Cisco Secure Firewall Reviews

We primarily use this product for networking. We are a Cisco shop, as far as networking goes.

I think the room for improvement of this solution is that there is a need for more of an application awareness capability. I just don't think it has the application awareness. It obviously looks at ports and what not, but it is not necessarily able to identify applications by their action, and what they're doing.

We have not encountered issues with stability of the solution.

The scalability is fine. We have no problems with the solution. We have two of them in a standby configuration.

If I were to rank the tech support, I would give it an eight or a nine. They have not been able to resolve all of my problems. I had to find my solutions on the web myself. I found other users with similar issues to what I had experienced. Then, I resolved the issues by myself.

I would consider this solution on the "high end" of the pricing spectrum.

I have considered Check Point and Juniper in the past.

The primary use case is for edge firewall at multiple locations and remote access VPN. We use these for security and have them integrated with Splunk/QRadar.  

Edge security and Sourcefire have been nice. Sourcefire was a major improvement over the legacy IDS that it previously had. 

Sourcefire has been a great addition. The visibility and control have been nice. 

I also like the active/standby HA. 

The solution has two separate GUIs and at least three different CLIs (ASA CLI, Sourcefire CLI, and Firepower Management Center CLI). In addition, ASDM plus Firepower Management Center GUIs. If Cisco could stop rebranding, combine all the CLIs/GUIs, and give a consistent experience, this would be great. 

Also, AnyConnect is very difficult to manage and use. 

Cisco ASA is born as an hardware firewall. The user case is security check on company's external connections (Internet and VPN access).

Most recent versions include antivirus and intrusion prevention to add security layers (including the above scenarios and the internal network) 

Cisco ASA have been the main security device for many years, slowly replaced with Check Point on the main datacentre.

ASA is stable and with a low level of work required on the maintenance side. It is a dedicated firewall, so you do not have to manage additional topics like spam, web sites filtering and so on.The routing part is high level as usual with Cisco products.  

You have to know the ASA command line very well because not all operations are available in the graphical interface (or let's say that sometimes it is better to operate with the ASA CLI).If you are searching for an "all in one product" it is not for you

No, stability is a really strong point with ASA.

No, an assessment about the workload is important to select the right device.

Over many year, the only kind of support we needed directly from Cisco was (really seldom) for parts replacement

The previous solution was based on software firewalls that where not able to perform as the Cisco ASA

Setup of a firewall, on a medium / large deployment is always a complex work.

Cisco ASA (more than other vendors' solutions) require a lot of know-how and real world expertise to be configured properly.

More than one external team (Cisco partners) has been involved over time.

All of them were outstanding in their work.

Positive. The devices serves thousands of users for many years, outliving other vendors solutions.

Cisco devices are for sure costly and budget could be an important constrain on selecting them as our security solution. 

When the choice was made, some comparison was made with other market leaders but integration with the existing Cisco network was a really important positive side in the final decision.

ASA is one of the the state-of-the-art firewall devices for security.
It is affordable and not too complicated to use if you are doing standard operations (modifying ACLs, natting and so on) on an existing deployment.

NGFW features software stability, quick software updates for known bugs/vulnerabilities. Why no hardware reliability (see Clock Signal Component Issue -Cisco)? Because without NGFW features it is basically like a home router.

It is small, nobody knows where it is, nobody knows what it is, it works silently. So, as there is no issue, it is good for business and organization.

License politics, license price, precise vendor roadmap for this product.

Two years.

Yes, FirePower is not stable, because every new software version comes with many features that cause problems. Cisco has to do it because other vendors have already added these features.

No.

High.

3Com TippingPoint as IPS, Zyxel ZyWALL ZyXEL ZyWALLas VPN server. Cisco has good documentation and it is easy for Cisco certificated engineers.

Complex, because of non-ready Firepower service software setup.

The last years' experience showed that there is no full security, so why pay more. Any security vendor with a user-friendly interface, with good support, on-time updates for known vulnerabilities and reliable hardware, is acceptable for an organization.

No.

Cisco's ASA product line will be replaced by Cisco FTD. And Cisco FTD software is not ready for production (lack of many basic NGFW features). So, maybe only high-performance Firepower 41xx/21xx/90xx Series is good as IPS.

Outstanding NGFW capabilities, Site to site VPNs and High Availability. Also the integration of FirePOWER services (Web Filtering/IPS/Malware Protection) are a huge step forwards for an already great platform.

We purchased a pair of ASAs to handle all perimeter traffic in and out of our network. This devices enabled us to secure all our perimeter traffic, WAN connections, Internet connectivity and Internet facing services. FirePOWER services enabled better control and visibility over the traffic traversing our perimeter. High Avalability helped us greatly improve the availability of the services by reducing downtime caused by both Incidents and planned maintenance operations.

Only problem in my opinion is ease of use. You really need to know your way around the CLI and complex feature set to get things working. The ASDM GUI is good for some things but for the most part you'll need to stick to the CLI which is a bit difficult specially if you don't have a lot of experience around Cisco equipment.

We've operated this firewalls for around 2 years now.

ASAs are as complex as they are powerful. Configuration and administration are not as straightforward as other solutions and will take some time and studying to get used to them.

In my experience with various Firewall solutions, the stability and reliability of Cisco ASAs is unparalleled.

No

Cisco offers great customer service.

The best I have worked with.

We used to have a SonicWall and an older ASA 5510 platform. Both were replaced by a Cisco ASA cluster using a pair of 5525x.

ASAs are expensive. The initial cost is high compared to other similar solutions, and chances are the personnel that will operate them will require some training. But if you're aiming for stability and reliability, this is the best solution you will find.

We evaluated Fortinet and SonicWall, both great UTM vendors. Although those platforms are cheaper, we decided to go with Cisco because stability and reliability were mayor concerns for us, also the support is much better in my experience.

The ability to intercept unwanted traffic, and prevent attacks without interrupting everyday work, and the stability of this product are the key functionalities in our deployment.

This product, and our implementation, are not directly correlated with the core business of our company. It is designed to protect our company from outside threats and reduce impact on other network elements, such as the backend firewall, DMZ zone and VPN concentrators.

Cisco ASA lacks some functionalities, when compared with other vendors’ products. Cisco need to implement some more functionalities, like client-less VPN (HTML5), but I expect that Cisco will continue to add, and improve, features of the product. One of the features that should be improved is the URL filtering engine, as currently it has limited functionality. For full functionality, you will need an external URL filtering server, like Websense.

We have used it for more than five years, and have implemented it for perimeter network protection. It is designed for basic network protection for our corporate environment.

No issues during the deployment, as we had good planning.

No issues with stability. The device is designed for hard work 24/7. I never have a lack of resources like RAM or CPU. The only reason I need to restart the device is during a software upgrade.

In our deployment, we did not have a scalability issue.

It is very high.

We did not have any technical problems with this product, so we have not had need of technical support

We implemented ASA after a complete redesign of our network, and we believe that Cisco ASA is the right solution for our needs.

The initial setup is straightforward, as there is a lot of documentation available on the Cisco site, and other sites, which makes planning and deployment pass without any problems. However, the ASA is a complex device, with a lot of features and further tuning is complex and you must have the right knowledge to do it. Configuration can be done through a Java based application called ASDM or through the CLI interface. Using ASDM is much more simple and easy, but ASDM is not compatible with the newer Java version, so before implementation you must read the compatibility notes. Also, keep in mind that when upgrading ASA software, you must also upgrade the ASDM package.

Initial implementation was through a vendor. I would rate their experience and expertise as 9/10.

Calculating the ROI for network security or IT security is complex and dependent on many factors, like the implementation, role, expectation etc. IT security cannot be compromised, but on the other hand, we must ask how much is enough. In our case, we do not have a defined ROI for this product.

The cost of the setup was only the product price, local vendor support for the implementation, and employee training. This product is set it and forget it, so we do not have day to day costs.

We did not evaluate other products. One reason was that we believe that the ASA is a reliable product and fits our needs. Another reason, was the lack of local support for other solutions.

Unfortunately, the ASA 5500 is EoS and EoL, and I hope that Cisco’s NGF 5500-X series will be a worthy successor. This does not mean that Cisco will stop software support and will continue to release new software versions with new and improved features for the ASA 5500 series.

As with any other product, the main things for a successful implementation are to decide what you want to achieve, and what your main goal is, and then, you need good planning, not only for your current needs, but you also need to keep in mind further grow and needs. Good planning is, at least, 80% of successful implementation.

We use ASA firewalls to limit traffic between the networks.

We use an on-premises deployment model.

I like that it is easy to change the settings.

Cisco ASDM is a problem because it is old.

I've been working with it for a year, but my company has been using Cisco firewalls for 15 years.

We use Cisco Secure Firewall ASA 5506 and 5508.

Cisco Secure Firewall ASA's stability is good.

I recently had a case with technical support that took a couple of weeks to resolve. We use Cisco Smart Licensing and are not connected to the net. It was a big problem to get it to work. Cisco's technical support did not know how it worked, and I had to tell them how it worked. We haven't had interactions with technical support where there were more positive outcomes.

On a scale from one to ten with ten being the best, I would rate technical support at two.

Negative

The initial deployment is easy for this solution.

Overall, I would rate this solution at seven out of ten because Cisco ASDM needs to be updated.