I'm most impressed with the visibility and control SourceFire solutions provide into the types of traffic flowing in and out of an environment. It makes the discovery of applications and classification of user traffic simple, which in turn allows an organization to more effectively develop security policies and enforce acceptable use for its enterprise users.
Consulting Engineer at a tech services company with 5,001-10,000 employees
It makes the discovery of applications and classification of user traffic simple but I'd like to see a roadmap for SSL decryption.
What is most valuable?
How has it helped my organization?
I've worked with customers that have dealt with malware issues in the past and preventing its spread laterally within the environment has always been a concern. With SourceFire, we've been able to detect malicious files and stop them at the network edge before internal systems are compromised. Leveraging AMP in addition to FireAMP, which is the endpoint malware solution, is incredibly effective at blocking malware at the host level. The other good news is FireAMP can be leveraged alongside traditional endpoint anti-virus software. The Defense Center also provides visibility into how malware is moving within the environment so tracking down infected machines becomes much easier for IT staff.
What needs improvement?
The overall product line is sound, but I'd like to see a roadmap for SSL decryption as part of the ASA with FirePOWER solution.
For how long have I used the solution?
I've been working with SourceFire product offerings since Cisco's acquisition of the company in late 2014. Prior to the officially branded Cisco solution, I'd worked with open source Snort in various capacities for several years. I've been using Cisco ASA with FirePOWER services, Cisco SourceFire NGIPS/NGFW most recently.
Buyer's Guide
Cisco Secure Firewall
October 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,528 professionals have used our research since 2012.
What was my experience with deployment of the solution?
Learning the advanced capabilities of the system can take time, but it's rather intuitive. I have not encountered issues deploying base functionality with the offerings at this point.
What do I think about the stability of the solution?
Overall, the systems are stable and IT admins have control into how the sensors operate within the network in the event of failure.
What do I think about the scalability of the solution?
There are scalability limitations with FirePOWER on the ASA, so determining anticipated throughput requirements is critical. The standalone IPS sensors can be stacked for increased throughput, so depending on your organization's needs, this may be a better path for some organizations concerned about scalability.
How are customer service and support?
Customer Service: 8/10.
Technical Support: 9/10.
Which solution did I use previously and why did I switch?
I've used Palo Alto's FW/IPS offerings and Cisco's older IPS platform on the ASA. Usually, I don't decide what organizations purchase, but I am impressed with SourceFire's capabilities over the latter.
How was the initial setup?
Initial setup is straightforward, but there is not much documentation available if you have no experience with the offering. I'd recommend training for all network admins that administer SourceFire systems, especially if you want to leverage some of the advanced features.
What other advice do I have?
Do research into the types of offerings out there and make a determination of what may be the best fit for your organization's requirements and future security goals.
Disclosure: My company has a business relationship with this vendor other than being a customer: The company I work for is partners with many tech vendors
Network Security Engineer at Smals vzw
Affordable, scalable, and suitable for a big traffic load
Pros and Cons
- "The whole firewall functionality, including firewall policies and IPS policies, is valuable. It has all kinds of functionalities. It has IPS, VPN, and other features. They are doing quite a lot of stuff with their devices."
- "It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness."
What is our primary use case?
We are using it to manage our environment.
What is most valuable?
The whole firewall functionality, including firewall policies and IPS policies, is valuable. It has all kinds of functionalities. It has IPS, VPN, and other features. They are doing quite a lot of stuff with their devices.
What needs improvement?
It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.
For how long have I used the solution?
I have been using this solution for five to ten years.
What do I think about the stability of the solution?
It is rather stable. It can have some peculiarities, but most of the time, it is quite stable.
What do I think about the scalability of the solution?
These are big devices. They have multiple models, but most of the models can be virtualized. You can create many virtual firewalls and add whatever you want.
How are customer service and technical support?
We faced some issues, but I don't deal with these issues. My colleague interacts with them, and it seems it is not that easy. Cisco is a large company, and sometimes, it is not easy to get quick and very efficient support.
What about the implementation team?
We have a firewall specialist who handles the installation.
What's my experience with pricing, setup cost, and licensing?
It is affordable. The hardware is not that expensive anymore. It is a matter of licensing these days.
What other advice do I have?
It is a good solution for a big traffic load, but its management is not very easy. FortiGate is better in terms of management and user-friendliness.
I would rate Cisco ASA Firewall an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Security Engineer at a tech services company with 201-500 employees
Good UI but too expensive and not very stable
Pros and Cons
- "The user interface, the UI, is excellent on the solution."
- "The stability is not the best."
What is our primary use case?
I primarily use the solution for the IPsec only.
What is most valuable?
The user interface, the UI, is excellent on the solution. Let's say you want to check the real-time locker - you can create it by the UI using ASDM.
What needs improvement?
The VPN portion of the solution isn't the greatest.
The stability is not the best.
The solution is far too expensive.
For how long have I used the solution?
I've been working with the solution for about six months, or maybe a little bit less than that.
What do I think about the stability of the solution?
I haven't found the stability to be very good. The IPsec stability leaves a lot to be desired. They really need to work on the solution's stability capabilities.
In ASA, I built the IPsec between ASA and Fortigate due to the fact that most of the time I have to restart the timer to flow the data.
What do I think about the scalability of the solution?
We only have two to three users who directly deal with the solution within our company. Overall, we have between 100-200 employees. We haven't really scaled it.
I personally would prefer not to use ASA going forward. However, I don't know if the company itself has any plans to increase usage or not.
How are customer service and technical support?
While I've dealt with Cisco technical support in the past on other solutions, I have not contacted them in regards to this specific product.
That said, my past experience with Cisco technical support has been very positive and I found them to be very helpful in general. I just can't speak to this specific product.
How was the initial setup?
I was pretty junior when the solution was initially implemented in the organization. For that reason, I did not take an active role in implementing the solution. I wouldn't be able to really discuss the setup specifics or the level of difficulty.
I'm not exactly sure who handles maintenance, if any, within our organization.
What's my experience with pricing, setup cost, and licensing?
The licensing is quite expensive. I don't have the exact amount, however, it's my understanding that it's a very pricey solution. There's a lot of competition out there, including from Fortigate, which offers just as good, if not better products.
What other advice do I have?
I'm not overly familiar with ASA. I only work with it on an administration level.
I work with the latest version and I use the ASDM version server.
I wouldn't recommend that an organization choose ASA as a solution. They should look into other options.
Overall, I would rate the solution at a six out of ten. We haven't had the greatest experience.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Systems Administrator\Ag. IT Manager at a construction company with 201-500 employees
It secures my network and is very stable
Pros and Cons
- "It is a very stable product. I've not had any issues with it. It is a super product, and I won't need to change it anytime soon."
- "Its configuration through GUI as well as CLI can be improved and made easier."
What is our primary use case?
I am using Cisco ASA as my firewall. I use it for security purposes to block access and for VPN. It is on the perimeter, so basically, it secures my network.
What is most valuable?
It is a very stable product. I've not had any issues with it. It is a super product, and I won't need to change it anytime soon.
What needs improvement?
Its configuration through GUI as well as CLI can be improved and made easier.
For how long have I used the solution?
I have been using this solution for more than five years. I am using the Cisco ASA 5505 model.
What do I think about the stability of the solution?
It is very stable.
How are customer service and technical support?
I manage it myself. If I can't, then I get somebody else. I don't have any support from Cisco.
How was the initial setup?
The initial setup was slow. It took a day or two.
What about the implementation team?
Unfortunately, there were not too many skilled guys who could install it. I had to get a third party for installation and configuration. I had to get somebody qualified in Cisco Security, and he was the only person who could actually configure it well.
What's my experience with pricing, setup cost, and licensing?
I just bought it off the shelf, and I'm using it with my previous one, so I have not spent that much.
What other advice do I have?
I would definitely recommend this solution. You just have to learn how to configure it. It is a Cisco solution, and there is not much to be improved. I plan to keep using it and expand its usage.
I would rate Cisco ASA Firewall an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Owner/CTO at FS NETWORKS
Good solution that is easy to implement
Pros and Cons
- "The initial setup is easy."
- "In terms of what could be improved, I would say the UTM part should be more integrated for one price, because if you buy ASA from Cisco, you need to buy another contract service from Cisco as a filter for the dictionary of attacks. In Fortinet, you buy a firewall and you have it all."
What is our primary use case?
Our primary use case is for perimeter security.
We are using the enterprise version. Cisco has many versions. Maybe we are using the old version of ASA because it needs to be the freeware. In each freeware, there are different types of things. Maybe it is the standard version because the other version costs a lot. I need to combine it with another solution like an open source standard solution of the ASA firewall from Cisco.
What is most valuable?
Firewalls are about blocking. ASA is for blocking, but it does not have the intelligence like Fortinet to detect attacks. If I could use ASA to detect attacks, maybe we could buy another service from Cisco although it's very expensive. I would choose Fortinet, but my clients like ASA support. I prefer Fortinet because Fortinet has a UTM and it's a good firewall.
What needs improvement?
In terms of what could be improved, the UTM part should be more integrated for one price, because if you buy ASA from Cisco, you need to buy another contract service from Cisco as a filter for the dictionary of attacks. In Fortinet, you buy a firewall and you have it all.
I would like to see all the features like Fortinet has. If I buy ASA, I would like to see a Fortinet-like interface.
It would be good if Cisco could improve their web interface to configure the equipment. Cisco is very reliable and very secure, but has to compete with Fortinet which is very hard.
On a scale of one to ten, I would give Cisco ASA Firewall a nine.
For how long have I used the solution?
I have been using Cisco ASA Firewall for about 15 years.
What do I think about the scalability of the solution?
We have maybe 100 - 200 end users using the solution.
How are customer service and technical support?
I would give their technical support an eight out of ten because of their response time.
Let me give an example. When I have a problem, and I contact support, maybe there is a guy from India or from another country answering me. This is very slow. The people look at the ticket and increase the time for response.
How was the initial setup?
The initial setup is easy. Firewalls are like programming. If you know programming, you know every language. Firewalls are the same. If you know the security and blocking the perimeter, it's the same for all the firewalls. The differences between the different firewalls are the functionalities. Learn the functionalities in every brand.
What other advice do I have?
My advice to anyone considering Cisco ASA Firewall is that you need a lot of money to implement the Cisco solution. But it's a good solution. If you want to go to Cisco, you need a lot of money.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Principal Network Engineer at a manufacturing company with 501-1,000 employees
Good monitoring capability, but it lacks the next-generation firewall functionality
Pros and Cons
- "The most valuable features for my client are the ASDM and monitoring."
- "Cisco ASA is not a next-generation firewall product."
What is our primary use case?
I am a consultant and when clients ask for white papers or studies, I do the research. At that point, they do whatever change processes they have; I give them all of the numbers and other relevant data, but that's the extent of what we do in my organization.
They are just using it as a stateful packet inspection firewall, traditional firewalling.
How has it helped my organization?
At this point, my client is looking for their next solution so something may not be working.
What is most valuable?
The most valuable features for my client are the ASDM and monitoring.
They have familiarity with the Cisco CLI.
What needs improvement?
Cisco ASA is not a next-generation firewall product.
For how long have I used the solution?
My client has been using the Cisco ASA solution for approximately five years.
What do I think about the stability of the solution?
They've been using it for five years and my assumption is that it's been good for what they needed it to do. However, they were consulting to move forward with something different.
What do I think about the scalability of the solution?
The scalability is very limited because as a traditional firewall, it's a step behind. As far as the scale goes, my assumption is that you just buy a bigger model.
Which solution did I use previously and why did I switch?
I was not consulting with this client when they implemented the Cisco ASA.
This is a hardware-based device, versus a virtual one, so it's maxed out.
How was the initial setup?
My assumption is that it's a typical HA, basic setup.
Which other solutions did I evaluate?
My client is looking for a next-generation firewall solution to replace the Cisco ASA.
What they need is a step up from what they already have that includes application-controlled firewall rules, as well as other features that ASA doesn't currently have.
What other advice do I have?
My suggestion for anybody who is looking at Cisco ASA is to work with the vendor, as they have newer products.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Specialist at a financial services firm with 501-1,000 employees
Automated policies save us time
Pros and Cons
- "On the network side, where you create your rules for allowing traffic — what can come inside and what can go out — that works perfectly, if you know what you want to achieve. It protects you."
What is our primary use case?
Some are being used as edge firewalls and others are for our server-farm/data center. So some are being used as transparent firewalls and others are used as a break between the LAN and WAN.
In addition to the firewalls, we have Mimecast for email security as we're using Office 365. We're also using IBM's QRadar for SIEM. For antivirus we're just using Microsoft Windows Defender. We also have an internet proxy for content and for that we're using NetScaler.
How has it helped my organization?
Automated policies definitely save us time. I would estimate on the order of two hours per day.
What is most valuable?
On the network side, where you create your rules for allowing traffic — what can come inside and what can go out — that works perfectly, if you know what you want to achieve. It protects you. Once you get all your rules in place, done correctly, you have some sort of security in terms of who can have access to your network and who has access to what, even internally. You're secure and your authorization is in place for who can access what. If someone is trying to penetrate your network from the outside, you know what you've blocked and what you've allowed.
It's not so difficult to pull out reports for what we need.
It comes with IPS, the Intrusion Prevention System, and we're also using that.
For how long have I used the solution?
I've been using Cisco ASA NGFW for five years.
What do I think about the stability of the solution?
The stability is quite good. We haven't had issues. I've used them for five years now and I haven't seen any hardware failures or software issues. They've been running well. I would recommend them for their reliability.
What do I think about the scalability of the solution?
You can extend your network. They are cool. They are good for scalability.
How are customer service and technical support?
We have a Cisco partner we're working with. But if they're struggling to assist us then they can log a ticket for us. Our partner is always a 10 out of 10.
What was our ROI?
Given that we have been upgrading with Cisco firewalls, I would say that our company has seen a return on investment with Cisco. We would have changed to a different product if we were not happy.
The response time from the tech and the support we get from our partner is quite good. We have never struggled with anything along those lines, even hardware RMAs. Cisco is always there to support its customers.
What's my experience with pricing, setup cost, and licensing?
The pricing is quite fair for what you get. If you're comparing with other products, Cisco is expensive, but you do get benefits for the price.
Which other solutions did I evaluate?
The firewall that I was exposed to before was Check Point.
What other advice do I have?
It's very good to get partner support if you're not very familiar with how Cisco works. Cisco Certified Partner support is a priority.
For application visibility and control we're using a WAN optimizer called Silver Peak.
To replace the firewalls within our data center we're planning to put in FMCs and FTDs. With the new FMCs what I like is that you don't need to log in to the firewalls directly. Whatever changes you do are done on your FMCs. That is a much needed improvement over the old ASAs. You can log in to the management center to make any configuration changes.
There are two of us managing the ASAs in our company, myself and a colleague, and we are both network specialists. We plan to increase usage. We're a company of 650 employees and we also have consultants who are coming from outside to gain access to certain services on our network. We need to make provisions on the firewall for them.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Architect - Cloud Serviced at a comms service provider with 10,001+ employees
Has next gen features like application awareness and intrusion protection but the CLI needs to be simplified
Pros and Cons
- "They wanted to leverage something which is equivalent that can give them the next gen features like application awareness and intrusion protection. So that is a major reason they were looking forward to this. The original ASA firewall did not have these features. This was the major reason the customer moved on to Cisco Firepower Threat Defense (FTD). Now they can go ahead and leverage those functionalities."
- "I was just trying to learn how this product actually operates and one thing that I see from internal processing is it does fire-walling and then sends it to the IPS model and any other model that needs to be performed. For example, content checking or filtering will be done in a field processing manner. That is something that causes delays in the network, from a security perspective. That is something that can be improved upon. Palo Alto already has implemented this as a pilot passed processing. So they put the same stream of data across multiple modules at the same time and see if it is giving a positive result by using an XR function. So, something similar can be done in the Cisco Firepower. Instead of single processing or in a sequential manner, they can do something similar to pile processing. Internal function that is something that they can improve upon."
What is our primary use case?
Our primary use case is whatever is best for our customer. I'm the service provider. The customer's main purpose is to use the malware services protection and the firewall itself, as well as the application awareness feature.
How has it helped my organization?
My client company is Cisco Oriented. They wanted to leverage something which is equivalent that can give them the next gen features like application awareness and intrusion protection. That is a major reason they were looking forward to this. The original ASA firewall did not have these features. This was the major reason the customer moved on to Cisco Firepower Threat Defense (FTD). Now they can go ahead and leverage those functionalities.
What is most valuable?
Firepower is an okay product. However, it is better as a firewall than the IPS or other services it provides.
What needs improvement?
I was trying to learn how this product actually operates and one thing that I see from internal processing is that it does fire-walling and then sends it to the IPS model and any other model that needs to be performed. For example, content checking or filtering will be done in a field processing manner. That is something that causes delays in the network, from a security perspective. That is something that can be improved upon. Palo Alto already has implemented this as a pilot passed processing. They put the same stream of data across multiple modules at the same time and see if it is giving a positive result by using an XR function. Something similar can be done in Cisco Firepower. Instead of single processing or in a sequential manner, they can do something similar to pile processing. An internal function that is something that they can improve upon.
They can also improve on cost because Cisco is normally expensive and that's the reason customers do not buy them.
Also, if they could provide integration with Cisco Umbrella, that would actually improve the store next level. Integration is one thing that I would definitely want.
From a technical perspective, maybe they could simplify the CLI. That is one thing that I would like to be implemented because Cisco ASA or Cisco, in general, is usually good at simple CLIs. That is one thing that I saw lacking in FTD. Maybe because they got it from another vendor. They're trying to integrate the product.
For how long have I used the solution?
Two years
What do I think about the stability of the solution?
From a stability diagnosis, once I did the deployment it did not give me any issue for at least six to eight months. Once it went to a stable support, I did not see major problems. I don't think there were issues with stability.
However, the core upgrades frequently come in, so you need to be carefully devising that support management. From a stability perspective, if you are happy with your current stuff and you do not require past updates it would be very stable. If you're using an IPS, the only challenge would be past management. With Cisco having cloud integration and just firing one command and getting things done, it is still okay. It is a good stable product.
What do I think about the scalability of the solution?
We have only one or two firewalls as a site data center firewall.
From what I have studied, they are scalable. You can have eight firewalls integrated with the FTP devices. I don't think scalability would be an issue but I do not have a first-hand answer on that.
There are approximately 2,500 customer base users using Cisco Firepower. It's a data center firewall, so all the sites integrate for one data center.
You do not need extra staff to maintain Firepower. One field technician engineer, FTE would be sufficient and should not be a problem. I don't think extra staff would be needed. For support, for instance, you need one person.
How are customer service and technical support?
They have very good documentation, so there's a small chance you will actually need technical support. I would give kudos to the Cisco documentation. That would be the answer.
I have not tried the support because most of it has been solved with the documentation. Nevertheless, Cisco support has typically been a pleasant experience. I don't think that would be a problem with this.
Which solution did I use previously and why did I switch?
We did previously use a different solution. They had two different solutions. One was Cisco ASA itself and before that, they used Check Point.
We are a Cisco company and that's the reason they are moving from one Cisco product to another Cisco product, which was better than the previous one. So, that was a major reason for the switch. I would say the other vendors are improving. This company was just Cisco oriented so they wanted something Cisco.
How was the initial setup?
The initial setup is a bit difficult. Other vendors are doing the app integration solution. The initial setup was medium in complexity.
You need to install the Firepower CLI. You need to log into that and then you'll need to sit down to connect to the ASA and configure the ASA level services. You also need a Firepower management station for it to work appropriately. The setup is serious and a bit complex.
What about the implementation team?
In my scenario, because I had to learn the entire technology over there and then apply it, it took me around two weeks' time to do it. Then the integration, improvisation, and stuff that normally happens took some extra time. You can safely say around a two to four week period is what it normally takes for deployment. This is based on how the company evaluates the product. It depends on how much you know at that point.
Usually, for the deployment, the company works with Cisco, so they only use Cisco products. I am a DIY person, I did the deployment myself.
What's my experience with pricing, setup cost, and licensing?
We normally license on a yearly basis.
The hardware procurement cost should be considered. If you're virtual maybe that cost is eradicated and just the licensing cost is applied. If you have hardware the cost must be covered by you.
All the shipping charges will be paid by you also.
I don't think there are any other hidden charges though.
Which other solutions did I evaluate?
We gave them Palo Alto as an alternative option. I think they were more into Cisco. They did not evaluate the Palo Alto though, they just opted for Cisco.
What other advice do I have?
If you're really looking into Cisco Firepower, they have a good product, but I would say study hard and look around. If you want an easier product, you can always use Palo Alto. If you are a Cisco guy and you want to be with Cisco, you'll need to get an integration service engineer from the Cisco side. That will actually help you out a lot. Alternatively, maybe you can go for Palo Alto. That would be the best thing to do.
If you are not worried about the technical integration part and learning how it works and how well it can go with the environment, I would recommend you go ahead and take an integration engineer with you. Doing a POC could be troublesome for you. We have professional services. You can leverage that.
If you do not want to invest much money on all that stuff you can go ahead and hire someone who's already aware. Or if not, you can use any other vendor like Palo Alto.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hey all,
I have been using a Fortinet product for more than 10 years. I am studying a move to the Cisco ASA5516 with source power, and I would like to know how stable it is against the FortiGate FG300D.
FortiGate firewall throughput numbers are totally different from those of the Cisco ASA5516.
Any help?