Cisco Secure Firewall Reviews and Pricing

BURAK YESILDERYA

IT System Administrator at PFW HAVACILIK

Aug 20, 2018

Download

Creates a unified strategy for event logging and correlation

Pros and Cons

"Beats sophisticated cyber attacks with a superior security appliance."

"The Cisco ASA device needs overall improvement, as configurations alone do not completely secure my network."

What is our primary use case?

IT landscape is dynamic, requiring security policy, controls, and visibility to be better than ever.

1Gbps
Multi-service
Beats sophisticated cyber attacks with a superior security appliance.
IT landscape is dynamic.
Requires security policy, controls, and visibility to be better than ever.

This applies to all ASA-related Management/to-the-box traffic, like SNMP, SSH, etc., with Firepower services combined with our proven network firewall along with the industry’s most effective next-generation IPS and advanced malware protection. Therefore, you can get more visibility, be more flexible, save more, and protect better.

How has it helped my organization?

Historic events related to security incidents. My organization must have a unified strategy for event logging and correlation.

What is most valuable?

The Cisco Product Security Incident Response creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco ASA.

What needs improvement?

The Cisco ASA device needs overall improvement, as configurations alone do not completely secure my network. The operational procedures in use on the network contribute as much to security as the configuration on devices.

Buyer's Guide

Cisco Secure Firewall

April 2025

Free Report: Cisco Secure Firewall Reviews and More

Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.

DOWNLOAD NOW

848,989 professionals have used our research since 2012.

For how long have I used the solution?

Still implementing.

How are customer service and support?

There is 24/7 support anytime, anywhere.

Which solution did I use previously and why did I switch?

Before, I did not manage my private network well (or professionally). For this reason, I have been updating products.

What's my experience with pricing, setup cost, and licensing?

Commercial leasing is the best option.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user793611

Account Manager

Jan 24, 2018

Download

Blocks malicious URLs, but bandwidth allocation and detection of new bugs need work

Pros and Cons

"Malicious URLs are being blocked."

"Bandwidth allocation needs improvement."
"Critical bugs need to be addressed before releasing the version."
"Virtual patching would be helpful for servers that are not able to update patches due to compatibility issues."

How has it helped my organization?

Malicious URLs are being blocked.

What is most valuable?

Advanced malware protection, it blocks malicious attacks.

What needs improvement?

Bandwidth allocation.
SSL decryption (avoid installing the intermediate device certificate in the client) should happen from Firepower itself.
Critical bugs need to be addressed before releasing the version.
Need to reduce the time to for detection of new threats.
Enable a feature for importing/exporting logs when required for analysis.
Dynamic IP address in client systems mapping with respect to OS change or device change should be updated periodically in FireSIGHT management.
Virtual patching would be helpful for servers that are not able to update patches due to compatibility issues.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Yes, there were stability issues due to memory issues in the cluster environment and Firepower misbehaved due to non-responding of service/process.

What do I think about the scalability of the solution?

No scalability issues.

How are customer service and technical support?

Good support.

Which solution did I use previously and why did I switch?

We switched from our previous solution because of scalability issues.

How was the initial setup?

It was straightforward, even though we migrated from a third-party to Cisco.

What's my experience with pricing, setup cost, and licensing?

Price should be judged based on the above answers, among the most capable vendors.

Which other solutions did I evaluate?

FortiGate.

What other advice do I have?

We are using ASA5585-X with Firepower SSP-20 (ASA version 9.6(1)3, Firepower version 6.1.0.5).

When looking at different solutions, take a deep look at the features.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

Buyer's Guide

Cisco Secure Firewall

April 2025

Free Report: Cisco Secure Firewall Reviews and More

Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.

DOWNLOAD NOW

848,989 professionals have used our research since 2012.

it_user579180

Networking Specialist at a insurance company with 1,001-5,000 employees

Jun 25, 2017

Download

Provides management with the adaptive security device manager.

What is most valuable?

It is good for firewalls, management with the adaptive security device manager (ASDM), and tools such as packet tracers for troubleshooting.

It’s a really good firewall which is easy to manage, but it is not a Next Gen firewall.

Firewall functionality is the main issue when buying this product. We use it to segment our DMZs, it is stateful firewalling, is highly reliable with zero outages, and impeccable failovers during upgrades.

The ASDM is the management tool to administer the ASAs via the GUI. It has an easy to use interface with very nice troubleshooting tools, such as Packet Tracer. This tool lets you simulate a traffic flow so you can see why flows don’t work.

How has it helped my organization?

It is a very reliable border firewall which makes it easy for us to organize and secure our DMZs.

What needs improvement?

The SSL VPN portal could be better.
The ASAs support both IPSEC as an SSL VPN.
For IPSEC you need a Cisco VPN client.
You can only have two SSL VPN sessions.
For more SSL sessions you have to pay (750 IPSEC sessions are included with an ASA).
With SSL, you connect through a browser, so it is clientless. The SSL portal offers a few functionalities which you can offer a user. Configuring this portal is not an easy task.

For how long have I used the solution?

We have been using the solution for almost five years.

What do I think about the stability of the solution?

We didn't encounter any issues with stability.

What do I think about the scalability of the solution?

Scalability is limited depending on the chosen model.

How are customer service and technical support?

I would give technical support a rating of 9/10. Cisco is one of the best, if not the best, in support.

Which solution did I use previously and why did I switch?

We chose FortiGate from Fortinet as our Next Gen Firewall solution because of the higher value for our money.

How was the initial setup?

The setup was easy with lots of documentation and configuration examples provided.

What's my experience with pricing, setup cost, and licensing?

You have to negotiate well.

Which other solutions did I evaluate?

We did not evaluate any alternative options for stateful firewalling.

What other advice do I have?

You will want to have Next Generation functionality, so choose FortiGate or Cisco Firepower.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

Kiarash Barzoodeh

Senior Network Designer at ODI

Jun 25, 2017

Download

You can extend your visibility in network infrastructure for monitoring.

What is most valuable?

The Advanced Malware Protection and Security Group Tag (SGT) are valuable features. You are able to integrate all the networks by using SGT with the pxGrid service. This is built-in technology in Cisco devices and services.

How has it helped my organization?

You can extend your visibility in network infrastructure for monitoring. You can absolutely give your users a better experience. When you use .1X for user authentication:

Users login just one time
You can control all user access to the internet, data center resources, and across the network.

What needs improvement?

After Firepower V6.1, Cisco added bandwidth shaping on the FTD product. This feature is a little bit weak. You cannot have customized shaping in different projects.

For how long have I used the solution?

I have used this product, as well as Cisco Firepower Threat Defense, for about two years.

What do I think about the stability of the solution?

I have heard about some bugs, but I have never encountered any.

What do I think about the scalability of the solution?

This product is very scalable in our experience.

How was the initial setup?

It is easy to initialize. For advanced configurations, it is sometimes complicated.

What's my experience with pricing, setup cost, and licensing?

The base license is delivered with the device. This license includes IPS and user authentication. You should buy a license for an IPS update. You should also buy another license for AMP and URL filtering.

These are the important licenses: BASE, IPS, AMP, and URL filtering. Apart from the base license, the other licenses are subscription based for one, three, or five years.

Which other solutions did I evaluate?

I evaluated many products, such as CheckPoint, Palo Alto, Fortinet Firewall, Sophos, and Cyberoam Firewall.

What other advice do I have?

This product is very usable when you need integrity in your network. This product is very functional when you use a Cisco Identity Services engine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user560229

Security Engineer at a healthcare company with 1,001-5,000 employees

Mar 31, 2017

Download

I especially value Change Management and Compliance. They are most valuable because we are required to comply with regulations - PCI and HIPAA.

What is most valuable?

I especially value Change Management and Compliance. They are most valuable because we are required to comply with regulations regarding credit card processing (PCI) and protecting patient data (HIPAA).

How has it helped my organization?

This product has made visible some areas that were previously hidden.

What needs improvement?

There are many areas for improvement despite the fact that we love the product, but because it is a newer version we’ve been working out lots of issues. Some of those issues are based on our environment.

For how long have I used the solution?

I have used the product for 1.5 years with nearly a year for this version.

What do I think about the stability of the solution?

We did not have any problem with the previous (v7) version but when we upgraded to (v8) the new version, we were well aware that there would be some bugs and issues that would require resolution.

What do I think about the scalability of the solution?

We have had no scalability issues.

How are customer service and technical support?

Tech Support is awesome. I never get someone who has no clue what they are doing. These guys are well trained and know their stuff.

Which solution did I use previously and why did I switch?

We did not use a previous solution. FireMon was implemented as part of a security mandate and we chose this product over its competitors.

How was the initial setup?

Setup was pretty simple, because we implemented the single server model.

What's my experience with pricing, setup cost, and licensing?

We purchased licenses for our High Availability (HA) devices as well but they were not really needed.

Which other solutions did I evaluate?

I was not the researcher and decision maker. I inherited the tool.

What other advice do I have?

To make sure they have the cooperation of the networking team that supports the firewalls. It has been difficult for us to get the tool working to its full potential because our network team is resistant to some of the things we want to monitor.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

it_user206346

Security Consultant at Webernetz.net - Network Security Consulting

Mar 11, 2015

Cisco ASA vs. Palo Alto Networks

Cisco ASA vs. Palo Alto: Management Goodies

You often have comparisons of both firewalls concerning security components. Of course, a firewall must block attacks, scan for viruses, build VPNs, etc. However, in this post I am discussing the advantages and disadvantages from both vendors concerning the management options: How to add and rename objects. How to update a device. How to find log entries. Etc.

Cisco ASA

Fast Management Suite: The ASDM GUI is really fast. You do not have to wait for the next window if you click on a certain button. It simply appears directly. On the Palo, each entry to add, e.g., an application inside a security rule, takes a few seconds.
Better “Preview CLI Commands”: I am always checking the CLI commands before I send them to the firewall. On the Cisco ASA, they are quite easy to understand. I know, Palo Alto also offers the “Preview Changes”, but it takes a bit more time to recognize all XML paths.
Better CLI Commands at all: For Cisco admins it is very easy to parse a “show run” and to paste some commands into another device. This is not that easy on a Palo Alto firewall. First, you must change the config-output format, and second, you cannot simply paste many lines into another device, since the ordering of these lines is NOT correct by default. That is, it simply doesn’t work.
ACL Hit Count: I like the hit counts per access list entry in the GUI. It quickly reveals which entries are used very often and which ones are never used. On the Palo, you can only highlight the never used ones. Furthermore, the CLI on the ASA splits each ACL into the real objects with individual counters. Great!
Many SNMP OIDs: There are many options to monitor the ASA via SNMP. On the Palo Alto, e.g., you can not monitor sub-interfaces. This is really bad. Only the bare metal ethernet ports reveal counters.

Palo Alto PA

Out-of-Band Management Interface: Even the smallest PA-200 device has its own management interface with its own routing table (default route). This makes it easier to permit/deny admin accesses to this host. E.g., there is no confusion between an access to the SSL VPN and an access to the management GUI since they reside on different interfaces and IP addresses.
Browser-based GUI: No Java, no client. Just a simple browser. It is also manageable through SSL VPN portals.
In-Band Interface Management Profiles: On the ASA, every access through different interfaces and different protocols needs its own line to be configured (Management Access -> ASDM/HTTPS/Telnet/SSH). Management access is denied per default, while ping is allowed by default. Both must be set in different menus. Not on the Palo: Interface Mgmt with a few clicks and optional IP addresses, configurable on several interfaces.
–> Single Security Policy: All interfaces AND site-to-site VPNs are in zones. All security policies between these zones are in one security policy. On the ASA, you don’t have the ACLs for the VPNs in the ACL view of the interfaces since you must specify extra ACLs to the group policy of the VPN.
Zone Based Security Policies: A policy from zone A to zone B only takes effect for this pair of zones. The “incoming interface” policies on the ASA always have a destination of “any” zone. Though the destination addresses can be limited, it is more complicate to configure the policies if there are several interfaces in use (and not only inside and outside).
Network Objects in Slash-Notation: Add a host or a network object by typing “1.2.3.0/24″. On the ASA, you have three fields for the same object: host or network, IP address of the network, and netmask (in 255.x.x.x notation!) for the network.
Tags: A simple but useful feature are the coloured tags that can be used in policies and objects. With these tags, temporary policies or the like can easily be marked.
–> Managing all Un-Commited Changes: One of the best features! Configuration changes can be done in any menu of the Palo Alto, showing the candidate config in all other menus right now, even without a commit. If you rename an object here, it is visible with this new name there. (Try to change the IP-address and the default gateway on a remote Cisco ASA firewall by one step. You won’t succeed until you are using the CLI.)
Simple Renaming of almost Everything: (Except subinterfaces) Address objects, address groups, zones, security profiles, IPsec tunnels – everything can be renamed. Try to rename an IPsec connection profile on the ASA. Or an interface name. It won’t work or you will get tons of CLI changes.
History of Configuration Changes: Ever tried to revert to the config from last day? No problem: Load configuration version.
Configuration Log: Ever wondered who changed something? Here it is: Monitor -> Logs -> Configuration. An exact list of all configuration changes with the name of the administrator.
Config Audit: Comparison of two configurations, such as of the running-config and any other historical config on the device. Great feature to find certain configuration changes.
–> Traffic Log Filtering: This is one of the MAJOR advantages of a Palo Alto GUI. It is really simple to click some objects to filter the traffic log. Or to build more precise filters. “eq” and “neq” are your friends. Forget the Real-Time Log Viewer from Cisco.
Adjust Columns: Or even the possibility to adjust the columns. On the ASDM GUI from Cisco, some pages are per default to small to show the relevant values, e.g., the Monitoring -> Routing -> Routes pane.
Application Command Center: A simple but useful monitoring tool within the GUI. You are searching for the IP that generates high traffic load during the last hour? Here you will find it. What source country is responsible for the attacks during the last week? Here you go.
–> Route-Based VPN: A site-to-site VPN connection is built by two gateways, independent of the traffic being routed through the tunnel. Numbered tunnel-interfaces can be used to ping the tunnel endpoint of the other side. The decision where to route the traffic is based on the routing table and not on a policy. The Cisco firewall uses policy-based VPNs in which the Proxy-IDs per connection define the tunneled networks. A bit unhandy.
–> IKE Policy per VPN: Every gateway has its own IKE profile configured. Different IKE settings can be used for different VPNs. The Cisco has global IKE parameters.
Own Zones for VPNs: Site-to-Site VPNs can be in extra zones. On the ASA, VPNs are always associated with the “outside” interface, which is complicated for using NAT policies.
Reasonable Default Crypto Settings: The default groups for the IPsec phase 1 and phase 2 crypto profiles have almost secure settings. Very good compared to the Cisco ASA, which really installs a view default profiles, e.g., an IKE policy with an encryption algorithm of “DES”. Yes, not 3DES, but only simple DES! Oh oh.
Retrieve License Keys from Server: Really cool feature. And very easy to use for the customer. Once the authorization code is added in the Palo Alto support portal, the firewall can retrieve its license via https. No need for any further activation keys.
Built-In Software Archive: Firmware versions can be downloaded directly through the GUI. No need for further logins, downloads from the vendor page and uploads to the unit. Just “Download” and “Install”.
Enough Disk Space for several Softwares: On my (small) Cisco ASA 5505, the built-in flash disk has only 128 MB. That is, I cannot even do a simple software upgrade because the free disk space does not fit for two ASA images. (I have an ASA and ASDM image as well as three AnyConnect images on the fash memory.) What a mess!
Sync Software to HA Member: Every software that is downloaded on the primary firewall can automatically be synced to the secondary device. This is not true on the Cisco ASA, which is really annoying when it comes to AnyConnect remote access VPN client images. If these are not uploaded manually on the second device, the other HA unit will not terminate VPN tunnels in case of a HA active-unit swap. Oh oh!
HA Status in GUI: With the High Availability widget, the status of the HA is visualized with green/orange/red bubbles. It shows which unit is the active/standby one. Since the PA has a real OoB management, the admin can access both devices simultaneously and can see which hardware is the active and the passive one. The Cisco ASA swaps its IP addresses and has no OoB management, so it is harder to see which hardware is the primary and the secondary one, since its IP addresses swap, too.
NTP Servers with Names: I know that NTP servers should be set via IP addresses to not rely on another service (DNS), but it is much more easier to use names such asde.pool.ntp.org or the like. This can be done on the Palo Alto, but not on the Cisco firewall.
No “bring to top” GUI: During the start of Cisco’s ASDM, it always brings its GUI to the top of all windows. In my opinion, this is annoying. During the 30-60 seconds until the whole device config is loaded into the GUI, I am working on other things. But these are generally disrupted from the highlighting of the ASDM GUI. This does not happen with the Palo Alto GUI which is in one tab of my browser.

(The major advantages are marked with an –> arrow.)

Summary

In summary, I really love the management GUI from the Palo Alto. Not hard due to the list of more than 20 advantages over the Cisco ASA platform. Though it is slower than the ASDM GUI from Cisco, it offers much more useful capabilities for the daily work. Great!

Originally published on blog.webernetz.net.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user603888Sr. Information Security Officer (ISO) at a financial services firm with 501-1,000 employees

Report as inappropriate

Feb 24, 2017

Mostly Enterprise firms they're using both, would be Palo Alto using in core and gateway traffic.

See all 3 comments

ChrisDaly

Senior Solution Architect at Teras Solutions Limited

Mar 14, 2024

Download

Used for deep packet inspection, Internet Edge functionality, IDS, and IDP

Pros and Cons

"We use the solution for deep packet inspection, Internet Edge functionality, IDS, and IDP."

"The solution’s GUI could be better."

What is our primary use case?

I deployed the Cisco Secure Firewall at the Internet Edge for the most part.

What is most valuable?

We use the solution for deep packet inspection, Internet Edge functionality, IDS, and IDP.

What needs improvement?

The solution’s GUI could be better.

For how long have I used the solution?

I have been using Cisco Secure Firewall for six years.

What do I think about the scalability of the solution?

Cisco Secure Firewall is a scalable solution that allows you to add capacity.

How was the initial setup?

The solution’s initial setup is straightforward.

What's my experience with pricing, setup cost, and licensing?

The solution’s pricing is competitive.

What other advice do I have?

I rate the solution's ease of management and configuration an eight out of ten. I would recommend Cisco Secure Firewall to other users based on what they want it for and a combination of price point and supportability.

Overall, I rate the solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

Mohd.Rivai

Network Security Engineer at a tech services company with 201-500 employees

Jan 15, 2021

Download

Good UI but too expensive and not very stable

Pros and Cons

"The user interface, the UI, is excellent on the solution."

"The stability is not the best."

What is our primary use case?

I primarily use the solution for the IPsec only.

What is most valuable?

The user interface, the UI, is excellent on the solution. Let's say you want to check the real-time locker - you can create it by the UI using ADSM.

What needs improvement?

The VPN portion of the solution isn't the greatest.

The stability is not the best.

The solution is far too expensive.

For how long have I used the solution?

I've been working with the solution for about six months, or maybe a little bit less than that.

What do I think about the stability of the solution?

I haven't found the stability to be very good. The IPsec stability leaves a lot to be desired. They really need to work on the solution's stability capabilities.

In ASA, I built the IPsec between ASA and Fortigate due to the fact that most of the time I have to restart the timer to flow the data.

What do I think about the scalability of the solution?

We only have two to three users who directly deal with the solution within our company. Overall, we have between 100-200 employees. We haven't really scaled it.

I personally would prefer not to use ASA going forward. However, I don't know if the company itself has any plans to increase usage or not.

How are customer service and technical support?

While I've dealt with Cisco technical support in the past on other solutions, I have not contacted them in regards to this specific product.

That said, my past experience with Cisco technical support has been very positive and I found them to be very helpful in general. I just can't speak to this specific product.

How was the initial setup?

I was pretty junior when the solution was initially implemented in the organization. For that reason, I did not take an active role in implementing the solution. I wouldn't be able to really discuss the setup specifics or the level of difficulty.

I'm not exactly sure who handles maintenance, if any, within our organization.

What's my experience with pricing, setup cost, and licensing?

The licensing is quite expensive. I don't have the exact amount, however, it's my understanding that it's a very pricey solution. There's a lot of competition out there, including from Fortigate, which offers just as good, if not better products.

What other advice do I have?

I'm not overly familiar with ASA. I only work with it on an administration level.

I work with the latest version and I use the ASDM version server.

I wouldn't recommend that an organization choose ASA as a solution. They should look into other options.

Overall, I would rate the solution at a six out of ten. We haven't had the greatest experience.

Which deployment model are you using for this solution?

On-premises

Disclosure: I am a real user, and this review is based on my own experience and opinions.