PeerSpot user
IT SecOps Manager at a computer software company with 1,001-5,000 employees
Vendor
The best features are NAT, transport-layer inspections, and VPN

What is most valuable?

Cisco ASAs are great network firewalls and they can work for years after being configured. The best features are NAT, transport-layer inspections, and VPN.

How has it helped my organization?

With ASAs, we can keep operational expenses as low as possible. Disaster risks should be observed as usual, but this is definitely not the weak point.

What needs improvement?

I would like to see new SW versions being more stable and HW performance increase. However, the new 2000 series has high performance, but it is not shipped widely so far.

For how long have I used the solution?

I started using Cisco firewalls when old PIX models were produced. I then observed all model changes. This makes about 10 years of continuous experience.

Buyer's Guide
Cisco Secure Firewall
November 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,562 professionals have used our research since 2012.

What do I think about the stability of the solution?

There are no real stability issues, if upgrades are done carefully.

What do I think about the scalability of the solution?

I believe scalability issues are caused by poor design.

How are customer service and support?

Cisco technical support makes a good impression most of the time.

Which solution did I use previously and why did I switch?

Some of my customers switched from ZyXel to Cisco and this is an obvious decision for me. It will be much harder to imagine a customer replacing Check Point or Fortinet with Cisco.

How was the initial setup?

The initial setup should not be left to the customer. The best way to do this is to make a basic setup and integration along with cabling and power-up, then verifying requirements and adjusting the configuration.

What's my experience with pricing, setup cost, and licensing?

Basic features and IPs can work without subscriptions. All next-generation features require per-year payments. Enterprise customers usually agree with price and license fees, so I don't see any painful issues with pricing and licensing.

Which other solutions did I evaluate?

I compared Cisco with Fortinet, Check Point, and DIY solutions.

What other advice do I have?

All you need to succeed is careful design, professional setup, and a support contract.

Disclosure: My company has a business relationship with this vendor other than being a customer: We have been Cisco channel partners for over 15 years.
PeerSpot user
Senior IT Networking and Security Manager at a tech services company with 10,001+ employees
Real User
It is supported on many platforms and helps us gain access to the network.

What is most valuable?

There are a lot of features which are good and can be implemented, especially in the latest IOS version of the product.

They saved me a lot of time thinking how to solve different scenarios with other solutions.

Cisco AnyConnect for remote access is one of them. It is supported on most of the platforms, which business users use. They can gain access to the network, via functions like PBR, Security groups, contexts, and DNS doctoring. This gives a lot of flexibility to the product.

How has it helped my organization?

It gave us a more secure environment and a lot of flexibility to the business.

What needs improvement?

The next-generation part of these products needs a better approach. A lot of vendors are definitely a step or two in front of them.

For how long have I used the solution?

I have worked with these types of firewalls for more than 10 years.

What do I think about the stability of the solution?

I can say that this product is one of the most stable products I have ever worked with.

What do I think about the scalability of the solution?

In terms of scalability, this always depends on how the product was chosen and what purpose it will work for. I haven't experienced any issues with the scalability of the product.

How are customer service and technical support?

In terms of technical support, it depends on the different cases. I would surely give Cisco technical support a rating of 9/10.

Which solution did I use previously and why did I switch?

I used to work with open source solutions, but the support and complication behind them were definitely not OK. If you want to have flexibility and stability, you have to move on to something that receives more development in that specific area.

How was the initial setup?

The initial setup was straightforward and there was a lot of documentation that can help out with specific cases.

What's my experience with pricing, setup cost, and licensing?

This is definitely not a cheap solution, but I think it is worth the investment.

Which other solutions did I evaluate?

We evaluated other solutions like Juniper, but we chose Cisco, since our network was becoming more and more Cisco oriented.

What other advice do I have?

I would recommend that you understand the needs of the business case before choosing the product and start implementing it. It is very important to choose the right licenses from the beginning.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Consultant at a tech services company with 501-1,000 employees
Real User
Detection engine and historical file analysis ease threat investigations
Pros and Cons
  • "The Firepower IPS, based on Snort technology, has an amazing detection engine and historical analysis capability of files that eases threat investigations a lot."
  • "I would like to see more integration with third-party devices in general. There is great integration with Cisco devices, but there's not much integration with third-party devices."

What is our primary use case?

Cisco next-generation firewalls are mainly used either for data center protection - north-south traffic - or internet traffic.

How has it helped my organization?

The application and user visibility and control, along with very powerful IPS and malware protection, enable our clients to secure their data centers and internet perimeter in a much better way. It provides them with traffic visibility and reporting as well.

The main advantage is when you put it between users and servers internally or between different VLANs in the network. You have full visibility over the traffic, over all the internal applications. Usually, there's a lot of traffic that is not very clear and no one knows what is on their network. So, once you deploy it internally, you have full visibility over the internal traffic, who's accessing what, which protocol. It can directly detect all kinds of malicious traffic, traffic that abuses bandwidth.

It makes different kinds of internal behavior that is useful to a network admin. And for security of course: Any kind of file infection, any kind of internal scanning, internal attacks; it gives you full visibility.

Finally, you have communication of VLANs, internally, in the network, of course. So you have a granular access control based on user and application, instead of IP and port as you would have with a traditional firewall.

What is most valuable?

During the first phase of use, it was an extra module on standard Cisco ASA firewalls. It then became a standalone solution known as FTD, Firepower Threat Defense.

The Firepower IPS, based on Snort technology, has an amazing detection engine and historical analysis capability of files that eases threat investigations a lot.

I value the integration with other products (Cisco ISE, Cisco Endpoint AMP) which increases the protection intelligence within the enterprise by sharing security info between different products, which function on different layers. It furnishes fully connected security.

It also provides detection of the client operating system, which gives very good reporting and correlation with the signatures. It can relay the signature IP to the client operating system, to give a better correlation decision.

What needs improvement?

Some ASA known features are still missing, but are being added bit by bit in each new version release, such as:

  • Remote Access VPN (the last release only supported the 2100 series): The next firewall model version is expected to support Remote Access VPN in the next software release in July 2017.
  • Virtualization of the appliance (multiple contexts) is still missing.
  • You always need an external management system, the onboard one is not very good. You have to use FMC, FirePOWER Management Center, as external software. There's always an add-on, whereas all the competition has an onboard management interface.

I would like to see more integration with third-party devices in general. There is great integration with Cisco devices, but there's not much integration with third-party devices.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We did not encounter any issues with stability. Cisco Firepower FW is very stable in all of the deployments we have made.

What do I think about the scalability of the solution?

The scalability is very good. They have a clustering mechanism, so you can start with an appliance and then cluster, adding more bandwidth and nodes into your cluster. If you don't have a big budget you can start with a medium appliance and then cluster appliances. Or if you want to buy it all in one shot, there is a big range.

Although it allows scaling by adding multiple firewalls together (clustering), we have never used that, as all new hardware supports high-performance throughput and connections at a reasonable price.

How are customer service and technical support?

Technical support is perfect. Cisco is always known for its good technical support. We have never had any issues with them.

Which solution did I use previously and why did I switch?

As a Cisco Gold Partner, we always proposed Cisco firewalls for our clients.

How was the initial setup?

The setup was straightforward. A new Cisco FTD can be set up and running in a couple of hours. If you're used to firewalls you can quickly get along with it. There is nothing complicated.

The time to deploy is short. But the time to tune and create the policies involves a learning phase. Traffic changes over time, so the tuning of firewall rules, which has to be as granular as possible, takes a bit of time. But to deploy and go live is fast.

The strategy is to start with high-level security policies and then monitor the traffic and the applications affected. Then on the detection logs, create more granular rules.

What's my experience with pricing, setup cost, and licensing?

It has a great performance-to-price value, compared to competitive solutions. Subscriptions are annual. The licensing fee and standard support are the only costs we pay for.

Which other solutions did I evaluate?

We did not evaluate any alternative solutions.

What other advice do I have?

Make sure you tune your rules very well, as some clients just leave the firewall as it is and don't maintain the access rules or tighten them to be more granular and efficient.

In terms of maintenance, you need one person for security analysis and one to create rules and for daily support.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Cisco Gold Partner.
PeerSpot user
Principal Network Engineer at a tech services company with 51-200 employees
Consultant
Provides the capability of the higher end firewall products to handle most network tasks without issues.
Pros and Cons
  • "It makes it very easy to have delineated roles and responsibilities between network engineering and network security."
  • "In my experience, a number of engineers get tunnel vision with devices. This is exacerbated by vendors fostering a silo mentality in disciplines."

How has it helped my organization?

It makes it very easy to have delineated roles and responsibilities between network engineering and network security.

What is most valuable?

I find the overall capability of the higher end firewall products to handle most network tasks without any issues. In addition, it is easy to train lower level help desk personnel on the GUI management.

What needs improvement?

People tend to think of firewalls as firewalls and routers as routers. Going by the book, I had to create a number of static routes in the firewall so it could reach the various subnets in my client's internal network. I decided to turn on OSPF routing to simplify my deployment. This resolved a lot of issues with remote VPN and site-to-site VPN tunnels.

In my experience, a number of engineers get tunnel vision with devices. This is exacerbated by vendors fostering a silo mentality in disciplines.

I cannot name the organization, but a large national non-profit in the medical field had too many network configuration problems because of the silo mentality.

Large Cisco ASA units have the capability to act as routers. This particular non-profit would not enable routing on the ASA until I explained that it would resolve a number of issues that they were experiencing and resolving by static routes, a second Cisco ASA, and a proxy server.

What do I think about the stability of the solution?

Stability issues did not occur in my experience, as long as we stayed with the correct image builds.

What do I think about the scalability of the solution?

There were no scalability issues.

How is customer service and technical support?

Customer Service:

Generally, we do not need customer support, so it is hard to rate.

Technical Support:

Generally we do not need technical support, so it is hard to rate.

How was the initial setup?

The initial setup at many clients' sites was straightforward. Very complicated networks take a lot of planning.

What about the implementation team?

We implemented the solution in-house.

What was our ROI?

We cannot determine ROI just yet.

What's my experience with pricing, setup cost, and licensing?

Always plan ahead for three years. In other words, do not buy a firewall on what your needs are today, but try to predict where you will be three years from now in terms of bandwidth, security requirements, and changes in organizational design. This applies to any vendor, not just this product. I find that I always need to buy a higher level product than the specifications request in order to be safe.

Which other solutions did I evaluate?

In locations where I have used Cisco ASA firewalls, I have compared FortiGate and SonicWall.

What other advice do I have?

I utilize different brands of firewalls depending on the needs of a client, i.e., in-house IT versus outsourced. I am vendor agnostic as much as possible.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Kiarash Barzoodeh, Senior Network Designer at ODI
Real User

Hello,
Respectfully, you are right about routing. Cisco ASA is one of the best firewalls that support routing. However, best practices say: do not use a firewall as a router, and it is better to use a firewall in transparent mode. Technically, a firewall is designed for access control or something like that, so in a high-routing environment, sometimes a firewall cannot handle routing as a router does.

it_user216468 - PeerSpot reviewer
Consulting Engineer at a tech services company with 5,001-10,000 employees
Consultant
It makes the discovery of applications and classification of user traffic simple but I'd like to see a roadmap for SSL decryption.

What is most valuable?

I'm most impressed with the visibility and control SourceFire solutions provide into the types of traffic flowing in and out of an environment. It makes the discovery of applications and classification of user traffic simple, which in turn allows an organization to more effectively develop security policies and enforce acceptable use for its enterprise users.

How has it helped my organization?

I've worked with customers that have dealt with malware issues in the past and preventing its spread laterally within the environment has always been a concern. With SourceFire, we've been able to detect malicious files and stop them at the network edge before internal systems are compromised. Leveraging AMP in addition to FireAMP, which is the endpoint malware solution, is incredibly effective at blocking malware at the host level. The other good news is FireAMP can be leveraged alongside traditional endpoint anti-virus software. The Defense Center also provides visibility into how malware is moving within the environment so tracking down infected machines becomes much easier for IT staff.

What needs improvement?

The overall product line is sound, but I'd like to see a roadmap for SSL decryption as part of the ASA with FirePOWER solution.

For how long have I used the solution?

I've been working with SourceFire product offerings since Cisco's acquisition of the company in late 2014. Prior to the officially branded Cisco solution, I'd worked with open source Snort in various capacities for several years. I've been using Cisco ASA with FirePOWER services, Cisco SourceFire NGIPS/NGFW most recently.

What was my experience with deployment of the solution?

Learning the advanced capabilities of the system can take time, but it's rather intuitive. I have not encountered issues deploying base functionality with the offerings at this point.

What do I think about the stability of the solution?

Overall, the systems are stable and IT admins have control into how the sensors operate within the network in the event of failure.

What do I think about the scalability of the solution?

There are scalability limitations with FirePOWER on the ASA, so determining anticipated throughput requirements is critical. The standalone IPS sensors can be stacked for increased throughput, so depending on your organization's needs, this may be a better path for some organizations concerned about scalability.

How are customer service and technical support?

Customer Service:

8/10.

Technical Support:

9/10.

Which solution did I use previously and why did I switch?

I've used Palo Alto's FW/IPS offerings and Cisco's older IPS platform on the ASA. Usually, I don't decide what organizations purchase, but I am impressed with SourceFire's capabilities over the latter.

How was the initial setup?

Initial setup is straightforward, but there is not much documentation available if you have no experience with the offering. I'd recommend training for all network admins that administer SourceFire systems, especially if you want to leverage some of the advanced features.

What other advice do I have?

Do research into the types of offerings out there and make a determination of what may be the best fit for your organization's requirements and future security goals.

Disclosure: My company has a business relationship with this vendor other than being a customer: The company I work for is partners with many tech vendors
PeerSpot user

Hey All,
I have been using Fortinet products for more than 10 years. I am studying a move to Cisco ASA5516 with source power. I would like to know how stable it is against FortiGate FG300D.

FortiGate firewall throughput numbers are totally different from the Cisco ASA5516.
Any help?

Information Security and Compliance Manager at RSwitch
Real User
Gives us a central point for applying rule changes, rather than logging in to each device
Pros and Cons
  • "Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches."
  • "We're getting support but there's a big delay until we get a response from their technical team. They're in the USA and we're in Africa, so that's the difficulty. When they're in the office, they respond."

What is our primary use case?

We are a payment switch and we deal with cardholder data and information. Our primary goal is to ensure the security of customers' payment data, that they are protected.

Our security maturity is now at a good level compared to the past. To be accepted to drive Visa and Mastercard, you have to pass security assessment audits and we have managed to pass all of them now, for some years.

Apart from our firewall, we have three security tools. We have a NAC, we have a SIEM, and our syslogs.

How has it helped my organization?

It's easy now because we have many Cisco devices in a central point. We don't need to log in to each device and apply rules to them. We can do it from the management control and apply them to the specific firewalls that we want to apply them to.

In addition, compared to our previous firewall solution, the security is much better. Through our monitoring, we now see all the information that we require on security, in terms of PCI. We can see exactly what is happening in our environment. We know what is going, what is going in and out. If an incident happens, it provides a notification so that we can do an analysis.

What is most valuable?

Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches.

Another important feature for us is user access. Now, we can base access on rules and specify that this or that user has privilege on the NG firewall. That was not available before. 

The IDS also makes it easy to detect abnormal traffic. When it sees such traffic in the environment, it sends a notification.

For how long have I used the solution?

We have been using Cisco Firepower NGFW Firewall for about two months.

What do I think about the stability of the solution?

The solution is stable. It's not hanging. With the firewalls from Cisco we are not facing a situation where devices are hanging because of too much traffic.

What do I think about the scalability of the solution?

The scalability is fine.

How are customer service and support?

We're getting support but there's a big delay until we get a response from their technical team. They're in the USA and we're in Africa, so that's the difficulty. When they're in the office, they respond.

Which solution did I use previously and why did I switch?

We migrated from Cisco AC520 to the Cisco NGFW. We have also used HPE and IBM switches, as well as FortiGate firewalls. We are now completely Cisco.

Previously, we were also using AlienVault and it was easy to integrate with Cisco devices.

How was the initial setup?

The initial setup is 50/50, between straightforward and complex. Migrating from Cisco to another Cisco product is okay, but migrating to Cisco from other network devices, like an IBM switch, is a bit tricky. You can't test the configuration to see if it's the same as what you're going to. But we managed with support from Cisco.

It took a month to complete the deployment.

Our implementation strategy was based on not upgrading everything at the same time. It was phased. We deployed a specific device and then we monitored everything to make sure everything looked okay, and then we moved on to the next one.

It requires a minimum of two people for deployment and maintenance, from our network and security teams.

What about the implementation team?

We used internal resources with support from Cisco.

What was our ROI?

We have gotten exactly what we're looking for, based on the company's requirements.

What's my experience with pricing, setup cost, and licensing?

The pricing is high.

Which other solutions did I evaluate?

Cisco NGFW's ability to provide visibility into threats is good compared to other solutions. The visibility is quite impressive and gives us what we're looking for, based on our security requirements.

What other advice do I have?

The scalability, the performance of the devices, the features, and the support, when looking at them combined, make the product a nine out of 10.

We're planning the deployment of Cisco ISE soon, to be like our NAC.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Network Engineer at LEPL Smart Logic
Real User
One-time licensing, very stable, and very good for small companies that don't want to do deep packet inspection at higher layers
Pros and Cons
  • "We find all of its features very useful. Its main features are policies and access lists. We use both of them, and we also use routing."
  • "The virtual firewalls don't work very well with Cisco AnyConnect."

What is our primary use case?

I have used the Cisco ASA 5585-X Series hardware. The software was probably version 9. We implemented a cluster of two firewalls. In these firewalls, we had four virtual firewalls. One firewall was dedicated for Edge, near ISP, and one firewall was for the data center. One firewall was for the application dedicated to that company, and one firewall was dedicated only to that application.

How has it helped my organization?

Dynamic policies were useful in the data centers for our clients. They were making some changes to the networks and moving virtual machines from one site to another. With dynamic policies, we could do that easily.

What is most valuable?

We find all of its features very useful. Its main features are policies and access lists. We use both of them, and we also use routing.

It is very stable. It is a very good firewall for a company that doesn't want to look at packets higher than Layer 4. 

What needs improvement?

The virtual firewalls don't work very well with Cisco AnyConnect. 

There are two ways of managing it. You can manage it through the GUI-based software or command-line interface. I tried to use its GUI, but I couldn't understand it. It was hard for me. I know how to use the command line, so it was good for me. You should know how to use the command-line interface very well to make some changes to it. Its management through GUI is not easy.

What do I think about the stability of the solution?

It is very stable. It has been five years since I have configured them, and they have been up and running.

What do I think about the scalability of the solution?

It is not very scalable. It is only a Layer 4 firewall. It doesn't provide deep packet inspection, and it can see packets only up to TCP Layer 4. It can't see the upper layer packets. So, it is not very scalable, but in its range, it is a very good one. What it does, it does very well.

How are customer service and support?

I have not worked with Cisco support for this firewall.

How was the initial setup?

It is not straightforward. You should know what to do, and it needs to be done from the command line. So, you should know what to do and how to do it.

From what I remember, its deployment took a week or 10 days. When I was doing the deployment, that company was migrating from an old data center to a new one. We were doing configurations for the new data center. The main goal was that users shouldn't know, and they shouldn't lose connectivity to their old data center and the new one. So, it was a very complex case. That's why it took more time.

What was our ROI?

Our clients have seen an ROI because they paid only once, and they have been using their firewalls for five years. They didn't have to pay much for anything else.

What's my experience with pricing, setup cost, and licensing?

I like its licensing because you buy the license once, and it is yours. We don't have to go for a subscription. So, I liked how they licensed Cisco ASA Firewall. Our clients are also very satisfied with its licensing model.

Which other solutions did I evaluate?

You cannot compare Cisco ASA Firewall with any of the new-generation firewalls because they are at a higher level than Cisco ASA Firewall. They are at a different level.

What other advice do I have?

It is a very good firewall for small companies that don't want to do deep packet inspection at Layer 7. It is not easy, but you can manage it. You should know how to use the command-line interface. Otherwise, it would be difficult to work with it.

For Cisco ASA Firewall, there will be no improvements because they will not make these firewalls anymore. They want to make changes to the next-generation firewalls, and they are killing the old ones.

I would rate Cisco ASA Firewall a 10 out of 10. I like it very much.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Johan Derycke - PeerSpot reviewer
Network Security Engineer at Smals vzw
Real User
Affordable, scalable, and suitable for a big traffic load
Pros and Cons
  • "The whole firewall functionality, including firewall policies and IPS policies, is valuable. It has all kinds of functionalities. It has IPS, VPN, and other features. They are doing quite a lot of stuff with their devices."
  • "It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness."

What is our primary use case?

We are using it to manage our environment.

What is most valuable?

The whole firewall functionality, including firewall policies and IPS policies, is valuable. It has all kinds of functionalities. It has IPS, VPN, and other features. They are doing quite a lot of stuff with their devices.

What needs improvement?

It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.

For how long have I used the solution?

I have been using this solution for five to ten years.

What do I think about the stability of the solution?

It is rather stable. It can have some peculiarities, but most of the time, it is quite stable.

What do I think about the scalability of the solution?

These are big devices. They have multiple models, but most of the models can be virtualized. You can create many virtual firewalls and add whatever you want.

How are customer service and technical support?

We faced some issues, but I don't deal with these issues. My colleague interacts with them, and it seems it is not that easy. Cisco is a large company, and sometimes, it is not easy to get quick and very efficient support.

What about the implementation team?

We have a firewall specialist who handles the installation.

What's my experience with pricing, setup cost, and licensing?

It is affordable. The hardware is not that expensive anymore. It is a matter of licensing these days. 

What other advice do I have?

It is a good solution for a big traffic load, but its management is not very easy. FortiGate is better in terms of management and user-friendliness.

I would rate Cisco ASA Firewall an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user