Cisco Secure Firewall Reviews

Previously, our customers had to always utilize hand-to-hand delivery. Now, they are able to move completely to a secure digital method. They use a strictly dark fiber optics connection from a central location to the endpoint.

Our clients have been able to consolidate infrastructure products such as Talus for hardware encryption and Dell EMC for D2D de-duplication and backup.

FMC could be improved because management with FMC is quite difficult compared to using Firepower web-based management.

We've been selling Cisco Firepower for a year.

Our clients feel that Cisco has proven stability in enterprise networking, routers, and ASA firewall security.

We are very confident with Cisco's technical support and would give them a ten out of ten.

Positive

Previously, we sold Check Point and Palo Alto.

We choose to sell Cisco because it has been approved by NATO. Our clients use a strictly offline infrastructure, and there were significant issues with Check Point. In addition, we have good support from the local Cisco office, and they also suggested that the end user goes with Cisco.

As a Cisco Secure Firewall reseller, the value we bring is very good support. You will not get the same level of support from some other vendors. For instance,  Palo Alto and Check Point don't have direct support like Cisco. They have third-party support. Thus, you may get a response only when you escalate the issue to the third tier of the service level. With Cisco, everything is resolved within a day.

The initial setup is straightforward because most network engineers have worked with Cisco. Cisco invested in universities, and as a result, 40% of the network experience of students is with Cisco.

Our clients are mostly financial institutions and have strict policies that do not allow personal data on external clouds outside the country. As a result, they mostly use an on-premises or hybrid cloud deployment model.

We are currently having our customers switch from the 2000 to the 3000 series.

The price is not too high, but the subscription is a little bit high. We compared the activation of Cisco and Fortinet, and when we activated the whole portfolio of the UTM of Fortinet, the speed was reduced. We tested the same situation with the Cisco 2140 series, and there was no reduction in speed.

When you're evaluating the solution, take a look at the customer reviews.

We have had no issues with Cisco Secure Firewall, and I would rate it at nine on a scale from one to ten.

We are mainly using it as a VPN gateway and edge firewall.

It helped us with the transition to working from home and hybrid working. Because of its VPN capabilities, it enabled us to keep working while everyone had to stay home because of COVID.

It integrates well with other systems within our environment. 

I like its integration with the AnyConnect client. I also like how modular it is. For example, I can easily integrate the Umbrella add-on into it. We are planning on adding Umbrella. We haven't added it yet, but we have researched it.

One big pain point I have is the ASDM interface because it's Java, and sometimes, it's a bit buggy and has low performance. That's something that probably won't be improved because of backward compatibility. 

The CLI is not always clear. It's not always intuitive.

Some of the things, such as site-to-site VPN, are complicated to set up. The settings you have are all hidden away in crypto maps, and you can't have a setting per tunnel. When you want to change one particular tunnel, you automatically change them all. That's a drawback.

We've been using the Cisco ASA firewall for about two years.

It's reliable.

I haven't had much contact with their tech support. We have a partner called Fundamentals for support. They're good. I'd recommend them.

We have a Palo Alto core firewall, and we handle threat detection and intrusion prevention on that device. We don't use Cisco ASA for detecting or remediating threats.

Compared to other systems that I have used in the past, Cisco ASA is reliable, and it's not a very big hassle to set up. It's very good, and it just does its job. 

It's not a very big hassle to set up. It's a bit complex when you go into different topics that aren't the basic capabilities, such as when you go above VPN and basic ACL configuration, but all in all, it does the job.

I'd rate it a seven out of ten because of the ASDM, non-intuitive CLI, and complication of setting some of the things.

Our primary use cases for this solution are as a traditional firewall, VPN system, IPS, and for URL filtering.

I think that the firewall feature is the most valuable to me as it is one of the oldest features for this solution. We also appreciate how stable the VPN is.

I have a lot of difficulties with the solution's Firewall Management Center (FMC) and the GUI. Neither is responsive enough and should be improved.

My organization has been using Cisco Secure Firewall for more than 10 years. 

My opinion is that this solution is quite stable.

We encounter tech issues often. Sometimes it's really good to work with the tech engineer, but sometimes it can be really frustrating that it's slow to go through the email chat and everything. It depends on the engineer you get.

Positive

I have had difficulties with the implementation of this solution. When I first encountered this solution, I had difficulties bringing it up and configuring it, but this was maybe due to the fact that back then it was a new technology. It is possible that I would have an easier time with it right now. 

I would say that this solution did help free up staff. Today, and even during COVID, a lot of customers are interested in VPN solutions and this demand will only keep increasing. I work from home mostly and the solution saves me two hours per day.

I do want to stress that this solution saves our organization time. We have 13 engineers in our company and even more staff in other departments and they also have the opportunity to work from home and with this, they save a lot of time. We plan on buying a smaller office thanks to this and this too will save a lot of money for the company.

The reason we chose Cisco is that some of my colleagues partnered with the provider when they came to Hungary, so they have been working with these solutions for a long time.

I do not have experience with the Cisco migration tool, but my colleagues do and they are really happy with it and its ease of use.

I would rate this solution a nine, on a scale from one to 10, with one being the worst and 10 being the best.

With [my company], NIL, it's cross-domain. It's just not ASA, but in particular we work with customers where we talk about the physical boxes or even the virtual appliances that we're deploying. The use cases can be multiple, but mostly what we have seen is perimeter security, looking at blocking [and] allowing of traffic before accessing the internet.

The majority of the challenges that we see across customers and partners is looking at the data, the integrity, security, [and] looking at various areas where they need to put in boxes or solutions which could secure their environments. It's not just about the data, but even looking at the endpoints, be it physical or virtual. That, in itself, makes the use case for putting in a box like ASA. 

And, of course, with the integrations nowadays that we have from a firewall, looking at multiple identity solutions or logging solutions you could integrate with, that in itself becomes a use case of expanding the genres of integrated security.

The best features would obviously be the ones that are most used: the perimeter security, allowing/blocking of traffic, NAT-ing, and routing, or making it easy as compared to a router. If you were to do the similar features on a router, it would be way more extensive and difficult as compared to a firewall. These are the majority of the features that anyone would begin with.

But of course, they expanded to other features like IPS or cyber security or looking at vulnerabilities or scanning, port scans. Those are the advanced things.

[In terms of overall performance] in the last decade or so, especially in the last three or four years, the scale of where the architecture has been—all the numbers, the stats, everything—has gone up exponentially. It's all because of the innovations that are always happening, and not just at the hardware level, but particularly at the software level. Of course, we can always look at the data sheets and talk about the numbers, but all I can say, in my experience, is that the numbers have really gone up, and the speed at which the numbers have gone up in the last couple of years or so, is really progressive. That's really good to see.

We're reaching [the point] where we want it to be. If you go 10 years back, we did miss the bus on bringing in the virtual versus the physical appliance, but now that we have had it, the ASAv, for a few years, I think we are doing the right things at the right place. 

The only improvement that we could make is maybe [regarding] the roadmap, to have better visibility as to what we are targeting ahead in the next few quarters. That is where we, as partners, can also leverage our repos with our customers and making them aware that there might be some major changes that we may have to introduce in their networks in the near future.

I started back in the days with ASA when I was [with] Cisco. I was [with] Cisco for 12 years. I started as a TAC engineer, and one of the teams I was leading was the ASA team, firewall, and across VPN, AAA. it became like a cross-border team or cross-architecture, and it's been long enough. I've been working with ASAs for about 12 or more years now.

From the stability standpoint, it's way better. Is there a scope for improvement? Of course. There always is. But I can just speak from my experience. What it was and what it is today, it is way better.

We look at scalability for any product of Cisco. I cannot be confined to the ASAs. We have physical, virtual, and cloud deployments. Everything is possible, so scalability is no issue.

Support, when you look at any product from Cisco, has been top-notch. I was a TAC guy myself for 10 years and I can vouch for it like anyone would do from TAC.

Support has always been extensive. There is great detail in root cause analysis. Going back into my Cisco TAC experience, it's always the story that if you know the product well, you know the things that you need to collect for TAC or for any other junior SME to work with you collectively, to get down to the solutions sooner. Otherwise, they have to let you know what you need to collect. It's better to know the product, get the right knowledge transfer, work towards those goals, and then, collectively, we can work as a great team.

I have mostly been involved in the pre-sales stage, and then eventually the post-sales as well. But we do the groundwork of making sure that we have set the stage for the customer to get the initial onboarding. And at times, I do it with other engineers or other colleagues who take it over from there. In my experience, it has been pretty straightforward.

It's not just the implementation, but [it's] also managing or maintaining [the ASA]. It would depend on how complex a configuration is, a one-box versus cluster versus clusters at different sites. Depending on the amount of configuration complexity and the amount of nodes that you have, you would need to look at staff from there. It's hard to put a number [on it and] just say you need a couple of guys. It could be different for different use cases and environments.

[In terms of maintenance] it's about a journey: the journey from having the right knowledge transfer, knowing how to configure a product, knowing how to deploy it, and then how to manage it. Now, of course, from the manageability standpoint, there are some basic checks that you have to do, like firmware upgrades, or backup restores, or looking at the sizing—how much your customer needs: a single node versus multiple nodes, physical versus virtual, cloud versus on-prem. But once you are done with that, it also depends on how much the engineers or SMEs know about configuring the product, because if they know about configuring the product, that's when they would know if something has been configured incorrectly. That also comes in [regarding] maintenance [of] or troubleshooting the product. Knowledge transfer is the key, and making sure that you're up to date and you have your basic checks done. Then, [the] manageability is like any other product, it's going to be easy.

The return on investment is not going to be restricted to just the box, because nowadays, if you look at the integrated security that Cisco has been heavily investing into, it's not just about ASA doing the firewalling functions. Now, these genres have been expanded to cyber, to third-party integrations, having integrated logging, having integrated micro and macro segmentations. The scope has been widened, so the ROI, eventually, has multiplied.

Being a partner, we work with customers who already have different vendor solutions as well. At times, there are a mix of small SMB sites, which could be, let's say, a grocery. There are smaller stores and there are bigger stores, and at times, they do local DIAs or local internet breakouts. [That's where] you do see some cloud-based or very small firewalls as well, but when you look at the headquarters or bigger enterprises, that is where we would probably position Cisco.

[My advice] would depend [on] if they are comfortable with a particular product, if they've been working with a particular vendor. If it's a Cisco shop, or if they've been working on Cisco, or the customers are quite comfortable with Cisco, I would say this is the way to go. Unless they have a mixed environment. It will still depend on the SME's expertise, how comfortable they are, and then looking at the use cases and which products would nullify or solve them. That is where we should position it.

My lessons are endless with ASA, but my lessons are mostly toward product knowledge. When you look at the deployment side of things, or for me, personally, when I was TAC, to know how things work internally within ASA—like an A to Z story, and there are 100 gaps between and you need to know those gaps—and then, eventually, you will get to the problem and solve it in minutes rather than hours.

We use it for basic firewalling, building VPN tunnels, and for some remote VPN connections.

We have two ASAs servicing external remote connectivity sessions for about 300 users.

It has definitely improved our organization. It gives us remote connectivity, helps workers connect remotely, and also gives us good connectivity to our other branches.

It would be nice if it had the client to actually access the firewall. Though, web-based access over HTTPS is actually a lot nicer than having to put on a client just to access the device.

For Firepower Threat Defense and ASAs, I would like it if there was a centralized way to manage policies, then sticking with the network functions on the actual devices. That is probably the thing that frustrates me the most. I want a way that you can manage multiple policies at several different locations, all at one site. You then don't have to worry about the connectivity piece, in case you are troubleshooting because connectivity is down.

I have been using ASA for about three years.

It is stable.

We just run updates on them. I don't know if we have had to do any hardware maintenance, which is good.

We have been just using ASAs for a smaller environment.

I don't know if I have ever worked with ASA in a highly scalable environment.

I haven't really gotten involved with the technical support for ASAs.

I work with a lot of different companies and a number of different firewalls. A lot of times it is really about the price point and their specific needs. 

This solution was present when I showed up.

The pricing is pretty standard. 

I wish there was an easier way to license the product in closed environments. I have worked in a number of closed environments, then it is a lot of head scratching. I know that we could put servers in these networks and that would help with the licensing. I have never been in a situation where we connected multiple networks, i.e., having an external network as well as an internal network, as those kinds of solutions are not always the best. I think licensing is always a headache for everyone, and I don't know if there is a simple solution.

We can build GRE tunnels. Whereas, Firepower can't route traffic nor do a bit more traffic engineering within the VPN tunnels. This is what I like about using ASAs over Firepower.

Firepower Threat Defense has a mode where you can manage multiple firewalls through a single device. 

I really like how Palo Alto does a much better job separating the network functions from the firewalling functions.

I would consider if there is a need to centralize all the configurations. If you have many locations and want to centrally manage it, I would use the ASA to connect to a small number of occasions. As that grew, I would look for a solution where I could centrally manage the policies, then have a little more autonomous control over the networking piece of it.

Know specifically what you want out of the firewall. If you are looking for something that will build the GRE tunnel so you can route between different sites, I would go with ASA over Firepower Threat Defense.

I like the ASA. I would probably rate it as eight or nine out of 10, as far as the firewalls that I have worked with.

I use it to protect my DMZ from external attacks.

Last year, we received a lot of linear service attacks in our environment during the Black Friday season. Cisco Firepower blocked every attack.

The Adversity Malware Protection (AMP) feature is the most valuable. 

It is also very easy to use. Every technical user can operate this solution without any difficulty. The dashboard of Cisco Firepower has every tool that a security operator needs. You can find every resource that you need to operate through this dashboard.

Its interface is sometimes is a little bit slow, and it can be improved.

When you need to put your appliance in failover mode, it is a little difficult to do it remotely because you need to turn off the appliance in Cisco mode. 

In terms of new features, it would be good to have AnyConnect VPN with Firepower. I am not sure if it is available at the moment.

I have been using Cisco Firepower for two years.

We use it specifically for DMZ, so we don't need it to scale it up. Because we are using this solution for a specific environment, we don't plan to increase its usage.

We have a few teams who use this solution. We have the information security team for reading the logs and policies. We have administrators, and we also have contractors for the network operation center to analyze some logs and reports. 

We have used their technical support. They are amazing. Cisco's technical support is the best.

We have used Check Point and one more solution. The main difference is in the IPS signatures. Cisco Firepower has precise and most updated IPS signatures.

The initial setup is easy. The deployment took two months because we didn't have Firepower previously, and it took us some time to plan and implement.

We used our reseller and contractor to deploy Cisco Firepower. They were good.

I would recommend this solution. I would rate Cisco Firepower a nine out of ten. 

We primarily use the solution for internet access firewalls.

The solution allows you to be more agile and react faster.

The Sourcefire stuff itself is the most valuable feature. Signature detection, intrusion detection, IDS, and IPS are all very good. AMP is very useful. I like that you can put it onto devices as well.  The aggregated views in FMC that you get when you're a global shop which is centralized, and then offers gateways per region. In Europe, America and APAC, you have all the data coming together in the FMC. That's quite nice.

The FMC could be a little bit faster.

It will be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.

The stability of the solution is very good. We can see that it gets even better with every release.

For us, the scalability is good, because we sized everything right, right from the beginning. If you size it right, it's very good. We don't plan on adding more firewalls, unless we suddenly grow exponentially, which we're not expecting to do at this point.

We only contacted technical support during initial implementation and that was all handled by the consultant. I have a lot of other Cisco related tickets open, so we're used to the process.

I would say, however, that we're also using Meraki, and the Meraki support is way better, in my opinion. 

Cisco support tends to take longer, and I mean really long given the fact that subject matter is sometimes also more complicated, so it really depends. When you compare that directly to Meraki, Meraki answers the same day, and I cannot say that about the legacy Cisco support items. I can understand that the market for the legacy service is so much bigger for Cisco, so I can see why it takes longer.

The initial setup was complex because we had to migrate old ASA firewalls. The ACLs, or rather the policies, are very different now, and way more elaborate, so that that took some tweaking, and some consulting and some time. 

Deployment took two months. We had to make sure that our old ACL base settings from the ASAs were correctly translated and implemented into the new FTD setups.

We used a consultant to assist with implementation.

We've looked at a few options, but we have an internal policy that says, unless noted otherwise, network equipment has to be Cisco based. We had to go with a Cisco product.

We are using the on-premises deployment model.

My advice for those considering the solution is this: if you want to migrate something, plan enough time for testing before you come over to the solution. You should also watch as many webinars as you can about that solution, or get a consultant and do a proper lab set up and go through the whole thing with them. It's is definitely worthwhile, given the complexity of the whole product.

I would rate the solution nine out of ten.

Our primary use case includes basic firewalls, VPNs, NAT, and our connections to customers.

It's used in our data centers to protect the network and customer circuits.

Cisco ASA Firewall has improved our organization by allowing connectivity to the outside world and into different places.

Cybersecurity resilience is very important to our organization. There are always threats from the outside, and the firewall is the first line of defense in protecting the network.

Cisco ASA Firewall is a well-known product. They're always updating it, and you know what they're doing and that it works.

It would be good if Cisco made sure that the solution supports all routing protocols. Sometimes it doesn't.

I've been using it for probably 10 to 15 years.

For the most part, it's stable.

It's a very scalable solution.

The technical support is very good, and I would give them a nine out of ten.

Positive

The pricing and licensing are getting more complicated, and I'd like that to be simpler.

We evaluated some Palo Alto and Juniper solutions, but Cisco ASA Firewall is better in terms of ease of use. You could get certified in it.

To leaders who want to build more resilience within their organization, I would say that the ASA, along with its features, is a good product to have as one of the lines of defense.

The solution does require maintenance. We have four network engineers who
are responsible for upgrading code and firewall rules, and for new implementations.

On a scale from one to ten, I would rate Cisco ASA Firewall a nine. Also, it's a very good product, and it compares well to others.