Cisco Secure Firewall Reviews

I'm most impressed with the visibility and control SourceFire solutions provide in to the types of traffic flowing in and out of an environment. It makes the discovery of applications and classification of user traffic simple, which in turn allows an organization to more effectively develop security policies and enforce acceptable use for its enterprise users.

I've worked with customers that have dealt with malware issues in the past and preventing its spread laterally within the environment has always been a concern. With SourceFire, we've been able to detect malicious files and stop them at the network edge before internal systems are compromised. Leveraging AMP in addition to FireAMP, which is the endpoint malware solution, is incredibly effective at blocking malware at the host level.The other good news is FireAMP can be leveraged along side traditional endpoint anti-virus software. The Defense Center also provides visibility into how malware is moving within the environment so tracking down infected machines becomes much easier for IT staff.

The overall product line is sound, but I'd like to see a roadmap for SSL decryption as part of the ASA with FirePOWER solution.

I've been working with SourceFire product offerings since Cisco's acquisition of the company in late 2014. Prior to the officially branded Cisco solution, I'd worked with open source Snort in various capacities for several years. I've been using Cisco ASA with FirePOWER services, Cisco SourceFire NGIPS/NGFW most recently.

Learning the advanced capabilities of the system can take time, but it's rather intuitive. I have not encountered issues deploying base functionality with the offerings at this point.

Overall, the systems are stable and IT admins have control in to how the sensors operate within the network in the event of failure.

There are scalability limitations with FirePOWER on the ASA, so determining anticipated throughput requirements is critical. The standalone IPS sensors can be stacked for increased throughput, so depending on your organizations needs, this may be a better path for some organizations concerned about scalability.

8/10.

9/10.

I've used Palo Alto's FW/IPS offerings and Cisco's older IPS platform on the ASA. Usually, I don't decide what organizations purchase, but I am impressed with SourceFire's capabilities over the latter.

Initial set up is straight forward, but there is not much documentation available if you have no experience with the offering. I'd recommend training for all network admins that administer SourceFire systems, especially if you want to leverage some of the advanced features.

Do research in to the types of offerings out there and make a determination of what may be the best fit for your organizations requirements and future security goals.

We are using it to manage our environment.

The whole firewall functionality, including firewall policies and IPS policies, is valuable. It has all kinds of functionalities. It has IPS, VPN, and other features. They are doing quite a lot of stuff with their devices.

It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.

I have been using this solution for five to ten years.

It is rather stable. It can have some peculiarities, but most of the time, it is quite stable.

These are big devices. They have multiple models, but most of the models can be virtualized. You can create many virtual firewalls and add whatever you want.

We faced some issues, but I don't deal with these issues. My colleague interacts with them, and it seems it is not that easy. Cisco is a large company, and sometimes, it is not easy to get quick and very efficient support.

We have a firewall specialist who handles the installation.

It is affordable. The hardware is not that expensive anymore. It is a matter of licensing these days. 

It is a good solution for a big traffic load, but its management is not very easy. FortiGate is better in terms of management and user-friendliness.

I would rate Cisco ASA Firewall an eight out of ten.

I primarily use the solution for the IPsec only. 

The user interface, the UI, is excellent on the solution. Let's say you want to check the real-time locker - you can create it by the UI using ADSM.

The VPN portion of the solution isn't the greatest.

The stability is not the best.

The solution is far too expensive.

I've been working with the solution for about six months, or maybe a little bit less than that.

I haven't found the stability to be very good. The IPsec stability leaves a lot to be desired. They really need to work on the solution's stability capabilities.

In ASA, I built the IPsec between ASA and Fortigate due to the fact that most of the time I have to restart the timer to flow the data.

We only have two to three users who directly deal with the solution within our company. Overall, we have between 100-200 employees. We haven't really scaled it.

I personally would prefer not to use ASA going forward. However, I don't know if the company itself has any plans to increase usage or not.

While I've dealt with Cisco technical support in the past on other solutions, I have not contacted them in regards to this specific product.

That said, my past experience with Cisco technical support has been very positive and I found them to be very helpful in general. I just can't speak to this specific product.

I was pretty junior when the solution was initially implemented in the organization. For that reason, I did not take an active role in implementing the solution. I wouldn't be able to really discuss the setup specifics or the level of difficulty.

I'm not exactly sure who handles maintenance, if any, within our organization.

The licensing is quite expensive. I don't have the exact amount, however, it's my understanding that it's a very pricey solution. There's a lot of competition out there, including from Fortigate, which offers just as good, if not better products.

I'm not overly familiar with ASA. I only work with it on an administration level.

I work with the latest version and I use the ASDM version server.

I wouldn't recommend that an organization choose ASA as a solution. They should look into other options.

Overall, I would rate the solution at a six out of ten. We haven't had the greatest experience.

I am using Cisco ASA as my firewall. I use it for security purposes to block access and for VPN. It is on the perimeter, so basically, it secures my network.

It is a very stable product. I've not had any issues with it. It is a super product, and I won't need to change it anytime soon.

Its configuration through GUI as well as CLI can be improved and made easier.

I have been using this solution for more than five years. I am using the Cisco ASA 5505 model.

It is very stable.

I manage it myself. If I can't, then I get somebody else. I don't have any support from Cisco.

The initial setup was slow. It took a day or two.

Unfortunately, there were not too many skilled guys who could install it. I had to get a third party for installation and configuration. I had to get somebody qualified in Cisco Security, and he was the only person who could actually configure it well.

I just bought it off the shelf, and I'm using it with my previous one, so I have not spent that much.

I would definitely recommend this solution. You just have to learn how to configure it. It is a Cisco solution, and there is not much to be improved. I plan to keep using it and expand its usage.

I would rate Cisco ASA Firewall an eight out of ten.

Our primary use case is for perimeter security.

We are using the enterprise version. Cisco has many versions. Maybe we are using the old version of ASA because it needs to be the freeware. In each freeware, there are different types of things. Maybe it is the standard version because the other version cost a lot. I need to combine it with another solution like an open source standard solution of the ASA firewall from Cisco.

Firewalls are about blocking. ASA is for blocking, but it does not have the intelligence like Fortinet to detect attacks. If I could use ASA to detect attacks, maybe we could buy another service from Cisco although it's very expensive. I would choose Fortinet, but my clients like ASA support. I prefer Fortinet because Fortinet has a UTM and it's a good firewall.

In terms of what could be improved, the UTM part should be more integrated for one price, because if you buy ASA from Cisco, you need to buy another contract service from Cisco as a filter for the dictionary of attacks. In Fortinet, you buy a firewall and you have it all.

I would like to see all the features like Fortinet has. If I buy ASA, I would like to see a Fortinet-like interface.

It would be good if Cisco could improve their web interface to configure the equipment. Cisco is very reliable and very secure, but has to compete with Fortinet which is very hard.

On a scale of one to ten, I would give Cisco ASA Firewall a nine.

I have been using Cisco ASA Firewall for about 15 years.

We have maybe 100 - 200 end users using the solution.

I would give their technical support an eight out of ten because of their response time.

Let me give an example. When I have a problem, and I contact support, maybe there is a guy from India or from another country answering me. This is very slow. The people look at the ticket and increase the time for response.

The initial setup is easy. Firewalls are like programming. If you know programming, you know every language. Firewalls are the same. If you know the security and blocking the perimeter, it's the same for all the firewalls. The difference with the different firewalls are the functionalities. Learn the functionalities in every brand.

My advice to anyone considering Cisco ASA Firewall is that you need a lot of money to implement the Cisco solution. But it's a good solution. If you want to go to Cisco, you need a lot of money.

I am a consultant and when clients ask for white papers or studies, I do the research. At that point, they do whatever change processes they have; I give them all of the numbers and other relevant data, but that's the extent of what we do in my organization.

They are just using it as a stateful packet inspection firewall, traditional firewalling.

At this point, my client is looking for their next solution so something may not be working.

The most valuable features for my client are the ASDM and monitoring.

They have familiarity with the Cisco CLI.

Cisco ASA is not a next-generation firewall product.

My client has been using the Cisco ASA solution for approximately five years.

They've been using it for five years and my assumption is that it's been good for what they needed it t do. However, they were consulting to move forward with something different.

The scalability is very limited because as a traditional firewall, it's a step behind. As far as the scale goes, my assumption is that you just buy a bigger model.

I was not consulting with this client when they implemented the Cisco ASA.

This is a hardware-based device, versus a virtual one, so it's maxed out.

My assumption is that it's a typical HA, basic setup.

My client is looking for a next-generation firewall solution to replace the Cisco ASA.

What they need is a step up from what they already have that includes application-controlled firewall rules, as well as other features that ASA doesn't currently have.

My suggestion for anybody who is looking at Cisco ASA is to work with the vendor, as they have newer products.

I would rate this solution a seven out of ten.

Some are being used as edge firewalls and others are for our server-farm/data center. So some are being used as transparent firewalls and others are used as a break between the LAN and WAN.

In addition to the firewalls, we have Mimecast for email security as we're using Office 365. We're also using IBM's QRadar for SIEM. For antivirus we're just using Microsoft Windows Defender. We also have an internet proxy for content and for that we're using NetScaler.

Automated policies definitely save us time. I would estimate on the order of two hours per day.

On the network side, where you create your rules for allowing traffic — what can come inside and what can go out — that works perfectly, if you know what you want to achieve. It protects you. Once you get all your rules in place, done correctly, you have some sort of security in terms of who can have access to your network and who has access to what, even internally. You're secure and your authorization is in place for who can access what. If someone who is trying to penetrate your network from the outside, you know what you've blocked and what you've allowed.

It's not so difficult to pull out reports for what we need.

It comes with IPS, the Intrusion Prevention System, and we're also using that.

I've been using Cisco ASA NGFW for five years.

The stability is quite good. We haven't had issues. I've used them for five years now and I haven't seen any hardware failures or software issues. They've been running well. I would recommend them for their reliability.

You can extend your network. They are cool. They are good for scalability.

We have a Cisco partner we're working with. But if they're struggling to assist us then they can log a ticket for us. Our partner is always a 10 out of 10.

Given that we have been upgrading with Cisco firewalls, I would say that our company has seen a return on investment with Cisco. We would have changed to a different product if we were not happy.

The response time from the tech and the support we get from our partner is quite good. We have never struggled with anything along those lines, even hardware RMAs. Cisco is always there to support its customers.

The pricing is quite fair for what you get. If you're comparing with other products, Cisco is expensive, but you do get benefits for the price.

The firewall that I was exposed to before was Check Point.

It's very good to get partner support if you're not very familiar with how Cisco works. Cisco Certified Partner support is a priority.

For application visibility and control we're using a WAN optimizer called Silver Peak.

To replace the firewalls within our data center we're planning to put in FMCs and FTDs. With the new FMCs what I like is that you don't need to log in to the firewalls directly. Whatever changes you do are done on your FMCs. That is a much needed improvement over the old ASAs. You can log in to the management center to make any configuration changes. 

There are two of us managing the ASAs in our company, myself and a colleague, and we are both network specialists. We plan to increase usage. We're a company of 650 employees and we also have consultants who are coming from outside to gain access to certain services on our network. We need to make provisions on the firewall for them.

Our primary use case is whatever is best for our customer. I'm the service provider. The customer's main purpose is to use the malware services protection and the firewall itself, as well as the application awareness feature.

My client company is Cisco Oriented. They wanted to leverage something which is equivalent that can give them the next gen features like application awareness and intrusion protection. That is a major reason they were looking forward to this. The original ASA firewall did not have these features. This was the major reason the customer moved on to Cisco Firepower Threat Defense (FTD). Now they can go ahead and leverage those functionalities.

Firepower is an okay product. However, it is better as a firewall than the IPS or other services it provides.

I was trying to learn how this product actually operates and one thing that I see from internal processing is that it does fire-walling and then sends it to the IPS model and any other model that needs to be performed. For example, content checking or filtering will be done in a field processing manner. That is something that causes delays in the network, from a security perspective. That is something that can be improved upon. Palo Alto already has implemented this as a pilot passed processing. They put the same stream of data across multiple modules at the same time and see if it is giving a positive result by using an XR function. Something similar can be done in Cisco Firepower. Instead of single processing or in a sequential manner, they can do something similar to pile processing. An internal function that is something that they can improve upon.

They can also improve on cost because Cisco is normally expensive and that's the reason customers do not buy them.

Also, if they could provide integration with Cisco Umbrella, that would actually improve the store next level. Integration is one thing that I would definitely want.

From a technical perspective, maybe they could simplify the CLI. That is one thing that I would like to be implemented because Cisco ASA or Cisco, in general, is usually good at simple CLIs. That is one thing that I saw lacking in FTD. Maybe because they got it from another vendor. They're trying to integrate the product.

Two years

From a stability diagnosis, once I did the deployment it did not give me any issue for at least six to eight months. Once it went to a stable support, I did not see major problems. I don't think there were issues with stability.

However, the core upgrades frequently come in, so you need to be carefully devising that support management. From a stability perspective, if you are happy with your current stuff and you do not require past updates it would be very stable. If you're using an IPS, the only challenge would be past management. With Cisco having cloud integration and just firing one command and getting things done, it is still okay. It is a good stable product.

We have only one or two firewalls as a site data center firewall.

From what I have studied, they are scalable. You can have eight firewalls integrated with the FTP devices. I don't think scalability would be an issue but I do not have a first-hand answer on that.

There are approximately 2,500 customer base users using Cisco Firepower. It's a data center firewall, so all the sites integrate for one data center.

You do not need extra staff to maintain Firepower. One field technician engineer, FTE would be sufficient and should not be a problem. I don't think extra staff would be needed. For support, for instance, you need one person.

They have very good documentation, so there's a small chance you will actually need technical support. I would give kudos to the Cisco documentation. That would be the answer.

I have not tried the support because most of it has been solved with the documentation. Nevertheless, Cisco support has typically been a pleasant experience. I don't think that would be a problem with this.

We did previously use a different solution. They had two different solutions. One was Cisco ASA itself and before that, they used Check Point.

We are a Cisco company and that's the reason they are moving from one Cisco product to another Cisco product, which was better than the previous one. So, that was a major reason for the switch. I would say the other vendors are improving. This company was just Cisco oriented so they wanted something Cisco.

The initial setup is a bit difficult. Other vendors are doing the app integration solution. The initial setup was medium in complexity.

You need to install the Firepower CLI. You need to log into that and then you'll need to sit down to connect to the ASA and configure the ASA level services. You also need a Firepower management station for it to work appropriately. The setup is serious and a bit complex.

In my scenario, because I had to learn the entire technology over there and then apply it, it took me around two weeks time to do it. Then the integration, improvisation, and stuff that normally happens took some extra time. You can safely say around two to four weeks period is what it normally takes for deployment. This is based on how the company evaluates the product. It depends on how much you know at that point.

Usually, for the deployment, the company works with Cisco, so they only use Cisco products. I am a DIY person, I did the deployment myself.

We normally license on a yearly basis.

The hardware procurement cost should be considered. If you're virtual maybe that cost is eradicated and just the licensing cost is applied. If you have hardware the cost must be covered by you. 

All the shipping charges will be paid by you also.

I don't think there are any other hidden charges though.

We gave them Palo Alto as an alternative option. I think they were more into Cisco. They did not evaluate the Palo Alto though, they just opted for Cisco.

If you're really looking into Cisco Firepower, they have a good product, but I would say study hard and look around. If you want an easier product, you can always use Palo Alto. If you are a Cisco guy and you want to be with Cisco, you'll need to get an integration service engineer from the Cisco side. That will actually help you out a lot. Alternatively, maybe you can go for Palo Alto. That would be the best thing to do.

If you are not worried about the technical integration part and learning how it works and how well it can go with the environment, I would recommend you go ahead and take an integration engineer with you. Doing a POC could be troublesome for you. We have professional services. You can leverage that.

If you do not want to invest much money on all that stuff you can go ahead and hire someone who's already aware. Or if not, you can use any other vendor like Palo Alto.