Cisco Secure Firewall Reviews

We are specifically using 7.0 Firepower in several different areas. We have them as an IPS within the core, IPS on the edge, and we're also using the AnyConnect Client as our basis for VPN connection into corporate and other applications.

Firepower NGFW has improved my organization in several ways. Before, we were trying to stamp out security threats and issues, it was a one-off type of way to attack it. I spent a lot of manpower trying to track down the individual issues or flare-ups that we would see. With Cisco's Firepower Management, we're able to have that push up to basically one monitor and one UI and be able to track that and stop threats immediately. It also gives us a little more granularity on what those threats might be. 

We were able to stop hundreds of threats. For killing threats, we were able to get several hundred now in comparison to the one-off that we used to be able to do.

Dynamic policies are very important for us because we do not have the manpower to really look at everything all the time. So having a dynamic way of really registering, looking at, and having certain actions tied to that are incredibly effective for us in slowing any kind of threat.

We're getting there as far as using the application, using it to go to the application level, we're at the infancy of that. We're looking at definitely tying that into our critical applications so that we can see exactly what they're doing, when they're doing it, and being able to track that.

Firepower's Snort 3.0 IPS allows us to maintain performance while running more rules with the advent of 3.0 comparatively to 2X, we have seen at least a 10 to 15% increase in speed where it seems to be more effective. The updates seem to be more effective in finding malicious information. We've definitely seen at least a 10 to 15% increase on tying policy to 3.0.

The features that we find the biggest bang for the buck are for Firepower overall. We're looking at AnyConnect, which is one of the big features. The other valuable features are IPS along with the Geotagging and the Geosync features, and of course the firewall, the basic subset of firewall infrastructure and policy management.

We've looked at other vendors, but Cisco by far has taken the lead with a holistic approach where we don't have to manage multiple different edges at one time. We can actually push policy out from our core out to the edge. The policy can be as granular as we need it to be. So the administration, also the upgradability of the edge is for us because we need to have it 24/7. The upgradability is also another piece of management, logging, and all the other little aspects of the monitoring part.

Using deep packet inspection, especially with 7.0, since it's just come out in 7.0, we're able to see much more granularly into the packet where before we could actually give a general overview using NetFlow. This gives us much more granularity into what is exactly happening on our network and snapping in the Cisco StealthWatch piece gives us the end-to-end way of monitoring our network and making sure that it's secure.

The overall ease of use when it comes to managing Cisco Secure Firewall is one of the reasons that we ended up going with Cisco because the ease of use, basically having one UI to be able to control all of our end devices, policy, geolocation, AnyConnect, all the different pieces of that in one area has been phenomenal.

Cisco Secure Firewall helped to reduce our firewall operational costs because previously if we were not using Cisco's Firepower, we would have had either Cisco ASA or another manufacturer, and we would have had those everywhere. We would have had still two at every site, several within our infrastructure, and the management of those is much more difficult because it's done by one-off.

As far as saving Adventist Health money, I would have to say that it's not necessarily the actual physical product, but the time, labor that we would have had to have to be able to monitor and administer that, and also the time to find malicious issues and security areas that we were unable to see before. So, it's tough to put a cost on that, but it would probably be several hundred thousand dollars overall if you're looking at whether we got hit with malware or with some of the other issues that we're seeing, especially within healthcare. If we were hacked, that would cost us millions.

One of the few things that are brought up is that for the overall management, it would be great to have a cloud instance of that. And not only just a cloud instance, but one of the areas that we've looked at is using an HA type of cloud. To have the ability to have a device file within a cloud. If we had an issue with one, the other one would pick up automatically.

The other part of that is that applying policy still takes longer than we expect. Every version that comes out, the speed is actually increased, but I would love to see that, even a little more as far as when we're actually deploying policy.

We have been using Firepower's series for at least the last six years.

We're staggered right now. The Firepower Management Console is at 7.0 and most of our Firepower units are at 6.6.

We have two areas for deployment. We have them as an edge at our markets, we term our hospitals as markets, but each one of the hospitals will have an HA Pair of the Firepower model. And we also have them in our core, within the ACI infrastructure. We use them as a core firewall along with an Edge firewall.

We've been using Firepower, the Threat Defense, and the Management Console for about six and a half years and I think we've had maybe two issues with it. And most of those were due to either our policy settings or something that we messed up. We've never had to return a box and we've never run into any major bugs that have actually hindered the actual security of the system.

Scalability so far has been fantastic because we started with four Firepower Threat Defense boxes, but really after that, now we have 14 and we're going to be pushing that to 44 to 46 devices. The implementation has been pretty seamless and pretty easy. It's been great.

We use it exclusively for edge and core for firewall and for policy and for IPS and AnyConnect. We plan on continuing to integrate that tighter. So in the future, we probably will not grow that many physical devices, but we plan on actually integrating those tighter into the system, tighter with integration, with Cisco's ISE, and tighter integration with our ACI infrastructure. So at the end of the day, we don't see us going any further away from using Firepower as our core security edge device.

My company has been using Cisco for many years. One of the huge pieces for us is, of course, the supportability and ongoing update, maintenance, and care. We've had a great relationship with Cisco. The tech is outstanding. Typically, we will open a tech case and they will know exactly what the issue is within two to three hours if it's a very difficult one. Typically they even know what it is when we actually open the case.

We've actually had a fantastic relationship working with Cisco. They've had a fast turnaround, great tech support, and we have not run into any issues thus far with the Firepower overall.

Prior to actually using Firepower, we were still a Cisco shop. We used Cisco ASA exclusively, and it was fantastic. But with the advent of Firepower, being able to manage, monitor, and upgrade has really cut back our time on those processes by less than half of what we had before. We were using the good old ASA for many years.

We found that the initial setup using Firepower products was actually very simple. The initial configuration for the Management Console was very straightforward. Adding devices usually takes a few minutes. And then once you've got them physically set up in your Management Console, it's streamlined. It's actually very simple.

One of the great features of having the Cisco Firepower Management Console is having the ability to group. So we have each one of our hospitals as a group, so we can actually do any device configuration within a group. They're HA so that when we do an upgrade, it is seamless because when it fires off the upgrade, it will actually force the HA over automatically as part of the upgrade. And the other part of that is policy management. We have several policies, but specifically, one for the general use at our hospitals has been phenomenal because you build out one policy and you can push that out to all of your end nodes with one push.

We require two staff members to actually implement and devise the initial configuration.

At my company, you have to be at least a senior or an architect in order to manage any type of firewalling, whether that's the IPS, the actual firewall itself, or AnyConnect. So we have senior network engineers that are assigned for that task.

We typically have one person that will actually rotate through the group for the maintenance. There's a senior network engineer that will maintain that on a daily basis. Typically, it doesn't take maintenance every day. The biggest maintenance for us comes to updating policy, verifying the geolocation information is correct, and any upgrades in the future. So typically that takes about one to two people.

We did not actually use any external authority as far as setting up, maintenance, and configuration. It all comes directly from Cisco because of our partnership with Cisco, we have had a fantastic cast of system engineers and techs when needed. We haven't had to go out of our partnership with Cisco to actually implement these, to upgrade, or update.

Cisco's pricing is actually pretty good. We get a decent discount, but when you look across the board, if you're looking at a Cisco firewall, Firepower device, a Palo Alto device, or a Juniper device, they're going to be pretty comparable. A lot of people say, "Oh, Cisco is so expensive." But when you boil it down, when you look at the licensing structure for Firepower, you look at the actual device cost and how much that costs over time, they pretty much are right in line, if not less, depending on what you're buying for Firepower. So we've actually had a great run with that, and we feel confident that we're getting the best price. I haven't seen anything better than the supportability of that.

We actually did look at another vendor when we were looking at initially grabbing Firepower, to bring in as our corporate firewall and our main inspection engine. So we did look at Palo Alto and we also looked at Juniper SRX series, but both of those didn't really have the overall manageability and tightness with the Cisco infrastructure as we would want it to. So there was nothing necessarily security-wise wrong with them, but they were not a good fit for our environment.

The biggest lesson that we've learned is in a couple of different ways. One is how to keep your policy clean. We've learned that we've really had to keep that from overextending what we want to do. It also has great feedback as you're building that out so that you can look at it and you figure out how you are going to be able to really implement this in a way that won't break something or that won't overshadow some other policy that you have. That's probably one of the biggest things that we've learned. The way that you build out your policy and the way that you use that on a daily basis is very intuitive. And it also gives you a lot of feedback as you're building that out.

The advice that I would give anybody looking at Firepower is to look at it from an overall standpoint. If you want something that you can monitor and administer well, that you can update very quickly, and that gives you all of the security aspects that anybody else can on the market, it's going to be really hard to beat because of the Management Console. With this, you've got one tool that you can actually do the device updates, device configuration and all the policy management in one area. So I would say, definitely take a look at it. It's got a great UI that is very straightforward to use. It is very intuitive and it works really well out-of-the-box. And it does not take math science to be able to implement it.

I would rate Firepower a nine out of ten. I can't think of anything that would be a 10. It's mature, it's effective and it's usable.

For companies prioritizing security, the optimal choice is one that offers a range of feeds to cater to diverse needs. This is particularly crucial for organizations implementing DDoS mitigation. The preferred solutions typically align with the top server vendors, with Cisco, Forti, and Barracuda consistently ranking among the top three vendors we collaborate with.

It's not unexpected, but it's a common scenario where customers request dual layers of security. For instance, when dealing with regulatory compliance, especially in financial sectors regulated by entities like the Central Bank, having two distinct units is often mandated. If a client predominantly uses a solution like Palo Alto, they may need to incorporate another vendor such as Cisco or Forti. Importantly, there's a significant disparity in interfaces and management platforms between these vendors, necessitating careful consideration when integrating them into the overall security architecture.

I have been using Cisco Secure Firewall for the past ten years. 

The solution is extremely scalable and based on my experience, I would rate it 7 out of 10.

Cisco is a well-established company, and it offers accessible support, both locally and through online resources. The abundance of information makes it easy to find the necessary details and assistance.

Positive

The implementation timeline for our firewall is contingent on the readiness of the policy. If the policy is prepared, the deployment can occur within a day. However, if the policy is not finalized, a brief meeting is convened to gather the necessary data for rule establishment. Once the information is ready, the implementation on VMware proceeds. Notably, there is a requisite waiting period, such as fine-tuning for optimal rule configuration, as each customer has unique requirements. It's crucial to tailor the rules to fit the specific needs of each customer, as there is no one-size-fits-all best practice in this context.

It is extremely expensive compared to its competitors and I would rate it 2 out of 10. 

I would recommend this solution and rate it 8 out of 10.

We mostly use Cisco Secure Firewall as a VPN concentrator and for its firewall features.

Using Cisco Secure Firewall has helped grow our familiarity with people that know Cisco.

The most valuable feature of Cisco Secure Firewall is its ease of configuration and that it's scalable for firewalls and VPNs.

Changes you make in the GUI sometimes do not reflect in the command line and vice versa.

We have been using the solution since its inception, so, for many years now.

We did not have any stability issues with Cisco Secure Firewall.

We did not see any limitations with Cisco Secure Firewall’s scalability.

We also use Aruba in our organization. We never have to factor in extra development time when we go to a new major version of Cisco. With Aruba, we have a pretty drawn-out development timeline for any upgrades or software improvements. Aruba and Cisco Secure Firewall are very different in their implementation and development.

The initial setup of the Cisco Secure Firewall is very straightforward. The average time it took to deploy the solution was very short. Deploying the VM and automating our configurations took a couple of minutes.

Cisco smart licensing is a hassle for a disconnected environment. However, I haven't licensed anything in a while. There have been many changes, making it easier to license disconnected devices connected to the internet.

ASAv uses the solution as a VPN concentrator and a firewall because it could be used for both. It can be used for landing AnyConnect clients on ASAv and as a firewall.

What sets Cisco Firewall apart from other products is that when we do an update, we know we're not going to break a lot of things, and there are not a lot of bugs. The integration on the Cisco side is pretty good.

Most of our team is familiar with Cisco, and everyone knows what to expect when they log in. So it's easy in that way.

I like the application visibility and control with Cisco Secure Firewall. My only complaint is that the changes made in the GUI sometimes do not reflect in the command line.

I haven't had any problems with Cisco Secure Firewall. It's very straightforward and reliable. Also, it's trustworthy because it has the Cisco name.

Cisco Secure Firewall has helped free up our IT staff for other projects. The product is quite heavy into automation. So with it being Cisco, it is very scalable in generating configs. The solution saves a week or two for implementation and integration.

Cisco Secure Firewall has helped our organization improve its cybersecurity resilience through the reliability aspect.

You know what you're getting when you use an ASAv from Cisco. Cisco Secure Firewall is a great product in terms of reliability and scalability.

Overall, I rate Cisco Secure Firewall ten out of ten.

To safeguard our clients' system data and related aspects, we rely on Next-Generation Firewalls as a system integrator. In particular, we use Cisco Secure Firewall for enhanced security measures.

We have provided our services to the National Information Center in Riyadh, which is a government database. They installed Cisco Secure Firewall systems and have given us positive feedback, which is why most of the areas prefer to use Cisco. To date, we have not received any negative feedback from our clients regarding any issues, such as hacking. Everything has been secure, and I hope it stays that way in the future.

Our company operates in Saudi Arabia, primarily working with government sectors. If any hardware malfunctions, the defective device is removed, and we receive a replacement from the reseller. We have not encountered any issues related to delays in receiving replacements for malfunctioning devices which has been beneficial.

In today's world, cyberattacks have become a common occurrence. However, so far, we have not faced any issues with our systems. I hope the situation remains the same in the future. If Cisco introduces even more advanced security measures, it would be beneficial.

One of the major issues we face in the Middle East is the long delivery time for Cisco products. Currently, they are taking almost 10 months to deliver, which is much longer compared to before when we received the products within 70 to 80 days or even two to three months. For instance, we recently placed an order that has a delivery date in the middle of 2024. This delay is unacceptable as customers cannot wait that long, and they may opt for other alternatives, such as Huawei, Juniper, or HPE. Therefore, Cisco needs to improve its delivery time and ensure that they deliver products within a reasonable timeframe, as it did before.

I have been working with Cisco Secure Firewall for more than 10 years.

We have not encountered any stability issues. The only issue we faced was with another company that did not have proper cooling systems in their data center.

The scalability of the Cisco Secure Firewall is excellent.

A few years ago, we faced an issue with some of our devices in Saudi Arabia, and we reached out to Cisco for assistance. They responded promptly and repaired our devices within the given time frame. While the delivery time for their solutions in the Middle East may be longer, Cisco still delivers their solutions on time, whether it's for repair or new orders. Even if the delivery time is up to a year, Cisco ensures that our products are provided on time.

I rate the support from Cisco Secure Firewall a ten out of ten.

Positive

As a system integrator, our primary focus is not on selling products, but rather on providing comprehensive solutions to our customers, starting from scratch and ensuring everything runs smoothly. In this regard, we rely heavily on Cisco devices, including switches, routers, code devices, NK, Nexus, 7000, and 9000. We also use other Cisco products, such as IP phones and access points. In Saudi Arabia, Cisco is the most popular brand in the market, but its popularity is declining due to prolonged delivery times. Customers cannot afford to wait a year, and this is the primary reason for the decline in demand.

The prices of Cisco Secure Firewall are competitive, especially for us as Cisco partners. We purchase the products directly from Cisco as a gold partner, which allows us to obtain better pricing than we would get from normal distributors or the local market.

Our current company, SNC ICT, is already a Cisco Gold Partner. We are actively involved in investing, purchasing, and selling Cisco products to our customers, as well as performing installations, configurations, and providing other related services.

In the Middle East, most people with a budget opt for Cisco. However, I do not have any information about the preferences in Europe, South Asia, or Asia.

We use Cisco IronPort, Firepower, Secure Firewall, Email, and Secure Connect.

As with most products, integration could be better where needed. Sometimes, for example, the Cisco Secure Firewall and IronPort are in a class of their own. When it comes to management and logging, there's room for improvement.

Most of the products aren't configured on their own, but they are related together. There should be some sort of management. We would need a supervisor to manage it before using all of the solutions together.

They address services that belong together. For example, the Secure Client provides remote access. Authentication and multiple-factor authentication are two different products that belong together. There should be a link between both products and between both management interfaces to see, for example, troubleshooting or reporting so that you have both sources together.

It would be great to have all the data correlated to have an overview and one point of administration. 

The grouping of the solutions helps save time. If you have a problem and you have a high-level overview of the system, you can easily dig deeper into the problem. For example, I can check to see why ASA isn't working but the reason for the outage is actually because of Duo. I can spend a lot of time working in the wrong direction because I didn't have an overview.

IronPort stuff looks at first a little bit outdated. It's not a fancy-colored view, but it does its job and is extremely helpful. Debugging on this platform is very easy. 

Firepower's implementation and reliability need room for improvement. 

We address our problems with the relevant people. Some of the quality of their support has dropped. If your problem gets escalated, there are many skilled people who are absolute pleasures to work with. They are brilliant at what they do. 

If you talk to someone who solves the problem within five minutes you can't do any better. But on the other hand, the other end of the range needs improvement.

You can have a case that lasts 15 months in which you have to talk to 20 people to resolve. 

Neutral

The complexity of the installation depends. It's not so easy to install. Each topic needs one management interface. So you end up with 20 to 40 different management platforms. All of them use a tremendous amount of resources. If you're willing to install it, you need a huge pile of hardware. It is not clear what everything does. Some consolidation there would be helpful. Other vendors face the same problem.

We have seen ROI from using Cisco.

I chose Cisco because I've been working with them for 23 years. I choose it for its stability and because they have the right range of products. Most of our IT staff is happy with it.

I would rate it a nine out of ten. 

We are mainly using it as a VPN gateway and edge firewall.

It helped us with the transition to working from home and hybrid working. Because of its VPN capabilities, it enabled us to keep working while everyone had to stay home because of COVID.

It integrates well with other systems within our environment. 

I like its integration with the AnyConnect client. I also like how modular it is. For example, I can easily integrate the Umbrella add-on into it. We are planning on adding Umbrella. We haven't added it yet, but we have researched it.

One big pain point I have is the ASDM interface because it's Java, and sometimes, it's a bit buggy and has low performance. That's something that probably won't be improved because of backward compatibility. 

The CLI is not always clear. It's not always intuitive.

Some of the things, such as site-to-site VPN, are complicated to set up. The settings you have are all hidden away in crypto maps, and you can't have a setting per tunnel. When you want to change one particular tunnel, you automatically change them all. That's a drawback.

We've been using the Cisco ASA firewall for about two years.

It's reliable.

I haven't had much contact with their tech support. We have a partner called Fundamentals for support. They're good. I'd recommend them.

We have a Palo Alto core firewall, and we handle threat detection and intrusion prevention on that device. We don't use Cisco ASA for detecting or remediating threats.

Compared to other systems that I have used in the past, Cisco ASA is reliable, and it's not a very big hassle to set up. It's very good, and it just does its job. 

It's not a very big hassle to set up. It's a bit complex when you go into different topics that aren't the basic capabilities, such as when you go above VPN and basic ACL configuration, but all in all, it does the job.

I'd rate it a seven out of ten because of the ASDM, non-intuitive CLI, and complication of setting some of the things.

We use them for firewall purposes. We use the small ones with the partners for the services they need, such as VPN and security.

Their performance is most valuable.

The stability could be better because we have a lot of issues with the stability of Cisco Firepower.

I've been using Cisco firewalls for 20 years.

We have a lot of issues with the stability of Cisco Firepower.

It depends on the model. We are hitting some issues with scalability. It's getting very expensive to scale out.

They sometimes take too long and don't fix the issue quickly, but eventually, it is fixed. I'd rate their support a nine out of ten.

Positive

We have been using different Cisco firewalls for a long time. We are currently using Cisco Firepower and Cisco ASA. Cisco Firepower is better than Cisco ASA, but stability is an issue.

It's now easier than before. You can have virtual appliances.

We mostly have it on-prem, but some customers want on-prem virtual.

We considered using a different solution such as Check Point or Huawei. We chose to stay with Cisco because we're experienced with Cisco and because of the support.

The old versions or models saved us time, but the newer ones take our time. Overall, I'd rate Cisco Secure Firewall an eight out of ten.

We started with the old ASA 5510 and migrated to Firepower, first using ASA as the basic operating system. Lately, we've been using FTD because it simplifies operations a lot. We are a very small networking team, and being able to push one policy to many firewalls eases our workload.

We are a global company, and we don't always have IT staff in all corners of the world. Therefore, having one place to do everything is very nice.

Cisco Secure Firewall has made it easier so that more than one person can handle things. We are able to have a bigger team that can handle simple tasks and have a smaller team focus on the deep-dive needs.

We have the same basic policies everywhere now, which makes it more flexible for us to manage.

I like the central management and IPS features. Having everything in one place is very valuable.

Cisco Secure Firewall is very good at detecting threats. We see a lot getting blocked by the IPS in our DMZ, that is, our internet-facing web service.

It helped free up IT staff time. Before, we would have to manually configure every single firewall. Every time we configure something on a firewall, it takes five to ten minutes, and we have more than 50 firewalls around the globe. We do changes every week, and the automated policy and upgrades saved us a lot of time.

In terms of the organization, we have been able to save time by getting things out faster. However, the only downside is that the policy push takes quite a while. Thus, a quick fix still takes at least 15 minutes, and troubleshooting can take time as well.

Some of our problems are related to software updates in remote sites where the internet connection is not stable. Sometimes, the image push just gets disrupted and fails.

The most annoying thing is having to replace the hardware so often. It's very difficult for us to do.

The integration between different tools could be improved. For example, with SecureX, I am yet to find out how to forward security events to different tools such as Microsoft Sentinel, which is what we use for log detection.

We've been using Cisco Secure Firewalls for a very long time.

We had to get in touch with technical support a few times, and our experience was good. I would give them a rating of nine out of ten. 

Positive

The initial deployment is easy, and I have not had any issues.

The solution is deployed on-premises. We have an on-premises FMC that connects everything.

The cost of the firewalls versus the ROI is okay.

We are quite Cisco-centric because of the performance we get for the price range. We have a lot of smaller sites, and we are not a very big organization. The price fits us perfectly.

Overall, I would rate Cisco Secure Firewall at nine on a scale from one to ten.