Cisco Secure Firewall Reviews

The context aware module gave us good visibility and control over the ingress and egress communications. Allowing us to filter unnecessary communications like streaming video, allowing us to control bandwidth utilization.

IPSec Tunnel and AnyConnect (of course), the context awareness was a good feature, but clumsy at the beginning. I think it's better now.

The packet tracer command is a great tool for troubleshooting IPSec Tunnel, which I miss in the Palo Alto and other firewalls.

Also, the IP access list counter is a good feature while troubleshooting.

ASDM can be improved.

Also, a rollback option to a previous config in time will be a great option. Logging can be improved to a vast extent, I think Palo Alto has a pretty good logging structure.

Yep, more than once, but only on one box out of the three we purchased. Suppose we got a lemon, because once replaced, everything was fine.

We never had an infrastructure that required scalability.

An eight out of 10. TAC was very good but some engineers were quite slow and I ended up figuring out the issue myself.

But overall, I like Cisco TAC a 1000 times more than Juniper TAC. Arista is the best TAC so far in my experience, they have the best talent pool.

Quite straightforward for the most part, since I had TAC on call while setting it up.

Everything with Cisco is expensive. My advice is that there are a lot better options out in the market now.

Palo Alto is pretty decent for example, but support is the best with Cisco, hands down. All other TACs do not come close, except Arista, but they do not make firewalls.

None. My old company was a complete Cisco shop.

Do look at Palo Alto for comparison, SonicWall is also on the market. But before anything, you need to know your infrastructure really well.

For example, we brought a PAN firewall for east-west traffic control so we could implement a zero trust network. But our business traffic is a bidding traffic which has extremely small packet size and huge connection size per seconds happening, which sent the PAN firewall into a tailspin. Since we bought the device without a POC, we had to eat the cost. So make sure to do a PoC with all the vendor equipment before you purchase it.

Cisco ASA is a stateful firewall which means they are the fastest and more secure, because they maintain state tables. Cisco ASA is very efficient not only in Firewalling but in VPNs, IPS and content filtering. It also has option of failover and redundancy.

It allows us to filter incoming traffic to our network and provide a secure access to office network from outside through remote access VPN. We also connected our branch office through IPSEC site-to-site VPN tunnel which is very secure and reliable.

Some improvements required on GUI interface called ASDM. It should include health check parameters like temperature, memory used.

I am using it more than five years.

No issues, very easy to deploy.

No.

Migration to new version is very easy, therefore no issue.

9/10.

9/10.

Cisco ASA firewall is most reliable to protect the network, therefore I switched.

Yes, straightforward and simple.

I am also vendor.

100%.

Price is bit high as compared to other vendors, but Cisco ASA has reputation and most reliable product. Always go with minimum security plus license.

Yes, Fortinet and Palo Alto.

No.

• Firewall mode
• AnyConnect gateway
• Client-less SSL VPN

The versatility of the product has allowed us to solve a number of perimeter requirements without having to seek out different products or companies for solutions. It has allowed for a single management mechanism, and by having a single platform solution, it has allowed for simpler training.

The configuration/management interface is complex and can be confusing. Technical documentation is often sparse and can be incomplete when covering specific implementations.

I've used Cisco PIX and ASA firewalls since 2003.

Not with the ASAs, with some early version PIX products.

Not with the ASAs, with some early version PIX products.

The ASAs offer several different technologies for HA and we have used all of them successfully.

It's excellent.

Excellent, we have always been able to get the specific expertise needed to solve our challenges with the products.

Checkpoint Firewalls - the primary reason we switched was cost and limited support options.

It's pretty straightforward. I came at these products already having considerable firewall experience.

It was all in-house, as we all had 10 years plus experience when we moved to PIX firewalls and then a few years later we brought in the ASAs.

• Watchguard
• Sonicwall
• Checkpoint

The product line offers tremendous capability. Please look into all of the solutions it can provide for you to maximize your investment.

We utilize the solution for our IT security. 

To be honest, all of the features that are provided, all the other vendor will also have. One feature we did find valuable was the CLI, it is more accurate. Additionally, I was happy with the customization, dashboards, access lists and interface.

We frequently use the Bottleneck feature we purchased specialized from Cisco.

It is hard to collaborate with our filtered environment. 

If Cisco could combine the Bottleneck feature of ASA, their platform called Umbrella, and the other team they have that has similar malware protection into one, this would be perfect. 

I have been using the solution for almost three years.

The solution is stable. However, It does have some bugs, but Cisco always fixes them really quickly. Sometimes we have to restart and it would be better if the bugs could be fixed without having to reload.

The scalability is not perfect.

The support has been great and responsive. Most of their engineers are very professional and knowledgeable.

The setup is easy to do if you are familiar with these type of installs, if not then it could be difficult.

We have a perpetual license for all of our firewalls. For some of the features, we purchase them on demand. The pricing is decent but it could always be cheaper, we would be happier.

We will probably change to a higher version in the near future or migrate to a next-generation firewall which would include IPI and some other new features. This makes sense because our current firewall ends the support in several years. 

Cisco FirePower, the next-generation firewall, is much better for stability.

I have used many versions of the software over the years, versions 8.6 to 9.1 and 9.9 to 9.12.

Keep in mind before purchasing the solution, if you do need to scale the solution then ASA is probably not right for you.

I rate Cisco ASA Firewall an eight out of ten.

We use the solution to monitor the connections as part of our parameter protection for our network. We restrict what kind of traffic comes in and out, we use it basically for traffic management.

Cisco used to be all command-line operations and now Firepower is in a way modelled from FortiGate. Firepower has integrated a UI into it now.

You do not have to do everything through a command line which makes it a lot easier to apply rules.

You are able to see the traffic of what sites users are visiting.

There are warnings if you are about to go to sites that could be malicious.

It also allows you to block within categories, such as, by URL.

The solution always had these capabilities, but it did not have a user interface that was user-friendly.

The solution could offer better control that would allow the ability to restrictions certain features from a website. For example, If we want to allow YouTube but not allow uploads or we want to allow Facebook but not allow the chat or to playing of videos. This ability to customize restrictions would be great.

We have been using the solution for three months now. We have always used Cisco but before we were using the ASA and now we use the new version with the threat defence.

The stability is good so far.  My opinion could change in another couple of months once we get more deeply involved with the solution.

We currently are protection approximately 220 users.

We just deployed it a couple of months ago, we have not used the tech support with the Firepower yet. We have not had an issue that we have had to raise with them. 

Generally, the tech support for Cisco takes too long to go through the different tiers of support agents to get to someone that can resolve the issue. You end up speaking to someone that is not qualified to solve the issue, then you have to be escalated upwards over and over. This system could be better.

I rate the tech support service generally from Cisco a seven out of ten.

The installation is not hard and not easy either, it falls in between.

The time of implementation took us two to three days. This was in part because we were migrating from another Cisco firewall. The config files were already there, we just had to bring them over. While having the config files we just had to set up the hardware to have us up and running. The install could have taken longer if this was not the case.

Currently, I would give this solution high marks because I have not had a problem. However, keeping in mind, my evaluation period has been short. I would not give the solution a ten, nothing is perfect.

I rate Cisco Firepower NGFW Firewall a nine out of ten.

Our primary use case of this program is network protection.

Up until now we haven't been down due to issues with the internet connection or denial of service, so the program does what it claims to do.

The firewalls of this program protects my internet from dangerous internet sites. For us, Cisco is the number one in firewall protection. We are seeking to buy another UTM solution for band management.

The program is very expensive.

We haven't had any problems with the stability so far.

We have 500 users working on the solution and I believe it may increase, so I believe the program is scalable.

The technical support from the company is very good. They are always available when we have problems.

We did use another UTM solution before for firewall, URL and band management. We didn't switch, we just have two layers now. If we want to use Cisco for band management or URL safety, we have to pay a license fee and it is very expensive.

The initial setup was straightforward and it took the company about a day to deploy the firewalls.

The licensing is very expensive.

In the future, I would like to see friendlier configuration and only one license because everything needs a license. You need a URL license, security license, everything is based on a license. I would like to have one license that covers everything. But I am really impressed by the program and my rating is nine out of ten.

For the AWS version, Cisco is our primary use. We have our own appliances and products, which are indicated as Cisco ASA. So, we test these product against Cisco ASA using different types of rules for new cases. During the test process, we make sure the integration works. 

We have been using the solution for two years.

Right now, it serves a purpose and has everything that we need. Performance-wise, it is top-notch.

It is a comprehensive suite and complete package. We have the following with the product:

• Interest point detection
• Firewall stuff
• VPN
• It's configurable.
• It guards with its own threat intelligence. 

We find that virtual instances are helpful because they are easy to use on AWS Marketplace, as they are On Demand. We have a lot of traffic on AWS. Therefore, to monitor the traffic rather than using on-premise, we use virtual instances of Cisco ASA. This is pretty easy to use and we receive value off of it.

Cisco ASA should be easier to use. It is a bit tough to navigate and see what is going on. While I like the UI and dashboards of Cisco ASA, if you compare them to Palo Alto or Fortinet, they have much richer UIs. An analyst (or anyone) can see them, and say, "I have got all these important pointers on my dashboard." However, with Cisco ASA, we need to dig into many things and go to many views to see what is actually there.

It is stable. We put a good amount of stress on it.

Especially for the AWS version, we can spin up multiple instances and do load-balancing. 

We have 15 to 20 Cisco ASA switches with a couple of physical appliances and twelve machines. Our team is using four to five machines.

It is all self-guided, and we were already using the physical appliances. Therefore, we knew how to use the product.

Our individual release cycle has been quicker because the entire development and testing environment has been automated because of these virtual instances. It has aligned our development workflow. This is where we have seen the ROI increase. 

For example, if you are working with a physical appliance, then you need to have a dedicated lab administrator to work with it, even to test a simple use case. This takes time because we would need to frequently reset that appliance and load all the data. It is no longer like that.

Purchasing from the AWS Marketplace was easy. It was just point and click.

It is pay-as-you-go, so it much cheaper than buying in the plants.

We also checked Fortinet and Palo Alto, their AWS versions. 

When compared products, Cisco ASA is easy on AWS. We received a trial version. It is easy to setup and evaluate.

We also already had Cisco products. This provided a tighter integration with what we already had. Since most of our traffic stays in AWS, it made sense to use AWS Cisco ASAv.

Once you deploy a virtual database or virtual machine for any product, like Cisco. The first thing to do with your data is test it. So, you need to be prepared with the test that you want to test before you deploy the instances. Because after deploying instances, you wait and see what the data come back with, how to configure it, and review what doesn't work. Therefore, you need to do some background homework before starting, such as what type of data you need to put into it, how to test it, and will the system process it.

We have used both the on-premise and AWS version. We started using AWS in the past six to seven months. Prior to that, we used the on-premise version. The AWS version is better as it is quick to spin up and configure. Also, with AWS, everything is preset, and it is more flexible.

We have it integrated with many other products, like threat intelligence and analytics. For example, all our logs go into Splunk, then we receive our analytics from there. We also have Splunk on AWS. Thus, all the data stays on the cloud, so there is no latency, etc.

This solution is involved in the protection of the network perimeter and the VPN gateway.

It allows you to fine-tune and create flexible circuits, as well as unites a large number of different types of connections.

• AnyConnect
• Double translations
• Independent IPS module
• High performance
• Various methods of organizing a VPN

• Simplify licensing
• Do not combine the IPS module with the main operating system.
• In new products, leave the CLI.