Cisco Secure Firewall Reviews

We are currently using the Cisco Firepower 2140 model because it fits our sizing and performance needs.

We use Cisco Secure Firewall as the internal firewall to protect our retail PCI networks from the rest of the corporate business.

We are a global company, and we have multiple data centers. There are two in Europe, and we deployed Cisco Firepower in all of our worldwide data centers. In each region in the world, we have two data centers with Cisco Firepower to separate retail from corporate and Firepower for IPS services. This solution protects around 1,500 stores, and our corporate office has around 10,000 people.

I like the basic firewall features. We use Cisco Firepower to separate PCI from corporate, so we're not using it at the edge. If we were to use Firepower at the edge, then we would enable other features like IDS and SSL inspection. However, since we only use it as an internal firewall, plain level-four firewalling is enough for us.

Cisco Firepower is useful for securing our infrastructure from end to end so that we can detect and remediate any threats. I like the Cisco products because they are very stable and what you see is what you get. There are no vague or gray areas. We log all of our logs to Splunk, for example, and everything we see in Splunk is very useful. Finding errors or finding reasons why something is or is not working is very easy.

This solution helped to free up our IT staff's time so that they can focus on other projects. The management platform makes deployment and management, that is, day-to-day changes, very easy.

Cisco Firepower saved our organization's time because it has role-based access. We can give some engineers the ability to do day-to-day tasks and give more experienced engineers more in-depth tasks.

We have been able to consolidate our tools and applications. The FTD tool also manages our Firepower IDS nodes. As a result, we have a consolidated single pane of glass for all of our Cisco Firepower security tools.

We use the FTD management platform for the boxes. The GUI that manages multiple Firepower boxes could be improved so that the user experience is better.

We have been using Cisco Firewall for the last 15 years. We started off using Cisco ASA and have now migrated to Cisco Firepower.

The stability is very good; there's no vagueness. Either it works or it doesn't, and it's also very easy to find out why.

There haven't been any performance issues. We run HA clusters and don't do multiple clusters for scaling. We scale the boxes to our performance needs. We have nine staff members who work with this solution.

Cisco's technical support staff have always been helpful and have been able to solve our issues. I would rate them a nine out of ten.

Positive

We used Cisco ASAs, and they were all individually managed. We went from individually managed IDS and Firepower IDS solutions to this consolidated single management platform.

We chose Cisco Firewall over competing solutions because what you see is what you get. We liked that the changes are immediate. The way the logs come into our Splunk system gives us a good feeling about the stability and performance of Cisco products.

We have seen an ROI. Compared to that of other vendors, Cisco's pricing is in a good range. We use Cisco products for their complete lifespan. With the support context that we have, we also know what we spend over the lifetime of the solution.

The pricing of Cisco's boxes is pretty good.

My advice would be to talk to people who work with different vendors and get some hands-on experience. Don't just listen to or look at sales documents. See whether the performance actually matches that mentioned in the sales documents. Check with other competitors for hands-on experience as well.

I would give Cisco Secure Firewall an overall rating of eight out of ten because I'm not 100% happy with the management dashboard.

We use the Firepower as a perimeter firewall to protect from the outside network.

We are using Firepower to protect a number of services.

We are using it in a dynamic environment. This is important for our company's policies. The dynamic policy capabilities enable tight integration with Secure Workload at the application workload level.

The most valuable feature is the IPS. We also like the AnyConnect feature.

We monitor daily the final inspection activities and intelligence on Firepower. We also send logs from Firepower to our monitoring server, which is a nice feature.

The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement.

Services from the outside, like financial services that are critical, should be protected by the NGFW. There are cyber attacks on these services. Therefore, adding this NGFW in front of those services will reduce our costs for cyber crime.

We started using this next-generation firewall two years ago.

It is stable, but there are issues with the hybrid when you do the activation.

It is scalable. All our users utilize this firewall. We have more than 30,000 users who are end users, admins, and developers.

Cisco technical support team is perfect in their specific area, but they could improve their support for Cisco integration issues between products. I would rate them as eight out of 10.

Positive

We were previously using Cisco ASA for eight years. Now, we are using Firepower NGFW. We hope to continue using this product in the future, as long as there are no discouraging issues.

We are also using Check Point in conjunction with Cisco. We use Checkpoint for our internal networks and Secure Firewall for our outside network.

Installation wasn't that difficult, but there were some challenges on the integration. Sometimes, we face issues from the integration between another Cisco product's API and Firepower NGFW. We just integrated with our existing networks.

The firewall takes no more than two weeks to install. The integration with the API takes about six months.

We implemented ourselves. 

Two technical guys deployed it and now maintain it.

If we didn't use this NGFW, our company might have been charged by a number of attackers. Therefore, the firewall reduces our costs and operational expenses by around 40%.

Since the product is stable, we do not have to spend additional money to buy other firewalls. Once deployed, we can use the product for a long time. Thus, it is cost effective.

Pricing for Cisco is expensive. There are additional costs for the licensing part, support, and even the hardware part. The device cost is very high. I would be very happy with an improvement on the price.

From the user perspective, the reporting and other features are easy to use and user-friendly, but the Control feature of Firepower needs improvement, especially when comparing Firepower to Check Point NGFW.

For digital banking, this solution's firewalls have greatly improved our economy. Most enterprises in our country are using Cisco products because Cisco has worldwide support and cable devices.

I would rate this solution as eight out of 10.

I am an IT administrator and my job is probably 80% security analyst. We are a HIPAA environment, so we're a regulated industry and my job is to keep us from being breached. It's extremely difficult and an ever-changing, evolving problem. As such, I spend a couple of hours a day just reading everything threat report from every source I can get. 

We have a pair of 2110 models, with high availability set up.

There are multiple licenses that you can get with this firewall, and we subscribe to all three. A few months ago, we made the decision to do an enterprise agreement just because of the amount of security software we have. We subscribe to the threat, the URL, and the malware licensing. We use it for IPS, URL blocking, IP blocking, and domain blocking.

We've embraced the Cisco ecosystem primarily because I think they made some very intelligent acquisitions. We talk about security and depth and they've really done a good job of targeting their acquisition of OpenDNS Umbrella. It's all part of our ecosystem.

I take the firewall information and using SecureX, Cisco Threat Response, AMP for Endpoints, and Umbrella, I'm able to aggregate all that data with what I'm getting from the firewalls and from our email security, all into one location. From my perspective, being a medium-sized organization, threat hunting can be extremely difficult.

This product enriches all of the threat data, which I am able to see in one place.

There's nothing I personally have needed to do that I haven't been able to do with the firewall. It integrates so tightly into how I spend the majority of my day, which is threat response.

Much of this depends on any given organization's use case, but because I was an early adapter of Cisco Threat Response and was able to start pulling that data into it, and aggregate that with all of my other data. As I'm doing threat hunting, rather than jump into the firewall and look in the firewall at events, I'm able to pull that directly into Threat Response.

The ability to see the correlation of different event types in one place, these firewalls have definitely enriched that. You have Umbrella, but there are so many different attack types that it's good to have the DNS inspection at the firewall on the edge level too. So, the ability to take all of that firewall data and ingest it directly via SecureX and into our SIEM, where I have other threat feeds, including third-party thread feeds, gives our SIEM the ability to look at the firewall data as well. It lends to the whole concept of layering, where you don't have to have all of your eggs in one basket.

With our Rapid7 solution, I'm able to take the firewall data and dump it into our SIEM. The SIEM is using its threat feeds, as well as the threat feeds that are coming from Cisco Talos. In fact, I have other ones coming into the SIEM as well. So, I'm able to also make sure that something's not missed on the Talos side because it's getting dumped into our SIEM at the same time. All of this is easy to set up and in fact, I can automate it because I can get the threat data from the firewall.

In terms of its ability to future-proof our security strategy, every update they've done makes sense. We've been using one flavor or another of Cisco firewall products for a long time. Although I have friends that live and die by Fortinet or Palo Alto, I've never personally felt that I'm wanting for features.

We get the Security Intelligence Feeds refreshed every hour from Talos, which from my understanding is that they're the largest intelligence Security Intelligence Group outside of the government. My experience with Talos has been, they're pretty on top of things. Another driving factor towards Cisco: We get feeds every hour, automatically refreshed, and updated into the firewall.

If I had to rely on one security intelligence, which I wouldn't, but if I had to, I'm sure it would be Talos. The fact that it gets hourly updates from Talos gives me some peace of mind.

The real strength for the Cisco next-generation firewall is it'll do pretty much anything you want it to do, although it requires expertise and proper implementation. It's not an off-the-shelf product. For instance, there are some firewalls that may be easier to set up because they don't have the complexity, but at the same time, they don't have the feature set that the Cisco firewall has.

The firewall does DNS inspection, and you can create policies there.

The firewall integrates seamlessly and fully with our SIEM. We use a Rapid7 SIEM inside IDR and it now integrates seamlessly with that. Cisco's doing a lot more with APIs and automation, which we've been leveraging.

In terms of application visibility and control, I used the firewall and I also use Umbrella, but it depends on what it is that I'm seeing. One component that I use is network discovery. When you configure the policy properly, it'll go out and do network discovery so you're not loading up a bunch of rules you don't necessarily need. Instead, you're targeting rules that Cisco will say, "Hey, because of network discovery, we found that with this bind to whichever version server, we recommend you apply this ruleset." This is something that's been very helpful. You don't necessarily have to download every rule set, depending on your environment.

I have used it for application control. Right now, we're in the midst of doing tighter integration with ISE and the integration is very good. This is something that we would expect, given that it's a Cisco product.

I use the automated policy application and enforcement every chance I get. Using an automation approach, I would rather have a machine isolated even if it's a false positive because that can happen much faster than I can get an alert and react to it. On my end, I'm trying to automate everything that I can, and I haven't experienced a false positive yet.

Anything that's machine learning-based with automation, that's where I'm focusing a fair amount of attention. Another advantage to having Cisco is that their installed base is so huge. With machine learning, you're benefiting from that large base because the bigger their reach is, the bigger and better the dataset is for machine learning.

At some point, you have to trust that the data set is good. What's impressed me about Cisco is with all of our Cisco products, whether it's AMP or whatever, they're really putting an emphasis on automation, including workflows. For someone like me, if I get an alert in the middle of the night and I see it at 6:00 AM, it is going to be a case of valuable time lost, so anything that I can do to make my life easier, I'll definitely do it.

It would be great if some of the load times were faster. My general sense is that it's probably related to them taking a couple of different technologies and marrying them together. We are using virtual, so the way that I handled that was to throw more RAM in it, which these days, is pretty cheap. I could see some improvement with the speed of deploying policies out, although it's not terrible by any means. One thing about Cisco is whatever they're doing, it keeps getting better.

The speed of deploying policies could be improved, although it is not terrible by any means.

Another legitimate criticism of Cisco that comes to mind is that you need to make sure you've got your licensing straightened out. I haven't had any problems in a long time, but I know people that haven't used Cisco products sometimes can run into issues because they haven't figured out so-called smart licensing. Depending on the Cisco person you're working with, make sure you have all that stuff all set to go before you start the implementation.

That's an area that Cisco has been working on, I know. But licensing is a common complaint about Cisco. I suggest making sure that you have that stuff in place and you've got all your licenses all ready to go. It seems like a dumb thing, but my most common complaint about Cisco before we entered into our enterprise agreement was licensing. When it's working, it's great, but God help you if you've got a licensing problem.

They've been very reliable for us and we haven't had one fail, so we've never had to failover. That has been generally my experience with Cisco products, which is one reason that we tend to lean on Cisco hardware for switching, too. The reliability of the hardware over the years has been very good.

We have integrated these firewalls with other products, such as Cisco ISE, and it hasn't been a problem. ISE is a Cisco product so it would make sense that it integrates well, but ISE integrates with other firewalls as well.

Everything that I've done with these firewalls has been pretty seamless. We've had no downtime with them at all. They've been very rugged as we expanded usage through integration.

People knock Cisco TAC but in my experience, they have been very good. I've always found them to be extremely helpful. Friends that I have made from inside Cisco say, "Hey, you want me to look at this or that?", which is very helpful.

The big three solutions, Cisco, Fortinet, and Palo Alto, are all really good but I tend to lean on Cisco versus the others because one of their strengths, in general, is threat intelligence. When you put a bunch of security people in a room then you have a lot of consensuses, but like anything, you'll have a lot of disagreements, too.

Each of these products has its strengths and weaknesses. However, when you factor in AnyConnect, which most people will agree is state-of-the-art from a security standpoint in terms of VPN technology, especially when it's integrated with Umbrella, it plays into the firewall. But, it always comes back to configuration. Often, when you read about somebody having an attack, it's probably because they didn't set things up properly.

If you're a mom-and-pop shop, maybe you can get by with a pfSense or something like that, which I have in my house. But again, if you're in a regulated environment, you're looking at not just a firewall, you're looking at all sorts of things. The reality is, security is complicated.

Cisco gives you lots of options, which means that it can be complicated to set up. You have to know what you're doing and it's good to have somebody double-check your work. But, on the other hand, it does everything from deep packet inspection and URL filtering to whatever you want it to do, with world-class integration. It integrates with Umbrella, AnyConnect, ISE, StealthWatch, and other products.

It is important to remember that a firewall is only as good as it's configured. Sometimes, people will forget to configure a policy, or they will create the rules but forget to apply them. It comes back to the fact that it's a professional product and it's only as good as the person who's using it.

I do some security consulting and I've seen many misconfigurations. People will write a Rule Set but forget to apply it to a policy, for example. There is no foolproof product and I think it is a challenge to say, "Wow, this firewall is better than that firewall." These things are complex, but Cisco has always, in my mind, set many kinds of standards. I don't know any serious security person that would argue that.

Especially AnyConnect with an Umbrella module attached, I think most people would argue it's state-of-the-art. I know that I would because it allows me to do a couple of things at once. It's not just the firewall; it's AnyConnect, and it's what you can do with AnyConnect given its functionality with Umbrella. It gets kind of complicated and it depends on the use case, and some people don't need that.

Again, what makes it difficult to say something about a firewall is, the configuration possibilities are so varied and endless. How people license them is different. Some people think, "I prefer the IPS License," or whatever. But again, I think to get the strength of a Cisco firewall is just that.

I found our setup straightforward, but you don't go into it blind. You have to be clear on your requirements and you need to take the setup step-by-step. Whenever I deploy a firewall, I have a couple of people to double-check my work. These are people who only work on Cisco firewalls and they act as my proofreaders whenever I am doing a new deployment.

Cisco's documentation is very good and it's always very thorough. However, it's not for a novice, so you wouldn't want a novice setting up the firewall for an enterprise. Personally, I've never had any issues with policies not deploying properly or any other such problems.

Talking about how long it takes to deploy, it's a good weekend if it's a new deployment. It's not just clicking and you're done. I haven't installed a Fortinet product, but I can't imagine any of them are easy to install. Essentially, I found it straightforward, but it is involved. You've got to take your time with it.

You need to make sure anything you do with your networking, that you have it planned out well in advance. But once you do that, you go through the steps, which are well-documented by Cisco.

Cisco is not for a small mom-and-pop shop because of the cost, but if you're in a regulated industry where a breach could cost you a million dollars, it's a bargain. That's the way I look at it.

We also use Cisco Umbrella, and I may use features from that product, depending on where I am.

Every firewall has its pluses and minuses, but because we've taken such a layered approach and we're not relying on one thing to keep us safe, I've never really gone, "Oh, I've had it." I've heard some complaints about Cisco TAC, but generally speaking, I've been able to configure them and do whatever I need to with the Cisco firewall. There's nothing in my experience with Cisco that leads me to believe that that's going to stop.

I've always felt comfortable with every Cisco purchase we've made and every improvement they've made to it. I think they keep moving in a positive direction and they're pretty good with updates and fixes. You can have 10 people, networking people or security people, and they'll all have different takes on it. That said, I've always been very comfortable. I don't stay up at night and worry about our firewalls.

One thing to remember about Cisco is that whatever they're doing, it just keeps getting better. In my experience with Cisco, I have yet to have a product of theirs that they haven't improved over time. For example, we bought into OpenDNS Umbrella before Cisco acquired them. At the time, I was wondering whether they were going to improve it or what was going to happen with it, because you can never be sure. Again, Cisco has done nothing but improve it. It's a far more mature product than when we picked it up five or six years ago.

While not directly related to the NGFW, it speaks to Cisco's overarching vision for security, which again, I'm always looking at layers. If you're thinking that you're going to secure an environment by buying a firewall, yes, that's a really important piece of it, but it's only one piece of it.

Cisco is a company that is really open about vulnerabilities, which some people could see that as a negative but I see as a positive. I do security all the time, so I'm always going to be paranoid. That said, I've spent so much time doing this stuff that I've developed a lot of trust in Cisco. Again, I think there are other great products out there, but Cisco has made it really easy to integrate stuff into this ecosystem where you have multiple layers of not perfect, but state-of-the-art enterprise security.

My advice for anybody who is implementing this solution is, first of all, to know what you're doing. If you're not sure then get somebody that does. However, I would say that's probably true of any firewall. If your business relies on it, have all of your information ready beforehand, it's just all the straightforward stuff that any security person needs.

In summary, I think what I can say about them is there's nothing I needed to do that I haven't been able to do. I have incredible visibility into everything that's happening. We continue to leverage more features, to use it in different ways, and we haven't run into any limitations. I cannot say that the product is perfect, however, and I would deduct a mark for the interface loading. It's not terrible but sometimes, especially when you're doing the setup, it can chug away for a while. Considering what the device does, I think that it's a small complaint.

I would rate this solution a nine out of ten.

I'm a Cybersecurity Designer working for a financial services company in London, England with about 4,500 employees. We've been using Cisco Secure Firewall for about a decade now.

Currently, our deployment is entirely on-premise. We do use a hybrid cloud, although we don't have any appliances in the cloud just yet, that is something that we're looking to do over the next five years. 

The primary use case is to provide the ability to silo components of our internal network. In the nature of our business, that means that we have secure enclaves within the network and we use Cisco Secure Firewall to protect those from other aspects of the network and to control access into those parts of the network. 

The greatest benefit that this has provided to our organization is that we've been able to adjust the time that it takes to implement firewall changes. It's gone from a week to less than half a day to implement a change, which means that our DevOps team can be much more agile, and there is much less overhead on the firewall team. 

I would say that the Cisco firewall has helped us to improve cyber resilience, particularly with node clustering. We're now much more confident that a firewall going offline or being subject to an attack won't impact a larger amount of the network anymore, it will be isolated to one particular element of the network. 

We use Cisco Talos to a limited extent. We are keen to explore ways that we could use more of the services that they offer. At the moment, the services that we do consume are mostly signatures for our Firepower systems, and that's proven invaluable. 

It sometimes gives us a heads-up of attacks that we might not have considered and would have written our own use cases for. But also the virtual patching function has been very helpful. When we look at Log4j, for example, it was very difficult to patch systems quickly, whereas having that intelligence built into our IDS and IPS meant that we could be confident that systems weren't being targeted. 

I would say the most valuable aspect of Cisco Secure Firewall is how scalable the solution is. If we need to spin up a new environment, we can very easily and quickly scale the number of firewall instances that are available for that environment. Using clustering, we just add a few nodes and away we go. 

In terms of time-saving or cost of ownership, the types of information that we can get out of the Cisco Secure Firewall suite of products means that our security responders and our security operations center are able to detect threats much faster and are able to respond to them in a much more comprehensive and speedy manner. 

In terms of application visibility, it's very good. There is still room for improvement, and we tend to complement the Cisco Secure Firewall with another tool link to help us do some application discovery. That said, with Firepower, we are able to do the introductory part of the discovery part natively. 

In terms of detecting and remediating threats, I would say on the whole, it is excellent. When we made the decision to go with the Cisco Secure Firewall compared to some other vendors, the integration with other third-party tools, and vulnerability management, for example, was a real benefit. It meant that we could have a single view of where those three threats were coming from and what type of threats would be realized on our network.

In recent years through the integration of Firepower threat defense to manage some of the firewalls. We were able to do away with some of our existing firewall management suite. We do still need to use some third-party tools, but that list is decreasing over time. 

In terms of ways that the firewall could be improved, third-party integration is already reasonable. We were able to integrate with our vulnerability management software, for example. 

However, I would say that when we're looking at full-stack visibility, it can be difficult to get the right information out of Firepower. For example, you may need to get a subset of it into your single pane of glass system and then refer back to Firepower, which can add time for an analyst to look at a threat or resolve a security incident. It would be nice if that integration was a little bit tighter. 

The stability of Cisco Secure Firewall was one of the primary reasons that we looked to Cisco when we were replacing our existing firewall estate. I would rate it very highly. We have not had any significant problems with outages. The systems are stable and very good. 

The scalability of the firewall is one of the main reasons why we looked to Cisco. The ability to add nodes and remove nodes from clusters has been hugely important, particularly in some of our more dynamic environments where we may need to speed up a few hundred machines just for a few days to test something and then tear it all back down again. 

Within our data centers, we have around 6,000 endpoints, and then our user estate is around 4,500 endpoints and all of that connectivity is controlled by Cisco Secure Firewall.

Tech support has been very good. There are occasions where it would be nice to be able to have a consistent engineer applied to our tickets, but on the whole, the service has been very good. We haven't had any real problems with the service. I would rate them an eight out of ten.

The areas that could be improved would be if we could have dedicated support, that would bring them up from an eight. 

Positive

Prior to using the Cisco Secure Firewall, we were using another vendor. The Secure Firewall was a big change for us. The legacy firewalls were very old and not particularly usable. We do still use another vendor's products as well. We believe in in-depth defense. 

Our perimeter firewall controls are a different vendor, and then our internal networks are the Cisco Secure Firewall. 

Comparing Cisco Secure Firewall to some other vendors, I would say that because we use a lot of other Cisco technologies, the integration piece is very good. We can get end-to-end visibility in terms of security. In terms of the cons, it can be quite difficult to manage firewall changes using the Cisco standard tools. So we do rely on third-party tools to manage that process for us. 

The firewall platform itself was not at all difficult to deploy in our environment. I would say that we do have a very complex set of requirements. So migrating the policy from our existing firewall estate to the new estate was quite difficult. The third parties helped us to achieve that. 

We've seen a good return on investment. The primary return that we have seen is fewer outages due to firewall issues, and also the time to detect and respond to security incidents has come down massively. That's been hugely useful to us. 

On a scale of one to ten, I would say Cisco Secure Firewall rates very highly. I'd give it an eight. There are still some places to improve. 

If we look at what some of the other vendors are doing, like Fortinet, for example, there are some next-gen features that it would be interesting to see introduced into the product suite. That said, there are other capabilities that other vendors do not have such as the Firepower IPS systems, which are very useful to us. On the whole, Cisco Secure Firewall is a great fit for us. 

If you were considering Cisco Secure Firewall, I would say your main considerations should be the size of your environment and how frequently it changes. If you're quite a dynamic environment that changes very frequently, then Cisco Secure Firewall is good, but you might want to consider complimenting it with some third-party tools to automate the policy distribution. 

Your other consideration should be around clustering and adding nodes quickly. If you have a dynamic environment, then it is quite hard to find a better product that can scale as quickly as the Cisco firewalls.

Our primary use cases lie mainly with high availability and the security features available doing Layer 3 routing that we would need on our internal network.

It has simplified the internal network, so we don't have to worry about one device failing and losing connectivity. High availability is always there.

Our top three features are the high-availability features, the VPN and the IPSec.

It has fantastic visibility. It's a 10 out of 10. 

Cisco Secure Firewall is fantastic at securing our infrastructure from end to end so we can detect and remediate threats. We have already caught things that have tried to get in. 

Cisco Secure Firewall has improved resilience by a huge margin. It has been a great help.

Cisco Secure Firewall has freed staff because we don't have IT staff worrying about a lot of the threats. We trust the device that we are going to catch the threat. We are going to get a notification and be able to act upon that. Cisco Secure Firewall has saved at least 25 hours a week

The newer versions have made it so that we do not have to worry about other appliances with feature sets that are already built into the Cisco firewall.

The solution has had a huge effect, especially from physical density when it comes to securing our infrastructure. A lot of people don't think about power availability and cooling aspects. You have a limit to how much power you can push, and every little bit helps. 

We chose Cisco because of its understanding, customer service, warranties, and the quality of the product

We would like to see dual power supplies for some Cisco Firewall products. Having to get an ATS in the Data Center application because there's an A+B power feed on such a vital device with high availability may be something that I want to put in there.

We have been using Cisco Firewall for the last 20 years.

The solution is very stable.

The solution is scalable because Cisco keeps up with new technology, the security application, bandwidth, optics, and the kind of speed that one can use.

Customer support has been very responsive, whether it is a hardware failure or calling for any kind of technical support.

Positive

We have seen a return on investment in the total cost of ownership.

The pricing is fair compared to competitors. Cisco is the Cadillac in its field. You get what you pay for. 

Cisco is amazing at upgrading, so even if we did have to upgrade a device, it is plug-and-play because of that availability option.

Cisco is doing a great job with all the improvements that are coming; they are allowing for GUI setups where many people aren't so used to CLI. Many of the younger grads coming into our field are more used to APIs and automation, so having that GUI feel is a lot better than CLI.

I rate the solution a ten out of ten.

Our main use case for Cisco Secure Firewall is helping clients who want to upgrade from an old firewall and move to a next-generation firewall. We also get a lot of clients who have a next-generation firewall provider, but the firewall is not up to the task. It doesn't have all the feature sets that they need, and Cisco Secure Firewall ticks those boxes.

Cisco Secure Firewall has improved our customers' security posture because it offers Next-Gen features, granularity, and reporting on the back of it. You can see the amount of users accessing Office 365, for example, and whether they're having a good or bad experience. You can see the threats that come into your network. You can see anyone who is compromised from within your network.

If customers already have Cisco solutions such as Cisco ISE, Duo, Umbrella, and Endpoint, Cisco Secure Firewall will integrate well with all of them. Our clients will be able to get more data and automate tasks. They can have Secure Firewall automatically shut things down if a threat is detected.

Without a doubt, the best features are the reporting and analytics. Some vendors provide the same feature set, but their product won't give you the power to figure out what's going on in your network. Whereas with Cisco Secure Firewall, especially with the management platform on top, you can have all of the analytics and see exactly what is going on. You can see not only the source and destination but also the application, the URL, the type of policy it's hitting, the specific rule it's hitting, and the amount of data transferred from it. Apart from that, you get all of the risk reports. You can see how much bad stuff is coming into the network at present and whether there's anything you need to act on immediately. That data is at your fingertips, and it's by far the best feature and the best selling point of Cisco Secure Firewall.

Cisco Secure Firewall has reduced our clients' mean time to repair because they are able to find possible issues quickly. The power of the reporting, the dashboards, and all of the analytics in the background also helps to alert and quickly act on the threat.

My impression of Cisco Talos is that it's well-regarded in the industry. Cisco is so well regarded that we know their security intelligence is up-to-date. Our clients have peace of mind because they have Cisco Talos in the background and know that Cisco Secure Firewall is up-to-date with the latest threats. They can be sure that they're acting on the best available data.

I would like to see more configurable feature parity with Cisco ASA, which is the legacy product that Cisco is moving away from. When configuring remote access VPN, not all of the options are there. You have to download another tool, which means that the configuration takes a little bit longer with Cisco Secure Firewall. Though it's getting there, there are still some features lagging behind.

We've been offering Cisco Secure Firewall since its first iteration 10 years ago.

We are resellers, and the value we add to our customers as resellers is our knowledge. We have 10 years' worth of experience deploying Cisco Secure Firewall. We can deploy it the correct way. We also know whether you would need the management platform, the level of licensing you may require, and the number of VPN licenses you may need. We add value by knowing how the solution should be deployed and installed in a network.

Secure Firewall's stability is good. I think the management platform needs a little bit of work. It's not as robust from a stability point of view. Deployment times of configuration have got better over the years, but there's still some work needed so that it deploys every time when you click that button.

The scalability of Cisco Secure Firewall is really good. That's down to the management platform and the way it structures your access policies, what allows traffic in and what allows traffic out. You can easily add multiple regions, locations, and types of firewalls to the management platform. As soon as you do, they get all of those policies. Previously, you'd have had to configure each one time and time again. With this version, you import it, and it's ready to go. Thus, for scalability it's easy.

Cisco's technical support across all their products is always good and reliable. If someone says they're going to get back to you in four hours, they do. They're always there with the right level of support. If we need a Secure Firewall engineer, that's whom we'll get. We won't get someone who's never seen the product before. As far as vendors go, Cisco's technical support is probably the gold standard. I would rate them at ten out of ten.

Positive

Secure Firewall is more complex to deploy than previous Cisco Firewall products. However, it's not so complex that it's not achievable. There are some products out there that require a lot of reading to be able to deploy them. Cisco Secure Firewall has not reached that level yet, but it is a complex product.

Our clients' Secure Firewall deployment models are edge firewalls, internal firewalls, and, most often, perimeter firewalls. Sometimes, our clients ask us to help them with deployment because we have the experience.

We've used the Cisco Firewall migration tool quite a few times to migrate to Cisco Secure Firewall. It has come on a long way, and it's a lot better than it used to be. When it initially came in, there wasn't as much trust that the tool would give you everything you needed, but where it is now is great. If you've got a firewall that you want to migrate, you'll feel confident using the Cisco Firewall migration tool.

We spend a lot of time developing our consultants and our sales staff to know the product and learn how to sell the product. As a result, our ROI is that we get more clients deploying Cisco Secure Firewall.

The licensing is not as complicated as that for some other Cisco products. There are a couple of tiers of licensing, but the price point is a little too high for the market. There are other vendors that come in lower and offer more for fewer licensing options. They may offer URL filtering or malware filtering with a single license rather than requiring two or three licenses. I think Cisco could do a bit more in this area.

I deal with a lot of other vendors who also offer the same features, but Cisco Secure Firewall stands out on the analytics. It is the best for analytics and getting the reporting data.

If you're a client evaluating Cisco Secure Firewall, my advice would be to put real-world data through it to get useful data out of it. You can't see the benefits of the solution if you just turn it on and look at the device as it is. It's when you see the traffic going through it that you'll see the power of the analytics and reporting and the event data that comes through. A technical team member will understand how much easier it's going to be to troubleshoot with this platform compared to that with any other platform they've had before. With regard to reporting, a report on how many malware attacks have occurred in a particular month takes one click to generate. That data can be stored for a long time.

Overall, I would rate Cisco Secure Firewall an eight out of ten because of the feature parity. It's not quite there in terms of being able to do everything on the GUI platform. The price point is still a bit too high as well.

We are an insurance company. The core of what we do is service. We manage people and security. We have all the implementation for security. 

We have one ERP running on-prem and another one is running on the GCP cloud. We have a cloud service that runs that ERP on GCP. Our other service is running with Microsoft 365. So, we have an in-house AD that syncs with the cloud AD, but it is the firewall that is managing the communication process in between. The on-prem AD sync with the cloud AD is managed by the firewall. It is like a gateway. 

A vendor implemented this system for us to use and manage the process. We have an integration with the GCP. We've integrated this system with our network in such a way that you cannot access the GCP applications or infrastructure if you are not on-premises. This integration with the GCP and our virtual network online has been done locally.

In general, the management of our infrastructure is now easy. I can manage remotely. I can manage on-prem. I can always log in. I have a couple of users who work remotely via VPN because of the license. Not everybody works remotely in my organization. For people who work remotely, we have licenses for them to log in remotely from where they are and use the service. So, managing people, resources, and devices is easy. It has been a good experience. I don't intend to change it because it's giving me the service I need.

In terms of money, it has saved a lot of money. A lot of other organizations that don't have this kind of easy-to-manage layer of security are going through different kinds of attacks. We have a culture of being careful, even though you cannot be a hundred percent careful. When I hear that people have some security issues, I come and check my devices, and I notice that my firewall has actually blocked a lot of things. It gives me rest and peace. So, it saves a lot when you consider the cost of the organization's operations going down, even for one, two, or three hours. We would lose a lot if that happens. It probably saves us over a million dollars a year. The investment is totally worth it.

Our network is a little bit flat. We have a load balancer before getting into our network. We have configured the load balancer on the device itself. We have two major service providers. We have a core business application, and there are some people who use the core business application. We also have some light users. We have set up criteria to give priority to the people who use the core business application. I have a provider that gives me 300 MB to 500 MB, and I have another provider that gives me 20 MB to 25 MB as a backup. I have set priority based on the usage. If you're using the core business application, it pushes you to the fast network. Otherwise, it sends you to the other network. All that has been done on the firewall. It has been very good for this. I have no complaints.

It enables us to implement dynamic policies for dynamic environments, which is important for us. We can control the network based on different kinds of users. We can quickly and easily define the policies. We can set priorities based on different applications, systems, and users on our network.

Its security and filtering are most valuable. Every layer of data that comes into the organization goes through it. After setting up the criteria, it automatically filters the traffic. We don't have to check it often. Sometimes, when users complain that they are not able to see a particular thing, we log in to check the scan and see what it has scanned and filtered. It is usually something it has filtered out. It works perfectly.

It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive. 

I have been using this solution for about three to four years.

It is very stable. I've not had any thought of reconfiguring it. I have just applied my criteria, and I'm good.

Scalability is not a problem because I still have a span of five to seven more years. After that, I might have to go for a bigger device. For now, I have no issues. I can scale up or down. I'm good with that.

Their support is very good. We had an issue where the OS got corrupted. We got Cisco to log in. They did the reset on it, reformatted it, and sent it back to us. Because of the subscription we have with Cisco, we got a copy back in no time. We're now good. We've not been calling their tech support very often. We only call them when we have a very serious issue. I would rate them a nine out of ten.

Positive

It wasn't simple. Its implementation doesn't take much time, but we had to get a consultant in. Implementing a Cisco solution from scratch is harder than implementing FortiGate. With FortiGate, I can do my implementation and put all the criteria easily, but with Cisco, I need to do a lot more research, and I need to get someone to help me, but after implementation, it just works.

We had a consultant from a local vendor here called Incognito. Our experience with him was good. I can refer him to anybody.

When we have issues and we need improvement, he comes in. There was a time we noticed that we had lag on our network. We were trying to figure out the cause for it. We were using two service providers but the same backbone. We called him to make the required modifications.

It is more expensive than the other solutions. 

I'm the CIO here. When I came here, I did an audit of the IT infrastructure to see what was there. I looked at what was existing and thought of improvement. I got in all the vendors and had a meeting with them. I also got in a Cisco vendor and sat down with him and told him about the implementation I wanted. Because of the cost, I didn't change any equipment. So, he did the implementation. At any other place, I would look at the users and implement what is easy for them to manage. For a big enterprise with a whole crew, I would definitely consider Cisco. For any other place, I would go for Fortinet. Cisco is harder to implement and manage, but its stability is good. It is also more expensive. There are other cheaper solutions I would have gone for, but I had to focus on what was existing and improve. I had to make sure I worked with what was existing. We also have Cisco switches.

What it's been configured to do, it does it well. I would rate this solution a nine out of ten.

We were looking to consolidate some of our equipment and technology. When we switched over, ASA was a little bit more versatile as firewalls or VPN concentrators. So, we were able to use the same technology to solve multiple use cases.

We have data centers across the United States as well as AWS and Azure. 

We use it at multiple locations. We have sites in Dallas and Nashville. So, we have them at all our locations as either a VPN concentrator or an actual firewall.

Cybersecurity resilience is very much important for our organization. We are in the healthcare insurance industry, so we have a lot of customer data that goes through our data center for multiple government contracts. Making sure that data is secure is good for the company and beneficial to the customer.

It provides the overall management of my entire enterprise with an ease of transitioning. We have always been a Cisco environment. So, it was easy to transition from what we had to the latest version without a lot of new training.

• Speed
• Its capabilities
• Versatility

When we first got it, we were doing individual configuring. Now, there is a way to manage from one location. We can control all our policies and upgrades with a push instead of having to touch every single piece.

We have been using ASAs for quite a number of years now. 

We have other things around it going down, but we really don't have an issue with our ASAs going down. They are excellent for what we have.

There is rarely maintenance. We have our pushes for updates and vulnerabilities, but we have never really had an issue. 

It is very scalable with the ability to virtualize, which is really easy. We do it during our maintenance window. Now, if we plan it, we know what we are doing. We can spin up another virtual machine and keep moving. 

The technical support is excellent. I would rate it as 10 out of 10. When there has been an issue, we have had a good response from them.

Positive

We were previously using a Cisco product. We replaced them awhile back when I first started, and we have been working with ASAs ever since.

We did have Junipers in our environment, then we transitioned. We still have a mix because some of our contracts have to be split between vendors and different tiers. Now, we mostly have Apollos and ASAs in our environment.

I was involved with the upgrades. Our main firewall was a Cisco module, so we integrated from that because of ASA limitations. This gave us a better benefit.

The deployment was a little complex at first because we were so used to the one-to-one. Being able to consolidate into a single piece of hardware was a little difficult at first, but once we got past the first part, we were good.

We have seen ROI. When I first started, everything was physical and one-to-one. Now, with virtualization, we are able to leverage a piece of hardware and use it in multiple environments. That was definitely a return on investment right out of the gate.

The licensing has definitely improved and got a lot easier. It is customizable depending on what the customer needs, which is a good benefit, instead of just a broad license that everybody has to pay.

It is a good product. I would rate it as 10 out of 10.

Resilience is a definite must. You need to have it because, as we say, "The bad guys are getting worse every day. They are attacking, and they don't care." Therefore, we need to make sure that our customers' data and our data is secure.

It depends on what you need. If there is not a need for multiple vendors or pieces of equipment per contract, you should definitely look at what ASAs could be used for. If you are splitting, you can consolidate using this product.