Cisco Secure Firewall Reviews

It's deployed in multiple ways, depending on the use case. Generally speaking, we have them as edge firewalls, but I have some customers who use them as data center firewalls, and some customers who use them as VPN firewalls. And in some places, they're the east-west firewalls, as they would be called in a core network. We do have some that are for cloud firewalling, that we're using in Azure and AWS. But generally speaking, they're deployed as edge firewalls and on-prem.

In some cases that I'm aware of, when moving from specific platforms like Check Point, Firepower has offered a much easier way of working with the platform and deploying changes. For the customer, it's a lot easier in the newer platform than it was in the previous one.

I've done network assessments, where we wanted to get visibility into all flows. I used Firepower boxes for some of those, where we tapped a line and let Firepower see all the traffic. It was incredibly helpful in picking up all of the flows of data. As a result, I was able to give information to the customer, saying, "This is what it's doing and this is what it's seeing in your network." I find it very helpful to get all that type of data. It's got a lot more information than NetFlow-type systems.

There have also been use cases where I'm doing east-west and north-south in the same firewall box. That is possible with SGTs and SD-Access and Firepower. That ability has been critical in some of the designs we've done. A scenario would be that we have an underlay, a corporate network, and a guest network VRF-routed zone; big macro security zones. We are doing micro-segmentation at the edge with SD-Access, but the macro-segmentation between the zones is handled by the firewall. Because we didn't want to split up our east-west and north-south, because there really wasn't a budget for it, they're on the same box. That box is able to do both flows that go towards the internet and flows that go between the different interfaces on the firewall. We're using SGTs in those policies and we're able to extend the logic from the SD-Access environment into the firewall environment, which creates a very unified approach to security.

We're also able to implement dynamic policies for dynamic environments with 7.0. That's becoming more and more important every day. IPs are becoming less important; names and locations and where things live in the cloud mean things are becoming a lot more fluid in the world of security. It's very helpful to have objects and groups that can follow that fluidity along, as opposed to me trying to do it old school and static everything up. No one has time for that. Dynamic policy capabilities enable tight integration with Secure Workload at the application workload level. The IP is less relevant and the application or the VMware tag can be tied to a specific ruleset. It's very helpful to be able to have it be so dynamic now. We're using more and more of those dynamic group concepts.

When it comes to the solution’s tags for dynamic policy implementation in cloud environments, VMware is the primary one I'm seeing these days, but I expect Azure to pick up significantly. The use of these tags for dynamic policy implementation in cloud environments simplifies things. We don't have to have so much static stuff pinned up. We can just have a single rule that says, "If it's this tag, then do this," as opposed to, "If it's this IP and this IP and this other IP, then you're allowed to do this thing." By disconnecting it from the IP address, we've made it very flexible.

It may sound a bit strange, but one of the most valuable features of Firepower 7.0 is the "live log" type feature called Unified Event Viewer. That view has been really good in helping me get to data faster, decreasing the amount of time it takes to find information, and allowing me to fix problems faster. I've found that to be incredibly valuable because it's a lot easier to get to some points of data now.

Also, the new UI is always getting better from version to version. In the beginning, when it came to managing Cisco Secure Firewall, it wasn't always the easiest, but with 6.7 and 7.0, it's gotten easier and easier. It's a pretty easy system to manage. It's especially beneficial for people who are familiar with ASA logic because a lot of the Firepower logic is the same. For those people, they're just relearning where the buttons are, as opposed to having to figure out how to configure things.

I've used the backup VTI tunnel and that's a feature that lets me create some redundancy for my route-based stuff and it works pretty well. I haven't had any issues with it

Firepower 7.0 also has fantastic Dynamic Access Policies that allow me to replicate a lot of the configurations that were missing and that made it difficult to move off the old ASA platform for some customers. The addition of that capability has removed that limitation and has allowed me to move forward with implementing 7.0. 

Snort 3 is one of the biggest points on Firepower 7.0. I've been using Snort 3 for quite a while and, while I don't have a ton of customers on it, I do have some who are running on it and it's worked out pretty well. In their use cases, there wasn't a lot of risk, so that's why we started with it. Snort 3 has some huge advantages when it comes to performance and policy and how it's applying things and processing the flows.

Dynamic Objects have also been really critical. They're very valuable. Version to version, they're adding a lot more features onto Dynamic Objects, and I'm a big fan. 

I've also used the Upgrade Wizard quite a bit to upgrade the firmware. 

And on the management side, there are the health modules. They added a "metric ton" of them to the FMC [Firepower Management Center]. In version 6.7 they released this new health monitor which makes it a lot easier to see data and get to information faster. It's quite nice looking, as opposed to CLI. The new health modules really do stand out as a great way to get to some of that health data quickly—things like interface information, statistics, drops—that were harder to get to before. I can now see them over time, as opposed to at just a point in time. I've used that a lot and it has been very helpful.

In addition, there is the global search for policy and objects. I use that quite a bit in the search bar. It's a great way to get some information faster. Even if I have to pivot away from the screen I'm on, it's still great to be able to get to it very quickly there. 

In a lot of ways, they've addressed some of the biggest complaints, like the "housekeeping" stuff where you have to move around your management system or when it comes to making configuration changes. That has improved from version to version and 7.0 is different. They've added more and have made it easier to get from point A to point B and to consume a lot of that data quickly. That allows me to hop in and do some data validation much faster, without having to search and wait and search and wait. I can get to some of that data quicker to make changes and to fix things. It adds to the overall administrator experience. When operating this technology I'm able to get places faster, rather than it being a type of bottleneck.

There is also the visibility the solution gives you when doing deep packet inspection. It blows up the packet, it matches application types, and it matches web apps. If you're doing SSL decryption it can pinpoint it even further than that. It's able to pull encrypted apps apart and tell me a lot about them. There's a lot of information that 7.0 is bringing to the forefront about flows of data, what it is, and what it's doing. The deep packet inspection and the application visibility portion and Snort are really essential to managing a modern firewall. Firepower does a bang-up job of it, by bringing that data to the forefront.

It's a good box for visibility at the Layer 7 level. If you need Layer 7 visibility, Firepower is going to be able to do that for you. Between VLANs, it does a good job. It's able to look at that Layer 7 data and do some good filtering based on those types of rules.

I'd like to see Cisco continue its approach to making it easier to navigate the UI and FMC and make it easier to get from point A to point B. Generally, the room for improvement is going to be all UI-related. The platform, overall, is solid.

I'd also like them to continue to approach things from a policy-oriented perspective. They are moving more and more in that direction. 

Also, the change-deployment time can always be improved. Even at 50 seconds, it's longer than some of its competitors. I would challenge Cisco to continue to improve in that area. It's very reasonable at 50 seconds, it's not like it used to be in early versions of Firepower, where it was around seven minutes. Still, it could be quicker. The faster we can deploy changes, the faster we can roll back changes if we have messed something in the configuration. Low deploy times are really good to have. 

I would also like to see more features that will help us connect things to the cloud dynamically, and connect things to other sites dynamically. There should be more SD-WAN features in the boxes. If I can use one box to solve cloud connectivity problems, and not have to do stuff so statically, the way I have to do things today on them, that would be helpful.

I am a Cisco partner and reseller and I actually beta test for the Firepower team. I work on Firepower boxes and have done so since the beginning. I have customers on Firepower 7.0 and I have been using Firepower 7.0 since its release.

I haven't really had any major complaints or issues with Firepower 7.0 stability.

It scales, but it depends on the growth rate of the customer and the amount of bandwidth. It's usually a speed and feed problem: Is the firewall box big enough to handle the traffic? Snort 3 has made some improvements there and it's even given some life back to older boxes because of improvements in code and in how Snort processes data. But, overall, the box just has to be big enough for the amount of traffic you're trying to shove through it.

I've been doing this a long time and I don't usually need to call tech support. But when I do need to call TAC, after working with a lot of the other vendors out there, Cisco TAC is still one of the best technical resources in the market. I do like TAC. That's not to say that every TAC engineer is great, but comparatively, they're one of the best support organizations.

Neutral

The initial setup is straightforward, with the caveat that I've been doing this for a long time, so for me it is simple and makes sense. But it is pretty straightforward. You have overall policies that wrap up into your access policy, which is the base policy. You have DNS policies that will roll right up into it. Likewise, platform policies get attached to devices. Generally speaking, it's a lot of working through the logic of the rules: How do you want to block stuff, and how do you want to permit stuff? A lot of that is normal firewalling. When I say the setup is simple, it's because it involves normal firewalling issues. You have to deal with routing, NAT rules, ACLs, and VPNs. It's a matter of just kind of working through those same things that every firewall has to solve.

The deployment time depends on the customer and how many rules. If we're building out all their rule sets, it could range from 40 hours to hundreds of hours. It also depends on what we're coming from. We're not generally walking into environments that are green, meaning there's no box there today. It's almost always that there's something else there that we're replacing. We have to take what we're coming from, convert it, and then put it on Firepower. Small businesses might have a couple of rules, enterprises might have hundreds of rules.

Our implementation strategy is to go in, document the current state of the environment, and then work on a future state. We then work through all the in-between stuff. When we have the old firewall configuration, we determine what it will look like on the new firewall configuration. Does the firewall configuration need to be cleaned up? Are there things that we can optimize and improve or modify? A lot of it involves copying configuration from the old platform to the new one. We're usually not trying to change a ton in a firewall project because it increases the risk of problems arising. Usually, customers' networks are operating when we get into them. We prefer to do a cleanup project after implementation, but sometimes they coincide.

In our company, one person can usually do a firewall cutover. And maintenance of Firepower 7.0 usually requires one person. Maintenance will usually involve a firmware upgrade.

There is a lot of value with SecureX. Other customers struggle to bring all the data back to one place, the way you can with SecureX, across a product portfolio. The value of that capability is incredible. I don't know how to put a monetary value on it, but from an operational perspective, it's very helpful to have it all back in one place because you're not having to hop around to multiple UIs to find the data you're looking for.

With any vendor, prices are often a little bit negotiable. There are things like discounted rates. There's a list price and then, as a partner, we get a discounted rate based on how much product we're purchasing and our relationship with the vendor. 

But on the list-price side of things, there are three big licenses on an FTD [Firepower Threat Defense] box. There are the malware license, the threat license, and the URL filtering license. You can license them in one-year, three-year, and five-year increments. Each license will enable different features on the box. The malware license will enable AMP filtering or AMP detection. The threat detection enables use of the IPS solution, which is really Snort's bread and butter. And the URL filtering enables filtering based on URL categories.

Sometimes we use URL filtering and sometimes we don't. It depends on the customer and on whether they have a different URL filtering strategy, like Umbrella. The two big ones that we sell are malware and threat detection, with threat detection probably being the license we sell the most.

SMARTnet, the technical support component, covers the box. When you purchase the hardware, you buy it with SMARTnet. Licenses cover features, SMARTnet covers support.

We continue to support, integrate, and sell three out of the major four vendors: Palo Alto, Fortinet, and Cisco. Every vendor has been a great partner with us, so I don't want to showcase one firewall platform over another.

Palo Alto is arguably the most mature out of the group when it comes to the firewall in general, but they've also been developing on the same platform for quite a long time.

FortiGate, on the other hand, is great in a lot of use cases.

Cisco's strength is how it integrates with the security portfolio at Cisco. When you have a lot of other security products or integrations, Firepower really stands out above the rest. Palo Alto and Fortinet, although they can integrate with SDA to some degree, they don't integrate to the same depths as Firepower. You really start to see the benefits of Firepower in your organization when you're looking at the Cisco security stack. That's what I would argue is one of the biggest benefits of Cisco in general, that stack of products.

With Cisco, it's not necessarily about a single piece, it's definitely about how they all can communicate and talk to each other, and how information is shared between the components, so that you can create a unified approach to security. Their SecureX product is an integration point. It brings together a lot of that information from different product lines in one place. That's really Cisco's game. Some of the other security vendors struggle to keep up with the breadth and depth of what Cisco is doing in all those different spaces.

In terms of ease of management, Firepower is an enterprise product. While FDM [Firepower Device Manager] is really easy to use, FMC has a lot more knobs to turn. Comparing FortiGate to FMC, a lot of the capabilities of FortiGate are still at the CLI level only. Palo Alto is 100 percent UI-based, not that you can't configure a Palo Alto from CLI, but I don't think anybody does that.

My advice is that you need to know your flows. If you're upgrading to Firepower, you should know what traffic matters and what traffic doesn't matter. If you really want to be successful, you should know all the flows of traffic, how they function, what they do. That way, when you get the box up and running, you know exactly how it should operate.

You can split Firepower users into two buckets: help desk and admin. Help desk will usually be read-only and admin will be read-write. If there's one engineer at a customer, he might have admin rights. If there's a help desk and one senior firewall guy, he might have admin rights where his help desk has read-only. It varies by the size of the customer. Most midsize organizations have one or two firewall guys. When you get into the big enterprises, the number goes up.

Regarding Firepower's Snort 3 IPS allowing you to maintain performance while running more rules, the "book answer" is yes, it's supposed to. We're not really running Snort 3 a ton on those yet because of some of the risk and because some of those customers haven't upgraded to 7.0 yet. Those that are on Snort 3 are just not running policy sets that are large enough that to notice any major or even minor improvements. I have seen an uptick in performance improvements with Snort 3, even on firewalls that are not 100,000-rule firewalls. We are seeing improvements with Snort 3. It's just that Snort 2 performance hasn't really affected the box overall, it just runs a little hotter.

When I mentioned the risk for Snort 3 for our larger clients, what I meant is that with new things come new risks. Snort 3 is one of those new things and we have to evaluate, when we upgrade a customer to it, whether the risk of the upgrade warrants doing it for the customer. In some cases, the answer is no, because of burn-in time. With some of our riskier locations or locations that require 24/7, it makes more sense to run Snort 2, which has been out there since forever on the Firepower platform. It's a lot more stable on Snort 2 and the problems are known problems, from a design perspective. We've mitigated those and worked around them. With Snort 3, there could be new bugs or problems, and in some environments, we want to mitigate that risk.

My expectation is that by 7.1 or 7.2 we will upgrade more generally to Snort 3. It's not that it's far away. It's just that with 7.0 being the first release of Snort 3, and 7.0 only having one or two patches under its belt, we thought it better to remove some risk and just use Snort 2.

Cisco Secure Firewall helps to reduce firewall operational costs, depending on the firewall vendor it's replacing. In some cases, customers are coming from old platforms where the security wasn't nearly at the same level as a next-gen firewall, so the advantage of moving to a next-gen firewall is the increase in security. But that comes with an operational burden no matter the firewall type. There is a lot more visibility and capability out of the NGFW platform, but it comes at a cost. There's more data to work through and more things to configure. Still, in most cases, Cisco Secure Firewall is going to decrease operational usage with the caveat that it has to be an "apples-to-apples" situation, which is very hard to come across these days. 

My company uses Cisco Secure Firewall for its protection and security features.

I won't be able to speak about the strong points of the product. I will need the input from my team to be able to speak about the advantages of the product. The solution's dashboard is fine, and in terms of support, Cisco is better than other OEMs in the market.

The solution's price can be lowered because, currently, it is pricier than the tool its competitors offer in the market. If the product's prices are lowered, it may help Cisco to expand its market base.

If Cisco reduces the price of its product, then it can gain more advantage and become much more competitive in a market where there are solution providers like Fortinet FortiGate.

I have been using Cisco Secure Firewall for five years.

I don't remember the version of the solution since there is a support team in my company to manage it. My company has a partnership with Cisco.

Stability-wise, I rate the solution an eight out of ten.

Scalability-wise, I rate the solution an eight out of ten.

Around 2,500 people use the solution in my company.

Most of the time, the solution's technical support is helpful and responsive. There have been a few cases where a few black spots have been noticed, which I think is because Cisco opted for localization of support because, during holidays, nighttime, or weekends, it becomes difficult for users to reach the support team, though the rest of the time the support is good.

If you have already scheduled a call with the support team of Cisco, then it is good. If you need to reschedule a call with the support team when you face a new issue with the product, then it may get a bit of a problem to get a hold of someone from the support team of Cisco. Earlier, there were no problems with Cisco's support team. Recently, there have been a few issues cropping up related to the technical team of Cisco. Technically speaking, the support team is good, but the availability offered by the technical team has deteriorated.

I rate the technical support a seven out of ten.

Neutral

I work with Palo Alto, Fortinet, and Check Point for different parts of our IT environment.

The product's initial setup phase was taken care of by another team in my company before I joined my current company.

On our company's core payroll, we have a very small support team, but we do have a support team in my company for the product. The support team in my company consists of around 20 to 25 engineers who work around the clock.

The solution is deployed on an on-premises model.

I rate the product's price a seven on a scale of one to ten, where one is expensive, and ten is cheap. If we compare Cisco with other OEMs available in the market, Cisco needs to work on price improvement. Nowadays, there is a lot of competition in the market with newer solutions, like Fortinet, gaining popularity, amongst a few other names like Cyberoam, a product from a local Indian vendor. Palo Alto has also gained a lot of market share in recent years.

From a security perspective, generally, there are only three solutions that our company looks at, which include Check Point in the last four or five years, among other options like Palo Alto and Cisco.

I recommend the solution for SMB businesses.

I rate the overall tool a seven out of ten.

I've deployed them in a number of different use cases. I've deployed them at the internet edge. I've used those VPN concentrators, and I've deployed them at the data center core, segmenting VLANs.

We've seen a lot of improvements in terms of cybersecurity resilience and securing our infrastructure from end to end so that we can detect and remediate threats. The visibility with FMC is excellent. Being able to have, for instance, a data center core firewall, an internet edge firewall, and a VPN concentrator device managed by the same FMC and being able to take all of that information and see it in one place is very beneficial from the security posture standpoint. It's a time saver because it makes things easy. I can log in and very easily see what my detected threats are, what's been happening over the last 24 hours, or if there's anything I need to be concerned about. Being able to see who's logging into the VPN, but also what traffic are they sending, what are they bringing back, and being able to have all that in one place is really nice. The integration between the FMC and endpoints is a nice feature and a big time saver in terms of remediating threats and remediating malware and other malicious software.

FMC is very good in terms of giving a lot of visibility into what the firewall is seeing, what it's stopping, and what it's letting through. It lets the administrator have a little bit of knowledge of what's coming in or out of the device. It's excellent.

The policies module in FMC specifically isn't the most user-friendly. Coming from Cisco ASA, Cisco ASA is a little bit easier to use. When you get into particularly complex deployments where you have a lot of different interfaces and all that kind of stuff, it's a little bit tricky. Some usability improvements there would be nice. 

For scalability, they could support a little bit more diverse deployments around clustering and high availability. Currently, it's very active standby, and being able to do a three firewall cluster or four or five firewall cluster would suit some of my deployments a little bit better. It would also help to keep the cost down for the customer because you're buying smaller devices and clustering them versus larger devices.

I've been using Cisco firewalls for fifteen years at least. I've been using them in some form or another, such as from ASAs and now FTDs and Firepower.

Its stability is excellent. In the last six months, I've probably deployed about 14 Cisco Secure Firewall devices, and I am yet to get a callback. I deploy them, and then the customer takes ownership of the device, and they're off to the races and ready to go. They've been stable, which is good. I don't like devices that break the week after I install them and make me look bad.

I've implemented them anywhere from a 500 MB throughput device up to a 20 GB throughput device. Particularly around scalability, some improvements in terms of clustering would be good.

I've called Cisco TAC many times throughout my career, and I never hesitate to do it. They've always been fantastic for me. I'd rate them a ten out of ten.

Positive

I've used a number of other competitive devices. I've customers running SonicWall, I've customers running Palo Alto, and I've customers running Fortinet. Cisco Secure Firewalls are excellent.

Cisco is at a really good place, especially with a lot of the recent updates that have happened. Compared to Palo Alto and Fortinet specifically, I find FMC is way easier to use. Specifically in the realm of cybersecurity resilience, it's for sure a much more effective tool than Palo Alto. Having come from Palo Alto, the way FMC surfaces threats and enables response to set threats is vastly easier for me and my team to work with, so we're seeing a lot more resiliency. We're seeing a lot quicker response to threats. We're seeing a lot quicker identification of threats. From that perspective, it's far and away better.

Cisco Secure Firewall is the best in the market right now. Palo Alto is okay, but Cisco is better. In terms of resiliency and providing actionable intelligence to a security team, I find Cisco products to be way better. Fortinet is also fairly easy to use. They have a lot of the same strengths. However, Fortinet's technical support is terrible. Cisco has a nice package of devices. It's easy to use. It's easy to integrate for the security team. It gives you a lot of actionable intelligence in your network. Having that kind of company and technical support to be able to back that up and be able to support the customers is very useful.

I've deployed them countless times, and I find it very easy. I did a high availability pair of internet edge firewalls for a 2,000 users organization migrating from Palo Alto, and I moved them over with AnyConnect, Umbrella, and Duo from Palo Alto in a week and a half with no downtime. I do a lot on-prem just because of my verticals. I work a lot in law enforcement. I work a lot in government, and those end up being very on-prem heavy. 

It's pretty competitive. If they could make it cheaper, it would be great. You always want cheaper, but relative to the performance capabilities of the firewall and relative to what you get, it's fair.

It's not the cheapest in the world, but you get an excellent product for that price. The onus is on us as a customer to look at what we're buying and establish not just the price but the value. You need to look at what you're getting for your dollars there. Cisco has a very good proposition there.

Its licensing is pretty good. It's not very complex. There are not a million different SKUs. I had a Palo Alto deployment where the customer had asked for a license for integration with their Cortex XDR, and they didn't include it. It was eight more SKUs and eighty thousand dollars more. It was a real disaster, and it can put a customer off from using Palo Alto. Cisco's licensing model is easy to understand whether it's apps or VPN. The way that they handle the subscriptions is very easy to understand. It's very fair.

To someone researching this solution who wants to improve cybersecurity in their organization, I'd say that the main thing to look for is usability. Find something that you can understand and that provides you with actionable intelligence because a security device that's not administered and monitored properly isn't going to do much for you. It's not going to be very effective. So, you want a device that's easy to use and that gives you a lot of that visibility and makes your job as a security administrator easy. It should make identifying and responding to threats as seamless as humanly possible because the quicker you can respond, the more security you're able to keep in your organization.

Cisco Talos is an excellent product. I've been using Cisco Talos since Cisco introduced it. In fact, I was a Sourcefire customer before Cisco acquired them, so I'm very familiar with the roots of that team and where it's from. I've been all in on them since day one.

Overall, I'd rate Cisco Secure Firewall a nine out of ten. There's always room for improvement, especially in security because the security world is changing on a daily basis. We're always looking for what can we do better and how can we improve, but what Cisco has done since the Sourcefire acquisition and where they've taken it, I'm very excited for the future.

We had implemented our Cisco API and Cisco Stealthwatch. We use the Cisco Secure Firewall for easy integration that can collaborate with all these Cisco solutions. My operations will also have less maintenance and the same existing team.

Cisco Secure Firewall's security solutions, advanced malware protection, and DDoS communication are very good. With Cisco Secure Firewall, the security is very much manageable because it protects all the incoming and outgoing traffic of our several telecom IT rooms.

The solution's deployment is time-consuming, which should be minimized and made more user-friendly for us.

The solution's graphical user interface could be made more user-friendly, and the configuration can be simple.

I have been using Cisco Secure Firewall for five years.

Cisco Secure Firewall is a stable solution.

I rate Cisco Secure Firewall ten out of ten for stability.

Cisco Secure Firewall is a scalable solution. Around 400 users are using the solution in our organization.

I rate Cisco Secure Firewall a nine out of ten for scalability.

The solution’s technical support is good.

Positive

The solution’s initial setup is complex and requires Cisco-certified people.

Two engineers were involved in the solution's deployment, which took one week.

We have seen a return on investment with Cisco Secure Firewall because it provides advanced malware protection and seamless integration with my existing solutions.

Cisco Secure Firewall is a moderately priced solution. We have to pay a yearly licensing fee for the solution.

The solution’s maintenance is very easy, and one person can do it.

Overall, I rate Cisco Secure Firewall an eight out of ten.

Our use case is mostly for the data center. We are introducing a security zone in the data center, and Cisco is helping us to identify the traffic that is coming from north to south or from outside the data center to inside the data center. It helps us to manage the traffic and ensure that it's secure and allowed to go inside the data center. We have almost completed the project. We are currently tuning the access policies to only allow what's allowed to go inside.

We are using all the firewall models for the data center. AMP, detection, and prevention are a part of the solution.

It was a requirement from our security and compliance team that any traffic going to the data center needs to be checked and secured. We are almost at the final stage of this project to allow only secure access to the data center. We are almost there. We haven't yet completed the project, but it will definitely be a very critical service for us. Our data center is huge with more than 1,000 applications. It will protect and secure our services.

We are using Cisco firewalls not only in the data center but also on the internet edge. We also have it on the OT system or OT network. We are using most of the products from Cisco, and it was easy to integrate with other services. We have the Cisco ACI solution in the data center. We could integrate Cisco ACI with our firewall. We also have Cisco Stealthwatch and Cisco ISE. We can easily integrate different technologies.

Integration and troubleshooting are the main challenges of having multiple vendors. Having an end-to-end solution from one vendor makes life a lot easier because there is an ease of integration. We don't need a third party. It is also easy in terms of support. One engineer from the same vendor can help us with various technologies. We don't need engineers from different vendors, and we also avoid that common scenario where they start to blame the other one for the issue.

Having an end-to-end solution from the same vendor simplifies the implementation. We are able to have centralized management of different products. We were able to integrate and centrally manage even the older versions of Cisco firewalls.

I'm not a security person. I'm a planner, and we were interested in the advanced features of the firewall to allow us to manage the traffic. At the current stage of implementation, their help in implementing a policy has been valuable. It simplified the implementation. Cisco's engineer helped us with a lot of scripting to see what existed. Previously, we didn't have a proper policy. In fact, we didn't have any policy because we didn't have any firewall for the data center, so generating a policy was a big challenge. Cisco's engineer helped us to do some scripting and find out what kind of policy we can have and organize those policies. That was nice.

Its implementation was not straightforward. It was mainly because we were running two projects together. In terms of features, at this stage, I don't have inputs for the area of improvement. We are still in the implementation stage of our project. After we have the solution ready and we test it, we can go to phase two and see how to enhance the solution in the future. We can then see which features will allow us to do that. After we implement it, the next stages will be to maintain it, tune it, and build on it. We will then see how flexible it is.

I've been using Cisco firewalls for about 20 years. The last model we bought for the data center is 9300.

Cisco is always there to support customers and their businesses. They are there 24/7. Whenever you have an issue or challenge, they are always there. For us, a good thing about Cisco is that there is a Cisco office in Oman. Our colleagues coordinate and communicate with them almost daily. They are always there to support us through any challenge or issue. All vendors are not available in Oman, so having a trusted partner who would always help us was a key factor for investing in Cisco. 

When we open a ticket with Cisco support, we always get someone to help us. We have a dedicated engineer who knows our infrastructure and can help us and track the issues. We are a big organization, and we have critical services. We are the biggest oil producer in Oman, which is the main economy of the country. We can't afford any interruptions. We are trying our best, and Cisco always supports us. They handle our cases in an urgent manner because they know the criticality.

For the data center, we didn't have a security zone previously. It was one of the key requirements to come up with the security zone. We chose Cisco firewalls because we were implementing ACI in the data center, and we thought that having one vendor for both activities will reduce our time of implementation, which didn't turn out to be true.

It was not a straightforward implementation. The main challenge was that we were running two projects together, so we ended up doing the same activity twice. We had two requirements: refresh the data center devices and secure them because there was no security zone. We went for the ACI implementation, which was new for us and required a lot of discussions, and when we tried to introduce the firewall, we again had a lot of discussions with Cisco about whether to go with clustering or active standby.

We discovered that our ACI was not compatible with the firewall that we are introducing. So, we ended up upgrading our ACI. That was a big activity because we had to interrupt our data center. It should have been a seamless upgrade, but because some of our services didn't have dual links, we had to do some maintenance for that. After that, we also ended up upgrading our switches because they were not supporting 40 gigs, which is what the firewall interface supported. That was another challenge that we had. After that, going to active-standby or clustering was another challenge because the switch fabric didn't work well with our design. So, we ended up going with active-standby.

It was a journey, but in the end, we managed to overcome those challenges and implemented our solution.

We've definitely seen an ROI. It was a requirement, and looking at the way it went, especially in terms of coming up with the policy and securing our data center, there has been a value-add. We now have a security zone, and we have policies. We can manage and monitor the traffic coming in and going out.

In addition, we have the flexibility of sending any traffic to the firewall, even internally from the data center. Whenever we have a doubt about any application or traffic to any application, we can just send it to the firewall and let it check and monitor. We have this visibility that we didn't have before. We can see any traffic that comes in. 

We bought a three-year license as a part of the enterprise agreement, which includes help with implementation and troubleshooting. We have a big data center with many applications, so implementation was not straightforward. We had to put effort into it. It wasn't an easy or straightforward implementation. The support that we got from Cisco engineers with the three-year premium license was helpful. The enterprise agreement helped to consume the licenses in a practical and faster way and streamline the implementation.

We are very pleased with Cisco for the automation they did to help us in coming up with a policy. That was a big challenge because we didn't have any policy in place. It was a big help for us that they came up with a policy or at least proposed a policy for us.

Our engineers are familiar with Cisco firewalls, and they are not new to them. However, things are changing and technology is changing, and new features are getting added. Automation will be the main challenge for us. Some of our engineers are not yet very good at scripting. They're still learning. The way forward would be to have people do some amount of programming to come up with useful information to enhance the solution in the future.

I'd rate Cisco Secure Firewall a seven out of ten.

We are currently using the Cisco Firepower 2140 model because it fits our sizing and performance needs.

We use Cisco Secure Firewall as the internal firewall to protect our retail PCI networks from the rest of the corporate business.

We are a global company, and we have multiple data centers. There are two in Europe, and we deployed Cisco Firepower in all of our worldwide data centers. In each region in the world, we have two data centers with Cisco Firepower to separate retail from corporate and Firepower for IPS services. This solution protects around 1,500 stores, and our corporate office has around 10,000 people.

I like the basic firewall features. We use Cisco Firepower to separate PCI from corporate, so we're not using it at the edge. If we were to use Firepower at the edge, then we would enable other features like IDS and SSL inspection. However, since we only use it as an internal firewall, plain level-four firewalling is enough for us.

Cisco Firepower is useful for securing our infrastructure from end to end so that we can detect and remediate any threats. I like the Cisco products because they are very stable and what you see is what you get. There are no vague or gray areas. We log all of our logs to Splunk, for example, and everything we see in Splunk is very useful. Finding errors or finding reasons why something is or is not working is very easy.

This solution helped to free up our IT staff's time so that they can focus on other projects. The management platform makes deployment and management, that is, day-to-day changes, very easy.

Cisco Firepower saved our organization's time because it has role-based access. We can give some engineers the ability to do day-to-day tasks and give more experienced engineers more in-depth tasks.

We have been able to consolidate our tools and applications. The FTD tool also manages our Firepower IDS nodes. As a result, we have a consolidated single pane of glass for all of our Cisco Firepower security tools.

We use the FTD management platform for the boxes. The GUI that manages multiple Firepower boxes could be improved so that the user experience is better.

We have been using Cisco Firewall for the last 15 years. We started off using Cisco ASA and have now migrated to Cisco Firepower.

The stability is very good; there's no vagueness. Either it works or it doesn't, and it's also very easy to find out why.

There haven't been any performance issues. We run HA clusters and don't do multiple clusters for scaling. We scale the boxes to our performance needs. We have nine staff members who work with this solution.

Cisco's technical support staff have always been helpful and have been able to solve our issues. I would rate them a nine out of ten.

Positive

We used Cisco ASAs, and they were all individually managed. We went from individually managed IDS and Firepower IDS solutions to this consolidated single management platform.

We chose Cisco Firewall over competing solutions because what you see is what you get. We liked that the changes are immediate. The way the logs come into our Splunk system gives us a good feeling about the stability and performance of Cisco products.

We have seen an ROI. Compared to that of other vendors, Cisco's pricing is in a good range. We use Cisco products for their complete lifespan. With the support context that we have, we also know what we spend over the lifetime of the solution.

The pricing of Cisco's boxes is pretty good.

My advice would be to talk to people who work with different vendors and get some hands-on experience. Don't just listen to or look at sales documents. See whether the performance actually matches that mentioned in the sales documents. Check with other competitors for hands-on experience as well.

I would give Cisco Secure Firewall an overall rating of eight out of ten because I'm not 100% happy with the management dashboard.

I use it every day. It's something that's part of my daily tasks every day. I log in, look at logs, and do some firewall rule updates. 

We have a managed services team. I'm not part of that team, I use it for our company. I look at why things are being dropped or allowed. 

I'm using an older version. They got rid of EIGRP out of FlexConfig, which was nice. Now there's policy-based routing, which is something that I have to update my firewalls or my FMC so I can utilize that product.

Right now I use the Cisco-recommended version of FMC which is 7.0.5.

I like the GUI base of Secure Firepower Management Center. Coming from an ASA where it was the ASDM, I like the FMC where you can see everything is managed through one pane of glass. 

It's a single pane of glass, we have multiple firewalls. I can click and be on to the next firewall in a few seconds, really. 

As far as securing our infrastructure from end to end, I'm a big fan of Cisco products. I haven't used other products in the past, but I love the Cisco products. It helps a lot in the end. 

We have firewalls on the edge, internally, and then on the cloud now, so I feel we're pretty secure. 

Firewall helps with cybersecurity resilience. I really like this Cisco product. It's user-friendly. I don't like some other vendors. I've tried those in the past. Cisco is pretty easy. A caveman could do it.  

I've used Check Point and Palo Alto, and I like Cisco better. It's what I'm comfortable with. Hopefully, I'll use it until I retire. 

It runs forever. I haven't had any problems with any Secure Firewall. It just runs. You don't have to worry about it crashing. All Cisco products run forever. They run themselves. You need to update them. 

I'm a team of two. Either I'm looking at it, the other guy's looking at it, or no one's looking at it. It's part of my daily routine as I get in there and I make sure that I have the status quo before I move on to other projects or other tickets for the day. It's a daily process. They log the information right in.

I'll find out about scalability in a few weeks. I need to change out some firewalls that are a lower model to a higher model because of the VPN limitations. I'm going to have to do some more work and see how long it takes. 

They're awesome. I talked to the guys here, I had a couple of problems that keep me up at night. I was able to come here and they're going to help me out with some different ideas. Anybody I talk to has a solution, and the problem is fixed. So it's nice. I've never had any problem with TAC. They're awesome.

I wouldn't give them a ten. Nobody is perfect. I'll give them a nine because they help me with any issues I've had. I could put a ticket in a day, and then it gets taken care of in a speedy, efficient manner, and then I'm able to move on to other things that I need to worry about.

Positive

Palo Alto seems clumsy to me. I don't like it. It shouldn't be a guessing game to know where stuff is. Cisco is laid out in front of you with your devices, your policies, and logging. You point and click and you are where you need to be. 

I haven't used Check Point in a while. It's been some time but it's an okay product.

For deployment, we have different locations on the east coast, on-prem, and in the data centers. We introduced a couple of firewalls, AWS, and Azure and we're implementing those in the cloud.  

On-prem is pretty easy to implement. I could lab up an FTD on my own time. It's super easy to download and install. You get 90 days to mess around in a lab environment. I'm new to the cloud stuff. I've built firewalls there, but there were other limitations. I didn't quite understand that I have to get some practice and learn about the load balancers.  

We're a Cisco partner, so we get 80% off. That's a big discount and companies are always looking at ways to save money these days.

I don't really look at Talos. It's in the background. I don't really look at it. It's there and it works. 

Nothing is perfect so I would rate Cisco Secure Firewall a 9.2 out of ten. I love the product. It's part of my daily routine. I'll hopefully use it until I retire. 

We are a Cisco partner and we are currently using Cisco Firepower for our internet edge, intrusion prevention systems, and filtering.

We use virtual appliances in the cloud and hardware appliances on-premises.

Cisco Secure Firewall has improved usability in our environment.

The application visibility and control are great. Cisco Secure Firewall provides us with visibility into the users and the applications that are being used.

We are capable of securing our infrastructure from end to end, enabling us to detect and address threats. We have excellent visibility into the traffic flows, including those within the DMZs.

Cisco Secure Firewall has helped save our IT staff a couple of hours per month of their time because it is much easier to use the GUI instead of attempting to manage things through the CLI, which we have to access from the CRM.

We have several clients who had larger security stacks that they were able to consolidate because they were using separate products for IPS or URL filtering. With Firepower, we were able to consolidate all of those into a single solution.

The ability of Cisco Secure Firewalls to consolidate tools or applications has had a significant impact on our security infrastructure by enabling us to eliminate all the additional tools and utilize a single product.

Cisco Talos helps us keep on top of our security operations.

Cisco Secure Firewall has helped our organization enhance its cybersecurity resilience. We can generate periodic reports that are shared with the security teams to keep them informed.

The ASA has seen significant improvement due to the IPS. 

The ability to troubleshoot more easily through the gate is valuable.

The integration with all the necessary products needs improvement. Managing various product integrations, such as Umbrella, is challenging.

I have been using Cisco Secure Firewall for four years. My organization has been using Cisco Secure Firewall for a much longer period of time. 

We experienced stability issues when transitioning to version 7.2, particularly related to operating Snort from Snort Two to Snort Three. In some cases, the firewalls necessitated a reboot, but we ultimately reverted back to using Snort Two.

The technical support is responsive. In most cases where I've opened a ticket, they have promptly worked on figuring out the actual problem and assisting me in resolving it.

Positive

We have had clients who switched to Cisco Secure Firewall from Check Point, Palo Alto, and WatchGuard due to the features and support that Cisco offers.

The initial setup is straightforward. Since we were transitioning from ASA to Firepower, a significant portion of our work involved transferring the access control lists to the power values in the GUI. After that, we began adding additional features, such as IPS.

The pricing and licensing structure of the firewall is fair and reasonable.

The closest competitor that matches Cisco Firepower is Palo Alto, and the feature sets are quite comparable for both of them. One issue I have noticed with Cisco's product is the SSL decryption when used by clients connecting from inside to outside the Internet. 

Cisco lacks the ability to check CRLs or OCSP certificate status unless we manually upload them, which is impractical for a large number of items like emails. On the other hand, Palo Alto lacks the ability to inspect the traffic within the firewall tunnel, which is a useful feature to have. 

I rate Cisco Secure Firewall eight out of ten.

I recommend taking advantage of the trial by downloading virtual next-gen firewalls provided by OBA, deploying them in a virtual environment, and testing their performance to evaluate their effectiveness. This is a crucial step.