- Stateful inspection
- CLI of the firewall
Sr. Network Engineer at a tech services company with 10,001+ employees
CLI of the firewall is valuable, but there are IOS related bugs in later versions.
What is most valuable?
How has it helped my organization?
It has increased the security and works best for VPN users.
What needs improvement?
The product has been introduced with UTM i.e. FirePower, and I would like to use it and comment on it.
For how long have I used the solution?
I've used it for three years.
Buyer's Guide
Cisco Secure Firewall
March 2025

Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
839,319 professionals have used our research since 2012.
What was my experience with deployment of the solution?
Encountered IOS related bugs in later versions.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and support?
Customer Service:
10/10.
Technical Support: It depends on the support contract that you have.
Which solution did I use previously and why did I switch?
I previously used CheckPoint, and switched because of the UTM features.
How was the initial setup?
It was straightforward.
What about the implementation team?
I implemented it myself.
Which other solutions did I evaluate?
I think we evaluated other options with reference to our architecture.
What other advice do I have?
You should analyze the current setup and implement it as per the customers' requirement.
Disclosure: My company has a business relationship with this vendor other than being a customer: Platinum Partner
Federal Civ/Intel Engineering Lead at a tech vendor with 1,001-5,000 employees
Shortcomings of Cisco ASA 5500-X with FirePOWER Services
I started to title this a "Review" of the Cisco ASA with FirePOWER, but my objective is to highlight a few limitations of the integrated solution so that potential customers understand the product. It may turn out to be a review after all, but that's the focus.
Let's set some product context. Cisco completed its acquisition of Sourcefire on October 7, 2013, and its initial integration into the Cisco Security family on November 10, 2014. That makes this union very fresh--think of Cisco FirePOWER as newlyweds. They're starting to share the same roof, but carry a lot of individuality and his/her domain around with them.
Next, let's zoom in on the word, "Services", or as you may see elsewhere, "Module". Sourcefire makes a number of standalone, independent intrusion prevention system and application firewall appliances (i.e. 7000 series, 8000 series). When Cisco and Sourcefire united, they introduced the ability to put a dependent Sourcefire module into the Cisco ASA 5500-x next-generation firewall family. One Cisco partner described it as functioning like a virtual machine within the ASA (of sorts). Summation: it needs the host (ASA) to survive.
This "Module" should actually be packaged and marketed as a "Starter Kit" or an entry-level, feature-limited offering (with no building-block upgrade path; it's a hardware ceiling). And perhaps it is by some Cisco VARs, but it's new, so I think many are still coming up to speed with what it brings to the table.
To justify my above assertion, I'll highlight four characteristics that have affected or disappointed me in my deployment, and that have motivated a new set of quotes to move to the hardware/standalone solution.
1. SSL Inspection
Oftentimes you don't know what you don't know and thus you lack the wisdom to ask about it. That was me with this feature. I didn't know that the integrated module only supported a subset of features, so I didn't know to ask about its ability to decrypt inbound SSL traffic.
We host a number of public HTTPS services, though, so one goal of implementing FirePOWER was to protect against intrusion via that conduit.
While reading the Online Help and attempting configuration, I ran across references saying that it was only supported on "Series 3" devices, yet I couldn't quite find how Cisco categorized FirePOWER services. FireSight Management Center (a.k.a. "Defense Center") also gives the illusion of hope in this matter, because it reveals all features as configurable, being that it can manage the largest of Sourcefire appliances. The rubber meets the road, though, when you try to apply a policy with SSL inspection to unsupported devices. And yep, the module is one of those.
Summary: SSL traffic remains cloaked to FirePOWER services. IPS can only treat the headers (read: source/destination IP and port).
2. User Control
This one was less important to me, but still an unfortunate discovery. FirePOWER (all devices) supports "User Awareness" through LDAP integration and user agents installed on endpoints, but the ability to control traffic based on the identity of the user is another hardware-only feature. Thus, you can see who is doing what, but control must be applied through hardware or traffic identity, not user.
3. Fail-Close Design
I may butcher the explanation here, but because of the integrated nature of the FirePOWER module and services, if FirePOWER inside of an ASA firewall goes down (crashes, restarts Snort, etc), traffic through the ASA stops. This is regardless of the "sfr fail-open" command, which only practically applies to standalone appliances.
I discovered this with Cisco TAC on a Webex where they put the Sourcefire into software bypass to troubleshoot traffic flow and attempt to take it out of line. That didn't work so well. Alarms and alerts started flying as the ASA clamped down on all new sessions (existing ones seemed to hold--very thankful as I was remote). Anyways, TAC didn't know of this design either until they asked engineering about a potential bug and were told it was "by design".
Major Warning/PSA: Adding FirePOWER Services to your ASA will introduce a new network availability risk. You will be very secure, though, since traffic will stop if the IPS is down. Blessing? Curse? Depends on you.
4. Bug: Active FTP is blocked by FirePOWER Services (CSCze96017)
Cisco was still working on this one when I closed my case regarding it, and their internally-published workaround wasn't accurate at the time. The practical impact, though, is that Active FTP traffic is blocked by Sourcefire due to network address translation (NAT) confusion. The ASA handles it fine, but when the FTP server initiates the new data channel outbound to the client, Sourcefire gets confused and blocks it.
The workaround, which sounds like it may become the "solution" (not fixable), is to deny FTP traffic in your Sourcefire policy:
access-list Outside_SFR extended deny tcp any any eq ftp
access-list Outside_SFR extended permit ip any any
class-map Outside-class
 match access-list Outside_SFR
policy-map Outside-policy
 class Outside-class
  sfr fail-open
Note: the last line still contains "sfr fail-open", but it won't apply until we replace the module with the full appliance.
This bug means that Sourcefire cannot inspect or provide any services (not even against IP headers) to FTP traffic. It will not show up in FireSight (Defense Center). Only the ASA will be able to treat it based on standard ACLs, etc.
Alright, let's end on a high note. Apart from those four things, the Cisco ASA with FirePOWER Services solution works well, provides great insight, applies Advanced Malware Protection strongly, and shuts down a ton of illegitimate connections before they can attACK ;).
If you're looking to get your feet wet, and if SSL inspection isn't critical, I recommend giving FirePOWER a shot.
Originally posted at: http://www.thegurleyman.com/shortcomings-of-cisco-asa-5500-x-with-firepower-services/
Disclosure: I am a real user, and this review is based on my own experience and opinions.
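As an added example (not code from the review above, from Cisco, or from this site), a small Python audit that walks the ASA Modular Policy Framework chain the posted workaround relies on (access-list entries, class-map, policy-map, sfr action) and reports whether FTP would still be redirected to the SFR module. The two config fragments are constructed; the first-match ordering check generalizes the workaround to the case where the deny is placed after "permit ip any any" and is therefore shadowed.

```python
import re

# Constructed ASA config fragments (not from a real device): the first mirrors
# the workaround quoted in the review; the second reverses the ACL order so
# "permit ip any any" shadows the FTP deny and FTP is still sent to the module.
WORKAROUND_CFG = """
access-list Outside_SFR extended deny tcp any any eq ftp
access-list Outside_SFR extended permit ip any any
class-map Outside-class
 match access-list Outside_SFR
policy-map Outside-policy
 class Outside-class
  sfr fail-open
"""
SHADOWED_CFG = WORKAROUND_CFG.replace(
    "access-list Outside_SFR extended deny tcp any any eq ftp\n"
    "access-list Outside_SFR extended permit ip any any",
    "access-list Outside_SFR extended permit ip any any\n"
    "access-list Outside_SFR extended deny tcp any any eq ftp")

# Only the "any any [eq port]" form used in the review is parsed here.
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) any any(?: eq (\S+))?$")

def parse_asa_config(text):
    """Walk the MPF chain: ACL entries -> class-map -> policy-map 'sfr' action."""
    acls, class_maps, sfr = {}, {}, {}
    cur_class = cur_policy = cur_pclass = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif line.startswith("class-map "):
            cur_class = line.split()[1]
        elif line.startswith("match access-list "):
            class_maps[cur_class] = line.split()[2]
        elif line.startswith("policy-map "):
            cur_policy = line.split()[1]
        elif line.startswith("class "):
            cur_pclass = line.split()[1]
        elif line.startswith("sfr"):
            sfr[(cur_policy, cur_pclass)] = "fail-open" if "fail-open" in line else "fail-close"
    return acls, class_maps, sfr

def ftp_redirected_to_sfr(text):
    """True if a class sent to the SFR module would still match tcp/ftp.
    ACL entries are first-match, so the deny must precede 'permit ip any any'."""
    acls, class_maps, sfr = parse_asa_config(text)
    for (_policy, cls) in sfr:
        for action, proto, port in acls.get(class_maps.get(cls), []):
            matches_ftp = proto == "ip" or (proto == "tcp" and port in (None, "ftp"))
            if matches_ftp:
                if action == "permit":
                    return True   # FTP hits a permit first: redirected, bug applies
                break             # deny comes first: FTP bypasses the module
    return False

def sfr_modes(text):
    """Configured 'sfr' keyword per (policy, class). The review reports that
    fail-open is not honoured on the integrated module, so this is informational."""
    return parse_asa_config(text)[2]
```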
Consultant at a government with 201-500 employees
Impressive IPS feature but more services should be integrated
Pros and Cons
- "I like the IPS feature, it is the most valuable."
- "I have used Fortinet, Palo Alto, and Check Point previously and I prefer the process of everything working together."
What is our primary use case?
I am using the solution as a firewall.
What is most valuable?
I like the IPS feature, it is the most valuable.
What needs improvement?
I do not like the assembly of this solution. For example, they should combine FirePOWER into one solution.
Which solution did I use previously and why did I switch?
I have used Fortinet, Palo Alto, and Check Point previously and I prefer the process of everything working together. We are in the process of moving on to Fortinet from this solution.
What other advice do I have?
I rate Cisco ASA Firewall a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Engineer at a tech services company with 501-1,000 employees
Stable, scalable, and flexible, with good support
Pros and Cons
- "It's a flexible solution."
- "The configuration is an area that needs improvement."
What is our primary use case?
We use Cisco ASA for traffic control.
What is most valuable?
It's a flexible solution.
What needs improvement?
The configuration is an area that needs improvement.
In the next release, I would like to see the UI include or provide web access, and more integration.
For how long have I used the solution?
I have been using Cisco ASA Firewall for five years.
We are not using the latest version, as it is not available.
What do I think about the stability of the solution?
It's a stable solution and we have not had any issues.
What do I think about the scalability of the solution?
It's a scalable product. We have approximately 2,000 users in our organization.
We have plans to continue to use it.
How are customer service and technical support?
Technical support provides us with good service.
How was the initial setup?
The initial setup was straightforward. It was easy for us because we have experience.
It was already deployed when I arrived.
We have two or three guys for deployment and maintenance.
What other advice do I have?
This is a product that I would recommend to others.
I would rate Cisco ASA Firewall a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Systems Manager at a manufacturing company with 201-500 employees
Its most valuable feature is its ability to work with the traffic
Pros and Cons
- "Its ability to work with the traffic."
- "I would like it to be easier to work with and have a better user interface. It is not straightforward. You need to know the Cisco command-line interface."
- "Initial setup was fairly complex."
What is our primary use case?
Business use. It has performed well.
What is most valuable?
Its ability to work with the traffic.
What needs improvement?
I would like it to be easier to work with and have a better user interface. It is not straightforward. You need to know the Cisco command-line interface.
What do I think about the stability of the solution?
Stability has been fine.
What do I think about the scalability of the solution?
It is good.
How are customer service and technical support?
I have not used technical support.
Which solution did I use previously and why did I switch?
We have always been with Cisco.
How was the initial setup?
Initial setup was fairly complex. Just having to know the command prompt rather than having a better user interface.
What's my experience with pricing, setup cost, and licensing?
We are looking for a possible new solution because of the licensing and VPN.
Which other solutions did I evaluate?
We evaluated Cisco and Meraki.
What other advice do I have?
Look through what your needs are.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
President and CTO with 51-200 employees
Very good as a stateful inspection firewall, but weak in all other areas
Pros and Cons
- "Strong in NAT and access-lists."
- "Very good as a stateful inspection firewall."
- "VPNs are weak as this product still does not support route-based VPNs."
What is our primary use case?
Firewall only - no advanced services.
How has it helped my organization?
In the early days, before UTM and NGFW, this product was awesome. Cisco tried to add Firepower, but it requires a different management interface and is still too expensive.
What is most valuable?
- Strong in NAT and access-lists
- Very good as a stateful inspection firewall, but weak in all other areas.
What needs improvement?
- Integrated threat management
- Route-based VPNs: VPNs are weak as this product still does not support route-based VPNs.
- Single management interface
- Better throughput for price point
For how long have I used the solution?
More than five years.
What's my experience with pricing, setup cost, and licensing?
Price point is too high for features and throughput available.
What other advice do I have?
Overall, this is a legacy product.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Network & Data Communication Engineer at a tech services company with 201-500 employees
Most valuable features are Security, Routing and NAT.
What is most valuable?
Security, Routing and NAT.
How has it helped my organization?
Gives flexibility and several deployment options.
What needs improvement?
Some default inspection rules need better tuning. Focus development on CLI version.
For how long have I used the solution?
11 years.
What do I think about the stability of the solution?
Rarely.
What do I think about the scalability of the solution?
Yes, before Clustering was introduced.
How are customer service and technical support?
Nine out of 10.
Which solution did I use previously and why did I switch?
Yes. We changed for no special reason, just to mix things up.
How was the initial setup?
Yes, but you need to read and understand how the device functions before deployment.
What's my experience with pricing, setup cost, and licensing?
Like with all vendors, know what options you require and request the proper license accordingly. Prices are on the same level as competitors.
Which other solutions did I evaluate?
Not really, as all firewalls do most of what enterprises look for. What matters most is the after sales support.
What other advice do I have?
Read, read, read and understand your requirements beforehand.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Telecommunications Manager at a financial services firm with 1,001-5,000 employees
The front page of device manager is the most valuable feature. We suffered an attack and the firewall was down repeatedly.
What is most valuable?
The front page of device manager is the most valuable feature because it makes it easy to know the system status.
How has it helped my organization?
It’s hard to say because our equipment was EoS.
For how long have I used the solution?
I have used Cisco ASA for three years.
What do I think about the stability of the solution?
We suffered an attack and the firewall was down repeatedly.
What do I think about the scalability of the solution?
We have to buy more licenses to get more VPN connections.
How are customer service and technical support?
I rate support 7/10.
Which solution did I use previously and why did I switch?
We didn’t have a previous solution. I actually searched after another solution.
How was the initial setup?
Setup was complex because we had not taken a course previously.
What's my experience with pricing, setup cost, and licensing?
Sincerely, I prefer other products with no limit on licensing of VPNs, for example.
What other advice do I have?
You have to find more confidentiality, integrity and availability.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
In our POC we have found that Cisco does not provide Centralized Firewall Policy Manager in cloud. We have to buy appliance only.