Cisco Secure Firewall Reviews

We use Cisco ASA with Firepower. Currently, we have been implementing the solution for around four years. Our company has been around for a long time, more than ten years. We cover the solutions for Network Direct Turbo ATM at the moment, it's a lot of the security work.

Cisco ASA is best at the technical part of the business, related to our selling and management services. We have to improve the technical functionality of the product as part of making an efficient service for the customer. We need to improve the customer's technical experience with Cisco ASA & Firepower.

There are two main ways that using Cisco ASA & Firepower has improved our organization:

1. Technical features
2. Our Sales team

With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management.

For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.

The stability of Cisco ASA is excellent compared to other products on the market. The performance is good. Compared to Fortinet on the watchband firewall, it is indispensable. Because of our customer experience as an integration company, our clients never report any performance problems. We have good performance from Cisco ASA.

ASA is limited in terms of its scalability because of our customer environments. They are in the banking and microfinance sector. Our clients always want to move to the next generation firewall so they like FirePOWER. When we move clients to Firepower, they need to integrate with Sourcefire and move into more complicated management.

We have the staff perform the migrations to Firepower. We redirected traffic with Sourcefire and also require the use of FMC by our management center with Firepower.

I've been exploring the technical support for Cisco ASA. I haven't had any problems with it.

The initial setup is straightforward. 

I always encourage our existing customers to move to the Cisco ASA Firepower version, i.e. the next generation Firepower like 2100, 4000, or 9300.

I would rate Cisco ASA an eight out of ten. An eight and not a ten because some of the features are limited and some are awful. We had to install other solutions for security and had to spend a lot on other hardware. Other vendors like Fortinet or Palo Alto Networks focus more on offering complete solutions.

The use case has been for the banking sector, for one of our banking customers. According to them, it's working perfectly.

Monitoring, of course - the dashboard. It enables you to see what is happening.

It's lacking one feature: VPN. That is a feature we're looking for. Otherwise, the new devices have very good support, and the performance is quite good.

Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good.

So far, since we installed it, there have been no issues.

In terms of scalability, it is really expensive. It is scalable, but when it comes to pricing, the upgrading is a bit high.

It's not straightforward. You need to know what you're doing, you need to be trained. I don't know for other vendors whether it's the same issue, but for Cisco you have to be trained on the system.

Check Point and Fortigate. Generally, our customers choose Firepower because they've seen the system work somewhere before, and they see it is stable and working perfectly. Those are the reasons they opt for Firepower.

There are other solutions, like Fortigate, which are very good solutions, and cheaper for the customer. Even the support via subscription is favorable, in terms of pricing. I would really advise the customer to do some research first and come up with the best solution for their needs

I rate Firepower as an eight out of 10. It is a good solution but it is expensive compared to other products, like Fortigate. Still, some of our customers do prefer Firepower over the others.

It helped us and our customers implement more granular and flexible connections to and from our/their environments, building a trust relation between all of us, having the confidence that our exchanged information is occurring in a highly secure manner.

The most valuables feature of this product are given by the comprehensive VPN solutions it offers and its tools for troubleshooting and debugging. You can provide complex and flexible way to securely access private environments. And its troubleshooting and debugging tools allow you to identify, in the fastest time possible, where some potential issues could have been occurred.

It should have an additional “operating mode”, like a “candidate configuration mode”, where you would have the possibility to test the changes you are going to implement and also the possibility to validate these changes.

In addition, a "testing" feature should be performed to let you know what would be the consequences of applying these new changes. Only after you would see the tests’ results (if they do not create any unwanted effect) would you go and commit them.

There were some issues with stability prior to code version 9.2.x, more related to Clientless SSL and Client RA VPN solutions. Some bugs affected the integrity of these type of features.

There were no problems in terms of scaling an existing solution, though very expensive.

I would give a rating of eight out of 10, compared to others vendors. The technical support is much better than most vendors, but let's say not as good as F5 Networks technical support.

I've only worked for integrator or ISP organizations. Over the years I’ve worked with multiple solutions offered by different vendors due to my customers’ budgets or preferences. What makes it the best of all the solutions I’ve worked on is the stability and its hardware.

The initial setup configurations differ from customer to customer, from very simple to highly complex solutions. Depends on the customer’s needs.

I have to admit that the price is high. But I think it's worth it if the stability of your solution counts for you.

Choose it if you aim to have a stable environment.

Provides advanced malware capabilities.

Simplified the complexity of our security architecture.

Integration of advanced malware services with the firewall through Firepower services.

We have been using this solution for six months.

There were no issues with deployment.

There were no issues with stability.

There were no issues with scalability.

I would give customer service a rating of 10/10.

I would give technical support a rating of 10/10.

We were looking to upgrade to a comprehensive firewall solution that integrated Next Generation Prevention System (NGIPS).

There were no issues with setup.

We implemented in-house.

We calculated for the entire year, but the ROI seemed very decent from the first six months.

Pricing: Negotiate

Licensing: Buy the advanced Malware Protection license subscription for one year. It is worth the investment.

We evaluated Juniper, Fortinet, and Huawei.

It gives us the ability to do lan-to-lan VPN.

So far it has proven to be rock solid and relatively easy to maintain.

• Support for automation tools (Puppet)
• More granular logging

I've used ASA for four years.

No issues encountered.

No issues encountered.

No issues encountered.

8/10

8/10

We moved our VPN termination from a Cisco ASR to an ASA. We switched because the ASR was not scalable and we realized it was a bad idea to use the same device for routing and VPN termination.

The most complex part was figuring out the failover and what NAT mode to implement.

We did it in-house.

Licenses and prices are pretty high. I understand the validity of the product, so I can't complain much.

No options were evaluated. We heavily rely on Cisco hardware for our infrastructure

I'd say it would be very beneficial to posses certification such as CCNP Security, at least, to get the most out of it. It's a complex product which requires good knowledge of procedures and best practices. Being a CCIE R&S I know the value of those certifications, and I wish I had a CCNP Security to better handle the task.

• Scalability
• Debugging messages
• Context modes

Context modes as this means there is no need to buy additional firewall for different customers.

IPS, IDS, anti-virus etc. should be added to IOS instead of separate cards.

I've used it for three years.

No issues encountered.

No issues encountered.

No issues encountered.

Dedicated experts are available in support contract with Cisco.

100% skilled engineers with knowledge are available 24/7.

It is straightforward.

We implemented it in-house.

It is £2,000 to set up, and the running costs, depend on the customers' issue(s) or tickets raised.

• Juniper
• FortiGate

Its a nice professional product with lots of scalability. Easy to troubleshoot and there is tool called PACKET TRACER which simulates the packet and it will tell you whether a packet is allowed inbound or outbound for testing purposes.

We use this solution for company security and to define access and connection between different devices.

This solution made our organization more secure and gave us better control.

The access list is the most valuable feature of this solution. 

This solution could be more granular and user-friendly.

I have been using this solution for 12 years. 

This is a stable solution. 

This is a scalable solution. 

The technical support for this solution is good. I would rate it a seven out of ten.

Neutral

We use this solution together with Palo Alto, depending on the use case. 

The initial setup is straightforward and the deployment only takes a few hours. Our deployment strategy was to keep it simple. A large deployment of this solution can require up to 10 resources. 

The solution does require maintenance and we use an external service provider for this maintenance. 

I would rate this solution an eight out of ten.