No more typing reviews! Try our Samantha, our new voice AI agent.

Cisco Secure Firewall vs WatchGuard XTM [EOL] comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Sep 30, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Cisco Secure Firewall
Average Rating
8.2
Reviews Sentiment
6.9
Number of Reviews
464
Ranking in other categories
Firewalls (3rd), Cisco Security Portfolio (2nd)
WatchGuard XTM [EOL]
Average Rating
8.0
Number of Reviews
34
Ranking in other categories
No ranking in other categories
 

Featured Reviews

RajeshKumar - PeerSpot reviewer
Network Consultant at a outsourcing company with 1,001-5,000 employees
Unified policies have strengthened zero-trust demos and automate rapid threat containment
Feedback and Improvement Areas – Cisco Secure Firewall (Customer Perspective) From a customer point of view, there are a few improvement areas observed while positioning Cisco Secure Firewall in competitive scenarios. 1. Dashboard & Visibility Enhancements Customers often compare firewall dashboards across different OEMs during evaluation. * Competing vendors typically provide more feature-rich and visually detailed dashboards. * There is a perception that Cisco dashboards still require enhancement in terms of visualization, consolidated reporting, and built-in analytics. * Some OEMs advertise additional security capabilities clearly within their publicly available data sheets, making competitive positioning easier. In comparison, Cisco sometimes references separate documentation or explains how certain capabilities (such as anti-spam or antivirus functionality) can be achieved through integration or ecosystem components rather than native, built-in features. This creates a perception gap during customer discussions. Improvement Opportunity: * Enhance dashboard capabilities. * Clearly articulate feature availability in public documentation and data sheets. * Reduce dependency on cross-referenced documentation for commonly compared features. 2. Virtual Firewall / Multi-Instance Capabilities in Lower Models Another competitive challenge relates to virtual firewall capabilities. * Several OEMs provide virtual firewall (VDOM-like) functionality in lower-end models. * In Cisco’s portfolio, multi-instance capability typically starts from higher-end platforms such as the 3K series or higher. * Customers looking for smaller deployments with logical segmentation are often forced to consider higher models, resulting in a price jump. Competitors also offer: * Compact hardware models * Dongle-based firewall appliances * Smaller entry-level products with virtual segmentation In Cisco’s case: * To achieve similar multi-instance functionality, customers must opt for higher-tier models. * This creates a significant pricing gap in entry-level or SMB deployments. This pricing difference becomes a key factor when customers compare solutions. If competitors offer a lower-cost model with virtual segmentation, and Cisco requires a higher platform investment, customers may lean toward alternative OEMs. 3. Documentation Gaps – OT Protocol Visibility In our lab environment, we have deployed Cisco Secure Firewall and are using Application Visibility and Control (AVC) for OT network monitoring. Observations: * OT protocols are clearly visible within application visibility. * The firewall successfully identifies and classifies OT traffic. However: * This capability is not clearly mentioned in publicly available documentation. * When a feature is available and functional, it should be explicitly documented in data sheets and feature guides. The need for third-party integration depends on what we are looking for. Here I am saying that the integration with Cisco NAC can be done because RTC functionality is only available with Cisco ISE and the firewall integration. For other ecosystems, if we use a NAC solution that is not Cisco, we can still integrate it for user authentication, such as with VPN user authentication. But in that case, we don't achieve the same functionality, such as RTC with other NAC solutions. This is one aspect. Another part is that if we are using it, it always happens with some NAC solutions because we have Cisco NAC and Cisco firewall; we want consistent policy across the network, whether the user is on-prem or using VPN services. If this is a unified OEM solution, in that case, we require an agent, such as the Cisco Secure Client. That allows us to easily check the posture status of the remote user and connect to the network effortlessly. But if we are using a third-party solution, we can't achieve that. From a SIEM perspective, certain prerequisites must be fulfilled before integration with Cisco Secure Firewall can be completed. The feasibility of integration depends on the capabilities of the SIEM platform. If the SIEM solution supports the required APIs and event handling mechanisms, similar functionality can be achieved. Therefore, integration itself is generally not the challenge; the key consideration is the desired security outcome within the overall ecosystem. If the customer does not have a SIEM solution and intends to automate quarantine actions or enforce restricted access for users, a Network Access Control (NAC) solution becomes mandatory. In this scenario, the recommended NAC solution is Cisco Identity Services Engine (Cisco ISE). Automated quarantine and dynamic access control workflows are dependent on NAC capabilities. From a feature enhancement perspective for Cisco Secure Firewall, deeper NAC-driven integration adds significant value. 1. TrustSec / Tag-Based Policy Enforcement Cisco ISE supports Cisco TrustSec, which enables Security Group Tag (SGT)-based segmentation. * In traditional (legacy) networks, firewall policies are created based on IP addresses. * With TrustSec, policies are defined based on user identity, group membership, and security tags instead of IP subnets. * When users authenticate to the network, Cisco ISE assigns Security Group Tags (SGTs). * These tags are shared with Cisco Secure Firewall. * The firewall then enforces policies based on SGT-to-SGT rules rather than IP-to-IP rules. Benefits: * Significant reduction in the number of firewall rules * Simplified policy management * Improved scalability * Easier implementation of role-based access control This integration enhances operational efficiency and security posture. 2. Rapid Threat Containment (RTC) Another key capability is Rapid Threat Containment (RTC). If Cisco Secure Firewall detects malicious activity—such as malware download attempts identified via signature-based or advanced threat detection—it can notify Cisco ISE about the compromised endpoint. Based on this input: * Cisco ISE can automatically quarantine the user * The endpoint can be moved to a restricted VLAN * Access can be dynamically limited without manual intervention This automated workflow ensures faster response time and reduces the risk of lateral movement within the network. 3. VPN and Posture Assessment This functionality is not limited to wired or LAN users. For VPN users: * Authentication can be integrated with third-party NAC solutions. * However, if posture assessment (device compliance checking) is required in addition to authentication, Cisco ISE integration with Cisco Secure Firewall becomes essential. Cisco ISE enables: * Endpoint posture validation * Dynamic policy assignment * Automated remediation workflows
Generalm4545 - PeerSpot reviewer
General Manager- IT & Automation - Serum at a pharma/biotech company with 1,001-5,000 employees
Protects from attack software and hacking but it doesn't provide the reports in a readable format
In my opinion, image clarity is very important, because I don't get the proper image product on reports. This means that functionality is not there. My engineer does not know how he can replace an order. We attach a log after any kind of keys using a utility instead. For the internet policies that we are implementing, the policy should be based on proper protocols. We use the default policies and there are a number of third-party protocols that appear here. Management with WatchGuard XTM means that out of policy is the problem from our side. In this way, we can not do effective services for people with this one. The policy definition with WatchGuard XTM is not proper for all use case requirements. I've got weekly business reports that I am expecting attachments with from WatchGuard XTM that display data for all kinds of consideration which should be required. Main User Functionality Level Order must adhere to using the admin functionality on the registry, or else our users publish their own name. Maybe these recommendations are irrelevant, but I say that the issue to improve most with WatchGuard XTM is the Main User Function.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most important features are the intrusion prevention engine and the application visibility and control. The Snort feature in Firepower is also valuable."
"Technical support with Cisco is very good."
"When I was managing these firewalls, I found them easy to understand, easy to deploy, and easy to maintain as compared to some of the other firewalls I have been involved with earlier. The opinion of my coworkers is that it's easy and quick to establish new zones, expand, and maintain."
"The ability to intercept unwanted traffic, and prevent attacks without interrupting everyday work, and the stability of this product are the key functionalities in our deployment."
"I have worked on the best firewalls in the market, and Cisco ASA is one of the best."
"ASA is a very reliable product and I have been using it since I came across it."
"We use Cisco ASA Firewall to protect different sites at a protocol level, and we also use it for antivirus and bot protection."
"The IP filter configuration for specific political and Static NAT has been most valuable."
"Security is a requirement for any organization, using WG products you can deploy faster solutions to big problems with a fair price."
"They have a reporting system which can store data over a very long period of time. Not many other firewall vendors provide a reporting system, but if they do, like Fortinet does, then you've got buy that as an additional product and that can be more than twice as expensive as the initial investment in the firewall. And without reporting over a long-term period, you're just about wasting your time."
"I like the hostwatch because I can see what traffic uses the most bandwidth and I can block that site."
"The most valuable features of the WatchGuard product line that we appreciate and leverage the most is the UTM security suite."
"The web filtering is a good feature."
"Application Control is fantastic with over 2,500 applications and the granularity that we can either allow people to view but not be able to log on to Facebook; or view it and log onto it if they're in the marketing department, but not play Facebook games. There are all sorts of different options like that. So it's highly granular."
"Reputation Enabled Defense indicates that some websites are so infested that it's not even worth visiting them, and therefore saving the bandwidth of going through the detection process."
"This product has helped in securing my SQL database and web applications from DDoS attacks and SQL injections, improved my network speed, and helped me to set specific policies for specific applications which I couldn't do with other products."
 

Cons

"Cisco Secure Firewall should be easier to handle. It uses ASDM, which is not easy to understand. It would be better if there was direct access via HTTPS."
"The artificial intelligence and machine learning (behavioral based threat detection), which I can this will be coming out in another year, these are what we need now."
"I think the ASA layer is thin. It's always Layer 3 or Layer 4 source controller and doesn't control the Layer 7 traffic. It's important, and you'll need an additional firewall."
"One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes."
"The annual subscription cost is a bit high. They should try to make it comparable to other offerings. We have a number of Chinese products here in Pakistan, which are already, very cheap and have less annual maintenance costs compared to Cisco."
"You shouldn't have to use the ASDM to help manage the client."
"The cost of keeping the licensing up on the ASA is very expensive. It has a lot of positives, but the cost of going with it is really starting to be a major negative right now."
"I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved."
"One huge issue with WatchGuard XTM is that I'm not getting reports in a readable format."
"Our device was not functioning properly, so we returned the product and as a result, our business was down for two days."
"I would like them to improve the product's overall protections. This would be good for all product users."
"WatchGuard doesn't have a product that allows them to get into the data center. And that's just because there is no hardware to do the job. The software could do it, but there's no hardware that allows that to happen at the moment. So it doesn't scale as well as some other products, that's for sure."
"The setting policies need improvement. It needs an easier way to do static NAT and check on what policy is being used for that specific traffic."
"The VPN errors are not helpful when troubleshooting."
"Unfortunately, I could not disable the default Outgoing policy and if I do all clients could not access the internet even if I created another Outgoing Policy to replace the default one."
"We still haven't got the Terminal Service agent to work in our Citrix environment Application Signature also doesn't work well especially in SSL traffic"
 

Pricing and Cost Advice

"Everything with Cisco is expensive. My advice is that there are a lot better options out in the market now."
"​It is worth every penny that we have invested in it.​"
"License capacity needs to be extended and the vendor needs to work on the pricing."
"All our requirements which we need performed by the firewall (e.g. VPN, URL white-listing, or IP based white-listing, etc.) have separate licenses and costs."
"Cisco Firepower is a great solution, but it is expensive compared to others that can provide similar benefits for much less."
"When we are fighting against other competitors for customers, whether it is a small or big business, we feel very comfortable with the price that Firepower has today."
"The licensing has definitely improved and got a lot easier. It is customizable depending on what the customer needs, which is a good benefit, instead of just a broad license that everybody has to pay."
"The cost of keeping the licensing up on the ASA is very expensive. It has a lot of positives, but the cost of going with it is really starting to be a major negative right now."
"Get at least a maintenance contract for the updates and take a larger WatchGuard than you need. A WatchGuard creates new ways to secure your network."
"Like all other manufacturers, there are a lot of features and different pricing. The best is to talk to a representative.​"
"It costs less than the SO works and others (like SonicWall, Cisco, and Barracuda) without increasing so much CPU use."
"The licensing and renewal is very expensive."
report
Use our free recommendation engine to learn which Firewalls solutions are best for your needs.
903,118 professionals have used our research since 2012.
 

Comparison Review

it_user206346 - PeerSpot reviewer
Security Consultant at Webernetz.net - Network Security Consulting
Mar 11, 2015
Cisco ASA vs. Palo Alto Networks
Cisco ASA vs. Palo Alto: Management Goodies You often have comparisons of both firewalls concerning security components. Of course, a firewall must block attacks, scan for viruses, build VPNs, etc. However, in this post I am discussing the advantages and disadvantages from both vendors concerning…
 

Top Industries

By visitors reading reviews
Construction Company
10%
Financial Services Firm
9%
Manufacturing Company
9%
Computer Software Company
8%
Construction Company
16%
Marketing Services Firm
11%
Financial Services Firm
11%
Performing Arts
9%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business192
Midsize Enterprise130
Large Enterprise236
By reviewers
Company SizeCount
Small Business24
Midsize Enterprise7
Large Enterprise3
 

Questions from the Community

Which is the better NGFW: Fortinet Fortigate or Cisco Firepower?
When you compare these firewalls you can identify them with different features, advantages, practices and usage at large. In my opinion, Fortinet would be the best option and l use Fortinet too...
Which is better - Fortinet FortiGate or Cisco ASA Firewall?
One of our favorite things about Fortinet Fortigate is that you can deploy on the cloud or on premises. Fortinet Fortigate is very stable, reliable, and consistent. We like that we can manage the e...
How does Cisco's ASA firewall compare with the Firepower NGFW?
It is easy to integrate Cisco ASA with other Cisco products and also other NAC solutions. When you understand the Cisco ecosystem, it is very simple to handle. This solution has traffic inspection ...
Ask a question
Earn 20 points
 

Also Known As

Cisco Adaptive Security Appliance (ASA) Firewall, Cisco ASA NGFW, Adaptive Security Appliance, Cisco Sourcefire Firewalls, Cisco ASAv, Cisco Firepower NGFW Firewall, Cisco Secure Firewall ASA Virtual - BYOL
No data available
 

Overview

 

Sample Customers

There are more than one million Adaptive Security Appliances deployed globally. Top customers include First American Financial Corp., Genzyme, Frankfurt Airport, Hansgrohe SE, Rio Olympics, The French Laundry, Rackspace, and City of Tomorrow.
AVG, Cyren, Kaspersky Lab, Lastline, NCP engineering, Trend Micro, Websense
Find out what your peers are saying about Fortinet, Netgate, Cisco and others in Firewalls. Updated: July 2026.
903,118 professionals have used our research since 2012.