Cisco Secure Firewall Reviews

The primary use of Cisco ASA (Adaptive Security Appliances) for us it to protect from external threats to our network as a firewall and VPN solution.

Cisco ASA serves a purpose more than it improves us. It is good at what it does. We are using other vendors and splitting the traffic to different devices based on what they do best. Even though we use other products the trend at our company is that we will increase the traffic through Cisco ASA.

It's difficult to say what features are most valuable because ASA is not a cutting-edge device. It's rather more stable and proven than modern. It's difficult to suggest adding features because with new features we are adding something new, and that means it could be less stable and. New features are not the reason we use the solution — it is almost the opposite. The most valuable part of the solution is dependability.

It's already a mature and stable product. I prefer to not to use the newest software — even if Cisco suggests using the newest — because this is a critical security device.

My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. 

They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA.

Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers' thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA.

I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough. 

It is a stable solution. It is predictable when using different protocol and mechanics.

We've used several models of the product, from the smallest to the biggest. I think that this family of the ASAs is scalable enough for everything up to an enterprise environment. I think the family of products is able to handle small and large company needs.

Cisco is a well-known vendor and its support is good. In my previous company, we sometimes used a vendor rather than direct Cisco support, but sometimes we used Cisco. For ASA in my current company, we have additional support from the local vendor. If we have a problem we can also initiate a ticket directly on the Cisco support site.

About one-and-a-half years ago we implemented a different solution to handle certain situations like BGP. But when we upgraded our Cisco devices just few months ago, we could have BGP on ASA. Now our devices from Cisco have enhanced capability, not just something new and maybe less dependable. Implementing BGP on ASA was a late addition. It had been tested, the bugs were worked out and engineers wanted the solution. The stability of ASA as an older solution is what is important.

I think it is not the simplest solution to set up because it is sophisticated equipment. For engineers to work with vendors and incorporate totally different solutions, it could be difficult. It is also different from the other Cisco devices like Cisco Router IOS. It differs in a strange way, I would say, because the syntax or CRI differs. If you are used to other OSs, it is not easy to switch to ASA because you have to learn the syntax differences. 

It's common for there to be differences in syntax between vendors. But, I would say that this is more complex. The learning curve for start-up and configuration of ASA is at mid-level when it comes to the difficulty of implementation.

I did the implementation myself. ASA is not the newest solution for Cisco or the newest equipment. You can use the vendor and ask for help if you need it during the installation and for support. Because it was an older solution, it was already somewhat familiar to me.

My current company has been using ASA for quite a long time, so I was not involved in the choices.

I have been participating in choosing a new vendor and new equipment for some specific purposes as we go forward. For a next-generation firewall, Cisco's product — a combination of ASA and Firepower — is not the best solution. We are choosing a different vendor and going with Palo Alto for next-generation solutions because we feel it is better.

I think I can rate this product as an eight out of ten. A strong eight. The newest version of software and solutions often have bugs and functional problems because they have not been rigorously tested in a production environment. It is not the modern, next-generation firewall, but it solidly serves simple purposes. For simple purposes, it's the best in my opinion. I am used to its CRI (Container Runtime Interface) and its environment, so for me, familiarity and stability are the most important advantages.

Primarily, we are just using it as a firewall, mostly to protect our internal SQL network (our primary network). At the moment, we are not using Cisco Firepower for our services. We just use it as a firewall.

We have multiple secure internal networks linked with our plants. We are from a oil company, so we have multiple plant areas which need to have restricted network access. Therefore, we are using it for restricting access to the plant area, where they cannot directly connect onto the Internet.

It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement.

Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems.

It should have multiple features available in single product, e.g., URL filtering and a replication firewall.

It is very stable. We have routers entirely from Cisco, which are still working after ten years of deployment. I would rate the stability as a nine out of ten.

We have two people maintaining it. It does not require intensive work. We have an expert in switching technology, and another person who is knowledgeable in routing and network security.

The scalability is good.

The technical support of Cisco is very good. Nowadays, you can get anything over the Internet. They provide help over the Internet. There is a very full forum, which is manually supported.

The initial setup was completely straightforward. 

However, we have to rely on Cisco ASDM to access the firewall interface. This needs improvement. Because we have a web-based interface, and it is a lot more user-friendly.

Deployment takes two or three days. We are continuously deploying the solution to our plants over time.

We do the deployment in-house.

ROI is part of the infrastructure costs. The product has saved us a lot of time, and once we deployed the solution, it worked.

The cost is a big factor for us. This is why we are using it only in our restricted area. They are very much higher than their competitors in the market.

I would rate the cost as a six or seven out of ten.

Nine or ten years ago, there were few options at the time.

Currently, we are using Barracuda for our more general Internet access. We use Cisco for our more protected environment.

I would recommend the product, but cost is a big factor. Some companies cannot afford expensive products, like Cisco and Palo Alto.

It helps the firewall in our network and the VPN (Virtual Private Network). It creates a secure tunnel for our network.

The IPS (In-plane switching) is the most valuable feature. This enables visibility to our networks and to outside attacks. It is a solution to maintain the visibility.

At times the product is sluggish and slow.  Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is. 

It is a very stable solution. 

It is a scalable product. We have a lot of demand.  But, it supports any additional network that we add. It expands easily. 

Normally the Cisco tech support team are good. But, we have had some problems with tech support with this product. Some of the tech support team are really not familiar with how the IPS works. And, there is some disconnect between the tech support. Maybe they're not trained well. They're helpful, but not knowledgeable.

We mainly use it in the data center. We are obliged to use a firewall. It's a necessity.

It has helped in securing our infrastructure from end to end so that we can detect and remediate threats. There is another office in my company that does threat detection, but it has been helpful.

It hasn't freed up any time. We still have to manage the firewall. It's something we have to do.

All the features except IPS are valuable. IPS is not a part of my job.

It's already pretty good. In terms of functionality, there isn't much to improve. There could be more bandwidth and better interface speed.

I've been using Cisco firewalls for 20 years.

Its stability is very good.

It's better to have a higher speed. I'd rate it an eight out of ten in terms of scalability.

We have multiple locations and multiple departments. We are a big company, and we have a lot of remote sites. We have about 6,000 of them.

They are very good. From time to time, Cisco employees come to us and provide information about the latest features and new products. I'd rate them a ten out of ten.

Positive

We have other firewalls, and it hasn't helped to consolidate other solutions. We have to use the Cisco firewall and other vendors because of internal law. We have to use two firewalls, one from vendor A and the other one from vendor B.

We went for Cisco because it's affordable. It's something you can trust. It's something you know. It's a valued product. 

I've been involved in configuring it and assessing and ensuring that the configuration is up to date and there are no bugs, etc.

Its initial setup is not at all complex. I've been working with Cisco firewalls for 20 years, so I know them very well. It's not complicated for me.

We have all deployment models. We have on-premises and cloud deployments. We have everything. I belong to a big organization.

We had a consultant for integrating the product. Our experience with the consultant was good.

The number of people required for deployment varies, but one person can deploy the solution. It's quite easy to implement. It doesn't require a lot of staff.

It requires normal maintenance.

It's affordable.

Try it. You will be happy. 

I'd rate Cisco Secure Firewall a ten out of ten.

Our primary use case for this solution is to use it as a firewall. This product secures the internet from internal and public users.

Cisco Secure Firewall helped add to my organization's value. It is a selling product for us here. They have great support and documentation, which makes the solution easy to sell to customers. The Cisco name has a lot of value and high brand awareness.

We are selected partners now but are looking to grow to become a primary partner for Egypt. 

Cisco Secure Firewall definitely saved us time. However, security is never 100% with any product, even Cisco. So, you will have to spend some time securing your IT regardless of which solution you use.

I would say that it helped my company cut time by 50%.

The solution cautions us against threats via email notifications and internally in the web interface of the product itself on the dashboard.

What I found the most valuable about Cisco Secure Firewall is that if a client is educated about the solution, it can help him or her avoid many problems and mistakes. 

I think Cisco would benefit from comparing its solutions to other products. There is a lot to learn from solutions like Palo Alto or FortiGate. These are top security products. For example, Palo Alto has better inspection visibility than Cisco. When we ask customers about Palo Alto, they say "I like Palo Alto. It helps me see problems on time. I can audit everything through it." Cisco could improve in this regard. Cisco's inspection visibility could be better. 

I have been using this solution for a long time; since the PIX version in 2003. This adds up to almost 20 years now. I have had a plethora of experiences with this solution as both just an employee using it and also as the owner of a company. We also have a range of customers using the solution. 

We did not use any other solutions. Our strategy from the beginning has been to grow with Cisco. However, our customers have the final say in which solutions they choose and sometimes that's not Cisco. That has much to do with their previous beliefs and brand loyalty and trust. The customer's opinion matters and if the customer is loyal to Palo Alto, we are going to have a hard time getting them to make the switch. 

I am not involved in the deployment of the product. I have a sub that deploys Cisco Secure Firewall. I'm involved in guiding the deployment on the management side and making sure it's done in line with the customer's wishes. 

I did evaluate other options but ultimately went with Cisco because of the support they offer. You can reach their tech support engineers at any time. That's important. Their documentation is great as well. Their site is wonderful. 

I rate the solution a seven out of ten.

Cisco Secure Firewall should be consolidated with routers, switches, or VOIP.

We use it for VPN access for our two-factor authentication. We were looking to get access through AnyConnect, to gain access to devices behind boundaries and firewalls.

It has improved things greatly by giving us easier and better access, easier configuration, and allowing users to gain the access they need. We have also had less downtime using these firewalls.

AnyConnect has been very helpful, along with the ability to use LDAP for authentication. It's very robust and we are able to do many different things that we were looking to do.

The ASAs are being replaced with the new Firepowers and they have a different type of structure in the configuration to be able to migrate from one to the other.

I have been using Cisco ASA Firewalls for 20 years.

The stability is very good. It has been a very stable environment. Since the new AnyConnect came out, it's been very easy to use and very much self-sufficient.

You can vary scalability from very few users to thousands of users.

Technical support has been very helpful at times, helping us to know what bugs and what things are getting fixed in the next releases.

Positive

As an architecture team, we had a pretty good idea of what we wanted to do and how we wanted to do it, so it was pretty straightforward and easy. We have each one across many different avenues and many different boundaries, so each one took about a day to deploy.

We needed two to three people to deploy them and another one to go over some things to make sure everything was good to go.

There is routine maintenance, keeping it up to date and making sure the licensing versions are all good to go. We have a four-man team for maintenance and they work a regular shift of eight hours.

We used a reseller, FedData. Our experience with them was good.

It took us about six months to see benefits from our ASA Firewalls. We've seen return on our investment in terms of the timeframe of downtime, and the ability to get users connected faster and more easily has been a big benefit.

The pricing of the products isn't terrible. They're not too expensive. They're a little more expensive than other products, but you are getting the name, the company, and the support.

It's also nice that you can buy different avenues of licensing, depending on how you want to go about using them.

We buy a support license to get support if we have any issues or problems or need help on how we want to implement things.

We evaluated other options, but that was a long time ago. We went with Cisco because it is so robust as well as because they have been able to integrate their solutions into many different architectures. That makes their products easier to use.

Each use case is different and things depend upon your cost analysis and how much you need. We have these firewalls in different avenues over about 30 different sites.

The biggest lesson from using the solution is being agile which has included learning to understand how to use the ASDM and figuring out how to configure everything—the little nuances—and what can and can't be done on the CLI.

These firewalls, along with the upcoming Firepower that they're being replaced by, are going to be very good assets for two-factor authentication and VPN access.

It has been great for blocking incoming bad actors. The new Firepower modules have been a welcome additive to that.

Cybersecurity resilience has helped us be able to react and respond in a quick fashion to anything that may be happening or any anomalies within the environment.

The solution has provided us a sense of security, reliability, and trustworthiness.

The most valuable feature would be the IP blocking. It gets rid of things that you don't need in your environment.

Its resilience helps offer being able to react and self-heal.

The solution is overcomplicated in some senses. Simplifying it would be an improvement.

I have used the ASA solutions for a better part of 10 years.

The stability is unparalleled.

All solutions require maintenance, and we do that routinely. Anywhere from three to four people from the network teams to application owners are involved in the maintenance. This is a firewall in production, so we need to do maintenances after hours, but it would be nice if we didn't need to do it after hours

Scalability is unparalleled. It is easy to scale.

We don't have plans to increase our usage at this time.

In previous years, Cisco's tech support has been great. Although, I have seen it declining. I would rate their support as seven out of 10.

Neutral

We have used the Check Point firewalls as well as several different vendors.

It secures the network. The ROI is really incalculable at this point as keeping our data secure is keeping the company's assets secure.

We did evaluate other vendors.

You need to be always looking ahead and proactively developing to build resilience.

I would rate the solution as eight out of 10. It is a world-class firewall.

They were placed in a company on the perimeter near the ISP. There were two clusters. One cluster was at the front, and one cluster was near the data center to filter the traffic from the users to the data center and from the data center to the users and outside.

Our clients were completely satisfied with this firewall in terms of protection from attacks, filtering of the traffic that they wanted, being able to see inside the zip files, etc.

I have experience with URL filtering, and it is very good for URL filtering. You can filter URLs based on the categories, and it does a good job. It can also do deep packet inspection.

Its IPS engine also works very fine. I don't have much experience with it because I am an IT integrator, and we only configured it, but the company for which we configured these firewalls used this feature, and they say that IPS works very fine. They were also very pleased with its reporting. They said that its reporting is better than other firewalls they have had.

When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance.

In terms of tracking users, the Palo Alto Networks firewall is better than Cisco Firepower.

It is very stable because it is based on the Cisco ASA Firewall hardware, which is an old-generation firewall. I have had Cisco ASA Firewall for more than 10 years, and they have been working fine till now. So, Cisco Firepower NGFW Firewall's performance and stability are the best. I have never seen any issues or heard from anyone that it is bad.

Its scalability is very good. It was a small implementation. Traffic was maximum of 150 megabits per second. 

I haven't worked with Cisco support.

I have had experience with the Fortinet FortiGate firewall. It is very easy, and it does its job very well. Both Firepower and FortiGate do their job very well, but I like the Palo Alto Networks firewall the most. I have not experienced it in a real environment. I have placed it in my lab. It is a very complex firewall, and you need to know how to configure it, but it is the best firewall that I have seen in my life.

As compare to the Palo Alto Networks firewall, both Firepower and FortiGate are simpler. You can just learn which button to use and how to write rules, policies, etc. In Palo Alto, you can not guess this. You should know where each button is, how it works, and what it does. If you don't know, you cannot get the performance you want from Palo Alto. So, Firepower and FortiGate are easier to learn.

Firepower is very good for a small implementation. If you are doing a Cisco setup, you can place kind of 16 devices in one cluster. When it comes to the real environment, you need to have maybe three devices in one cluster. If two of them are in one data center and the third one is in another data center, the third firewall does not work very well when it comes to traffic flow because of the MAC address. When you want to implement Firepower in small infrastructures, it is very good, but in big infrastructures, you would have some problems with it. So, I won't use it in a large environment with five gigabits per second traffic. I will use the Palo Alto firewall for a large environment.

It is straightforward. For me, it is very simple. The menu is quite impressive. Everything that you want to do can be done from the web user interface. You don't need to access the CLI if you don't like it. It is very easy to make rules with its web user interface.

Its deployment took two days. In terms of the implementation strategy, the first cluster was in the data center, and its main job was to filter user traffic going to the data center. The second cluster was on the edge. Its main job was to mitigate attacks on the inside network and to capture the traffic that could have viruses, malicious activities, etc.

I deployed it myself, and it took me two days to deploy two clusters of Cisco Firepower NGFW Firewall. 

I think our client did get an ROI. They are very satisfied with what they can do with these firewalls. It fits all of their needs.

Its price is in the middle range. Both Firepower and FortiGate are not cheap. Palo Alto and Check Point are the cheapest ones.

I don't remember any costs in addition to the standard licensing fees.

Our client didn't implement dynamic policies for dynamic environments because they were a small company, and they didn't need that kind of segmentation. I am not sure if it reduced their firewall operational costs because they were a small company, and the traffic was not so high.

I would rate Cisco Firepower NGFW Firewall an eight out of 10.