Security engineer at an energy/utilities company with 10,001+ employees
We have more control over things going in and out of our network
Pros and Cons
- "We definitely feel more secure. We have more control over things going in and out of our network."
- "Third-party integrations could be improved."
What is our primary use case?
We mainly use it for ICS security.
How has it helped my organization?
We definitely feel more secure. We have more control over things going in and out of our network.
Cybersecurity has been our top priority because of the last few attacks on our peers in the oil and gas industry.
What is most valuable?
The IPS solution helps us to not only navigate north-south traffic, but also east-west traffic.
What needs improvement?
Third-party integrations could be improved.
Not everything works out-of-the-box. Sometimes, you have to customize it to your needs.
Buyer's Guide
Cisco Secure Firewall
November 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,636 professionals have used our research since 2012.
For how long have I used the solution?
I have been using it for two years.
What do I think about the stability of the solution?
It is stable for the most part.
There is maintenance needed for software, firmware, and updates. Three or four people keep up with the updates, etc.
What do I think about the scalability of the solution?
It is pretty scalable. We can add as many devices as we want.
How are customer service and support?
The technical support is good. I would rate them as 10 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously had a different platform. We wanted to converge multiple platforms into one.
I switched companies. So, I have more experience with Palo Alto.
What was our ROI?
We saw immediate benefits after deployment from having more control and visibility.
What's my experience with pricing, setup cost, and licensing?
Pretty much everything is included in the price for what we are using.
Which other solutions did I evaluate?
We looked at Check Point, Palo Alto, Fortinet, and a bunch of others. The management and support for the Cisco product is better.
What other advice do I have?
Listen to your customers and see what their needs are.
The whole stack provided by Cisco is a holistic solution for cybersecurity experts, like myself, and companies who are looking to secure their network.
You should partner up with a good team to view all products available, which cater and are customized to your needs.
We haven't found any gaps where it is lacking.
I would rate this product as eight or nine out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System programmer 2 at a government with 10,001+ employees
Has versatile, flexible policies and packet captures that help debug connections
Pros and Cons
- "The features I've found most valuable are the packet captures and packet traces because they help me debug connections. I like the logs because they help me see what's going on."
- "I think they need to review their whole UI because it feels like it was created by a whole bunch of different teams of developers who didn't fully talk to each other. The net policy screen is just a mess. It should look like the firewall policy screen, and they should both act the same, but they don't. I feel like it's two different buildings or programming, who don't talk to each other, and that really annoys me."
What is our primary use case?
We use it to protect our DMZs and externals, to protect our network from our other city partners who manage their own networks to which we have direct connections, like VPNs, and to manage the security parameters between inside and outside connectivity and vice versa.
How has it helped my organization?
Cisco Firepower NGFW Firewall was introduced as a migration of many firewalls into one. Just having one firewall with one place of security and one place to look for your packets has really helped.
What is most valuable?
The features I've found most valuable are the packet captures and packet traces because they help me debug connections. I like the logs because they help me see what's going on.
The security correlation events and the network map help me to drill down on a host at will.
I really like the flexibility of the policies such as those you can use and the layer three policies with which you can block applications. It's really versatile. I like the security zones.
Cybersecurity resilience is our main focus right now. Because we're a government organization, everybody's really nervous about security and what the ramifications are. My device generates all the logs that our security team goes through and correlates all the events, so it's really important right now.
What needs improvement?
I think they need to review their whole UI because it feels like it was created by a whole bunch of different teams of developers who didn't fully talk to each other. The net policy screen is just a mess. It should look like the firewall policy screen, and they should both act the same, but they don't. I feel like it's two different buildings or programming, that don't talk to each other, and that really annoys me.
They should either build an application or get away from the web. They need to do something that's uniform and more streamlined.
We have a multi-person firewall team, and I can't look at a policy while somebody else is in it. It'll kick me out. I might be working on something that the other guy has to modify. I know that in the next versions they will be dealing with it with a soft lock, but it should've already been there.
One of Cisco's strengths is the knowledge depth of their staff. The solutions engineer we worked with knew the routing and each protocol. If he didn't know something, he would reach out to someone else at Cisco who did. He would even talk to a developer if he needed to.
For how long have I used the solution?
I've been using Firepower for about three years.
What do I think about the stability of the solution?
There are some stability issues. We ran CheckPoint for years and didn't have problems with the firewall itself. However, with Firepower, in the past two years, we've had two major crashes and a software bug switchover.
We were debugging NAT rules. I did a show xlate for the NAT translation, and the firewall rebooted itself.
It has only been three instances in two years, but when I compare the stability to that of CheckPoint, it seems higher. CheckPoint just seemed to run.
What do I think about the scalability of the solution?
We have about 8000 end users. Scalability-wise, it's already handling a large amount of traffic.
How are customer service and support?
I like that Cisco's technical support will help me recover the firewall when everything falls apart. I'd give them a nine out of ten. They've really been consistently good, and they go after the problem.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used CheckPoint and Fortinet. We switched from CheckPoint because it was unsupported, and we wanted to move to a next-generation firewall.
We went to Fortinet, and when we switched over, it caused a huge network outage. The Cisco engineers helped fish us out of that. Our GM at the time preferred Cisco, and we switched to Cisco Firepower NGFW Firewall.
How was the initial setup?
Setting up the machines was straightforward, but exporting was complex. That is, it wasn't a complex deployment as far as the hardware goes. It was more of a complex deployment as far as transferring all the rules go because of our routing architecture.
Firepower is our main interface out to the outside world. We have about eight DMZs that are interface-based. You can do a logical DMZ or you can have an interface and a logical DMZ. We have about eight that are on interfaces. Then, we have our cloud providers and the firewall. We have rules so that our cloud providers can't ingress into our network.
I've found that Firepower does need a lot of maintenance. It needs a lot more software updates than other solutions. We have three people to maintain the solution.
What about the implementation team?
For the deployment, we had about 18 team members including firewall administrators, Cisco firewall engineers, and techs.
What's my experience with pricing, setup cost, and licensing?
The licensing scheme is completely confusing, and they need to streamline it. They have classic licensing and a new type of licensing now. Also, the licensing for the actual firewall is separate from the one for TAC support.
What other advice do I have?
My advice to leaders who want to build more resilience within their organizations is that they should help make policies. Leaders don't want to make policies; they don't want to put their names on policies or write policy documents. I, as a firewall administrator, am the one saying what the policy should be. I tell them what should happen, and sometimes, they resist.
Also, because the system is just too big to really manage without TAC, you would need TAC along with Firepower.
My advice would also be to go with HA or a cluster up front and not to be cheap. You really need to go in with a robust solution up front.
I would rate Firepower an eight on a scale from one to ten because the firewall and tech support together make it a very robust solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Network Architect at a tech services company with 10,001+ employees
A stable and secure solution that works well
Pros and Cons
- "Cisco tech is always good and helpful. I would rate them as 10 out of 10."
- "Cisco ASA is starting to get old and Firepower is taking over. All the good things happening are with Firepower."
What is our primary use case?
We are using it for security on everything from small customers to big data centers.
How has it helped my organization?
It is stable. We saw benefit from this in just a few days.
What is most valuable?
Cisco AnyConnect is my favorite. It is awesome. It also exists on Firepower and newer things.
What needs improvement?
Cisco ASA is starting to get old and Firepower is taking over. All the good things happening are with Firepower. Everything that I could wish for is in Firepower. We will probably not be doing too many new installations of ASAs since Firepower is mostly taking over.
For how long have I used the solution?
I have been using it for 15 to 20 years.
What do I think about the stability of the solution?
It is stable and secure. There are a few bugs, etc. Overall, we are very happy with it. We have never looked at anything else because it works so well. I would rate the stability as 10 out of 10. It is very good.
There is maintenance. We have to keep an eye out for software upgrades and forced changes to the configuration. We have a network operations team of 15 people who take care of these things from day to day.
What do I think about the scalability of the solution?
The solution's scalability is very good.
We use it on customers who have two employees up to customers with 5,000 employees. It is also used for customers who have one site or several sites. It is all over the place.
How are customer service and support?
Cisco tech is always good and helpful. I would rate them as 10 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I didn't use another solution previously.
How was the initial setup?
All our deployments have been different. Some have been really easy and others have been really complex. It could go either way: some are complex and some are easy. The complex solutions could take days or a couple of weeks to deploy. Easy solutions take a day.
If it was a big project, there would be a pre-project identifying what we were going to do and making a plan for it, then we would realize that plan. If it was a smaller thing, we would just jump into it.
What about the implementation team?
It was deployed in-house. Depending on the solution and its complexity, it could take a single person to a team of 20 people to deploy it.
What was our ROI?
Our return on investment is having a network that we don't need to think too much about. It works, and that is it.
What's my experience with pricing, setup cost, and licensing?
Cisco is always expensive, but you get what you pay for. It is expensive for a reason. It is a good solution, and good solutions cost money.
AnyConnect is an extra license. If you want the IDS/IPS things, those are usually extra too.
Which other solutions did I evaluate?
I evaluated Check Point, Palo Alto, and Fortinet, but Cisco won the race. Since we were already running most of our other networking with Cisco, it felt natural to land on Cisco.
What other advice do I have?
I would rate the solution as 10 out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network engineer at a government with 10,001+ employees
Keeps the outsiders on the outside and enables us to monitor content going out
Pros and Cons
- "The ASDM (Adaptive Security Device Manager) which is the graphical user interface, works out, and Cisco keeps it current."
- "Cisco still has a lot of work to do. You can convert an ASA over to a Firepower, but the competitors, like Palo Alto and Juniper, are coming in. And believe it or not, they are a little bit more intuitive. Cisco has a little bit more work to do. They're playing catch up."
What is our primary use case?
We use it for content management and filtering. We wanted to separate DMZ traffic from normal customer traffic. We were also looking to set up portals for outside interests that needed to come in. We have our firewall set up for VPN and, with COVID breaking out, that became more important. We also use it for remote access control.
How has it helped my organization?
It improved our security. It keeps the outsiders on the outside and enables us to monitor the content that's going out from within the organization.
What is most valuable?
The ASDM (Adaptive Security Device Manager) which is the graphical user interface, works out, and Cisco keeps it current.
What needs improvement?
Cisco still has a lot of work to do. You can convert an ASA over to a Firepower, but the competitors, like Palo Alto and Juniper, are coming in. And believe it or not, they are a little bit more intuitive. Cisco has a little bit more work to do. They're playing catch up.
There is also content filtering. The bad actors are so smart nowadays that they can masquerade as the data for a given port, and they can actually transfer data through that port. The only thing that the older firewalls know about is the port. They can't read the data going across it. That's where content filtering comes in, like Palo Alto has, with next-generation firewalls.
For how long have I used the solution?
I have been using Cisco ASA Firewalls from the beginning, when they moved over from the PIX.
What do I think about the stability of the solution?
They're pretty reliable. Even from a hardware perspective, we haven't lost any power supplies or the like. An ASA works until we remove it. The maintenance is very minimal.
What do I think about the scalability of the solution?
It's very scalable. Every organization sets it up differently, but we've been able to perform upgrades with minimal service disruption. We have ASAs in multiple locations.
How are customer service and support?
Being a government-supported organization, the technical support is great. They send us equipment. It's top-notch.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Cisco has been a leader in firewalls, and the US government primarily chooses Cisco first, before it chooses competitors.
Which other solutions did I evaluate?
We have a variety of providers from Juniper to Palo Alto, et cetera. But the Cisco GUI is pretty consistent, so most individuals catch on. But when it comes to the Firepower, we're going to need some more training on that, as we're upgrading and moving to the Firepower.
What other advice do I have?
I like the ASA product, maybe because I'm an old guy, more so than the transition to the Firepower. The ASAs have worked ever since the PIX days and they work very reliably. Even with the upgrades, your rules don't change. That's true even with a major OS upgrade.
Things are changing and the ASAs are becoming dated. People want content filtering and so on now.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Engineer Specialist at Telekom Slovenije
Keeps our environment secure and helps reduce firewall-related operational costs
Pros and Cons
- "With Cisco, there are a lot of features such as the network map. Cisco builds the whole network map of the machines you have behind your firewall and gives you insight into the vulnerabilities and attributes that the host has. Checkpoint and Fortinet don't have that functionality directly on the firewall."
- "The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Checkpoint has a very detailed user interface."
What is our primary use case?
We primarily use it as a corporate, perimeter firewall for traffic to the internet and back, for surfing. We also have some site-to-site connections with customers.
How has it helped my organization?
So far, there hasn't been any breach, so we are very happy.
It has also helped to reduce the operational costs of our firewall. There is a report that is automatically generated. You don't have to search for and prepare everything by yourself. You don't need staff to prepare the information because it is automated. We only go through this report once a week and if there are some special events, we can take care of them.
What is most valuable?
The next-generation features, like IPS, among others, are the most valuable. IPS is mandatory in modern networks for protection against malicious attacks and network anomalies.
Also, it gives you great visibility when doing deep packet inspection, but you have to do HTTP inspection. If you don't do HTTP inspection, the visibility is not complete. That is the case for every firewall vendor.
What needs improvement?
The ease of use, when it comes to managing Cisco Firepower NGFW Firewalls, is getting better because the UI is improving. It was a bit cumbersome in previous versions. Checkpoint, for example, has one of the most intuitive user interfaces, and now Cisco is really improving.
The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Checkpoint has a very detailed user interface. Cisco is getting better and becoming more and more user-friendly.
Cisco needs a more intuitive user interface. When you know what to do, it's easy. Otherwise, you need training. You can install it and do the initial configuration, but if you don't have the proper training it's also possible to configure it the wrong way. If that happens, some things might pass through that you don't know about.
For how long have I used the solution?
We have been using Cisco Secure Firewall for about five years, from the beginning of the Cisco Firepower 2100 Series.
What do I think about the stability of the solution?
We were on version 6.2.2 but now we're up to version 7.7.0, and it has really improved. It was not hard to implement but there were many bugs in the earlier version and some were serious, but now it's stable. There are no more bugs. It's really getting better. I would recommend Firepower to every customer now because it's stable. It's a really nice firewall.
What do I think about the scalability of the solution?
The model we have is okay for our environment, so it's scalable. We haven't seen any problems in that regard. There are 50 or 60 devices behind it and about 500 clients. It is used in a very specific environment for a large Slovenian system.
The device has achieved its purpose. We won't implement any other features.
How are customer service and support?
Cisco support is the best, especially if you compare it to other vendors. Cisco may be a bit expensive compared to other vendors, but the support is really good. When you open a case they're really responsive and they resolve every case. This is my personal experience, not only when it comes to Firepower but for the whole Cisco portfolio, which I have been working with since 2005.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial configuration was done within a few hours, but getting all the policies in place took about a month. That was not related to the firewall, it was related to all the requirements from management and from other people as well. But the configuration to get it set up initially was straightforward, nothing special.
What about the implementation team?
My colleagues and I did the deployment. We are an internal team. We are integrators, so we were able to do it by ourselves.
What was our ROI?
When it comes to XDR, the cost-effectiveness of this firewall depends on the use case because you don't always need XDR functionality. SecureX is included free of charge, so from that point of view, maybe Cisco is not that expensive compared to other vendors. Other vendors' XDR products are not free of charge.
But if you look at just the firewall functionality, Checkpoint is expensive but Cisco is not the cheapest. Fortinet is cheaper.
Where we have seen ROI is due to the support, time savings, ease of management, and the reporting.
Which other solutions did I evaluate?
Aside from the user interface, which is getting better, Cisco is at the top for functionality and in all other respects. We work with Fortinet, Checkpoint, and we used to work with Juniper, in addition to Cisco.
With Cisco, there are a lot of features such as the network map. Cisco builds the whole network map of the machines you have behind your firewall and gives you insight into the vulnerabilities and attributes that the host has. Checkpoint and Fortinet don't have that functionality directly on the firewall. They don't give you that direct visibility into the host, such as which operating system the host has.
We don't work with Juniper anymore because its user interface is really not okay. You only have the CLI or you have to use Security Director for management, which is very complex and not user-friendly. That is why we abandoned Juniper as a product.
I would rate Cisco at eight out of 10 overall, and Check Point would be a seven. Check Point fields a great solution in this space, but they have very bad support, and support is one of the most important things. Having great blogs doesn't help if support doesn't come through when you need it.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Team Leader Network and Mail Team at an energy/utilities company with 10,001+ employees
Packet inspection with ASDM works well, but upgrading requires notable planning and effort
Pros and Cons
- "Cisco ASA works very nicely from an administration perspective. The management of the device is very nice. The ASDM (Adaptive Security Device Manager) is the software that we use and it is very easy to configure using the GUI."
- "The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics."
How has it helped my organization?
Remote access through the VPN wasn't available in the old firewall that we used, so that was a value-add. That's one way Cisco ASA has impacted our company. Also, from an administrator's perspective, newcomers have a shorter learning curve working with the ASA firewalls.
Also, when we deployed it on the data center firewalls, we did some microsegmentation using different subnets for the whole environment, including UAT and production. We didn't have segmentation before, but with the growing security needs, we segmented the servers. For each of the subnets we made different gateways on the firewall. That helped us achieve the requirements of the latest standards.
Thanks to the IPS, the malicious traffic has dropped. Initially, when we deployed the IPS, it gave us some problems. But after a week or two, it worked very well. I used a balanced security policy when I integrated it with the FMC server. On the FMC, the GUI gives me a very good, extensive view of what traffic is getting dropped and at what time. It gives me all the visibility that I need.
What is most valuable?
- The normal firewalling features are very good. You can easily create objects and work with them.
- The AnyConnect software for remote VPN is an added feature on the firewall that works very well in our environment.
- The IPS is another important feature that I use. It doesn't impact the overall performance of the ASAs.
All of these features work fine.
Cisco ASA works very nicely from an administration perspective. The management of the device is very nice. The ASDM (Adaptive Security Device Manager) is the software that we use and it is very easy to configure using the GUI. If you are familiar with the ASDM software, it's very easy for anyone to handle. The CLI isn't different from other Cisco CLIs, so that makes it easy as well.
Also, the visibility when doing packet inspection on the ASA, using the ASDM GUI, works well. You can go to the monitoring part and see the live logs, the syslogs. All the traffic events are displayed in the syslog. You can filter on whatever event you are interested in and it is visible to you in no time. It provides a real-time display of the traffic. Troubleshooting issues is very easy using ASDM.
In addition, if you want to do some captures at the interface level, there's a packet tracer, a tool within the ASDM and the ASA, which is available on both the GUI and the CLI. That is on the newer firewalls as well and it's very nice. It shows you the life cycle of a packet within the firewall, from entry to the exit, and how many steps it goes through. It really helps while troubleshooting. I'm very satisfied with that.
What needs improvement?
The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics.
For example, if the ASA Firewall's software has to be upgraded, it has to be compatible with the IPS software—the FireSIGHT software. So that has to be upgraded as well, in addition to the ASDM software that you use to manage the firewall using the GUI. Besides that, if you are using the remote VPN part of the firewall, there is the AnyConnect hidden software that also requires an update.
So upgrading is a very extensive exercise, both when you're planning it and when you are doing it. The upgrades are very lengthy. Then Cisco introduced FTD as a unified approach, and that was a leap forward, but it has its own issues.
For how long have I used the solution?
I've been working as a Cisco partner for about four years. Before that, I was using Cisco firewalls as a network admin. I've been engaged with Cisco firewalls since 2015.
On the FTD (Firepower Threat Defense) model, I've been working with version 6.7. I haven't tried the latest 7.0 version.
What do I think about the stability of the solution?
The robustness of the ASA is very good. Whenever you upgrade it, it does very well. There are no hiccups or hitches, post-upgrade.
How are customer service and support?
Cisco's TAC provides very good support. If you have any issues, you can contact them and they provide assistance. You need a subscription for that. The subscription comes with a notable cost but you get great value from it. I'm very satisfied with it.
The tech support of Cisco is unparalleled if I compare it to any other product that I have used. I've been using Citrix, Juniper, and even Palo Alto, but the support that I get from Cisco is very good. It's easy to get support and the engineers get engaged. Sometimes they provide more than you need. For example, if there are design-level issues, they will tell you that it isn't implemented well and that there are things that need to be corrected. That's not their responsibility but they'll provide that feedback.
I consider Cisco support to be the industry standard.
How would you rate customer service and support?
Positive
What was our ROI?
I've seen Cisco deployed for five to seven years. The product life cycle is good and they're continuing to support things. If you add more features and utilize it to the maximum, using the remote VPN and the like, it becomes more cost-effective.
Having the IPS part within one box also saves you on costs. Back in 2015, the IPS was a different box that had to be deployed separately. At that time, it cost more if I had to buy another IPS and a box.
Which other solutions did I evaluate?
Before ASA, we were using Juniper. It had a GUI, but the CLI part of Juniper was difficult. The network administrators required a little bit of a different type of expertise. Juniper was very good, but its CLI wasn't as simple as Cisco's. When somebody new comes into the company to work on the firewall, the Cisco learning curve is relatively short and easy.
Nowadays, everybody is working with Cisco. Juniper has almost been phased out. Some people use Juniper for certain reasons, but there's a very specific clientele for it.
We went with Cisco because it is very easy to operate. It provided next-generation firewalling when it came out with ASA plus Sourcefire IPS. That was very effective at that time, compared to the others.
These days, Palo Alto is matching Cisco and, in some ways, Palo Alto is better. From 2015 to 2018/19, Cisco was considered to be the best. The security leaders are always preferred and Cisco was a leader. That's why we preferred it.
We were also always happy with Cisco support. It was very convenient to get to Cisco support, and it was very prompt and effective. They really solved our problems.
What other advice do I have?
The Nextgen firewalls have a good IPS, but that IPS part wasn't very configurable using the ASDM. Later, they introduced the FMC (Firewall Management Center) and we could integrate the ASA with the FMC and get the IPS configured from the FMC GUI. That was good, but you needed two things to monitor one box. For the IPS you needed an FMC server, and for the firewalls, you needed the ASDM or the CLI.
In terms of integration with other solutions, it is a simple firewall that is integrated with the syslog servers and the SNMP monitoring from the NMS. Those types of simple things work very well. I haven't worked with much integration beyond that. You can't attach that many feeds to it. That's more a function of the Next-Generation Firewall with the IPS and FMC.
SecureX is a relatively new cloud-based solution. It's been around for one or two years. It's offered for free if you have any Cisco security solution. It encompasses ADR and NDR. The clients I work with in Pakistan are mostly financial institutions. Because it's a cloud-based security solution, they are not interested. They want on-prem solutions.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Lead Network Engineer at a government with 1,001-5,000 employees
Stable and scalable with very responsive technical support
Pros and Cons
- "It's got the capabilities of amassing a lot of throughput with remote access and VPNs."
- "They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers who are using older encryption. If I do that, update it, it's not going to work for me."
What is our primary use case?
The way we've installed Firepower was for the migration process. For example, there was a data center consolidation, and therefore we had to move everything. We offer data center products to our customers across VPN tunnels. We had to move away from older ASAs, so it's a lift and shift. We moved older ASAs, which were dispersed in many sites, and we consolidated a couple of services in a single site. Firepower was left there in place. I came in and I took over the administration duties, and now I'm trying to put everything together in a way that makes sense.
With Firepower, they have better hardware. It's fitted for more throughput, more load. I'm trying to centralize service delivery on this high-availability pair and move all the remote access to Firepower. Then, it's all part of a transition process from a hybrid cloud to a full cloud deployment on a cloud provider. It's mostly just a necessary pain, until we move away from our on-prem deployments. Currently, I'm working with Azure, etc. and I try to look at the main design of the whole process, even though it's going to take two years.
COVID has also made everything very, very slow for us as we try to move away from our initial plan.
What is most valuable?
The 2100 models are extremely useful for us.
It's got the capabilities of amassing a lot of throughput with remote access and VPNs.
What needs improvement?
They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers who are using older encryption. If I do that, update it, it's not going to work for me.
For how long have I used the solution?
We've been using the solution for about a year.
What do I think about the stability of the solution?
The solution is pretty solid in terms of stability, however, I prefer Palo Alto. For the enterprise world, it's better to have Palo Alto. For the service provider field, Firepower is quite well suited, I'd say. That said, Palo Alto is definitely the enterprise way to go. For a smaller deployment, you can also go with FortiGate. It's simple, however, it works for smaller offices.
What do I think about the scalability of the solution?
The scalability of the product is pretty good. If you need to expand it, you can do so with relative ease.
How are customer service and technical support?
The technical support is amazing. They do reply quickly, and often within an hour. It's been great. I've worked at Cisco before, however, with the type of contract we are in, I find it super fast right now. We're quite satisfied with the level of support.
What's my experience with pricing, setup cost, and licensing?
I don't have any knowledge as to what the product costs. It's not part of the business I deal with.
Palo Alto, it's my understanding, is a little more expensive, however, it depends on the users and on the design. It always depends on the contract.
What other advice do I have?
We're just customers. We don't have a business relationship with Cisco.
It's a solid, reliable product, however, if it's right for a company depends on the use case and the size of the organization. For a startup, this might not be a suitable option.
Overall, I'd rate this solution nine out of ten. As a comparison, if I was rating Palo Alto, I would give it a ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lead Network Security Engineer at TechnoCore LTD
Good evaluation period, support, and it has a powerful intrusion policy
Pros and Cons
- "The most valuable feature that Cisco Firepower NGFW provides for us is the Intrusion policy."
- "I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device."
What is our primary use case?
My primary use case with Cisco Firepower NGFW is implementing, configuring, maintaining, and troubleshooting lab and customer devices in both lab and production environments.
This involves using best practices for configuration, as well as fine-tuning intrusion policies and utilizing as many of the features that the firewall has to offer as are feasible in said environment.
Overall, I am confident to say that I have worked with every flavor of Cisco Firepower NGFW, be it their older IPS-only sensors, ASA with Firepower services, as well as the FTD sensor itself.
How has it helped my organization?
Cisco Firepower NGFW has improved our organization by giving us the opportunity to protect both our network and our customers' environments. Being able to work with the device in a lab environment and utilizing the whole feature set is really easy with the 90-day Evaluation licenses on the FMC. The only thing that you need is an environment with enough resources to virtualize both the FMC and FTD sensors.
I would like to emphasize the easy-to-use evaluation period of the Cisco Firepower NGFW because many other firewall vendors lack this and it is a real pain having to test everything in production environments because you cannot build a good lab environment without paying for licenses.
What is most valuable?
The most valuable feature that Cisco Firepower NGFW provides for us is the Intrusion policy.
Again, with that being said, I cannot shy away from giving kudos to all of the other features such as AVC (Application Visibility and Control), SSL Decryption, Identity policy, Correlation policy, REST API, and more.
All of the features that are incorporated in the Cisco Firepower NGFW are awesome and easy to configure if you know what you are doing. Things almost always work, unless you hit a bug, which is fixed with a simple software update.
What needs improvement?
I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device.
Also, they need to ensure that all of the implemented features are working as they should, and able to integrate with more third-party software in an easier manner.
As it stands currently, Cisco is doing this, but I am not confident enough to say that their QA team is doing as good a job as they should as there have been software releases that were immediately pulled back the same day as they were released.
For how long have I used the solution?
I have been working with Cisco NGFW for almost five years as of 2020.
What do I think about the stability of the solution?
I have seen devices working without any issues and/or without a reboot of the device for many years (although I do not recommend this) running on base versions of the software, and I have seen an out-of-the-box fresh install having many stability issues. However, overall my impression is that the most recent software versions are very stable without any evident underlying issues.
Keep your software up-to-date and the solution should be stable.
What do I think about the scalability of the solution?
Cisco Firepower NGFW has a large variety of devices that are able to accommodate every company's needs, be they small or large. Overall, the scalability of the devices is very good.
How are customer service and technical support?
Experience with Cisco TAC has been awesome almost always. The SLAs are kept every time, which is very hard to get from any of the other firewall vendors. I have not seen any other vendor get you a proficient engineer on the phone within 15 minutes.
Which solution did I use previously and why did I switch?
Cisco ASA and Firepower NGFW is the first firewall solution that I have used and am still using.
How was the initial setup?
Once you deploy a few of these devices, the initial setup is really straightforward and easy to do unless the position of the firewall on the network needs you to do some connectivity magic in order for it to work.
What about the implementation team?
All of the implementations that we have done are with in-house teams, so I have no overview of the vendor team.
What's my experience with pricing, setup cost, and licensing?
Cisco, as we all know, is expensive, but for the money you are paying, you know that you are also getting top-notch documentation as well as support if needed. In some cases, this may save you a lot of money or stress, which is why everyone who uses Cisco solutions loves them.
Which other solutions did I evaluate?
I have worked with many other firewall vendors in both production and lab environments, such as CheckPoint, Palo Alto, Fortinet, and Juniper, but to be honest I find Cisco's firewall solutions and Palo Alto's firewall solution to be the best.
What other advice do I have?
I believe that Cisco Firepower NGFW is the future leader in NGFW, with only maybe Palo Alto being the main competitor. This is very good, as we all know that having a rival is good for us, the users :)
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.