Cisco Secure Firewall Reviews

We use them to block or allow traffic out to the internet and to control a handful of DMZs. Overall, they're for access control. We do IPS and IDS as well.

We have the FMC (FirePOWER Management Center) which manages the 4110s and we have 5516s and the ASA5545-Xs. It's an ASA running the Next Generation Firewall code. We're using all of the FMC with 6.4.04, so they're all running the Next Generation Firewall code. We deploy the software on-prem.

The information coming from Talos does a good job. It marks that information and bumps it up to us. We have rules where we are getting alerts and it does a good job as far as giving us alerts goes. Talos is pretty well-respected. I like the fact that Cisco is working with them and getting the information from them and updating the firewall. We get the vulnerability database stuff updated, and the location stuff gets sent out. I like all that.

In terms of how the ASAs have affected our security posture as an organization, it's done well. We're growing with ASA, with the FirePOWER. When we first started there were a lot of bugs and a lot of issues. But now they're coming forward and acting on requests, things that we want.

The majority of what I use is the policy ruleset. We have another company that deals with the IPS and the IDS. That's helpful, but I can't necessarily speak to that because that's not the majority of what I do. The majority of what I do is create rules and work with the customers to make sure that things are getting in and out of the environment.

I work with our e-commerce team to make sure that new servers that are spun up have the appropriate access to other DMZ servers. I also make sure that they have access to the internet. I make sure they have a NAT so that something can come into them if need be.

We use Umbrella, Cisco's DNS, which used to be OpenDNS. We use that to help with security so that we're not going to sites that are known to be bad. They work well together. They're two different things. One is monitoring DS and doing web URLs, while the firewall I'm doing is traffic in and out, based on source destination and ports protocols.

One of the things I like is that the upgrades are relatively seamless, as far as packet loss is concerned. If you have a firewall pair, upgrading is relatively painless, which is really nice. That's one of the key features. We do them off-hours, but we could almost do them during the day. We only lose a few packets when we do an upgrade. That's a bonus and if they keep that up that would be great. Check Point does a reasonably good job at it as well, but some of the other ones I've dealt with don't. I've heard from people with other firewalls and they don't have as good an experience as we do. I've heard other people complain about doing upgrades.

One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has ways to go, as far as being able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things that not only we at Orvis, but other people, are requesting and saying should be done and are needed.

In addition, if pushing policy could take a little less time — it takes about five minutes — that would be good. That's something they're working on. 

Finally, our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.

We've been using them for about two years. We used to have Check Point and we moved to the ASAs. We didn't really do a whole lot with them, just got them running in the first year. So in the last year-and-a-half to two years we've just been getting our feet wet with them.

The code has been reasonably good. It's getting better. The stability depends on the code and this last version of code we went through did give us a number of issues. It all depends on what the stability is in the code.

The devices we have can scale pretty well. We have 600 to 700 people and we have an e-commerce site. It's deployed across the entire organization, although we have multiple firewalls.

We have plans to increase usage. We're going to do more DMZ to protect ourselves. So we'll be having more interfaces off the firewalls and we'll be protecting more VLANs. That's probably as big as we are going to get. I don't see us doing too much more than that.

Tech support is good. We have an exceptional sales rep or project manager. Jenny Phelps is the person we work with and if we have any questions or anything that needs to be escalated, we send it to her and it's usually done very quickly. That relationship is a huge value. Jenny is worth her weight in gold.

I wasn't around for the initial setup, I was just starting. We were moving from Check Point to the ASA. It took about six months for them to engineer it and put it in place.

The implementation strategy was to try to determine all the rules in the Check Point and duplicate all those rules in the FirePOWER. We had to roll back twice before it finally took. That wasn't anything to do with the FirePOWER or the ASA. It had more had to do with the person who had to put the rules in and understanding what was actually needed and how they should be put in.

We did it through a consultant, Presidio. They had two people on it. Other than that, they were pretty good.

Just in terms of cost, the Check Point number was ten times as expensive as the Cisco number, so there was "instant" ROI in that sense. But we needed to replace our firewalls. Check Point had been in for five or six years. They did a bake-off to see which one was the best one to go to.

We used Check Point and the two are comparable. Cost was really what put us onto the ASAs. They both do what it is we need them to do. At Orvis, what we need to do is very basic. But the price tag for Check Point was exorbitantly more than what it is for the ASA solution.

We pay Cisco for maintenance on a yearly basis. There are no additional fees that I'm aware of.

My understanding is that Check Point and Fortinet that were evaluated, at the end.

I wasn't around when we did the actual bake-off. I came in when a solution was picked. I was told why the solution was picked and I was there when they did the final install. It was managed for a little while by Presidio and then it was given to us.

The biggest lesson I've learned from using the ASAs is the fact that they can do a lot. It's just figuring out how to do it. We don't do a lot, although once in a while we will do something a little interesting. These things can do more than what we're using them for. It's just a matter of our trying to figure it out or getting with our Cisco rep to figure it out.

My advice would be to have a good handle on your rules and, if you can, take the upgrades easily.

We have desktop security, application security, and then we have Umbrella. We use five or six different tools for security, at least. It would be nicer to have fewer but as far as I know there isn't one tool that does it all.

We do application firewall rules where it does deep packet inspection and looks at certain things. We don't use it as much as we should, but we do application inspection and have rules that are based on just an application.

We usually have two people on a call when we do maintenance, and we usually have Cisco involved. It's usually me and a colleague who is also a network/security engineer.

I would rate the ASA overall at eight out of ten. The thing that comes to mind with that rating is the code. As I said, we just upgraded to 6.4.04 and we ran into a handful of bugs. We've done upgrades before and we've run into a bug as well. Just last week, we finished upgrading, and I still have one final service request, a TAC case, open. I had four open at one point. That's at the forefront of my thoughts right now.

We have an offshore development center with around 1,400 users (in one location) where we have deployed this firewall.

The maturity of our organization’s security implementation is a four out of five (with five being high). We do have NOC and SOC environments along with in-built access to our systems. 

We use Acunetix as one of our major tools. We do have some open source. There are a couple of networks where we are using the Tenable tool. We have implemented an SIEM along with a Kaspersky at the cloud level. In the Cisco firewall, we installed Kaspersky in the firewall logs which upload to Kaspersky for us to review back.

Being able to determine our active users vs inactive users has led us to increased productivity through visibility. Also, if an issue was happening with our throughput, then we wouldn't know without research. Now, notifications are more proactively happening.

The advance malware protection (AMP) is valuable because we didn't previously have this when we had an enterprise gateway. Depending on the end user, they could have EDR or antivirus. Now, we have enabled Cisco AMP, which give us more protection at the gateway level. 

The application visibility is also valuable. Previously, with each application, we would prepare and develop a report based on our knowledge. E.g., there are a couple business units using the SAS application, but we lacked visibility into the application layer and usage. We use to have to configure the IP or URL to give us information about usage. Now, we have visibility into concurrent SAS/Oracle sessions. This solution gives us more visibility into the inbound/outbound traffic being managed. This application visibility is something new for us and very effective because we are using Office 365 predominantly as our productivity tool. Therefore, when users are accessing any of the Office 365 apps, this is directly identified and we can see the usage pattern. It gives us more visibility into our operations, as I can see information in real-time on the dashboards.

The solution has positively affected our organization’s security posture. I would rate the effects as an eight (out of 10). There is still concern about the engagement between Cisco Firepower and Cisco ASA, which we have in other offices. We are missing the visibility between these two products.

We would like more application visibility and an anti-malware protection system, because we don't have this at the enterprise level.

The central management tool is not comfortable to use. You need to have a specific skill set. This is an important improvement for management because I would like to log into Firepower, see the dashboard, and generate a real-time report, then I question my team.

Nearly a year.

So far, it has been stable.

We have around 32 people for maintenance. Our NOC team works 24/7. They are the team who manages the solution.

Scalability is one of our major business requirements. We are seeing 20 percent growth year-over-year. The plan is to keep this product for another four years.

We contacted Cisco directly when issues happened during the implementation, e.g., the management console was hacked.

We used Fortinet and that product was coming to end of life. We had been using it continuously for seven years, then we started to experience maintenance issues.

Also, we previously struggled to determine who were all our active users, especially since many were VPN users. We would have to manually determine who was an inactive user, where now the process is more automated. It also had difficult handling our load.

The initial setup was complex. We engaged NTT Dimension Data as there were a couple things that needed to be done for our requirements and validation. This took time to get signed off on by quality team. However, the configuration/implementation of the system did not take much time. It was a vanilla implementation.

We did face performance issues with the console during implementation. The console was hacked and we needed to reinstall the console in the virtual environment. 

We were engaged with a local vendor, NTT Dimension Data, who is a Cisco partner. They were more involved on the implementation and migration of the firewall. Some channels were reconfigured, along with some URL filtering and other policies that we used for configuration or migration to the new server.

Our experience with NTT Dimension Data has been good. We have been using them these past four to five years.

We have seen ROI. Our productivity has increased.

The change to Cisco Firepower has reduced the time it takes for our network guy to generate our monthly report. It use to take him many hours where he can now have it done in an hour.

Cisco pricing is premium. However, they gave us a 50 to 60 percent discount.

There are additional implementation and validation costs.

We also evaluated Check Point, Palo Alto, Sophos, and Cisco ASA. In the beginning, we thought about going for Cisco ASA but were told that Firepower was the newest solution. We met with Cisco and they told us that they were giving more attention going forward to Firepower than the ASA product.

We did a small POC running in parallel with Fortinet. We evaluated reports, capability, and the people involved. Palo Alto was one of the closest competitors because they have threat intelligence report in their dashboard. However, we decided not to go with Palo Alto because of the price and support.

We are using Cisco at a global level. We have internally integrated this solution with Cisco Unified Communications Manager in a master and slave type of environment that we built. It uses a country code for each extension. Also, there is Jabber, which our laptop users utilize when connecting from home. They call through Jabber to connect with customers. Another tool that we use is Cisco Meraki. This is our all time favorite product for the office WiFi environment. However, we are not currently integrating our entire stack because then we would have to change everything. We may integrate the Cisco stack in the future. It should not be difficult to integrate since everything is a Cisco product. The only issue may be compliance since we have offices in the US and Europe.

We are now using a NGFW which helps us deep dive versus using a normal firewall.

Overall, I would rate Cisco Firepower as an eight (out of 10).

On-premises

We use Cisco Secure Firewalls to secure our business.

Cisco Secure Firewall is a Layer 7 next-generation firewall, providing us with a significant amount of visibility into our traffic patterns and the traffic passing through the firewall. It informs us about the zones that facilitate a smooth data flow, where the data is being directed, and covers ingress and egress all the way up to layer seven. Therefore, I believe the visibility it offers is excellent.

Cisco Secure Firewall is effective in securing our infrastructure from end to end, enabling us to detect and remediate threats. However, the way we currently utilize it may not be the most optimal approach to fully leverage its end-to-end capabilities. Nonetheless, considering its purpose within our usage, it effectively fulfills its intended role.

The ability of Cisco Secure Firewall to enhance our organization's cybersecurity posture and resilience is commendable. Cisco Secure Firewall serves as our primary line of defense, deployed at the Internet edge of every site across the globe.

The most valuable feature is zone segmentation, which we utilize through the Firepower management console. This allows for centralized management, which proves highly useful. In the past, when using Cisco Firewalls, we had to manage them independently. However, now we have a single unified interface to manage all our Cisco Firewalls worldwide.

The Cisco Firewall UI could be improved. While having a centralized management console is a significant improvement, I believe there are several enhancements that could be made to the UI to enhance its user-friendliness and improve the overall flow. This is particularly important during troubleshooting, as we want to avoid wasting time navigating through different sections and excessive clicking. It would be beneficial to have everything readily accessible and a smoother flow to quickly reach the desired locations.

I believe Cisco needs to make the appliance more automated in order to provide us with additional time. This would eliminate the need for us to manually go through the firewall, search, find, and troubleshoot everything. It would be beneficial if the appliance had some form of AI integrated to generate such information, enabling us to quickly identify the problem. If necessary, we could then delve deeper into the issue.

I have been using Cisco Secure Firewall for 19 years.

Cisco Secure Firewall is stable.

The scalability of Cisco Secure Firewall depends on the different models available, as each model may have a fixed scalability level. Therefore, the scalability we obtain will vary depending on the specific model we utilize.

The quality of technical support varies. We occasionally receive excellent technicians, while other times we do not. Consequently, I believe it is preferable to rely more on the competent ones rather than the subpar ones.

Neutral

We had previously used Check Point but decided to switch to Cisco Secure Firewall. The reason for this switch was the lower cost and our company's desire to remove Check Point from our environment. It was an excellent deal, and the technology was on par. We did not lose any functionality or experience any drawbacks by choosing Cisco over Check Point. In fact, I believe we gained additional features, and Cisco is more widely adopted and supported compared to Check Point. Therefore, I am confident that we made the right decision.

The initial setup was complex. Firstly, we were migrating from a completely different platform and vendor to Cisco. Therefore, the ruleset migration was not only complex but also tedious because there was no suitable migration tool available for transitioning from Check Point to Cisco Firepower. The second part involved a complete change in our design, as we opted for a more zone-based approach where our checkpoints are more streamlined. This complexity was a result of our own decision-making.

We utilized our partner, ConvergeOne, for the integration, and they were exceptional. They demonstrated sharp skills, and together we successfully completed the job. The entire process took us a year during which we managed to cover every site within our company.

We have witnessed a return on investment through the capabilities of Cisco Secure Firewall itself, along with its numerous threat defense technologies. As a result, we do not need to purchase additional tools to enhance the firewall; everything is already integrated. Therefore, I believe this was a significant victory for us.

The pricing structure for Cisco Secure Firewall can be challenging to manage. It involves separate line items that need to be carefully tracked, such as SmartNet, FCD licenses, and other license features. This complexity adds to the difficulty of dealing with the pricing.

I rate Cisco Secure Firewall an eight out of ten.

Cisco Secure Firewall has not helped consolidate any of our applications or tools.

We use Cisco Talos to pull the signatures for everything we download. However, we don't rely on Cisco Talos for our day-to-day operations. 

Cisco Secure Firewall is a commendable product and holds a leadership position in the industry. While there are other competitors available, it is certainly worth considering, particularly for organizations that already utilize Cisco switching, routing, and related infrastructure. Cisco Secure Firewall can seamlessly integrate into the existing ecosystem, making it an appealing option to explore.

Having in-house expertise in Cisco and its products is indeed valuable when making a decision to go with Cisco Secure Firewall. The fact that our team already had a lot of expertise and experience with Cisco products played a significant role in the decision-making process.

On-premises

Our primary use case for Cisco Secure is through Cisco FMC, which we have automated using Cisco's Terraform provider for FMC. Our automation journey began with the Cisco ACI fabric, where we leveraged the Terraform provider for ACI. Eventually, we realized we could also automate firewalls and our HA clusters using the Terraform provider for FMC. This allowed us to create DMZ networks, specify IPS and IDS rules, and follow the infrastructure as a code concept. Our cross-common security team can review the repository in GitLab and approve it with a simple click of a button. This is the primary benefit we get from automation. Additionally, we can use the infrastructure as a code concept with the management center. Cisco FMC also has a great API, which makes it easy to integrate with our code, ACI, and other systems.

Cisco Security and Cisco Firewalls have been effective in protecting our organization from external threats, such as DDoS attacks.

We have several integrations. One of them is between Cisco ISE and FMC, which allows us to monitor and control our users. Additionally, we integrated Cisco ISE with FTDs to function as a remote VPN server and control the traffic and behavior in our VPN network. We also use ISE as a TACAC server and integrated it with Cisco ACI and all of our devices. Furthermore, we use NetBox as a source of truth for our ISE, which helps us track all of our devices from the network and ISE.

The primary benefits of using Cisco Secure solutions are time-saving, a robust API, and convenience for the security team. 

Cisco Secure Firewall could benefit from enhancements in its API, documentation, and automation tools. Additionally, we've noticed that the Terraform provider for FMC has only two stars, few contributors, and hasn't been updated in a year. It only has 15 to 20 resources, which limits our capabilities. We'd love to update it and add more resources. For example, we currently can't create sub-interfaces with the provider, so we have to add Python code to our Terraform provider and use local provisioners. Additionally, improvement in the API would be helpful so that we can create ACL on the GUI with a simple click, but at this time we cannot create requests via the API.

I have used Cisco Secure Firewall within the last 12 months.

Cisco TAC support is excellent. Having worked with other support companies in the past. Cisco TAC is much more helpful and friendly. They always seem eager to assist with any issues and are particularly responsive in urgent situations. For example, if there is a problem in my production zone, they are quick to reassure and assist. Overall, I have a great appreciation for their support.

I rate the support from Cisco Secure a ten out of ten.

Positive

In our business, we have implemented a number of Cisco Secure products in our network infrastructure, including Cisco ISE as a AAA server, Cisco FMC Management Center for our firewalls, and Cisco FTD for Firepower Threat Defenses. We also use a TACACS+ server for our hardware. Cisco products make up the entirety of our infrastructure, including Cisco Nexus Switches, Cisco ACI fabric for our data centers, Cisco ASR Routers, and Cisco Wireless Solutions, which include WLC controllers, access points, and other relevant hardware. In our organization, Cisco is strongly preferred.

There has been a positive return on investment observed with the implementation of Cisco Secure solutions. The use of these solutions as our primary security products has been beneficial in terms of cost and security measures.

In the past, I encountered several difficulties and misunderstandings with Cisco licensing, but now the situation has improved. The Cisco Smart Software portal is an excellent resource for keeping track of, upgrading, and researching information related to Smart Licensing and other relevant topics. It is extremely helpful. Unfortunately, since it is not my money and there is only one vendor, I am unable to provide any comments on the prices. Nevertheless, the system, along with its provision through the Cisco Smart Software portal, as well as the traditional license and subscription models, are excellent and highly beneficial.

I rate Cisco Secure a seven out of ten.

My rating of seven out of ten for the Cisco Secure is because it's not excellent, but not poor either. It was enjoyable and overall satisfactory.

We're a partner so we work with all sorts of different end-users to deploy them for their use cases, including a lot of internet edge, some data center segmentation, east-west firewalls, and not so much in the cloud, but mostly on-prem today.

We use them for securing the internet perimeter and preventing malware from coming into the environment, as well as providing content filtering for CIPA compliance or other sorts of compliance out there. That's a big use case with our customers. 

The integration with the other Cisco products is something that a lot of our customers are looking forward to, with SecureX and ISE and Secure Endpoint. Things like that are a lot of the use cases that customers bring to us to help them solve. It integrates really well.

It's allowed them (our clients) to feel or know that their network is secure, and to put those guidelines in place, or those controls in place, to prevent their users from going out and unintentionally doing something dumb by clicking on the wrong link. It's able to prevent malware. And the Umbrella integration prevents them from getting to those websites if they do happen to be too busy and click on a phishing link or something like that.

As far as metrics or examples, I don't have any that I can specifically say off the top of my head. I will say I definitely have lots of happy customers that are running it and they feel it's a stable solution and one that they can rely on.

I'm a big fan of SecureX, Cisco's platform for tying together all the different security tools. It has a lot of flexibility and even a lot of third-party or non-Cisco integration. I feel like that's a really valuable tool.

From the Firepower solution, all the features that you would think of when you're thinking about a Firewall [are valuable], including some that I stated: content filtering, the IPS, IDS, and malware prevention. All of those are big use cases and great features that work well.

I've been using Cisco Firewalls and Cisco Firepower for at least 10 years.

It's stable. I have multiple clients that run it. There are always going to be some bugs and issues that we run into, but that's where their TAC definitely jumps in and helps and recommends code versions and things like that. Overall, the stability is pretty good.

In terms of scalability, they've got all different sizes of firewalls for different scales. Being able to understand how to size the firewalls appropriately is definitely key in that. That's where a partner can help, or even the customer Cisco account team can help with the scalability. They have the big multi-instance 9300 chassis down to the small 1000 series. There's a lot of scalability within the portfolio.

Cisco has a huge TAC organization. Experiences can differ. Sometimes it's really good, sometimes you get a newer TAC engineer who needs to start at step one to investigate the issue. But they're always there. They always pick up the phone and there's always a person, a TAC engineer to escalate to, who can provide really good support. You know that they've got someone in there. It's a matter of getting to the right individual.

They could improve by having more skilled, high-level engineers that are available around the clock. I know that's an easy thing to say and a hard thing to do. 

We have engineers that do the deployments. They're very skilled and have done many Firepower deployments. The methodology that Cisco has, the documentation they have out there on how to install it and how to configure it, are top-notch. That really helps us install it for a customer and get the customer up to speed on how well it works. A firewall is never a super simple thing to install and configure, but Cisco does a really good job with some of their automation tools and the documentation.

Usually, we assign a single engineer to a firewall deployment project and he's able to complete that. The amount of time it takes to deploy will vary. A small branch, may be several hours' worth of work to deploy a firewall. A large corporate site, obviously, that's going to be much more time-consuming, with lots of policies to configure and talk through with the customers and things like that. It varies depending on the size and application.

In terms of return on investment, I have multiple clients that have been through multiple generations of ASA to Firepower to the next generation of Firepower. They definitely find the return on investment there. They find it's a valuable product to have in their network. It definitely checks that ROI box for them.

Cisco is known as a premier product and it comes with a premier price point sometimes. Sometimes that makes it challenging for some customers to bite off. They see the value when we get into a proof-of-value scenario. Price points can tend to be high, but the new line of the 3000 series Firepowers definitely solves that issue and it's very attractive.

In terms of improving it, they're doing a really good job in a competitive landscape against some of the other vendors out there. The new Firepower 3000 series was a great addition to the portfolio and really stacks up, price-wise, well against some of the other vendors out there. A year ago, that was one thing that I would've commented on, but they've done a pretty good job of filling that niche.

There are some other good solutions out there. There are a lot of other successful firewall vendors. But when I compare a Palo Alto, or a Fortinet, or SonicWall, or something like that against Cisco, it's a tough comparison. Cisco has the ecosystem of security products that all tie in together, integrate really well together. There are lots of good dashboards and observability built into the product. That's where they've got a leg up on their competition. 

My advice for others looking to use the solution is to get [together] with a good partner, someone who's got engineers and architects that know the product well, and get their thoughts on it. We can always help compare and contrast against other options out there in the market. My job is knowing the market landscape and being able to help differentiate.

And always take advantage of a proof of value. It's always best to get that box into your network, see how it works with your particular traffic mix and your set of policies. I would always put a PoC/PoV as a checkbox in a buying decision.

I would rate the product somewhere between a seven or eight out of 10. Sometimes there are stability issues, as I referenced before, or just the general TAC support, while good, could be better. There's always room for improvement there. But I feel like it's a really good product that Cisco has definitely improved as time has gone on.

A lot of them are used for campuses. Basically, it is HA pairs so it is just used to firewall off different networks from the internal network, i.e., security. 

We also use them for DMZs, where there are untrusted networks coming into trusted networks, managing traffic between the two zones.

Currently, we have almost 100 firewalls spread out all across our county. Our ASAs could be anywhere in any building, wherever there is a purpose. So, if we need to firewall off a network that we don't want touching our internal network, where we want it controlled, then it would be there. All our campuses have some form of that.

It is easier to protect our internal network and identify unknown networks. We can put descriptions on what they are, thus we are able to see different traffic coming from different networks. So, there is better visibility.

The user interface is very easy to manage and find rules. You can do object searches, which are very easy. Also, the logging is very simple to use. So, it is a lot easier to troubleshoot and find items inside the firewall.

The one thing that the ASAs don't have is a central management point. We have a lot of our environments on FTD right now. So, we are using a Firewall Management Center (FMC) to manage all those. The ASAs don't really have that, but they are easy to use if you physically go into them and manage them. 

I would like ASAs to be easier to centrally manage. Currently, in our central management, we have almost 100 firewalls in our environment, and it is almost impossible to manage them all. ASAs are now about 20% of them. We have been slowly migrating them out, but we still have some. Normally, what we would do with ASAs is physically go into those devices and do what we need from there, whether it is find rules, troubleshoot, or upgrade.

We have had ASAs in our environment for 10 years.

The ASAs are solid. They have been around a long time, so there is a lot of documentation out there. They are easy to manage and make it easy to look at logs.

They have been in the environment for 10 years. They are still running and doing their job. 

The only time that we really touch them is if we need to do a rule or code upgrade. We check vulnerabilities a lot to make sure that nothing major has come out. If something has, then we go ahead and patch the firewalls. This is done by network groups, e.g., network engineers or analysts. We usually look at security. We are alerted to any new security advisories that come out from Cisco. For anything that is critical or high, we definitely will address it if we need to. Sometimes, we go three months or months without an upgrade. Other times, we could upgrade in a month. It just depends on what comes out.

We use them for smaller campuses. Though, if we need to upgrade a model, then we go ahead and do that. For example, with our bigger campuses, we need to have a bigger model. They have specs out there that you can kind of line up with what you need.

Cisco tech support is spotty. Sometimes, we get good support. Other times, it is not so good. It is very up and down.

It seems like they have been short staffed recently. We have been waiting a long time for some of our tickets now, though they aren't critical tickets. However, that is one of the big issues which Cisco has going on right now - their staff shortage. We can open a ticket and keep following up, following up, and following up, but it might take weeks to resolve an issue. These aren't critical issues. For critical issues, we escalate and they are able to help us right away.

They handle it appropriately. Though, it depends on the time and on what they need. Sometimes, in one session, issues are resolved. Other times, you need to do multiple sessions for them to resolve it. However, for anything critical, those are resolved pretty fast.

I would rate the technical support as seven out of 10.

Neutral

Before I started, they also had Juniper SRXs. The big issue with them was the logging. It wasn't as good. We switched to ASAs for better stability, better management, and easier logging.

The initial setup was pretty straightforward. It was very simple to deploy and replace. We did a lot of replacing, which was just copying the rules over from the old one, then deploying it in kind of the same manner.

The pricing was pretty comparable to other solutions when we purchased it.

We looked at what we had and saw that Cisco was much better.

I would rate them as nine out of 10.

On-premises

We use them for some of our border firewalls in our data centers and also as our VPN concentrator. 

It's the VPN side of things that has been most useful for us. It allows us to secure our users even when they're working from home. They are able to access all of our resources, no matter where they are in the world.

I don't have any specific improvements to recommend. However, when you compare the throughput of a Cisco firewall to the competitors, especially Fortinet, what you find is that Cisco has lagged a little bit behind in terms of firewall throughput, especially for the price that you pay for that throughput.

We've been using Cisco firewalls for probably 10 years.

We have 105,000 users, and they all have access to use a VPN to connect back into our network. We found that it works very well for us, and it's very scalable to the number of users that we have. That's why we continue using it.

It's very good. Cisco has excellent support. It's better than most of our vendors. I'd rate their support a ten out of ten. 

Positive

I don't believe so. We've used Cisco, at least for this specific use case, for a long time.

The enterprise agreement that we have has helped with the pricing because it allows us to consume licensing in more of a consumption model versus a per-user type model. That has helped us a lot.

I don't know. I wasn't with the organization then.

We don't use Cisco Secure for securing our infrastructure from end to end to be able to detect and mediate threats. We have other products that serve as our endpoint detection and especially for the end-to-end side of things. That's not really our strongest use case for it. Cisco Secure hasn't helped save our organization any time or operations expenditure because we have other products that we use for that.

Overall, I'd rate Cisco Secure Firewall a ten out of ten.

We are currently using the Cisco Firepower 2140 model because it fits our sizing and performance needs.

We use Cisco Secure Firewall as the internal firewall to protect our retail PCI networks from the rest of the corporate business.

We are a global company, and we have multiple data centers. There are two in Europe, and we deployed Cisco Firepower in all of our worldwide data centers. In each region in the world, we have two data centers with Cisco Firepower to separate retail from corporate and Firepower for IPS services. This solution protects around 1,500 stores, and our corporate office has around 10,000 people.

I like the basic firewall features. We use Cisco Firepower to separate PCI from corporate, so we're not using it at the edge. If we were to use Firepower at the edge, then we would enable other features like IDS and SSL inspection. However, since we only use it as an internal firewall, plain level-four firewalling is enough for us.

Cisco Firepower is useful for securing our infrastructure from end to end so that we can detect and remediate any threats. I like the Cisco products because they are very stable and what you see is what you get. There are no vague or gray areas. We log all of our logs to Splunk, for example, and everything we see in Splunk is very useful. Finding errors or finding reasons why something is or is not working is very easy.

This solution helped to free up our IT staff's time so that they can focus on other projects. The management platform makes deployment and management, that is, day-to-day changes, very easy.

Cisco Firepower saved our organization's time because it has role-based access. We can give some engineers the ability to do day-to-day tasks and give more experienced engineers more in-depth tasks.

We have been able to consolidate our tools and applications. The FTD tool also manages our Firepower IDS nodes. As a result, we have a consolidated single pane of glass for all of our Cisco Firepower security tools.

We use the FTD management platform for the boxes. The GUI that manages multiple Firepower boxes could be improved so that the user experience is better.

We have been using Cisco Firewall for the last 15 years. We started off using Cisco ASA and have now migrated to Cisco Firepower.

The stability is very good; there's no vagueness. Either it works or it doesn't, and it's also very easy to find out why.

There haven't been any performance issues. We run HA clusters and don't do multiple clusters for scaling. We scale the boxes to our performance needs. We have nine staff members who work with this solution.

Cisco's technical support staff have always been helpful and have been able to solve our issues. I would rate them a nine out of ten.

Positive

We used Cisco ASAs, and they were all individually managed. We went from individually managed IDS and Firepower IDS solutions to this consolidated single management platform.

We chose Cisco Firewall over competing solutions because what you see is what you get. We liked that the changes are immediate. The way the logs come into our Splunk system gives us a good feeling about the stability and performance of Cisco products.

We have seen an ROI. Compared to that of other vendors, Cisco's pricing is in a good range. We use Cisco products for their complete lifespan. With the support context that we have, we also know what we spend over the lifetime of the solution.

The pricing of Cisco's boxes is pretty good.

My advice would be to talk to people who work with different vendors and get some hands-on experience. Don't just listen to or look at sales documents. See whether the performance actually matches that mentioned in the sales documents. Check with other competitors for hands-on experience as well.

I would give Cisco Secure Firewall an overall rating of eight out of ten because I'm not 100% happy with the management dashboard.