E-commerce environment, Enterprise data center.
It has improved the security posture and visibility of our traffic, but it could use more predefined security templates
What is our primary use case?
How has it helped my organization?
It has improved the security posture and visibility of our traffic. It has been proven very reliable on the hardware finishing and network portion, since Cisco has been very experienced in networking.
What is most valuable?
- Snort IPS with recommendation template
- Extendable hardware module
- Straightforward licensing
- Cisco product integration
What needs improvement?
- I would like to see more improvements made to the dashboard and UI, as well as to the reporting; the reporting is quite limited and not user-friendly.
- I would like them to consider offering more predefined security templates.
- Technical support product knowledge, the licensing portal, and the activation process will need to be improved.
- The configuration is not straightforward; Cisco will need to improve this so the user can easily pick up the product.
- There are more bugs than with other firewall competitors; some bugs are quite serious.
Buyer's Guide
Cisco Secure Firewall
November 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,562 professionals have used our research since 2012.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
Yes, we found some firmware bugs and Cisco took some time to fix them. We needed to escalate the issue to the account manager to expedite the escalation process.
What do I think about the scalability of the solution?
No.
How are customer service and support?
A five out of 10.
Which solution did I use previously and why did I switch?
How was the initial setup?
Complex in configuration and understanding. It would be very challenging for a non-Cisco trained engineer.
What about the implementation team?
We implemented ourselves with some assistance from the vendor. Some vendors are not experts in this deployment, possibly because of the complexity of the product.
What's my experience with pricing, setup cost, and licensing?
Base hardware costs are average. Additional hardware modules are priced higher than the base module. They also offer very clear licensing and pricing.
Which other solutions did I evaluate?
Check Point, FortiGate, Palo Alto, SonicWall, Huawei, and Sophos.
What other advice do I have?
Cisco is still a very good hardware manufacturer, but they need to catch up on the software portion. We used the Cisco product because we know they tried very hard to get back into the market and we were willing to give them a chance since we are still using a lot of Cisco products. For those who are non-Cisco trained, it would be very hard to pick up.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ICT Manager at an aerospace/defense firm
Site to site VPN is easy, but it's very expensive.
What is most valuable?
- VPN
- ASDM configuration
For FirePOWER:
- IPS
- AMP
- URL filtering
How has it helped my organization?
It's pretty easy to connect between different branches using site to site VPN.
What needs improvement?
Cost: it's very expensive. To migrate from a Cisco ASA 5550 and not drop in performance, you have to go to a Cisco ASA 5555-X with FirePOWER. To fully use the Cisco FirePOWER IPS, AMP and URL filtering, you are forced to (MUST) buy the Cisco FireSIGHT management centre. You also have to buy licensing for the Cisco AnyConnect VPN client.
For how long have I used the solution?
I've been using it since October 2004, so for 10 years.
What was my experience with deployment of the solution?
Due to the cost, I am still waiting for more funds to deploy the final phase, FirePOWER IPS, AMP and URL filtering.
Cisco did an upgrade from v8.2 to v8.3 of the migration system. NAT configuration is different from 8.2 to 8.3. It's not easy to upgrade to 8.3 and above, leading to running different software versions.
What do I think about the stability of the solution?
V8.2 is very stable. With the latest versions it's still early to tell.
What do I think about the scalability of the solution?
Upgrading from v8.2 to v8.3 is a nightmare. The risks of down time are so high that I am forced to run different versions. Stay with 8.2 on all NAT dependent on your ASA, but again it's all about the cost.
How are customer service and technical support?
Customer Service:
Excellent customer service. Cisco listens to their customers.
Technical Support:
Excellent customer service and documentation.
Which solution did I use previously and why did I switch?
We previously used Check Point, and I switched because Check Point was expensive, but now it looks like Cisco is following the same route.
How was the initial setup?
It was not that complex because I was using Cisco routers and switches five years prior.
What about the implementation team?
It was an in-house implementation.
What was our ROI?
I can't tell right now as I am still investing.
What's my experience with pricing, setup cost, and licensing?
The initial investment on the Cisco ASAs was around one million South African Rand and there's a R200,000 annual maintenance cost with Cisco's partners.
Which other solutions did I evaluate?
No. I went straight to Cisco because of my experience with their CUCM IPT solutions, routers and switches.
What other advice do I have?
Budget a lot of money, especially on the initial setup and the annual licensing and maintenance cost.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network & Systems Administrator Individual Contributor at T-Systems
Good user interface and easy to configure but needs better integration capabilities.
Pros and Cons
- "The management aspect of the product is very straightforward."
- "It would be nice if you didn't have to configure using a command-line interface. It's a bit technical that way."
What is our primary use case?
We primarily use the solution for configuring the firewall.
What is most valuable?
It's an almost perfect solution.
The configuration is very easy.
The management aspect of the product is very straightforward.
The solution offers very good protection.
The user interface itself is very nice and quite intuitive.
What needs improvement?
It would be ideal if the solution offered more integration capabilities with other vendors. For example, if you had a web security appliance, it would be great to be able to integrate everything in order to better report security events.
While I can't think of specific features I'd like improved, overall, they could do more to continue to refine the solution.
It would be nice if you didn't have to configure using a command-line interface. It's a bit technical that way.
For how long have I used the solution?
We first started using the solution in 2015. It's been five years at this point.
What do I think about the stability of the solution?
The solution is very stable. We've found it to be extremely reliable. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
The solution can scale well. That's not a problem at all. If a company needs to expand it to fit their needs, they can do so.
How are customer service and support?
We've been in contact with technical support on multiple occasions and each time we've had a good experience. We're satisfied with their level of support. They are fairly good.
How was the initial setup?
I have nothing bad to say about the deployment. It went pretty well, and we can configure everything as we need to.
What's my experience with pricing, setup cost, and licensing?
I don't really handle the billing, so I'm unsure of the pricing. I work more on the technical side.
What other advice do I have?
We're just customers. We don't have a business relationship with Cisco.
It's a very good solution. I'd recommend it to other users.
Overall, I'd rate it seven out of ten.
Although I can't speak to the pricing, I've found the solution works quite well for us. I'd rate it higher if it could integrate a bit better with other solutions.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer at a tech services company with 51-200 employees
Capable of handling a lot of traffic, never had any downtime, and very easy to configure
Pros and Cons
- "The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java."
- "One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering."
What is our primary use case?
We were using ASA 5585 without firepower. We were using it just as a stateful firewall. We also had an IPS module on it. So, we were also using it for network segmentation and network address translations for hosting some of the services or giving access to the internet for our end users.
How has it helped my organization?
Initially, it was good. At the time we bought it, usually, IPS was in a different solution, and the firewall was in a different solution. You had to kind of correlate between the events to find the attacks or unwanted behavior in the network, but it had everything in a kind of single platform. So, the integration was great.
Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. Cisco ASA was able to handle a lot of traffic or concurrent connections at that time. We had almost 5 million per week. We didn't have to worry about it not having enough memory and stuff like that. It was a powerful machine.
What is most valuable?
The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java.
High throughput, high concurrent connections, easy site-to-site VPN were also valuable. It also had the capability to do double network translations, which is really useful when you are integrating with other vendors for site-to-site VPN.
What needs improvement?
When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough.
One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.
For how long have I used the solution?
We have been using it for around eight years.
What do I think about the stability of the solution?
Its stability is really great. It is very stable. We didn't have to worry about it. In the IT world, every time you go on holiday, you think that something might break down, but that was not the case with Cisco ASA.
Initially, we had just a single firewall, and then we moved to high availability. Even when it was just one hardware without high availability, we didn't have any problems. Apart from the planned maintenance, we never had any downtime.
What do I think about the scalability of the solution?
We feel we didn't even try to make it scalable. We had 30,000 end users.
How are customer service and support?
We haven't interacted a lot with them because we have our own network department. We were just handling all the problem-solving. So, there were only a couple of cases. Initially, when one of the first devices came, we had some problems with RAM. So, we opened the ticket. It took a bit of time, and then they changed it. I would rate them an eight out of 10.
Which solution did I use previously and why did I switch?
Our bandwidth was increasing, and the number of services that we were hosting was increasing. Our old solutions couldn't catch up with that. We had some really old D-link firewalls. They were not enterprise-level firewalls.
After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. They didn't provide us with the new license. Therefore, we decided to move to Palo Alto. The procurement process is taking time, and we are waiting for them to arrive.
How was the initial setup?
It was straightforward. Cisco is still leading in the network area. So, there are lots of resources where you can find information. There are community forums and Cisco forums, where you can find answers to any questions. You don't even have to ask. You can just Google, and you will find the solution. Apart from that, Cisco provides a lot of certification that helps our main engineers in learning how to use it. So, the availability of their resources was great, and we just followed their best-case scenarios. We could easily configure it.
The deployment took around two or three weeks because we had different firewalls. We had a couple of them, and we migrated all to Cisco. We also had around 30,000 rules. So, the data input part took a lot of time, but the initial installation and the initial configuration were done in a matter of days.
It took us one week to set up the management plane. It had different ports for management and for the data. After finishing with the management part, we slowly moved segments to Cisco. We consolidated the rules from other firewalls for one zone. After Cisco verified that it was okay, we then moved on to the next segment.
What about the implementation team?
We did it ourselves. We had about five network admins for deployment and maintenance.
What was our ROI?
We definitely got a return on investment with Cisco ASA. We have been using it for eight years, which is a long time for IT. We only had one capital expenditure. Apart from that, there were no other costs or unexpected failures. It supported us for a long time.
What's my experience with pricing, setup cost, and licensing?
When we bought it, it was really expensive. I'm not aware of the current pricing.
We had problems with licensing. After our IPS subscription ended, we couldn't renew it because Cisco was moving to the next-generation firewall platform. So, they didn't provide us with the new license.
Which other solutions did I evaluate?
I am not sure about it because back then, I was just an engineer. I didn't have decision-making authority, so I wasn't involved with it.
We recently have done pilots with Check Point and FortiGate for a couple of months. They were next-generation firewalls. So, they had much more capability than ASA, but because of being a pilot, we didn't get full-scale throughput like big enterprise-level firewalls. The throughput was not enough, and their memory cache was always filling up. They were smaller models, but both of them had the features that ASA was lacking. Traffic shaping in ASA is not as good, but these two had good traffic shaping.
What other advice do I have?
I wouldn't recommend this solution because it is already considered to be a legacy firewall.
I would rate Cisco ASA Firewall a strong eight out of 10. It is powerful, but it lacks some of the capabilities.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer at LEPL Smart Logic
Good protection and filtering capabilities, and everything can be easily done through the web user interface
Pros and Cons
- "I have experience with URL filtering, and it is very good for URL filtering. You can filter URLs based on the categories, and it does a good job. It can also do deep packet inspection."
- "When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance."
What is our primary use case?
They were placed in a company on the perimeter near the ISP. There were two clusters. One cluster was at the front, and one cluster was near the data center to filter the traffic from the users to the data center and from the data center to the users and outside.
How has it helped my organization?
Our clients were completely satisfied with this firewall in terms of protection from attacks, filtering of the traffic that they wanted, being able to see inside the zip files, etc.
What is most valuable?
I have experience with URL filtering, and it is very good for URL filtering. You can filter URLs based on the categories, and it does a good job. It can also do deep packet inspection.
Its IPS engine also works very fine. I don't have much experience with it because I am an IT integrator, and we only configured it, but the company for which we configured these firewalls used this feature, and they say that IPS works very fine. They were also very pleased with its reporting. They said that its reporting is better than other firewalls they have had.
What needs improvement?
When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance.
In terms of tracking users, the Palo Alto Networks firewall is better than Cisco Firepower.
For how long have I used the solution?
What do I think about the stability of the solution?
It is very stable because it is based on the Cisco ASA Firewall hardware, which is an old-generation firewall. I have had Cisco ASA Firewall for more than 10 years, and they have been working fine till now. So, Cisco Firepower NGFW Firewall's performance and stability are the best. I have never seen any issues or heard from anyone that it is bad.
What do I think about the scalability of the solution?
Its scalability is very good. It was a small implementation. Traffic was maximum of 150 megabits per second.
How are customer service and support?
I haven't worked with Cisco support.
Which solution did I use previously and why did I switch?
I have had experience with the Fortinet FortiGate firewall. It is very easy, and it does its job very well. Both Firepower and FortiGate do their job very well, but I like the Palo Alto Networks firewall the most. I have not experienced it in a real environment. I have placed it in my lab. It is a very complex firewall, and you need to know how to configure it, but it is the best firewall that I have seen in my life.
As compared to the Palo Alto Networks firewall, both Firepower and FortiGate are simpler. You can just learn which button to use and how to write rules, policies, etc. In Palo Alto, you cannot guess this. You should know where each button is, how it works, and what it does. If you don't know, you cannot get the performance you want from Palo Alto. So, Firepower and FortiGate are easier to learn.
Firepower is very good for a small implementation. If you are doing a Cisco setup, you can place kind of 16 devices in one cluster. When it comes to the real environment, you need to have maybe three devices in one cluster. If two of them are in one data center and the third one is in another data center, the third firewall does not work very well when it comes to traffic flow because of the MAC address. When you want to implement Firepower in small infrastructures, it is very good, but in big infrastructures, you would have some problems with it. So, I won't use it in a large environment with five gigabits per second traffic. I will use the Palo Alto firewall for a large environment.
How was the initial setup?
It is straightforward. For me, it is very simple. The menu is quite impressive. Everything that you want to do can be done from the web user interface. You don't need to access the CLI if you don't like it. It is very easy to make rules with its web user interface.
Its deployment took two days. In terms of the implementation strategy, the first cluster was in the data center, and its main job was to filter user traffic going to the data center. The second cluster was on the edge. Its main job was to mitigate attacks on the inside network and to capture the traffic that could have viruses, malicious activities, etc.
What about the implementation team?
I deployed it myself, and it took me two days to deploy two clusters of Cisco Firepower NGFW Firewall.
What was our ROI?
I think our client did get an ROI. They are very satisfied with what they can do with these firewalls. It fits all of their needs.
What's my experience with pricing, setup cost, and licensing?
Its price is in the middle range. Both Firepower and FortiGate are not cheap. Palo Alto and Check Point are the cheapest ones.
I don't remember any costs in addition to the standard licensing fees.
What other advice do I have?
Our client didn't implement dynamic policies for dynamic environments because they were a small company, and they didn't need that kind of segmentation. I am not sure if it reduced their firewall operational costs because they were a small company, and the traffic was not so high.
I would rate Cisco Firepower NGFW Firewall an eight out of 10.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Systems Engineer at a tech services company with 11-50 employees
Default intrusion prevention engine helps identify malicious code and prevent it from being pushed into the system
Pros and Cons
- "The most important features are the intrusion prevention engine and the application visibility and control. The Snort feature in Firepower is also valuable."
- "On the VPN side, Firepower could be better. It needs more monitoring on VPNs. Right now, it's not that good. You can set up a VPN in Firepower, but you can't monitor it."
What is our primary use case?
We helped a customer to configure a new data center network. We provided the core firewalling. Between virtual routing instances, or virtual networks, we had two Firepower 2130s in HA. We did the routing and firewalling between the VRS and, in the same data center, we have an internet edge firewall also set in HA that provided the routing and firewalling to the internet and to Azure. In the same data center we had two ASAs for out-of-band management. If an error occurred in the data center, we could VPN into the ASA and troubleshoot the routing issues in the data center.
How has it helped my organization?
I have customers that have migrated from Cisco ASA to Cisco Firepower. They have benefited from the change because they have much more visibility into the network. An ASA is often used as a Layer 3 to 4 firewall. We allow networks and ports. But a Firepower firewall has the default intrusion prevention engine, so you can allow it to https on port 443, but it can also look into the packet, with deep packet inspection, and see if there is malicious code that is trying to be pushed into your system. It's a much more secure product than just having a Layer 3 to 4 firewall. It is a Layer 3 to 7 firewall.
We also use Cisco Talos, and when we configure a Firepower, we set the automatic update to get the latest vulnerabilities and databases, Snort rules, geolocation database, and security intelligence from Talos. Our customers aren't benefiting directly from Cisco Talos, but they are benefiting from having a product like Firepower that has connections to Talos.
The dynamic access policy functionality, and the fact that in Firepower 7.0 the feature has one-to-backward compatibility with the Cisco ASA Firewall, is a game-changer. Our customers have begun to transition from Cisco ASA to Cisco Firepower and because they get this capability, there are more and more VPN features. And when they shift from ASA to Firepower, they go from Layer 3 to Layer 7 visibility, instead of only going from Layer 3 to 4. They gain through the visibility they get from a next-generation firewall. They get more visibility and a more secure solution.
What is most valuable?
For Firepower the most important features are the intrusion prevention engine and the application visibility and control. The Snort feature in Firepower is also valuable.
For ASA, the most valuable feature is definitely the remote access VPN solution. The AnyConnect solution is very scalable and stable—there are no errors or flaws—which is necessary in today's world when we're all working remotely. The remote access VPN for ASA is very good.
When it comes to application visibility and control, both ASA and Firepower can provide them but the AVC feature is mostly used in Firepower. You can allow or disallow many applications through Firepower, through the access control policy.
If you configure Firepower correctly, it is good when it comes to threat visibility. It is proficient. It is the state of the art when it comes to blocking threats, network-wise. If you use it with an SSO encryption, and use your own features, blacklists, security intelligence, intrusion prevention, and access control points—if you are using it with every feature—Firepower can block most threats on your network. But it can't stand alone. It is necessary for the clients to have AMP for Endpoints, Cisco Umbrella, and Cisco ISE. If you're using Firepower as a standalone device, it can block, say, 20 or 30 percent more than the ASA can. But if you're using all of the security features from Cisco, you get much more security. It's like an onion's layers. The more layers you have, the more protection you have.
The ease of use with the new version of Firepower is more or less the same when compared to other versions of Firepower. But the dashboard has received a refresh and it's easier to use now than before. Overall, the ease of use has been increased.
What needs improvement?
On the VPN side, Firepower could be better. It needs more monitoring on VPNs. Right now, it's not that good. You can set up a VPN in Firepower, but you can't monitor it.
Firepower Management Center is slow. It could be better. And the Firepower Device Manager doesn't have all the features that the ASA has, and that's despite the fact that it's almost the same product. Cisco could use many more features from ASA in Firepower Device Manager.
For how long have I used the solution?
I have used Firepower for two years and I have worked with all Firepower models: Firepower 1000 Series, 2000 Series, Firepower 4000. I have never had my hands on a Firepower 9300, but it's mostly the same as the 4000 and 9000 Series. I have also used Firepower Management Center, virtual, the 1000 Series, and the 1600. I have also used Firepower virtual devices, the Firepower Next-Generation Firewall Virtual (NGFWv).
I was using Firepower 7.0 for around 10 weeks on a beta program. I was using it more or less every other day. I have been using it quite a lot.
What do I think about the stability of the solution?
If you stay on the recommended releases, Firepower is very stable. Cisco has had a lot of trouble and issues with Firepower since they acquired Sourcefire, and some of the issues or problems are still there. But if you stay on the recommended releases you shouldn't hit that many errors or bugs. It can be stable, but it can also be very unstable if you jump on the newest release every time.
What do I think about the scalability of the solution?
Firepower scales well if you have the 4100 Series or 9300 Series. They can scale and you can cluster the devices. Otherwise, you can only add one device, but that's more for the small customers. But if you get up to the high-end series of Firepower, it scales very well.
We have customers that have 100 or 200 clients but we also have customers that have 20,000 endpoints. They are using several different appliances. Two devices for internet edge, two devices for core infrastructure, and two devices for VPN. We help customers of all sizes.
How was the initial setup?
First you have to configure the Firepower Device Manager, or Firepower Management Center. When you bootstrap it or do the initial config, you type in the IP address, host name, and DNS. When you have the IP configuration in place, you can log in to the Firepower Management Center and start building policies that suit your needs. When you have all the policies, you can add or join Firepower devices to the Firepower Management Center. After adding the devices to the Firepower Management Center, you can then apply the policies that you built in the first place, through the devices, and that will affect the behavior on the devices.
Which other solutions did I evaluate?
ASA is best for VPN solutions, site to site, remote access VPN. It's for everything that is connected with VPN solutions. For every other feature, Firepower is better. While Firepower is getting better for VPN, it's not where it should be yet.
I have tried configuring Zyxel firewalls. I have never logged in to Check Point or Palo Alto. From my point of view, Firepower is better than Zyxel when it comes to application visibility and control.
I did use competitive solutions many years ago, so things might have changed with them. But I would say that Cisco Firepower is a bit more complicated if you are an inexperienced user. If you are setting up a firewall for the first time, other vendors have an approach that makes it easier. Cisco Firepower is more detailed and you can do more complicated configurations than you can with some competitors. It is easier for us to approach customers with Cisco Firepower, because we can do more detailed configurations compared to what customers can get from other vendors.
With SecureX, you can get more value out of the product, especially if you're using all the security features from Cisco. In that situation, you will definitely get more out of SecureX. When you do that you can integrate all of your Cisco products into SecureX and you can correlate all the data in one place, with a single pane of glass. In that way, you get a lot more value for money with Cisco Firepower and SecureX. You will get the full value if you combine it with other products, but if you only have Cisco Firepower then SecureX will not provide that much added value.
What other advice do I have?
Have a plan. Find out how much bandwidth and throughput you need before you implement it because if you don't scale it well from the start, it can slow down your environment. Keep in mind that it adds so much security that the total data throughput can take a hit.
We have many customers, but in general, many of our customers are using all the tools they can to secure their infrastructure, such as AMP, Umbrella, and Firepower. Many companies are doing what they can to secure their network and their infrastructure. But there are also customers that only have a firewall. In today's world that's not enough to secure the network at all, but that's a decision the customer has to live with. We have tried to push them in the right direction. But the majority of our customers have a secure infrastructure.
The other Cisco products or services our customers are using in conjunction with their firewall include AMP, AnyConnect, cloud mail Email Security Appliances, Cisco ISE, and Web Security Appliances. We are only a Cisco partner. We don't do HP or Check Point or Palo Alto, so our customers do have a lot of Cisco features. For regular use, the integration among these Cisco products is pretty easy, but I have also worked with these products a lot. But it's easy to implement a firewall solution on Firepower and you can tweak it as much as you like. ASA is also easy to set up and configure, in my opinion, but I'm a security professional. For a regular user, both products can be pretty cumbersome.
Firepower 7.0 gives you visibility into how it inspects the packets, but it's tough to say how deep or how much visibility you get. However, if you have a Layer 4 firewall, it is clear that a Layer 7 firewall gives you more visibility, and you can see the packets that the application connection is using, meaning which application is using them. It's not how much visibility you get but, rather, the fact that you get Layer 7 visibility.
Cisco Secure Firewall has reduced our operational costs because it is faster to deploy configurations to firewalls. But when using it, it's more or less the same as it was before 7.0. The amount of time it saves when deploying configurations depends on how often you deploy policies or how many changes you have. But if you compare 7.0 to earlier versions, deployment time has been reduced from five to 10 minutes down to two to five minutes. If you make all the changes at once and only do one deployment, the time saved is not that big of a deal. But if you do one change and deploy, and another change and deploy, and another change and deploy, you will save more time.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Network Administrator at a transportation company with 201-500 employees
Plenty of documentation online, but the stability and scalability could improve
Pros and Cons
- "I have not contacted technical support. There is a lot of information on the internet for troubleshooting. All you need to do is use a search engine and you will find the information you are looking for easily."
- "Cisco ASA Firewall could improve by adding more advanced features such as web filtering, which is available in the next-generation firewalls. However, the Cisco ASA Firewall I am using could be old and these features have been updated."
What is our primary use case?
I use Cisco ASA Firewall at my company for network security.
What needs improvement?
Cisco ASA Firewall could improve by adding more advanced features such as web filtering, which is available in the next-generation firewalls. However, the Cisco ASA Firewall I am using could be old and these features have been updated.
For how long have I used the solution?
I have been using this solution for approximately two years.
What do I think about the stability of the solution?
The stability needs improvement.
What do I think about the scalability of the solution?
I have found the Cisco ASA Firewall scalability could improve.
How are customer service and technical support?
I have not contacted technical support. There is a lot of information on the internet for troubleshooting. All you need to do is use a search engine and you will find the information you are looking for easily.
They can improve by adding a public troubleshooting process.
Which solution did I use previously and why did I switch?
I have previously used Fortinet firewalls that I have found to be better.
What other advice do I have?
I would not recommend Cisco.
I rate Cisco ASA Firewall a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Network Engineer at a construction company with 10,001+ employees
The technical support is good, but there are issues with managing the client
Pros and Cons
- "The best features are stability and scalability."
- "You shouldn't have to use the ASDM to help manage the client."
What is our primary use case?
We use Cisco ASAv as a firewall.
What is most valuable?
The best features are stability and scalability.
What needs improvement?
There are other solutions that are better such as Palo Alto.
The management test needs improvement. The ACM requires Java and you need to know which version of Java is compatible with your Cisco version. It needs a client.
The pricing could be reduced.
I would like to see the issue with the client resolved. You shouldn't have to use the ASDM to help manage the client. Also, it should be subscription-based similar to Palo Alto.
For how long have I used the solution?
I have been working with Cisco ASAv for approximately eight years.
What do I think about the stability of the solution?
The stability is good, we have not had any issues.
What do I think about the scalability of the solution?
Cisco ASAv is scalable.
How are customer service and technical support?
We are satisfied with technical support. They are good.
Which solution did I use previously and why did I switch?
We are also using Palo Alto. It's very easy to manage, especially the UI system. You can do anything you want.
What's my experience with pricing, setup cost, and licensing?
Cisco is considered to be an expensive solution.
When comparing to other vendors, it's quite expensive.
What other advice do I have?
I would rate Cisco ASAv a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Yes, we have 3 x 1Gbps and 1 x 155Mbps. We have four internet breakouts in different cities around the country and three of them are 1Gbps each. The fourth internet breakout is 155Mbps. There are only 2 ASAs which are still on 8.3 and all others have been upgraded to 9.1. The remaining two will be upgraded in a few weeks' time. Cisco ASAs are reliable, very stable and the best. The Cisco Firepower works like magic; application visibility, URL filtering and the ability to drop p2p protocols like torrent on the fly are some of the best capabilities of the product.