Cisco Secure Firewall Reviews

Some branches are joint through Cisco ASA 5500-X VPNs. Executives or employees are connected via AnyConnect.

It joins all branches and permits employees to work outside their offices, but everything is based on high securities standards (PCI compliance).

• Reliability
• Robustness
• Security features
• High encryption, hashing, and integrity support
• Support
• High performance

Multiple WAN connections: Even though you can implement more than one interface to outside connections, it is lacking on load balances, etc.

Solid datacenter firewall, but the ASA software is old with no application recognition. If only a Layer 4 FW is needed, this is a good solution.

Do not use it in cluster mode. It is not worth it. These firewalls can do 10G, so just design the rest of the network around this.

Do not do cluster to add more bandwidth.

Nothing fancy about ASA capabilities, it does its job and does it well as long as you only care about filtering ports and protocols.

The needed features are already being done on Firepower, but this software is still in flux. 

It is very stable.

Setting it up is not as intuitive as other more modern NGFWs.

The ASA 55-x range is a solid and reliable firewall. It secures the traffic for normal purposes.

If you ask how a firewall can improve our business: It can’t. It is securing our business IT network.

But if you want to know what the ASA5520 can do to secure our network:
Not much more than any firewall. It is a solid port firewall, nothing more, nothing less.

The Cisco ASDM management tool was helpful.

Firewalls, in general, were not really designed for normal IT personnel, but for firewall and network experts. Therefore, they missed a lot of options and did not provide any good reporting or improvement options.

For example, to update or add a feature, you end up buying new support and licenses. The process is complex and changes so rapidly that you won't find a salesperson who will offer you the right products.

New generation firewalls are cloud managed or provide a good interface. They integrate into the environment. They are application aware and come with security features that are especially designed for the purpose.

There were no stability issues.

You need to buy a new product if you want to scale. I once tried to put in another network card and ended up in a support nightmare. I had to buy more support, licenses, and it was more expensive than buying a new one.

Customer Service:

Customer service is non-existent. You need to go through a very complex and annoying approval system before you can get any help. The support then gets asked a question and you get one word answers. It takes you hours to find out what version of an update you need to install, and then another day to find out how to install it.

Technical Support:

I would give technical support a rating of zero out of 10. It is clear that Cisco is not for the end-customer, but rather for resellers and providers. They might have better contracts and get more technical support.

I usually have to take what is there. If I had a choice, I would now take something newer.

You can start very easy and set up the network cards, but it also has many traps to find out the right setting for your environment.

For example, you need fixed network settings on your switch to connect with full duplex 100Mb/s. There is no autonegotiation nor other settings. This is the same problem with the WAN connection. You need to know exactly what to configure to match the WAN, or it will not work.

I once had support from a reseller and once from a provider. Both depended on the level of the person you speak with. Most have some knowledge.

Once installed, they last a long time. I would recommend replacing them after some years to get better security features.

If you look for user internet access, many new products can help with filtering and rules or procedures, like Meraki. This replaces the purpose of proxy servers.

If you have to secure web servers from the internet, you need a decent firewall with web features to process the requests and redirect traffic to web servers.

Cisco is no longer the only vendor offering these features. With Microsoft TMG out of the race, others have to push in. But firewalls are also no longer the first frontier of security. Cloud services are in there as well.

I had no choice.

Get someone to help you plan and set up the firewall concept, as well as the initial setup and testing. Waiting for later is not the time to test or change anything without an outage.

Centralized policy creation for URL, application, IPS, etc. It simplifies matters more than previously.

It provides centralized management. I would also add that URL, Malware and IPS built-in has been a great help as well. Where we used to need several products for all these features, we now only need the ASAs with the additional licensing. So now, it is more a matter of license management over hardware and licensing management.

More centralization and simplification of product lines would help most engineers, but I think licensing is the key here. Most organizations won’t pay the money to have ELA licensing, so all the individual licenses for these products can be overwhelming. Plus, they never really synch for expiration time.

This is mainly due to reliance on other Cisco products and licensing. For example, Palo Alto includes several features in one whereas Cisco requires multiples. However, I still think Cisco offers great products but to get a "10" they might consolidate devices or simplify licensing.

I have used this for two years, but company has used Cisco solutions for many years.

We did somewhat have stability problems. Upgrading the ASA, ASDM, and SFR can be a pain if you have as many firewalls as we do (21). Once you can get them to fall under FPMC management it can be a little easier, but it is a battle to get to that point.

There have been no scalability issues from my point of view. I was handed the solution, so some of the initial work was done.

I rate support 10/10. TAC has always done a great job with answering my questions and providing remote support when needed.

Previously, I used ASAs without FirePower; and unsure what my company used prior to that.

For me, setup was half-and-half. In one update run I missed the step that discusses how the ASA and ASDM need to be on a specific patch prior to upgrading the SFR. FPMC attempted to push the new update to the devices regardless of this mismatch that caused FPMC to loose communication. I had to downgrade the SFR all the way back to v5.4.1 before I could install the latest version. You also have to step through several updates before you are done, so that can be tedious as well.

Read everything and track all your licenses. Research all options and maybe pick a few to PoC. It doesn’t hurt to trial others. Maybe they are a better fit for your environment.

We are moving forward with ELA 5.0 for all Cisco security devices. Prior to that decision, we did a PoC with Palo Alto 3020 and 220 firewalls and Panorama. Those are some great products, but we are so Cisco centric that the cost of ELA isn’t much more than we are spending now.

Do research. FPMC is great for us but it requires a lot of time and attention.

We use them for VPNs and as firewalls, of course. We wanted to protect the network and have secure communication with our peers.

They secure the network and ensure our network is always available.

They are easy to maintain.

I would like to see them add more next-generation features so that you don't need a lot of appliances to do just one task. It should be a single solution.

I have been using Cisco ASA Firewalls for nine years.

In terms of stability, it is a really good product and platform. Overall, it's great.

It's not really cost-effective when it comes to scalability. It is a really expensive product if you go to the modular firewalls. You need to get new appliances to get new features.

Tech support is good but it could be improved on some points.

Neutral

I have used Fortinet, Check Point, and Palo Alto firewalls. Most of those solutions have everything integrated into them so you don't need multiple appliances. You get a single solution for your network. It would be better to have a centralized firewall, from Cisco, that can do everything.

The initial deployment was straightforward. The last implementation of an ASA took us about one to two weeks.

Our implementation strategy was to have good architecture and to have all the requirements for the project beforehand. Everything went really smoothly because of that.

We needed four or five people for deployment, including field techs and network engineers.

For clean and easy protection of an enterprise, it is a really good product. It can be also deployed as a virtualized solution in data centers.

It is hard to control the bandwidth of end-users with a Cisco Firewall. That is the main issue I've faced. I used Mikrotik for many years for this very reason. Mikrotik has the option to set a bandwidth restriction for a single IP or complete segments. Cisco should add this option to their firewall.

We have been using Cisco for about five years. All our products, switches, routers, and firewalls are Cisco devices.

Cisco Firewall's scalability is fine. 

I rate Cisco ASA Firewall eight out of 10. Cisco offers a great educational series to train users on their devices.

I can't put Cisco on the firewall when the security landscape has changed so much in the past five to ten years. We are doing a lot more in the next generation of firewalls. We had a legacy classic firewall before we went to Firepower, and we spent a lot less time on that firewall, but we are spending more time on the Firepower because we are utilizing a lot of the features that are available in Firepower that were not available in the previous firewall that we had. I'm not going to say that we're spending less time, but we're gaining more value.

Another benefit has been user integration. We try to integrate our policies so that we can create policies based on active users. We can create policies based on who is accessing a resource instead of just IP addresses and ports.

If I were to have been asked a few weeks ago, I would have said threat prevention was the most valuable feature, but the world is changing a lot, so my favorite features a few years ago might not be my favorite features today.

The visibility the solution gives when doing deep packet inspection can be complex. I really like the visibility, but it's not always intuitive to use. I also help other customers. We are a contracting company that implements their solutions, and I've found that it's not always easy to get everyone to utilize some of the visibility features. But for me personally, I think they're very valuable. 

The ease of use when it comes to managing Cisco Firepower has a lot of room for improvement. When monitoring a large set of firewall policies, the user interface could be lighter. It's sometimes heavy in use, and there could be improvements there. I know they're trying to make improvements.

It's mainly the UI and the management parts that need improvement. The most impactful feature when you're using it is the user interface and the user experience.

We were an early adopter when Firepower first came out. I've been using Cisco firewalls for the last two decades.

For newer hardware models, the stability is good. We've tried to run Firepower on some of the legacy-supported hardware as well, but with the stability issues, they are not as good. If I were to judge based on the hardware that I have, I'd say it's good. I haven't had any issues with the stability on my platform.

We just recently enabled Snort 3 so I'm evaluating the functionality. That's what we've considered, but we haven't done any performance testing. Our company would qualify as a small to medium business company. The average office environment is about 100 to 200 people. Performance-wise, my company is about 120 people.

Scalability is really not relevant. I know there are features that address some of those parts, like clustering and stuff, but that's really not applicable in my use cases.

The support is eight to nine out of ten. You can't blame them for any faults of the prototypes, but the support has been really good and really helpful when we had any issues.

I have hands-on experience in both Fortinet and Palo Alto. So if I were to compare this to Palo Alto, for example, I would say that the user interface in Palo Alto is a lot better. But the reason that I'm working with Firepower is that we have a Cisco network as well, and Cisco ISE. We're trying to integrate different Cisco solutions. We're trying to utilize the ecosystem benefits where I can connect my Cisco Firepower to ISE and have it talk to the App Cloud. There's a benefit of utilizing Cisco Firepower in conjunction with our other Cisco solutions.

Ease of management is similar with Cisco and Fortinet, I would say similar, but it's easier in Palo Alto.

I recently deployed a similar solution at a customer's premises, and that setup was straightforward.

The steps are fairly documented and the documentation and guides on Cisco are straightforward. You know what you're expected to configure, and it's easy to get up, running, and started. It takes some more time to check everything and get everything as you want to have it, but getting started and getting connectivity and starting to create policies was easy to do and didn't take a very long time.

It took two to four hours, including some upgrades.

My main advice would be to utilize all the guides and documentation available from Cisco publicly and not trying to implement it using legacy thinking. Don't try to just replace something else you have. If you have a next-gen firewall, you want to try to utilize what you're getting, and getting the most out of a firewall. There are some great guides and documentation on Cisco that explains what you can do and how you can do it.

I would rate it a seven out of ten. 

We use it to configure the perimeter firewalls. In FireSIGHT, we have two firewalls in a cluster with high ability, then we have five firewalls in Offices. We use those firewalls as a perimeter for Offices.

We have all the devices in the Firepower Management Center system. We always work with Firepower devices in Firepower Management Center.

We have offices around the world. We are in Europe, the USA, and South America.

We have border security with Firepower. We try to curb security issues by using this Firepower firewall.

The solution provides us with good working application visibility and control.

I have access to the web version of Cisco Talos to see the reputation of IP addresses. I find this very helpful. It provides important information for my company to obtain the reputation of IP addresses. The information in Talos is quite complete.

The configuration in Firepower Management Center is very slow. Deployment takes two to three minutes. You spend a lot of time on modifications. Whereas, in FortiGate, you press a button, and it takes one second.

Three years ago, the Firepower Management Center was very slow. The solution has improved a lot in the last couple of years. It is now faster. I hope that continues to improve. 

I have been using it for three years.

We have five devices. In Rome, we don't have a technician and didn't work when we started using it. We had to send a technician to Rome to reboot the system. Now, it is stable with no problems. Also, we lost the link to the high availability firewall in our data center. We only had one device there, and Solutel had to solve this issue.

The scalability is great.

We have five devices in four locations.

Three network administrators who work with Firepower, including myself.

I usually create an issue with Solutel, then they create a case with Cisco Talos or the Cisco technicians. I am happy with Solutel's support.

We deployed in several cities, but not the same day. 

The initial deployment was done by a Cisco partner, Solutel. Our experience with Solutel was fantastic. They are local partners for us and provided us with great service.

We realized that clearly we have issues of security with a lot of attacks. I don't know if it is because with the COVID-19 virus a lot of hackers are at home or working more hours. In the last year, we have seen attacks that are very big, and we need a barrier. So, we use a firewall to block these attacks.

The price for Firepower is more expensive than FortiGate. The licensing is very complex. We usually ask for help from Solutel because of its complexity. I have a Cisco account where I can download the VPN client, then connect. Instead, I create an issue with Solutel, then Solutel solves the case.

Our license for Firepower is their best license.

We have FortiGate firewalls, the security of Office 365 from Microsoft, Cisco Umbrella, and Kaspersky Anti-virus. We are also using Cisco ASA, Meraki switches, and a router from Cisco.

The Firepower Management Center tool is very slow. We also have the FortiGate firewalls and these tools for configuring the firewall are faster.

We have to make a change to our devices in South America. We are currently evaluating Cisco Firepower Series 1000 versus FortiGate. Firepower is more powerful than FortiGate, but FortiGate is more flexible and easier to configure. Because of our last issues with Firepower, it is possible that FortiGate is more stable.

It is a very powerful device. Firepower Management Center is a great tool, but it is a bit slow.

We don't have Cisco Umbrella integrated with Firepower. We tested Firepower's integration with Meraki Umbrella, but we don't use it because you need better firmware.

I would rate this solution as an eight (out of 10).