it_user346116 - PeerSpot reviewer
I.T Security Consultant
Vendor
Once set up properly, it can run for a whole year without any major issues
Pros and Cons
  • "The most stable firewall I’ve ever worked with. Once you get the ASA set up properly, it can run for a whole year without any major issues, apart from the normal daily administration."
  • "The ASA needs to incorporate the different modules you have to integrate to achieve UTM functions, especially for small businesses."

What is most valuable?

This is our perimeter router. We used it purposely for NAT and to port forward traffic. Other essential features of a firewall are handled separately by a UTM.

What needs improvement?

The ASA needs to incorporate the different modules you have to integrate to achieve UTM functions, especially for small businesses.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

No stability issues at all, the most stable firewall I’ve ever worked with.

Buyer's Guide
Cisco Secure Firewall
April 2025
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
848,716 professionals have used our research since 2012.

What do I think about the scalability of the solution?

No scalability issues.

How are customer service and support?

Quite good.

Which solution did I use previously and why did I switch?

We’ve always used ASA from the get-go. We added the UTM to complement it.

How was the initial setup?

Straightforward.

What's my experience with pricing, setup cost, and licensing?

Pricing is why we had to go for a UTM. For us to achieve what we needed, if we had gone with the ASA, the cost would have been high compared to getting one box (UTM).

Which other solutions did I evaluate?

Juniper, Check Point, Astaro

What other advice do I have?

Go for it. I really like how, once you get the ASA set up properly, it can run for a whole year without any major issues, apart from the normal daily administration.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Presales Engineer at a tech services company with 501-1,000 employees
Real User
The various NGFW and NGIPS features are valuable, but the option to use ASA to decrypt SSL would be an improvement.

What is most valuable?

NGFW: VPN (IPSec, SSL), NAT (provides great flexibility)

NGIPS: Application visibility, file policies (store files), network discovery, correlation features

What needs improvement?

SSL decryption for modules. Although I think it is better to separate SSL decryption as a service from the software module, since it requires additional hardware, I think it would be great if there were an option to use the ASA (not the software module) to decrypt the SSL.

Ex: Add a license to decrypt SSL traffic on the ASA itself. The ASA already supports SSL VPN, so if SSL decryption can be integrated, that would be nice.

For how long have I used the solution?

5 years+

What was my experience with deployment of the solution?

Basic setup is easy, but if you need to do some advanced stuff, it can be intuitive, though some things require some kind of tutorial to understand how they can be done. The good thing is that this device is becoming popular and there are many 3rd-party free tutorials and guides that can help.

What do I think about the stability of the solution?

I heard about defects that were encountered by my colleagues, but nothing that cannot be fixed using an upgrade.

What do I think about the scalability of the solution?

Clustering is available for ASA with FirePOWER Services.

Also, for Firepower appliances, stacking is available for some models.

How are customer service and technical support?

Customer Service:

Great support. The engineers know what they are doing.

Technical Support:

10/10

Which solution did I use previously and why did I switch?

No

How was the initial setup?

Well, it is straightforward as long as you understand the components available.

ASA can be configured using the CLI or ASDM.

For the Firepower you will need to use FireSIGHT as a management solution.

Since you will be using two GUIs, I wouldn't call it straightforward.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Sr. Network Engineer at a tech services company with 10,001+ employees
Real User
CLI of the firewall is valuable, but there are IOS-related bugs in later versions.

What is most valuable?

  • Stateful inspection
  • CLI of the firewall

How has it helped my organization?

It has increased the security and works best for VPN users.

What needs improvement?

The product has been introduced with UTM, i.e. FirePOWER, and I would like to use it and comment on it.

For how long have I used the solution?

I've used it for three years.

What was my experience with deployment of the solution?

Encountered IOS-related bugs in later versions.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

10/10.

Technical Support:

It depends on the support contract that you have.

Which solution did I use previously and why did I switch?

I previously used CheckPoint, and switched because of the UTM features.

How was the initial setup?

It was straightforward.

What about the implementation team?

I implemented it myself.

Which other solutions did I evaluate?

I think we evaluated other options with reference to our architecture.

What other advice do I have?

You should analyze the current setup and implement it as per the customers' requirement.

Disclosure: My company has a business relationship with this vendor other than being a customer: Platinum Partner
Federal Civ/Intel Engineering Lead at a tech vendor with 1,001-5,000 employees
Real User
Shortcomings of Cisco ASA 5500-X with FirePOWER Services

I started to title this a "Review" of the Cisco ASA with FirePOWER, but my objective is to highlight a few limitations of the integrated solution so that potential customers understand the product. It may turn out to be a review after all, but that's the focus.

Let's set some product context. Cisco completed its acquisition of Sourcefire on October 7, 2013, and its initial integration into the Cisco Security family on November 10, 2014. That makes this union very fresh--think of Cisco FirePOWER as newlyweds. They're starting to share the same roof, but carry a lot of individuality and his/her domain around with them.

Next, let's zoom in on the word, "Services", or as you may see elsewhere, "Module". Sourcefire makes a number of standalone, independent intrusion prevention system and application firewall appliances (i.e. 7000 series, 8000 series). When Cisco and Sourcefire united, they introduced the ability to put a dependent Sourcefire module into the Cisco ASA 5500-x next-generation firewall family. One Cisco partner described it as functioning like a virtual machine within the ASA (of sorts). Summation: it needs the host (ASA) to survive.

This "Module" should actually be packaged and marketed as a "Starter Kit" or an entry-level, feature-limited offering (with no building-block upgrade path; it's a hardware ceiling). And perhaps it is by some Cisco VARs, but it's new, so I think many are still coming up to speed with what it brings to the table.

To justify my above assertion, I'll highlight four characteristics that have affected or disappointed me in my deployment, and that have motivated a new set of quotes to move to the hardware/standalone solution.

1. SSL Inspection

Oftentimes you don't know what you don't know and thus you lack the wisdom to ask about it. That was me with this feature. I didn't know that the integrated module only supported a subset of features, so I didn't know to ask about its ability to decrypt inbound SSL traffic.

We host a number of public HTTPS services, though, so one goal of implementing FirePOWER was to protect against intrusion via that conduit.

While reading the Online Help and attempting configuration, I ran across references saying that it was only supported on "Series 3" devices, yet I couldn't quite find how Cisco categorized FirePOWER services. FireSight Management Center (a.k.a. "Defense Center") also gives the illusion of hope in this matter, because it reveals all features as configurable, being that it can manage the largest of Sourcefire appliances. The rubber meets the road, though, when you try to apply a policy with SSL inspection to unsupported devices. And yep, the module is one of those.

Summary: SSL traffic remains cloaked to FirePOWER services. IPS can only treat the headers (read: source/destination IP and port).

2. User Control

This one was less important to me, but still an unfortunate discovery. FirePOWER (all devices) supports "User Awareness" through LDAP integration and user agents installed on endpoints, but the ability to control traffic based on the identity of the user is another hardware-only feature. Thus, you can see who is doing what, but control must be applied through hardware or traffic identity, not user.

3. Fail-Close Design

I may butcher the explanation here, but because of the integrated nature of the FirePOWER module and services, if FirePOWER inside of an ASA firewall goes down (crashes, restarts Snort, etc), traffic through the ASA stops. This is regardless of the "sfr fail-open" command, which only practically applies to standalone appliances.

I discovered this with Cisco TAC on a Webex where they put the Sourcefire into software bypass to troubleshoot traffic flow and attempt to take it out of line. That didn't work so well. Alarms and alerts started flying as the ASA clamped down on all new sessions (existing ones seemed to hold--very thankful as I was remote). Anyways, TAC didn't know of this design either until they asked engineering about a potential bug and were told it was "by design".

Major Warning/PSA: Adding FirePOWER Services to your ASA will introduce a new network availability risk. You will be very secure, though, since traffic will stop if the IPS is down. Blessing? Curse? Depends on you.

4. Bug: Active FTP is blocked by FirePOWER Services (CSCze96017)

Cisco was still working on this one when I closed my case regarding it, and their internally-published workaround wasn't accurate at the time. The practical impact, though, is that Active FTP traffic is blocked by Sourcefire due to network address translation (NAT) confusion. The ASA handles it fine, but when the FTP server initiates the new data channel outbound to the client, Sourcefire gets confused and blocks it.

The workaround, which sounds like it may become the "solution" (not fixable), is to deny FTP traffic in your Sourcefire policy:

access-list Outside_SFR extended deny tcp any any eq ftp
access-list Outside_SFR extended permit ip any any
class-map Outside-class
 match access-list Outside_SFR
policy-map Outside-policy
 class Outside-class
  sfr fail-open

Note: the last line still contains "sfr fail-open", but it won't apply until we replace the module with the full appliance.

This bug means that Sourcefire cannot inspect or provide any services (not even against IP headers) to FTP traffic. It will not show up in FireSight (Defense Center). Only the ASA will be able to treat it based on standard ACLs, etc.

Alright, let's end on a high note. Apart from those four things, the Cisco ASA with FirePOWER Services solution works well, provides great insight, applies Advanced Malware Protection strongly, and shuts down a ton of illegitimate connections before they can attACK ;).

If you're looking to get your feet wet, and if SSL inspection isn't critical, I recommend giving FirePOWER a shot.

Originally posted at: http://www.thegurleyman.com/shortcomings-of-cisco-asa-5500-x-with-firepower-services/

Disclosure: I am a real user, and this review is based on my own experience and opinions.
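An added example, not code from the review or from Cisco, that evaluates the redirect ACL quoted in the workaround the way a class-map "match access-list" does: a deny entry excludes a flow from the class (the ASA still forwards it through its own ACLs and FTP inspection), while a permit entry sends it to the SFR module. It assumes the two ACL lines from the post and uses constructed sample flows; the "host" address form and the port-name table are added for illustration.

```python
# Added example (not from the review): evaluate an ASA redirect ACL used by a
# class-map "match access-list". Semantics: first matching entry wins; "deny"
# means "not in the class" (traffic is still forwarded by the ASA), not "drop".
from dataclasses import dataclass

ACL_LINES = [  # the two ACEs quoted in the review's workaround
    "access-list Outside_SFR extended deny tcp any any eq ftp",
    "access-list Outside_SFR extended permit ip any any",
]
# Small port-name table (illustrative subset of the names the ASA accepts).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "http": 80, "https": 443, "ssh": 22}


@dataclass
class Flow:
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str
    sport: int
    dport: int


def _parse_addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D'; return (address or None for any, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def sfr_redirected(flow, acl=ACL_LINES):
    """True if the flow hits a permit ACE, i.e. the class-map hands it to SFR."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", flow.proto):
            continue
        if ace["src"] not in (None, flow.src) or ace["dst"] not in (None, flow.dst):
            continue
        if ace["dport"] is not None and ace["dport"] != flow.dport:
            continue
        return ace["action"] == "permit"   # first match wins
    return False                           # implicit deny: not redirected
```

Note that only the FTP control channel (tcp/21) is carved out of the redirect class by this ACL; a connection sourced from tcp/20 still matches the "permit ip any any" line and is handed to the module.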
it_user641307 - PeerSpot reviewer
it_user641307Dy Head IT with 501-1,000 employees
Real User

In our POC we have found that Cisco does not provide a Centralized Firewall Policy Manager in the cloud. We have to buy an appliance only.

reviewer1474608 - PeerSpot reviewer
Consultor at a government with 201-500 employees
Real User
Impressive IPS feature but more services should be integrated
Pros and Cons
  • "I like the IPS feature, it is the most valuable."
  • "I have used Fortinet, Palo Alto, and Check Point previously and I prefer the process of everything working together."

What is our primary use case?

I am using the solution as a firewall.

What is most valuable?

I like the IPS feature, it is the most valuable.

What needs improvement?

I do not like the assembly of this solution. For example, they should combine FirePOWER into one solution.

Which solution did I use previously and why did I switch?

I have used Fortinet, Palo Alto, and Check Point previously and I prefer the process of everything working together. We are in the process of moving on to Fortinet from this solution.

What other advice do I have?

I rate Cisco ASA Firewall a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Engineer at a tech services company with 501-1,000 employees
Real User
Stable, scalable, and flexible, with good support
Pros and Cons
  • "It's a flexible solution."
  • "The configuration is an area that needs improvement."

What is our primary use case?

We use Cisco ASA for traffic control.

What is most valuable?

It's a flexible solution.

What needs improvement?

The configuration is an area that needs improvement.

In the next release, I would like to see the UI include or provide web access, and more integration.

For how long have I used the solution?

I have been using Cisco ASA Firewall for five years.

We are not using the latest version, as it is not available.

What do I think about the stability of the solution?

It's a stable solution and we have not had any issues.

What do I think about the scalability of the solution?

It's a scalable product. We have approximately 2,000 users in our organization.

We have plans to continue to use it.

How are customer service and technical support?

Technical support provides us with good service.

How was the initial setup?

The initial setup was straightforward. It was easy for us because we have experience.

It was already deployed when I arrived.

We have two or three guys for deployment and maintenance.

What other advice do I have?

This is a product that I would recommend to others.

I would rate Cisco ASA Firewall a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user821520 - PeerSpot reviewer
Information Systems Manager at a manufacturing company with 201-500 employees
Real User
Its most valuable feature is its ability to work with the traffic
Pros and Cons
  • "Its ability to work with the traffic."
  • "I would like it to be easier to work with and have a better user interface. It is not straightforward. You need to know the Cisco command-line interface."
  • "Initial setup was fairly complex."

What is our primary use case?

Business use. It has performed well.

What is most valuable?

Its ability to work with the traffic.

What needs improvement?

I would like it to be easier to work with and have a better user interface. It is not straightforward. You need to know the Cisco command-line interface.

What do I think about the stability of the solution?

Stability has been fine.

What do I think about the scalability of the solution?

It is good.

How are customer service and technical support?

I have not used technical support.

Which solution did I use previously and why did I switch?

We have always been with Cisco.

How was the initial setup?

Initial setup was fairly complex. Just having to know the command prompt rather than having a better user interface.

What's my experience with pricing, setup cost, and licensing?

We are looking for a possible new solution because of the licensing and VPN.

Which other solutions did I evaluate?

We evaluated Cisco and Meraki.

What other advice do I have?

Look through what your needs are.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user789333 - PeerSpot reviewer
President and CTO with 51-200 employees
Real User
Very good as a stateful inspection firewall, but weak in all other areas
Pros and Cons
  • "Strong in NAT and access-lists."
  • "Very good as a stateful inspection firewall."
  • "VPNs are weak as this product still does not support route-based VPNs."

What is our primary use case?

Firewall only - no advanced services.

How has it helped my organization?

In the early days, before UTM and NGFW, this product was awesome. Cisco tried to add Firepower, but it requires a different management interface and is still too expensive.

What is most valuable?

  • Strong in NAT and access-lists
  • Very good as a stateful inspection firewall, but weak in all other areas.

What needs improvement?

  • Integrated threat management
  • Route-based VPNs: VPNs are weak as this product still does not support route-based VPNs.
  • Single management interface
  • Better throughput for price point

For how long have I used the solution?

More than five years.

What's my experience with pricing, setup cost, and licensing?

Price point is too high for features and throughput available.

What other advice do I have?

Overall, this is a legacy product.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner