Cisco Secure Firewall Reviews

VPN (site to site VPN and remote access ), NAT policies, modular policy framework, detailed troubleshooting methods.

The throughput and reliability of the product improve the network stability of our organization.

Area : URL filtering and content filtering.

When Cisco ASA is presented as an enterprise firewall, that should be capable doing IPS/IDS, firewalling, VPN concentrator, application filtering, URL filtering and content filtering.

Of course, the last three technologies can do by a proxy. But nowadays, all next generation firewalls like Fortinet, Check Point, and Palo Alto are each bundling the UTM features into a single box with multiple separate content processors (hardware) to do these jobs.

This would enable single pane glass for management. No need to look at different devices for change management and troubleshooting.

I would say Cisco ASA is the best except for its URL and content filtering module. And these modules in ASA are not straightforward, rather complex in managing the device.

I've been using this solution since 2007.

No.

All product-based firewalls will encounter scalability issues. The firewall sizing is important during the sizing.

Good.

I used to work with most of the hardware firewalls, Cisco ASA is reliable and few technologies are good enough to compete for the market (VPN, Modular policy framework, NAT, etc.).

Straightforward -- console or via the interface.

Expensive when compared to other products.

Yes, all.

If you are looking into implementing VPN or advanced features, I recommend using this product. URL or content filtering is not good as much as the NGFWs are.

The AnyConnect remote access VPN gives us an easy way to deploy remote working for our users.

It all depends on the deployment scenario, as I have used ASA for specific purposes. In general, the stateful firewall feature, site to site VPN, and AnyConnect remote access VPN are always useful.

It's not perfect, and does have room for improvement with certain features.

The SSL VPN is, and always has been, painful to configure and the Java plugin does not guarantee a uniform deployment.

Certain documentation on the newer models of ASA (specifically, ASA 5500-X with FirePower services) is a little out of date and in some cases incorrect, although this may have been corrected since my last deployment.

I've never seen a firewall that didn't need an RMA at some point! And that is true of the ASA, however, the failure rate (in my experience) has always been very low with ASA's (and Cisco equipment in general).

Nope.

With Cisco TAC, you can always get an answer to technical issues, and with the thriving Cisco support forum, you can always get answers to questions even if you don't have TAC.

Not in my current organization.

I would say it's only complex if you're not familiar with either the CLI or ASDM.

So for me, it was easy, for those without Cisco CLI (or ASDM) experience, deployment can be a little daunting.

That being said, there are plenty of configuration documents available on the Cisco website that will "hold your hand" through any deployment.

Hardware and licensing can be expensive, and licensing can be a complicated affair. I would strongly recommend you speak with your distributor to ensure you choose the right license for your needs, and read the hardware comparison guide to make sure you spec the correct hardware for your specific needs.

It's great buying the latest and greatest equipment, but no so great if your engineers don't know how to operate it!

From experience, hardware purchasing is normally dependent on the technical expertise of engineers, so if all your engineers are Cisco trained, it makes no sense to buy another vendor firewall.

Spec the right hardware model and choose the right license for your needs.

Cisco next-generation firewalls are mainly used either for data center protection - north-south traffic - or internet traffic.

The application and user-visibility and control, along with very powerful IPS and malware protection, enables our clients to secure their data centers and internet perimeter in a much better way. It provides them with traffic visibility and reporting as well.

The main advantage is when you put it between users and servers internally or between different VLANs in the network. You have full visibility over the traffic, over all the internal applications. Usually, there's a lot of traffic that is not very clear and no one knows what is on their network. So, once deploy it internally, you have full visibility over the internal traffic, who's accessing what, which protocol. It can directly detect all kinds of malicious traffic, traffic that abuses bandwidth. 

It makes different kinds of internal behavior that is useful to a network admin. And for security of course: Any kind of file infection, any kind of internal scanning, internal attacks; it gives you full visibility.

Finally, you have communication of VLANs, internally, in the network, of course. So you have a granular access control based on user and application, instead of IP and port as you would have with a traditional firewall.

During the first phase of use, it was an extra module on standard Cisco ASA firewalls. It then became a standalone solution known as FTD, Firepower Threat Defense.

The Firepower IPS, based on Snort technology, has an amazing detection engine and historical analysis capability of files that eases threat investigations a lot.

I value the integration with other products (Cisco ISE, Cisco Endpoint AMP) which increases the protection intelligence within the enterprise by sharing security info between different products, which function on different layers. It furnishes fully connected security.

It also provides detection of the client operating system, which gives very good reporting and correlation with the signatures. It can relay the signature IP to the client operating system, to give a better correlation decision.

Some ASA known features are still missing, but are being added bit by bit in each new version release, such as:

• Remote Access VPN (the last release only supported the 2100 series): The next firewall model version is expected to support Remote Access VPN in the next software release in July 2017.
• Virtualization of the appliance (multiple contexts) is still missing.
• You always need an external management system, the onboard one is not very good. You have to use FMC, FirePOWER Management Center, as external software. There's always an add-on, whereas all the competition has an onboard management interface.

I would like to see more integration with third-party devices in general. There is great integration with Cisco devices, but there's not much integration with third-party devices.

We did not encounter any issues with stability. Cisco Firepower FW is very stable in all of the deployments we have made.

The scalability is very good. They have a clustering mechanism, so you can start with an appliance and then cluster, adding more bandwidth and nodes into your cluster. If you don't have a big budget you can start with a medium appliance and then cluster appliances. Or if you want to buy it all in one shot, there is a big range.

Although it allows scaling by adding multiple firewalls together (clustering), we have never used that, as all new hardware supports high-performance throughput and connections at a reasonable price.

Technical support is perfect. Cisco is always known for its good technical support. We have never had any issues with them.

As a Cisco Gold Partner, we always proposed Cisco firewalls for our clients.

The setup was straightforward. A new Cisco FTD can be set up and running in a couple of hours. If you're used to firewalls you can quickly get along with it. There is nothing complicated.

The time deploy is short. But the time to tune and create the policies involves a learning phase. Traffic changes over time, so the tuning for firewall rules has to be as granular as possible takes a bit of time. But to deploy you can go live is fast.

The strategy is to start with high-level security policies and then monitor the traffic and the applications affected. Then on the detection logs, create more granular rules.

It has a great performance-to-price value, compared to competitive solutions. Subscriptions are annual. The licensing fee and standard support are the only costs we pay for.

We did not evaluate any alternative solutions.

Make sure you tune your rules very well, as some clients just leave the firewall as it is and don't maintain the access rules or tighten them to be more granular and efficient.

In terms of maintenance, you need one person for security analysis and one to create rules and for daily support.

Class-based policing is the most important part of the ASA, and was its differentiator.

It gave us more organized DMZs and logical segments.

I’m not a fan of the new modular licensing model. Cisco moved from a base license to an a la carte SaaS model a couple of years back, wherein the customer is required to pay for feature sets on a case-by-case basis. This makes it difficult for people who want to study and trial new technologies and features.

I’ve been using ASA technology since it was PIX, so since 1999.

We have not had stability issues.

We have not had scalability issues.

Support with Cisco TAC, or with VARs like WWT and Trace3 is usually pretty good.

I have used both ASA and PAN. Different strokes for different folks.

Initial setup is straightforward. You can get as granular and complex as you want, but out of the box, ASAs provide a secure FW solution.

We evaluate all other options.

ASAs are a solid solution. Cisco provides more training and learning materials than any other vendor, which is critical if an organization wants to take true ownership of a technological solution. Documentation and use cases alone tend to make me a fan of Cisco's way of engineering, and they have come a long way over the last few years when it comes to integrating their solutions into comprehensive security communications platforms using tools like PRIME and ISE. FirePOWER and AMP make Cisco an even better overall contender for top FW status.

It is good for firewalls, management with the adaptive security device manager (ASDM), and tools such as packet tracers for troubleshooting.

It’s a really good firewall which is easy to manage, but it is not a Next Gen firewall.

Firewall functionality is the main issue when buying this product. We use it to segment our DMZs, it is stateful firewalling, is highly reliable with zero outages, and impeccable failovers during upgrades.

The ASDM is the management tool to administer the ASAs via the GUI. It has an easy to use interface with very nice troubleshooting tools, such as Packet Tracer. This tool lets you simulate a traffic flow so you can see why flows don’t work.

It is a very reliable border firewall which makes it easy for us to organize and secure our DMZs.

• The SSL VPN portal could be better.
• The ASAs support both IPSEC as an SSL VPN.
• For IPSEC you need a Cisco VPN client.
• You can only have two SSL VPN sessions.
• For more SSL sessions you have to pay (750 IPSEC sessions are included with an ASA).
• With SSL, you connect through a browser, so it is clientless. The SSL portal offers a few functionalities which you can offer a user. Configuring this portal is not an easy task.

We have been using the solution for almost five years.

We didn't encounter any issues with stability.

Scalability is limited depending on the chosen model.

I would give technical support a rating of 9/10. Cisco is one of the best, if not the best, in support.

We chose FortiGate from Fortinet as our Next Gen Firewall solution because of the higher value for our money.

The setup was easy with lots of documentation and configuration examples provided.

You have to negotiate well.

We did not evaluate any alternative options for stateful firewalling.

You will want to have Next Generation functionality, so choose FortiGate or Cisco Firepower.

The Advanced Malware Protection and Security Group Tag (SGT) are valuable features. You are able to integrate all the networks by using SGT with the pxGrid service. This is built-in technology in Cisco devices and services.

You can extend your visibility in network infrastructure for monitoring. You can absolutely give your users a better experience. When you use .1X for user authentication:

• Users login just one time
• You can control all user access to the internet, data center resources, and across the network.

After Firepower V6.1, Cisco added bandwidth shaping on the FTD product. This feature is a little bit weak. You cannot have customized shaping in different projects.

I have used this product, as well as Cisco Firepower Threat Defense, for about two years.

I have heard about some bugs, but I have never encountered any.

This product is very scalable in our experience.

It is easy to initialize. For advanced configurations, it is sometimes complicated.

The base license is delivered with the device. This license includes IPS and user authentication. You should buy a license for an IPS update. You should also buy another license for AMP and URL filtering.

These are the important licenses: BASE, IPS, AMP, and URL filtering. Apart from the base license, the other licenses are subscription based for one, three, or five years.

I evaluated many products, such as CheckPoint, Palo Alto, Fortinet Firewall, Sophos, and Cyberoam Firewall.

This product is very usable when you need integrity in your network. This product is very functional when you use a Cisco Identity Services engine.

• Site-to-site IPsec VPN
• Remote IPsec VPN
• Reverse route injection

Cisco Context gave us the feature of creating a virtual firewall, which is good. It provides us with maximum network isolation. Also impressive is the ISP redundancy.

WCCP, and URLs, in the Cisco ASA Context both need work. When changing from single mode to multiple mode or back, the commands must be done from the command line (CLI) and cannot be done via the ASDM GUI interface. ASA context should be able to support site-to-site VPN, but the current Cisco Context does not support VPN

I've used them for six years.

During the deployment of WCCP, we noted some loopholes like it only supports ports 80 & 443. Application which is running on multiple ports doesn't work with WCCP and to make it work we need to allow respective traffic outside the firewall.

Sometimes there is an issue with the site-to-site VPN.

In certain cases, like an any access-list, if we add a URL the Cisco ASA access-list does not resolve that URL while this can be done in Juniper, and Fortinet.

9/10.

9/10,

I have migrated some set-ups from Cisco to Juniper, but not from Juniper to Cisco.

We have multiple ASA firewalls for different clients now we migrated to Cisco Context.

It was done in-house.

It's 8/10.

If it is for a banking domain, your organisation should use Cisco which can assure better security than any other vendors' products. Also, they have the best documentation, reliability and support.