Cisco Secure Firewall Reviews

Cisco ASA has a well-written command-line interface. Cisco’s AnyConnect SSL VPN is by far the best client VPN technology I’ve ever had to deploy and manage. Upgrades are a breeze. Failovers between units are flawless. FirePower add-ons deepen security with intrusion prevention (IPS), anti-malware protection (AMP), and URL filtering. These particular services can run as a hardware or software module within the ASA. Unlike ASA with CSM, these modules are managed by FireSight, a single pane for all of your FirePower nodes. It’s intuitive and easy to use, but still lacks some automation capabilities (e.g., bulk edits, etc.).

Cisco is a huge name in the networking world. Having a solution that includes their firewall technology adds value from an operability and support perspective. Cisco, although sometimes considered to be "behind the times" with firewall technology, continues to prove it has momentum in the industry through acquisitions such as Sourcefire and OpenDNS, with rapid integration into their systems. Additionally, ASA is synergistic with other security offerings from Cisco, such as ISE, remote tele-office workers, etc.

When running multiple firewalls in your network, you need someone to manage them from a central point. Cisco’s answer is Cisco Security Manager (CSM). Unfortunately, this is a suite of applications that is in much need of an overhaul. It is riddled with bugs and lacks the intuitive experience found in competing vendor offerings. The counter-intuitive interface makes configuration management cumbersome and prone to mistakes. There are software defects within certain modules of the application, resulting in a frustrating experience. Reporting is almost useless. The best part about it is the logging component, but it still is lacking, compared to what you get from other competing vendors.

Aside from management, I think Cisco needs to become more application-focused, something that a few of their competitors shine in.

I've deployed and managed Cisco ASA's for over a decade. I've used the X-series models for about three years now.

I have not encountered any stability issues; this is a solid firewall platform. Stability is where it shines.

The newer clustering capabilities have introduced some solid scalability design options. From a cost perspective, scalability is quite intimidating.

Cisco's TAC engineers are competent, responsive and typically resolve issues in a timely fashion. Do not use them for "best practice"; this is what channel partners are for.

I previously used Check Point. Check Point relied on a thick, Windows-based client and, at the time, did not support transparent contexts. However, Check Point has a solid management platform, which is something Cisco should take some pointers from.

Initial setup is complex for a new user, straightforward for a seasoned user. Tons of documentation is available, but you can easily get lost for days if you've never touched one. Cisco offers ASDM, a GUI wizard that can help set up the firewalls. This is nice for newer folks.

Work very closely with your channel partners to verify you have all the licensing you need (VPN, Firepower, etc.). Pricing is always a challenge. Buy closer to Cisco's EOY and you might save a few bucks.

Before choosing this product, I also evaluated Palo Alto. I really liked their firewall platform, their Panorama management platform, and wildfire technology. Their SSL VPN was seriously lacking. This is a decent option to consider as well.

Read the Cisco Validated Designs (CVDs) regarding ASAs. Find some decent blogs, discuss topologies and scenarios with a seasoned engineer, and get your final design validated by Cisco. Your Cisco SE should be able to assist with this. If you need assistance implementing, work with your channel partner.

Our use for Cisco Secure is for the firewall. 

Network segmentation is the most valuable feature.

The dashboard can be improved. 

I have been using Cisco Secure Firewall for seven years. 

It is stable.

It is scalable. A thousand-plus users are using the solution in my company. 

The initial setup is straightforward. 

Pricing is high.

Overall, I rate the product an eight out of ten. 

We use Cisco IronPort, Firepower, Secure Firewall, Email, and Secure Connect.

As with most products, integration could be better where needed. Sometimes, for example, the Cisco Secure Firewall and IronPort are in a class of their own. When it comes to management and logging, there's room for improvement.

Most of the products aren't configured on their own, but they are related together. There should be some sort of management. We would need a supervisor to manage it before using all of the solutions together.

They address services that belong together. For example, the Secure Client provides remote access. Authentication and multiple-factor authentication are two different products that belong together. There should be a link between both products and between both management interfaces to see, for example, troubleshooting or reporting so that you have both sources together.

It would be great to have all the data correlated to have an overview and one point of administration. 

The grouping of the solutions helps save time. If you have a problem and you have a high-level overview of the system, you can easily dig deeper into the problem. For example, I can check to see why ASA isn't working but the reason for the outage is actually because of Duo. I can spend a lot of time working in the wrong direction because I didn't have an overview.

IronPort stuff looks at first a little bit outdated. It's not a fancy-colored view, but it does its job and is extremely helpful. Debugging on this platform is very easy. 

Firepower's implementation and reliability need room for improvement. 

We address our problems with the relevant people. Some of the quality of their support has dropped. If your problem gets escalated, there are many skilled people who are absolute pleasures to work with. They are brilliant at what they do. 

If you talk to someone who solves the problem within five minutes you can't do any better. But on the other hand, the other end of the range needs improvement.

You can have a case that lasts 15 months in which you have to talk to 20 people to resolve. 

Neutral

The complexity of the installation depends. It's not so easy to install. Each topic needs one management interface. So you end up with 20 to 40 different management platforms. All of them use a tremendous amount of resources. If you're willing to install it, you need a huge pile of hardware. It is not clear what everything does. Some consolidation there would be helpful. Other vendors face the same problem.

We have seen ROI from using Cisco.

I chose Cisco because I've been working with them for 23 years. I choose it for its stability and because they have the right range of products. Most of our IT staff is happy with it.

I would rate it a nine out of ten. 

We have all kinds of use cases. Our customers are large enterprises, and they need perimeter security. Zero trust, network access control, and network segmentation are quite important these days.

We are a partner and reseller. We implement, and we resell. As a Cisco Secure reseller, we have all the expertise. Our customers are usually overworked and have no time to learn how to implement these things and get some expertise. That's what we bring in. We help them select the right solution, select the proper design and architecture, and implement it. They basically lack the time and expertise, and we are a trusted advisor who helps them with their issues.

I'm working with security. It improves the security posture of our customers and protects them from threats. We recently saw a bunch of hacks in Germany and our customers are concerned. We help to protect our customers from that, and that's very important.

The analysis tools and encrypted traffic analysis save time. They help detect security threats and incidents that can cause outages for customers. It's a great improvement.

Application inspection, network segmentation, and encrypted traffic detection or encrypted traffic analysis (ETA) are valuable for our customers. I'm from Germany, and in Germany, people are very concerned about privacy. We have a bunch of public customers, and they have an issue with decrypting traffic, even if it's only for security analysis. They have some fears. So, they are quite interested in the capability to detect threats without decrypting traffic.

The usability of Cisco Firepower Threat Defense is an issue. The product is still under development, and the user interface is very difficult to deal with. That's one area where it should be improved. Another area for improvement, which is also related to the firewall, is stability. We are having stability issues, and we had some cases where customers had a network down situation for about one or two days, which is not great.

As a partner, I have been working here for about nine years, but we offered this solution all the time. The company has probably been doing that for at least 15 years.

Cisco Firepower Threat Defense has improved a lot over the last few years, but we sometimes still have really big issues.

Their support is pretty awesome. It doesn't really matter if you have a hardware issue or a software issue. If it's a hardware issue, you get a replacement quickly, and if you have a software issue, you get quick support. There are also some bad examples. I have one from wireless where after a problem was acknowledged, it needed about one year to get fixed. It depends a little bit on how complex the issue is, but in general, it's quite okay.

We are also selling Fortinet, Palo Alto, and Check Point. We sell all solutions, but I'm quite focused on Cisco. It's mostly because I have the most expertise and experience with it over the years. I've been working with Cisco security solutions for 15 to 20 years. That's where my expertise is, and with Cisco, you have a solution for everything. It's not always the best of breed, but in the overall solution frame, you have something for everything, and they interact nicely with each other, which is great.

The deployment model is totally customer dependent. The way we work, we look at the customer environment and develop a proper deployment model for them. Some of them are using enterprise agreements. It's becoming more and more common, so they can use several solutions at once or with some kind of added use price and other benefits.

I'm not always involved in the deployment. I work as an architect. I do not implement all the solutions I design, but I implement some of them. For me, it's important because, for one, I like it, and second thing is that I need to have some kind of hands-on experience to understand the solution so that I can make better designs.

If you do the initial setup for the first time, it's somewhat complex., but over time, you get the experience, and then it's more or less straightforward. 

Our clients rarely used the firewall migration tool. It gives you a starting point for the configuration, but usually, there are so many things you need to rework afterward. We use it sometimes, but it only does a part of the job.

It does require maintenance. The clients have maintenance contracts for that.

In our company in Germany, just for the security solutions, we have about 20 to 30 engineers. They are experienced in different areas. For the firewalls, we have 10 engineers.

Cisco was never a cheap solution. Compared to other vendors, it's more or less at the same level, except maybe Fortinet which is fairly cheap.

In terms of licensing, we still have issues with the subscription model. Many of our customers are used to buying a solution and owning it. It takes time to convince people to go for the subscription model. That's still an issue for us.

We have Cisco Firepower Threat Defense, email security, web security, and Cisco Umbrella. Most of the time, I am working with Identity Services Engine for identity-related things. That's the main product I work with all the time. I have almost no direct contact with Talos, but I know that below the hood, it just improves all their security solutions.

To those evaluating this solution, I would advise being a little bit careful with it. It interfaces well with other Cisco solutions, so it has value, but it's not always the best solution.

At the moment, I would rate it a six out of ten.

The primary use case is as one-layer protection of our OT network. The way we're set up is that we have our OT network behind the commercial network, and we do dual firewalls. We've Cisco firewalls on the commercial network side and a different vendor and a different management group on the OT network side.

It's a good solution. It's in some ways a reactive solution where we have it sitting in a whitelist mode rather than a blacklist mode. So, we are blocking everything and permitting specific things, and it seems to work fairly well for us.

It hasn't necessarily freed up the time, but it has helped in securing the infrastructure and the OT network behind it. The intent of this particular solution is not time-saving. It's not a cost solution. It's meant to isolate and control access to and from a specific set of infrastructure.

It allows us to get access. We're seeing more and more that business systems like SAP are looking to get access to OT systems, and this is how our systems get that.

It's protecting the organization against the impact of cyber threats and cybersecurity. We run manufacturing plants that have hazardous material, and we don't want that manufacturing process to be impacted by break-in exposure, cyber threats, or any other similar thing.

We would like to be able to manage a set of firewalls rather than individual firewalls. We haven't really looked into it or yet implemented it, but a single pane of glass would be helpful. We also use another vendor's firewalls, and they have a centralized management infrastructure that we have implemented, which makes it a little bit easier when you're managing lots of firewalls.

We've been using Cisco firewalls for 10 years or more.

It has been a very stable solution. If you keep it up to date and do sensible management on it, it's a very stable solution.

So far, in this use case, it has met our scalability requirements in terms of traffic and management.

We have an excellent account team, and they go to bat for us inside of Cisco. We also have access to TAC and things like Smart Net, and all that seems to go very well. It's a good team. I'd rate them a nine out of ten.

Positive

We weren't using anything similar in this particular use case. We chose Cisco because they originally came on the recommendation of our networking partner. They came in with a strong recommendation from a strong partner.

I wasn't involved in its deployment. That was before I started working in this space.

In this specific use case, the biggest return on investment is that we do not have incidents, and this ultimately, in some of our factories, ends up being a health and human-safety use case.

We've gone to all smart licensing, so that works well. 

Understand what you're trying to protect and what you're trying to protect it from, and then also understand how the solution is managed.

I'd rate Cisco Secure Firewall a nine out of ten.

• VPN
• ASDM configuration

For FirePOWER:

• IPS
• AMP
• URL filtering

It's pretty easy to connect between different branches using site to site VPN.

Cost, it's very expensive. To migrate from a Cisco ASA 5550 and not drop in performance, you have to go to a Cisco ASA 5555-X with FirePOWER. To fully use the Cisco FirePOWER IPS, AMP and URL filtering, you are forced to (MUST) buy the Cisco FireSIGHT management centre. You also have to buy licensing for Cisco AnyConnect VPN client

I've been using it since October 2004, so for 10 years.

Due to the cost, I am still waiting for more funds to deploy the final phase, FirePOWER IPS, AMP and URL filtering.

Cisco did an upgrade from v8.2 to v8.3 of the migration system. NAT configuration is different from 8.2 to 8.3. It's not easy to upgrade to 8.3 and above leading to running different software versions.

V8.2 is very stable. With the latest versions it's still early to tell.

Upgrading from v8.2 to v8.3 is a nightmare. The risks of down time are so high that I am forced to run different versions. Stay with 8.2 on all NAT dependent on your ASA, but again it's all about the cost.

Excellent customer service. Cisco listens to their customers.

Excellent customer service and documentation.

We previously used Checkpoint, and I switched because Checkpoint was expensive but now it looks like Cisco is following the same route.

It was not that complex because I was using Cisco routers and switches five years prior.

It was an in-house implementation.

I can't tell right now as I am still investing.

The initial investment on the Cisco ASAs was around one million South African Rand and there's a R200,000 annual maintenance cost with Cisco's partners.

No. I went straight to Cisco because of my experience with their CUCM IPT solutions, routers and switches.

Budget a lot of money, especially on the initial setup and the annual licensing and maintenance cost.

This is an SSL that can decrypt and encrypt SSL traffic. 

The ability to encrypt and decrypt is great.

The dashboards are excellent.

We really like the reporting aspect of the product. 

It is stable. 

We found the initial setup to be easy.

Maybe the dashboard could be a bit better. There are some reports where we don't get it. We need a deep dive into a particular URL, however, it provides the URL and the IP address, and there is no more information that can show more details. Basically, the report models can be improved.

With their console, we have to build a separate VM. In some of the products, the management console comes along with the box itself. It'll be one solution to take the backup and keep it. Even if you want to build a DR, it'll be easy. However, the challenge we had is if that VM is down, my team may not able to access the Firepower remotely. Therefore, the management console itself should be built within the Firepower box itself, rather than expecting it to be built in a separate VM.

I've been using the solution for more than four years. 

We have not, as of now (touch wood) faced any issues. It's stable, and we don't face any performance issues as well. It's reliable. There are no bugs or glitches. It doesn't crash or freeze.

At this moment, we have not thought through scaling. The model which we use is less than 60%. What I heard from them is you can cascade it to another box, and scaling can be done.

We have between 400 to 450 concurrent users on a daily basis accessing this box. Overall, we have 2,000 devices that could be easily communicated via Firepower.

Technical support is good. We've found it to be quite good in general. 

Positive

The initial setup is great. It's very easy and quite straightforward. If you understand the process, it is very easy. I'd rate it a 4.5 out of five in terms of ease of implementation. 

I don't manage licensing. I can't speak to the actual cost of the product. 

We're a customer and end-user.

I'd recommend the solution to organizations that have around 1,500 people that need to access the solution. 

I would rate the solution a nine out of ten. 

We use it for remote access VPN. That means the folks at home can work from home using AnyConnect.

For our very specific use case, for remote access for VPN, ASAs are very good.

Cisco also introduces new features and new encryption techniques.

Cisco wasn't first-to-market with NGFWs. That is one of the options now. They did make an acquisition, but other vendors got into that space first. I would tell Cisco to move faster, but everything moves at the speed of light and it's hard to move faster than that. But they should look at what other vendors are doing and try not only to be on the same wavelength but a little bit better. It's hard to be critical of Cisco given that they pave the way a lot, but they should see what their peers are doing and try to emulate that.

In terms of additional features, perhaps there could be some form of integration with the cloud. I don't know how much appetite we would have for that given the principle of keeping a lot of the sensitive data on-prem. But some integration with the cloud might be useful, given that the cloud is everything you see these days. We have our on-premises devices, but maybe they could provide an option where it fails over to a cloud in a worst-case scenario.

I've been using Cisco ASA Firewalls from the time I was in school. I learned it when I was in the academic setting. I joined Cisco and worked there for six years there as a sales engineer before joining my current company.

The stability of the solution is a 10 out of 10.

Scalability is probably a 10 out of 10 for what we're looking at.

Their technical support is very good. Maybe I view them with rose-colored glasses since I was there for six years, but they really do try hard. Cisco cracks the whip on them. They do a lot of work. There's no downtime.

Positive

The challenge we wanted to address was scale. We're growing and we needed something a little more robust, something that could hold a big boy. We've got a lot more employees and we were using an older version of the hardware, so we upgraded to the newest version of the hardware, given that we're familiar with it. It solves our use case of allowing employees to work from home.

I was involved in the design, deployment, and operations. Our team is very special in the fact that we don't delegate to other folks. We're responsible for what we eat and what we design. We actually do the hands-on work and then we maintain it. We tend not to hire out because they come, they wash their hands clean of it, leave, and then there's all this stuff that needs fixing. If we get paged at 3:00 AM it might be our fault, and the lessons are learned.

Our network engineering team consists of about 12 people.

The pricing is fair.

My advice to others would be to design it well and get it validated by the Cisco team or by a consulting company. Don't be afraid of the solution because they have skin in the game. It's been in the market for so long, it's like buying a Corolla, as odd as that sounds. If you have a use case for your car where you're just driving from A to B, then get that Corolla and it will suit you well. It will last you 100 million miles.

Cyber security resilience is super important. We have super important data and we need to secure it. We're regulated and audited by the government and we're audited all the time. I get audited when I breathe. We have to make sure everything is super transparent and make sure that we have all of the fail-safes in place and done well. We have to be very accountable so that there are no "gotchas."