Cisco Secure Firewall Reviews

We use them in our data centers and on the client side. We have a small installation of Firepower in our main data center, and we are also using Cisco ASA firewalls. So, we have the old ASA platform and new Firepowers. 

It saves time because it's easy to operate and it's easy to add new zones or firewall rules. It's also easy to troubleshoot. It's a neat platform.

When I was managing these firewalls, I found them easy to understand, easy to deploy, and easy to maintain as compared to some of the other firewalls I have been involved with earlier. The opinion of my coworkers is that it's easy and quick to establish new zones, expand, and maintain.

I'm not very familiar with the largest Firepower models, but competitors like Palo Alto seem to have a more capable engine to do, for instance, TLS/SSL decryption. As I understand, Firepower doesn't let you export the decrypted traffic so that, for instance, the security department can look at the traffic or inspect traffic. It's all in the box. I've heard rumors that this is something Cisco is working on, but it isn't yet available.

We have been using Cisco firewalls for about 10 years. 

Its stability is good. We have a failover standby solution that works fairly well. It can have some improvements, but we are happy with it.

We had an issue where we had to install another cluster for the firewall because we went out of the capabilities on one of them. You need to analyze in advance how much your usage will grow in the future and you have to decide based on that. It's about adding more firewalls. We can scale in this way, and it's good.

Whenever I've used their tech support, they have been successful. They quickly pinpointed the problem and provided swift remediation for all the problems. My experience has been good. I'd rate them a nine out of ten.

Positive

We decided to go for Firepower because we needed to expand, and we have a large installation of Cisco devices in our environment. It's 70% Cisco. We have one location where they are using Extreme equipment, but in that location also, we have Cisco firewalls. Having one vendor leads to ease of management. It's also easy in terms of competence. We have good knowledge of Cisco, so it's easy to maintain and operate a Cisco platform.

For network security, we have a central hub for all the external traffic. That is a huge load of traffic. On those applications, we are using Palo Alto. We have a mixed combination of Cisco and Palo Alto in our central locations.

Using Cisco firewalls has helped to eliminate or consolidate some of the tools and applications. We have some installations of AlgoSec to see what's going on or how the performance is, but we have, more or less, decided that we don't need them now because there is so much information that we can pull from CSM or FMC.

It's easy to deploy and maintain.

We have a partner for Cisco products. We have a contract with a new partner now for the SDA fabric on ACI.

I'd rate Cisco Secure Firewall a nine out of ten. 

This product protects our computer systems. I use it as a traditional firewall service. I don't have any special use cases for it.

Firepower has reduced our firewall operational costs by about 25 percent.

Sometimes there is a lack of performance. One of my colleagues is using the firewall as an IPS, but he is worried about Firepower's performance. It is much lower than we expected. They need to improve the performance a lot. With the 10 Gb devices, when it gets to 5 Gbps, the CPU usage goes up a lot and he cannot manage the IPS.

I have been using Cisco Firepower NGFW Firewall for more than two years.

The most valuable property is the stability. It doesn't crash.

When I have had issues with the software, I don't think they have given me the right answers. The support for the software isn't that good, but support for the hardware is very good.

Neutral

Although I work in Korea, I needed a means of deploying computer systems in other countries. Two or three years ago I was looking for a proper solution that would cover global sites. I chose Cisco products because Cisco has a very large presence all over the world.

Once I got used to this product, it was easy to use other products, but it was not easy for me the first time.

Firepower is a little bit expensive, although there are no additional costs beyond the standard ones.

We have several brands of firewalls in our organization. Compared to them, the ease of management of the Cisco firewalls is pretty good.

When you calculate the capacity you need, you should add a buffer for performance.

There are 25 users of the solution on my team and they are all network security specialists.

I work for an engineering company that has multiple sites located in different locations, overseas and domestically in Pakistan. There are 30 to 35 sites connected to our network. We restrict the website at these locations using the Cisco Firepower module.

The main thing that I love the most is its policy and objects. Whenever I try to give access to a user, I can create an object via group creation in the object fields. This way, I am not able to enter a user in the policy repeatedly. 

Cisco Firepower is not completely integrated with Active Directory. We are trying to use Active Directory to restrict users by using some security groups that are not integrated within the Cisco Firepower module. This is the main issue that we are facing. 

There are some other issues related to their reports where we want to extract some kind of user activity. When a user tries to connect to our website, we are unable to read its logs in a proper manner and the report is not per our requirement. These are two things that we are facing.

Per my requirements, this product needs improvement. For example, I want to use and integrate with Active Directory groups. 

We have been using it since last year.

It is a stable product.

I haven't tried to work with Cisco support.

In the last 10 years, we were using the Barracuda Web Security. Compared with that product, I would give this solution six or seven out of 10 when compared to Barracuda. Barracuda has one of the best web security features, giving access to users by deploying a web agent on client computers at different sites. 

Barracuda Web Security's hardware was obsolete so our management never tried to renew its license. That is why we are trying to use the Cisco Firepower module. We want to understand their web security gateways, web security logs, what it provides, and the kind of reporting it has. We are currently doing research and development regarding what features and facilities it provides us compared to our requirements.

I am happy with the web security. However, I am not happy with the groups, reports, and integration with Active Directory.

We are using the web security, and only the web security feature. Therefore, if someone asked me to give them advice about the Cisco product, then I will definitely not recommend it since it is not fulfilling our requirement. We have different sites located domestically and at overseas sites, which is about 30 to 35 sites. It is not locating any of the clients. This is compared to the Barracuda web agent on the client computer, which is always connected to Barracuda with live IP addresses, pushing and pulling all the procedures and policies to that client and computer. This is why I will not recommend the product to anyone who has a similar situation to ours. .

I would love to use the product in the future, if my requirements are met.

I would rate the product as four out of 10.

We use it to configure the perimeter firewalls. In FireSIGHT, we have two firewalls in a cluster with high ability, then we have five firewalls in Offices. We use those firewalls as a perimeter for Offices.

We have all the devices in the Firepower Management Center system. We always work with Firepower devices in Firepower Management Center.

We have offices around the world. We are in Europe, the USA, and South America.

We have border security with Firepower. We try to curb security issues by using this Firepower firewall.

The solution provides us with good working application visibility and control.

I have access to the web version of Cisco Talos to see the reputation of IP addresses. I find this very helpful. It provides important information for my company to obtain the reputation of IP addresses. The information in Talos is quite complete.

The configuration in Firepower Management Center is very slow. Deployment takes two to three minutes. You spend a lot of time on modifications. Whereas, in FortiGate, you press a button, and it takes one second.

Three years ago, the Firepower Management Center was very slow. The solution has improved a lot in the last couple of years. It is now faster. I hope that continues to improve. 

I have been using it for three years.

We have five devices. In Rome, we don't have a technician and didn't work when we started using it. We had to send a technician to Rome to reboot the system. Now, it is stable with no problems. Also, we lost the link to the high availability firewall in our data center. We only had one device there, and Solutel had to solve this issue.

The scalability is great.

We have five devices in four locations.

Three network administrators who work with Firepower, including myself.

I usually create an issue with Solutel, then they create a case with Cisco Talos or the Cisco technicians. I am happy with Solutel's support.

We deployed in several cities, but not the same day. 

The initial deployment was done by a Cisco partner, Solutel. Our experience with Solutel was fantastic. They are local partners for us and provided us with great service.

We realized that clearly we have issues of security with a lot of attacks. I don't know if it is because with the COVID-19 virus a lot of hackers are at home or working more hours. In the last year, we have seen attacks that are very big, and we need a barrier. So, we use a firewall to block these attacks.

The price for Firepower is more expensive than FortiGate. The licensing is very complex. We usually ask for help from Solutel because of its complexity. I have a Cisco account where I can download the VPN client, then connect. Instead, I create an issue with Solutel, then Solutel solves the case.

Our license for Firepower is their best license.

We have FortiGate firewalls, the security of Office 365 from Microsoft, Cisco Umbrella, and Kaspersky Anti-virus. We are also using Cisco ASA, Meraki switches, and a router from Cisco.

The Firepower Management Center tool is very slow. We also have the FortiGate firewalls and these tools for configuring the firewall are faster.

We have to make a change to our devices in South America. We are currently evaluating Cisco Firepower Series 1000 versus FortiGate. Firepower is more powerful than FortiGate, but FortiGate is more flexible and easier to configure. Because of our last issues with Firepower, it is possible that FortiGate is more stable.

It is a very powerful device. Firepower Management Center is a great tool, but it is a bit slow.

We don't have Cisco Umbrella integrated with Firepower. We tested Firepower's integration with Meraki Umbrella, but we don't use it because you need better firmware.

I would rate this solution as an eight (out of 10).

We are using the ASA in our network to create a VPN between six places. We also use it for servers and data synchronization.

The most valuable feature is that it's secure.

It is really stable and I've never had an occasion that due to this firewall, I have had issues with the network, a breakdown, or otherwise.

This is a user-friendly product. Once you have a specialist who can configure it properly, you'll be pretty protected everything you want is in it.

In the future, I would like to be able to use an IP phone over a VPN connection.

I have been working with Cisco ASA Firewall for at least seven years.

The stability is good.

We have not tried to scale our network. It was established a long time ago and nothing has changed since then.

I have been auditing their partners in Bulgaria and I am in contact with them on a regular basis. I have not had any real issues with my equipment but overall, I think that the support is perfect.

We were using the ASA 5505 and our network is faster now, so we are now in the process of upgrading our network to the 5506 model. The 5505 is a 100 megabit product, which is very low.

We had a company that set everything up for us. They have Cisco engineers and I'm paying them annually for next-business-day support. They do all of the maintenance for us.

They have a lot of different models but most of them are really expensive. This is the main thing because, for us, the price is important.

Overall, I am pretty satisfied with this product and I recommend it.

I would rate this solution a ten out of ten.

We are an IT integrator. We include parts of the infrastructure as part of our services, which includes firewalls, routers, switches, and even some end-user devices. We are deploying Cisco, Palo Alto, and Aruba. We are a very big company, and we have probably about 300,000 employees all over the world.

We use this solution for security and for enabling site-to-site VPN. We have on-premises and cloud deployments, and we are using the latest version of this solution. It is 5500 or something like that. 

The configuration capabilities and the integration with other tools are the most valuable features. 

I really like this product. Cisco is one of my favorite brands, and I always think Cisco solutions are very reliable, easy to configure, and very secure.

It can probably provide a holistic view of different appliances because many customers do not have only one brand, besides the traditional SNMP protocols, to cover all their devices. There are some specific requirements in terms of configurations or actions that sometimes have to be done in a very manual way because of the different versions or brands in a customer's infrastructure.

It could also have some additional analytics capabilities. It has some very interesting ways to monitor the traffic and identify false positives from the architecture and the environment. It would be good if there is a way to patch with some other industry-specific solutions and synchronize some of the information, such as what other customers experience in their operations and probably share some additional information that could be leveraged or shared among the industry. Such information would be something interesting to see. It could have AI capabilities related to how the appliances could benefit from learning the current environment and different exposures.

I have been using this solution since the beginning of this company, which would be more than 20 years.

It is stable and reliable.

There is no real limit to the way they can scale. It is very easy to integrate additional firewalls or even nodes on appliances. Whenever needed, they are stackable. They are very flexible in that sense. Our clients are large businesses.

The service that we have received from Cisco has been reliable, fast, and efficient. They are very good. As long as you have a contract, you can rely on them. You should also have a technical team certified or at least trained on the infrastructure to provide in-depth first-level help. 

I have also used other solutions like Palo Alto. The capabilities are pretty much the same. It is just a matter of how they integrate with the overall landscape of the customers. Palo Alto seems to be the top end firewall these days, but the customers might have purchased Cisco in the past or have a DNA subscription using which they could probably take advantage of the security landscape that Cisco offers. It is more about what is the overall benefit rather than just the appliance.

They seem to be at the top end in terms of pricing, but they are worth the price. They are probably a little bit lower than Palo Alto. If the customers are relying on Cisco products and they are thinking more in terms of scaling to another layer in a year, it is pretty much in a good price range.

I would suggest to be sure that it smoothly integrates with the infrastructure that you have. Try to take advantage of the DNA subscription and the new monitoring features that it has. Be informed about what's new with this product.

I would rate Cisco ASA Firewall a nine out of ten.

We use remote desktop services from our data center. We can clean the client and the remote desktop server and from there we can establish a VPN channel. 

We can create a profile and we can give them access depending on the access level they need to be on. All the way from level one to level 16. I just create the user and from the dropdown, I select what access level they need to be on and that's it. I don't need to go individually to each and every account and do the configuration.

I like the user interface because the navigation is very easy and straightforward. On the left side pane, you have all the sites that you need to browse. Unlike any other firewalls, it's pretty straightforward.

If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. 

I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to login into the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.

I would rate their stability a nine out of ten. It's pretty stable. I never come across a situation where the firewall hangs and then I need to reboot it.

Cisco is expensive and when you want to grow, it means you're going to need to spend some money but you can justify it.

We have closer to 50 users on the firewall at the moment and do have plans to increase usage.

We were previously using Sophos firewall but it had a lot of issues. 

The initial setup is a little difficult compared to other firewalls but once you get it right, especially the assistant control list, it's fine. It's a little difficult compared to other firewalls. 

The deployment took us about three days because we did some testing and we also did certain attacks and checked some hackers which is why it took some time. We wanted to make sure that it was at least 99.99% protected.

We implemented through a UK company called Rackspace. 

Licensing is expensive compared to other solutions. Especially in other regions because people are very careful when it comes to spending on IT infrastructure. My suggestion is, first test it, once you see how good it is you will definitely want to renew it. 

I would advise someone considering this solution to just go for it. It's expensive but it's a robust solution. The only thing is that you have to convince your finance guy to go for it.

I would rate it a nine out of ten. 

With the ASA there are multiple products depending on your needs based on the two generations of the ASA. Roughly split-up there are 4 products.

1. 5500 Series basic/standard firewall - This I would rate as 7/10 due to the fact that it's easy to use, manage and deploy. Its scalable SSL, and IPSec VPN options, and is lacking throughput
2. 5500-X Series basic/standard firewall - This I would rate as 8/10 due to the fact that it's easy to use, manage and deploy. Its scalable SSL, and IPSec VPN options, and it has high throughput
3. ASA5500 Series with firewall and CX - This I would rate as 5/10 due to fact that even though the firewall and VPN part is easy to manage and deploy, the CX is lacking in stability, and features. Also, it is rather complex to deploy. Add to this the CX lowers the throughput even further
4. 5500-X Series with firewall and Sourcefire - This I would rate as 9/10 because it's easy to use, manage and deploy the firewall, VPN, and also the SourceFIRE. SourceFIRE works rather well and is by far the most advanced IPS system available. But it decreases the throughput more than you´d like

In general, I like both the SSL VPN and SourceFIRE. Firstly, for the VPN, both the client and client-less versions are very scalable, flexible, and dynamic in configuration and probably the best SSL VPN solution available in the marked. Secondly, SourceFIRE has improved the IPS functionality and stability of the ASA to a point where you can begin to enjoy the fruits of your solution and root out the bad seed in you network.

For many of my customers, the SourceFIRE solution has been an eye opener of exactly what their users are generating of traffic. Some customers, after reviewing the traffic application usage reports are astounded by the amount of traffic used, for example by Facebook and YouTube. My customers like the visibility into their network usage, and not necessarily wanting to block it, but just to know that they can control the network traffic and utilization if needed.

Definitely the throughput could use an upgrade when running the SourceFIRE/AMP with the ASA. Also, it could use better troubleshooting capabilities. You are, most of the time, bound to have access to TAC for troubleshooting advanced problems.

Customers where I have deployed these solutions have had them for three plus years, and most of them have, at the present moment have first generation solutions, or are planning an upgrade to the second generation ones (NGFW or NGIPS),

There are always issues when implementing key equipment like firewalls, especially if you are converting from an unfamiliar platform, activating SourceFIRE, or doing a general maintenance rule clear-up. If you don’t follow best practice, you can seriously impact network performance or unintentionally shut-down services.

In general the ASA has a great software stability reputation, and even though SourceFIRE for ASA is still young, the stability seems to be rather good. Of course you can’t avoid all issues, and you might have to reinstall the SourceFIRE software on the modules. If you're upgrading the ASA from pre code 8.3, you will need to redo the NAT and access rules of the ASA.

License scalability for SourceFIRE is really not good if you have an ASA in HA as you need two licenses of everything, which is really bad as you wont get double SourceFIRE other than that you need to remember to buy your ASA based on the SourceFIRE's throughput and not the inspection throughput.

If you have a service contract with Cisco you can have TAC assistance, software upgrades and next-business-day RMA (or faster) otherwise you are left to yourself or your Cisco partner. Basically without a Cisco service contract, you can't get any help or software from Cisco.

Should you have a Cisco service contract, you get access to TAC that will provide you technical assistance towards solving your issue. The TAC experience can vary a lot. In general I would rate it as very good, 4/5.

Mainly customers switch from other vendor because of VPN features, ease-of-management, and good consultant/partner relationship.

The initial setup is fairly easy and there are wizards for almost all the basic needs, including the initial setup and all types of VPN technologies that the ASA supports.

I am the vendor, and I am an expert with ASA.

Make sure you get the right product/license to do the job you need done. If you are in doubt ask a consultant or a Cisco Partner. I have seen cases where a firewall wasn't the right hardware for the job and you can't just switch off the firewall/inspector for some interfaces or networks.