Cisco Secure Firewall Reviews

It is primarily used as a firewall. I think that all firewalls basically work the same, but some have different configurations of the switches. Cisco ASA is very strong. 

I think that there should be better security of other firewall appliances. Migration is another main issue. If you migrate from the ASA to the new Fire Power Threat Defense appliance, it is not an easy migration. You have to do some of the migration manually, and if you are relacing those firewalls it will take a long time. It should be a smoother migration process. Some of the new engineers are still not familiar with it, and I think that Cisco should rehire some of the engineers coming from Sourcefire to do so.

There is not much to say about the stability of the product. Migration is the painful aspect of the solution.

During the mitigation process, I used tech support. But, I still have not had a completely clean migration process.

I do not like to have too many vendors it becomes difficult to diagnose and deal with. If all the switches also ran the same, I would be OK. But, this does not usually happen. Often there are many configurations of switches and we end up switching on the switches.

Cisco has recently become very expensive. Other solutions on the market are cheaper than this solution.

We have also evaluated Fortinet and Sophos UTM as possible solutions.

I am using Cisco ASA as the firewall for my business to guard the boundary of my business. It has been very helpful in my sector of media with my clients, essentially focusing on how secure their data is, especially when we are working on a few projects which involve multiple citations across Europe. 

Our content, which is the main asset for our firm, is pretty elusive behind the firewall of Cisco ASA.

It has improved my client's trust. 

VPN load balancing: This has been particularly essential for my connections to integrate via multiple time zones.

I needed to be well-versed with all the command lines for Cisco ASA in order to fully utilize it. I missed this info and wasted some operational costs. I would like to advise others to please be wary from the start.

It was initially heavy on my pocket, but it soon actualised its worth.

We use it for security of branch offices and data centers. 

It works like a firewall for security reasons. 

Filtering is the best feature, as I have gotten used to using it.                               .

The IPS and GUI are outdated. It is finally getting IPS inside, which will be a big improvement. The GUI is outdated, and they are slowly improving it. We will see if they go in the correct direction. Unfortunately, they usually just follow other vendors.

It is slowly not supported and other vendors are a few years ahead of Cisco in development.  

Configuration on Firepower is currently madness as you have to redeploy it again with all its configurations if you use it as a module.

If you compare it with other products, other firewall products in the market, at this moment, it doesn't have that many features, no impressive feature in it, in fact. 

The one thing I like about the product is the logging features, the way it logs, the way it forwards the logs in Syslog. It generates the particular Syslog. Compared to other products, that is the only feature, I feel, that is good. I have worked with other firewall products, so I know it very well. The logs are pretty good. Then it forwards. When it forwards the logs to a third-party syslog server, it then writes the Syslog very well. That is the only feature I like about it.

It doesn't have a proper GUI to do troubleshooting, so most people have to rely on the command line.

Its a sort of legacy product nowadays. The firewalls which are the next generation have loads of features added to them, and they are all in one box.

It should have packets, deep level inspections and controls, like the features which other IPS solutions have. It just doesn't have any. It's just a box which does firewalling. 

Threat management features also should be added into it. 

So, the first thing is that the GUI has to be improved. The second thing is that the UTM features have to be added to it in a much broader way; not by relating to other third-party solutions which is how it is done right now. It should have built-in UTM features like other firewalls have now. Plus it should have the ability to analyze any packets which have malicious behaviors. Currently it doesn't have anything like that. It's just a layer-3 firewall.

Regarding the GUI, it's a very childish sort of attempt. It hasn't been improved since I started working with it. Yes, it shows the logs as they are but it doesn't have any option to do proper reporting.

Stability is really good, actually.

Scalability is not that good, I think. Other firewalls, upgrading is a very easy task; from the graphical user interface, you just need to import the firmware versions into it and install it. In this firewall, you need to have a third-party solution in both. It's a process. It's a procedure, a hard procedure, actually, so there is no straightforward procedure for upgrading.

I have never called the tech support, apart from a hardware issue, but that is done through the vendor, a third-party support team.

I was actually using ASA and I switched to another one.

I actually have lots of experience working on multiple firewalls and technical solutions, so for me I don't have any problem doing things by the command line. But for others, for a person who has two years of experience or one year of experience in general, they will definitely face issues working in the command line. You have to remember all of the commands, to search for the commands. If you're in a graphical user interface, you can go search somewhere and find some options. So I would say in that way it is complex.

If I were to advise others who are looking into implementing this product I would say I don't think they will like it. They would be able to meet business requirements better with other products, other vendors' firewalls. That's what I think, that's what I know from my own experience, from dealing with customers.

If those features, which I mentioned above in the first few questions, if they can add those features into the firewall as a standalone box, it can definitely become a player on the stage. They already have a good platform, even if it's a legacy product, it has that bit of maturity. So if, on top of that very good platform, they can add those features - security, threat intelligence features - they can get back into the market.

It blocks all outside to inside traffic and only permits the specific internet traffic from the outside. VPN functionality is very useful, we can create remote access and tunnel VPN in the simplest way.

It blocked all kinds of internet attacks from outside like DOS or DDOS and avoided any down time. We created a remote tunnel from head office to data center network for easy access of servers that make working fast and they are easily manageable.

It would be great if they would add web filtering functionality to this product.

5 years

No

No

No

Excellent

Good

It is a little difficult in newer IOS versions where the use of the NAT command is different. Otherwise its straightforward to configure.

I deployed it in-house with my team.

This solution reduces any downtime therefore business continuity is not disturbed - that is ultimately ROI.

It is one time cost of about $10,000 and there is no day to day cost.

Yes, I evaluated Fortigate, SonicWall and Juniper but found Cisco ASA to be the best solution for us above all of the others.

Cisco ASA is a reliable product and it benefits you a lot in your network.

With the ASA there are multiple products depending on your needs based on the two generations of the ASA. Roughly split-up there are 4 products.

1. 5500 Series basic/standard firewall - This I would rate as 7/10 due to the fact that it's easy to use, manage and deploy. Its scalable SSL, and IPSec VPN options, and is lacking throughput
2. 5500-X Series basic/standard firewall - This I would rate as 8/10 due to the fact that it's easy to use, manage and deploy. Its scalable SSL, and IPSec VPN options, and it has high throughput
3. ASA5500 Series with firewall and CX - This I would rate as 5/10 due to fact that even though the firewall and VPN part is easy to manage and deploy, the CX is lacking in stability, and features. Also, it is rather complex to deploy. Add to this the CX lowers the throughput even further
4. 5500-X Series with firewall and Sourcefire - This I would rate as 9/10 because it's easy to use, manage and deploy the firewall, VPN, and also the SourceFIRE. SourceFIRE works rather well and is by far the most advanced IPS system available. But it decreases the throughput more than you´d like

In general, I like both the SSL VPN and SourceFIRE. Firstly, for the VPN, both the client and client-less versions are very scalable, flexible, and dynamic in configuration and probably the best SSL VPN solution available in the marked. Secondly, SourceFIRE has improved the IPS functionality and stability of the ASA to a point where you can begin to enjoy the fruits of your solution and root out the bad seed in you network.

For many of my customers, the SourceFIRE solution has been an eye opener of exactly what their users are generating of traffic. Some customers, after reviewing the traffic application usage reports are astounded by the amount of traffic used, for example by Facebook and YouTube. My customers like the visibility into their network usage, and not necessarily wanting to block it, but just to know that they can control the network traffic and utilization if needed.

Definitely the throughput could use an upgrade when running the SourceFIRE/AMP with the ASA. Also, it could use better troubleshooting capabilities. You are, most of the time, bound to have access to TAC for troubleshooting advanced problems.

Customers where I have deployed these solutions have had them for three plus years, and most of them have, at the present moment have first generation solutions, or are planning an upgrade to the second generation ones (NGFW or NGIPS),

There are always issues when implementing key equipment like firewalls, especially if you are converting from an unfamiliar platform, activating SourceFIRE, or doing a general maintenance rule clear-up. If you don’t follow best practice, you can seriously impact network performance or unintentionally shut-down services.

In general the ASA has a great software stability reputation, and even though SourceFIRE for ASA is still young, the stability seems to be rather good. Of course you can’t avoid all issues, and you might have to reinstall the SourceFIRE software on the modules. If you're upgrading the ASA from pre code 8.3, you will need to redo the NAT and access rules of the ASA.

License scalability for SourceFIRE is really not good if you have an ASA in HA as you need two licenses of everything, which is really bad as you wont get double SourceFIRE other than that you need to remember to buy your ASA based on the SourceFIRE's throughput and not the inspection throughput.

If you have a service contract with Cisco you can have TAC assistance, software upgrades and next-business-day RMA (or faster) otherwise you are left to yourself or your Cisco partner. Basically without a Cisco service contract, you can't get any help or software from Cisco.

Should you have a Cisco service contract, you get access to TAC that will provide you technical assistance towards solving your issue. The TAC experience can vary a lot. In general I would rate it as very good, 4/5.

Mainly customers switch from other vendor because of VPN features, ease-of-management, and good consultant/partner relationship.

The initial setup is fairly easy and there are wizards for almost all the basic needs, including the initial setup and all types of VPN technologies that the ASA supports.

I am the vendor, and I am an expert with ASA.

Make sure you get the right product/license to do the job you need done. If you are in doubt ask a consultant or a Cisco Partner. I have seen cases where a firewall wasn't the right hardware for the job and you can't just switch off the firewall/inspector for some interfaces or networks.

• Scalability
• Debugging messages
• Context modes

Context modes as this means there is no need to buy additional firewall for different customers.

IPS, IDS, anti-virus etc. should be added to IOS instead of separate cards.

I've used it for three years.

No issues encountered.

No issues encountered.

No issues encountered.

Dedicated experts are available in support contract with Cisco.

100% skilled engineers with knowledge are available 24/7.

It is straightforward.

We implemented it in-house.

It is £2,000 to set up, and the running costs, depend on the customers' issue(s) or tickets raised.

• Juniper
• FortiGate

Its a nice professional product with lots of scalability. Easy to troubleshoot and there is tool called PACKET TRACER which simulates the packet and it will tell you whether a packet is allowed inbound or outbound for testing purposes.

• Content filtering
• VPN features
• User interface is also very friendly

Users can VPN into the network from remote locations. It has given us a very robust and well firewalled LAN, that we use for authentication as well for our core network infrastructure.

I've used it for seven years.

No issues encountered.

It's a very stable product.

No issues encountered.

It's good.

It's good.

No previous solution was used.

It was a straightforward setup.

Implementation was in-house as we have Cisco experts.

The initial cost was approximately $6,000.

No other products were evaluated.

ASA is a very reliable product and I have been using it since I cam across it. I strongly recommend the use of the product