Cisco Secure Firewall Reviews

For our customers, Firepower is a classic perimeter firewall. Sometimes it's also for branch connections, but for those cases, we prefer Meraki because it's simpler. If a customer has Meraki and requires advanced security features, we will offer Firepower as a perimeter solution for them. Meraki is for SD-WAN and Firepower is for the perimeter.

Firewalls are not a new technology but they have a very distinct role in an enterprise for defending the perimeter. Firepower is for organizations that have traditional infrastructures, rather than those that are heavily utilizing cloud services. For us, the clients are government agencies and ministries, and we have a lot of them as our customers in Latvia.

Most firewalls do the same things, more or less. Because we have to compete with other vendors, it's the things that are different that are important. With Cisco, it's the security intelligence part. It's quite simple to configure and it's very effective. It cuts down on a lot of trouble in the early phases.

IPS and Snort are very important because they also differentiate Cisco from other vendors and competitors.

I also like that, in recent years, they have been developing the solution very quickly and adding a lot of new, cool features. I really love the new web interface of Cisco Secure Firewall Management Center. It looks like a modern web-user interface compared to the previous one. And the recent release, 7.2, provided even more improvements. I like that you have the option to switch between a simplified view and the classic view of firewall policies. That was a good decision.

A major area of improvement would be to have more functionality in public clouds, especially in terms of simplifying it. The high availability doesn't work right now because of the limitations in the cloud. Other vendors find ways to make it work differently than with on-prem solutions.

This is very important because we have customers that build solutions in the cloud that are like what they had on-prem. They have done a lift-and-shift because it's easier for them. They lift their on-prem physical boxes and shift them to the cloud, convert them to virtual, and it continues to work that way. Many times it's not the most efficient or best way to do things, but it's the easiest. The easiest path is probably the way to go.

I have been using Cisco Firepower NGFW Firewalls for four or five years now, but before that, I worked with ASA Firewalls a lot. It was just a transition. I have been using Firepower almost from day one.

We are an integrator and we resell as well as provide professional services. We do everything from A to Z.

There are a lot of things that can be improved. As a Cisco partner, I usually take the first hit if something doesn't work. In recent years, the solution has improved and is more stable. But it has to continue to improve in that direction.

A Firepower firewall is a very important point of exit and entry to a network. It's a critical piece of infrastructure. They should have high availability.

By comparison, I am also a huge fan of Stealthwatch (Cisco Secure Network Analytics) and I use it everywhere. I've been working with that solution for 15 years but it's not mission-critical. If it doesn't work, your boss is not calling you. If it doesn't work, it is not collecting telemetry and it doesn't do its job, but you are not stressed to fix it. With firewalls, it's a little different.

Tech support really depends on how lucky you are. It depends on when you create a TAC case and in which time zone the case is created. That determines which part of TAC takes ownership of your case. I have had a few unpleasant cases but, at the end of the day, they were resolved. I didn't feel like I was alone in the field with an angry customer.

Positive

We made a gradual transition from ASA to Firepower because they first had this as Sourcefire services. That is what we used to install first for our customer base. Then Firepower defense appliances and firmware came out. It was a natural process.

My view may be a little bit biased because I do a lot of Cisco deployments, and I have a lab where I play all the time. But overall the deployment is not too complicated.

The deployment time depends on what type of deployment you have. If it's a physical deployment, it may be a little bit faster because you don't have to set up virtual machines. But I recently had a project in AWS, and I used Terraform Templates and it was easy. I still had to configure some additional things like interfaces, IP addresses, and routing. 

Because I know where everything is in the UI, the deployment is okay. One thing I miss a little bit is being able to configure things, like routing, via the command line, which is how it used to be done with the ASA Firewalls. But I understand why they've taken that ability away.

With ASA Firewalls, even when you were upgrading them, the experience was much better because it didn't have those advanced Snort features and you could usually do an upgrade in the middle of day and no one would notice. You didn't have any drops. With Firepower, that's not always the case.

It's hard to talk about pricing when you compare firewalls because firewall functionality is almost the same, regardless of whether it's a small box or a large box. The difference is just the throughput. Leaving aside things like clustering, what you have to look at are the throughput and the price.

Cisco's pricing is more or less okay. In other areas where we work with Cisco solutions, like other security solutions and networking, Cisco is usually much more expensive than others. But when it comes to firewalls, Cisco is cheaper than Check Point although it is not as cheap as Fortigate. But with the latest improvements in hardware and speed, the pricing is okay.

To me, as a partner, the licensing is quite simple. I'm responsible for providing estimates to my sales guys and, sometimes, as an architect, I create solutions for my customers and give them estimates. There are other Cisco solutions that have much more complicated licensing models than Firepower. In short, the licensing is quite okay.

Not all of our customers use Cisco and that means we have competition inside our company with Check Point. We also made some attempts with Palo Alto Firewalls, long before we became Cisco partners, but somehow it didn't work for us.

I enjoy working with Cisco because it's more of a networking-guy approach. It reminds me a lot of all the other Cisco equipment, like their switches and routers. The experience is similar.

I haven't worked a lot with Checkpoint firewalls, but I like how they look. What I don't really like is the way you configure them because it's very different from what networking guys are used to doing. I'm not saying it's bad, it's just different. It's not for me. Maybe it appeals more to server guys. Cisco has a more network-centric approach.

It's deployed in multiple ways, depending on the use case. Generally speaking, we have them as edge firewalls, but I have some customers who use them as data center firewalls, and some customers who use them as VPN firewalls. And in some places, they're the east-west firewalls, as they would be called in a core network. We do have some that are for cloud firewalling, that we're using in Azure and AWS. But generally speaking, they're deployed as edge firewalls and on-prem.

In some cases that I'm aware of, when moving from specific platforms like Check Point, Firepower has offered a much easier way of working with the platform and deploying changes. For the customer, it's a lot easier in the newer platform than it was in the previous one.

I've done network assessments, where we wanted to get visibility into all flows. I used Firepower boxes for some of those, where we tapped a line and let Firepower see all the traffic. It was incredibly helpful in picking up all of the flows of data. As a result, I was able to give information to the customer, saying, "This is what it's doing and this is what it's seeing in your network." I find it very helpful to get all that type of data. It's got a lot more information than NetFlow-type systems.

There have also been use cases where I'm doing east-west and north-south in the same firewall box. That is possible with SGTs and SD-Access and Firepower. That ability has been critical in some of the designs we've done. A scenario would be that we have an underlay, a corporate network, and a guest network VRF-routed zone; big macro security zones. We are doing micro-segmentation at the edge with SD-Access, but the macro-segmentation between the zones is handled by the firewall. Because we didn't want to split up our east-west and north-south, because there really wasn't a budget for it, they're on the same box. That box is able to do both flows that go towards the internet and flows that go between the different interfaces on the firewall. We're using SGTs in those policies and we're able to extend the logic from the SD-Access environment into the firewall environment, which creates a very unified approach to security.

We're also able to implement dynamic policies for dynamic environments with 7.0. That's becoming more and more important every day. IPs are becoming less important; names and locations and where things live in the cloud mean things are becoming a lot more fluid in the world of security. It's very helpful to have objects and groups that can follow that fluidity along, as opposed to me trying to do it old school and static everything up. No one has time for that. Dynamic policy capabilities enable tight integration with Secure Workload at the application workload level. The IP is less relevant and the application or the VMware tag can be tied to a specific ruleset. It's very helpful to be able to have it be so dynamic now. We're using more and more of those dynamic group concepts.

When it comes to the solution’s tags for dynamic policy implementation in cloud environments, VMware is the primary one I'm seeing these days, but I expect Azure to pick up significantly. The use of these tags for dynamic policy implementation in cloud environments simplifies things. We don't have to have so much static stuff pinned up. We can just have a single rule that says, "If it's this tag, then do this," as opposed to, "If it's this IP and this IP and this other IP, then you're allowed to do this thing." By disconnecting it from the IP address, we've made it very flexible.

It may sound a bit strange, but one of the most valuable features of Firepower 7.0 is the "live log" type feature called Unified Event Viewer. That view has been really good in helping me get to data faster, decreasing the amount of time it takes to find information, and allowing me to fix problems faster. I've found that to be incredibly valuable because it's a lot easier to get to some points of data now.

Also, the new UI is always getting better from version to version. In the beginning, when it came to managing Cisco Secure Firewall, it wasn't always the easiest, but with 6.7 and 7.0, it's gotten easier and easier. It's a pretty easy system to manage. It's especially beneficial for people who are familiar with ASA logic because a lot of the Firepower logic is the same. For those people, they're just relearning where the buttons are, as opposed to having to figure out how to configure things.

I've used the backup VTI tunnel and that's a feature that lets me create some redundancy for my route-based stuff and it works pretty well. I haven't had any issues with it

Firepower 7.0 also has fantastic Dynamic Access Policies that allow me to replicate a lot of the configurations that were missing and that made it difficult to move off the old ASA platform for some customers. The addition of that capability has removed that limitation and has allowed me to move forward with implementing 7.0. 

Snort 3 is one of the biggest points on Firepower 7.0. I've been using Snort 3 for quite a while and, while I don't have a ton of customers on it, I do have some who are running on it and it's worked out pretty well. In their use cases, there wasn't a lot of risk, so that's why we started with it. Snort 3 has some huge advantages when it comes to performance and policy and how it's applying things and processing the flows.

Dynamic Objects have also been really critical. They're very valuable. Version to version, they're adding a lot more features onto Dynamic Objects, and I'm a big fan. 

I've also used the Upgrade Wizard quite a bit to upgrade the firmware. 

And on the management side, there are the health modules. They added a "metric ton" of them to the FMC [Firepower Management Center]. In version 6.7 they released this new health monitor which makes it a lot easier to see data and get to information faster. It's quite nice looking, as opposed to CLI. The new health modules really do stand out as a great way to get to some of that health data quickly—things like interface information, statistics, drops—that were harder to get to before. I can now see them over time, as opposed to at just a point in time. I've used that a lot and it has been very helpful.

In addition, there is the global search for policy and objects. I use that quite a bit in the search bar. It's a great way to get some information faster. Even if I have to pivot away from the screen I'm on, it's still great to be able to get to it very quickly there. 

In a lot of ways, they've addressed some of the biggest complaints, like the "housekeeping" stuff where you have to move around your management system or when it comes to making configuration changes. That has improved from version to version and 7.0 is different. They've added more and have made it easier to get from point A to point B and to consume a lot of that data quickly. That allows me to hop in and do some data validation much faster, without having to search and wait and search and wait. I can get to some of that data quicker to make changes and to fix things. It adds to the overall administrator experience. When operating this technology I'm able to get places faster, rather than it being a type of bottleneck.

There is also the visibility the solution gives you when doing deep packet inspection. It blows up the packet, it matches application types, and it matches web apps. If you're doing SSL decryption it can pinpoint it even further than that. It's able to pull encrypted apps apart and tell me a lot about them. There's a lot of information that 7.0 is bringing to the forefront about flows of data, what it is, and what it's doing. The deep packet inspection and the application visibility portion and Snort are really essential to managing a modern firewall. Firepower does a bang-up job of it, by bringing that data to the forefront.

It's a good box for visibility at the Layer 7 level. If you need Layer 7 visibility, Firepower is going to be able to do that for you. Between VLANs, it does a good job. It's able to look at that Layer 7 data and do some good filtering based on those types of rules.

I'd like to see Cisco continue its approach to making it easier to navigate the UI and FMC and make it easier to get from point A to point B. Generally, the room for improvement is going to be all UI-related. The platform, overall, is solid.

I'd also like them to continue to approach things from a policy-oriented perspective. They are moving more and more in that direction. 

Also, the change-deployment time can always be improved. Even at 50 seconds, it's longer than some of its competitors. I would challenge Cisco to continue to improve in that area. It's very reasonable at 50 seconds, it's not like it used to be in early versions of Firepower, where it was around seven minutes. Still, it could be quicker. The faster we can deploy changes, the faster we can roll back changes if we have messed something in the configuration. Low deploy times are really good to have. 

I would also like to see more features that will help us connect things to the cloud dynamically, and connect things to other sites dynamically. There should be more SD-WAN features in the boxes. If I can use one box to solve cloud connectivity problems, and not have to do stuff so statically, the way I have to do things today on them, that would be helpful.

I am a Cisco partner and reseller and I actually beta test for the Firepower team. I work on Firepower boxes and have done so since the beginning. I have customers on Firepower 7.0 and I have been using Firepower 7.0 since its release.

I haven't really had any major complaints or issues with Firepower 7.0 stability.

It scales, but it depends on the growth rate of the customer and the amount of bandwidth. It's usually a speed and feed problem: Is the firewall box big enough to handle the traffic? Snort 3 has made some improvements there and it's even given some life back to older boxes because of improvements in code and in how Snort processes data. But, overall, the box just has to be big enough for the amount of traffic you're trying to shove through it.

I've been doing this a long time and I don't usually need to call tech support. But when I do need to call TAC, after working with a lot of the other vendors out there, Cisco TAC is still one of the best technical resources in the market. I do like TAC. That's not to say that every TAC engineer is great, but comparatively, they're one of the best support organizations.

Neutral

The initial setup is straightforward, with the caveat that I've been doing this for a long time, so for me it is simple and makes sense. But it is pretty straightforward. You have overall policies that wrap up into your access policy, which is the base policy. You have DNS policies that will roll right up into it. Likewise, platform policies get attached to devices. Generally speaking, it's a lot of working through the logic of the rules: How do you want to block stuff, and how do you want to permit stuff? A lot of that is normal firewalling. When I say the setup is simple, it's because it involves normal firewalling issues. You have to deal with routing, NAT rules, ACLs, and VPNs. It's a matter of just kind of working through those same things that every firewall has to solve.

The deployment time depends on the customer and how many rules. If we're building out all their rule sets, it could range from 40 hours to hundreds of hours. It also depends on what we're coming from. We're not generally walking into environments that are green, meaning there's no box there today. It's almost always that there's something else there that we're replacing. We have to take what we're coming from, convert it, and then put it on Firepower. Small businesses might have a couple of rules, enterprises might have hundreds of rules.

Our implementation strategy is to go in, document the current state of the environment, and then work on a future state. We then work through all the in-between stuff. When we have the old firewall configuration, we determine what it will look like on the new firewall configuration. Does the firewall configuration need to be cleaned up? Are there things that we can optimize and improve or modify? A lot of it involves copying configuration from the old platform to the new one. We're usually not trying to change a ton in a firewall project because it increases the risk of problems arising. Usually, customers' networks are operating when we get into them. We prefer to do a cleanup project after implementation, but sometimes they coincide.

In our company, one person can usually do a firewall cutover. And maintenance of Firepower 7.0 usually requires one person. Maintenance will usually involve a firmware upgrade.

There is a lot of value with SecureX. Other customers struggle to bring all the data back to one place, the way you can with SecureX, across a product portfolio. The value of that capability is incredible. I don't know how to put a monetary value on it, but from an operational perspective, it's very helpful to have it all back in one place because you're not having to hop around to multiple UIs to find the data you're looking for.

With any vendor, prices are often a little bit negotiable. There are things like discounted rates. There's a list price and then, as a partner, we get a discounted rate based on how much product we're purchasing and our relationship with the vendor. 

But on the list-price side of things, there are three big licenses on an FTD [Firepower Threat Defense] box. There are the malware license, the threat license, and the URL filtering license. You can license them in one-year, three-year, and five-year increments. Each license will enable different features on the box. The malware license will enable AMP filtering or AMP detection. The threat detection enables use of the IPS solution, which is really Snort's bread and butter. And the URL filtering enables filtering based on URL categories.

Sometimes we use URL filtering and sometimes we don't. It depends on the customer and on whether they have a different URL filtering strategy, like Umbrella. The two big ones that we sell are malware and threat detection, with threat detection probably being the license we sell the most.

SMARTnet, the technical support component, covers the box. When you purchase the hardware, you buy it with SMARTnet. Licenses cover features, SMARTnet covers support.

We continue to support, integrate, and sell three out of the major four vendors: Palo Alto, Fortinet, and Cisco. Every vendor has been a great partner with us, so I don't want to showcase one firewall platform over another.

Palo Alto is arguably the most mature out of the group when it comes to the firewall in general, but they've also been developing on the same platform for quite a long time.

FortiGate, on the other hand, is great in a lot of use cases.

Cisco's strength is how it integrates with the security portfolio at Cisco. When you have a lot of other security products or integrations, Firepower really stands out above the rest. Palo Alto and Fortinet, although they can integrate with SDA to some degree, they don't integrate to the same depths as Firepower. You really start to see the benefits of Firepower in your organization when you're looking at the Cisco security stack. That's what I would argue is one of the biggest benefits of Cisco in general, that stack of products.

With Cisco, it's not necessarily about a single piece, it's definitely about how they all can communicate and talk to each other, and how information is shared between the components, so that you can create a unified approach to security. Their SecureX product is an integration point. It brings together a lot of that information from different product lines in one place. That's really Cisco's game. Some of the other security vendors struggle to keep up with the breadth and depth of what Cisco is doing in all those different spaces.

In terms of ease of management, Firepower is an enterprise product. While FDM [Firepower Device Manager] is really easy to use, FMC has a lot more knobs to turn. Comparing FortiGate to FMC, a lot of the capabilities of FortiGate are still at the CLI level only. Palo Alto is 100 percent UI-based, not that you can't configure a Palo Alto from CLI, but I don't think anybody does that.

My advice is that you need to know your flows. If you're upgrading to Firepower, you should know what traffic matters and what traffic doesn't matter. If you really want to be successful, you should know all the flows of traffic, how they function, what they do. That way, when you get the box up and running, you know exactly how it should operate.

You can split Firepower users into two buckets: help desk and admin. Help desk will usually be read-only and admin will be read-write. If there's one engineer at a customer, he might have admin rights. If there's a help desk and one senior firewall guy, he might have admin rights where his help desk has read-only. It varies by the size of the customer. Most midsize organizations have one or two firewall guys. When you get into the big enterprises, the number goes up.

Regarding Firepower's Snort 3 IPS allowing you to maintain performance while running more rules, the "book answer" is yes, it's supposed to. We're not really running Snort 3 a ton on those yet because of some of the risk and because some of those customers haven't upgraded to 7.0 yet. Those that are on Snort 3 are just not running policy sets that are large enough that to notice any major or even minor improvements. I have seen an uptick in performance improvements with Snort 3, even on firewalls that are not 100,000-rule firewalls. We are seeing improvements with Snort 3. It's just that Snort 2 performance hasn't really affected the box overall, it just runs a little hotter.

When I mentioned the risk for Snort 3 for our larger clients, what I meant is that with new things come new risks. Snort 3 is one of those new things and we have to evaluate, when we upgrade a customer to it, whether the risk of the upgrade warrants doing it for the customer. In some cases, the answer is no, because of burn-in time. With some of our riskier locations or locations that require 24/7, it makes more sense to run Snort 2, which has been out there since forever on the Firepower platform. It's a lot more stable on Snort 2 and the problems are known problems, from a design perspective. We've mitigated those and worked around them. With Snort 3, there could be new bugs or problems, and in some environments, we want to mitigate that risk.

My expectation is that by 7.1 or 7.2 we will upgrade more generally to Snort 3. It's not that it's far away. It's just that with 7.0 being the first release of Snort 3, and 7.0 only having one or two patches under its belt, we thought it better to remove some risk and just use Snort 2.

Cisco Secure Firewall helps to reduce firewall operational costs, depending on the firewall vendor it's replacing. In some cases, customers are coming from old platforms where the security wasn't nearly at the same level as a next-gen firewall, so the advantage of moving to a next-gen firewall is the increase in security. But that comes with an operational burden no matter the firewall type. There is a lot more visibility and capability out of the NGFW platform, but it comes at a cost. There's more data to work through and more things to configure. Still, in most cases, Cisco Secure Firewall is going to decrease operational usage with the caveat that it has to be an "apples-to-apples" situation, which is very hard to come across these days. 

We are using Firepower for outbound/inbound traffic control and management as well as for our internal security. We are using it for LAN security and VMware network security. It is a hardware device, and it is deployed on-prem.

Our target is to make our network 100% secure from the outside and inside traffic. For that, we are using the latest versions, updates, patches, and licenses. We have security policies to enable ports only based on the requirements. Any unnecessary ports are disabled, which is as per the recommendation from Cisco. For day-to-day activity monitoring and day-to-day traffic vulnerabilities, we have monitoring tools and devices. If there is any vulnerability, we can catch it. We are constantly monitoring and checking our outside and inside traffic. These are the things that we are doing to meet our target of 100% security.

We have a number of security tools. We have the perimeter firewalls and core firewalls. For monitoring, we have many tools such as Tenable, Splunk, etc. We have Cisco Prime for monitoring internal traffic. For malware protection and IPS, we have endpoint security and firewalls. The outside to inside traffic is filtered by the perimeter firewall. After that, it goes to the core firewall, where it gets filtered. It is checked at port-level, website-level, and host-level security.

We have the endpoint security updated on all devices, and this security is managed by our antivirus server. For vulnerabilities, we have a Tenable server that is monitoring all devices. In case of any vulnerability or attacks, we get updated. We are also using Splunk as SIEM. From there, we can check the logs. If any device is attacked, we get to know the hostname or IP address. We can then check our monitoring tool and our database list. We can see how this attack happened. We have configured our network into security zones. We have zone-based security.

It integrates with other Cisco products. We use Cisco ASA and Cisco FTD, and we also use Cisco FMC for monitoring and creating policies. For internal network monitoring purposes, we use Cisco Prime. We also use Cisco ISE. For troubleshooting and monitoring, we can do a deep inspection in Cisco FMC. We can reach the host and website. We can also do web filtering and check at what time an activity happened or browsing was done. We can get information about the host, subnet, timing, source, and destination. We can easily identify these things about a threat and do reporting. We can also troubleshoot site-to-site VPN and client VPN. So, we can easily manage and troubleshoot these things.

Cisco FMC is the management tool that we use to manage our firewalls. It makes it easy to deploy the policies, identify issues, and troubleshoot them. We create policies in Cisco FMC and then deploy them to the firewall. If anything is wrong with the primary FMC, the control is switched to a secondary FMC. It is also disconnected from the firewall, and we can manage the firewall individually for the time being. There is no effect on the firewall and network traffic.

Cisco FMC saves our time in terms of management and troubleshooting. Instead of individually deploying a policy on each firewall, we can easily push a policy to as many firewalls as we want by using Cisco FMC. We just create a policy and then select the firewalls to which we want to push it. Similarly, if we want to upgrade our firewalls, instead of individually logging in to each firewall and taking a backup, we can use Cisco FMC to take a backup of all firewalls. After that, we can do the upgrade. If Cisco FMC or the firewall goes down, we can just upload the backup, and everything in the configuration will just come back. 

We can also see the health status of our network by using Cisco FMC. On one screen, we can see the whole firewall activity. We can see policies, backups, and reports. If our management asks for information about how many rules are there, how many ports are open, how many matching policies are there, and which public IP is there, we can log in to Cisco FMC to see the complete configuration. We can also generate reports.

With Cisco FMC, we can create reports on a daily, weekly, or monthly basis. We can also get information about the high utilization of our internet bandwidth by email. In Cisco FMC, we can configure the option to alert us through email or SMS. It is very easy.

It has a good security level. It is a next-generation firewall. It can protect from different types of attacks. We have enabled IPS and IDS. To make out network fully secure, we have zone-based security and subnets.

It is user-friendly with a lot of features. It has a CLI, which is helpful for troubleshooting. It also has a GUI. It is easy to work with this firewall if you have worked with any Cisco firewall.

With Cisco FMC, we can see the network's health and status. We can create a dashboard to view the network configuration, security policies, and network interfaces that are running or are up or down. We can also see network utilization and bandwidth utilization. We can see if there are any attacks from the outside network to the inside network. We can arrange the icons in the dashboard. For troubleshooting, we can also log in to the FMC CLI, and based on the source and destination, we can ping the firewall and the source. 

I have been using this solution for three to four years.

It is stable, but it also depends on whether it is properly configured or maintained. If you don't apply the proper patches recommended by Cisco, you could face a lot of issues. If the firewall is up to date in terms of patches, it works smoothly and is stable.

There are no issues in terms of the number of users. This is the main firewall for the organization. All users are behind this firewall. So, all departments and teams, such as HR, finance, application team, hardware teams, are behind this firewall. All users have to cross the firewall while accessing applications and websites. They cannot bypass the firewall. 

Their support is good. If we have an issue, we first try to resolve it at our level. If we are not able to resolve an issue, we call customer care or raise a ticket. They investigate and give us the solution. If there is a hardware issue or the device is defective, we will get that part as soon as possible. They replace that immediately. If it is not a hardware issue, they check the logs that we have submitted. Based on the investigation, they give a new patch in case of a bug. They arrange for a technical engineer to come online to guide us and provide instructions remotely. They provide immediate support. I would rate their support a nine out of 10.

We have HA/standby devices. We have almost 70 to 80 access switches, and we have 30 to 40 routers, hubs, and other monitoring tools and devices. We keep one or two devices as a standby. We have a standby for each Cisco tool. We have a standby for the core and distribution switches and firewalls. We have a standby firewall. When there is any hardware issue or other issue, the secondary firewall is used, and the workload moves to the secondary firewall. Meanwhile, we work with Cisco's support to resolve the issue.

For the past four to five years, we have only had Cisco firewalls. However, for some of the branches, we are using Palo Alto firewalls. It depends on a client's requirements, applications, security, etc.

I didn't do the implementation. We have, however, upgraded to a higher version. From the Cisco side, we get the updates or patches using which we upgrade a device and do the configuration. We register the product model and serial number, and after that, we can download a patch. We also can get help from Cisco. It is easy to migrate or upgrade for us.

We have vendor support. They are a partner of Cisco. When we buy the hardware devices, the vendor has the responsibility to do the implementation and configurations. We do coordinate with them in terms of providing the space and network details such as IP addresses, network type, subnets, etc. We also provide logical diagrams. We monitor the configuration, and after the configuration is done, we check how the network is working and performing.

We have an IT department that includes an applications group, a hardware group, and a security group. There are also Network Level 1, Level 2, and Level 3 teams. The Level 1 team only takes care of the network side. The Level 2 and Level 3 teams do almost similar work, but the Level 3 team is a bit at a higher level in IT security. The Level 2 and Level 3 teams take care of firewalls-level and security-level configuration, policy upgrade, etc. They manage all network devices. Overall, we have around 20 members in our department.

For the maintenance of Firepower, two guys are there. A Level 2 engineer takes care of policy creation and deployment for new networks. A Level 3 engineer takes care of a new firewall, upgrades, and network design and architecture.

When we purchased the firewall, we had to take the security license for IPS, malware protection, and VPN. If we are using high availability, we have to take a license for that. We also have to pay for hardware support and technical support. Its licensing is on a yearly basis.

It is a good product. It is easy to manage, but you need to have good experience and good knowledge, and you need to configure it properly.

Cisco FMC only supports Cisco products. If you have a large network with Cisco firewalls and other vendors' firewalls, such as Palo Alto, you can only manage Cisco products through Cisco FMC. Other vendors have their own management tools.

Most of the organizations nowadays are using the Cisco Firepower and Cisco ASA because of the high level of security. Cisco is known for its security. Cisco provides a lot of high-security firewalls such as Cisco ASA, Cisco FTD, Cisco Firepower. Cisco ASA 8500 came out first, and after that, new models such as Cisco FTD came. 

I would rate Cisco Firepower NGFW Firewall a nine out of 10. It is excellent in terms of features, ability, and security. Whoever gets to work on Cisco Firepower, as well as Cisco ASA, will get good experience and understanding of security and will be able to work on other firewalls.

One of the things that we have solved the most with this solution is the P2P connection that we have with different clients. It gives us greater connection security with good management of the configured rules. 

Likewise, it has made it easier for us to have this type of equipment under monitoring, and, since we have implemented them, we have not been presented with any performance problems in the equipment as they have not presented CPU or RAM saturation or that for some reason it fails without any cause. We all have them managed and monitored. We always receive an email notifying us if there's something that the equipment has detected as well.

The ASA firewalls have undoubtedly helped us to improve our infrastructure throughout the corporation and currently we have just over 50 firewalls - all of them in different parts of Mexico. 

This infrastructure has been improved since, in our corporation, we handle the dynamic EIGRP protocol, which Cisco owns, and this solution has given us a geo-redundancy in our company. In case of presenting a problem with a firewall or a link, it performs an immediate convergence where end-users do not detect a failure, helping us to maintain a 99.99% operational level at all times.

I am very happy to use this type of Cisco equipment in my infrastructure. It has given us the most value is the management of dynamic routing, in this case, EIGRP. This protocol, together with a series of additional configurations, has helped us to maintain an automatic redundancy in all our infrastructure, keeping us with very high numbers of operability and without failures that take more than 1 minute or that have not been resolved automatically. With this solution, we only speak with our suppliers either for a link or equipment report, and even if the box or circuit is out of operation, the operation continues to work without problems.

Today, ASA firewalls are leaving the market and are being replaced by firepower equipment - a technology with which I am not very familiar. However, in the training or research, I have done on this new product, I see that it has many additional tools such as centralization of the administration through a single team (in the case the firepower management). It is something that we do not have, yet we are already considering it since this type of technology will help us to have better management and better administration of the equipment through a single platform. The management of additional services with this new module will certainly help us to have the internet network much more secure with connections to the outside.

I've used the solution for more than seven years.

The solution is great in terms of stability.

The scalability is great.

Technical support is great.

We previously used Fortigate.

The initial setup was not complex.

We handled the implementation in-house. 

We've seen an 80% ROI.

Cisco is not cheap, however, it is worth investing in these technologies.

We always evaluate various other options.

We are using it as a firewall for our data center and headquarter. We are also using it for DR. We are using Cisco ASA 5500 Series.

It is a security device, and it is useful for securing our environment. It provides role-based access and other features and helps us in easily securing our environment.

It provides visibility. It has been helpful for packet inspection and logging activities for all kinds of packets, such as routing packets, denied packets, and permitted packets. All these activities are visible on Cisco ASA. There are different commands for logging and visibility.

We use Cisco ASA for the integration of the network. Our company is a financial company, and we are integrating different organizations and banks by using Cisco ASA. We are using role-based access. Any integration, any access, or any configuration is role-based. 

The remote access, VPN, and ACL features are valuable. We are using role-based access for individuals.

IPS is also valuable for intrusion detection and prevention. It is a paid module that can be added. I'm using it for security, VLAN management, segregation management, and so on.

It is easy to use. In our region and our country, Cisco is well known, and most of the companies are using Cisco products. We have been using Cisco devices for a while, and our company primarily has Cisco devices. So, we are familiar with it, which makes it very easy to use for us. Even when we compare it with other products, it is easier to use.

It is easy for us to manage it because it is a familiar product, and it has been a part of our environment. Now, other products are providing free training, free access, and free license, because of which things are changing. So, you can easily become familiar with other products.

Its licensing cost and payment model can be improved. Cisco doesn't provide training and certification for engineers without payments. Other companies, such as Huawei, provide the training for free. Their subscription and licenses are also free and flexible. Other products are breaking the market by providing such features. 

It doesn't support all standard interfaces. It is also not suitable for big companies with high bandwidth traffic. Its capacity should be improved.

Other products are becoming easier to access and configure. They are providing UI interfaces to configure, take backup, synchronize redundant machines, and so on. It is very easy to take backup and upgrade the images in those products. Cisco ASA should have such features. If one redundant machine is getting upgraded, the technology and support should be there to upgrade other redundant machines. In a single window, we should be able to do more in terms of backups, restores, and upgrades.

We have been using this solution for almost eight years.

It is stable. It needs to be configured based on the standards and functionality. We have one device that has been working for more than 10 years, which indicates it is stable, but it requires licenses to upgrade features.

It doesn't have an expansion card. So, it may not scalable for huge buildings. It also lacks a lot of standard interfaces. Other products are providing capacity for a data center. Other technologies are expanding their interface bandwidth from 10 gigs. In my opinion, Cisco ASA doesn't have this capability.

Their support is very good. We have a support license, so their support is very good. They are tracing us and following up with us to solve the problem on time.

Its setup is easy. We are familiar with Cisco ASA and other Cisco products, and they are easy to configure. A lot of resources are available on the internet, so it is easy to set up for anyone with basic training. It is easy in different types of environments, such as universities and colleges.

It generally doesn't take more than a day, but it also depends on the size of the organization. If an organization is very big and if you need a line-by-line configuration for access role and VPN, it can take a bit more time.

Cisco is constantly upgrading and providing features based on current requests. We usually plan deployments at the end of the year and at the beginning of the year. Everyone plans for new products, new configurations, and new expansions based on that.

Any security product provides a return on investment. Any gap in security may cost an organization more.

It is expensive. There is a cost for everything. There is per year license cost and support cost. There is also a cost for any training, any application, and any resource. Things are very costly to do with Cisco.

Other brands are cheaper. They are also more flexible in terms of training, subscription, and licensing. They give lots and lots of years free. They provide more than Cisco.

I would advise understanding its features, advantages, and disadvantages as compared to other solutions. It is simple, but its cost is a negative point. 

I would rate Cisco ASA Firewall an eight out of 10.

It's hard to judge how much time it saves our organization because it's doing things you don't realize. For example, when it's blocking web advertisements, when it's blocking phishing, when it's blocking geolocation, the time it saves is because of the things you might have had to deal with that, now, you don't. Any time we have some kind of internet-related event, it's definitely going to take us hours worth of time. We have to do an investigation, we have to report on it, we have to write something up. By protecting our environment it probably saves our security analysts a fair number of hours during the week.

It's the brick wall that keeps us from the bad guys. It does a lot of things. In the beginning when you just have a firewall, of course, it's your NAT and it's your Access Control List. It's the thing that allows traffic in and out. There is some routing involved in that too. But once you add Firepower onto to it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering.

We used to do some web filtering on the Firepower but we moved into Umbrella once we started. We do use Firepower for one piece of web filtering because Umbrella has yet to provide it: advertisement blocking. We don't allow our end-users to go into advertisements. If they're going to go to a site, they have to know what the site is, not just try to hit some kind of Google ad to get to it because those can be dangerous.

In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth. It's definitely usable, though. You can get a lot of good information out of it.

It's hard to stay on the bleeding edge on firewalls because you have to be careful with how they integrate with Firepower. If you update one you have to update the other. They definitely have some documentation that says if you're at this version you can go to this version of Firepower, but you need to be careful with that.

We've been using Firepower for two to three years.

It's pretty stable. There are times where I'll get an email saying a process has stopped. But a few seconds later, they'll say it restarted it on its own. It's hardy enough that if it is having problems, it's bringing things back up. For the most part, it's been very reliable.

It's been really good. And even so, if I've had to reboot the actual appliance, I'll bring it back up and it's good to go.

We haven't hit that issue of scalability. We have increased the amount of traffic through it and it's handled it, but I think that's also a product of the ASA as well. If the ASA is going to choke, Firepower is going to choke as well.

We're going to be bringing in two new firewalls, as early as the fourth quarter or first quarter of 2020, and those are going to be pure FTD appliances. We'll probably be using those a little bit more extensively. I don't think we're going to be using the SSL portion, but we'll probably have the IDS/IPS, and we'll probably have the AMP turned on. That's because with the endpoints, we're not sure if we're going to be able to install an antivirus, so we can at least watch that. We'll probably use most of the suite on it.

I've always liked Cisco support. We're a pretty big Cisco shop, so you're not going to hear a lot of complaints from me about support. And not only that, but if I do have a problem with Cisco support, we get ahold of somebody - our customer-success people and the salespeople from Cisco who are focused on our organization - and we get help. It's very good.

Sometimes, I'll have to contact the first tier of tech support. I'll still open up a case. But in case that, for whatever reason, is not going to our satisfaction, at least we have a chain of command we can go through and talk to some different people. We might get it escalated if we're just not getting something fixed on time. But Cisco has very top-notch support.

We've been with Cisco and haven't had anything else yet. We haven't had a desire to move in a different direction. We've stayed with it because of how good it is.

We were initially introduced to Firepower by a consultant. At that time, it was for the web filtering because the web filtering we had was awful. We were using Sophos. Without getting too derogatory, it was just awful. There was no alerting and it was very hard to manage, whereas this is really easy to manage. With Cisco, it was very easy to set up content groups, to allow some users to get to some stuff and other users to not get to it. That's where it really started. There weren't any pros to Sophos that weren't in Firepower. We got rid of Sophos.

Our organization is a big believer in training, So I attended a five-day class on this. From that, I was able to set it up pretty easily.

We have a virtual appliance. Once it actually installs and we set IPs and got some of the base set up, it was done within about a day. But the time it takes will depend. We're not an organization that has 10,000 users. We're probably a medium enterprise, of about 400+ users, rather than a large enterprise, so our ruleset is comparatively small. As a result, it didn't take me as long as it might for some, a total of two or three days, and that's even with fine-tuning. But because we're still using the ASA and the ASDM, we still have those rules in the firewall. We're not really at the FTD point where all the rules are in there. If we were, to migrate it would probably take some time.

For me, it was relatively simple because of the valuable training I had. There are some good resources online, don't get me wrong. It was just nice to be able to do something hands-on at a place, in training, and then come back and be able to do it.

The neat thing is that the gentleman who taught us, instead of just teaching us the material from a book or even, "This is how you can pass the Firepower test," taught us how he would go into a Fortune 100 and set up an organization. I had almost a step-by-step lesson on how to keep going through the configurations to get to a finished product.

With a firewall, you're always coming back to it to tweak it a little bit. You might find, "Oh, I'm not getting the logging a lot," or, "Oh boy, this rule is doing this, but maybe I want to tighten it down a little bit more." But to get the base configuration, to get the objects in, it takes about a couple of days. At that point, you can at least have traffic going through it. You may not be blocking anything, but you can be monitoring things.

It was just me.

The return on investment would be the fact that I'm just not spending a lot of time either searching for things or trying to stop what's coming in and out of our network. The return on investment is the time I would have to spend during the day looking at things versus it proactively doing its job.

We're going to get to a point, not this year and not the coming year, probably going into 2021, where we're going to want to replace the ASA appliances with either virtuals or actual physicals. But the Firepower series of appliances is not cheap.

I just got a quote recently for six firewalls that was in the range of over half-a-million dollars. That's what could push us to look to other vendors, if the price tag is just so up there. I'm using these words "fictitiously," but if it's going to be outlandish, as a customer, we would have to do our due diligence and look at other solutions at that point.

In addition to that cost, there are licensing fees for some of the individual things like AMP, the IPS/IDS piece. It depends on what you want to use, such as the SSL piece and the VPN piece, which we don't use.

We haven't evaluated any other options. The only thing that may ever force us in that direction would be cost. Only if the cost of the solution got so large would we have to look at something comparable.

The neat part about this is how Cisco continues to evolve its product line and help us stay secure, while still doing our day-to-day business.

My advice would depend on how you want to use it. What are you looking for Firepower to do?

Firepower added features that, until we introduced into our environment, we could not have done. We probably could have added a third-party product but we would hate to keep doing all that. It's nice to be able to have our products from the same organization because then, if something's really wrong, we can talk to the same organization as we're trying to troubleshoot something through our environment. We use Cisco switches, Cisco routers, we use ISE, and Umbrella. We have a lot of products through Cisco.

We use the ACLs. We use the intrusion side, just to watch traffic. We have used the malware and have actually caught stuff in there. We do have a DNS policy so that at least we can check to make sure someone's not going to a bogus site; things can get blocked for that, but Umbrella is really good at what it does. We also have it connected to our Active Directory so I can see which users are going where, and that is valuable. But I can also see that in Umbrella, so there's some overlap.

For managing the solution it's me and at least one other person. I'm the primary resource on it.

We used to use AMP for endpoints through the Firepower but we decided to discontinue that. We have AMP on all our endpoints but with all the other things we have, such as Umbrella, we were satisfied enough with the security we have. We didn't want two different things possibly stopping files instead of having one console area to be able to see those kinds of things.

Overall, I would rate Firepower at eight out of ten. Every product can improve. But for what we're looking to do, it does a very good job.

The primary use case is to protect our departments. We have sub-departments or sites categorized by the number of users and types of applications. We categorize the latter in terms of small, medium, or large. Based on that, we select a firewall in terms of throughput and the number of concurrent sessions it can handle. We then deploy the firewall with a predefined set of rules which we require for inbound and outbound traffic.

We are in operations delivery and we need to support multiple clients. We have different departments where our primary responsibility is to protect our organization's assets and data and to store them in a centralized data center. Apart from that, we have responsibility to support our clients in terms of infrastructure.

All the devices are on-premise. Nothing is on the cloud or is virtualized.

One of the most valuable features in the current version is the dashboard where we have a complete analytical view of the traffic behavior. We can immediately find anomalies. 

The most important point is the detection engine which is now part of the next-generation firewalls and which is supported by Cisco Talos.

Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.

The product's stability is perfect. From my observation, the mean time to failure is once in seven years or eight years. All the hardware in the device is quite stable. I haven't seen any crashing of the operating system.

Scaling is quite easy. 

On a scale of one to ten, I would evaluate Cisco support as a ten. I get support in a fraction of time. There is no problem in getting support.

Since I have worked in this organization, Cisco has been the primary product that has been deployed.

The initial setup is quite straightforward. It's quite simple, without any complexities. Whenever we find any issue during the primary phase, we reach out to the Cisco technical support team for assistance and within a short period of time we get support from them.

The most recent deployment we did took about three weeks.

In terms of deployment plan, we go with a pre-production consultation. We create a virtual model, taking into account all the rules, all the cabling, and how it should work in the environment. Once everything on the checklist and the prerequisites are in place, then we migrate the existing devices into production.

As consultants, most of the time we deploy ASA by ourselves. If there is any complexity or issue, we get in touch with a system integrator or we open a ticket with the technical support team.

There would definitely be return on investment by going with Cisco products. They are stable.

For any organization looking for a secure solution that can be deployed in their domain or infrastructure, my advice is to go with Cisco Next-Generation Firewalls because they have a complete bundle of security features. There is a single pane of glass with complete management capabilities and analytic features to understand and gather information about the traffic.

The lessons that most of our clients have learned is that in deployment it is easy to configure and it is easy to manage. It's quite stable and they do not get into difficulties in terms of day-to-day operations. 

We haven't faced any problems with this product.

Compared to other OEMs, such as Juniper and Fortinet, Cisco's product is excellent. There are no bugs and I don't see any lack in terms of backend and technical support. In my opinion, at the moment, there is no room for product enhancement.

Most of the users are system administrators working on their own domains. The minimum number of users among our clients is a team of 15 to 20 we have clients with up to 700 users at the largest site.

The product is quite extensively used in each department, to protect assets and data centers. We are using the attack prevention engine and URL filtering is also used at most of our sites. We are also using it for data center connectivity and for offloading transactions.

I would rate Cisco at ten out of ten for the functionality and the features they provide.

The most valuable features are the IPS and Botnet software modules. These security features, working in tandem, truly provide a peace-of-mind against all levels of cyber-attacks.

Since the 5512-x is software license based, there is no need to purchase additional hardware to enable much needed features.

Since most features are license based and some licenses are time-based, there should be a way for the device to alert via SNMP that licenses are about to expire. Also, I would like to be able to use both the IPS and CX modules simultaneously, instead of one or the other.

I have been using the 5512-x for almost one year now.

Deployment of the 5512-x is very simple. The main issue I found was in deploying the firewall using the "new" style of configuring NAT statements.

I have not encountered any stability issues with the IOS version or the IPS version. I am currently running IOS 9.3.2 and IPS version 7.3(2)E4.

The 5512-x with a BASE license does not have many options for scalability. However, the Security Plus option allows multiple contexts and ACTIVE/ACTIVE fail-over options. I currently do not use those features, but I can definitely see the need for both of these options.

Cisco customer services have always been excellent. I have never had any issues with them.

Cisco TAC is always hit-or-miss. You either get a guru or a newbie, and there is nothing in between.

The previous firewall was a Cisco SA520W. This device was great as it was a firewall, IPS and WLC all in one. I switched due to this device being EOL/EOS. Also, the main complaint about this device was that with the IPS enabled all traffic was slowed to a crawl. I would rate the SA520W as 3/10.

The SA520W was a simple setup. There is no CLI option; it is all done within a straightforward GUI.

All solutions are designed, configured, and maintained by me.

The ROI on the SA520W is 0. As this device is EOL/EOS.

The original setup cost of the SA520W was approx. US$500. The setup for the 5512-x was approx. US$3000. For the 5512-x, additional costs were endured for the IPS and Botnet licenses approx. an additional US$1000/year. As for day-to-day costs, the 5512-x self-updates the security modules, so there is little interaction that I need to perform.

I was considering going to the ISA550W (the replacement for the SA520W) or a 5505. I ultimately went with the 5512-x due to its speed and software licensing model.

The next-gen firewalls are a great solution. Be aware of the additional hardware costs (120GB SSD) that are needed to implement some features like the CX module. Also, if you do not need ACTIVE/ACTIVE fail-over there is no real need for the Security plus license. And finally, understand the true speed of the model you choose with and without the IPS module enabled before making a final decision.