Cisco Secure Firewall Reviews

We are a payment switch and we deal with cardholder data and information. Our primary goal is to ensure the security of customers' payment data, that they are protected.

Our security maturity is now at a good level compared to the past. To be accepted to drive Visa and Mastercard, you have to pass security assessment audits and we have managed to pass all of them now, for some years.

Apart from our firewall, we have three security tools. We have a NAC, we have a SIEM, and our syslogs.

It's easy now because we have many Cisco devices in a central point. We don't need to log in to each device and apply rules to them. We can do it from the management control and apply them to the specific firewalls that we want to apply them to.

In addition, compared to our previous firewall solution, the security is much better. Through our monitoring, we now see all the information that we require on security, in terms of PCI. We can see exactly what is happening in our environment. We know what is going, what is going in and out. If an incident happens, it provides a notification so that we can do an analysis.

Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches.

Another important feature for us is user access. Now, we can base access on rules and specify that this or that user has privilege on the NG firewall. That was not available before. 

The IDS also makes it easy to detect abnormal traffic. When it sees such traffic in the environment, it sends a notification.

We have been using Cisco Firepower NGFW Firewall for about two months.

The solution is stable. It's not hanging. With the firewalls from Cisco we are not facing a situation where devices are hanging because of too much traffic.

The scalability is fine.

We're getting support but there's a big delay until we get a response from their technical team. They're in the USA and we're in Africa, so that's the difficulty. When they're in the office, they respond.

We migrated from Cisco AC520 to the Cisco NGFW. We have also used HPE and IBM switches, as well as FortiGate firewalls. We are now completely Cisco.

Previously, we were also using AlienVault and it was easy to integrate with Cisco devices.

The initial setup is 50/50, between straightforward and complex. Migrating from Cisco to another Cisco product is okay, but migrating to Cisco from other network devices, like an IBM switch, is a bit tricky. You can't test the configuration to see if it's the same as what you're going to. But we managed with support from Cisco.

It took a month to complete the deployment.

Our implementation strategy was based on not upgrading everything at the same time. It was phased. We deployed a specific device and then we monitored everything to make sure everything looked okay, and then we moved on to the next one.

It requires a minimum of two people for deployment and maintenance, from our network and security teams.

We used internal resources with support from Cisco.

We have gotten exactly what we're looking for, based on the company's requirements.

The pricing is high.

Cisco NGFW's ability to provide visibility into threats is good compared to other solutions. The visibility is quite impressive and gives us what we're looking for, based on our security requirements.

The scalability, the performance of the devices, the features, and the support, when looking at them combined, make the product a nine out 10.

We're planning the deployment of Cisco ISE soon, to be like our NAC.

We were using ASA 5585 without firepower. We were using it just as a stateful firewall. We also had an IPS module on it. So, we were also using it for network segmentation and network address translations for hosting some of the services or giving access to the internet for our end users.

Initially, it was good. At the time we bought it, usually, IPS was in a different solution, and the firewall was in a different solution. You had to kind of correlate between the events to find the attacks or unwanted behavior in the network, but it had everything in a kind of single platform. So, the integration was great.

Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. Cisco ASA was able to handle a lot of traffic or concurrent connections at that time. We had almost 5 million per week. We didn't have to worry about it not having enough memory and stuff like that. It was a powerful machine.

The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java. 

High throughput, high concurrent connections, easy site-to-site VPN were also valuable. It also had the capability to do double network translations, which is really useful when you are integrating with other vendors for site-to-site VPN.

When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough.

One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.

We have been using it for around eight years.

Its stability is really great. It is very stable. We didn't have to worry about it. In the IT world, every time you go on holiday, you think that something might break down, but that was not the case with Cisco ASA.

Initially, we had just a single firewall, and then we moved to high availability. Even when it was just one hardware without high availability, we didn't have any problems. Apart from the planned maintenance, we never had any downtime.

We feel we didn't even try to make it scalable. We had 30,000 end users.

We haven't interacted a lot with them because we have our own network department. We were just handling all the problem-solving. So, there were only a couple of cases. Initially, when one of the first devices came, we had some problems with RAM. So, we opened the ticket. It took a bit of time, and then they changed it. I would rate them an eight out of 10.

Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. We had some really old D-link firewalls. They were not enterprise-level firewalls.

After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. They didn't provide us with the new license. Therefore, we decided to move to Palo Alto. The procurement process is taking time, and we are waiting for them to arrive.

It was straightforward. Cisco is still leading in the network area. So, there are lots of resources where you can find information. There are community forums and Cisco forums, where you can find answers to any questions. You don't even have to ask. You can just Google, and you will find the solution. Apart from that, Cisco provides a lot of certification that helps our main engineers in learning how to use it. So, the availability of their resources was great, and we just followed their best-case scenarios. We could easily configure it.

The deployment took around two or three weeks because we had different firewalls. We had a couple of them, and we migrated all to Cisco. We also had around 30,000 rules. So, the data input part took a lot of time, but the initial installation and the initial configuration were done in a matter of days.

It took us one week to set up the management plane. It had different ports for management and for the data. After finishing with the management part, we slowly moved segments to Cisco. We consolidated the rules from other firewalls for one zone. After Cisco verified that it was okay, we then moved on to the next segment.

We did it ourselves. We had about five network admins for deployment and maintenance.

We definitely got a return on investment with Cisco ASA. We have been using it for eight years, which is a long time for IT. We only had one capital expenditure. Apart from that, there were no other costs or unexpected failures. It supported us for a long time.

When we bought it, it was really expensive. I'm not aware of the current pricing.

We had problems with licensing. After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. So, they didn't provide us with the new license.

I am not sure about it because back then, I was just an engineer. I didn't have decision-making authority, so I wasn't involved with it.

We recently have done pilots with Check Point and FortiGate for a couple of months. They were next-generation firewalls. So, they had much more capability than ASA, but because of being a pilot, we didn't get full-scale throughput like big enterprise-level firewalls. The throughput was not enough, and their memory cache was always filling up. They were smaller models, but both of them had the features that ASA was lacking. Traffic shaping in ASA is not as good, but these two had good traffic shaping.

I wouldn't recommend this solution because it is already considered to be a legacy firewall.

I would rate Cisco ASA Firewall a strong eight out of 10. It is powerful, but it lacks some of the capabilities.

We primarily use the solution to operate that LAN environment over the internet and use the public and private networks separately. It's a very good firewall in terms of security, in terms of certain scenarios, and also from an ethical hacking point of view. Both are available in our environment. Both are doing great.

Cisco, obviously, gives you a great amount of reliability which comes in handy. The brand is recognized as being strong. 

Even in very big environments, Cisco comes in handy with configuration and offers reliability when it comes to managing multiple items on one platform. You are able to integrate Firepower and all AMP. With so many items to configure, I haven't yet done them all, however, I hope to.

It's great for securing the network. You learn a lot.

The initial setup is straightforward.

The solution is very stable.

The scalability of the solution is very good.

Most of the firewalls almost 90%, 95% of the firewalls will move to GUI. This is the area which needs to be improved. The graphical interface and the monitoring level of the firewall need to be worked on. 

Most of us are using the monitoring software where we get the alarm, then details of the servers, et cetera. This aspect needs to be much updated. 

From just the security point of view, in the security, it needs to be updated every day and every week. It is getting better day by day, however, from a monitoring point of view is not the same view as we have on the different monitoring servers or monitoring software, such as PRTG and Solarwinds. It needs to be changed and improved.

Cisco has launched its multiple products separately. Where there's a new version of the hardware, there is Firepower in it. However, there must be a solution for an integrated version that includes everything in your network and your firewall as well so that you can manage and integrate from the same web portal without going to every device and just configuring it and just doing everything separately. 

It would be ideal if a solution can be configured separately and then managed centrally on one end.

We have more than one Cisco firewall and it is difficult for me to integrate both on the single UI. If I have three firewalls and one is a normal firewall, I need to configure everything separately. I can't have it on the same port or integrated on the same single IP or bind it something like it.

We've mostly used Cisco solutions for two or three years at this point. Our old Cisco devices were due to be changed, and we moved over to ASA.

The firewall is stable, however, every two, three, or four years, you have to change the hardware and therefore get an updated version of the firewall.

This is something which companies have been doing for the sake of a new product and launching a new device. Yet, the stability needs to be considered where you have to upgrade for every two, three, four years and change the product and go for the new updated version. What I mean is that there is stability, however, obviously, it's not long-term.

The firewall is very scalable. Most contact versions are available depending upon the organization you have. It works for very large organizations. They are scalable for many scenarios. The scalability obviously is there for sure.

Cisco technical support is one of the best around. They have the most advanced and most experienced level of tech support I've been in contact with. Whether it is a hardware or software issue, the tech team can support you and help. They are very helpful and knowledgeable. We are quite satisfied with the level of support on offer. 

We also have experience using FortiGate.

The Cisco firewall is straightforward. It isn't a complex implementation. Obviously, you have to bind your IP on the port and then you must go on to configure for security and something like that. It's easy for me to configure a firewall at such a level.

If you pay for the hardware, you get the Firepower and if you don't, then you get the Cisco Firewall. 

We are just a customer and an end-user.

I'd rate the solution at an eight out of ten.

Obviously, you need to have one tech person on your online when you are configuring it, or just implementing when you are integrating with your live environment and organization. My advice is that the configuration is easy when a network engineer like myself handles it. A trained person is more than capable of the task. Other than configuring, a less technical person can manage the solution.  

In general, we support more public fiscal entities. Most of them are quite sizeable at 5,000-6,000 employees. We use it mostly for remote access.

The clusters in data centers are great.

We enjoy the use of the remote access VPN. We have a mechanical firewall with IPS and we have no more than these. In general, ASA is for remote access and the mechanical firewall right now is more used for data centers. 

We work to combine customers and we have a lot of customers that use networking from Cisco. They buy Cisco firewalls due to the fact that all of their networks are working with Cisco features.

It would be ideal if the solution offered a web application firewall.

We've had some issues with stability.

The solution has some scalability limitations.

The firewall itself has become a bit dated.

The pricing on the solution is a bit high.

Some individuals find the setup and configuration challenging.

I've been using the solution for ten years or more. It's been at least a decade at this point.

Normally, we don't have any problems with stability. That said, when we have problems, it may be difficult to resolve quickly. The tech from Cisco is really good. However, we have some problems that take more time. Issues haven't come up very often. We've only had two or three problems over ten years that took a while to resolve. Largely, it's quite stable. 

We typically work with large public organizations. Our customers are quite big. Some are even up to 8,000 employees.

My view is that the ASA is for data centers. When you need more performance or something like that, this may be a problem. This is due to the fact that we don't have the ability to add more performance - more CPU or more equipment - in our cluster when we deploy the solution in a perimeter. It's complicated to expand the performance with ASA on the perimeter.

We have a good relationship with technical support. They're very helpful. Sometimes we get a solution and sometimes we don't, however, they are always available to help us deal with issues.

I have been working with this equipment for years, so for me, the initial setup is pretty easy. For customers who use the Cisco solutions for the first time, maybe it's complicated. They probably feel it would be easier to configure if there was a simpler graphical view or something like that. Often a complaint is that it's difficult to configure. However, I don't have that issue.

To deploy one solution, how long it takes depends on the customer or the size of the enterprise. For a large enterprise or large public entity, we need more time or more resources to deploy the solution. That said, it's not too difficult for us as we work a lot of time with ASA. We can go fairly quickly.

We support ASA 5508, 5585, and 5525 - all the versions of the firewall. Again, we built a HTAB machine too.

We've worked with Cisco for many years and I love working with them.

Right now, ASA is getting older. A better recommendation may be to use Firepower, a Next-Generation Firewall, no ASA. In cases for some remote VPN access, we recommend ASA, however, for all of the deployments, the recommendation now is to use a Next-Generation Firewall from Cisco Firepower. 

Overall, I would rate the solution at a seven out of ten. That said, for remote access alone, I'd rate the product at a nine.

The primary use of Cisco ASA (Adaptive Security Appliances) for us it to protect from external threats to our network as a firewall and VPN solution.

Cisco ASA serves a purpose more than it improves us. It is good at what it does. We are using other vendors and splitting the traffic to different devices based on what they do best. Even though we use other products the trend at our company is that we will increase the traffic through Cisco ASA.

It's difficult to say what features are most valuable because ASA is not a cutting-edge device. It's rather more stable and proven than modern. It's difficult to suggest adding features because with new features we are adding something new, and that means it could be less stable and. New features are not the reason we use the solution — it is almost the opposite. The most valuable part of the solution is dependability.

It's already a mature and stable product. I prefer to not to use the newest software — even if Cisco suggests using the newest — because this is a critical security device.

My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. 

They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA.

Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers' thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA.

I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough. 

It is a stable solution. It is predictable when using different protocol and mechanics.

We've used several models of the product, from the smallest to the biggest. I think that this family of the ASAs is scalable enough for everything up to an enterprise environment. I think the family of products is able to handle small and large company needs.

Cisco is a well-known vendor and its support is good. In my previous company, we sometimes used a vendor rather than direct Cisco support, but sometimes we used Cisco. For ASA in my current company, we have additional support from the local vendor. If we have a problem we can also initiate a ticket directly on the Cisco support site.

About one-and-a-half years ago we implemented a different solution to handle certain situations like BGP. But when we upgraded our Cisco devices just few months ago, we could have BGP on ASA. Now our devices from Cisco have enhanced capability, not just something new and maybe less dependable. Implementing BGP on ASA was a late addition. It had been tested, the bugs were worked out and engineers wanted the solution. The stability of ASA as an older solution is what is important.

I think it is not the simplest solution to set up because it is sophisticated equipment. For engineers to work with vendors and incorporate totally different solutions, it could be difficult. It is also different from the other Cisco devices like Cisco Router IOS. It differs in a strange way, I would say, because the syntax or CRI differs. If you are used to other OSs, it is not easy to switch to ASA because you have to learn the syntax differences. 

It's common for there to be differences in syntax between vendors. But, I would say that this is more complex. The learning curve for start-up and configuration of ASA is at mid-level when it comes to the difficulty of implementation.

I did the implementation myself. ASA is not the newest solution for Cisco or the newest equipment. You can use the vendor and ask for help if you need it during the installation and for support. Because it was an older solution, it was already somewhat familiar to me.

My current company has been using ASA for quite a long time, so I was not involved in the choices.

I have been participating in choosing a new vendor and new equipment for some specific purposes as we go forward. For a next-generation firewall, Cisco's product — a combination of ASA and Firepower — is not the best solution. We are choosing a different vendor and going with Palo Alto for next-generation solutions because we feel it is better.

I think I can rate this product as an eight out of ten. A strong eight. The newest version of software and solutions often have bugs and functional problems because they have not been rigorously tested in a production environment. It is not the modern, next-generation firewall, but it solidly serves simple purposes. For simple purposes, it's the best in my opinion. I am used to its CRI (Container Runtime Interface) and its environment, so for me, familiarity and stability are the most important advantages.

Primarily, we are just using it as a firewall, mostly to protect our internal SQL network (our primary network). At the moment, we are not using Cisco Firepower for our services. We just use it as a firewall.

We have multiple secure internal networks linked with our plants. We are from a oil company, so we have multiple plant areas which need to have restricted network access. Therefore, we are using it for restricting access to the plant area, where they cannot directly connect onto the Internet.

It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement.

Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems.

It should have multiple features available in single product, e.g., URL filtering and a replication firewall.

It is very stable. We have routers entirely from Cisco, which are still working after ten years of deployment. I would rate the stability as a nine out of ten.

We have two people maintaining it. It does not require intensive work. We have an expert in switching technology, and another person who is knowledgeable in routing and network security.

The scalability is good.

The technical support of Cisco is very good. Nowadays, you can get anything over the Internet. They provide help over the Internet. There is a very full forum, which is manually supported.

The initial setup was completely straightforward. 

However, we have to rely on Cisco ASDM to access the firewall interface. This needs improvement. Because we have a web-based interface, and it is a lot more user-friendly.

Deployment takes two or three days. We are continuously deploying the solution to our plants over time.

We do the deployment in-house.

ROI is part of the infrastructure costs. The product has saved us a lot of time, and once we deployed the solution, it worked.

The cost is a big factor for us. This is why we are using it only in our restricted area. They are very much higher than their competitors in the market.

I would rate the cost as a six or seven out of ten.

Nine or ten years ago, there were few options at the time.

Currently, we are using Barracuda for our more general Internet access. We use Cisco for our more protected environment.

I would recommend the product, but cost is a big factor. Some companies cannot afford expensive products, like Cisco and Palo Alto.

It helps the firewall in our network and the VPN (Virtual Private Network). It creates a secure tunnel for our network.

The IPS (In-plane switching) is the most valuable feature. This enables visibility to our networks and to outside attacks. It is a solution to maintain the visibility.

At times the product is sluggish and slow.  Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is. 

It is a very stable solution. 

It is a scalable product. We have a lot of demand.  But, it supports any additional network that we add. It expands easily. 

Normally the Cisco tech support team are good. But, we have had some problems with tech support with this product. Some of the tech support team are really not familiar with how the IPS works. And, there is some disconnect between the tech support. Maybe they're not trained well. They're helpful, but not knowledgeable.

Our primary use case for this solution is to use it as a firewall. This product secures the internet from internal and public users.

Cisco Secure Firewall helped add to my organization's value. It is a selling product for us here. They have great support and documentation, which makes the solution easy to sell to customers. The Cisco name has a lot of value and high brand awareness.

We are selected partners now but are looking to grow to become a primary partner for Egypt. 

Cisco Secure Firewall definitely saved us time. However, security is never 100% with any product, even Cisco. So, you will have to spend some time securing your IT regardless of which solution you use.

I would say that it helped my company cut time by 50%.

The solution cautions us against threats via email notifications and internally in the web interface of the product itself on the dashboard.

What I found the most valuable about Cisco Secure Firewall is that if a client is educated about the solution, it can help him or her avoid many problems and mistakes. 

I think Cisco would benefit from comparing its solutions to other products. There is a lot to learn from solutions like Palo Alto or FortiGate. These are top security products. For example, Palo Alto has better inspection visibility than Cisco. When we ask customers about Palo Alto, they say "I like Palo Alto. It helps me see problems on time. I can audit everything through it." Cisco could improve in this regard. Cisco's inspection visibility could be better. 

I have been using this solution for a long time; since the PIX version in 2003. This adds up to almost 20 years now. I have had a plethora of experiences with this solution as both just an employee using it and also as the owner of a company. We also have a range of customers using the solution. 

We did not use any other solutions. Our strategy from the beginning has been to grow with Cisco. However, our customers have the final say in which solutions they choose and sometimes that's not Cisco. That has much to do with their previous beliefs and brand loyalty and trust. The customer's opinion matters and if the customer is loyal to Palo Alto, we are going to have a hard time getting them to make the switch. 

I am not involved in the deployment of the product. I have a sub that deploys Cisco Secure Firewall. I'm involved in guiding the deployment on the management side and making sure it's done in line with the customer's wishes. 

I did evaluate other options but ultimately went with Cisco because of the support they offer. You can reach their tech support engineers at any time. That's important. Their documentation is great as well. Their site is wonderful. 

I rate the solution a seven out of ten.

Cisco Secure Firewall should be consolidated with routers, switches, or VOIP.