Cisco Secure Firewall Reviews

We use it as a network firewall.

For business purposes, it's a very detailed solution, which is it's greatest benefit, as you can get almost any piece of information you need from the solution. It allows for admins to be able to troubleshoot pretty easily.

The solution is part of a suite. If you pay for it, it has basically a view that's called Firepower, and it's really good at being able to analyze exact bits of a pack, at the packet level, and has the ability to allow you to examine that traffic. It is really good. That's probably my favorite part of the suite.

I would definitely say the pricing could be improved. If you're going to get the latest and greatest of this solution, it's very expensive and it's actually the reason my organization is moving away from it.

I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it.

We haven't had any major issues in regards to stability. In general, there are best practices in the industry to use. It's never really mattered because generally, with firewalls, you have two in any given location or service. They seem to be redundant of each other. So there's never been a problem where we lost functionality because of the firewall.

It's pretty scalable. Cisco is a large enterprise solution and it's designed to be able to serve large enterprise, so, it's fairly scalable. We're using the solution minimally at this point, and we're decreasing usage because it's too expensive to upgrade.

They have pretty good customer support. The solution's technical support is great.

I had not previously used another solution.

I was not with the organization when they originally rolled it out, so I can't speak to how straightforward or complex the initial setup was. There are about six people who manage the solution. We have security engineers and network engineers. If someone is trying to get an idea of how many people are required, it varies because a lot of organizations will have multiple firewalls in different locations. Six for one organization may be way more than somebody needs or way fewer than somebody needs.

We didn't use any other group for the deployment. We did all the work in-house.

My company is moving away from the solution because it is quite expensive.

We've looked at the Fortinet solution. The Fortinet FortiGate.

I would just say that it's expensive. The product is fine on its own, it's high end. It's got a high brand name attached to it. I would recommend the product, however. The product works great. It does everything it's supposed to do. There's no issues with it, no real concerns. It's just expensive.

I would rate it an eight out of 10 because it does everything it's designed to do, but it is not any better than other industry-leading solution, and it's far more expensive.

The VPN and monitoring are the most valuable features.

I tried to buy licenses, but I had trouble. Their licensing is too expensive.

If they can get the reporting to go into deeper detail, it would really be helpful because in order to get the reports in Cisco you have to go to look at the information that you don't necessarily need. 

Also, the pricing is quite high. 

The stability is good. Very simple. Upgrades are great. But when we upgrade it, things break. You have to upgrade about three things before you get something stable.

I haven't had to scale, so I can't speak to this aspect of the solution.

I haven't had to deal with technical support, so I don't have much to say.

We didn't previously use a different solution.

The initial setup was straightforward.

I did the setup myself. The budget I had didn't allow me to get support. I would use Google a lot. The first implementation took me about three weeks because I did not know what I was doing. So it took me a while. It took me about three weeks, but everything else took about two days, maybe three days and I was done. 

We did look at Barracuda.

They really need support for deployment.

I would rate this solution nine out of 10 because I think if you have the budget and you plan it properly I think you won't have the initial deployment problems I faced.

My primary use case for this solution is for Internet access for the enterprise or for users, publishing, email, and to protect our network.

Before Firepower, we didn't have any visibility about what attack was happening or what's going on from the inside to outside or the outside to inside. After Firepower and the reporting that Firepower generates, I can see what's going on: which user visits the malicious website, or which user uploaded or downloaded malicious code, and what the name of the code is and from which country. This is very useful and helpful for me to detect what's going on. It enables me to solve any problem.

They give me more visibility of what's going on when traffic comes in and goes out from the company or comes in from the outside. I can see what's going on with this traffic, which is a nice feature. I also like the malware inspection and management of the dashboard features. The management of the dashboard is different from the old Cisco Firewall. This management brings everything together into one management platform. 

I would like for them to develop better integration with other security platforms. I would also like for them to make the Cloud configuration easier. 

One to three years.

Stability is perfect. I haven't had any problems. 

Scalability is great. We have around 1,500 users. 

Their technical support is good. I opened a ticket when we did the installation. We didn't have any issues with them.

We were previously using Cisco ASA without Firepower. We switched to Cisco Firepower because Firepower has more features, like malware inspection, and more possibilities with identity management.

The initial setup was a little complex. We required three staff members for deployment and maintenance.

We implemented ourselves. Deployment took around six months. 

It's more expensive than Fortinet and Juniper. The price is high compared to other vendors. In general, for the license, it's not that expensive.

We also evaluated Fortinet and Juniper.

I would advise someone considering this solution to subscribe to the URL filtering and to use malware inspection.

I would rate this solution a nine out of ten.

We are currently using version 6.3. Our primary use case of this solution is to put Firepower inside of the data center and at the Edge network.

This solution has improved my organization. I'm a solution provider and so I deploy in many different companies that are my customers right now. Before Firepower, we had some problems with the architecture of the firewall. Firepower can support two types of intelligence identity: it can support the application visibility and control, and it has a great deep inspection in the packet. Before this solution, we had some problems with malware detection. Right now, we can easily detect and filter all the applications. Before this solution, we never had any file trajectory, but right now we do, according to the file trajectory of Firepower that we have after attack solutions. 

We never had any solution or any workaround for after an attack. We never had any clue what the source of an attack was or how the attack could affect the company. Right now, because of the file trajectory and the great monitoring that FMC does, we know what's happened so we can analyze it after an attack.

The architecture of FTD is great because it has an in-depth coverage and because it uses the AVC, (Application, Visibility, and Control) and also rate limits. Also, the architecture of fast paths is great.

I would like to see real-time log systems because it's very helpful when you want to troubleshoot.

Stability really depends on the software that you use. If you use the suggested software that Cisco suggests, you will see a highly robust and highly stable system. A crash or block will never happen to you. It really depends on the version that you are using. Definitely check the release notes before installation.

I've worked with the 2000 series, the 4000, and the 9000. The 9000 series is really impressive because it's absolutely scalable for large deployments.

I haven't had to contact their technical support. 

We previously used ASA, which is a regular firewall. We switched to Firepower because it has a lot of features. It is one of the best firewalls in the world so we shifted to Firepower.

The time it takes to implement depends on the policy of the customer. Practically speaking, it takes around three to four hours to deploy, but it can depend because the Firepower solutions have two parts. One part is the hardware, it is an actual firewall and actual device but the monitoring system and the control system is a software called FMC. Most of the customers deploy it over VMware. The time of deployment really depends on your resources, but on average will take three to four hours.

At least two to three people with professional knowledge, around three years of experience, are needed for the deployment and maintenance, not only for Firepower but in every security solution. The device is doing something, but the most important part is analyzing it. The device can give you logs, but the engineer should analyze the log and do something.

Deployment without inspection can require only one person but if you want to analyze the IPS, at least two people will be needed.

Based on the services that you will get, especially the AMP license, the price is very reasonable. The license system is also good but it's not very impressive. It's a very regular licensing system. They call it a smart license which means that your device will connect to the internet. This is a little bit of a headache for some customers. It doesn't make the customer happy because most of the customers prefer not to connect their firewall or system to the internet.

I would advise someone considering this solution to just read the release notes before doing anything. You should know what the exact architecture is and what the exact details of the software are before trying to deploy it.

I would rate this solution a ten. 

The ability to intercept unwanted traffic, and prevent attacks without interrupting everyday work, and the stability of this product are the key functionalities in our deployment.

This product, and our implementation, are not directly correlated with the core business of our company. It is designed to protect our company from outside threats and reduce impact on other network elements, such as the backend firewall, DMZ zone and VPN concentrators.

Cisco ASA lacks some functionalities, when compared with other vendors’ products. Cisco need to implement some more functionalities, like client-less VPN (HTML5), but I expect that Cisco will continue to add, and improve, features of the product. One of the features that should be improved is the URL filtering engine, as currently it has limited functionality. For full functionality, you will need an external URL filtering server, like Websense.

We have used it for more than five years, and have implemented it for perimeter network protection. It is designed for basic network protection for our corporate environment.

No issues during the deployment, as we had good planning.

No issues with stability. The device is designed for hard work 24/7. I never have a lack of resources like RAM or CPU. The only reason I need to restart the device is during a software upgrade.

In our deployment, we did not have a scalability issue.

It is very high.

We did not have any technical problems with this product, so we have not had need of technical support

We implemented ASA after a complete redesign of our network, and we believe that Cisco ASA is the right solution for our needs.

The initial setup is straightforward, as there is a lot of documentation available on the Cisco site, and other sites, which makes planning and deployment pass without any problems. However, the ASA is a complex device, with a lot of features and further tuning is complex and you must have the right knowledge to do it. Configuration can be done through a Java based application called ASDM or through the CLI interface. Using ASDM is much more simple and easy, but ASDM is not compatible with the newer Java version, so before implementation you must read the compatibility notes. Also, keep in mind that when upgrading ASA software, you must also upgrade the ASDM package.

Initial implementation was through a vendor. I would rate their experience and expertise as 9/10.

Calculating the ROI for network security or IT security is complex and dependent on many factors, like the implementation, role, expectation etc. IT security cannot be compromised, but on the other hand, we must ask how much is enough. In our case, we do not have a defined ROI for this product.

The cost of the setup was only the product price, local vendor support for the implementation, and employee training. This product is set it and forget it, so we do not have day to day costs.

We did not evaluate other products. One reason was that we believe that the ASA is a reliable product and fits our needs. Another reason, was the lack of local support for other solutions.

Unfortunately, the ASA 5500 is EoS and EoL, and I hope that Cisco’s NGF 5500-X series will be a worthy successor. This does not mean that Cisco will stop software support and will continue to release new software versions with new and improved features for the ASA 5500 series.

As with any other product, the main things for a successful implementation are to decide what you want to achieve, and what your main goal is, and then, you need good planning, not only for your current needs, but you also need to keep in mind further grow and needs. Good planning is, at least, 80% of successful implementation.

We are using these firewalls for edge security or different zones of security. We use them throughout the whole organization, but they vary in size, depending on if it's a small office in Spain or a large office in another country. We have offices in many countries.

It saves time. It protects us from experiencing big or small attacks. If we are vulnerable to attacks, it would take us a lot of time to fix that and put out all the fires. Hopefully, we won't need that when we have several layers of security.

We feel that we can trust the security, and our assets and business are well protected. We need to have trust in it, but we also see that it works. We have a security company that has tested that it works.

They have already improved it to some degree. It has become easier, but I've not drilled down much myself. I mostly use CLI, but I can see that it's a little bit more GUI-based. So, improvement is already there. It's a good thing that we now have GUI-based control over the details, and that would be the way to go.

It integrates with other security products from Cisco, but sometimes, there can be glitches or errors.

I have been using Cisco firewalls for the last 20 years. We are now mostly using FPRs, but we also have some old Cisco firewalls that we need to change to newer technologies.

It has been a while since I used it myself. My experience was good. You get the correct engineer for the task. I'd rate them an eight out of ten.

Positive

We have firewalls from other vendors, but we will be moving over to Cisco. When we have the same vendor, it would take less time to train people to do their job because there is one technology rather than four or five different ones.

I was involved in its deployment, but that was a few years ago. It was not an in-depth technical installation; it was more of a physical installation. It was easy. We are a big company, so we need to plan the downtime and get approval from the business to take down systems and upgrade them. 

I'd rate Cisco Secure Firewall a seven out of ten.

Our primary use case for Cisco Secure Firewall is segregation between different environments. We put Cisco Secure Firewall between each of those environments to create this segregation. 

Cisco Secure Firewall improved our organization. We have it in every one of our French offices. 

What I like about Cisco Secure Firewall is that you get to integrate it into one box. For example, you can have one big switch with a model inside of it. This makes it easy to manage. 

One thing that Cisco could improve is the GUI. The graphic user interface should be more user-friendly. If you compare it with some of its competitor's GUIs, Cisco falls short in terms of how rules are pushed. 

We have also run into issues with functionality and flexibility. Cisco does fall behind its competitors in this regard. It's our opinion that Cisco is not a leader in security devices. 

I have been using Cisco Secure Firewall for two decades. 

We are satisfied with the level of support we get from Cisco. Getting support is quite easy. When we have a problem, our engineer just opens up a case and we get a reply quickly. The support usually has deep knowledge of the solution. 

Positive

I was involved in the initial deployment. It was quite simple, not complex at all. 

We have seen a return on investment in terms of price because we have a partnership with our provider. 

We chose Cisco Secure Firewall because we were already using Cisco switch routers and other products, so we wanted everything to be from one provider. However, we do use other products as an additional security measure.

The solution does help us save time because it enables us to do a good job of filtering from the get-go. This ensures we have fewer potential threats to look through.

Cisco Secure Firewall has not helped us consolidate tools because part of our security strategy is having multiple firewalls from different providers. Our company policy is that it is better to have different technology, so we do have some overlap.

The use case is protecting our building. We have one office and we use it to protect the network.

The fact that we can use Firepower Management Center gives us visibility. It allows us to see and manage the traffic that is going through the network.

We have an older version of the ASA and there are always improvements that could be made. Nowadays, nobody is in the office, so I need to figure out how to put the firewall outside. If I could have a centralized firewall that also receives information from external locations, like peoples' home offices, that would help us consolidate everything into one appliance.

I have been using Cisco ASA Firewalls for over 10 years.

We've had issues with it because we always run it in pairs for high availability. We've had issues with the unit, but not in the last five or six years. It's pretty, pretty stable.

The product we have has some limitations when it comes to scalability. That's one of the things we're looking to address with a new solution.

Technical support was good when I used it, but I haven't needed support for the solution lately. I know people complain about support, but I don't have experience with it for this device because I haven't needed support recently.

We do pay the annual fee for support and I expect them to be there in four hours with a new device, if we need one, as they've done in the past.

Positive

We didn't have a previous solution.

My system engineer did the initial setup and he's the person who manages it, day in and day out.

I don't think we've tracked enough data points to see ROI data points, but the value comes from the fact that it's still running and that we are still happy with it. That is definitely a good return on our investment.

The pricing is too high and the licensing is too confusing.

Go for it.