Cisco Secure Firewall Reviews

We are Cisco partners. We have been selling Cisco products for more than 25 years, and we are a major player in various African markets, such as Morocco and French-speaking countries in Africa.

We have been offering a wide range of Cisco-branded security products. The most important ones were the ASA firewalls, and now, we have the next-generation ones, XDR, and all the applications or all hybrid security solutions offered by Cisco, including Umbrella, on-premise Identity Service Engine, and all the other third-party solutions.

Our main objective is to show customers the added value of Cisco products and how they can tackle all the security issues and all the threats or the cyber security issues rising on a daily basis nowadays. Cisco Talos, for instance, is something that we propose, and we also propose all the restrictions to be up-to-date. Cisco's ecosystem is very wide in security, so we have very good use cases. 

In the beginning, customers used to implement ASA firewalls mainly as the network firewall in data centers, branch offices, all locations, and also in the DMZ. Nowadays, the perspective has changed, and also with the design requirement, the nature of the cloud hybrid solutions leads us to use more sophisticated tools based in the cloud, but we still cover all the security aspects from the branch office to the data centers.

Cisco adds value by providing various solutions such as Umbrella and Duo. It's a combination. An existing firewall system only protects or controls flow on a daily basis in a normal production environment, but when it comes to security threats, we need to add more components. This is why Cisco is offering a wide range of products. Cisco is completely handling all the aspects from end to end with micro-segmentation, for instance. Identity Service Engine can handle the end-users' protection, and in the end, for the data center, we have different tools, and this is how we can cover end-to-end solutions.

The most valuable feature is IPS. It's a feature that's very interesting for tackling the most current attacks. We also have Umbrella with Secure DNS because all the threats nowadays are coming from email servers. We also have the DSA solution to limit the threats coming from ransomware. Combining all of these with Talos provides the best security solution.

It's a question of performance. When we talk about data centers, we are talking about 100 gig capacity or 400 gig capacity. When it comes to active-active solution clustering and resilience and performance, Cisco should look into these a little bit more.

We have been offering Cisco Security firewalls from the beginning of ASA, which was more than 20 years ago. We then started offering all types of firewalls, including the ones for data centers and then the next-generation firewalls.

The stability of the Cisco firewalls is the best in my opinion. We used to have ASA firewalls running for more than five years. Even when we did software upgrades, we had a very stable platform providing high performance without any outage, so customers can rely on Cisco firewall solutions.

For daily operations and projects, scalability is very important. Cisco provides a way of mixing and clustering firewalls to enhance scalability. We have many ways to scale, and as our clients grow, we can have the Cisco firewall solution grow as well.

We work with different vendors based on customer needs. We have a specification that we need to have a combination of different vendors, which is the best practice in the data center architecture and design. We cannot have one vendor at all levels, and we should have a combination. 

As a vendor, Cisco has a complete range of products to handle all the security aspects. When I look at the architecture design, the implementation of Cisco firewalls is the best. We have data centers based on Nexus for instance. We have routing components. All the compliance and architectural design requirements are met, and we can meet the customer needs according to the Cisco design guide and validation guide. When we look at the security aspect and the guidelines in terms of next-generation firewalls, in terms of redundancy on both sites or multi-sites, we have better performance with Cisco than other vendors in some cases.

Our customers use Cisco firewalls mainly in data centers, branch offices, and campus environments. They don't only use basic firewalls. They also use next-generation firewalls, which have email control, web filtering, and IPS. So, we have Cisco firewalling at all levels for providing the strongest protection policy.

The deployment of Cisco firewalls is very easy so far. We have the security expertise and all the knowledge that we need to deploy them and secure our customers' facilities. Networking and architecture are not really complicated, but you need a well-defined plan before doing implementation and going live.

Based on my 25 years of experience, 100% of our ROI expectations are met with Cisco products. The equipment is strong enough, stable, and well-developed. We have had the equipment running for more than five years without any outages, which leads to lesser costs of operations. There is also a reduction in cost in terms of upgrades or replacements, and this is why the ROI expectations have been met.

With the bundling mode with Duo licensing, it's now better. It's better to have one simplified global licensing mode, and this is what Cisco has done with bundling. The next-generation firewalls include a set of features such as filtering, emails, and IPS. This combination offers the best way for customers to manage their operating expenses.

One way to evaluate Cisco products is by looking at the experience. Gartner provides a good overview of Cisco products based on customer feedback, but the best way is by trying the product. Try-and-buy is a good model. Nowadays, all customers, enterprise service providers, and ISPs, are aware of Cisco solutions. They don't just purchase based on the technical specifications.

As a Cisco partner for over 25 years, we provide value by bringing our experience. We have worked so far with a different range of products, from the oldest Cisco firewall to the newest one, and we continue to promote them through design recommendation, capacity specification, deployment, engineering, high-level design, low-level design, migration, go-live, and maintenance and support. We cover the whole lifecycle of a product.

Our partnership with Cisco is a win-win partnership. Cisco provides us with the latest experiences and latest solutions, and on the other hand, we are doing business with our customers by using Cisco products, so it's a win-win relationship with Cisco, which leads to enhancing, promoting, and excelling in Cisco products. I would tell Cisco product managers to go fast with security platforms. Other vendors are going fast as well, and we need product managers to tackle the performance and capacity issues. It's not really an issue in itself, but it's something that can enhance and bring Cisco to the first place in security solutions.

I'd rate it an eight out of ten. The reason why I didn't give it a ten is that they have to make it better in terms of the capacity and performance for the 10 gig interface, 40 gig interface, and 100 gig interface, and in terms of how many ports and interfaces we have on appliances.

We use ASA Firewall to protect 250 to 300 devices, including workspaces and servers.

All the rules are secure and we haven't had a significant malware attack in the five years that we've been using ASA Firewall. It is a tremendous improvement for our network. However, I can't quantify the benefits in monetary terms. 

I like the ease of administration and the overall speed of processing web traffic. The modules help protect and administer web traffic. ASA Firewall's deep packet inspection gives me visibility regardless of whether I have the agent installed on all the workstations. I can see incoming web traffic and control access to suspicious or dangerous sites. I can apply a filter or make rules to restrict categories of websites.

Setting firewall network rules should be more straightforward with a clearer graphical representation. The rule-setting method seems old-fashioned. The firewall and network rules are separate from the Firepower and web access rules. You can access the firewall rules through the Cisco ASDM application, not the web client. I'm using an older version, and I'm sure this issue will improve in the next edition.

Micro-segmentation is somewhat complex. It's not easy, but it's not too difficult, either, so it's somewhere in the middle. I used micro-segmentation for 10 or 15 VLANs, and ASA Firewall acts as a router for those VLANs. The visibility offered by micro-segmentation is pretty poor. It's not deep enough. 

I have been using ASA Firewall for five years.

ASA Firewall is a stable solution.

I don't think ASA Firewall is very scalable. It depends on the models and the license. However, it's pretty simple to update and upgrade the models, so I would say it's moderately scalable. 

I worked with Cisco's technical support from the beginning and it was excellent. I rate Cisco support 10 out of 10. 

Positive

Previously, I used some Linux Servers with a software firewall for 20 years.
It was a Microsoft firewall, but I don't remember the name. It was a server that I had to install on the gateway.

Deploying ASA Firewall was complex because I needed to install an ESXi machine to implement the Firepower module. That was relatively complicated, and it took two or three days to complete the installation and verification.

I worked with a consultant who sold me the product and helped me with minor issues as needed. 

In the past, the company experienced multiple ransomware attacks, but we haven't seen any since installing ASA Firewall. It was a huge improvement. It's hard to quantify that in financial terms, but we had 40 or 50 machines damaged. 

I'm not sure precisely how much ASA Firewall costs, but I know it's a little more expensive than other solutions. I rate it seven out of ten for affordability. 

I learned about Fortinet and Palo Alto firewalls. I think FortiGate is easier to set up and manage. At the same time, Cisco firewalls are pretty secure and reliable. I think the ASA Firewall is in the top five.

I rate Cisco ASA Firewall eight out of ten. 

We use it for data center security for both the north-south and east-west.

With Firepower, you get the next-generation functionality and the next-generation firewall features. Traditionally, when you have a layer three access list, it's really tricky to get the flexibility you need to allow staff to do what they need to do with their apps without being too prescriptive with security. When Firepower comes in, you get much more flexibility and deeper security. They were mutually exclusive previously but are not so much anymore.

We have, probably, 20,000 to 25,000 end users going through the firewalls. Physical locations-wise, there are four data centers in Northern Europe, and the other locations are in the public cloud, that is, Azure and AWS.

It has improved the organization because we now have more flexibility with deployment, and we can deploy solutions quickly and more securely. As a result, we're improving the time to implement change.

The deep packet inspection is useful, but the most useful feature is application awareness. You can filter on the app rather than on a static TCP port.

Licensing is complex, and I'd like it to be simplified. This is an area for improvement.

If we could create a Firepower solution that became like an SD-WAN or a SASE solution in a box, then perhaps we could exploit that on remote sites. We've already kind of got that with Meraki, but if we could pull out some of the features from ASA Firepower and make those available in SD-WAN in SASE, then it would be pretty cool.

I've been using this solution for probably six years as Firepower and for about 10 to 15 years before Firepower came in.

It's very stable. We've seen very few issues that aren't human-related. If I were to rate the stability, it would have to be 10 out of 10 because we haven't seen any failures.

It's tough to scale because it's a firewall appliance, but in terms of the ability to deploy it virtually, it's inherently scalable. That is, as far as a firewall can scale, it's very scalable.

I'd give technical support an eight out of ten.

Positive

We used Check Point previously, and the reason we switched to Firepower was that it would be a common vendor and a commonly supported solution by our team. The consistency with Cisco is why we went with Firepower.

Our deployment model is both public cloud and private cloud. The physical devices are on-premises at a data center or virtual in an on-premises data center, and the network virtual appliances are in distributed public cloud platforms including AWS, Azure, Google, and private cloud.

We have between 20 and 50 people who are responsible for the maintenance of the solution through a various mix of ticketing systems and troubleshooting. Their responsibilities are operating the platform, that is, making sure that the connectivity works, analyzing the security, the posture that those firewalls are protecting, and implementing change.

There was no specific investment to make because there was a requirement to implement data center security. That's certainly been fulfilled, and the benefits now versus those previously are time to deliver change and having a more secure, rounded posture. Both of these are being realized.

The pricing was fairly reasonable. It was competitive and was slightly more than Check Point was. However, when we looked at the usability and the features that we would get out of Firepower, it was certainly reasonable.

Licensing is complex, and I'd like it to be simplified.

We evaluated Check Point. One of the pros was that we're a Cisco house, so having Cisco Firepower is useful.

Also, the architectural differences between Check Point and Firepower lend themselves to Firepower. The Check Point architecture is a bit more complicated.

It's a bit more complex to deploy and a bit more difficult to troubleshoot. I think troubleshooting with Firepower is much more intuitive, so it's easy for the operations guys to manage, and it's easy for people to consume.

My advice would be to compare equitable vendors and see where Cisco is strong and where they're not as strong. However, take into account your wider environment. If you've got a Cisco house and the solution has the same look and feel, those who are managing the service will say that it's Cisco and that they know it. That carries a huge weight, so pay careful attention to the rest of your environment.

Overall, I'd give this product a nine out of ten.

We are using Firepower for outbound/inbound traffic control and management as well as for our internal security. We are using it for LAN security and VMware network security. It is a hardware device, and it is deployed on-prem.

Our target is to make our network 100% secure from the outside and inside traffic. For that, we are using the latest versions, updates, patches, and licenses. We have security policies to enable ports only based on the requirements. Any unnecessary ports are disabled, which is as per the recommendation from Cisco. For day-to-day activity monitoring and day-to-day traffic vulnerabilities, we have monitoring tools and devices. If there is any vulnerability, we can catch it. We are constantly monitoring and checking our outside and inside traffic. These are the things that we are doing to meet our target of 100% security.

We have a number of security tools. We have the perimeter firewalls and core firewalls. For monitoring, we have many tools such as Tenable, Splunk, etc. We have Cisco Prime for monitoring internal traffic. For malware protection and IPS, we have endpoint security and firewalls. The outside to inside traffic is filtered by the perimeter firewall. After that, it goes to the core firewall, where it gets filtered. It is checked at port-level, website-level, and host-level security.

We have the endpoint security updated on all devices, and this security is managed by our antivirus server. For vulnerabilities, we have a Tenable server that is monitoring all devices. In case of any vulnerability or attacks, we get updated. We are also using Splunk as SIEM. From there, we can check the logs. If any device is attacked, we get to know the hostname or IP address. We can then check our monitoring tool and our database list. We can see how this attack happened. We have configured our network into security zones. We have zone-based security.

It integrates with other Cisco products. We use Cisco ASA and Cisco FTD, and we also use Cisco FMC for monitoring and creating policies. For internal network monitoring purposes, we use Cisco Prime. We also use Cisco ISE. For troubleshooting and monitoring, we can do a deep inspection in Cisco FMC. We can reach the host and website. We can also do web filtering and check at what time an activity happened or browsing was done. We can get information about the host, subnet, timing, source, and destination. We can easily identify these things about a threat and do reporting. We can also troubleshoot site-to-site VPN and client VPN. So, we can easily manage and troubleshoot these things.

Cisco FMC is the management tool that we use to manage our firewalls. It makes it easy to deploy the policies, identify issues, and troubleshoot them. We create policies in Cisco FMC and then deploy them to the firewall. If anything is wrong with the primary FMC, the control is switched to a secondary FMC. It is also disconnected from the firewall, and we can manage the firewall individually for the time being. There is no effect on the firewall and network traffic.

Cisco FMC saves our time in terms of management and troubleshooting. Instead of individually deploying a policy on each firewall, we can easily push a policy to as many firewalls as we want by using Cisco FMC. We just create a policy and then select the firewalls to which we want to push it. Similarly, if we want to upgrade our firewalls, instead of individually logging in to each firewall and taking a backup, we can use Cisco FMC to take a backup of all firewalls. After that, we can do the upgrade. If Cisco FMC or the firewall goes down, we can just upload the backup, and everything in the configuration will just come back. 

We can also see the health status of our network by using Cisco FMC. On one screen, we can see the whole firewall activity. We can see policies, backups, and reports. If our management asks for information about how many rules are there, how many ports are open, how many matching policies are there, and which public IP is there, we can log in to Cisco FMC to see the complete configuration. We can also generate reports.

With Cisco FMC, we can create reports on a daily, weekly, or monthly basis. We can also get information about the high utilization of our internet bandwidth by email. In Cisco FMC, we can configure the option to alert us through email or SMS. It is very easy.

It has a good security level. It is a next-generation firewall. It can protect from different types of attacks. We have enabled IPS and IDS. To make out network fully secure, we have zone-based security and subnets.

It is user-friendly with a lot of features. It has a CLI, which is helpful for troubleshooting. It also has a GUI. It is easy to work with this firewall if you have worked with any Cisco firewall.

With Cisco FMC, we can see the network's health and status. We can create a dashboard to view the network configuration, security policies, and network interfaces that are running or are up or down. We can also see network utilization and bandwidth utilization. We can see if there are any attacks from the outside network to the inside network. We can arrange the icons in the dashboard. For troubleshooting, we can also log in to the FMC CLI, and based on the source and destination, we can ping the firewall and the source. 

I have been using this solution for three to four years.

It is stable, but it also depends on whether it is properly configured or maintained. If you don't apply the proper patches recommended by Cisco, you could face a lot of issues. If the firewall is up to date in terms of patches, it works smoothly and is stable.

There are no issues in terms of the number of users. This is the main firewall for the organization. All users are behind this firewall. So, all departments and teams, such as HR, finance, application team, hardware teams, are behind this firewall. All users have to cross the firewall while accessing applications and websites. They cannot bypass the firewall. 

Their support is good. If we have an issue, we first try to resolve it at our level. If we are not able to resolve an issue, we call customer care or raise a ticket. They investigate and give us the solution. If there is a hardware issue or the device is defective, we will get that part as soon as possible. They replace that immediately. If it is not a hardware issue, they check the logs that we have submitted. Based on the investigation, they give a new patch in case of a bug. They arrange for a technical engineer to come online to guide us and provide instructions remotely. They provide immediate support. I would rate their support a nine out of 10.

We have HA/standby devices. We have almost 70 to 80 access switches, and we have 30 to 40 routers, hubs, and other monitoring tools and devices. We keep one or two devices as a standby. We have a standby for each Cisco tool. We have a standby for the core and distribution switches and firewalls. We have a standby firewall. When there is any hardware issue or other issue, the secondary firewall is used, and the workload moves to the secondary firewall. Meanwhile, we work with Cisco's support to resolve the issue.

For the past four to five years, we have only had Cisco firewalls. However, for some of the branches, we are using Palo Alto firewalls. It depends on a client's requirements, applications, security, etc.

I didn't do the implementation. We have, however, upgraded to a higher version. From the Cisco side, we get the updates or patches using which we upgrade a device and do the configuration. We register the product model and serial number, and after that, we can download a patch. We also can get help from Cisco. It is easy to migrate or upgrade for us.

We have vendor support. They are a partner of Cisco. When we buy the hardware devices, the vendor has the responsibility to do the implementation and configurations. We do coordinate with them in terms of providing the space and network details such as IP addresses, network type, subnets, etc. We also provide logical diagrams. We monitor the configuration, and after the configuration is done, we check how the network is working and performing.

We have an IT department that includes an applications group, a hardware group, and a security group. There are also Network Level 1, Level 2, and Level 3 teams. The Level 1 team only takes care of the network side. The Level 2 and Level 3 teams do almost similar work, but the Level 3 team is a bit at a higher level in IT security. The Level 2 and Level 3 teams take care of firewalls-level and security-level configuration, policy upgrade, etc. They manage all network devices. Overall, we have around 20 members in our department.

For the maintenance of Firepower, two guys are there. A Level 2 engineer takes care of policy creation and deployment for new networks. A Level 3 engineer takes care of a new firewall, upgrades, and network design and architecture.

When we purchased the firewall, we had to take the security license for IPS, malware protection, and VPN. If we are using high availability, we have to take a license for that. We also have to pay for hardware support and technical support. Its licensing is on a yearly basis.

It is a good product. It is easy to manage, but you need to have good experience and good knowledge, and you need to configure it properly.

Cisco FMC only supports Cisco products. If you have a large network with Cisco firewalls and other vendors' firewalls, such as Palo Alto, you can only manage Cisco products through Cisco FMC. Other vendors have their own management tools.

Most of the organizations nowadays are using the Cisco Firepower and Cisco ASA because of the high level of security. Cisco is known for its security. Cisco provides a lot of high-security firewalls such as Cisco ASA, Cisco FTD, Cisco Firepower. Cisco ASA 8500 came out first, and after that, new models such as Cisco FTD came. 

I would rate Cisco Firepower NGFW Firewall a nine out of 10. It is excellent in terms of features, ability, and security. Whoever gets to work on Cisco Firepower, as well as Cisco ASA, will get good experience and understanding of security and will be able to work on other firewalls.

I use it every day. It's something that's part of my daily tasks every day. I log in, look at logs, and do some firewall rule updates. 

We have a managed services team. I'm not part of that team, I use it for our company. I look at why things are being dropped or allowed. 

I'm using an older version. They got rid of EIGRP out of FlexConfig, which was nice. Now there's policy-based routing, which is something that I have to update my firewalls or my FMC so I can utilize that product.

Right now I use the Cisco-recommended version of FMC which is 7.0.5.

I like the GUI base of Secure Firepower Management Center. Coming from an ASA where it was the ASDM, I like the FMC where you can see everything is managed through one pane of glass. 

It's a single pane of glass, we have multiple firewalls. I can click and be on to the next firewall in a few seconds, really. 

As far as securing our infrastructure from end to end, I'm a big fan of Cisco products. I haven't used other products in the past, but I love the Cisco products. It helps a lot in the end. 

We have firewalls on the edge, internally, and then on the cloud now, so I feel we're pretty secure. 

Firewall helps with cybersecurity resilience. I really like this Cisco product. It's user-friendly. I don't like some other vendors. I've tried those in the past. Cisco is pretty easy. A caveman could do it.  

I've used Check Point and Palo Alto, and I like Cisco better. It's what I'm comfortable with. Hopefully, I'll use it until I retire. 

It runs forever. I haven't had any problems with any Secure Firewall. It just runs. You don't have to worry about it crashing. All Cisco products run forever. They run themselves. You need to update them. 

I'm a team of two. Either I'm looking at it, the other guy's looking at it, or no one's looking at it. It's part of my daily routine as I get in there and I make sure that I have the status quo before I move on to other projects or other tickets for the day. It's a daily process. They log the information right in.

I'll find out about scalability in a few weeks. I need to change out some firewalls that are a lower model to a higher model because of the VPN limitations. I'm going to have to do some more work and see how long it takes. 

They're awesome. I talked to the guys here, I had a couple of problems that keep me up at night. I was able to come here and they're going to help me out with some different ideas. Anybody I talk to has a solution, and the problem is fixed. So it's nice. I've never had any problem with TAC. They're awesome.

I wouldn't give them a ten. Nobody is perfect. I'll give them a nine because they help me with any issues I've had. I could put a ticket in a day, and then it gets taken care of in a speedy, efficient manner, and then I'm able to move on to other things that I need to worry about.

Positive

Palo Alto seems clumsy to me. I don't like it. It shouldn't be a guessing game to know where stuff is. Cisco is laid out in front of you with your devices, your policies, and logging. You point and click and you are where you need to be. 

I haven't used Check Point in a while. It's been some time but it's an okay product.

For deployment, we have different locations on the east coast, on-prem, and in the data centers. We introduced a couple of firewalls, AWS, and Azure and we're implementing those in the cloud.  

On-prem is pretty easy to implement. I could lab up an FTD on my own time. It's super easy to download and install. You get 90 days to mess around in a lab environment. I'm new to the cloud stuff. I've built firewalls there, but there were other limitations. I didn't quite understand that I have to get some practice and learn about the load balancers.  

We're a Cisco partner, so we get 80% off. That's a big discount and companies are always looking at ways to save money these days.

I don't really look at Talos. It's in the background. I don't really look at it. It's there and it works. 

Nothing is perfect so I would rate Cisco Secure Firewall a 9.2 out of ten. I love the product. It's part of my daily routine. I'll hopefully use it until I retire. 

We are a Cisco partner and we are currently using Cisco Firepower for our internet edge, intrusion prevention systems, and filtering.

We use virtual appliances in the cloud and hardware appliances on-premises.

Cisco Secure Firewall has improved usability in our environment.

The application visibility and control are great. Cisco Secure Firewall provides us with visibility into the users and the applications that are being used.

We are capable of securing our infrastructure from end to end, enabling us to detect and address threats. We have excellent visibility into the traffic flows, including those within the DMZs.

Cisco Secure Firewall has helped save our IT staff a couple of hours per month of their time because it is much easier to use the GUI instead of attempting to manage things through the CLI, which we have to access from the CRM.

We have several clients who had larger security stacks that they were able to consolidate because they were using separate products for IPS or URL filtering. With Firepower, we were able to consolidate all of those into a single solution.

The ability of Cisco Secure Firewalls to consolidate tools or applications has had a significant impact on our security infrastructure by enabling us to eliminate all the additional tools and utilize a single product.

Cisco Talos helps us keep on top of our security operations.

Cisco Secure Firewall has helped our organization enhance its cybersecurity resilience. We can generate periodic reports that are shared with the security teams to keep them informed.

The ASA has seen significant improvement due to the IPS. 

The ability to troubleshoot more easily through the gate is valuable.

The integration with all the necessary products needs improvement. Managing various product integrations, such as Umbrella, is challenging.

I have been using Cisco Secure Firewall for four years. My organization has been using Cisco Secure Firewall for a much longer period of time. 

We experienced stability issues when transitioning to version 7.2, particularly related to operating Snort from Snort Two to Snort Three. In some cases, the firewalls necessitated a reboot, but we ultimately reverted back to using Snort Two.

The technical support is responsive. In most cases where I've opened a ticket, they have promptly worked on figuring out the actual problem and assisting me in resolving it.

Positive

We have had clients who switched to Cisco Secure Firewall from Check Point, Palo Alto, and WatchGuard due to the features and support that Cisco offers.

The initial setup is straightforward. Since we were transitioning from ASA to Firepower, a significant portion of our work involved transferring the access control lists to the power values in the GUI. After that, we began adding additional features, such as IPS.

The pricing and licensing structure of the firewall is fair and reasonable.

The closest competitor that matches Cisco Firepower is Palo Alto, and the feature sets are quite comparable for both of them. One issue I have noticed with Cisco's product is the SSL decryption when used by clients connecting from inside to outside the Internet. 

Cisco lacks the ability to check CRLs or OCSP certificate status unless we manually upload them, which is impractical for a large number of items like emails. On the other hand, Palo Alto lacks the ability to inspect the traffic within the firewall tunnel, which is a useful feature to have. 

I rate Cisco Secure Firewall eight out of ten.

I recommend taking advantage of the trial by downloading virtual next-gen firewalls provided by OBA, deploying them in a virtual environment, and testing their performance to evaluate their effectiveness. This is a crucial step.

Our main use case for Cisco Secure Firewall is helping clients who want to upgrade from an old firewall and move to a next-generation firewall. We also get a lot of clients who have a next-generation firewall provider, but the firewall is not up to the task. It doesn't have all the feature sets that they need, and Cisco Secure Firewall ticks those boxes.

Cisco Secure Firewall has improved our customers' security posture because it offers Next-Gen features, granularity, and reporting on the back of it. You can see the amount of users accessing Office 365, for example, and whether they're having a good or bad experience. You can see the threats that come into your network. You can see anyone who is compromised from within your network.

If customers already have Cisco solutions such as Cisco ISE, Duo, Umbrella, and Endpoint, Cisco Secure Firewall will integrate well with all of them. Our clients will be able to get more data and automate tasks. They can have Secure Firewall automatically shut things down if a threat is detected.

Without a doubt, the best features are the reporting and analytics. Some vendors provide the same feature set, but their product won't give you the power to figure out what's going on in your network. Whereas with Cisco Secure Firewall, especially with the management platform on top, you can have all of the analytics and see exactly what is going on. You can see not only the source and destination but also the application, the URL, the type of policy it's hitting, the specific rule it's hitting, and the amount of data transferred from it. Apart from that, you get all of the risk reports. You can see how much bad stuff is coming into the network at present and whether there's anything you need to act on immediately. That data is at your fingertips, and it's by far the best feature and the best selling point of Cisco Secure Firewall.

Cisco Secure Firewall has reduced our clients' mean time to repair because they are able to find possible issues quickly. The power of the reporting, the dashboards, and all of the analytics in the background also helps to alert and quickly act on the threat.

My impression of Cisco Talos is that it's well-regarded in the industry. Cisco is so well regarded that we know their security intelligence is up-to-date. Our clients have peace of mind because they have Cisco Talos in the background and know that Cisco Secure Firewall is up-to-date with the latest threats. They can be sure that they're acting on the best available data.

I would like to see more configurable feature parity with Cisco ASA, which is the legacy product that Cisco is moving away from. When configuring remote access VPN, not all of the options are there. You have to download another tool, which means that the configuration takes a little bit longer with Cisco Secure Firewall. Though it's getting there, there are still some features lagging behind.

We've been offering Cisco Secure Firewall since its first iteration 10 years ago.

We are resellers, and the value we add to our customers as resellers is our knowledge. We have 10 years' worth of experience deploying Cisco Secure Firewall. We can deploy it the correct way. We also know whether you would need the management platform, the level of licensing you may require, and the number of VPN licenses you may need. We add value by knowing how the solution should be deployed and installed in a network.

Secure Firewall's stability is good. I think the management platform needs a little bit of work. It's not as robust from a stability point of view. Deployment times of configuration have got better over the years, but there's still some work needed so that it deploys every time when you click that button.

The scalability of Cisco Secure Firewall is really good. That's down to the management platform and the way it structures your access policies, what allows traffic in and what allows traffic out. You can easily add multiple regions, locations, and types of firewalls to the management platform. As soon as you do, they get all of those policies. Previously, you'd have had to configure each one time and time again. With this version, you import it, and it's ready to go. Thus, for scalability it's easy.

Cisco's technical support across all their products is always good and reliable. If someone says they're going to get back to you in four hours, they do. They're always there with the right level of support. If we need a Secure Firewall engineer, that's whom we'll get. We won't get someone who's never seen the product before. As far as vendors go, Cisco's technical support is probably the gold standard. I would rate them at ten out of ten.

Positive

Secure Firewall is more complex to deploy than previous Cisco Firewall products. However, it's not so complex that it's not achievable. There are some products out there that require a lot of reading to be able to deploy them. Cisco Secure Firewall has not reached that level yet, but it is a complex product.

Our clients' Secure Firewall deployment models are edge firewalls, internal firewalls, and, most often, perimeter firewalls. Sometimes, our clients ask us to help them with deployment because we have the experience.

We've used the Cisco Firewall migration tool quite a few times to migrate to Cisco Secure Firewall. It has come on a long way, and it's a lot better than it used to be. When it initially came in, there wasn't as much trust that the tool would give you everything you needed, but where it is now is great. If you've got a firewall that you want to migrate, you'll feel confident using the Cisco Firewall migration tool.

We spend a lot of time developing our consultants and our sales staff to know the product and learn how to sell the product. As a result, our ROI is that we get more clients deploying Cisco Secure Firewall.

The licensing is not as complicated as that for some other Cisco products. There are a couple of tiers of licensing, but the price point is a little too high for the market. There are other vendors that come in lower and offer more for fewer licensing options. They may offer URL filtering or malware filtering with a single license rather than requiring two or three licenses. I think Cisco could do a bit more in this area.

I deal with a lot of other vendors who also offer the same features, but Cisco Secure Firewall stands out on the analytics. It is the best for analytics and getting the reporting data.

If you're a client evaluating Cisco Secure Firewall, my advice would be to put real-world data through it to get useful data out of it. You can't see the benefits of the solution if you just turn it on and look at the device as it is. It's when you see the traffic going through it that you'll see the power of the analytics and reporting and the event data that comes through. A technical team member will understand how much easier it's going to be to troubleshoot with this platform compared to that with any other platform they've had before. With regard to reporting, a report on how many malware attacks have occurred in a particular month takes one click to generate. That data can be stored for a long time.

Overall, I would rate Cisco Secure Firewall an eight out of ten because of the feature parity. It's not quite there in terms of being able to do everything on the GUI platform. The price point is still a bit too high as well.

We have two devices in Active-Active mode, acting as a perimeter firewall. It is the main firewall that filters traffic in and out of our organization. This is where there are many rules and the mapping is done to the outside world. We use it as a next-generation firewall, for intrusion detection and prevention.

It's also linked also to Firepower, the software for network policies that acts as our network access control. 

I find it very useful when we're publishing some of our on-prem servers to the public. I am able to easily do the NATing so that they are published. It also comes in very handy for aspects of configuration. It has made things easy, especially for me, as at the time I first started to use it I was a novice.

I have also added new requirements that have come into our organization. For example, we integrated with a server that was sitting in an airport because we needed to display the flight schedule to our customers. We needed to create the access rules so that the server in our organization and the server in the other organization could communicate, almost like creating a VPN tunnel. That experience wasn't as painful as I thought it would be. It was quite dynamic. If we had not been able to do that, if the firewall didn't have that feature, linking the two would have been quite painful.

In addition, we have two devices configured in an Active-Active configuration. That way, it's able to load balance in case one firewall is overloaded. We've tested it where, if we turn off one, the other appliance is able to seamlessly pick up and handle the traffic. It depends on how you deploy the solution. Because we are responsible for very critical, national infrastructure, we had to ensure we have two appliances in high-availability mode.

I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are.

The ASDM makes it very easy to navigate and manage the firewall. You can commit changes with it or apply them before you save them to be sure that you're doing the right thing. You can perform backups easily from it.

It also has a built-in Packet Tracer tool, ping, and traceroute, all in a graphical display. We are really able to troubleshoot very quickly when there are issues. With the Packet Tracer, you're able to define which packet you're tracing, from which interface to which other one, and you're able to see an animation that shows where the traffic is either blocked or allowed. 

In addition, it has a monitoring module, which also is a very good tool for troubleshooting. When you fill in the fields, you can see all the related items that you're looking for. In that sense, it gives you deep packet inspection. I am happy with what it gives me.

It also has a dashboard when you log in, and that gives you a snapshot of all the interfaces, whether they're up or down, at a glance. You don't need to spend a lot of time trying to figure out issues.

Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked.

The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other.

When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even Fortigate can.

A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the IPSs you have, and giving you the best output.

I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.

I have been using Cisco ASA Firewalls since November 2019.

Cisco products are quite resilient. We've had problems due to power failures and our UPSs not being maintained and their batteries being drained. With the intermittent on and off, the Cisco ASAs, surprisingly, didn't have any issue at all. The devices really stood on their own. We didn't even have any issue in terms of losing configs. I'm pretty satisfied with that.

I've had experience with some of the new Cisco devices and they're quite sensitive to power fluctuations. The power supply units can really get messed up. But the ASA 5516 is pretty resilient. We've deployed in a cluster, but even heating up, over-clocking, or freezing, has not happened.

We also have the Sophos as a bridge, although it's only a single device, it is not in a cluster or in availability mode, but we've had issues with it freezing. We have had to reboot it.

It's easy to scale it up and extend it to other operations. When we merged with another company, we were able to extend its usage to serve the other company. It became the main firewall for them as well. It works and it's scalable.

It's the main perimeter firewall for all traffic. Our organization has around 1,000 users spread across the country. It's also our MPLS solution for the traffic for branch networks. It's able to handle at least 1,000 connections simultaneously, give or take.

Prior to my joining the organization, there was a ransomware attack that encrypted data. It necessitated management to invest in network security.

When I joined the project to upgrade the network security infrastructure in our organization, I found that there was a legacy ASA that had been decommissioned, and was being replaced by the 5516. Being a type-for-type, it was easy to pick up the configs and apply them to the new one.

When I joined this organization, the solution had just been deployed. I was tasked with administrating and managing it. Managing it has been quite a learning curve. Prior to that, I had not interacted with ASAs at all. It was a deep-dive for me. But it has been easy to understand and learn. It has a help feature, a floating window where you can type in whatever you're looking for and it takes you right there.

We had a subsidiary that reverted back to our organization. That occurred just after I started using the 5516 and I needed to configure the integration with the subsidiary. That was what I would consider to be experience in terms of deployment because we had to integrate with Meraki, which is what the subsidiary was using.

The process wasn't bad. It was relatively easy to integrate, deploy, and extend the configurations to the other side, add "new" VLANs, et cetera. It wasn't really difficult. The ASDM is a great feature. It was easy to navigate, manage, and deploy. As long as you take your backups, it's good.

It was quite a big project. We had multiple solutions, including Citrix ADC and ESA email security among others. The entire project from delivery of equipment to commissioning of the equipment took from July to November. That includes the physical setup and racking.

Two personnel are handling the day-to-day maintenance.

We have seen ROI with the Cisco ASA, especially because we've just come to the end of the three-year subscription. We are now renewing it. We've not had any major security incident that was a result of the firewall not being able to detect or prevent something. That's a good return on investment.

Our device, the 5516, has been declared end-of-life. The cost of upgrading is almost equivalent to deploying a new appliance. But having had it for three years, it has served its purpose.

As with any security solution, the return on investment must be looked at in terms of what could happen. If you have a disaster or a cyber attack, that is when you can really see the cost of not having this. 

Cost-wise, it's in the same range as its competitors. It's likely cheaper than Palo Alto. Cisco is affordable for a large organization of 500 to 1,000 users and above.

You need a Cisco sales partner or engineer to explain to you the licensing aspects. Out-of-the-box, Firepower is the module that you use to handle your network access policy for the end-user. It's a separate module that you need to include, it's not bundled. You need to ensure you have that subscription.

A Cisco presales agent is key for you to know what you need. Once they understand your use cases, they'll be able to advise you about all the licenses you need. You need guidance. I wouldn't call it straightforward.

With any Cisco product, you need a service level agreement and an active contract to maximize the support and the features. We have not had an active service contract. We just had the initial, post-implementation support.

As a result, we've wasted a bit of time in terms of figuring out how best to troubleshoot things here and there. It would be best to ensure you are running an active contract with SLAs, at least with a Cisco partner. 

Also, we were not able to use its remote VPN capabilities, Cisco AnyConnect, because of a licensing limitation.

I would encourage people to go for the newer version of Cisco ASA. 

When you are procuring that device, be sure to look at the use cases you want it for. Are you also going to use it to serve as your remote VPN and, in that case, do you need more than the out-of-the-box licenses it comes with? How many concurrent users will you need? That is a big consideration when you're purchasing the device. Get a higher version, something that is at least three years ahead of being declared end-of-life or end-of-support.