Cisco Secure Firewall Reviews

We have the Cisco 5585-X in our data center for perimeter security, internet protection, and for applications behind Cisco ASA DMZs. The challenges we wanted to address were security and segregating the internal networks and the DMZs.

Security-wise, it's given us the protection that we were looking for. Obviously, we're using an in-depth type of design, but the Cisco ASA has been critical in that stack for security.

The Packet Tracer is a really good tool. If someone calls because they're having problems, you can easily create fake traffic without having to do an extended packet capture. You can see, straight away, if there's a firewall rule allowing that traffic in the direction you're trying to troubleshoot. As a troubleshooting tool, Packet Tracer is one of the things that I like. It comes up in all my interviews. When I want to figure out if someone knows how to use the ASA, I ask them about use cases when they use the Packet Tracer.

One of the challenges we've had with the Cisco ASA is the lack of a strong controller or central management console that is dependable and reliable all the time. There was a time I was using what I think was called CMC, a Cisco product that was supposed to manage other Cisco products, although not the ASA. It wasn't very stable.

The controller is probably the biggest differentiator and why people are choosing other products. I don't see any other reason.

I've used the Cisco ASA going back to the 2014 or 2015 timeframe.

The ASA has been very stable for us. Since I deployed the ASA 5585 in our data center, we've not had to resolve anything and I don't even recall ever calling TAC for an issue. I can't complain about its stability as a product.

Our Cisco ASA deployment is an Active-Standby setup. That offers us resilience. We've never had a case where both of them have gone down. In fact, we have never even had the primary go down. We've mainly used that configuration when we're doing code upgrades or maintenance on the network so that we have full network connectivity. When we're working on the primary, we can switch over to the standby unit. That type of resiliency works well for our architecture.

TAC is good, although we've had junior engineers who were not able to figure things out or fix things but, with escalations, we have eventually gotten to the right person. We also have the option to call our sales rep, but we have never used that option. It seems like things are working.

Neutral

In the old days, we used Check Point. We did an evaluation of the Cisco ASA and we liked it and we brought it on board.

At that time, it was easy for our junior operations engineers to learn about it because they were already familiar with Cisco's other products. It was easier to bring it in and fit it in without a lot of training. Also, the security features that we got were very good.

The one we deployed in the data center was pretty straightforward. I also deployed the Cisco ASA for AnyConnect purposes and VPN. I didn't have to call TAC or any professional services. I did it myself.

We used a Cisco reseller called LookingPoint. I would recommend them. We've done a lot of other projects with them as well.

It's a great investment and there's a lot of value for your money if you're a CSO or a C-leader. As an engineer, personally, I have seen it work great wonders for us. When we're doing code upgrades or other maintenance we are able to keep the business going 100 percent of the time. We have definitely seen return on our investment.

I don't look at the pricing side of things, but from what I hear from people, it's a little pricey.

At the time, we looked at Juniper and at Palo Alto. We didn't get a feeling of confidence with Palo Alto. We didn't feel that it offered the visibility into traffic that we were looking for.

We use Cisco AnyConnect and we've not had any issues with it. During COVID we had to scale up and buy licenses that supported the number of users we had, and we didn't have any problems with it.

We mainly use it for site-to-site VPNs, connecting to other businesses. I work in manufacturing and hospitals.

We connect to remote networks: manufacturing-to-businesses and hospital-to-hospital.

It was deployed in our data center across multiple sites. At the hospital where I last worked, it was deployed at 18 sites, then we did VPNs between our hospital and clinics.

We don't have to worry about when something goes down. Instead of saying, "Oh my gosh, this went down and now we have a gap here," it has automatic failovers and built-in redundancy. So, it says, "I don't have a gap anymore." This is one less thing to worry about, which was a big benefit for me. If our security group comes back, and says, "Hey, this is down." Then, it is like, "Yeah, we got it covered."

Our security groups are always very adamant that things stay up. If something went down, they say, "Why did it go down? How do we prevent it?" Since resiliency is already built-in on its initial design, we don't have to go back in every time, and say, "Here, this is what we did. This is why it was done like this." Instead, it is just, "Yes, they blessed it, and it's approved," and we don't have to go back and keep reinventing the wheel every time.

I like the ASDM for the firewall because it is visual. With the command line, it is harder to visualize what is going on. A picture is worth a thousand words.

Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it.

I have been using this solution for more than 20 years.

I have never had any problems with stability. In the 20-plus years that I have used them, I don't think I have ever had a failure on them. They have always been rock-solid.

We haven't done much with scalability. We have always just done active standby. However, it scales once you figure out how to do it. If there are site-to-site VPNs within your own location, it is easier because there is a template, where it is, "Here, change this IP address. Change this IP address. There, it's done." 

Third-parties weren't bad. Once my side was done, then we could easily cut and paste it, and say, "Okay, here's what my side's configured for. If you have something that is not working, then you can tell me what it is and I will help you." However, we never really had anything that we couldn't fix. It was also possible to scale on the other side.

I haven't called tech support very often. When I did call them, they could tell me what the problem was. That is where I started learning, "Here are the commands that you should be using to debug this." They have been very helpful. I would rate them as nine out of 10.

Positive

I have used Palo Alto and Fortinet. We switched mainly because we were trying to unify all our products. Instead of using multiple systems, everything with the Cisco solution is end-to-end with different views of security. Some of them wanted to be diverse, keeping things separate. For others, it was easier if everything was just with one vendor. Also, if you are Cisco-centric, it is also easier.

Since I have been using this solution, I have seen it grow. When they first started doing it, it was more like, "Here's the command line. Here's what you got to do." Now, it's easier for a new engineer to come on, and say, "Okay. Here, you are going to start supporting this, and here is how you do it," which has made life easier. Since it is a repeatable thing, no matter which company you go to, it is the same. If you get somebody who is doing it on the other side of the VPN, it is a lot easier. So, I like the Cisco product. I have used several different ones, and it's like, "Well, this is the easiest one." It might be just the easiest one because I have used it long enough, but it is also a good product. It just helps us be consistent.

We did a lot of site-to-site VPNs. We also did a third-party, which is Palo Alto or something. Though, some of them were SonicWall. It is like, "Okay, I don't know how the site is configured, then I spend hours trying to troubleshoot a VPN." The more you use it, the easier it gets. It used to take days to do it. Whereas, the last one that I built took about 30 minutes. The more we use it, the better the outcome is and the faster we can do it. Now, I am not spending days building a VPN, which should only take 10 to 15 minutes.

There is ROI when you use it more.

Once you know what the product is, it is not that bad. Yes, it is expensive. When you try to get a license, it is like, "Well, I don't know which one of these I need. And, if I don't buy it now, then I will probably be back later. Now, I have to justify the money." Typically, you end up just buying everything that you don't use most of the time. It is one of those solutions where you get what you pay for. If you don't know what you need, just buy everything. We have additional licenses that we don't use.

Take your time with it. Actually, read the documentation. Don't just assume you know what stuff means since that will sometimes come back and bite you. I have done that too many times. If you go from version to version, it changes a little bit, and so it is like, "Well I don't know why it doesn't work." Then, you go read the notes, "Oh, yeah. This changed and it is done over here now."

Building more resiliency should be a priority, and it's going to take money to do that. So, you need to actually believe and invest in it. Otherwise, it's an idea. It's great, because we all want redundancy, but nobody typically wants to spend the money to do it. Or, they want to do it as cheaply as possible. It's like, "Okay, I can do that," but you're going to have more gaps. Then, it is not really worth it. Therefore, invest the money the first time and do it right.

I would rate it as nine out of 10.

We use it to segment the east and the west traffic in our data center. We also use it on the internet edge and for VPN termination.

We use its multiple versions. We use the virtual and the physical ones. We have multiple Cisco Firepower 9300, and we also have a few Cisco Firepower 4100.

It helps in protecting against threats from outside and within our data center. With the enhancement in the newest version 7.0, visibility is where we always wanted it to be. The introduction of the Unified Events feature really helps us out daily.

It enables us to implement dynamic policies for dynamic environments. With the recently added Dynamic Attributes feature, we are able to create more dynamic and fast-changing policies. In our data center, workloads tend to go up and down very quickly, and that's why dynamic policies are important. Because the workloads in our data center are fast-moving, we need to be able to change our firewall policy accordingly and quickly. That's what makes it a very important feature for us.

Snort 3 IPS allows us to maintain performance while running more rules. Our performance has
definitely increased after migrating to Snort 3. Rules are easier to implement. We also like the underlying antivirus advancements that they made with the new architecture, which increases its benefit for us.

The VPN and the login enhancements that were introduced in version 7.0 are invaluable to us. That was something that was missing before. 

Feature-wise, we mostly use IPS because it is a security requirement to protect against attacks from outside and inside. This is where IPS helps us out a bunch.

It is good in terms of the overall ease to use in managing it. Some of the things need some tuning, but overall, it is good.

The visibility for VPN is one big part. The policy administration could be improved in terms of customizations and flexibility for changing it to our needs.

I have been using this solution for about six years.

Its stability is quite good. We couldn't find any issues.

Its scalability is very good due to clustering. 

In terms of our plans to increase its usage, it has everything we need. We don't plan to add anything more because it has all that we need as of now.

Their support is not perfect. Sometimes, you get the feeling that some of the support engineers don't have a deep knowledge of the product, but there are some engineers who are able to help.

Most of our clients were on Cisco ASA.

I wouldn't call it extremely straightforward, but I wouldn't call it complex either. Its deployment took about a day.

In terms of the deployment strategy, we create our deployment plans for ourselves and our customers. The deployment plan depends on the environment.

We deploy it ourselves.

It is very hard to say because we don't measure that. It is also very difficult to measure if it has helped in reducing our firewall operational costs.

Its pricing is good and competitive. There is a maintenance cost.

It includes SecureX that makes it cost-effective as compared to the other solutions where you have to pay for XDR and SOAR capabilities.

Technically, it is a very good firewall, but some improvements need to be done on the management side. I would advise getting a consultant or someone from Cisco to help you in implementing and using this firewall to its fullest extent.

We don't use workload integration as of now. We also don't use its dynamic policy capabilities to enable tight integration with a secure workload at the application workload level. Similarly, we don't use the solution's tags for VMware, AWS, or Azure for dynamic policies implementation in the cloud.

I would rate Cisco Firepower NGFW Firewall an eight out of 10.

I am using Cisco ASA 5525 for netting, routing, and site-to-site VPN. We have two sites. I am using Cisco ASA Firewall on one site and Check Point Next-Generation Firewall on another site.

We have integrated it with Cisco Anyconnect. This feature has been very good for us during the lockdown.

Netting is one of the best features. We can modify it in different ways. Site-to-site VPN is also an awesome feature of Cisco ASA.

The biggest advantage of Cisco products is technical support. They provide the best technical support.

Cisco should work on ASDM. One of the biggest drawbacks of Cisco ASA is ASDM GUI. Cisco should improve the ASDM GUI. The configuration through ASDM is really difficult as compared to CLI. Sometimes when you are doing the configuration in ASDM, it suddenly crashes. It also crashes while pushing a policy. Cisco should really work on this.

We have been using this solution for one and a half years.

It is stable and reliable. If you are looking for security from Layer 1 to Layer 4, Cisco ASA is good, but if you are looking for Layer 7 security, deep security, and malware detection, this is not the right product. You have to use some other product.

We have more than 400 employees. We are currently not thinking of increasing its usage because we need more security, and Cisco ASA is not good for Layer 5 to Layer 7 security.

The biggest advantage of a Cisco product is technical support. They provide 24/7 support on 365 days. Their technical support is one of the best. I would rate them a ten out of ten.

Cisco ASA is very not complex. It is a very simple firewall. If you are configuring it through CLI, it is easy. If you configuring it through ASDM, it will be more difficult for a beginner engineer.

It takes around two to three days to cover all the parameters. It is very easy to deploy in an existing network, which is one of the main advantages of Cisco ASA.

We are happy with its price. Licensing is on a yearly basis for technical support. There is one license for technical support. There is another license for IP Version 2 VPN and IPS.

I considered pfSense, but when I checked the reviews, pfSense's reviews were really bad, so we purchased Cisco ASA.

I am very happy with this product in terms of netting, routing, and VPN functionalities. If you are a small organization with around 100 people and you are not thinking of Layer 7 security, deep security, and malware detection, Cisco ASA would be very useful and cost-effective for you.

I would rate Cisco ASA Firewall an eight out of ten.

We primarily use this solution for network security.

This product has increased the visibility in our network.

The most valuable feature of this solution is its ability to integrate vertically.

There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.

This is a highly stable solution.

This solution is very scalable.

Technical support for this solution is good. The response times meet our expectations and we have not had any issues.

We have always been using this same solution, but previous versions. We update them in trying to keep up with the amount of data coming through, such as more streaming.

The initial setup of this solution was straightforward. We had the proper documentation to reference.

We deployed this solution in-house.

I don't work with the numbers, but I can say that it's great for security and has improved our effectiveness at the office.

The cost of this solution is high.

We did evaluate another option, but we stayed with the Cisco solution because it's trustworthy.

This is a good product from a trustworthy vendor, but it is not perfect.

I would rate this solution an eight out of ten.

ASA5585-SSP-60 was deployed after a migration from Juniper SRX5600. The solution is used for the protection of the mobile data network. It is protecting 3G/4G Internet customers and the Private APN.

So far, we are not satisfied by the move. The precedent solution is much more adapted to the Telco environment, although Cisco recommended this platform. Cisco ASA also brought our network down several times due to a memory leakage bug, which is still not resolved.

All features provided by the platform are quite the same for all other platforms. We rather missed some features we were used to, such as virtual routers

• VPN creation with Cisco is quite difficult: Some DH groups are not supported (compared to Juniper).
• Expected to see the enablement of virtual routing, which is key in a Telco environment. We need to provide this in LAN to LAN services with shared platforms (DNS, proxies, etc.).
• Application visibility 

Yes, a memory leakage issue which literally freeze the nodes (we have an HA environment). The issue is still not solved and the only recommendation from Cisco is to reboot the node.

Yes, the throughput highlighted on the datasheet (10Gbps) should be reviewed. This throughput is only for a UDP running environment, which you will never find in the real world. Rather consider a multiprotocol throughput.

Experience with technical support was mitigated. 

Technically, they denied any issues on the node and call the memory leak issue, "A cosmetic issue." They were stating that memory disappearance reported by SNMP was an error and will have no impact on the traffic. They have reviewed this since we have recorded several blackouts during the year.

We were using Juniper SRX5600. The switch was more a strategic decision than a technical one.

We are also using a 5520 for seven years in our datacenter and we are satisfied by this version.

The initial setup was very complex. Migration from Juniper (with wide usage of VR) to Cisco is complex and you should make sure to master all the flows on the node. Also, Juniper is more permissive on asymmetric traffic, which Cisco will deny by default. 

Implementation was performed by a Cisco recommended local partner. 

We were not satisfied at all (from the pre to post implementation). Their level of expertise was zero.

I do not know.

Nothing to highlight at this level. 

We did an evaluation with Check Point.

It is definitely not for Telco.

Centralized policy creation for URL, application, IPS, etc. It simplifies matters more than previously.

It provides centralized management. I would also add that URL, Malware and IPS built-in has been a great help as well. Where we used to need several products for all these features, we now only need the ASAs with the additional licensing. So now, it is more a matter of license management over hardware and licensing management.

More centralization and simplification of product lines would help most engineers, but I think licensing is the key here. Most organizations won’t pay the money to have ELA licensing, so all the individual licenses for these products can be overwhelming. Plus, they never really synch for expiration time.

This is mainly due to reliance on other Cisco products and licensing. For example, Palo Alto includes several features in one whereas Cisco requires multiples. However, I still think Cisco offers great products but to get a "10" they might consolidate devices or simplify licensing.

I have used this for two years, but company has used Cisco solutions for many years.

We did somewhat have stability problems. Upgrading the ASA, ASDM, and SFR can be a pain if you have as many firewalls as we do (21). Once you can get them to fall under FPMC management it can be a little easier, but it is a battle to get to that point.

There have been no scalability issues from my point of view. I was handed the solution, so some of the initial work was done.

I rate support 10/10. TAC has always done a great job with answering my questions and providing remote support when needed.

Previously, I used ASAs without FirePower; and unsure what my company used prior to that.

For me, setup was half-and-half. In one update run I missed the step that discusses how the ASA and ASDM need to be on a specific patch prior to upgrading the SFR. FPMC attempted to push the new update to the devices regardless of this mismatch that caused FPMC to loose communication. I had to downgrade the SFR all the way back to v5.4.1 before I could install the latest version. You also have to step through several updates before you are done, so that can be tedious as well.

Read everything and track all your licenses. Research all options and maybe pick a few to PoC. It doesn’t hurt to trial others. Maybe they are a better fit for your environment.

We are moving forward with ELA 5.0 for all Cisco security devices. Prior to that decision, we did a PoC with Palo Alto 3020 and 220 firewalls and Panorama. Those are some great products, but we are so Cisco centric that the cost of ELA isn’t much more than we are spending now.

Do research. FPMC is great for us but it requires a lot of time and attention.

We use them for site-to-site VPN solutions as well as other VPN activities, and for general application security.

We needed a good VPN solution and, as our network grew, we had more applications that were virtualized and that can be spun up. We needed a solution that would keep us ahead.

Cisco ASA provides great security for our applications.

One of the best features is the ease of use. It's also easy to teach new engineers to use the ASA CLI. When I first started learning firewalls, Cisco was the first one that was taught to me and it was pretty easy to grasp. When I'm teaching other engineers to use Cisco ASAs, the results of their learning are immediate.

It needs to provide the next-generation firewall features that other vendors provide, like data analytics, telemetry, and deep packet inspection.

Also, the ASAs need to be improved a little bit to keep up with the demand for high bandwidth and session count applications.

I've been using Cisco ASAs for about 11 years.

It's reliable. It doesn't have all the features of some of the newer firewalls, but it's very reliable. It doesn't break. It's pretty rock-solid.

We have at least a pair in every one of our data centers. We gateway our applications around the firewall system, meaning all application data goes through firewalls.

We have good support from Cisco for the ASAs. That helps us out a lot. Some of our ASAs are pretty old and technically not supported anymore, but TAC always helps us out.

The initial one, for me, was a little bit complex because I hadn't done it before. It was inline and an active/standby pair, so it involved a little bit more than just deploying one firewall. 

We had some documentation written and we tested it in the lab and then the deployment took about four hours.

We deployed it alongside different solutions and then we cut over to it when it wouldn't impact the customers.

The maintenance involves doing code upgrades periodically to keep up with the security environment requirements. One person handles that.

We deployed with a consultant from Cisco support. Our experience with them was good. They provided a lot of documentation ahead of time to help us with our configuration.

From our side there were two people involved. One was doing the configuration and the other person was checking to make sure there were no errors, looking at IPs and the like.

The licensing is straightforward and simple, so we don't have to keep relicensing every year as we do with other applications.

We use Juniper as well.