Try our new research platform with insights from 80,000+ expert users
it_user243879 - PeerSpot reviewer
Network Security Engineer at a tech services company with 1,001-5,000 employees
Consultant
There are some stability issues due to software bugs, but in the long run the devices are very stable.

What is most valuable?

VPN - Both site to site (IPsec) and remote access (IPsec and SSL).

How has it helped my organization?

Through the use of VPNs, we were able to connect our branches together through the internet without the any additional cost.

What needs improvement?

  • Throughput
  • Price

For how long have I used the solution?

Since 2008, so seven years, and I have been a heavy/daily user, and all of my jobs were related to network security.

Buyer's Guide
Cisco Secure Firewall
November 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,562 professionals have used our research since 2012.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

Sometimes, due to software bugs, but in the long run the ASA is a very stable product when compared to other vendors firewall solutions.

What do I think about the scalability of the solution?

One of the major disadvantages with the ASAs is the throughput, while the network evolves, the ASA was usually causing the bottle neck.

How are customer service and support?

Customer Service:

It's very good when compared to other vendors.

Technical Support:

It's very good when compared to other vendors.

Which solution did I use previously and why did I switch?

Mainly switching from the old Cisco PIX to a new Cisco ASA. The reason for switching is to get a higher throughput, and due to the fact the that the Cisco PIX went EoL.

How was the initial setup?

It requires training, but after that it is straight forward.

What about the implementation team?

I work for a vendor, and we implement the solution for multiple customers.

Which other solutions did I evaluate?

Yes, and we chose Cisco ASA mainly due to the fact that they have a very good, reliable and very responsive technical customer support.

What other advice do I have?

I have worked on the best firewalls in the market, and Cisco ASA is one of the best.

The below screenshots are taken from a demo of ASDM.

Disclosure: My company has a business relationship with this vendor other than being a customer: Golden Cisco Partner
PeerSpot user
PeerSpot user
Federal Civ/Intel Engineering Lead at a tech vendor with 1,001-5,000 employees
Real User
Shortcomings of Cisco ASA 5500-X with FirePOWER Services

I started to title this a "Review" of the Cisco ASA with FirePOWER, but my objective is to highlight a few limitations of the integrated solution so that potential customers understand the product. It may turn out to be a review after all, but that's the focus.

Let's set some product context. Cisco completed its acquisition of Sourcefire on October 7, 2013, and its initial integration into the Cisco Security family on November 10, 2014. That makes this union very fresh--think of Cisco FirePOWER as newlyweds. They're starting to share the same roof, but carry a lot of individuality and his/her domain around with them.

Next, let's zoom in on the word, "Services", or as you may see elsewhere, "Module". Sourcefire makes a number of standalone, independent intrusion prevention system and application firewall appliances (i.e. 7000 series, 8000 series). When Cisco and Sourcefire united, they introduced the ability to put a dependent Sourcefire module into the Cisco ASA 5500-x next-generation firewall family. One Cisco partner described it as functioning like a virtual machine within the ASA (of sorts). Summation: it needs the host (ASA) to survive.

This "Module" should actually be packaged and marketed as a "Starter Kit" or an entry-level, feature-limited offering (with no building-block upgrade path; it's a hardware ceiling). And perhaps it is by some Cisco VARs, but it's new, so I think many are still coming up to speed with what it brings to the table.

o justify my above assertion, I'll highlight four characteristics that have affected or disappointed me in my deployment, and that have motivated a new set of quotes to move to the hardware/standalone solution.

1. SSL Inspection

firepower_ssl_reqOftentimes you don't know what you don't know and thus you lack the wisdom to ask about it. That was me with this feature. I didn't know that the integrated module only supported a subset of features, so I didn't know to ask about its ability to decrypt inbound SSL traffic.

We host a number of public HTTPS services, though, so one goal of implementing FirePOWER was to protect against intrusion via that conduit.

While reading the Online Help and attempting configuration, I ran across references saying that it was only supported on "Series 3" devices, yet I couldn't quite find how Cisco categorized FirePOWER services. FireSight Management Center (a.k.a. "Defense Center") also gives the illusion of hope in this matter, because it reveals all features as configurable, being that it can manage the largest of Sourcefire appliances. The rubber meets the road, though, when you try to apply a policy with SSL inspection to unsupported devices. And yep, the module is one of those.

Summary: SSL traffic remains cloaked to FirePOWER services. IPS can only treat the headers (read: source/destination IP and port).

2. User Control

This one was less important to me, but still an unfortunate discovery. FirePOWER (all devices) support "User Awareness" through LDAP integration and user agents installed on endpoints, but the ability to control traffic based on the identity of the user as another hardware-only feature. Thus, you can see who is doing what, but control must be applied through hardware or traffic identity, not user.

3. Fail-Close Design

I may butcher the explanation here, but because of the integrated nature of the FirePOWER module and services, if FirePOWER inside of an ASA firewall goes down (crashes, restarts Snort, etc), traffic through the ASA stops. This is regardless of the "sfr fail-open" command, which only practically applies to standalone appliances.

I discovered this with Cisco TAC on a Webex where they put the Sourcefire into software bypass to troubleshoot traffic flow and attempt to take it out of line. That didn't work so well. Alarms and alerts started flying as the ASA clamped down on all new sessions (existing ones seemed to hold--very thankful as I was remote). Anyways, TAC didn't know of this design either until they asked engineering about a potential bug and were told it was "by design".

Major Warning/PSA: Adding FirePOWER Services to your ASA will introduce a new network availability risk. You will be very secure, though, since traffic will stop if the IPS is down. Blessing? Curse? Depends on you.

4. Bug: Active FTP is blocked by FirePOWER Services (CSCze96017)

Cisco was still working on this one when I closed my case regarding it, and their internally-published workaround wasn't accurate at the time. The practical impact, though, is that Active FTP traffic is blocked by Sourcefire due to network address translation (NAT) confusion. The ASA handles it fine, but when the FTP server initiates the new data channel outbound to the client, Sourcefire gets confused and blocks it.

The workaround, which sounds like it may become the "solution" (not fixable), is to deny FTP traffic in your Sourcefire policy:

access-list Outside_SFR extended deny tcp any any eq ftp access-list Outside_SFR extended permit ip any any
class-map Outside-class  match access-list Outside_SFR
policy-map Outside-policy  class Outside-class  sfr fail-open

Note: the last line still contains "sfr fail-open", but it won't apply until we replace the module with the full appliance.

This bug means that Sourcefire cannot inspect or provide any services (not even against IP headers) to FTP traffic. It will not show up in FireSight (Defense Center). Only the ASA will be able to treat it based on standard ACLs, etc.

Alright, let's end on a high note. Apart from those four things, the Cisco ASA with FirePOWER Services solution works well, provides great insight, applies Advanced Malware Protection strongly, and shuts down a ton of illegitimate connections before they can attACK ;).

If you're looking to get your feet wet, and if SSL inspection isn't critical, I recommend giving FirePOWER a shot.

Originally posted at: http://www.thegurleyman.com/shortcomings-of-cisco-asa-5500-x-with-firepower-services/

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user641307 - PeerSpot reviewer
it_user641307Dy Head IT with 501-1,000 employees
Vendor

In our POC we have found that Cisco does not provide Centralized Firewall Policy Manager in cloud. We have to buy appliance only.

See all 4 comments
Buyer's Guide
Cisco Secure Firewall
November 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,562 professionals have used our research since 2012.
it_user6381 - PeerSpot reviewer
Manager of Infrastructure at a manufacturing company with 51-200 employees
Vendor
Very stable, but high learning curve.

Valuable Features:

We choose Cisco ASA 5500 Series for our branch office primarily because it is a stable firewall. Many home and even business grade firewalls will often start acting up and have to be rebooted, but the ASA is completely rock-solid. ASA Firewall Chains STP and RST Protocol allows us to build redundant uplinks to STP compatible switches. It has 256 MB RAM and 128 MB of flash which is plenty for future upgrades. I personally like to have the multitude of VPN options such as - IPsec VPN, DMVPN, L2TP, SSL, Any Connect, etc. The IPsec VPN is supported on the iPhone, so it is cool to be able to access my home network from my phone.

Room for Improvement:

Extraordinary learning curve, especially if you do not have previous skill with Cisco PIX or routers. Even using the Java-based ASDM, it can take time to find your way. In addition, ASDM is not compatible with the latest version of Java (you will get an 'unconnected sockets' error). No support for DHCP reservations. I like to configure Servers and Printers this way, and cannot find any decent reason Cisco would not support it as they do on their routers and Layer 3 switches.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Consultant at a tech services company with 51-200 employees
Reseller
A reliable but outdated firewall
Pros and Cons
  • "It is extremely stable I would say — at least after you deploy it."
  • "They need to do an overhaul of the management console."

What is our primary use case?

Most of our use cases revolve around the basic firewall features. Our client is also leveraging on Anyconnect, which is serving the client-based VPN. Sometimes they will establish a VPN connection from one firewall with another. It's the type-for-type VPN. In terms of Cisco, typically, these are just some of the legacy features, that's what we use. In terms of a next-gen firewall, I feel that our customers would prefer to use other brands like Palo Alto, Check Point, and FortiGate.

Our clients who use this solution are typically small businesses. I think there's a Gartner chart that says that Palo Alto is actually the foreleader, followed by Check Point, then FortiGate. Cisco is not anywhere near. From a cybersecurity standpoint, they are quite weak.

What needs improvement?

They need to do an overhaul of the management console because they are still using the client-based management tool, which is quite outdated in terms of functionality and usability. The interface hasn't changed since the last generation many years back.

For how long have I used the solution?

I have been using Cisco ASA Firewall for roughly four years.

What do I think about the stability of the solution?

It is extremely stable I would say — at least after you deploy it. Typically, there won't be any instability in terms of the hardware as well as the software. It can be running for many years without any issues. It's a totally different story when compared to other brands because, out-of-the-box, they offer far more features and are actually leveraged on more resources which leads to more instability.

What do I think about the scalability of the solution?

I would say in terms of scalability, they are still the greatest family of products. Scalability means you can actually add on some processing parts to actually increase the throughput when the requirement comes up. They have a range of products for that, but this solution, it's already going out of phase, because at JSC, you can only allow up to a certain amount of upgrades that can be added on.

How are customer service and technical support?

Support is not a requirement. In the whole industry, there are a lot of Cisco-trained personnel that we can actually seek advice from. There's not much leveraging on the Cisco support so far.

If our clients need support, we provide it. Support is not cheap. Sometimes a device will go out of warranty, but the customers are not willing to renew the support contract. Of course, there are a lot of cheaper alternatives. In Singapore, a lot of companies outsource support. Most of the time we go through third-party companies instead of Cisco directly.

How was the initial setup?

For a non-Cisco guy like me, there is quite a substantial amount of learning that needs to be done to actually understand how the products are. Some brands like FortiGate, require only an hour and 15 minutes to enable the product, to facilitate the basic requirements of connecting up the traffic and adding on the firewall router. For Cisco, there are levels of challenges because it's a hardened solution that sees a lot of restrictions right out of the box.

Without really understanding how it works, then there'll be a lot of confusion regarding the traffic, etc. You'll find yourself wondering if there are any security concerns if you alter it out-of-the-box. The management console is quite outdated; usually, a lot of configuration is through Commander. We really need to understand how to articulate the Cisco Commander to perform even the most basic feature.

What about the implementation team?

We handle the implementation for our customers. 

I am a sales engineer, we are mainly in charge of selling the product. In terms of support, we have a department that covers that aspect. Sometimes after implementation, we also provide maintenance support services towards the whole project and sell it as a whole bundle. As a distributor, we also sell our products, our equipment, and devices. So the support team covers that aspect.

What's my experience with pricing, setup cost, and licensing?

We sell Cisco ASA Firewall as a bundle — the price is very cheap. If a customer were to go for renewal direct from Cisco, then the price would be quite high.

What other advice do I have?

My main concern is the full revamp of the management console. We'd like to see a more user-friendly total revamp of how to manage the firewall rules. Also, there are a lot of additional features that need to be granular because with Cisco, at this point in time, all these features are still working in silos. A lot of integration needs to be done in general. 

Personally, I would discourage people from using Cisco. Overall, on a scale from one to ten, I would give this solution a rating of six.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Distributor
PeerSpot user
Team Leader Network Egnieer at deam
Real User
Efficient at improving client operations and has excellent stability
Pros and Cons
  • "The stability of Cisco ASA is excellent compared to other products on the market. Because of our customer experience as an integrator company, our clients never report any performance problems. We have a good performance reputation with Cisco ASA."
  • "Usually, the customers are satisfied, but I am going to recommend that all clients upgrade to FirePOWER management. I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility."

What is our primary use case?

We use Cisco ASA with Firepower. Currently, we have been implementing the solution for around four years. Our company has been around for a long time, more than ten years. We cover the solutions for Network Direct Turbo ATM at the moment, it's a lot of the security work.

How has it helped my organization?

Cisco ASA is best at the technical part of the business, related to our selling and management services. We have to improve the technical functionality of the product as part of making an efficient service for the customer. We need to improve the customer's technical experience with Cisco ASA & Firepower.

What is most valuable?

There are two main ways that using Cisco ASA & Firepower has improved our organization:

  1. Technical features
  2. Our Sales team

What needs improvement?

With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management.

For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The stability of Cisco ASA is excellent compared to other products on the market. The performance is good. Compared to Fortinet on the watchband firewall, it is indispensable. Because of our customer experience as an integration company, our clients never report any performance problems. We have good performance from Cisco ASA.

What do I think about the scalability of the solution?

ASA is limited in terms of its scalability because of our customer environments. They are in the banking and microfinance sector. Our clients always want to move to the next generation firewall so they like FirePOWER. When we move clients to Firepower, they need to integrate with Sourcefire and move into more complicated management.

We have the staff perform the migrations to Firepower. We redirected traffic with Sourcefire and also require the use of FMC by our management center with Firepower.

How are customer service and technical support?

I've been exploring the technical support for Cisco ASA. I haven't had any problems with it.

How was the initial setup?

The initial setup is straightforward. 

What other advice do I have?

I always encourage our existing customers to move to the Cisco ASA Firepower version, i.e. the next generation Firepower like 2100, 4000, or 9300.

I would rate Cisco ASA an eight out of ten. An eight and not a ten because some of the features are limited and some are awful. We had to install other solutions for security and had to spend a lot on other hardware. Other vendors like Fortinet or Palo Alto Networks focus more on offering complete solutions.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Infrastructure Engineer at Atlas Group
Real User
My confidence continues to build upon using Cisco firewalls
Pros and Cons
  • "My confidence continues to build upon using Cisco firewalls."
  • "Antivirus features must be integrated for end user security."
  • "Security must be increased when a new user connects over the LAN and an alarm must be generated."

How has it helped my organization?

My confidence continues to build upon using Cisco firewalls. I prefer to use Cisco firewalls to any others. 

What needs improvement?

Antivirus features must be integrated for end user security. They must be increased in the next version along with audit and restriction for the incoming user. Security must be increased when a new user connects over the LAN and an alarm must be generated.

For how long have I used the solution?

Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user865122 - PeerSpot reviewer
Information Technology at Giumarra
User
​It is worth every penny that we have invested in it
Pros and Cons
  • "It is much better than most of the other firewalls that I have worked with."
  • "It needs more tunneling capabilities."

What is our primary use case?

I have been using the 5510 a lot, and have been working with it for many years. I have also used the 5505 and other firewalls.

How has it helped my organization?

It is much better than most of the other firewalls that I have worked with.

What needs improvement?

It needs more tunneling capabilities. 

For how long have I used the solution?

More than five years.

What was our ROI?

It is worth every penny that we have invested in it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Network Security Specialist at a financial services firm with 501-1,000 employees
Real User
It is easy to create interfaces and routing, but the product needs real-time logs
Pros and Cons
  • "It is easy to create interfaces and routing, which all can be done at the GUI level."
  • "The product needs real-time logs to be able to monitor our services, so we can know if any our services have been blocked via the firewall or on the application side."

What is our primary use case?

Currently used for at our disaster recovery site as our internal firewall, not a lot of services are running through it. We are still going around learning how to use it.

How has it helped my organization?

Since we have used Firepower firewall, we are facing issues of getting real-time logs, as they are not available with the latest version.

What is most valuable?

It is easy to create interfaces and routing, which all can be done at the GUI level. For now, we are still going around the services and will add more in the future.

What needs improvement?

The product needs real-time logs to be able to monitor our services, so we can know if any our services have been blocked via the firewall or on the application side.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros sharing their opinions.