Cisco Secure Firewall Reviews

I am using Cisco ASA as my firewall. I use it for security purposes to block access and for VPN. It is on the perimeter, so basically, it secures my network.

It is a very stable product. I've not had any issues with it. It is a super product, and I won't need to change it anytime soon.

Its configuration through GUI as well as CLI can be improved and made easier.

I have been using this solution for more than five years. I am using the Cisco ASA 5505 model.

It is very stable.

I manage it myself. If I can't, then I get somebody else. I don't have any support from Cisco.

The initial setup was slow. It took a day or two.

Unfortunately, there were not too many skilled guys who could install it. I had to get a third party for installation and configuration. I had to get somebody qualified in Cisco Security, and he was the only person who could actually configure it well.

I just bought it off the shelf, and I'm using it with my previous one, so I have not spent that much.

I would definitely recommend this solution. You just have to learn how to configure it. It is a Cisco solution, and there is not much to be improved. I plan to keep using it and expand its usage.

I would rate Cisco ASA Firewall an eight out of ten.

We primarily use this product for networking. We are a Cisco shop, as far as networking goes.

I think the room for improvement of this solution is that there is a need for more of an application awareness capability. I just don't think it has the application awareness. It obviously looks at ports and what not, but it is not necessarily able to identify applications by their action, and what they're doing.

We have not encountered issues with stability of the solution.

The scalability is fine. We have no problems with the solution. We have two of them in a standby configuration.

If I were to rank the tech support, I would give it an eight or a nine. They have not been able to resolve all of my problems. I had to find my solutions on the web myself. I found other users with similar issues to what I had experienced. Then, I resolved the issues by myself.

I would consider this solution on the "high end" of the pricing spectrum.

I have considered Check Point and Juniper in the past.

VPN (site to site VPN and remote access ), NAT policies, modular policy framework, detailed troubleshooting methods.

The throughput and reliability of the product improve the network stability of our organization.

Area : URL filtering and content filtering.

When Cisco ASA is presented as an enterprise firewall, that should be capable doing IPS/IDS, firewalling, VPN concentrator, application filtering, URL filtering and content filtering.

Of course, the last three technologies can do by a proxy. But nowadays, all next generation firewalls like Fortinet, Check Point, and Palo Alto are each bundling the UTM features into a single box with multiple separate content processors (hardware) to do these jobs.

This would enable single pane glass for management. No need to look at different devices for change management and troubleshooting.

I would say Cisco ASA is the best except for its URL and content filtering module. And these modules in ASA are not straightforward, rather complex in managing the device.

I've been using this solution since 2007.

No.

All product-based firewalls will encounter scalability issues. The firewall sizing is important during the sizing.

Good.

I used to work with most of the hardware firewalls, Cisco ASA is reliable and few technologies are good enough to compete for the market (VPN, Modular policy framework, NAT, etc.).

Straightforward -- console or via the interface.

Expensive when compared to other products.

Yes, all.

If you are looking into implementing VPN or advanced features, I recommend using this product. URL or content filtering is not good as much as the NGFWs are.

The context aware module gave us good visibility and control over the ingress and egress communications. Allowing us to filter unnecessary communications like streaming video, allowing us to control bandwidth utilization.

IPSec Tunnel and AnyConnect (of course), the context awareness was a good feature, but clumsy at the beginning. I think it's better now.

The packet tracer command is a great tool for troubleshooting IPSec Tunnel, which I miss in the Palo Alto and other firewalls.

Also, the IP access list counter is a good feature while troubleshooting.

ASDM can be improved.

Also, a rollback option to a previous config in time will be a great option. Logging can be improved to a vast extent, I think Palo Alto has a pretty good logging structure.

Yep, more than once, but only on one box out of the three we purchased. Suppose we got a lemon, because once replaced, everything was fine.

We never had an infrastructure that required scalability.

An eight out of 10. TAC was very good but some engineers were quite slow and I ended up figuring out the issue myself.

But overall, I like Cisco TAC a 1000 times more than Juniper TAC. Arista is the best TAC so far in my experience, they have the best talent pool.

Quite straightforward for the most part, since I had TAC on call while setting it up.

Everything with Cisco is expensive. My advice is that there are a lot better options out in the market now.

Palo Alto is pretty decent for example, but support is the best with Cisco, hands down. All other TACs do not come close, except Arista, but they do not make firewalls.

None. My old company was a complete Cisco shop.

Do look at Palo Alto for comparison, SonicWall is also on the market. But before anything, you need to know your infrastructure really well.

For example, we brought a PAN firewall for east-west traffic control so we could implement a zero trust network. But our business traffic is a bidding traffic which has extremely small packet size and huge connection size per seconds happening, which sent the PAN firewall into a tailspin. Since we bought the device without a POC, we had to eat the cost. So make sure to do a PoC with all the vendor equipment before you purchase it.

NGFW features software stability, quick software updates for known bugs/vulnerabilities. Why no hardware reliability (see Clock Signal Component Issue -Cisco)? Because without NGFW features it is basically like a home router.

It is small, nobody knows where it is, nobody knows what it is, it works silently. So, as there is no issue, it is good for business and organization.

License politics, license price, precise vendor roadmap for this product.

Two years.

Yes, FirePower is not stable, because every new software version comes with many features that cause problems. Cisco has to do it because other vendors have already added these features.

No.

High.

3Com TippingPoint as IPS, Zyxel ZyWALL ZyXEL ZyWALLas VPN server. Cisco has good documentation and it is easy for Cisco certificated engineers.

Complex, because of non-ready Firepower service software setup.

The last years' experience showed that there is no full security, so why pay more. Any security vendor with a user-friendly interface, with good support, on-time updates for known vulnerabilities and reliable hardware, is acceptable for an organization.

No.

Cisco's ASA product line will be replaced by Cisco FTD. And Cisco FTD software is not ready for production (lack of many basic NGFW features). So, maybe only high-performance Firepower 41xx/21xx/90xx Series is good as IPS.

Class-based policing is the most important part of the ASA, and was its differentiator.

It gave us more organized DMZs and logical segments.

I’m not a fan of the new modular licensing model. Cisco moved from a base license to an a la carte SaaS model a couple of years back, wherein the customer is required to pay for feature sets on a case-by-case basis. This makes it difficult for people who want to study and trial new technologies and features.

I’ve been using ASA technology since it was PIX, so since 1999.

We have not had stability issues.

We have not had scalability issues.

Support with Cisco TAC, or with VARs like WWT and Trace3 is usually pretty good.

I have used both ASA and PAN. Different strokes for different folks.

Initial setup is straightforward. You can get as granular and complex as you want, but out of the box, ASAs provide a secure FW solution.

We evaluate all other options.

ASAs are a solid solution. Cisco provides more training and learning materials than any other vendor, which is critical if an organization wants to take true ownership of a technological solution. Documentation and use cases alone tend to make me a fan of Cisco's way of engineering, and they have come a long way over the last few years when it comes to integrating their solutions into comprehensive security communications platforms using tools like PRIME and ISE. FirePOWER and AMP make Cisco an even better overall contender for top FW status.

Cisco ASA is a stateful firewall which means they are the fastest and more secure, because they maintain state tables. Cisco ASA is very efficient not only in Firewalling but in VPNs, IPS and content filtering. It also has option of failover and redundancy.

It allows us to filter incoming traffic to our network and provide a secure access to office network from outside through remote access VPN. We also connected our branch office through IPSEC site-to-site VPN tunnel which is very secure and reliable.

Some improvements required on GUI interface called ASDM. It should include health check parameters like temperature, memory used.

I am using it more than five years.

No issues, very easy to deploy.

No.

Migration to new version is very easy, therefore no issue.

9/10.

9/10.

Cisco ASA firewall is most reliable to protect the network, therefore I switched.

Yes, straightforward and simple.

I am also vendor.

100%.

Price is bit high as compared to other vendors, but Cisco ASA has reputation and most reliable product. Always go with minimum security plus license.

Yes, Fortinet and Palo Alto.

No.

It makes it very easy to have delineated roles and responsibilities between network engineering and network security.

I find the overall capability of the higher end firewall products to handle most network tasks without any issues. In addition, it is easy to train lower level help desk personnel on the GUI management.

People tend to think of firewalls as firewalls and routers as routers. Going by the book, I had to create a number of static routes in the firewall so it could reach the various subnets in my client's internal network. I decided to turn on OSPF routing to simplify my deployment. This resolved a lot of issues with remote VPN and site-to-site VPN tunnels.

In my experience, a number of engineers get tunnel vision with devices. This is exacerbated by vendors fostering a silo mentality in disciplines.

I cannot name the organization, but a large national non-profit in the medical field had too many network configuration problems because of the silo mentality.

Large Cisco ASA units have the capability to act as routers. This particular non-profit would not enable routing on the ASA until I explained that it resolve a number of issues that they were experiencing and resolving by static routes, a second Cisco ASA, and a proxy server.

Stability issues did not occur in my experience, as long as we stayed with the correct image builds.

There were no scalability issues.

Customer Service:

Generally, we do not need customer support, so it is hard to rate.

Technical Support:

Generally we do not need technical support, so it is hard to rate.

The initial setup at many clients' sites was straightforward. Very complicated networks take a lot of planning.

We implemented the solution in-house.

We cannot determine ROI just yet.

Always plan ahead for three years. In other words, do not buy a firewall on what your needs are today, but try to predict where you will be three years from now in terms of bandwidth, security requirements, and changes in organizational design. This applies to any vendor, not just this product. I find that I always need to buy a higher level product than the specifications request in order to be safe.

In locations where I have used Cisco ASA firewalls, I have compared FortiGate and SonicWall.

I utilize different brands of firewalls depending on the needs of a client, i.e., in-house IT versus outsourced. I am vendor agnostic as much as possible.