Network Engineer at a financial services firm with 5,001-10,000 employees
Real User
Helps us to manage the security policies in different areas of our network
Pros and Cons
  • "I haven't had any major problems so I haven't had to open a ticket with technical support."
  • "In the past though, colleagues have had issues during the upgrade process. The failover didn't work and production was down."

What is our primary use case?

We use it on several layers of our network like in the border, internet edge, DMZ, some extranet parts of our network, and in the data center.

How has it helped my organization?

It's a reliable solution and a stable firewall. It helps us to manage the security policies in different areas of our network. 

What is most valuable?

We use ASA as a simple, scalable firewall. Its main advantage is its stability. We use it as an active/standby failover solution. We depend on this solution; we've used it for several years.

What needs improvement?

  • Interaction with the equipment
  • Different interface with the product 
  • A more simple procedure in delivering policies to the equipment  
  • Simplified upgrade procedure
  • Tracking flows
  • Monitoring and logs should be easier.
Buyer's Guide
Cisco Secure Firewall
November 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,562 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's quite stable. In the past though, colleagues have had issues during the upgrade process. The failover didn't work and production was down. 

What do I think about the scalability of the solution?

It's not so scalable.

How are customer service and support?

I haven't had any major problems so I haven't had to open a ticket with technical support. 

How was the initial setup?

The initial setup was not so complex. Most of it was straightforward. We just needed to discuss different scenarios that we had to consider regarding the deployment scenario, what could go wrong and what could happen in the future. 

What about the implementation team?

We used Telekom Romania for the deployment. We did most of the job internally but they helped us to clarify some aspects regarding the architecture design.

Which other solutions did I evaluate?

We also considered Check Point. We chose Cisco because of its capabilities. We didn't need something so complex for this solution, just a straightforward firewall. It met our requirements. 

What other advice do I have?

I would rate it a nine out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
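The reviewer above runs ASA as an active/standby pair and recalls an upgrade where failover did not take over. The check a practitioner wants before starting such an upgrade is that the mate is actually Standby Ready and every monitored interface on both units is healthy. The script below is an added example, not code from the reviewer or from Cisco: it parses the text of `show failover` captured from the active unit and refuses to bless the upgrade unless the pair is clean. The sample output is constructed for this example; the regexes follow the layout of real `show failover` output but are an assumption to verify against your own platform and version.

```python
"""Pre-upgrade failover sanity check for a Cisco ASA active/standby pair.

Added example (not the reviewer's or Cisco's code). Paste the output of
`show failover` from the ACTIVE unit into parse_show_failover(); it reports
anything that would make a hitless upgrade risky. Assumed output layout:
  Version: Ours <ver>, Mate <ver>
  This host: Primary - Active
    Interface <name> (<ip>): <state> (Monitored|Waiting|Not-Monitored)
  Other host: Secondary - Standby Ready
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a healthy-looking pair with one failed monitored
# interface on the standby unit, the exact condition that makes an
# "active unit swap" during upgrade fail for that segment.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Version: Ours 9.12(4)37, Mate 9.12(4)37
Last Failover at: 10:41:12 UTC Mar 3 2024
        This host: Primary - Active
                Active time: 864000 (sec)
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (10.0.0.1): Normal (Monitored)
                  Interface dmz (192.0.2.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (203.0.113.3): Normal (Monitored)
                  Interface inside (10.0.0.2): Normal (Monitored)
                  Interface dmz (192.0.2.2): Failed (Waiting)
"""

VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (.+?)\s*$")
# "<state>" may contain a space ("No Link"), hence the lazy [\w ]*? group.
IFACE_RE = re.compile(
    r"^\s*Interface (\S+) \(([\d.]+)\): (\w[\w ]*?) \((Monitored|Waiting|Not-Monitored)\)"
)


@dataclass
class FailoverReport:
    failover_on: bool = False
    our_version: str = ""
    mate_version: str = ""
    this_state: str = ""
    other_state: str = ""
    # (host, interface name) -> "<state> (<monitoring>)"
    interfaces: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    @property
    def upgrade_safe(self) -> bool:
        return not self.problems


def parse_show_failover(text: str) -> FailoverReport:
    """Parse `show failover` text and collect upgrade blockers."""
    rpt = FailoverReport()
    current_host = None
    for line in text.splitlines():
        if line.startswith("Failover On"):
            rpt.failover_on = True
            continue
        m = VERSION_RE.match(line)
        if m:
            rpt.our_version, rpt.mate_version = m.groups()
            continue
        m = HOST_RE.match(line)
        if m:
            current_host = m.group(1).lower()  # "this" or "other"
            if current_host == "this":
                rpt.this_state = m.group(3)
            else:
                rpt.other_state = m.group(3)
            continue
        m = IFACE_RE.match(line)
        if m and current_host:
            rpt.interfaces[(current_host, m.group(1))] = f"{m.group(3)} ({m.group(4)})"

    if not rpt.failover_on:
        rpt.problems.append("failover is not enabled")
    if rpt.this_state != "Active":
        rpt.problems.append(f"this host is '{rpt.this_state}'; run the check on the active unit")
    if rpt.other_state != "Standby Ready":
        rpt.problems.append(f"mate is '{rpt.other_state}', not Standby Ready")
    # Versions legitimately differ half-way through a hitless upgrade; this
    # check is meant for the moment BEFORE you start.
    if rpt.our_version != rpt.mate_version:
        rpt.problems.append(f"version mismatch: ours {rpt.our_version}, mate {rpt.mate_version}")
    for (host, name), state in rpt.interfaces.items():
        if state != "Normal (Monitored)":
            rpt.problems.append(f"{host} host interface {name} is {state}")
    return rpt


if __name__ == "__main__":
    report = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    for p in report.problems:
        print("BLOCKER:", p)
    print("upgrade safe:", report.upgrade_safe)
```

Run it against the real output first; a "Normal (Waiting)" or "Failed (Waiting)" interface on the standby is the classic reason a swap looks fine on the console and still drops production traffic on that segment.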
Technical Specialist with 5,001-10,000 employees
Real User
The throughput and reliability of the product improve the network stability of our organization.

What is most valuable?

VPN (site-to-site VPN and remote access), NAT policies, the modular policy framework, and detailed troubleshooting methods.

How has it helped my organization?

The throughput and reliability of the product improve the network stability of our organization.

What needs improvement?

Area: URL filtering and content filtering.

When Cisco ASA is presented as an enterprise firewall, it should be capable of doing IPS/IDS, firewalling, VPN concentration, application filtering, URL filtering and content filtering.

Of course, the last three can be done by a proxy. But nowadays, all next-generation firewalls like Fortinet, Check Point, and Palo Alto bundle the UTM features into a single box with multiple separate content processors (hardware) to do these jobs.

This would enable a single pane of glass for management. No need to look at different devices for change management and troubleshooting.

I would say Cisco ASA is the best except for its URL and content filtering module. These modules in ASA are not straightforward; they make managing the device rather complex.

What was my experience with deployment of the solution?

I've been using this solution since 2007.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

All product-based firewalls will encounter scalability issues. Firewall sizing is important during the design.

How are customer service and technical support?

Good.

Which solution did I use previously and why did I switch?

I have worked with most of the hardware firewalls. Cisco ASA is reliable, and a few of its technologies are good enough to compete in the market (VPN, Modular Policy Framework, NAT, etc.).

How was the initial setup?

Straightforward, via the console or via the interface.

What's my experience with pricing, setup cost, and licensing?

Expensive when compared to other products.

Which other solutions did I evaluate?

Yes, all.

What other advice do I have?

If you are looking into implementing VPN or advanced features, I recommend using this product. URL or content filtering is not as good as in the NGFWs.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user700158 - PeerSpot reviewer
Senior Network Security Engineer at a university
Vendor
Spec the right hardware model and choose the right license for your needs.
Pros and Cons
  • "The AnyConnect remote access VPN gives us an easy way to deploy remote working for our users."
  • "The SSL VPN is, and always has been, painful to configure and the Java plugin does not guarantee a uniform deployment."

How has it helped my organization?

The AnyConnect remote access VPN gives us an easy way to deploy remote working for our users.

What is most valuable?

It all depends on the deployment scenario, as I have used ASA for specific purposes. In general, the stateful firewall feature, site to site VPN, and AnyConnect remote access VPN are always useful.

What needs improvement?

It's not perfect, and does have room for improvement with certain features.

The SSL VPN is, and always has been, painful to configure and the Java plugin does not guarantee a uniform deployment.

Certain documentation on the newer models of ASA (specifically, ASA 5500-X with FirePower services) is a little out of date and in some cases incorrect, although this may have been corrected since my last deployment.

What do I think about the stability of the solution?

I've never seen a firewall that didn't need an RMA at some point! And that is true of the ASA; however, the failure rate (in my experience) has always been very low with ASAs (and Cisco equipment in general).

What do I think about the scalability of the solution?

Nope.

How are customer service and technical support?

With Cisco TAC, you can always get an answer to technical issues, and with the thriving Cisco support forum, you can always get answers to questions even if you don't have TAC.

Which solution did I use previously and why did I switch?

Not in my current organization.

How was the initial setup?

I would say it's only complex if you're not familiar with either the CLI or ASDM.

So for me, it was easy, for those without Cisco CLI (or ASDM) experience, deployment can be a little daunting.

That being said, there are plenty of configuration documents available on the Cisco website that will "hold your hand" through any deployment.

What's my experience with pricing, setup cost, and licensing?

Hardware and licensing can be expensive, and licensing can be a complicated affair. I would strongly recommend you speak with your distributor to ensure you choose the right license for your needs, and read the hardware comparison guide to make sure you spec the correct hardware for your specific needs.

Which other solutions did I evaluate?

It's great buying the latest and greatest equipment, but not so great if your engineers don't know how to operate it!

From experience, hardware purchasing is normally dependent on the technical expertise of engineers, so if all your engineers are Cisco trained, it makes no sense to buy another vendor firewall.

What other advice do I have?

Spec the right hardware model and choose the right license for your needs.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Member of the Board of Directors at a tech services company with 1,001-5,000 employees
Consultant
Class-based policing is the most important part of the ASA, and was its differentiator.

What is most valuable?

Class-based policing is the most important part of the ASA, and was its differentiator.

How has it helped my organization?

It gave us more organized DMZs and logical segments.

What needs improvement?

I’m not a fan of the new modular licensing model. Cisco moved from a base license to an a la carte SaaS model a couple of years back, wherein the customer is required to pay for feature sets on a case-by-case basis. This makes it difficult for people who want to study and trial new technologies and features.

For how long have I used the solution?

I’ve been using ASA technology since it was PIX, so since 1999.

What do I think about the stability of the solution?

We have not had stability issues.

What do I think about the scalability of the solution?

We have not had scalability issues.

How are customer service and technical support?

Support with Cisco TAC, or with VARs like WWT and Trace3 is usually pretty good.

Which solution did I use previously and why did I switch?

I have used both ASA and PAN. Different strokes for different folks.

How was the initial setup?

Initial setup is straightforward. You can get as granular and complex as you want, but out of the box, ASAs provide a secure FW solution.

Which other solutions did I evaluate?

We evaluate all other options.

What other advice do I have?

ASAs are a solid solution. Cisco provides more training and learning materials than any other vendor, which is critical if an organization wants to take true ownership of a technological solution. Documentation and use cases alone tend to make me a fan of Cisco's way of engineering, and they have come a long way over the last few years when it comes to integrating their solutions into comprehensive security communications platforms using tools like PRIME and ISE. FirePOWER and AMP make Cisco an even better overall contender for top FW status.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user579180 - PeerSpot reviewer
Networking Specialist at an insurance company with 1,001-5,000 employees
Vendor
Provides management with the adaptive security device manager.

What is most valuable?

It is good for firewalls, management with the Adaptive Security Device Manager (ASDM), and tools such as Packet Tracer for troubleshooting.

It’s a really good firewall which is easy to manage, but it is not a Next Gen firewall.

Firewall functionality is the main issue when buying this product. We use it to segment our DMZs; it is stateful firewalling, highly reliable with zero outages, and has impeccable failovers during upgrades.

The ASDM is the management tool to administer the ASAs via the GUI. It has an easy to use interface with very nice troubleshooting tools, such as Packet Tracer. This tool lets you simulate a traffic flow so you can see why flows don’t work.

How has it helped my organization?

It is a very reliable border firewall which makes it easy for us to organize and secure our DMZs.

What needs improvement?

  • The SSL VPN portal could be better.
  • The ASAs support both IPsec and SSL VPN.
  • For IPsec you need a Cisco VPN client.
  • You can only have two SSL VPN sessions.
  • For more SSL sessions you have to pay (750 IPsec sessions are included with an ASA).
  • With SSL, you connect through a browser, so it is clientless. The SSL portal offers a few functionalities which you can offer a user. Configuring this portal is not an easy task.

For how long have I used the solution?

We have been using the solution for almost five years.

What do I think about the stability of the solution?

We didn't encounter any issues with stability.

What do I think about the scalability of the solution?

Scalability is limited depending on the chosen model.

How are customer service and technical support?

I would give technical support a rating of 9/10. Cisco is one of the best, if not the best, in support.

Which solution did I use previously and why did I switch?

We chose FortiGate from Fortinet as our Next Gen Firewall solution because of the higher value for our money.

How was the initial setup?

The setup was easy with lots of documentation and configuration examples provided.

What's my experience with pricing, setup cost, and licensing?

You have to negotiate well.

Which other solutions did I evaluate?

We did not evaluate any alternative options for stateful firewalling.

What other advice do I have?

You will want to have Next Generation functionality, so choose FortiGate or Cisco Firepower.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Network Designer at ODI
Real User
You can extend your visibility in network infrastructure for monitoring.

What is most valuable?

The Advanced Malware Protection and Security Group Tag (SGT) are valuable features. You are able to integrate all the networks by using SGT with the pxGrid service. This is built-in technology in Cisco devices and services.

How has it helped my organization?

You can extend your visibility in network infrastructure for monitoring. You can absolutely give your users a better experience. When you use 802.1X for user authentication:

  • Users login just one time
  • You can control all user access to the internet, data center resources, and across the network.

What needs improvement?

After Firepower V6.1, Cisco added bandwidth shaping on the FTD product. This feature is a little bit weak. You cannot have customized shaping in different projects.

For how long have I used the solution?

I have used this product, as well as Cisco Firepower Threat Defense, for about two years.

What do I think about the stability of the solution?

I have heard about some bugs, but I have never encountered any.

What do I think about the scalability of the solution?

This product is very scalable in our experience.

How was the initial setup?

It is easy to initialize. For advanced configurations, it is sometimes complicated.

What's my experience with pricing, setup cost, and licensing?

The base license is delivered with the device. This license includes IPS and user authentication. You should buy a license for an IPS update. You should also buy another license for AMP and URL filtering.

These are the important licenses: BASE, IPS, AMP, and URL filtering. Apart from the base license, the other licenses are subscription based for one, three, or five years.

Which other solutions did I evaluate?

I evaluated many products, such as CheckPoint, Palo Alto, Fortinet Firewall, Sophos, and Cyberoam Firewall.

What other advice do I have?

This product is very usable when you need integrity in your network. This product is very functional when you use a Cisco Identity Services engine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user264462 - PeerSpot reviewer
Technology Analyst/Lead at a tech services company with 10,001+ employees
Real User
It currently does not support VPN, but I like the documentation, reliability, and support.

What is most valuable?

  • Site-to-site IPsec VPN
  • Remote IPsec VPN
  • Reverse route injection

How has it helped my organization?

Cisco Context gave us the feature of creating a virtual firewall, which is good. It provides us with maximum network isolation. Also impressive is the ISP redundancy.

What needs improvement?

WCCP and URLs in the Cisco ASA context both need work. When changing from single mode to multiple mode or back, the commands must be entered from the command line (CLI) and cannot be done via the ASDM GUI. ASA context should be able to support site-to-site VPN, but the current Cisco Context does not support VPN.

For how long have I used the solution?

I've used them for six years.

What was my experience with deployment of the solution?

During the deployment of WCCP, we noted some loopholes, like it only supporting ports 80 and 443. An application which is running on multiple ports doesn't work with WCCP, and to make it work we need to allow the respective traffic outside the firewall.

What do I think about the stability of the solution?

Sometimes there is an issue with the site-to-site VPN.

What do I think about the scalability of the solution?

In certain cases, like in an access-list, if we add a URL the Cisco ASA access-list does not resolve that URL, while this can be done in Juniper and Fortinet.

How are customer service and technical support?

Customer Service:

9/10.

Technical Support:

9/10.

Which solution did I use previously and why did I switch?

I have migrated some set-ups from Cisco to Juniper, but not from Juniper to Cisco.

How was the initial setup?

We have multiple ASA firewalls for different clients; now we have migrated to Cisco Context.

What about the implementation team?

It was done in-house.

What was our ROI?

It's 8/10.

What other advice do I have?

If it is for a banking domain, your organisation should use Cisco, which can assure better security than any other vendor's products. Also, they have the best documentation, reliability and support.

Disclosure: My company has a business relationship with this vendor other than being a customer: Channel partner
PeerSpot user
Security Consultant at Webernetz.net - Network Security Consulting
Consultant
Cisco ASA vs. Palo Alto Networks

Cisco ASA vs. Palo Alto: Management Goodies

You often have comparisons of both firewalls concerning security components. Of course, a firewall must block attacks, scan for viruses, build VPNs, etc. However, in this post I am discussing the advantages and disadvantages from both vendors concerning the management options: How to add and rename objects. How to update a device. How to find log entries. Etc.

Cisco ASA

  • Fast Management Suite: The ASDM GUI is really fast. You do not have to wait for the next window if you click on a certain button. It simply appears directly. On the Palo, each entry to add, e.g., an application inside a security rule, takes a few seconds.
  • Better “Preview CLI Commands”: I am always checking the CLI commands before I send them to the firewall. On the Cisco ASA, they are quite easy to understand. I know, Palo Alto also offers the “Preview Changes”, but it takes a bit more time to recognize all XML paths.
  • Better CLI Commands overall: For Cisco admins it is very easy to parse a “show run” and to paste some commands into another device. This is not that easy on a Palo Alto firewall. First, you must change the config-output format, and second, you cannot simply paste many lines into another device, since the ordering of these lines is NOT correct by default. That is, it simply doesn’t work.
  • ACL Hit Count: I like the hit counts per access list entry in the GUI. It quickly reveals which entries are used very often and which ones are never used. On the Palo, you can only highlight the never used ones. Furthermore, the CLI on the ASA splits each ACL into the real objects with individual counters. Great!
  • Many SNMP OIDs: There are many options to monitor the ASA via SNMP. On the Palo Alto, e.g., you can not monitor sub-interfaces. This is really bad. Only the bare metal ethernet ports reveal counters.

Palo Alto PA

  • Out-of-Band Management Interface: Even the smallest PA-200 device has its own management interface with its own routing table (default route). This makes it easier to permit/deny admin accesses to this host. E.g., there is no confusion between an access to the SSL VPN and an access to the management GUI since they reside on different interfaces and IP addresses.
  • Browser-based GUI: No Java, no client. Just a simple browser. It is also manageable through SSL VPN portals.
  • In-Band Interface Management Profiles: On the ASA, every access through different interfaces and different protocols needs its own line to be configured (Management Access -> ASDM/HTTPS/Telnet/SSH). Management access is denied per default, while ping is allowed by default. Both must be set in different menus. Not on the Palo: Interface Mgmt with a few clicks and optional IP addresses, configurable on several interfaces.
  • –> Single Security Policy: All interfaces AND site-to-site VPNs are in zones. All security policies between these zones are in one security policy. On the ASA, you don’t have the ACLs for the VPNs in the ACL view of the interfaces since you must specify extra ACLs to the group policy of the VPN.
  • Zone Based Security Policies: A policy from zone A to zone B only takes effect for this pair of zones. The “incoming interface” policies on the ASA always have a destination of “any” zone. Though the destination addresses can be limited, it is more complicated to configure the policies if there are several interfaces in use (and not only inside and outside).
  • Network Objects in Slash-Notation: Add a host or a network object by typing “1.2.3.0/24”. On the ASA, you have three fields for the same object: host or network, IP address of the network, and netmask (in 255.x.x.x notation!) for the network.
  • Tags: A simple but useful feature are the coloured tags that can be used in policies and objects. With these tags, temporary policies or the like can easily be marked.
  • –> Managing all Un-Commited Changes: One of the best features! Configuration changes can be done in any menu of the Palo Alto, showing the candidate config in all other menus right now, even without a commit. If you rename an object here, it is visible with this new name there. (Try to change the IP-address and the default gateway on a remote Cisco ASA firewall by one step. You won’t succeed until you are using the CLI.)
  • Simple Renaming of almost Everything: (Except subinterfaces) Address objects, address groups, zones, security profiles, IPsec tunnels – everything can be renamed. Try to rename an IPsec connection profile on the ASA. Or an interface name. It won’t work or you will get tons of CLI changes.
  • History of Configuration Changes: Ever tried to revert to the config from last day? No problem: Load configuration version.
  • Configuration Log: Ever wondered who changed something? Here it is: Monitor -> Logs -> Configuration. An exact list of all configuration changes with the name of the administrator.
  • Config Audit: Comparison of two configurations, such as of the running-config and any other historical config on the device. Great feature to find certain configuration changes.
  • –> Traffic Log Filtering: This is one of the MAJOR advantages of a Palo Alto GUI. It is really simple to click some objects to filter the traffic log. Or to build more precise filters. “eq” and “neq” are your friends. ;) Forget the Real-Time Log Viewer from Cisco.
  • Adjust Columns: Or even the possibility to adjust the columns. On the ASDM GUI from Cisco, some pages are per default to small to show the relevant values, e.g., the Monitoring -> Routing -> Routes pane.
  • Application Command Center: A simple but useful monitoring tool within the GUI. You are searching for the IP that generates high traffic load during the last hour? Here you will find it. What source country is responsible for the attacks during the last week? Here you go.
  • –> Route-Based VPN: A site-to-site VPN connection is built by two gateways, independent of the traffic being routed through the tunnel. Numbered tunnel-interfaces can be used to ping the tunnel endpoint of the other side. The decision where to route the traffic is based on the routing table and not on a policy. The Cisco firewall uses policy-based VPNs in which the Proxy-IDs per connection define the tunneled networks. A bit unhandy.
  • –> IKE Policy per VPN: Every gateway has its own IKE profile configured. Different IKE settings can be used for different VPNs. The Cisco has global IKE parameters.
  • Own Zones for VPNs: Site-to-Site VPNs can be in extra zones. On the ASA, VPNs are always associated with the “outside” interface, which is complicated for using NAT policies.
  • Reasonable Default Crypto Settings: The default groups for the IPsec phase 1 and phase 2 crypto profiles have almost secure settings. Very good compared to the Cisco ASA, which really installs a few default profiles, e.g., an IKE policy with an encryption algorithm of “DES”. Yes, not 3DES, but only simple DES! Oh oh.
  • Retrieve License Keys from Server: Really cool feature. And very easy to use for the customer. Once the authorization code is added in the Palo Alto support portal, the firewall can retrieve its license via https. No need for any further activation keys.
  • Built-In Software Archive: Firmware versions can be downloaded directly through the GUI. No need for further logins, downloads from the vendor page and uploads to the unit. Just “Download” and “Install”.
  • Enough Disk Space for several Software Images: On my (small) Cisco ASA 5505, the built-in flash disk has only 128 MB. That is, I cannot even do a simple software upgrade because the free disk space does not fit two ASA images. (I have an ASA and ASDM image as well as three AnyConnect images on the flash memory.) What a mess!
  • Sync Software to HA Member: Every software that is downloaded on the primary firewall can automatically be synced to the secondary device. This is not true on the Cisco ASA, which is really annoying when it comes to AnyConnect remote access VPN client images. If these are not uploaded manually on the second device, the other HA unit will not terminate VPN tunnels in case of a HA active-unit swap. Oh oh!
  • HA Status in GUI: With the High Availability widget, the status of the HA is visualized with green/orange/red bubbles. It shows which unit is the active/standby one. Since the PA has a real OoB management, the admin can access both devices simultaneously and can see which hardware is the active and the passive one. The Cisco ASA swaps its IP addresses and has no OoB management, so it is harder to see which hardware is the primary and the secondary one, since its IP addresses swap, too.
  • NTP Servers with Names: I know that NTP servers should be set via IP addresses to not rely on another service (DNS), but it is much easier to use names such as de.pool.ntp.org or the like. This can be done on the Palo Alto, but not on the Cisco firewall.
  • No “bring to top” GUI: During the start of Cisco’s ASDM, it always brings its GUI to the top of all windows. In my opinion, this is annoying. During the 30-60 seconds until the whole device config is loaded into the GUI, I am working on other things. But these are generally disrupted from the highlighting of the ASDM GUI. This does not happen with the Palo Alto GUI which is in one tab of my browser.

(The major advantages are marked with an –> arrow.)

Summary

In summary, I really love the management GUI from the Palo Alto. Not hard, given the list of more than 20 advantages over the Cisco ASA platform. ;) Though it is slower than the ASDM GUI from Cisco, it offers much more useful capabilities for the daily work. Great!

Originally published on blog.webernetz.net.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user603888 - PeerSpot reviewer
Sr. Information Security Officer (ISO) at a financial services firm with 501-1,000 employees
Vendor

Mostly, enterprise firms are using both; Palo Alto would be used for core and gateway traffic.

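Three of the points in the comparison above are easy to turn into a repeatable check on an ASA you already operate: the default IKE policies that still carry DES, the per-entry ACL hit counters, and the 255.x.x.x netmask notation. The script below is an added example, not code from the post's author or from Cisco. It works on plain text copied from `show running-config crypto ikev1` and `show access-list`, so it needs no device API. The sample text is constructed for this example; the `crypto ikev1 policy` block layout, the `(hitcnt=N)` field and the weak-algorithm sets are assumptions to verify against your own ASA version and crypto policy.

```python
"""Audit helper for an ASA config: weak IKEv1 policies and never-hit ACL lines.

Added example (not the post author's or Cisco's code). Inputs are the text
of `show running-config crypto ikev1` and `show access-list`. Assumed layout:
  crypto ikev1 policy <n>        followed by indented "<key> <value>" lines
  access-list <name> line <n> <rule> (hitcnt=<count>) 0x<hash>
Expanded object-group members in `show access-list` are indented and are
skipped so that each rule is reported once.
"""
import ipaddress
import re

# Constructed sample: policy 10 is the kind of DES default the post complains
# about; policy 20 is a reasonable modern policy.
SAMPLE_IKEV1 = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
"""

# Constructed sample of `show access-list`; line 2 has never matched.
SAMPLE_ACL = """\
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host 203.0.113.10 eq https (hitcnt=48213) 0x1a2b3c4d
access-list outside_access_in line 2 extended permit tcp any host 203.0.113.11 eq 8443 (hitcnt=0) 0x5e6f7a8b
access-list outside_access_in line 3 extended permit udp any host 203.0.113.12 eq 500 (hitcnt=2) 0x9c0d1e2f
"""

# Assumed policy: DES and 3DES (Sweet32) ciphers, MD5, and DH groups of
# 1536 bits or less are treated as weak. Adjust to your own baseline.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)\s*$")
ACL_LINE_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)")


def parse_ikev1_policies(text: str) -> dict:
    """Return {policy_number: {"encryption": ..., "hash": ..., "group": ...}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        m = POLICY_RE.match(raw)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is not None and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            current[key] = value
    return policies


def weak_ikev1_policies(policies: dict) -> list:
    """Return [(policy_number, [reasons])] for policies using weak parameters."""
    findings = []
    for num, p in sorted(policies.items()):
        reasons = []
        if p.get("encryption") in WEAK_ENCRYPTION:
            reasons.append(f"encryption {p['encryption']}")
        if p.get("hash") in WEAK_HASH:
            reasons.append(f"hash {p['hash']}")
        if p.get("group") in WEAK_DH_GROUPS:
            reasons.append(f"group {p['group']}")
        if reasons:
            findings.append((num, reasons))
    return findings


def unused_acl_entries(show_access_list: str) -> list:
    """Return [(acl_name, line_number, rule_text)] for entries with hitcnt=0."""
    unused = []
    for line in show_access_list.splitlines():
        m = ACL_LINE_RE.match(line)  # anchored: skips indented expansions
        if m and int(m.group(4)) == 0:
            unused.append((m.group(1), int(m.group(2)), m.group(3)))
    return unused


def asa_subnet_to_cidr(subnet_line: str) -> str:
    """Convert ASA "<network> <netmask>" (e.g. from `subnet 10.1.2.0 255.255.255.0`) to slash notation."""
    addr, mask = subnet_line.split()
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))


if __name__ == "__main__":
    for num, reasons in weak_ikev1_policies(parse_ikev1_policies(SAMPLE_IKEV1)):
        print(f"WEAK crypto ikev1 policy {num}: {', '.join(reasons)}")
    for name, line, rule in unused_acl_entries(SAMPLE_ACL):
        print(f"UNUSED {name} line {line}: {rule}")
    print(asa_subnet_to_cidr("10.1.2.0 255.255.255.0"))
```

Hit counters reset on reload and on `clear access-list ... counters`, so an entry with `hitcnt=0` is only evidence of being unused once the box has been up long enough to cover your traffic patterns; check `show version` uptime before removing anything.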