Cisco Secure Firewall Reviews

We use them for site-to-site VPN solutions as well as other VPN activities, and for general application security.

We needed a good VPN solution and, as our network grew, we had more applications that were virtualized and that can be spun up. We needed a solution that would keep us ahead.

Cisco ASA provides great security for our applications.

One of the best features is the ease of use. It's also easy to teach new engineers to use the ASA CLI. When I first started learning firewalls, Cisco was the first one that was taught to me and it was pretty easy to grasp. When I'm teaching other engineers to use Cisco ASAs, the results of their learning are immediate.

It needs to provide the next-generation firewall features that other vendors provide, like data analytics, telemetry, and deep packet inspection.

Also, the ASAs need to be improved a little bit to keep up with the demand for high bandwidth and session count applications.

I've been using Cisco ASAs for about 11 years.

It's reliable. It doesn't have all the features of some of the newer firewalls, but it's very reliable. It doesn't break. It's pretty rock-solid.

We have at least a pair in every one of our data centers. We gateway our applications around the firewall system, meaning all application data goes through firewalls.

We have good support from Cisco for the ASAs. That helps us out a lot. Some of our ASAs are pretty old and technically not supported anymore, but TAC always helps us out.

The initial one, for me, was a little bit complex because I hadn't done it before. It was inline and an active/standby pair, so it involved a little bit more than just deploying one firewall. 

We had some documentation written and we tested it in the lab and then the deployment took about four hours.

We deployed it alongside different solutions and then we cut over to it when it wouldn't impact the customers.

The maintenance involves doing code upgrades periodically to keep up with the security environment requirements. One person handles that.

We deployed with a consultant from Cisco support. Our experience with them was good. They provided a lot of documentation ahead of time to help us with our configuration.

From our side there were two people involved. One was doing the configuration and the other person was checking to make sure there were no errors, looking at IPs and the like.

The licensing is straightforward and simple, so we don't have to keep relicensing every year as we do with other applications.

We use Juniper as well.

We use Cisco IronPort, Firepower, Secure Firewall, Email, and Secure Connect.

As with most products, integration could be better where needed. Sometimes, for example, the Cisco Secure Firewall and IronPort are in a class of their own. When it comes to management and logging, there's room for improvement.

Most of the products aren't configured on their own, but they are related together. There should be some sort of management. We would need a supervisor to manage it before using all of the solutions together.

They address services that belong together. For example, the Secure Client provides remote access. Authentication and multiple-factor authentication are two different products that belong together. There should be a link between both products and between both management interfaces to see, for example, troubleshooting or reporting so that you have both sources together.

It would be great to have all the data correlated to have an overview and one point of administration. 

The grouping of the solutions helps save time. If you have a problem and you have a high-level overview of the system, you can easily dig deeper into the problem. For example, I can check to see why ASA isn't working but the reason for the outage is actually because of Duo. I can spend a lot of time working in the wrong direction because I didn't have an overview.

IronPort stuff looks at first a little bit outdated. It's not a fancy-colored view, but it does its job and is extremely helpful. Debugging on this platform is very easy. 

Firepower's implementation and reliability need room for improvement. 

We address our problems with the relevant people. Some of the quality of their support has dropped. If your problem gets escalated, there are many skilled people who are absolute pleasures to work with. They are brilliant at what they do. 

If you talk to someone who solves the problem within five minutes you can't do any better. But on the other hand, the other end of the range needs improvement.

You can have a case that lasts 15 months in which you have to talk to 20 people to resolve. 

Neutral

The complexity of the installation depends. It's not so easy to install. Each topic needs one management interface. So you end up with 20 to 40 different management platforms. All of them use a tremendous amount of resources. If you're willing to install it, you need a huge pile of hardware. It is not clear what everything does. Some consolidation there would be helpful. Other vendors face the same problem.

We have seen ROI from using Cisco.

I chose Cisco because I've been working with them for 23 years. I choose it for its stability and because they have the right range of products. Most of our IT staff is happy with it.

I would rate it a nine out of ten. 

We started using this solution due to challenges with throughput. We needed devices with more quantity of throughput and bandwidth. We use this solution in different locations and different departments and we have around 2000 internal customers.

Cyber security resilience is really important for our organization. It is necessary for all the points for interconnections between LAN networks and WAN networks as we receive daily attacks.

The IP filter configuration for specific political and Static NAT has been most valuable.

The access layer of this solution could be improved in terms of the way the devices interconnect with our network. We need to be able to analyze the traffic between the different interconnections in these areas.

In a future release, we would like to have an IP analyzer to try to identify the specific comportment of the customers.

I have been using this solution for seven years. 

This is a very stable solution. 

This solution would need an adjustment to be scalable. 

Our engineers usually fix the issues we have, depending on the issue. When we reached out to the technical support team, they were attentive and helped us. 

We previously used Palo Alto, Fortinet, and Cisco Firepower. We switched because Cisco is more stable and offers easy deployment for the platform.

This solution requires regular maintenance and I have 10 engineers that manage it.

I would rate this solution a nine out of ten because it is a good product that is more stable than others on the market. 

Typically, we use them on the internet edge for protecting customer networks from the internet. It's a delimiter between the local area network and the wider internet. Other use cases include securing data centers or protecting certain areas within a network. It's not particularly internet-based, but it gives you that added layer of security between networks or between VLANs and your network, rather than using a Layer 3 switch.

Ultimately, it's about securing data. Data is like your crown jewels and you need to be able to secure it from different user groups. Obviously, you need to protect your data from the internet and that's why we generally deploy Cisco ASAs.

The usability, with the GUI front end, certainly helps and it means you don't have to be a command-line person. We have to get away from that now because if you put the typical IT admin in front of a CLI they might struggle. Having something graphical, where they can click in logs to see what's going through the firewall— what's been denied, what's being allowed—very quickly, helps to get to a diagnosis or know something has been blocked. And when it comes to making changes within the environment, that can be done very quickly as well. I've seen something be blocked within a couple of minutes, and any IT admin can make a change through the GUI.

One of the most valuable features is the GUI front end, which is very easy to use. But I'm also a command-line guy, and being able to access the device via command-line for advanced troubleshooting is quite important.

One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes. 

To have that kind of feature, it's more than likely there would need to be some kind of storage on the device, but those boxes were designed a number of years ago now. They weren't really designed to have that built-in. Having said that, if you do reflash into the FTD image, and you've got the Firepower Management Center to control those devices, then all that logging is kept within the Firepower Management Center.

I've been using Cisco ASA Firewalls since they came out. Before ASA, I used Cisco PIX Firewalls. I've been using them since about 1999 or 2000.

I'm involved in the presale events as well as the implementation and post-sale support. We do everything. That is probably different from a lot of organizations. We are quite a small company, so we have to be involved at all levels. I see it from all angles.

One of the reasons I've stuck with Cisco all these years is that you always get excellent support. If a network goes down due to major issues, I know I can raise a case with TAC and get through to subject matter experts very quickly.

Obviously, you need a SMARTnet contract. That means if a device has completely failed, you can get a box replaced according to the SLAs of that contract. That's very important for customers because if you have an internet edge failure and you just have a single device, you want to know that the replacement box is going to be onsite within four hours.

When a network goes down, you're going to know about it. You want to be safe in the knowledge that someone is going to be there for you and have your back. Cisco do have your back on those kinds of things.

Cisco support is a major selling point.

Positive

In terms of deployment, a lot of organizations are moving to the cloud. People are looking at the ASAv image for deploying into the public cloud on Azure or AWS. But there are still a lot of organizations that use ASAs as their internet edge.

The on-prem and the cloud-based deployments are very similar. When you're designing a solution, you need to look at the customer's business requirements and what business outcomes they actually want from a solution. From there, you develop architecture. Then it's a matter of selecting the right kinds of kits to go into the architecture to deliver those business outcomes. We talk to customers to understand what they want and what they're trying to achieve, and we'll then develop a solution to hopefully exceed their requirements. 

Once we've gotten that far, we're down to creating a low-level design and fitting the components that we're going to deploy into that design, including the ASA firewalls and the switches, et cetera. We then deploy it for the customer.

Your investments are protected because of the innovations over time and the fact that you're able to migrate to the latest and greatest technology, through Cisco. 

There are also a lot of Cisco ASA skills out there in the marketplace, so if you have ASAs deployed and you get a new employee, it's more than likely they have had experience with ASAs and that means you're not having to retrain people.

We do deploy other manufacturers' equipment as well, but if I were to deploy a solution with firewalling, my number-one choice would probably be Cisco ASA or the FTD image or Cisco Meraki MX.

The flexibility you have in a Cisco ASA solution is generally much greater than that of others in the marketplace. 

For any Cisco environment, we choose Cisco because it comes down to support. If the network is Cisco, then you have one throat to choke. If there is a network issue, there's no way that Cisco can say, "It's the HP switch you've got down in the access layer."

ASA morphed from being just a traditional firewall, when they introduced the Firepower Next-Generation Firewall side. There has also been progress because you can reflash your old ASAs and turn them into an FTD (Firepower Threat Defense) solution. So you've got everything from your traditional ASA to an ASA with Firepower.

Cisco ASA has been improved over time, from what it was originally to what it is now. Your investments are being protected by Cisco because it has moved from a traditional firewall through to being a next-gen firewall. I'm a fan of ASA.

I think ASAs are coming towards the end of their lifespan and will be replaced by the FTDs. It's only a matter of time. But there are still a lot of Cisco customers who use ASAs, so migrating that same level of knowledge those customers have of the ASA platform across to the FPR/FTD image, will be a challenge and will require investment.

The primary use is as edge firewalls to the Internet.

We are only on-premise. There is still no cloud plan.

It provides visibility and information to the organization about what is being accessed on the Internet as well as the applications that it is protecting.

It is part of our security strategy.

• Anti-malware protection
• Web Filtering
• VPN Remote-Access

The most valuable feature is the anti-malware protection. It protects the endpoints on my network.

We use the application visibility and control feature of Cisco firewalls.

The ease of use needs improvement. It is complex to operate the solution. The user interface is not friendly.

I have been using it for eight to 10 years.

We have 200 users using this solution.

The technical support is good, but it could be better. I would rate them as six out of 10.

Neutral

The setup is not too complex. We implemented it on all our ports.

We have five people on our cybersecurity team.

The solution's ability to provide visibility into threats is fine, but the Fortinet and Check Point solutions have better dashboards and information about visibility.

We are also using Cisco AnyConnect, Umbrella (as a cloud proxy), and ISE. We have between five or six antivirus, proxy, anti-malware, data loss prevention, VPN client, and firewall tools.

I would rate this Cisco product as six out of 10.

Our primary use case is as a firewall and using it for web filtering. We use IPsec VPN services on it, as well as the router.

I have been using the product for only a few months, but the company has been using it for a couple of years.

The use of it has really bogged down our response time for certain problems, given we have to go through AT&T for everything. I don't think really highly of it, though.

The IPsec VPN and web filtering.

I would like the ability to pick and choose different features of it to run in a packaged infrastructure or modules, therefore I would like to have more customizability over it. 

It seems very clunky and slow. I would like to be able to tune it to be a more efficient product.

It has generally been okay in terms of stability. We haven't had it go down, but we do have some interruptions. I don't know if it is the ISP or the firewall. We have more frequent network disruptions, and other branches call in telling us that they are unable to use their services to do their job. Unfortunately, we can't really do anything about it. It just clears up in about five or six minutes. In terms of stability, I would give it a seven and a half out of 10.

I don't see it being very scalable. I don't have access to the actual interface on it. However, it is an older product, so it probably doesn't have high availability features. So, it's scalability is probably limited. I know that we kind of put it through the ringer with our fewer than a hundred connections into it.

AT&T handles our technical support, since it's leased through them.

I was not involved with the initial setup.

We pay a lot of money for it.

For big organizations who are used to throwing around a lot of money for absolutely surety, this would probably be a good fit for them. For the average SME, this particular firewall system, as well as Cisco in general, this product would not be a good fit for them.

We are currently looking at WatchGuard, pfSense, and Fortinet FortiGate. Netgate would provide the hardware.

We have still got nine months left on our contract with AT&T before we can actually do anything. We are just trying to do as much research and ask as many questions as we can before we get to that point.

We just don't have a lot of the control or customizability that we would like to have over the system. A lot of this has to do with how AT&T is handling the access to it. Also, the hardware is outdated. We would like to go with a product in which everything is very transparent, clear, organized, all in the same place, and we can monitor clearly. The reason that we are looking to change is price: We pay a lot for it. If we had more control over it, we would be better able to control the quality and performance of the network and services, as well as the budget.

The most important criteria when selecting a vendor:

• IPsec VPN
• Good stable connection
• Failover support: We need to have dual-WAN, so we can get two WAN connections in there and have failover. 
• Load balancing would be good, especially for those rough patches. 
• Internal web filtering and blocking: We need to be able to control what our end users are looking at.
• Monitoring: As much monitoring as we can get.
  

Cisco Secure Firewall is a next-generation firewall that can be used for various security applications. 

The advantage of using Cisco is its integration within the Cisco fabric, which allows for effective threat detection and mitigation.

Cisco could improve its score by developing more features that integrate seamlessly with various applications and investing in hardware acceleration to enhance performance.

The product is stable with minimal glitches or latency issues.

The solution is easy to install, requiring minimal expertise. Deployment time varies, but it can take about two days for a medium-sized company with 200-300 users to configure and install.

After five years of product usage, the high return on investment and low total cost of ownership can be observed.

Pricing depends on partnerships and certifications. The engineering team's certifications can qualify it for seven to eight percent discounts.

The platform's integration capabilities depend on the project context. In some cases, integrating Palo Alto may provide better performance, but Cisco can still be effective.

However, its classification in industry comparisons, such as those from Gartner, is lower than that of competitors like FortiGate and Palo Alto.

Overall, I rate it seven out of ten. 

Cisco Secure Firewall has impacted our cybersecurity cost efficiency.

The important features are IPS intrusion prevention, anti-malware, and anti-spam.

Cisco firewall needs experience with hardware. They should also enhance security antivirus, application detection, user detection, and ID detection. 

I have been using Cisco Secure Firewall for three years.

300 users are using this solution.

The support is good.

Positive

The initial setup is easy, but it takes some time to push the configurations. Also, it's a little complicated and not friendly to use. It is good only for IT and experienced people. 

The deployment took two months and a team of two to three people.

The pricing is average.

I recommend the solution to medium and enterprise customers since it is expensive. 

Overall, I rate the solution an eight out of ten.