haven't noticed any security issues.
The licensing is a bit off because the physical firewall is cheaper than the virtual one. We only have the physical ones as they are cheaper than the virtual ones. We only use the physical firewalls because of the price difference.
Our company has five or six tools that it uses for security. For firewalls, we have Check Point, Palo Alto, Juniper SRX, and CIsco ASA. Those are the primary ones. I think it's good there is some diversity.
The GUI for Cisco ASA is the easiest one to use, if you get it to work. Also, Cisco ASA is stable and easy to use, which are the most important things.
We use this solution with Cisco CPEs and background routers. These work well together.
We have some other VPN options and AnyConnect. We do have routers with firewalls integrated, using a lot of ISR 1100s. In the beginning, we had a few problems integrating them, but as the software got better, we have seen a lot of those problems disappear. The first software wasn't so good, but it is now.
We have disabled Firepower in all of our firewalls. We don't use Cisco Defense Orchestrator either. We have a pretty basic setup using Cisco ASDM or command line with integration to customers' AD.
I would rate the product as an eight (out of 10).
We are a Cisco partner and we implement solutions for our customers who are generally in the banking sector and other private sectors.
They are using it as a data center firewall and to secure their internet connections. Our customers usually integrate the firewall with ISE, with a Firepower module for IPS, and there are some NAC solutions.
The solution enhances the performance of the network. It blocks most of the threats and it updates attack signatures so it protects customer data better. The loss of data would be a crisis for any customer. With the deep inspection and analysis and the threat updates, it gives you more protection and safety.
Our clients use automated policy application and enforcement. For example, when you have a very big deployment or a bank needs to deploy more branches, this saves a lot of time when doing the implementation. Similarly, when you add more users or you add more devices, when you create a profile of the policies, they will be available in a matter of minutes, regardless of the number of branches or users or applications. It reduces the time involved in that by 75 percent.
The traffic inspection and the Firepower engine are the most valuable features. It gives you full details, application details, traffic monitoring, and the threats. It gives you all the containers the user is using, especially at the application level. The solution also provides application visibility and control.
The integration between the ASA and Cisco ISE is very easy because they are from the same vendor. We don't face any integration problems. This is one of the valuable points of Cisco firewalls. They can be easily integrated with different Cisco security products.
Our clients also use other products with Cisco ASA, such as Aruba ClearPass and different NAC solutions. The integration of these other products is also easy with Cisco.
It integrates with email security and Firepower. For example, if you have an attached file infected or you have attacks through email, the traffic will be forwarded to the email security and it will be blocked by the firewall. It gives you a clear view of the file and it can be blocked at every stage, protecting your network from this threat.
One of the best parts is the traffic management and the inspection of the traffic packets. The Device Manager is easy to use to supervise things, and the Firepower application gives you clear threat detection and blocking of all threats. Cisco also provides a better analysis of the traffic.
In addition, Talos is an enhancement to Cisco firewalls, and provides a better view.
The device management options, such as Firepower Device Manager (FDM), Cisco Firepower Management Center (FMC), or Cisco Defense Orchestrator (CDO) add a lot of enhancements in the initial deployment and configuration. In migrating, they can help to create the migration configuration and they help in managing encryption and automation. They add a lot enhancements to the device. They make things easier. In the past, you had to use the CLI and you could not control all this. Now you have a GUI which provides visibility and you can easily integrate and make changes.
When I deal with other firewalls like Palo Alto or Fortinet, I think there is some room for performance tuning and enhancement of the ASA. I'm not saying there is a performance issue with the product, but when compared to others, it seems the others perform a little bit better.
There could be enhancements to the cloud part of the solution. It's good now, but more enhancements would be helpful.
Finally, security generally requires integration with many devices, and the management side of that process could be enhanced somewhat. It would help if there was a clear view of the integrations and what the easiest way to do them is.
I have been using Cisco ASA NGFW for more than 10 years.
The ASA is stable. There may be some small stability issues, when compared to others, but it is a stable product. There could be enhancements to the ASA in this area when compared to other vendors, but it is not a problem with the product.
It is scalable, with virtualization and other features.
In terms of future-proofing our customers' security, we recommend the ASA. We have tested it in large environments and it's working well. The lesson I have learned from using Cisco ASA is that Cisco's research is continuous. They provide enhancements every day. It's a product for the future.
Technical support is a very strong point in Cisco's favor. I would rate it very highly. The support is excellent.
The setup is of medium difficulty. It is not very complex. Generally, when working in the security field, things are a little bit complex because you are integrating with many vendors and you are defending against a lot of different kinds of attacks.
The amount of time it takes to deploy the ASA depends on the complexity of the site where it is being set up. On average, it can take about a week. It could be that there are many policies that need to be migrated, and it depends on the integration. For the initial setup, it takes one day but the amount of time it takes beyond that depends on the security environment.
Our customers definitely see return on investment with Cisco ASA because when you protect your network there is ROI. If you lose your data you have a big loss. The ROI is in the security level and the protection of data.
The value of the pricing needs to be enhanced from Cisco because there are a lot of competitors in the market. There is room for improvement in the pricing when compared to the market. Although, when you compare the benefits of support from Cisco, you can adjust the value and it becomes comparable, because you usually need very good support. So you gain value there with this device.
My advice is to take care of and monitor your policies and be aware of the threats. You also have to be careful when changing policies. When you do, don't leave unused policies around, because that will affect performance. You should have audits of your firewall and its policies and follow the recommendations from Cisco support.
Among the things I have learned from using Cisco ASA is that integration is easy, especially with Cisco products. And the support helps you to integrate with anything, so you can integrate with products outside of the Cisco family as well.
The first time I deployed Cisco ASA was for one of our clients. This client had a Palo Alto firewall and he wanted to migrate. He bought an ASA 2505, and he wanted us to come in and deploy it and, after that, to put in high-availability. We deployed it and the high-availability means that in case one fails, there is a second one to take over.
I have deployed Cisco ISE and, in the same environment, we had a Cisco FTD. In that environment, we were using the ASA for VPN, and we were using the FTD like an edge device. The ASA was deployed as VPN facilitator and for the wireless part too, so that the wireless network was under the ASA firewall.
If we look at the Cisco ASA without Firepower, then one of the most valuable features is the URL filtering.
Also, it's easy to integrate ASA with other Cisco security products. When you understand the technology, it's not a big deal. It's very simple.
When it comes to threat visibility, the ASA is good. The ASA denies threats by using common ACLs. It can detect some DoS attacks and we can monitor suspicious ICMP packets using the ASA. It helps you know when an attack is detected.
Cisco Talos is good. It provides threat intelligence. It updates all the devices to be aware of the new threats and the new attacks out there, so that is a good thing. It's like having God update all the devices. For example, even if you have FTD in your company, malware can be very difficult to detect. There is a new type of malware called polymorphic malware. When it replicates, it changes its signature which makes it very difficult for a firewall to detect. So if your company encounters one type of malware, once, it is automatically updated in your environment. And when it is updated, Talos then updates every firewall in the world, so even if those other firewalls have not yet encountered those particular types of malware, because Talos automatically updates everything, they're able to block those types of malware as well. Talos is very beneficial.
When it comes to managing, with FMD (Firepower Management Device) you can only manage one device, but when you work with FMC (Firepower Management Center) you can manage a lot of sensors, meaning FTDs. You can have a lot of FTDs but you only have one management center and it can manage all those sensors in your company. It is very good.
One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't think that the ASA is enough. I think this is why they created FTD.
Also, Cisco is not so easy to configure.
I have been using and deploying Cisco ASA for two to three years.
Cisco ASA is stable.
It's scalable. You can integrate AD, you can integrate Cisco NAC. You can integrate quite a lot of things so that makes it scalable.
When you configure the ASA, there is already a basic setup there. Based on your environment, you need to customize it. If you understand security and firewalls very well, you can create your own setup.
For me, the initial setup is easy, but is it good? Because from a security perspective, you always need to customize the initial setup and come up with the setup that fits with your environment. So it's always easy to do the initial setup, but the initial setup is for kids in IT.
The time it takes to set up the ASA depends on your environment. For a smaller deployment, you just have the one interface to configure and to put some policies in place and that's all. If you are deploying the ASA for something like a bank, there are a lot of policies and there is a lot of testing to do, so that can take you all night. So the setup time really depends on your environment and on the size of the company as well.
When it comes to Cisco, the price of everything is higher.
Cisco firewalls are expensive, but we get support from Cisco, and that support is very active. When I hit an issue when I was configuring an FTD, as soon as I raised a ticket the guy called me and supported me. Cisco is very proactive.
I had the same kind of issue when I was configuring a FortiGate, but those guys took two or three days to call me. I fixed the issue before they even called me.
I have used firewalls from Fortinet, Palo Alto, and Check Point. To configure an ASA for VPN, there are a lot of steps. When it comes to the FortiGate, it's just a few clicks. FortiGate also has built-in templates for configuring VPN. When you want to create a VPN between FortiGate and FortiGate, the template is already there. All you need to do is enter an IP address. When you want to configure a VPN with a third-party using the FortiGate, and say the third-party is Cisco, there is a VPN template for Cisco built into the FortiGate. So FortiGate is very easy to configure, compared to Cisco. But the Cisco firewall is powerful.
Check Point is something like Cisco but if I have to choose between Cisco and Check Point firewalls, I will choose Cisco because of all the features that Cisco has. With Cisco you can do a lot of things, when it comes to advanced malware protection and IPS. Check Point is very complicated to manage. They have recently come out with Infinity where there is a central point of management.
Palo Alto has a lot of functionality but I haven't worked on the newer models.
Cisco firewalls are not for kids. They are for people who understand security. Now I know why people with Cisco training are very good, because they train you to be competent. They train you to have ability. And when you have ability, their firewall becomes very easy to configure.
When Cisco is teaching you, Cisco teaches you the concept. Cisco gives you a concept. They don't focus on how to configure the device. With Fortinet, for instance, Fortinet teaches you how to configure their device, without giving you the concepts. Cisco gives you the concepts about how the technology is working. And then they tell you how you are going to configure things on their box. When you are an engineer and you understand the technology from Cisco, it means that you can drive everything, because if you understand Cisco very well, you can work with FortiGate. If you understand security from Cisco, it means that you can configure everything, you can configure every firewall. This is why I like Cisco.
When it comes to other vendors, it's easy to understand and it's easy to configure, but you can configure without understanding. And when you configure without understanding, you can't troubleshoot. To troubleshoot, you need understanding.
I'm a security analyst, so I deal with everything about firewalls. I'm talking about ASA firewalls, and I'm talking about ASA with Firepower, FTD, and Cisco Meraki MX. When it comes to security tools I am comfortable with Cisco and everything Cisco.
One of our clients was using Cisco ASA. They got attacked, but I don't think that this attack came from outside their company. They were managing their firewall and configuring everything well, but they were still getting attacks. One of their employees had been compromised and his laptop was infected. This laptop infected everything in the organization. So the weakest link can be your employees.
We use the Cisco firewall for a number of things. We've got VPN tunnels, IPsec tunnels. We also use it for basic network layer filtering for our internal service, because we have a number of services that we offer out to clients, so that is the first device that they come across when they get into the network.
We have a network of six remote sites and we use proxy to go to the internet, and from the internet Cisco is the first line of defense. We have internet banking services that we offer to our clients, and that also makes use of the Cisco firewall as the first line of defense. And we've got a number of servers, a Hyper-V virtual environment, and we've got a disaster recovery site.
We had VAPT (vulnerability assessment and pen testing) done by external people to see our level of security from inside and outside and they managed to find some deficiencies inside. That's when they recommended that we should put in network access control. By integrating the ASA with Cisco ISE, that is what we are trying to achieve.
The whole idea is to make sure that any machines that are not on our domain should not be able to connect to the network. They should be blocked.
We also have Cisco switches deployed in our environment. All our active switches are Cisco. The ASA is integrated with them. This integration was done by a combination of our Cisco partner and in-house, because we did this at the time of setting up the infrastructure in 2016.
The benefits we see from the ASA are connected to teleworking as well as, of course, having the basic functionality of a firewall in place and the prevention of attacks. The VPN is also helpful.
Among the most valuable features are the reports which are generated according to the rules that we've put in place to either block traffic or report suspicious attempts to connect to our network. They would come standard with any firewall and we're always monitoring them and taking any corrective steps needed.
We have the ASA integrated with Cisco ISE for network access control. The integration was done by our local Cisco partner. It took them about a month to really get the solution up and running. I would like to believe that there was some level of complexity there in terms of the integration. It seems it was not very easy to integrate if the experts themselves took that long to really come up with a working solution. Sometimes we had to roll back during the process.
Initially, when we put it up, we were having issues where maybe it would be barring things from users completely, things that we wanted the users to access. So we went through fine tuning and now I think it's working as we expect.
We have been using Cisco ASA NGFW since 2016, when we launched.
The ASA is utilized 100 percent of the time. It's up all the time as it's a perimeter firewall. It's always up. It's our first line of defense. It's quite robust, we've never had issues with it. It's very stable.
We haven't maxed it out in terms of its capacity, and we've got up to about 200 users browsing the internet at any given time. In terms of throughput, we've got an ASA 5525 so it handles capacity pretty well. There aren't any issues there.
We have a Cisco partner, so if ever we did have issues we'd go through them, but up until now — this bank has been open for four years — we've never had an issue with the Cisco firewall.
We went with Cisco because it's a reputable brand and we also have CCNP engineers in our team as well. It's the brand of choice. We were also familiar with it from our past jobs.
The ROI is the fact that we haven't been attacked.
It's a brilliant firewall, and the fact that it comes with a perpetual license really does go far in terms of helping the organization in not having to deal with those costs on an annual basis. That is a pain point when it comes to services like the ones we have on FortiGate. That's where we really give Cisco firewalls the thumbs up.
From the point of view of total cost of ownership, the perpetual licensing works well in countries like ours, where we are facing challenges with foreign exchange. Trying to set up foreign payments has been a challenge in Zimbabwe, so the fact that we don't have to be subscribed and pay licenses on an annual basis works well. If you look at FortiGate, it's a good product, but we are always under pressure when renewal time comes.
Where Cisco falls a bit short is because of the fact that, if I want IPS, I have to buy another license. That's why I have my reservations with it. If I want Cisco AnyConnect, I have to buy another license. That's where we have challenges. That's unlike our next-gen FortiGate where everything comes out-of-the-box.
My advice is "go for it," 100 percent. If ever I was told to implement a network, ASA would definitely be part and parcel of the solution.
The biggest lesson we've learned from using the product is about the rapid growth of the product's offerings.
In terms of the maturity of our organization's security implementation, I would like to believe that we are about midway. We still need to harden our security. We need to conduct penetration testing every two years and, resources permitting, maybe yearly. The guys out there who do cyber security crimes are becoming more and more advanced, so there is a need for us to also upgrade our security.
We have a two-layer firewall setup, which is what is recommended as the standard for the payment card industry. We probably need solutions linked with cloud providers from the likes of Cisco, and to put in some bank-grade intrusion detection solutions. Because we have already adopted two technologies, Cisco and FortiGate, we might be looking at solutions from those two providers.
We're also looking at end-point security solutions. We've been using the one which comes with our Office 365 and Microsoft product, Windows Defender. We are going to be trialing their new end-point management solution. We are trying to balance things from a cost point of view and providing the right level of security.
In addition to Windows Defender and the firewalls — ASA and FortiGate — and the network access control, we also have SSL for the website.
As for application visibility and control, currently we're just using logging. We don't have the Firepower installed, so it's just general logging and scheduled checks here and there. As for threat visibility, for us the ASA is a perimeter firewall. Behind that firewall we have an IDS and an IPA. We actually have the license for Firepower but we haven't implemented it; it was just an issue of priorities at the time.
Some are being used as edge firewalls and others are for our server-farm/data center. So some are being used as transparent firewalls and others are used as a break between the LAN and WAN.
In addition to the firewalls, we have Mimecast for email security as we're using Office 365. We're also using IBM's QRadar for SIEM. For antivirus we're just using Microsoft Windows Defender. We also have an internet proxy for content and for that we're using NetScaler.
Automated policies definitely save us time. I would estimate on the order of two hours per day.
On the network side, where you create your rules for allowing traffic — what can come inside and what can go out — that works perfectly, if you know what you want to achieve. It protects you. Once you get all your rules in place, done correctly, you have some sort of security in terms of who can have access to your network and who has access to what, even internally. You're secure and your authorization is in place for who can access what. If someone who is trying to penetrate your network from the outside, you know what you've blocked and what you've allowed.
It's not so difficult to pull out reports for what we need.
It comes with IPS, the Intrusion Prevention System, and we're also using that.
I've been using Cisco ASA NGFW for five years.
The stability is quite good. We haven't had issues. I've used them for five years now and I haven't seen any hardware failures or software issues. They've been running well. I would recommend them for their reliability.
You can extend your network. They are cool. They are good for scalability.
We have a Cisco partner we're working with. But if they're struggling to assist us then they can log a ticket for us. Our partner is always a 10 out of 10.
Given that we have been upgrading with Cisco firewalls, I would say that our company has seen a return on investment with Cisco. We would have changed to a different product if we were not happy.
The response time from the tech and the support we get from our partner is quite good. We have never struggled with anything along those lines, even hardware RMAs. Cisco is always there to support its customers.
The pricing is quite fair for what you get. If you're comparing with other products, Cisco is expensive, but you do get benefits for the price.
The firewall that I was exposed to before was Check Point.
It's very good to get partner support if you're not very familiar with how Cisco works. Cisco Certified Partner support is a priority.
For application visibility and control we're using a WAN optimizer called Silver Peak.
To replace the firewalls within our data center we're planning to put in FMCs and FTDs. With the new FMCs what I like is that you don't need to log in to the firewalls directly. Whatever changes you do are done on your FMCs. That is a much needed improvement over the old ASAs. You can log in to the management center to make any configuration changes.
There are two of us managing the ASAs in our company, myself and a colleague, and we are both network specialists. We plan to increase usage. We're a company of 650 employees and we also have consultants who are coming from outside to gain access to certain services on our network. We need to make provisions on the firewall for them.
We have an offshore development center with around 1,400 users (in one location) where we have deployed this firewall.
The maturity of our organization’s security implementation is a four out of five (with five being high). We do have NOC and SOC environments along with in-built access to our systems.
We use Acunetix as one of our major tools. We do have some open source. There are a couple of networks where we are using the Tenable tool. We have implemented an SIEM along with a Kaspersky at the cloud level. In the Cisco firewall, we installed Kaspersky in the firewall logs which upload to Kaspersky for us to review back.
Being able to determine our active users vs inactive users has led us to increased productivity through visibility. Also, if an issue was happening with our throughput, then we wouldn't know without research. Now, notifications are more proactively happening.
The advance malware protection (AMP) is valuable because we didn't previously have this when we had an enterprise gateway. Depending on the end user, they could have EDR or antivirus. Now, we have enabled Cisco AMP, which give us more protection at the gateway level.
The application visibility is also valuable. Previously, with each application, we would prepare and develop a report based on our knowledge. E.g., there are a couple business units using the SAS application, but we lacked visibility into the application layer and usage. We use to have to configure the IP or URL to give us information about usage. Now, we have visibility into concurrent SAS/Oracle sessions. This solution gives us more visibility into the inbound/outbound traffic being managed. This application visibility is something new for us and very effective because we are using Office 365 predominantly as our productivity tool. Therefore, when users are accessing any of the Office 365 apps, this is directly identified and we can see the usage pattern. It gives us more visibility into our operations, as I can see information in real-time on the dashboards.
The solution has positively affected our organization’s security posture. I would rate the effects as an eight (out of 10). There is still concern about the engagement between Cisco Firepower and Cisco ASA, which we have in other offices. We are missing the visibility between these two products.
We would like more application visibility and an anti-malware protection system, because we don't have this at the enterprise level.
The central management tool is not comfortable to use. You need to have a specific skill set. This is an important improvement for management because I would like to log into Firepower, see the dashboard, and generate a real-time report, then I question my team.
Nearly a year.
So far, it has been stable.
We have around 32 people for maintenance. Our NOC team works 24/7. They are the team who manages the solution.
Scalability is one of our major business requirements. We are seeing 20 percent growth year-over-year. The plan is to keep this product for another four years.
We contacted Cisco directly when issues happened during the implementation, e.g., the management console was hacked.
We used Fortinet and that product was coming to end of life. We had been using it continuously for seven years, then we started to experience maintenance issues.
Also, we previously struggled to determine who were all our active users, especially since many were VPN users. We would have to manually determine who was an inactive user, where now the process is more automated. It also had difficult handling our load.
The initial setup was complex. We engaged NTT Dimension Data as there were a couple things that needed to be done for our requirements and validation. This took time to get signed off on by quality team. However, the configuration/implementation of the system did not take much time. It was a vanilla implementation.
We did face performance issues with the console during implementation. The console was hacked and we needed to reinstall the console in the virtual environment.
We were engaged with a local vendor, NTT Dimension Data, who is a Cisco partner. They were more involved on the implementation and migration of the firewall. Some channels were reconfigured, along with some URL filtering and other policies that we used for configuration or migration to the new server.
Our experience with NTT Dimension Data has been good. We have been using them these past four to five years.
We have seen ROI. Our productivity has increased.
The change to Cisco Firepower has reduced the time it takes for our network guy to generate our monthly report. It use to take him many hours where he can now have it done in an hour.
Cisco pricing is premium. However, they gave us a 50 to 60 percent discount.
There are additional implementation and validation costs.
We also evaluated Check Point, Palo Alto, Sophos, and Cisco ASA. In the beginning, we thought about going for Cisco ASA but were told that Firepower was the newest solution. We met with Cisco and they told us that they were giving more attention going forward to Firepower than the ASA product.
We did a small POC running in parallel with Fortinet. We evaluated reports, capability, and the people involved. Palo Alto was one of the closest competitors because they have threat intelligence report in their dashboard. However, we decided not to go with Palo Alto because of the price and support.
We are using Cisco at a global level. We have internally integrated this solution with Cisco Unified Communications Manager in a master and slave type of environment that we built. It uses a country code for each extension. Also, there is Jabber, which our laptop users utilize when connecting from home. They call through Jabber to connect with customers. Another tool that we use is Cisco Meraki. This is our all time favorite product for the office WiFi environment. However, we are not currently integrating our entire stack because then we would have to change everything. We may integrate the Cisco stack in the future. It should not be difficult to integrate since everything is a Cisco product. The only issue may be compliance since we have offices in the US and Europe.
We are now using a NGFW which helps us deep dive versus using a normal firewall.
Overall, I would rate Cisco Firepower as an eight (out of 10).
I protect my two servers with the help of Firepower. Both servers are connected to the Firepower and I monitor the traffic to both servers with it. I block traffic from all countries except the USA, for security purposes.
It meets my requirements regarding VPN, perimeter protection, and applications. I'm comfortable with what Firepower does for me. Firepower is the only security product deployed in my organization.
The Talos team is very expert and does a good job. It is a great achievement by Cisco for Firepower. It analyzes all the websites and viruses that could create vulnerabilities. Talos helps us by providing major protection. They maintain everything and we don't need any other security appliances. In the future, we may go for an email security appliance, but right now Firepower is enough for us. Without the Talos team, the Firepower might not fulfill our requirements.
For example, if I receive an email and it has a potentially malicious link, I can enter the link in the Talos website and it will provide me with all the details about the website link in the email, including which country and IP it is from. I always try to cross-check any potentially malicious links with Talos. It tells me whether I am vulnerable or not.
One of the most valuable features is the AMP. It's very good and very reliable when it comes to malicious activities, websites, and viruses.
It also handles application vulnerabilities. I have blocked some applications in my Firepower. In addition, there are predefined policies that come with the Firepower and I have created my own policies as well.
We also use Cisco switches, the 2920 for Layer 2 and the 3560 for Layer 3. The Firepower is integrated with the 3560. I have configured a gateway on the 3560 and all our traffic goes through the switch and is then passed on to the Firepower. The integration between the two was very easy.
