What is our primary use case?
We were using ASA 5585 without firepower. We were using it just as a stateful firewall. We also had an IPS module on it. So, we were also using it for network segmentation and network address translations for hosting some of the services or giving access to the internet for our end users.
How has it helped my organization?
Initially, it was good. At the time we bought it, usually, IPS was in a different solution, and the firewall was in a different solution. You had to kind of correlate between the events to find the attacks or unwanted behavior in the network, but it had everything in a kind of single platform. So, the integration was great.
Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. Cisco ASA was able to handle a lot of traffic or concurrent connections at that time. We had almost 5 million per week. We didn't have to worry about it not having enough memory and stuff like that. It was a powerful machine.
What is most valuable?
The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java.
High throughput, high concurrent connections, easy site-to-site VPN were also valuable. It also had the capability to do double network translations, which is really useful when you are integrating with other vendors for site-to-site VPN.
What needs improvement?
When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough.
One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.
For how long have I used the solution?
We have been using it for around eight years.
What do I think about the stability of the solution?
Its stability is really great. It is very stable. We didn't have to worry about it. In the IT world, every time you go on holiday, you think that something might break down, but that was not the case with Cisco ASA.
Initially, we had just a single firewall, and then we moved to high availability. Even when it was just one hardware without high availability, we didn't have any problems. Apart from the planned maintenance, we never had any downtime.
What do I think about the scalability of the solution?
We feel we didn't even try to make it scalable. We had 30,000 end users.
How are customer service and support?
We haven't interacted a lot with them because we have our own network department. We were just handling all the problem-solving. So, there were only a couple of cases. Initially, when one of the first devices came, we had some problems with RAM. So, we opened the ticket. It took a bit of time, and then they changed it. I would rate them an eight out of 10.
Which solution did I use previously and why did I switch?
Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. We had some really old D-link firewalls. They were not enterprise-level firewalls.
After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. They didn't provide us with the new license. Therefore, we decided to move to Palo Alto. The procurement process is taking time, and we are waiting for them to arrive.
How was the initial setup?
It was straightforward. Cisco is still leading in the network area. So, there are lots of resources where you can find information. There are community forums and Cisco forums, where you can find answers to any questions. You don't even have to ask. You can just Google, and you will find the solution. Apart from that, Cisco provides a lot of certification that helps our main engineers in learning how to use it. So, the availability of their resources was great, and we just followed their best-case scenarios. We could easily configure it.
The deployment took around two or three weeks because we had different firewalls. We had a couple of them, and we migrated all to Cisco. We also had around 30,000 rules. So, the data input part took a lot of time, but the initial installation and the initial configuration were done in a matter of days.
It took us one week to set up the management plane. It had different ports for management and for the data. After finishing with the management part, we slowly moved segments to Cisco. We consolidated the rules from other firewalls for one zone. After Cisco verified that it was okay, we then moved on to the next segment.
What about the implementation team?
We did it ourselves. We had about five network admins for deployment and maintenance.
What was our ROI?
We definitely got a return on investment with Cisco ASA. We have been using it for eight years, which is a long time for IT. We only had one capital expenditure. Apart from that, there were no other costs or unexpected failures. It supported us for a long time.
What's my experience with pricing, setup cost, and licensing?
When we bought it, it was really expensive. I'm not aware of the current pricing.
We had problems with licensing. After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. So, they didn't provide us with the new license.
Which other solutions did I evaluate?
I am not sure about it because back then, I was just an engineer. I didn't have decision-making authority, so I wasn't involved with it.
We recently have done pilots with Check Point and FortiGate for a couple of months. They were next-generation firewalls. So, they had much more capability than ASA, but because of being a pilot, we didn't get full-scale throughput like big enterprise-level firewalls. The throughput was not enough, and their memory cache was always filling up. They were smaller models, but both of them had the features that ASA was lacking. Traffic shaping in ASA is not as good, but these two had good traffic shaping.
What other advice do I have?
I wouldn't recommend this solution because it is already considered to be a legacy firewall.
I would rate Cisco ASA Firewall a strong eight out of 10. It is powerful, but it lacks some of the capabilities.
Disclosure: I am a real user, and this review is based on my own experience and opinions.