Cisco Secure Firewall Reviews

We use it for content management and filtering. We wanted to separate DMZ traffic from normal customer traffic. We were also looking to set up portals for outside interests that needed to come in. We have our firewall set up for VPN and, with COVID breaking out, that became more important. We also use it for remote access control.

It improved our security. It keeps the outsiders on the outside and enables us to monitor the content that's going out from within the organization.

The ASDM (Adaptive Security Device Manager) which is the graphical user interface, works out, and Cisco keeps it current.

Cisco still has a lot of work to do. You can convert an ASA over to a Firepower, but the competitors, like Palo Alto and Juniper, are coming in. And believe it or not, they are a little bit more intuitive. Cisco has a little bit more work to do. They're playing catch up.

There is also content filtering. The bad actors are so smart nowadays, that they can masquerade as the data for a given port, and they can actually transfer data through that port. The only thing that the older firewalls know about is the port. They can't read the data going across it. That's where content filtering comes in, like Palo Alto has, with next-generation firewalls.

I have been using Cisco ASA Firewalls from the beginning, when they moved over from the PIX.

They're pretty reliable. Even from a hardware perspective, we haven't lost any power supplies or the like. An ASA works until we remove it. The maintenance is very minimal. 

It's very scalable. Every organization sets it up differently, but we've been able to perform upgrades with minimal service disruption. We have ASAs in multiple locations.

Being a government-supported organization, the technical support is great. They send us equipment. It's top-notch.

Positive

Cisco has been a leader in firewalls, and the US government primarily chooses Cisco first, before it chooses competitors.

We have a variety of providers from Juniper to Palo Alto, et cetera. But the Cisco GUI is pretty consistent, so most individuals catch on. But when it comes to the Firepower, we're going to need some more training on that, as we're upgrading and moving to the Firepower.

I like the ASA product, maybe because I'm an old guy, more so than the transition to the Firepower. The ASAs have worked ever since the PIX days and they work very reliably. Even with the upgrades, your rules don't change. That's true even with a major OS upgrade.

Things are changing and the ASAs are becoming dated. People want content filtering and so on now.

We use it for the actual firewall and also site-to-site VPN.

Our company is always growing. Every day's a new day and there is always something new to learn. We are a mature organization, but we can never sit still. We have two company locations and we use Cisco Firepower as our main firewall at both locations.

Overall, for security, we use about seven tools.

Within our company, there are just two people that maintain this solution. Myself and the IT manager. I'm the network administrator.

We were the subject of a ransomware attack a little over a year ago. Due to our console, we're able to easily see where the threat came from, all the while being able to shut down the network but maintain our network on the other side — or the other side of the site-to-site VPN. Then we could fix what we needed to be fixed here, and then subsequently correct the issues on the other side.

The manageability through the FMC is superb. I have a single dashboard that I can manage my firewalls from. I can see and manage all of my objects and control all my policies. I can look at all my logs and control my whole network from one dashboard.

FirePOWER does a good job when it comes to providing us with visibility into threats, but I would like to see a more proactive stance to it. Maybe more of an IDS approach. I don't know a better way to say it, but more of a heavier proactive approach rather than a reactive one.

I have been using Cisco Firepower NGFW Firewall for two years.

I have had little to no issues except with the first version that we had. There was a known issue with Cisco in the first version. When I went to do a restore, there was a known issue with something with the Linux kernel. It took us about two weeks to get the restore working. It was a scary moment for us, but we worked through it, and ever since we've had no issues, stability-wise.

I have contacted support multiple times and I have no problems with them. I think they do the best with what they have — especially with the pandemic this year. I think they've done everything they can do with what they have. They don't stop. They don't give up until the issue is resolved. They're really good with following-up too, making sure that the issue hasn't come back.

We have another product that monitors all traffic. It just sits back and idols in the background — It integrates, but it doesn't if you know what I mean. It's a separate dashboard, but it alerts us. We can control the security — level zero through one hundred. If a threat registers above 54% (we have the limit set at 51) it alerts us. If it's a specific threat, it can shut down services, ports, machines, authentication, and so on and so forth.

We also use AMP, Umbrella, SecureX, and Duo. They're pretty easy to integrate. I wouldn't say beginner level, but if you have a working knowledge of networks and security, you can easily get them integrated. Also, if you need help, Cisco's always there to assist.

We use Firepower Management Center — it's a wonderful tool. It has an awesome all-in-one pane of glass dashboard so you can manage multiple devices from one dashboard. It's also very easy to set up.

We used to use SonicWall. Cisco was purchased right before I came on board, but from my knowledge, we had issues with the licensing of SonicWall. We are a Cisco shop. Both my manager and I prefer Cisco over other vendors. We have more experience with Cisco and their customer support and the products themselves are just better in our experience.

The deployment was with all new networks, so the architecture was with a peer. We first sat down and discussed or laid out our network and what it would look like through IP schemes and everything else in that sense. We then figured out how many users we would have and decide what size of hardware we would need. We decided on what type of VPN connection and what certificates we would need. After that, once we were able to secure those tunnels and get communication going between our two locations, we then started tightening down our two networks as we have multiple networks within each location.

We had to decide what all needed to communicate with one another. Not every network needed to touch the outside world.

From start to finish, including production rollout for other areas, deployment took roughly one month. We did it all in-house.

Some maintenance is required involving security patches. Cisco is really good at deploying those or not deploying those, but putting those out and having release notes and upgrade paths and just the information behind all of their patches. Cisco does a really good job with that.

With any solution from anybody, I always think that licensing is a little high — but it's comparable to other companies. It definitely competes with the other vendors in the market.

If configured, Firepower provides us with application visibility and control.

The ability to futureproof our security strategy is definitely there. There are a lot of functions that we don't yet use. When I say we don't use a function, I mean that the functionality or the ability is not turned on yet simply because we have not gotten around to it. The ability is there, the capability is there. That also goes into the reasoning behind why we chose it.

Do your research, know your skillset, be comfortable with your skillset, and don't be afraid to challenge yourself.

Overall, on a scale from one to ten, I would give this solution a rating of eight.

We use the platform to provide secure perimeter internet access for customers and also to provide secure networks or secure SANs for customers. We have a global partnership with Cisco and I'm a re-sales and security manager of IT services.

The top features for me are the filtering, the intrusion prevention system, and the AMP on small operations. 

To configure the FirePower it is required an external console. It would be nice to have the console embedded in the Firewall so you don't require an extra device. I'd like to see some kind of SD-WAN included as a feature. 

I've been using this solution for six years. 

The solution is very stable and we feel very secure with it. 

The scalability is no problem. 

The technical support is excellent. 

The initial setup is quite straightforward. I think someone who knows the iOS platform and knows about firewalls can setup the device. If you don't have experience, it will be somewhat complicated. If you know the platform, implementation is very quick. We've installed over 1,000 firewalls for different customers.

This is a very stable platform, and you can adjust the engine for malware protection. It is one of the best and a very reliable solution.

I would rate this solution a 10 out of 10. 

Our company sells Cisco Firewalls and the ASA is one of the products that we implement for our clients. The primary use cases are internet access, AnyConnect, and VPN.

The most valuable features are the provision of internet access, AnyConnect, and VPN capabilities. Because I primarily deal with the VPN functionality, I don't get very deep into the IPS or other capabilities.

I have worked with the new FTD models and they have more features than the ASA line.

We have been dealing with Cisco ASA since about 2002.

I am very happy with its stability and the product in general.

In our organization, we only have one in our data center that all of our people pass through. However, I've got clients that have thousands running through large Cisco firewalls.

Cisco's technical support has always been excellent. They have great support.

I have dealt with four or five others, but so far, I have the most experience with Cisco.

Recently, I worked with the new FTD 1000 or 1100 series, and they do a lot.

The complexity of the initial setup depends on the environment. Sometimes, it's brand new whereas other times, I install a replacement for an existing Cisco device or some other product.

I am in charge of installing and configuring our Cisco Firewall solutions.

I would rate this solution a ten out of ten.

The primary use case for this solution is on the client side. PCS stands for
Perfect Computer Systems. We are an integration company, we specialize in solution integration, bringing together component subsystems into a whole and ensuring that those subsystems function together.

Cisco ASA NGFW has improved our organization by providing more internet protection. Also, for the end user, it provides easy access from outside for users accessing the site.

The feature that I found the most valuable is the overall stability of the product. 

The two areas that need improvement are the URL filtering and content filtering features.

These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.  

My impression of the stability of this solution is that it's great, excellent! 

As far as scalability, I haven't had any performance issues so far. There really isn't high utilization coming from the operations environment, so I don't need to upgrade the tier at the moment.

I don't have much experience with technical support since contacting tech support incurs additional costs. I have been relying on my technical knowledge and experience so far.

The initial setup was straightforward, though I find as we proceed we need an extra feature or two to enable all the functionalities and protection of the tool. It's an ongoing process. We have to be quick and agile to provide client support.

We implemented through an in-house team. 

The stability is the greatest ROI for this solution. 

My advice, since I have to pay for licensing each feature that I need to enable, like URL filtering, is to look at a pfSense. That is what we are doing because you have to pay for greater protection, a total solution can be very costly. We are looking at a pfSense, to bring down the total cost. The correct price point, in comparison to other platforms, is the main factor here.

During our initial decision-making process, we evaluated other options but the distinctions between all the options were quite minimal.

I am satisfied with the current facility and the management environment of the Cisco ASA, it's great for me.

I think that the cost would be the main factor when evaluating solutions since some of the companies or some of our clients ask about costs upfront. Once the client has made their initial request and inquired about any subsequent subsystem connectivity integration ideas, they always want to know how much everything will cost. The deciding factor is mainly based on the price point of the total user solution.

Overall, the criteria that we consider when constructing an integration decision depends largely on the client company we are working with. We evaluate clients based according to their size, industry function, and the total budget that would be recommended for an effective solution.

I would give this product a rating of 9 out of 10!

It's our firewall for our AWS VPC on the internal side that connects our VPC to headquarters.

I have been using the product for two years, but it has been installed in my company for four years.

Even on a smaller scale, people are finding you need HA pairs, and there's no way that the ASA can do that, at least in the virtual version. We needed the ability to failover to one of the others to do maintenance, and this is a glaring issue. However, it is one of their cheaper products, so its understandable. It is just that we would hope by now, because it has been in use in a lot of different environments, for even moderately sized companies, the ability to have HA pairs would be extremely useful.

It has been relatively stable, in the sense that it stays up. It doesn't die on us.

Scalability has been a pain point for us. 

It's great for what it does. Just make sure you know whatever environment you are using it in is not going to have to scale. Just use it for sandbox. As long as they stay competitive, use the ASA, but make sure you have a plan to grow out of it.

We have definitely made some calls to Cisco regarding issues. While it is time consuming, they are thorough. Sometimes depending on the urgency, if there is a real P1 problem going on, it would be more helpful to go straight to the chase than to have to go through troubleshooting steps that are mandated. A lot of times, it is understandable why they're there, but I wish they had a different, expedited process, especially when they're dealing with our senior network engineer who has already ruled out some things. Cisco tends to make you go through the steps, which is part of any normal troubleshooting. However, when you're dealing with an outage, it can be very frustrating.

The integration and configuration were pretty straightforward.

We purchased the product through the AWS Marketplace. While I wasn't part of the buying process for Cisco ASA, I have used it to purchase AMIs.

The AWS Marketplace been great, but it could be a bit more user-friendly from an aesthetic perspective. It is fully functional and easy to figure out once you are in it. However, the layout of the AMIs has a lot missing, e.g., you have to side click to find the area for community AMIs. It would be awesome if AWS Marketplace would put up a wider range of AMIs.

With the Cisco ASA, you do get what you pay for. What would really be awesome is to see Cisco blow out a real cheap version where you can use the sandbox, but leave it step-wise and go to another product relatively easily, like getting you hooked on candy. The problem is that we already paid for the ASAs, and we grew quickly. Now, we have found ourselves in a situation where we have to wait for next year's budget and everyone is using it. We've gone from a sandbox model to full production. If Cisco was a bit more on the ball with this type of thing, such as pay a smaller lump sum, then scale as a pay by use or have an option to switch models. This would be good because then we could actually leverage this type of model.

Right now, we want to go to the rocket stuff, and our people who make the decisions financially will just have a heart attack. They will choke on it. However, if we can roll it into our AWS bill, and slowly creep it in, it is usually more palatable. As crazy as that sounds, even if its more expensive to do it this way.

Our network guy looked at alternatives and settled on Cisco ASA. It was the cheapest available option, virtualized, and he was familiar with Cisco, like many people are because it's a great company. It made the most sense at the time, because our VPC was a sandbox at first. Now, it has grown, which is where the pain point is: the scalability of the ASA. We have sort of wedged ourselves into a corner.

We are now looking into Cisco Meraki, the CSR stuff, and the SD-WAN technology.

The ASA 55-x range is a solid and reliable firewall. It secures the traffic for normal purposes.

If you ask how a firewall can improve our business: It can’t. It is securing our business IT network.

But if you want to know what the ASA5520 can do to secure our network:
Not much more than any firewall. It is a solid port firewall, nothing more, nothing less.

The Cisco ASDM management tool was helpful.

Firewalls, in general, were not really designed for normal IT personnel, but for firewall and network experts. Therefore, they missed a lot of options and did not provide any good reporting or improvement options.

For example, to update or add a feature, you end up buying new support and licenses. The process is complex and changes so rapidly that you won't find a salesperson who will offer you the right products.

New generation firewalls are cloud managed or provide a good interface. They integrate into the environment. They are application aware and come with security features that are especially designed for the purpose.

There were no stability issues.

You need to buy a new product if you want to scale. I once tried to put in another network card and ended up in a support nightmare. I had to buy more support, licenses, and it was more expensive than buying a new one.

Customer Service:

Customer service is non-existent. You need to go through a very complex and annoying approval system before you can get any help. The support then gets asked a question and you get one word answers. It takes you hours to find out what version of an update you need to install, and then another day to find out how to install it.

Technical Support:

I would give technical support a rating of zero out of 10. It is clear that Cisco is not for the end-customer, but rather for resellers and providers. They might have better contracts and get more technical support.

I usually have to take what is there. If I had a choice, I would now take something newer.

You can start very easy and set up the network cards, but it also has many traps to find out the right setting for your environment.

For example, you need fixed network settings on your switch to connect with full duplex 100Mb/s. There is no autonegotiation nor other settings. This is the same problem with the WAN connection. You need to know exactly what to configure to match the WAN, or it will not work.

I once had support from a reseller and once from a provider. Both depended on the level of the person you speak with. Most have some knowledge.

Once installed, they last a long time. I would recommend replacing them after some years to get better security features.

If you look for user internet access, many new products can help with filtering and rules or procedures, like Meraki. This replaces the purpose of proxy servers.

If you have to secure web servers from the internet, you need a decent firewall with web features to process the requests and redirect traffic to web servers.

Cisco is no longer the only vendor offering these features. With Microsoft TMG out of the race, others have to push in. But firewalls are also no longer the first frontier of security. Cloud services are in there as well.

I had no choice.

Get someone to help you plan and set up the firewall concept, as well as the initial setup and testing. Waiting for later is not the time to test or change anything without an outage.

The Cisco Secure Firewall is placed between the separate VLANs. It's a common and effective method of protecting VLANs against internal risks such as Checkpoints and external parameters.

It certainly saves time. You can detect anything if you have nothing. This is why, in the end, it saves time.

Collaboration with other Cisco products such as ISE and others is the most valuable feature.

it is difficult to say what it needs in terms of what needs to be improved. I don't work with it on a daily basis.

I haven't heard anything negative about it.

While this applies to all vendors, pricing can be always lower. In my opinion, Cisco is the most expensive. 

The pricing can be reduced.

Our organization has been working with Cisco Secure Firewall for three to five years.

There are no complaints about performance or stability.

There are no issues with the scalability. It works fine.

It is simple to upgrade.

We only need one person to maintain the product.

My colleague has experience with technical support. I'm not sure if it was with Cisco's technical support directly or through Conscia in between.

This was the first solution we were using.

We are primarily Cisco housed, and I believe that practically everything is Cisco. 

It might be part of the contract for a small fee. I don't think there's any particular reason.

I am familiar with CheckPoint, as well as Microsoft ISA.

We have an implementation partner.

It's a hands-on job with a colleague of mine.

I don't know if it is particularly easy or not.

There was also some learning involved, such as knowing the traffic. This took some time. It took six months to deploy.

With the implementation partner, everything was written out. It was the best-case scenario for us.

We did not use the Cisco Firewall Migration tool.

Conscia assisted us with implementation.

They are one of the best in the Netherlands.

I am not aware of the pricing. 

It's an all-in-one contract.

I would rate Cisco Secure Firewall an eight out of ten.