Buyer's Guide
Firewalls
September 2022
Get our free report covering Netgate, Cisco, Sophos, and other competitors of Fortinet FortiGate. Updated: September 2022.

Read reviews of Fortinet FortiGate alternatives and competitors

Project Engineer at Telindus B.V.
Real User
Talos continuously enriches intelligence so that you get information about upcoming threats on time
Pros and Cons
  • "The most important feature is the intensive way you can troubleshoot Cisco Firepower Firewalls. You can go to the bit level to see why traffic is not handled in the correct way, and the majority of the time it's a networking issue and not a firewall issue. You can solve any problem without Cisco TAC help, because you can go very deeply under the hood to find out how traffic is flowing and whether it is not flowing as expected. That is something I have never seen with other brands."
  • "The Firepower FTD code is missing some old ASA firewall codes. It's a small thing. But Firepower software isn't missing things that are essential, anymore."

What is our primary use case?

Telindus, our company, is an integrator. We sell Firepower and we do use it ourselves. I use all the different versions of the product. 

We either replace our customers' other brands of firewalls with Firepower, or we upgrade their old Cisco ASA Firewalls to the new Firepower firewalls. The type of device we advise them to install depends on the customer's requirements and the throughputs needed.

Our primary use case for Firepower is for big networks.

What is most valuable?

The most important feature is the intensive way you can troubleshoot Cisco Firepower Firewalls. You can go to the bit level to see why traffic is not handled in the correct way, and the majority of the time it's a networking issue and not a firewall issue. You can solve any problem without Cisco TAC help, because you can go very deeply under the hood to find out how traffic is flowing and whether it is not flowing as expected. That is something I have never seen with other brands. That is why, when people move from another brand to Cisco, they never leave Cisco. They see that advantage.

Something I like about Firepower, in general, is that it still relies on the old ASA code. That's something customers really like because when they go into the CLI, they remember, "Oh, that's the ASA, that I am familiar with," but it's enriched with all the next-gen features of Snort. When a customer has knowledge of the ASA codes, they can do intensive troubleshooting because they know the device.

Customers also like Talos, which is the intelligence behind all of Cisco's security products, including Firepower. Talos is very good and is actually the most important part of a security product. It's important that you have something in the background that is continuously enriching intelligence so that you get information about upcoming threats on time. That keeps you protected as soon as possible when a Zero-day happens. Something that customers like about Cisco Firepower, in combination with Talos intelligence, is that full-time people are working in the background to provide information to Cisco security products.

Customers really want visibility into their networks. For example, they want identity management and that is something you can use Firepower for. With it, in addition to an IP address going somewhere, you can also see the username. That's a big advantage of Firepower, and can be set up quite easily.

Also, in very large networks, our customers use Cisco DNA Center. They have automation orchestration for their access network and that works seamlessly with Cisco Firepower firewalls. Security Group Tags can be used from DNA to an edge Firepower firewall. That way, they have microsegmentation within their access network for DNA. And they can extend that to their firewall rules for Firepower. 

Our customers also use Cisco ISE to get user information. ISE is connected to DNA Center. That is something that Firepower works seamlessly with, and we do sell it a lot. We sell a lot of Cisco's other security equipment, and they all send their information to SecureX. Having more Cisco security products means your security information is becoming enriched within the SecureX platform. The integration among these Cisco products is more than easy. Cisco documents everything, in detail, when it comes to how to integrate the different parts. I've never had an issue with integrating Cisco security products with each other.

And for smaller networks, like those our government customers have, what they like about Cisco Firepower, and why they purchase it nine out of 10 times, is its ease of use and the reporting in Firepower Management Center. That is something they really like. They can look up things themselves and they like the SecureX integration.

What needs improvement?

The Firepower FTD code is missing some old ASA firewall codes. It's a small thing. But Firepower software isn't missing things that are essential, anymore.

For how long have I used the solution?

I've been using Cisco Firepower NGFW Firewall since it came out, from the time Cisco started to use the name Firepower and they bought Snort. That's when they put in the next-generation features.

What do I think about the stability of the solution?

Firepower is rock-stable. So far, I have not seen any failed firewall. The only thing that was not quite stable in the past was Firepower Management Center, but since version 6.6 that has also been rock-stable. I haven't had any failed components in the last couple of years. I did have them two years ago and further in the past, where firewalls were not functioning and needed a reboot, but since 6.6, the stability is very good. We don't have priority-one tickets anymore.

What do I think about the scalability of the solution?

In the Netherlands, where I work, we don't have very big customers requiring very high throughput. So I cannot say anything about clustering where you can pile different ASAs or Firepower devices together to increase performance when you require it. 

But scalability, in general, is pretty hard. Competition-wise, sometimes it's hard to sell Cisco security products because, in my opinion, Cisco is quite honest about the real throughput they are able to provide. Other vendors may be giving figures that are a little bit "too perfect." Sometimes it's hard for us to sell Cisco firewalls because a customer says, "Well, when I go to other brands they say they have double the throughput for half the price." Well, that's great on paper, but... 

In general, after we have installed Cisco firewalls, our customers are very pleased by the performance. They also like that they can tweak settings to get more performance out of the firewall by enabling specific policies for specific traffic, and by disabling inspection for very internal data center traffic. That provides a big boost to the overall firewall performance. When a customer complains that we didn't scale it correctly, and they say it's not performing as well as they expected, I'm always able to tweak things so that it performs the way the customer requires.

How are customer service and technical support?

I have interacted with Cisco's technical support many times. Nowadays, it sometimes takes a while to get to the person with the correct knowledge, but that is happening in the world in general. First-line people are common around the world and they are trying to figure out if an issue is actually a second- or third-line issue. But when you do reach the correct department, and they know that you are knowledgeable and that you are really facing a high-priority issue or a strange behavior, Cisco's support does everything it can to help you fix things, including involving the development department. I'm very happy with their tech support.

Which solution did I use previously and why did I switch?

Most of the time we replace Sophos, Check Point, SonicWall, and Fortinet firewalls with Cisco firewalls. Customers really like the overall integration with SecureX. They see the advantage of having more security products from Cisco to get more visibility into their security. We also replace old, non-next-generation firewalls from Cisco; old ASAs.

How was the initial setup?

The initial deployment of Firepower is a straightforward process. For me, it's pretty easy. If you have never worked with it, I can imagine it might be complex. 

Cisco makes it easier all the time. You can now deploy a remote branch by managing the device on an external interface. In the beginning, with previous software versions, that was hard. You needed to configure the file as a remote branch, but for that you needed the central Firepower Management Center to configure it and you didn't have a connection yet. It was a big issue to set up an initial firewall remotely when there was no connection to the Management Center. But that's been fixed.

In general, you just put down some management IP addresses and configure things so that the devices see each other and it starts to work. It's far from complex.

Generally, the initial setup takes four hours. The implementation strategy depends on the customer. I always have a conversation with the customer upfront. I explain how the connectivity works for Cisco Firepower, and then I say that I want to be in a specific subnet field. Then I start configuring the basics, and that is the part that takes about four hours, for Firepower Management Center and two firewalls in HA. Then, I start to configure the firewalls themselves, the policies, et cetera.

Which other solutions did I evaluate?

I have experience with SonicWall, Fortinet, Juniper, and Sophos firewalls, among others. We work with Fortinet and Palo Alto. It's not that we only do Cisco. But I can say from my experience that I am really more convinced about Cisco products.

What customers really like about Cisco, the number-one thing that they are really happy about within Firepower—and it was also in the old ASA code, but it's even more a feature in Firepower—is that the configuration is in modules. It's modular. You have different policies for the different functions within your firewall, so that your access control policy is only for your access lists and that's it. You have a different network address translation policy. It's all separated into different policies, so a customer knows exactly where to look to configure something, to change something, or to look at something which is not working properly.

Also, with Cisco, when a customer is not totally certain about a change he's going to make, he can make a copy of the specific access control policy or the NAT policy. If something doesn't go right, he can assign the copied policy back to the device and everything is back to the way it was. 

These are the biggest advantages our customers see. When a customer doesn't have any knowledge about firewalls, I can explain the basics in a couple of hours and they have enough familiarity to start working with it. They see the different modules and they know how to make a backup of a specific module so that they can go back to the previous state if something goes wrong.

What other advice do I have?

My advice is "buy it." A lot of people prefer a specific brand and it's fairly hard to convince them that something else, like Cisco, is not bad, as well. They are so convinced about their existing firewall that they want to keep that brand because they are familiar with it and they won't need to learn a new firewall. It's hard for a customer to learn how a firewall works in the first place.

But my advice is that people should read about how Cisco security, in general, is set up and how it is trying to protect them with Talos. They need to understand that Cisco security is very good at what it does. They shouldn't blindly believe in what they have at the moment. I always hear, "My firewalls are good enough. I don't need Cisco. I will just buy the same ones, but new." Cisco Firepower is superior to other firewalls and people should not be afraid to dive in. By educating themselves about the firewall, they will be fine in managing it.

Practically speaking, Cisco firewalls are easier to manage than the firewalls they have at the moment, but they need to make the leap and try something else. That is the hardest part. When I do show them what they are capable of, and how you can configure all kinds of different things, they start to understand.

We don't have many customers that use other vendors' security products together with Firepower. We convince nine out of 10 customers to go over to Cisco fully. We do have customers who don't do that, and then we try to find a way to get the solutions to work together. For example, we try to integrate other brands' switches or firewalls with Cisco security products, but most of the time that is pretty hard. It's not the fault of Cisco. It requires that the other brands speak a protocol language that will support integration, but in the end, it's not perfect and the integration does not work very well. The majority of the time, we are not able to integrate into other security products. Cisco is using standard protocols, but the other vendor is abusing some sort of protocol and then it doesn't work well.

I don't prefer using applications in firewall rules, but our customers do use the application visibility and control, and it works perfectly. Firepower is very good at recognizing the application and is very good at showing you the kind of application that has been recognized. Customers use that in their access control policy rules, and I have never heard bad things about it. Cisco Firepower works very well in recognizing applications.

I get questions from customers because they do not understand threat messages generated by Firepower. Sometimes, it's hard to read what exactly the message is saying. In my opinion, that is not something that is specific to Cisco security or Firepower, rather it is an issue with security in general. Most networking people get these fancy firewalls and they get fancy security events. It's hard for some of them to understand what is meant, and what the severity level is of the message. It's more that a networking guy is trying to read security events. Firepower is doing a good job, but customers sometimes have problems understanding it and then they stop looking at it because they don't understand it. They assume that Firepower is taking the correct actions for them.

Firepower is not a fire-and-forget box. It is something you actually do have to take a look at. What I tell customers is, "Please enable Impact-One and Impact-Two messages in your mailbox, and if it's really something that you cannot understand, just forward it to me and I will take a look for you." Most of the time they are not very high-impact messages. There are only one or two high-impact messages per month.

There are customers who say, "We want you to review the messages in Firepower once a week." I have a look at them when I have time. We try to help the customer check security events once a week or so. That's not great, but it's always a question of finding a good balance between the money a customer can spend and the security aspects. When we do monitor all the events, 24/7, for a customer, you can imagine that it is quite expensive.

I configure every customer's automatic tweaking of IPS policies so that the IPS policy is enabled for the devices seen by Firepower, for recognition of what kinds of clients and hosts are in the network. Other than that, we do not do a lot of automation within Firepower.

Since 7.0, I don't have a lot of things to complain about. If I do have suggestions for improvements, I will give them during the beta programs. The speed of the FMC is very good. The deployment time is much better. They added the policy deployment rollback. That was something I really missed, because if I destroyed something I was able to undo that. Now, for me, it's actually almost perfect.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
Donald Keeber - PeerSpot reviewer
President at Margate Net
Real User
Top 5
Ensures a company has a better security posture
Pros and Cons
  • "It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine. If you have DNS Security in place, you will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance."
  • "The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better."

What is our primary use case?

In most cases, our use cases were for migration and conversions. People were coming off of dated Cisco platforms and other types of firewall technologies that might not have met next-generation standards, like App-ID. Then, Palo Alto Unit 42 had to go out there and investigate with threat hunters, etc., which was not that well-known or used. Then, Palo Alto sort of showed everybody that world back in 2007 or 2008.

Mostly, I was dealing with people migrating off of their platforms onto Palo Alto. Unfortunately, in most cases, they wound up just converting them into service-based firewalls, like what they were already using, because they weren't ready to accept the requirements behind actually creating an effective App-ID policy yet for their company.

It wasn't well adopted at first. Even though everybody wanted it, people were putting it in and not really fully deploying it. Once I started working for Palo Alto, we had a whole lot more control over getting people to actually utilize the technology, like it was meant to be used. Mostly, it was going in as a service-based firewall with some App-ID. However, people weren't really taking advantage of the SSL decryption and other things necessary to truly utilize the firewall effectively.

I have an active customer who has 600 users using Palo Alto. I have another active customer with 300 users using Palo Alto.

How has it helped my organization?

It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine. If you have DNS Security in place, you will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance.

What is most valuable?

Machine learning is definitely here to stay. Machine learning has to be a part of everybody's solution now, especially going out into the cloud where we don't have as much hardware control. We don't control our perimeters as much anymore. We need to have machine learning. So, machine learning has been a critical point in the evolution of this product.

DNS Security incorporates Unit 42, WildFire, and all the rest of their antivirus and threat features. It can be very effective because it will know about these bad actor zones and DNS hacks before it gets to your network, which is important. Everybody should be using it, but I haven't found as many people adopting it as they should.

For anything manipulating TCP 453 or any type of DNS-type application, you will want to be all over that. It is definitely a big problem.

What needs improvement?

It is not a unified solution yet. That is probably why it has been hurting them in the cloud evolution. It does not have a complete single-pane-of-glass management,

For how long have I used the solution?

I worked for Palo Alto for about three and a half to four years. I retired from them last year. Before that, I was with Juniper firewalls. So, I have about 10 years' experience, on and off, with Palo Alto in various, different scenarios.

What do I think about the stability of the solution?

They push stuff out that is not quite ready. If you use the product one version back, then you are pretty good. However, if you try to stay cutting edge, you are going to run into stuff that doesn't work. They are forever releasing stuff that doesn't work right or as designed. Every company does that though, so it is just a question of who is worse. You need to be careful with some of the newer stuff that they release. You need to bake it very well before you put it into production.

What do I think about the scalability of the solution?

I am not absolutely certain they have done a good job in scaling out. They may start to suffer now and going forward because there are other, more cloud-ready platforms out there starting to shine over Palo Alto. They are not the prodigal son anymore.

It has limited scalability since it is still very hardware-centric. They have a cloud VM model, but I haven't had too much experience with it.

How are customer service and support?

The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better.

Several years ago, I would put technical support at eight or nine out of 10. Now, they are down around two or three, which is really low. I have had very bad luck with their support lately.

How would you rate customer service and support?

Negative

How was the initial setup?

It depends on whether you are coming in from a migration, which means that you expect everything that you will be doing to be out-of-the-box. It has to be if you are putting it in place. You can then evolve it from there to make it more capable. 

I find the technology pretty easy to work with. Some people don't find it as straightforward. That probably leaves some areas for improvement, where people almost have to do a boot camp to fully take advantage of the product. That shouldn't be the case for a new customer. It should be a little bit more seamless than it is, but it's not bad. I can't really knock it. It is fairly simple to employ, if you know what you are doing.

Most migrations take anywhere from two to six weeks.

What about the implementation team?

I did the deployment. I was using it while I was at Palo Alto. I am still managing them, even outside of Palo Alto. It has been a consistent experience.

What was our ROI?

The return on investment doesn't necessarily show right away. However, if a company gets hacked and taken down, they are out of business. So, was your return on investment strong if you put these firewalls in and it prevented that? Absolutely. However, if you put them in and you never get attacked, then you might ask, "Would you have gotten attacked before?"

What's my experience with pricing, setup cost, and licensing?

There is a license for DNS Security, which I have never actually licensed, but it is a very powerful tool. DNS security is important, and I think that Palo Alto's capabilities are effective and strong there. However, I don't find a lot of companies taking advantage of it.

This is not the firewall to choose if you are looking for the cheapest and fastest solution. Palo Alto NGFWs are expensive. By the time you license them up and get them fully functional, you have spent quite a bit of money. If it is a small branch office with 10 to 15 users, that is hard to justify. However, my customers will do that if I tell them, "You still need to do that," then they will do it since it is still an entry point into the network. 

You really need Premium Support, Applications and Threats, DNS Security, and antivirus. The extra bolt-ons, such as Advanced URL Filtering, you need to determine by use case where you are going to use those licenses, then see if you really need them. You might be adding a bunch of licenses that you will never actually get to effectively use. Their licensing model has gotten a bit exorbitant and a la carte. You will wind up spending quite a bit of money on licenses and renewals.

Which other solutions did I evaluate?

There is another company out there that I like quite a bit in the firewall space who does a really good job and has a very fast, inexpensive firewall. That is Fortinet. My two favorite firewall companies are Fortinet and Palo Alto. I recommend Fortinet in cases where people don't have the money, as you can get a very nice solution from Fortinet for a lot less money. Fortinet is a good player. I like Fortinet. 

Palo Alto's interface is a little nicer to work with, e.g., a little easier and more intuitive than Fortinet. This makes Palo Alto a little nicer for the end user, but Fortinet is a kick-ass solution. I would never downplay it. It is definitely really strong. For $600, you can get a fully functional next-generation firewall on Fortinet, and you can't do that with Palo Alto. That is a world of difference in pricing.

What other advice do I have?

Machine learning is taking logs and feeding them back through. Everybody is doing machine learning now. You need to have some type of machine learning in order to understand what is going through your environment since you can't be predictive anymore, like you used to be able to be. There is no way of knowing what things are going to do. Therefore, machine learning helps the firewall become smarter. However, machine learning is only as good as how it is utilized and how effectively it is deployed, and it is not always obvious. With Palo Alto, it was difficult to get the API keys and whatnot to work correctly, getting real, effective, actual, usable machine language stuff to use in the policies. It was a lot more hype than reality.

Their zero-pass architecture is not really zero-pass, but it is better than others. It still has to run the traffic through again, once it is recognized at the port, service, and route level, to be acceptable. Then, it has to bring it back through to try to recognize the application. So, it is not necessarily a 100% zero-pass, but the way it works. 

It is like in the Indianapolis 500 when a car pulls into a pit stop. Instead of having one place in the pit stop where the tires are changed, another place in the pit stop that does the windows, and another place that does the gas, they have all the guys come around the car and do their work on the car at the same exact time. That is what is happening with Palo Alto. The packet gets there and the services attack the packet versus having to run the packet through the mill. That is what makes it faster, but it still has to do it more than once before it really knows. It is definitely better than what anybody else has done up to this point. 

With a single-pass cloud, we are not concerned with hardware as much anymore. Now, we are concerned with technology, implementation, and how controls are deployed. That is more important now than where the hardware is, e.g., if the hardware is integrated or deintegrated. I don't know if that is even that important anymore, but it was at one time.

As long as you are comfortable with the price point, you are not going to make a mistake going this way. It is definitely best-in-class and a first-class firewall. I would never be ashamed of putting Palo Alto Networks NGFWs into my network. It's a very good product. As much as I might complain about this and that, there isn't any product that you would put in the network where you are going to have 100% confidence in it. There will always be something. Palo Alto NGFWs are the best way to go.

I would rate this solution as nine out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Shashidhara B N - PeerSpot reviewer
Director & CIO of IT services at Connectivity IT Services Private Limited
Real User
Top 10
The micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement
Pros and Cons
  • "ASA integrates with FirePOWER, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall."
  • "There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so you need to be slightly careful, especially on the site track."

What is our primary use case?

I'm a solution architect specializing in IT infrastructure designs. I create solutions for clients using Cisco and other products. I've developed solutions with various Cisco Firewall models. I may use an entry-level solution for smaller businesses, like the Cisco 555 Series or 5500. If it's a large enterprise, I may use the 4000 Series, or an ISR router integrated with a firewall for a branch office, and maybe an ISR router, which is integrated with the firewall.

I work with businesses of all sizes, but I see Cisco more often in medium-sized companies or large enterprises. Small businesses often pick Sophos or FortiGate because of the pricing. Large enterprises use Cisco and other products like Palo Alto or Check Point, especially for managing cloud architectures like GCP and AWS. 

If the customer only needs a plain firewall, Cisco ASA is sufficient. It can compete with FortiGate or Sophos. When I talk about a next-gen firewall, the basics include malware protection, intrusion prevention, URL filtering, etc. Firepower is integrated to address these next-gen requirements.

I may use the tabs for dynamic policy implementation in cloud environments depending on the clients' needs, but not typically VMware. I might get a false positive with the VMware operator and platform layer. If I stop some surveys, my production will stop. In such cases, I cannot just go by dynamic classification blindly. It would be better for the application layer, not the platform layer.

How has it helped my organization?

I don't have any metrics about how ASA has improved operations for my clients, but I can look at their market share relative to Check Point and other competitors. Cisco has a decent footprint today, and it reduced my customers' CapEx. I don't have the numbers. I'm just speaking relatively. Cisco can reduce operational expenditures by around 40 percent. I'm just giving a vague estimate, but I don't have any specific metrics.

Cisco offers two architectures. I can choose the Meraki track if I want an OpEx model or the traditional track, which is a CapEx model. Due to Cisco's tech acquisitions, I have various feature options within the same product. The DNA of Cisco combines the traditional Cisco architecture with the next-generation firewall.

Segmentation can be helpful for some clients. Let's use a financial organization as an example. We have traffic moving through the branch to the core banking. This is where we can employ segmentation. We can do security policy restrictions for branch employees to prevent them from accessing certain financial reporting systems. We can limit them to the branch level. 

I can enforce certain policies to prevent all branch traffic from reaching one layer of a particular segment by minimizing the overall traffic on the network. I can always control the traffic when I segment it. This set of capabilities is beneficial when a lot of financial algorithms are done.

What is most valuable?

ASA integrates with Firepower, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall. 

Deep Packet Inspection looks at the header information and inspects the contents of a particular packet. We can also look at traffic management. It can control end-user applications, and we can check device performance when we do this type of regression on our resources. This is what we look at with a DPI. It can help us reduce the overall OpEx and CapEx.

Traditionally, we needed multiple software and hardware tools. With these features, we can snoop into our network and understand each packet at a header level. That's called the service control engine.

Within Cisco's Service Control Engine Architecture, there's something called the Preferred Architecture, which has a supervisor engine. It's more of a network management tool. Cisco makes it more convenient to manage our resources. It has a nice UI, or we can go into the command-line level. 

Cisco's micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement. That's how we segregate it. Micro-segmentation is focused on the application layer. When we design a policy that is more automated or granular, and we have a specific business requirement, we get into micro-segmentation. Otherwise, the majority of the implementation will be generic network segmentation.

Dynamic classification is also essential given the current security risks and the attacks. We cannot wait for it to tell us if it's a false positive or a real threat. In those cases, dynamic classification is essential, especially at a MAC level.

When using WiFi, we may have a suspicious guest, and we cannot wait for someone to stop it manually. The firewall needs to at least block the traffic and send an alert.

In cases like these, integration with Cisco ISE is handy. If the firewall alone doesn't help, you must redesign your architecture to include various associated products as you increase your requirements. For example, you may have to get into multiple servers, so you'll need an ISE for identity management. 

As you start scaling up your requirements, you go beyond a firewall. You start from an L1 layer and go to the L7 sitting at the organization's gateway. When you talk about dynamic policy implementation, that's where you start to get serious about your operations and can change things suddenly when an attack is happening.

With ISE integration, you get another dynamic classification if an endpoint connects immediately. ISE has a lot of authorization rules, so it applies a filter. The dynamic policy capabilities enable tighter integration at the application workload level. Snort 3 IPS enables you to run more rules without sacrificing performance, and IPS puts you one step ahead of any threats to the organization.

What needs improvement?

There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track. 

We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that.

Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.

For how long have I used the solution?

I have been working with firewalls for about 20 to 25 years, but I've been using Cisco for around 12 to 15 years.

What do I think about the stability of the solution?

Cisco ASA Firewall is reliable, especially in the Indian context. For example, I had a couple of banks with around 5,000 branches and ATMs. It was easy to deploy remotely or send it to each branch. 

What do I think about the scalability of the solution?

Cisco ASA Firewall is scalable to a certain extent.

How are customer service and support?

Cisco support is okay, but not great. I rate Cisco support five out of ten. The response time is too long. We need an instant response to security issues. They follow some legacy processes.

In some cases, I think they're good, but they have hundreds of questions and steps to go through before the ticket is escalated. The local partner adds a lot of value in that case.

How would you rate customer service and support?

Neutral

How was the initial setup?

The standard setup is straightforward and takes around four hours. You can also do more customization and adjustments to deploy it in a particular environment.

I design a custom implementation strategy for each customer. It depends on whether I'm migrating an existing environment or doing a fresh deployment. I try to understand the customer's security footprint and all the issues I need to address before installation. 

What's my experience with pricing, setup cost, and licensing?

I think Cisco's price is in the right space now. They have discounts for customers at various levels. I think they're in the right spot. However, Cisco can be expensive when you factor in these additional features. 

If you add SecureX, Cisco's cost will definitely jump. We started with the standard ASA, then we added segmentation and micro-segmentation, and now we're talking about automation and unified architecture. SecureX is an integrated security portfolio. It gives a vertical and 360-degree algorithm with an open, integrated platform that can scale.

Which other solutions did I evaluate?

In most next-generation products, the UA itself will manage a lot of things, but it's easier to find people with expertise. If you put 10 firewall experts in the room, six will be talking about Cisco, but you can hardly find one or two people talking about Check Point or Palo Alto. Others would be talking more about Sophos, FortiGate, etc.

What other advice do I have?

I rate Cisco ASA Firewall seven out of ten. If you're implementing a Cisco firewall, you must be crystal clear about your business requirements and how a Cisco ASA firewall will address your problem. You need to understand whether this product line contains all the features you need. 

Can it pass a security audit? Does it integrate with your network device? How scalable is it? Will this solution you're implementing today be adequate in the next three years? These are the questions that you should ask.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Pre Sales Security at a tech services company with 201-500 employees
Reseller
Multifeatured firewall solution with a user-friendly interface, high availability, scalability, and stability
Pros and Cons
  • "User-friendly firewall solution which scales well, is stable, and has high availability."
  • "Support for SonicWall TZ needs improvement, particularly the time it takes before you're able to speak to a support person, e.g. you have to wait for at least 30 minutes on the phone."

What is our primary use case?

Our customers use SonicWall TZ for network security and also for connectivity, e.g. when our customer is a company with HQ and branches, and they want to secure their branches the way they secure their HQ, we recommend SonicWall TZ so we're able to protect both the users in the HQ and the users in the branches. We also use this solution to optimize the bandwidth that they have by configuring SD-WAN services.

Another use case for this product is when using switches, e.g. when people want to connect their IP phones, their access points, and their access control devices, we recommend the switches and utilize SonicWall TZ, but mostly this firewall solution is for network security monitoring, analytics, and reporting.

How has it helped my organization?

SonicWall TZ has a number of benefits to customers.

One benefit is the visibility of the network and activities that are happening on the network, which enables customers to improve on their policies. For example, if a customer sees that YouTube is consuming a lot of bandwidth, they can revise the policies and allocate less bandwidth to YouTube, then give more bandwidth to business critical applications.

Another benefit of this solution is that it's able to bring a lot of visibility to things that are hidden from a normal IT person's view, so now that these things are visible, users are able to make quick decisions. For example, there was an organization that was complaining that they have less bandwidth, so we implemented the firewall and noticed that whatever they were getting, they needed to add more, before they're able to add more bandwidth from their ISP. 

The simplicity of SonicWall TZ is also one of the things I like about it.

What is most valuable?

I found many features in SonicWall TZ that are valuable. The NSM (Network Security Manager) is great when you have more than one firewall, e.g. two, three, five, etc., because it's a central place where you can configure the firewalls.

Even for users who only have one firewall, SonicWall TZ is great, because it's very easy to use. It's user-friendly. I have used other firewalls, and I've worked with Fortinet and Palo Alto, and if I compare their user interface with SonicWall TZ, this solution has an interface that's so much easier to use.

In this product, configuring the policies and everything else that needs to be configured is straightforward. You don't have to move through multiple pages and tabs. It's easy to configure and use.

The analytics feature of SonicWall TZ is also good, because users are able to see information on bandwidth utilization, including applications that are traversing the network.

I also like the Capture ATP (advanced threat protection) feature of this solution, because it shows the unknown files that have been detected in the network, how they were scanned, and what the results are. It's a very good feature.

I like the licensing scheme of SonicWall TZ. If you have high availability requirements, you don't need to buy two licenses. You just buy one. This is cost-effective for the customers. I also like the secure upgrade promotion, e.g. if you have an existing firewall from Cisco, Fortinet, or another competitor, SonicWall will give you a two-year license for the price of a one-year license.

SonicWall TZ has good features that I can really position to my customers, and that's how we're able to win new business.

I also like the form factor uniqueness of this product. You can use it even in an office with 10, 15 people. That's very great. That's a day one capability, and it's not licensed, e.g. it's something you can get out-of-the-box. I also believe that SonicWall TZ 570 and 670 series can accommodate SFP (small form-factor pluggable), and I find that very unique.

SonicWall TZ also has high availability, so it's a perfect solution.

What needs improvement?

Support for SonicWall TZ needs improvement, particularly the time it takes before you're able to speak to a support person, e.g. you have to wait for at least 30 minutes on the phone, and this needs to be improved.

This is an affordable solution, but a competitor like Sophos can give SonicWall a run for their money. Sophos and Fortinet are major competitors of SonicWall, and the way they package their solutions, especially Sophos, they're cheaper, so for some customers who aren't technical, they will just run to these competitors because they're cheaper. However, once you explain to the customer that this is the situation, mostly we're able to win the business for SonicWall.

An additional feature I'd like to see in the next release of SonicWall TZ is enhanced automation.

For how long have I used the solution?

I've worked with SonicWall TZ since 2019. I've been working with it for three years now.

What do I think about the stability of the solution?

I didn't have any issues with SonicWall TZ in terms of stability. I started working with SonicWall in 2019, and all the customers I sold this to, not a single device has failed, apart from one customer who had a failure in Ethiopia last year, but that customer bought the device for quite some time, e.g. in 2018 or 2019, so that one had been onsite. I've not heard of any breakage apart from that one, so this product is stable.

What do I think about the scalability of the solution?

SonicWall TZ is scalable. I just have one customer here who is suffering because of issues with sizing and scoping initially, but from what I've seen, this solution is scalable. It scales well.

How are customer service and support?

I was able to contact the SonicWall technical support team a few times, but before I was able to talk to a support person, I had to stay on the line for almost 30 minutes, sometimes even longer than 30 minutes. This is something that they need to improve.

How was the initial setup?

The initial setup for this solution was very straightforward. I don't have an issue with setting up SonicWall TZ.

What's my experience with pricing, setup cost, and licensing?

I find the licensing scheme of SonicWall TZ cost-effective for customers. SonicWall also has a secure upgrade promotion that lets you enjoy a two-year license for the price of a one-year license, if you have an existing firewall from competitors, e.g. Cisco, Fortinet, etc.

Which other solutions did I evaluate?

I was able to evaluate Fortinet FortiGate briefly. I also evaluated Palo Alto.

What other advice do I have?

I've used Fortinet FortiGate briefly. SonicWall TZ is what I'm using at the moment. We are an authorized distributor of SonicWall, so we sell SonicWall products, including SonicWall TZ, to resellers and partners.

We deal with the latest versions of this solution: the gen 7 series and the gen 7 NSa series. These are what we've been selling to most of our customers.

We have not been able to sell SonicWall TZ on cloud. We have received requests for quotes, particularly for cloud deployment, but what we were able to sell were on-premises deployment, e.g. physical devices.

Deployment of this product usually takes less than a day, but it really depends on the setup and the network. We recently had one that took two days, but it's usually just less than a day.

We sell SonicWall TZ to different companies. One company has 10 users. Another company has a hundred users. There's another company with 500 users. We sell to partners, and that's our main job. The partners sell to the customer, so you'll find one partner has five customers, another partner has two customers, etc. We are not just covering Kenya. We cover east Africa all the way up to Congo, Ethiopia, Djibouti, and Eritrea. We cover all those areas.

What I usually tell people who are looking into implementing this product is that it's the easiest to use among the many firewalls I've seen.

I have not been disappointed with SonicWall TZ, so I'm giving it an eight out of ten, not a perfect score, because there's still room for improvement.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
Presales Solutions Consultant/Engineer at a comms service provider with 51-200 employees
Consultant
Top 20
Very user-friendly and nimble software platform solution
Pros and Cons
  • "Their dashboard is also a good point for us and the customer. The solution is very clean and easy."
  • "Another thing that should be improved in Versa are their firewall features."

What is our primary use case?

We are using this product and also implementing it for our clients. We manage everything for the customer. We use it here on our platform and also manage the solution for our customers for whom we install it.

Let's say a customer is on premises and he wants to move to the internet but wants to keep the interconnection between their sites. He doesn't want to remain embedded. We would propose Versa in this case.

Also, if a client asks us for more reporting, more analytics and more monitoring and our embedded solution can't do this as a single solution because it would be very heavy and expensive, we would propose Versa. The client finds the analytics and monitoring in Versa very easy and very clear.

What is most valuable?

In terms of the most valuable features of Versa, I should know because I have also used Cisco, Fortinet and VeloCloud at a previous company where I worked. I explain that between Versa and VeloCloud I find that Versa has more features than VeloCloud. I do think that you have less regarding the firewall features compared to other solutions, though.

Their dashboard is also a good point for us and the customer. The solution is very clean and easy, but it depends what the customer has and how we can integrate it with their current network.

Another thing is regarding the analytics. We have about 15 sites in Europe, the US and Asia. I do some administration for the analytic portal, and this side is very interesting for the customer because today Versa has an embedded solution and we don't have the visibility for all the sites they're using.

What needs improvement?

In terms of what could be improved, I would say that since we're using more and more 4G today, the product should have two slots for 4G and also have the equipment for giga ready. It should not have different equipment to have a giga bandwidth. For example, it should have 110 and 200, 810 and 800. It would be good if they had only one product that goes directly to the bandwidth for one gigabyte and not necessarily to have different products to do it. Of course if I compare it to only one gigabyte, the price also needs to be reduced.

Another thing that should be improved in Versa are their firewall features. You have their firewall license secure solution but if they could include more features regarding their firewall protection and data protection it would be good. This is because when we go to a customer who also wants a firewall they compare it to other products on the market that are doing more with the firewall. As you know, Fortinet is very strong in this point. If they could put more features on this side, they can be, maybe not equal, but improved.

For how long have I used the solution?

Our company has been using Versa FlexVNF for around five years with our customers. Our network is on the ISP here in France and our AVN solution is only based on this product. 

What do I think about the stability of the solution?

It is stable. We haven't had any issues, and neither have the customers that already have it running for two or three years. They have stability on their end. The only stability issues are on the circuit and not on Versa's end. Sometimes the line is cut, so the customer will have an issue. But we don't have any issues with Versa.

What do I think about the scalability of the solution?

In terms of scalability, it doesn't matter if the company is large, medium, or small. We can use it for small and big companies - there is no limitation there. It is not always the company size that matters. When we go to a market segment and a big company, they may not know Versa at all. They may know VeloCloud better.

How are customer service and technical support?

I can say that I am satisfied with customer support but I'm not quite sure because it is my colleagues who manage this part of support. We have our technical support that manages Versa, the circuit, and all the vendors who are also on our platform.

How was the initial setup?

In terms of the initial setup, I can't answer that because I am just from the sales side, I don't do the installations, my colleagues do it. What I see from the customers that have installed Versa is that the initial step on the starting configuration is very easy. A half hour or hour. My colleagues who use it here in the company manage it and they have a full version for the configuration.

The issue that is difficult for us is when a customer needs firewall features included and he already has a firewall in place that he asks us to replace and to install the features from Versa. It is very complicated for us because it means more time to install since we need to export all the other features that already have rules in the firewall and to put them in Versa. That takes time.

What's my experience with pricing, setup cost, and licensing?

Regarding the price, we can make do with its price today, but I am seeing from our competitors that this market is becoming very aggressive. We lost some projects because we didn't have any strategy to deal with the price. We think that when we discuss the quality of the product the price won't be an issue, so we do not propose it as "low-cost" for this reason.

Which other solutions did I evaluate?

Currently I propose Versa. That's the platform for my strategy. However, the market is not ready to propose a solution to a customer that's managed by an ISP. So, in the beginning they investigate VeloCloud, Cisco and Fortinet. But in the end they select Versa because it is small and easy for customers, and it has many features that are very interesting to the customers.

Today, when we look back, it was the right decision to choose Versa and our customers are very happy that we only propose this solution.

What other advice do I have?

We always propose only Versa solutions in our quotes for our customers when we have a new project. I only recommend Versa. VeloCloud was the first one to market and for customers that is very important. Customers ask me for a comparison between VeloCloud and Versa since VeloCloud was the first one on the market and he wants to be sure that if he goes with Versa it will not be a mistake.

For me it's not enough just to be first on the market. I know Versa, but I know it's not enough. VeloCloud solutions are more public for companies and buyers than Versa is.

These are the only two products that we validate that are in the regular network - Advantec and them.

On a scale of 1-10, where one is the worst and 10 is the best, I would rate Versa Flex an 8.

It is not a ten because it has a lot of features on the equipment and it is really heavy on the portal. It's not really friendly. Maybe they could do something different for users or administrators to have a friendlier portal.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner