Cisco Secure Firewall Reviews

We use it for VPN access for our two-factor authentication. We were looking to get access through AnyConnect, to gain access to devices behind boundaries and firewalls.

It has improved things greatly by giving us easier and better access, easier configuration, and allowing users to gain the access they need. We have also had less downtime using these firewalls.

AnyConnect has been very helpful, along with the ability to use LDAP for authentication. It's very robust and we are able to do many different things that we were looking to do.

The ASAs are being replaced with the new Firepowers and they have a different type of structure in the configuration to be able to migrate from one to the other.

I have been using Cisco ASA Firewalls for 20 years.

The stability is very good. It has been a very stable environment. Since the new AnyConnect came out, it's been very easy to use and very much self-sufficient.

You can vary scalability from very few users to thousands of users.

Technical support has been very helpful at times, helping us to know what bugs and what things are getting fixed in the next releases.

Positive

As an architecture team, we had a pretty good idea of what we wanted to do and how we wanted to do it, so it was pretty straightforward and easy. We have each one across many different avenues and many different boundaries, so each one took about a day to deploy.

We needed two to three people to deploy them and another one to go over some things to make sure everything was good to go.

There is routine maintenance, keeping it up to date and making sure the licensing versions are all good to go. We have a four-man team for maintenance and they work a regular shift of eight hours.

We used a reseller, FedData. Our experience with them was good.

It took us about six months to see benefits from our ASA Firewalls. We've seen return on our investment in terms of the timeframe of downtime, and the ability to get users connected faster and more easily has been a big benefit.

The pricing of the products isn't terrible. They're not too expensive. They're a little more expensive than other products, but you are getting the name, the company, and the support.

It's also nice that you can buy different avenues of licensing, depending on how you want to go about using them.

We buy a support license to get support if we have any issues or problems or need help on how we want to implement things.

We evaluated other options, but that was a long time ago. We went with Cisco because it is so robust as well as because they have been able to integrate their solutions into many different architectures. That makes their products easier to use.

Each use case is different and things depend upon your cost analysis and how much you need. We have these firewalls in different avenues over about 30 different sites.

The biggest lesson from using the solution is being agile which has included learning to understand how to use the ASDM and figuring out how to configure everything—the little nuances—and what can and can't be done on the CLI.

These firewalls, along with the upcoming Firepower that they're being replaced by, are going to be very good assets for two-factor authentication and VPN access.

We mainly use it for site-to-site VPNs, connecting to other businesses. I work in manufacturing and hospitals.

We connect to remote networks: manufacturing-to-businesses and hospital-to-hospital.

It was deployed in our data center across multiple sites. At the hospital where I last worked, it was deployed at 18 sites, then we did VPNs between our hospital and clinics.

We don't have to worry about when something goes down. Instead of saying, "Oh my gosh, this went down and now we have a gap here," it has automatic failovers and built-in redundancy. So, it says, "I don't have a gap anymore." This is one less thing to worry about, which was a big benefit for me. If our security group comes back, and says, "Hey, this is down." Then, it is like, "Yeah, we got it covered."

Our security groups are always very adamant that things stay up. If something went down, they say, "Why did it go down? How do we prevent it?" Since resiliency is already built-in on its initial design, we don't have to go back in every time, and say, "Here, this is what we did. This is why it was done like this." Instead, it is just, "Yes, they blessed it, and it's approved," and we don't have to go back and keep reinventing the wheel every time.

I like the ASDM for the firewall because it is visual. With the command line, it is harder to visualize what is going on. A picture is worth a thousand words.

Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it.

I have been using this solution for more than 20 years.

I have never had any problems with stability. In the 20-plus years that I have used them, I don't think I have ever had a failure on them. They have always been rock-solid.

We haven't done much with scalability. We have always just done active standby. However, it scales once you figure out how to do it. If there are site-to-site VPNs within your own location, it is easier because there is a template, where it is, "Here, change this IP address. Change this IP address. There, it's done." 

Third-parties weren't bad. Once my side was done, then we could easily cut and paste it, and say, "Okay, here's what my side's configured for. If you have something that is not working, then you can tell me what it is and I will help you." However, we never really had anything that we couldn't fix. It was also possible to scale on the other side.

I haven't called tech support very often. When I did call them, they could tell me what the problem was. That is where I started learning, "Here are the commands that you should be using to debug this." They have been very helpful. I would rate them as nine out of 10.

Positive

I have used Palo Alto and Fortinet. We switched mainly because we were trying to unify all our products. Instead of using multiple systems, everything with the Cisco solution is end-to-end with different views of security. Some of them wanted to be diverse, keeping things separate. For others, it was easier if everything was just with one vendor. Also, if you are Cisco-centric, it is also easier.

Since I have been using this solution, I have seen it grow. When they first started doing it, it was more like, "Here's the command line. Here's what you got to do." Now, it's easier for a new engineer to come on, and say, "Okay. Here, you are going to start supporting this, and here is how you do it," which has made life easier. Since it is a repeatable thing, no matter which company you go to, it is the same. If you get somebody who is doing it on the other side of the VPN, it is a lot easier. So, I like the Cisco product. I have used several different ones, and it's like, "Well, this is the easiest one." It might be just the easiest one because I have used it long enough, but it is also a good product. It just helps us be consistent.

We did a lot of site-to-site VPNs. We also did a third-party, which is Palo Alto or something. Though, some of them were SonicWall. It is like, "Okay, I don't know how the site is configured, then I spend hours trying to troubleshoot a VPN." The more you use it, the easier it gets. It used to take days to do it. Whereas, the last one that I built took about 30 minutes. The more we use it, the better the outcome is and the faster we can do it. Now, I am not spending days building a VPN, which should only take 10 to 15 minutes.

There is ROI when you use it more.

Once you know what the product is, it is not that bad. Yes, it is expensive. When you try to get a license, it is like, "Well, I don't know which one of these I need. And, if I don't buy it now, then I will probably be back later. Now, I have to justify the money." Typically, you end up just buying everything that you don't use most of the time. It is one of those solutions where you get what you pay for. If you don't know what you need, just buy everything. We have additional licenses that we don't use.

Take your time with it. Actually, read the documentation. Don't just assume you know what stuff means since that will sometimes come back and bite you. I have done that too many times. If you go from version to version, it changes a little bit, and so it is like, "Well I don't know why it doesn't work." Then, you go read the notes, "Oh, yeah. This changed and it is done over here now."

Building more resiliency should be a priority, and it's going to take money to do that. So, you need to actually believe and invest in it. Otherwise, it's an idea. It's great, because we all want redundancy, but nobody typically wants to spend the money to do it. Or, they want to do it as cheaply as possible. It's like, "Okay, I can do that," but you're going to have more gaps. Then, it is not really worth it. Therefore, invest the money the first time and do it right.

I would rate it as nine out of 10.

We use it to segment the east and the west traffic in our data center. We also use it on the internet edge and for VPN termination.

We use its multiple versions. We use the virtual and the physical ones. We have multiple Cisco Firepower 9300, and we also have a few Cisco Firepower 4100.

It helps in protecting against threats from outside and within our data center. With the enhancement in the newest version 7.0, visibility is where we always wanted it to be. The introduction of the Unified Events feature really helps us out daily.

It enables us to implement dynamic policies for dynamic environments. With the recently added Dynamic Attributes feature, we are able to create more dynamic and fast-changing policies. In our data center, workloads tend to go up and down very quickly, and that's why dynamic policies are important. Because the workloads in our data center are fast-moving, we need to be able to change our firewall policy accordingly and quickly. That's what makes it a very important feature for us.

Snort 3 IPS allows us to maintain performance while running more rules. Our performance has
definitely increased after migrating to Snort 3. Rules are easier to implement. We also like the underlying antivirus advancements that they made with the new architecture, which increases its benefit for us.

The VPN and the login enhancements that were introduced in version 7.0 are invaluable to us. That was something that was missing before. 

Feature-wise, we mostly use IPS because it is a security requirement to protect against attacks from outside and inside. This is where IPS helps us out a bunch.

It is good in terms of the overall ease to use in managing it. Some of the things need some tuning, but overall, it is good.

The visibility for VPN is one big part. The policy administration could be improved in terms of customizations and flexibility for changing it to our needs.

I have been using this solution for about six years.

Its stability is quite good. We couldn't find any issues.

Its scalability is very good due to clustering. 

In terms of our plans to increase its usage, it has everything we need. We don't plan to add anything more because it has all that we need as of now.

Their support is not perfect. Sometimes, you get the feeling that some of the support engineers don't have a deep knowledge of the product, but there are some engineers who are able to help.

Most of our clients were on Cisco ASA.

I wouldn't call it extremely straightforward, but I wouldn't call it complex either. Its deployment took about a day.

In terms of the deployment strategy, we create our deployment plans for ourselves and our customers. The deployment plan depends on the environment.

We deploy it ourselves.

It is very hard to say because we don't measure that. It is also very difficult to measure if it has helped in reducing our firewall operational costs.

Its pricing is good and competitive. There is a maintenance cost.

It includes SecureX that makes it cost-effective as compared to the other solutions where you have to pay for XDR and SOAR capabilities.

Technically, it is a very good firewall, but some improvements need to be done on the management side. I would advise getting a consultant or someone from Cisco to help you in implementing and using this firewall to its fullest extent.

We don't use workload integration as of now. We also don't use its dynamic policy capabilities to enable tight integration with a secure workload at the application workload level. Similarly, we don't use the solution's tags for VMware, AWS, or Azure for dynamic policies implementation in the cloud.

I would rate Cisco Firepower NGFW Firewall an eight out of 10.

I am using Cisco ASA 5525 for netting, routing, and site-to-site VPN. We have two sites. I am using Cisco ASA Firewall on one site and Check Point Next-Generation Firewall on another site.

We have integrated it with Cisco Anyconnect. This feature has been very good for us during the lockdown.

Netting is one of the best features. We can modify it in different ways. Site-to-site VPN is also an awesome feature of Cisco ASA.

The biggest advantage of Cisco products is technical support. They provide the best technical support.

Cisco should work on ASDM. One of the biggest drawbacks of Cisco ASA is ASDM GUI. Cisco should improve the ASDM GUI. The configuration through ASDM is really difficult as compared to CLI. Sometimes when you are doing the configuration in ASDM, it suddenly crashes. It also crashes while pushing a policy. Cisco should really work on this.

We have been using this solution for one and a half years.

It is stable and reliable. If you are looking for security from Layer 1 to Layer 4, Cisco ASA is good, but if you are looking for Layer 7 security, deep security, and malware detection, this is not the right product. You have to use some other product.

We have more than 400 employees. We are currently not thinking of increasing its usage because we need more security, and Cisco ASA is not good for Layer 5 to Layer 7 security.

The biggest advantage of a Cisco product is technical support. They provide 24/7 support on 365 days. Their technical support is one of the best. I would rate them a ten out of ten.

Cisco ASA is very not complex. It is a very simple firewall. If you are configuring it through CLI, it is easy. If you configuring it through ASDM, it will be more difficult for a beginner engineer.

It takes around two to three days to cover all the parameters. It is very easy to deploy in an existing network, which is one of the main advantages of Cisco ASA.

We are happy with its price. Licensing is on a yearly basis for technical support. There is one license for technical support. There is another license for IP Version 2 VPN and IPS.

I considered pfSense, but when I checked the reviews, pfSense's reviews were really bad, so we purchased Cisco ASA.

I am very happy with this product in terms of netting, routing, and VPN functionalities. If you are a small organization with around 100 people and you are not thinking of Layer 7 security, deep security, and malware detection, Cisco ASA would be very useful and cost-effective for you.

I would rate Cisco ASA Firewall an eight out of ten.

We primarily use this solution for network security.

This product has increased the visibility in our network.

The most valuable feature of this solution is its ability to integrate vertically.

There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.

This is a highly stable solution.

This solution is very scalable.

Technical support for this solution is good. The response times meet our expectations and we have not had any issues.

We have always been using this same solution, but previous versions. We update them in trying to keep up with the amount of data coming through, such as more streaming.

The initial setup of this solution was straightforward. We had the proper documentation to reference.

We deployed this solution in-house.

I don't work with the numbers, but I can say that it's great for security and has improved our effectiveness at the office.

The cost of this solution is high.

We did evaluate another option, but we stayed with the Cisco solution because it's trustworthy.

This is a good product from a trustworthy vendor, but it is not perfect.

I would rate this solution an eight out of ten.

ASA5585-SSP-60 was deployed after a migration from Juniper SRX5600. The solution is used for the protection of the mobile data network. It is protecting 3G/4G Internet customers and the Private APN.

So far, we are not satisfied by the move. The precedent solution is much more adapted to the Telco environment, although Cisco recommended this platform. Cisco ASA also brought our network down several times due to a memory leakage bug, which is still not resolved.

All features provided by the platform are quite the same for all other platforms. We rather missed some features we were used to, such as virtual routers

• VPN creation with Cisco is quite difficult: Some DH groups are not supported (compared to Juniper).
• Expected to see the enablement of virtual routing, which is key in a Telco environment. We need to provide this in LAN to LAN services with shared platforms (DNS, proxies, etc.).
• Application visibility 

Yes, a memory leakage issue which literally freeze the nodes (we have an HA environment). The issue is still not solved and the only recommendation from Cisco is to reboot the node.

Yes, the throughput highlighted on the datasheet (10Gbps) should be reviewed. This throughput is only for a UDP running environment, which you will never find in the real world. Rather consider a multiprotocol throughput.

Experience with technical support was mitigated. 

Technically, they denied any issues on the node and call the memory leak issue, "A cosmetic issue." They were stating that memory disappearance reported by SNMP was an error and will have no impact on the traffic. They have reviewed this since we have recorded several blackouts during the year.

We were using Juniper SRX5600. The switch was more a strategic decision than a technical one.

We are also using a 5520 for seven years in our datacenter and we are satisfied by this version.

The initial setup was very complex. Migration from Juniper (with wide usage of VR) to Cisco is complex and you should make sure to master all the flows on the node. Also, Juniper is more permissive on asymmetric traffic, which Cisco will deny by default. 

Implementation was performed by a Cisco recommended local partner. 

We were not satisfied at all (from the pre to post implementation). Their level of expertise was zero.

I do not know.

Nothing to highlight at this level. 

We did an evaluation with Check Point.

It is definitely not for Telco.

Centralized policy creation for URL, application, IPS, etc. It simplifies matters more than previously.

It provides centralized management. I would also add that URL, Malware and IPS built-in has been a great help as well. Where we used to need several products for all these features, we now only need the ASAs with the additional licensing. So now, it is more a matter of license management over hardware and licensing management.

More centralization and simplification of product lines would help most engineers, but I think licensing is the key here. Most organizations won’t pay the money to have ELA licensing, so all the individual licenses for these products can be overwhelming. Plus, they never really synch for expiration time.

This is mainly due to reliance on other Cisco products and licensing. For example, Palo Alto includes several features in one whereas Cisco requires multiples. However, I still think Cisco offers great products but to get a "10" they might consolidate devices or simplify licensing.

I have used this for two years, but company has used Cisco solutions for many years.

We did somewhat have stability problems. Upgrading the ASA, ASDM, and SFR can be a pain if you have as many firewalls as we do (21). Once you can get them to fall under FPMC management it can be a little easier, but it is a battle to get to that point.

There have been no scalability issues from my point of view. I was handed the solution, so some of the initial work was done.

I rate support 10/10. TAC has always done a great job with answering my questions and providing remote support when needed.

Previously, I used ASAs without FirePower; and unsure what my company used prior to that.

For me, setup was half-and-half. In one update run I missed the step that discusses how the ASA and ASDM need to be on a specific patch prior to upgrading the SFR. FPMC attempted to push the new update to the devices regardless of this mismatch that caused FPMC to loose communication. I had to downgrade the SFR all the way back to v5.4.1 before I could install the latest version. You also have to step through several updates before you are done, so that can be tedious as well.

Read everything and track all your licenses. Research all options and maybe pick a few to PoC. It doesn’t hurt to trial others. Maybe they are a better fit for your environment.

We are moving forward with ELA 5.0 for all Cisco security devices. Prior to that decision, we did a PoC with Palo Alto 3020 and 220 firewalls and Panorama. Those are some great products, but we are so Cisco centric that the cost of ELA isn’t much more than we are spending now.

Do research. FPMC is great for us but it requires a lot of time and attention.

Our use for Cisco Secure is for the firewall. 

Network segmentation is the most valuable feature.

The dashboard can be improved. 

I have been using Cisco Secure Firewall for seven years. 

It is stable.

It is scalable. A thousand-plus users are using the solution in my company. 

The initial setup is straightforward. 

Pricing is high.

Overall, I rate the product an eight out of ten.