Cisco Secure Firewall Reviews

Our primary use case is for handling office traffic VPN tunnels and filtering the traffic. All the traffic comes into the house and gets filtered in and out the Firepower interface. It's performed well.

Because of the deeper inspection it provides we have better security and sections that allow users broader access.

With this solution, you can have an inspection of each package and see what the threat level it's at. It has made the work more dynamic. We don't have to block as much like we had to in the old days.

They should develop a web interface that is actually useful. Currently, we still have an issue where you have to go in and do manual configuring by the command line if you want certain functions in it. This means that we need to find people at a higher technical level to be able to do changes in those things. It would be much easier if you had a more friendly user interface basis where you don't have to go in and do the command line off.

They should be a little bit faster sometimes in updating their threat protection. Cisco should redo their website so it's actually usable in a faster way.

Stability is fantastic. 

We are a rather small firm so we don't have much growth leads but there is a wide range of firewalls that I can expand onto. We can also set up cluster solutions. It's rather indefinite in its expandable possibilities.

I've only had to use their technical support once. Otherwise, I haven't had to use them.

We were using SonicWall before.

The initial setup is very complex but once it's done, it's fantastic. 

I would rate it a nine out of ten. Not a ten because of the horrible initial setup and because you can't handle all operations from one interface. You have to go back into the command line to even be able to type program language, even though you have a graphic user interface for it but it doesn't work properly.

For the AWS version, Cisco is our primary use. We have our own appliances and products, which are indicated as Cisco ASA. So, we test these product against Cisco ASA using different types of rules for new cases. During the test process, we make sure the integration works. 

We have been using the solution for two years.

Right now, it serves a purpose and has everything that we need. Performance-wise, it is top-notch.

It is a comprehensive suite and complete package. We have the following with the product:

• Interest point detection
• Firewall stuff
• VPN
• It's configurable.
• It guards with its own threat intelligence. 

We find that virtual instances are helpful because they are easy to use on AWS Marketplace, as they are On Demand. We have a lot of traffic on AWS. Therefore, to monitor the traffic rather than using on-premise, we use virtual instances of Cisco ASA. This is pretty easy to use and we receive value off of it.

Cisco ASA should be easier to use. It is a bit tough to navigate and see what is going on. While I like the UI and dashboards of Cisco ASA, if you compare them to Palo Alto or Fortinet, they have much richer UIs. An analyst (or anyone) can see them, and say, "I have got all these important pointers on my dashboard." However, with Cisco ASA, we need to dig into many things and go to many views to see what is actually there.

It is stable. We put a good amount of stress on it.

Especially for the AWS version, we can spin up multiple instances and do load-balancing. 

We have 15 to 20 Cisco ASA switches with a couple of physical appliances and twelve machines. Our team is using four to five machines.

It is all self-guided, and we were already using the physical appliances. Therefore, we knew how to use the product.

Our individual release cycle has been quicker because the entire development and testing environment has been automated because of these virtual instances. It has aligned our development workflow. This is where we have seen the ROI increase. 

For example, if you are working with a physical appliance, then you need to have a dedicated lab administrator to work with it, even to test a simple use case. This takes time because we would need to frequently reset that appliance and load all the data. It is no longer like that.

Purchasing from the AWS Marketplace was easy. It was just point and click.

It is pay-as-you-go, so it much cheaper than buying in the plants.

We also checked Fortinet and Palo Alto, their AWS versions. 

When compared products, Cisco ASA is easy on AWS. We received a trial version. It is easy to setup and evaluate.

We also already had Cisco products. This provided a tighter integration with what we already had. Since most of our traffic stays in AWS, it made sense to use AWS Cisco ASAv.

Once you deploy a virtual database or virtual machine for any product, like Cisco. The first thing to do with your data is test it. So, you need to be prepared with the test that you want to test before you deploy the instances. Because after deploying instances, you wait and see what the data come back with, how to configure it, and review what doesn't work. Therefore, you need to do some background homework before starting, such as what type of data you need to put into it, how to test it, and will the system process it.

We have used both the on-premise and AWS version. We started using AWS in the past six to seven months. Prior to that, we used the on-premise version. The AWS version is better as it is quick to spin up and configure. Also, with AWS, everything is preset, and it is more flexible.

We have it integrated with many other products, like threat intelligence and analytics. For example, all our logs go into Splunk, then we receive our analytics from there. We also have Splunk on AWS. Thus, all the data stays on the cloud, so there is no latency, etc.

IT landscape is dynamic, requiring security policy, controls, and visibility to be better than ever. 

• 1Gbps
• Multi-service
• Beats sophisticated cyber attacks with a superior security appliance.
• IT landscape is dynamic.
• Requires security policy, controls, and visibility to be better than ever. 

This applies to all ASA-related Management/to-the-box traffic, like SNMP, SSH, etc., with Firepower services combined with our proven network firewall along with the industry’s most effective next-generation IPS and advanced malware protection. Therefore, you can get more visibility, be more flexible, save more, and protect better.

Historic events related to security incidents. My organization must have a unified strategy for event logging and correlation.

The Cisco Product Security Incident Response creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco ASA.

The Cisco ASA device needs overall improvement, as configurations alone do not completely secure my network. The operational procedures in use on the network contribute as much to security as the configuration on devices.

There is 24/7 support anytime, anywhere.

Before, I did not manage my private network well (or professionally). For this reason, I have been updating products.

Commercial leasing is the best option.         

Malicious URLs are being blocked.

Advanced malware protection, it blocks malicious attacks.

• Bandwidth allocation.
• SSL decryption (avoid installing the intermediate device certificate in the client) should happen from Firepower itself.
• Critical bugs need to be addressed before releasing the version.
• Need to reduce the time to for detection of new threats.
• Enable a feature for importing/exporting logs when required for analysis.
• Dynamic IP address in client systems mapping with respect to OS change or device change should be updated periodically in FireSIGHT management.
• Virtual patching would be helpful for servers that are not able to update patches due to compatibility issues.

Yes, there were stability issues due to memory issues in the cluster environment and Firepower misbehaved due to non-responding of service/process.

No scalability issues.

Good support.

We switched from our previous solution because of scalability issues.

It was straightforward, even though we migrated from a third-party to Cisco.

Price should be judged based on the above answers, among the most capable vendors.

FortiGate.

We are using ASA5585-X with Firepower SSP-20 (ASA version 9.6(1)3, Firepower version 6.1.0.5).

When looking at different solutions, take a deep look at the features.

It is good for firewalls, management with the adaptive security device manager (ASDM), and tools such as packet tracers for troubleshooting.

It’s a really good firewall which is easy to manage, but it is not a Next Gen firewall.

Firewall functionality is the main issue when buying this product. We use it to segment our DMZs, it is stateful firewalling, is highly reliable with zero outages, and impeccable failovers during upgrades.

The ASDM is the management tool to administer the ASAs via the GUI. It has an easy to use interface with very nice troubleshooting tools, such as Packet Tracer. This tool lets you simulate a traffic flow so you can see why flows don’t work.

It is a very reliable border firewall which makes it easy for us to organize and secure our DMZs.

• The SSL VPN portal could be better.
• The ASAs support both IPSEC as an SSL VPN.
• For IPSEC you need a Cisco VPN client.
• You can only have two SSL VPN sessions.
• For more SSL sessions you have to pay (750 IPSEC sessions are included with an ASA).
• With SSL, you connect through a browser, so it is clientless. The SSL portal offers a few functionalities which you can offer a user. Configuring this portal is not an easy task.

We have been using the solution for almost five years.

We didn't encounter any issues with stability.

Scalability is limited depending on the chosen model.

I would give technical support a rating of 9/10. Cisco is one of the best, if not the best, in support.

We chose FortiGate from Fortinet as our Next Gen Firewall solution because of the higher value for our money.

The setup was easy with lots of documentation and configuration examples provided.

You have to negotiate well.

We did not evaluate any alternative options for stateful firewalling.

You will want to have Next Generation functionality, so choose FortiGate or Cisco Firepower.

The Advanced Malware Protection and Security Group Tag (SGT) are valuable features. You are able to integrate all the networks by using SGT with the pxGrid service. This is built-in technology in Cisco devices and services.

You can extend your visibility in network infrastructure for monitoring. You can absolutely give your users a better experience. When you use .1X for user authentication:

• Users login just one time
• You can control all user access to the internet, data center resources, and across the network.

After Firepower V6.1, Cisco added bandwidth shaping on the FTD product. This feature is a little bit weak. You cannot have customized shaping in different projects.

I have used this product, as well as Cisco Firepower Threat Defense, for about two years.

I have heard about some bugs, but I have never encountered any.

This product is very scalable in our experience.

It is easy to initialize. For advanced configurations, it is sometimes complicated.

The base license is delivered with the device. This license includes IPS and user authentication. You should buy a license for an IPS update. You should also buy another license for AMP and URL filtering.

These are the important licenses: BASE, IPS, AMP, and URL filtering. Apart from the base license, the other licenses are subscription based for one, three, or five years.

I evaluated many products, such as CheckPoint, Palo Alto, Fortinet Firewall, Sophos, and Cyberoam Firewall.

This product is very usable when you need integrity in your network. This product is very functional when you use a Cisco Identity Services engine.

I especially value Change Management and Compliance. They are most valuable because we are required to comply with regulations regarding credit card processing (PCI) and protecting patient data (HIPAA).

This product has made visible some areas that were previously hidden.

There are many areas for improvement despite the fact that we love the product, but because it is a newer version we’ve been working out lots of issues. Some of those issues are based on our environment.

I have used the product for 1.5 years with nearly a year for this version.

We did not have any problem with the previous (v7) version but when we upgraded to (v8) the new version, we were well aware that there would be some bugs and issues that would require resolution.

We have had no scalability issues.

Tech Support is awesome. I never get someone who has no clue what they are doing. These guys are well trained and know their stuff.

We did not use a previous solution. FireMon was implemented as part of a security mandate and we chose this product over its competitors.

Setup was pretty simple, because we implemented the single server model.

We purchased licenses for our High Availability (HA) devices as well but they were not really needed.

I was not the researcher and decision maker. I inherited the tool.

To make sure they have the cooperation of the networking team that supports the firewalls. It has been difficult for us to get the tool working to its full potential because our network team is resistant to some of the things we want to monitor.