Cisco Secure Firewall Reviews

Cisco ASA is born as an hardware firewall. The user case is security check on company's external connections (Internet and VPN access).

Most recent versions include antivirus and intrusion prevention to add security layers (including the above scenarios and the internal network) 

Cisco ASA have been the main security device for many years, slowly replaced with Check Point on the main datacentre.

ASA is stable and with a low level of work required on the maintenance side. It is a dedicated firewall, so you do not have to manage additional topics like spam, web sites filtering and so on.The routing part is high level as usual with Cisco products.  

You have to know the ASA command line very well because not all operations are available in the graphical interface (or let's say that sometimes it is better to operate with the ASA CLI).If you are searching for an "all in one product" it is not for you

No, stability is a really strong point with ASA.

No, an assessment about the workload is important to select the right device.

Over many year, the only kind of support we needed directly from Cisco was (really seldom) for parts replacement

The previous solution was based on software firewalls that where not able to perform as the Cisco ASA

Setup of a firewall, on a medium / large deployment is always a complex work.

Cisco ASA (more than other vendors' solutions) require a lot of know-how and real world expertise to be configured properly.

More than one external team (Cisco partners) has been involved over time.

All of them were outstanding in their work.

Positive. The devices serves thousands of users for many years, outliving other vendors solutions.

Cisco devices are for sure costly and budget could be an important constrain on selecting them as our security solution. 

When the choice was made, some comparison was made with other market leaders but integration with the existing Cisco network was a really important positive side in the final decision.

ASA is one of the the state-of-the-art firewall devices for security.
It is affordable and not too complicated to use if you are doing standard operations (modifying ACLs, natting and so on) on an existing deployment.

The user interface of the Prime Security Manager is, well, prime and one of the best pieces of software I have seen from them, and the features are on par if not better than what their competitors offer.

Cisco has done a nice job of integrating global IP reputation management into the firewall with its Security Intelligence and Operations module for insights and malware collection.

Prime manager is just for the CX line for now. CX features also add about a 30% overhead on throughput.

I enjoy the interface of Cisco products, especially the CLI version. I think the IPS feature in the product is best compared to products of other vendors. All the IPS features can be accessed from a separate interface, e.g., Cisco IDM.

We are an educational institute, and we are required to block many websites that are not suitable for students and teachers. Most of the sites, like YouTube uses an https version, thus blocking with IP address was becoming problematic. Moreover, certificate domains for Gmail and YouTube are the same. But the IPS feature in this product helps us to overcome this limitation.

Pricing of this product needs improvement.

I have used this solution for two years.

I did not encounter any issues with stability.

I did not encounter any issues with scalability.

I would give technical support a rating of a nine out of 10.

I worked with Cyberoam and Fortinet UTM at my previous job. When I joined my present company, they were already using the Cisco ASA solution. But my present company may switch to other vendors, especially Fortinet, because of the license renewal price.

As I enjoy working on CLI, I would say that the initial setup was not complex.

License and appliance costs are more expensive as compared to other vendors on the market.

If your company is small or mid-range, it is better to go with other vendors, because of the pricing.

The ASA 55-x range is a solid and reliable firewall. It secures the traffic for normal purposes.

If you ask how a firewall can improve our business: It can’t. It is securing our business IT network.

But if you want to know what the ASA5520 can do to secure our network:
Not much more than any firewall. It is a solid port firewall, nothing more, nothing less.

The Cisco ASDM management tool was helpful.

Firewalls, in general, were not really designed for normal IT personnel, but for firewall and network experts. Therefore, they missed a lot of options and did not provide any good reporting or improvement options.

For example, to update or add a feature, you end up buying new support and licenses. The process is complex and changes so rapidly that you won't find a salesperson who will offer you the right products.

New generation firewalls are cloud managed or provide a good interface. They integrate into the environment. They are application aware and come with security features that are especially designed for the purpose.

There were no stability issues.

You need to buy a new product if you want to scale. I once tried to put in another network card and ended up in a support nightmare. I had to buy more support, licenses, and it was more expensive than buying a new one.

Customer Service:

Customer service is non-existent. You need to go through a very complex and annoying approval system before you can get any help. The support then gets asked a question and you get one word answers. It takes you hours to find out what version of an update you need to install, and then another day to find out how to install it.

Technical Support:

I would give technical support a rating of zero out of 10. It is clear that Cisco is not for the end-customer, but rather for resellers and providers. They might have better contracts and get more technical support.

I usually have to take what is there. If I had a choice, I would now take something newer.

You can start very easy and set up the network cards, but it also has many traps to find out the right setting for your environment.

For example, you need fixed network settings on your switch to connect with full duplex 100Mb/s. There is no autonegotiation nor other settings. This is the same problem with the WAN connection. You need to know exactly what to configure to match the WAN, or it will not work.

I once had support from a reseller and once from a provider. Both depended on the level of the person you speak with. Most have some knowledge.

Once installed, they last a long time. I would recommend replacing them after some years to get better security features.

If you look for user internet access, many new products can help with filtering and rules or procedures, like Meraki. This replaces the purpose of proxy servers.

If you have to secure web servers from the internet, you need a decent firewall with web features to process the requests and redirect traffic to web servers.

Cisco is no longer the only vendor offering these features. With Microsoft TMG out of the race, others have to push in. But firewalls are also no longer the first frontier of security. Cloud services are in there as well.

I had no choice.

Get someone to help you plan and set up the firewall concept, as well as the initial setup and testing. Waiting for later is not the time to test or change anything without an outage.

Classic ASA features such as NAT, Stateful Firewall, and VPN are basic functions for average organizations, but next generation features such as the granular control of port hopping applications, IPs, and malware protection are mandatory, considering current advanced security threats.

One of the most valuable features is the correlation of events, including the path that a file takes in the network and its integration with the endpoint protection. This gives you the chance to take some actions in the case a breach happens.

Visibility in the network traffic.

Management console – Firesight Management Center.

When deploying Cisco FMC versions 6.0 and 6.1, some issues may appear when trying to register ASA sensors. The problem needs Cisco TAC involvement, adding more effort and time. I guess this will be fixed in version 6.2.

I've used this solution for three to five years.

Some releases of the unified image (FTD – Firepower Threat Defense – Cisco ASA + Sourcefire IPS) are not very stable, but things are getting improved.

Some clustering functions are not available in the unified image.

Excellent.

Old ASA 5500. Natural upgrade to next generation functions.

Initial setup is pretty straightforward.

The licensing model has been simplified and is easy to understand. The price is higher compared to UTM solutions, such as Fortinet, but in the same range as Checkpoint and Palo Alto.

We also work with Palo Alto Networks, Fortinet, FireEye, and some other vendors.

Take a look at the features included in the unified image. Some classic ASA functionality has not been integrated yet, go for non-unified image if the deployment requires something that is not available – classic ASA iOS plus Sourcefire code.

Cisco ASAs are great network firewalls and they can work for years after being configured. The best features are NAT, transport-layer inspections, and VPN.

With ASAs, we can keep operational expenses as low as possible. Disaster risks should be observed as usual, but this is definitely not the weak point.

I would like to see new SW versions being more stable and HW performance increase. However, the new 2000 series has high performance, but it is not shipped widely so far.

I started using Cisco firewalls when old PIX models were produced. I then observed all model changes. This makes about 10 years of continuous experience.

There are no real stability issues, if upgrades are done carefully.

I believe scalability issues are caused by poor design.

Cisco technical support makes a good impression most of the time.

Some of my customers switched from ZyXel to Cisco and this is an obvious decision for me. It will be much harder to imagine a customer replacing Check Point or Fortinet with Cisco.

The initial setup should not be left to the customer. The best way to do this is to make a basic setup and integration along with cabling and power-up, then verifying requirements and adjusting the configuration.

Basic features and IPs can work without subscriptions. All next-generation features require per-year payments. Enterprise customers usually agree with price and license fees, so I don't see any painful issues with pricing and licensing.

I compared Cisco with Fortinet, Checkpoint, and DIY solutions.

All you need to succeed is careful design, professional setup, and a support contract.

VPN (site to site VPN and remote access ), NAT policies, modular policy framework, detailed troubleshooting methods.

The throughput and reliability of the product improve the network stability of our organization.

Area : URL filtering and content filtering.

When Cisco ASA is presented as an enterprise firewall, that should be capable doing IPS/IDS, firewalling, VPN concentrator, application filtering, URL filtering and content filtering.

Of course, the last three technologies can do by a proxy. But nowadays, all next generation firewalls like Fortinet, Check Point, and Palo Alto are each bundling the UTM features into a single box with multiple separate content processors (hardware) to do these jobs.

This would enable single pane glass for management. No need to look at different devices for change management and troubleshooting.

I would say Cisco ASA is the best except for its URL and content filtering module. And these modules in ASA are not straightforward, rather complex in managing the device.

I've been using this solution since 2007.

No.

All product-based firewalls will encounter scalability issues. The firewall sizing is important during the sizing.

Good.

I used to work with most of the hardware firewalls, Cisco ASA is reliable and few technologies are good enough to compete for the market (VPN, Modular policy framework, NAT, etc.).

Straightforward -- console or via the interface.

Expensive when compared to other products.

Yes, all.

If you are looking into implementing VPN or advanced features, I recommend using this product. URL or content filtering is not good as much as the NGFWs are.

I have 15 years’ experience with Cisco products and I've had very, very little problems with them. Also, for resolving appeared issues Cisco was a good partner.

Crescendo (www.crescendo.ro) is an IT&C integrator and this product (based on Cisco Partnership) helped us to grow our business, and Cisco ASA was one of most sold product in our solutions portfolio.

Stability, high availability of services, and very high MTBU were the most valuable features for me -- because in my work as network and security consultant, it is very important to guarantee to my customer the security of his business.

The ability to integrate (as options) all-in-one features -- like anti-spam, anti-virus, etc.

With Cisco ASA firewall, no.

No. Based on their recent acquisition of Firepower, Cisco added "multi 10Gbps" NGFW performance in their solutions portfolio, which can be used by us, as a Gold Partner with Advance Security Architecture Specialization, in our network architecture proposals.

Very satisfied.

I haven' t used another solution.

Initial setup was very straightforward because the training and certification provided by the vendor helped us to solve rapidly any configuration issues.

To discuss with Cisco Systems or their partners to gain the optimal price and to not consider, without verifying, the false information that Cisco ASA is very expensive.

We evaluated other solutions, like Fortinet, HPE, Juniper, Check Point, but Cisco ASA was what we need.

To test the product in their network and to evaluate other products. I am sure that the Cisco ASA Firewall will be the winner.

Our complete relationship is based on the following partner competencies:
Certifications:

• Gold Certified Partner
Specializations:
• Advanced Collaboration Architecture Specialization
• Advanced Data Center Architecture Specialization
• Advanced Enterprise Networks Architecture Specialization
• Advanced Security Architecture Specialization

Cloud Partners:
• Storage: EMC
• Virtualization: VMware
• Cloud Management: VMware
• Cloud Professional Services
• SaaS Simple Resale

Other Authorizations:
• Registered Partner
• Cisco Certified Refurbished Equipment
• Cisco Developer Network Cisco Products Marketplace
• Cisco Meeting Server formerly Acano
• PSPP Defense
• Smart Care Registered Partner
• ATP - Unified Contact Center Enterprise

Partner since:

• More than 10 years