Cisco Secure Firewall Reviews

We mainly use it for policy-based VPNs to IPSec one of the businesses. We also use it as a firewall solution for remote VPN users. We have vendors who have access to our VPN solution, and they get a dedicated network.

We can automate the VPN. The build process and how we've standardized it makes it very easy for us to focus on other tasks. We know that an end user can push a button, and the VPN will get built. They only bring us in for troubleshooting or higher-level issues with the other vendor. Because of that program, the ability to use Cisco ASA every time, in the same way, makes our job easy.

Once we started standardizing and using the same solution, we've been able to correlate that so we know what we are doing. We can train even less experienced and newer guys to do the tasks that in turn frees up the higher-level engineers. It has cut out the VPN work for higher-level engineers. They may have been spending ten hours a week previously, and now they may spend ten hours in the quarter.

It has improved our cybersecurity resilience. It has allowed us to see some differences with partners using weaker ciphers, which allows us to validate what we're using and reevaluate it. We put exceptions in cases where we have to. The security risk team is as well aware of those, and they can essentially go back on a buy-in or see if the vendor has upgraded to plug in a security hole. It has given us that visibility to see where we are weak with our vendors.

Being able to use it as a policy-based VPN is valuable. It's very easy to understand. 

It's very easy to troubleshoot. It may be because I'm comfortable with it or because I've used it for so long, but it's easy to use for me. I don't have any problems with how to set it up or use it.

For what we use it for, it ends up being the perfect product for us, but it would help if they could expand it into some of the other areas and other use cases working with speeding up and the reliability of the pushes from the policy manager.

We've been using Cisco ASA at least for the last six years. That's how long I've been in this organization, but my organization has been using it longer. 

We don't open bugs for it. It just works for what we've used it for. The last time we opened up an ASA bug would have probably been three years ago. From a reliability standpoint of what we're using it for, it's fantastic.

We've had no problems with scaling our business. We went from using probably 200 active VPNs an hour to over 600 VPNs without blinking an eye at that.

I enjoy Cisco's tech support. Just like any tech support out there, you could get a great or fantastic engineer, or you may get somebody who has just learned, so you just have to work with it. However, working with Cisco TAC, you find less of that than you do with other companies. 

Just to give them a shout-out, whenever we hit the Australian TAC, they're absolutely fantastic. Sometimes I feel that we should wait our hours when we open a ticket just so that we get one of them. They know their stuff. They absolutely do, so whoever they're hiring there, they got to keep that up and spread that out. I'd rate them a nine out of ten.

Positive

I've worked with Check Point's firewall, and I've worked with Palo Alto's firewall. Things like packet capturing and packet tracing that I can manipulate to pretend I'm doing traffic through the firewall are a lot easier to do with ASAs than with other products.

We have other firewalls in our environment. We still use Palo Alto. We do have a little bit of a mix with Palo Alto in our environment, but in terms of VPN specifically, the way that Palo Alto does route-based VPN by default doesn't flow well with most people out there. It works great with cloud providers. Cisco can do route-based VPNs too. We have a route-based VPN solution with Cisco as well. We just use an ISR for that instead of a firewall.

I've been part of the deployment. Specifically, how NATTING and the firewalls work, that part is not difficult at all, but there are some challenges when you take any product and manipulate the order of operations, but that's not a Cisco challenge. You're pairing different information. There are some tools that usually try to help with those conversions, but most of the time, I find it just easier to develop what you need and just build it from scratch.

We implemented it on our own.

We've seen an ROI in terms of our high-level engineers having to work less on the product. I've been able to provide it to the NOC because of the use of the solution. They see value in that.

Pricing is more for my leadership, but I give them the quotes, and if they approve, they're happy. They've never wavered, so I wouldn't say it's out of the realm where they're considering another product. It must be in the direct price range for our leadership to not blink an eye when we give it to them.

To those evaluating this solution, I'd say that it's a solid product. It works. It does what we need. It gives us peace of mind to sleep at night. I'd definitely put it up there with some of the other firewalls to consider.

I'd rate Cisco ASA a nine out of ten.

One of the most important roles of Cisco Secure Firewall is as a central firewall for the internet. We use it for segmentation of the outside network, DMZ networks, inside networks, and also as an intrusion prevention system for protecting our resources from the internet. All Access Control Lists are implemented on this firewall.

These days, it's normal to require that networks be more open because of the recent changes brought about by the COVID pandemic. The need for hybrid work environments and more collaborations has made securing the network more challenging. However, Cisco offers us monitoring and configuration, and with one platform, we are able to be more flexible and be able to control our security and our network.

The security features that protect our networks are the most valuable for me and my department, as we are responsible for the security of our network. We investigate cases and analyze traffic to see what's going on. These features are also very valuable when we are investigating communication between some services in the bank and what's happening in the network.

We are very satisfied with Cisco Secure Firewall for securing our infrastructure from end to end so we can detect and remediate threats. We have not seen a lot of false positives, and we haven't seen many situations when the traffic was interrupted without a proper cause. We are confident that the signatures that Cisco Secure Firewall uses are very good and reliable. For us, this is very important because we are a relatively small security team, and we don't have much manpower to be able to analyze every signature or event. By default, Cisco Secure Firewall is reliable, and that is the most important factor for us. Cisco is a large company that invests in security, and if it has reliable signatures and processes in intrusion detection, then that is very good for us.

Implementing Cisco Secure Firewall has saved us time because we rely on most of the out-of-the-box signatures. It has reduced the time and effort spent in configuration within the security network.

We have encountered problems when implementing new signatures and new versions on our firewall. Sometimes, there is a short outage of our services, and we have not been able to understand what's going on. This is an area for improvement, and it would be good to have a way to monitor and understand why there is an outage.

We use Cisco Secure Firewall and Cisco ISE.

In general, Cisco Secure Firewall is stable. We have had problems when we automatically deployed some signatures. There have been issues with the memory of the Firewall Management Center, and we've had to reload the system.

Our company has approximately 2,500 employees and 500 devices. In terms of scalability, Cisco Secure Firewall is sufficient for our needs.

We usually work with our local partner because it's much more convenient and faster. Because of their experience, they are able to solve some of our problems or issues without Cisco's technical support. For bigger problems such as bugs, we work with Cisco's technical support.

Because we mainly work with our local partner for technical support, I would rate them at ten out of ten.

Positive

The initial setup was relatively simple for us. During migration, we used the Cisco Firewall migration tool. From our point of view, the migration tool was okay.

We have a very reliable partner who helps us with Cisco products. They helped us to deploy Cisco Secure Firewall. I think it's important for every company to have local partners with enough knowledge and experience on whom they can rely. 

Our experience working with our partner was great. They have a lot of knowledge and experience with implementation.

We have always used Cisco firewalls. Cisco products have been the standard in networking in our company for many years. This has been beneficial because some of our core IT activities are connected with Cisco. Also, it has been proven that Cisco Secure Firewall is a reliable product that can help us have stable and reliable networks and services.

We have some experience with Check Point, which we started using recently. Cisco is more hardware-oriented, and Check Point is more application-orientated. The two vendors have a slightly different approach to the same problem.

On a scale from one to ten, I would rate Cisco Secure Firewall at eight because it's a very reliable product. We can use predefined signatures and don't have to do a lot of customization. However, we have had a few small issues with the deployment of some signatures and with the availability of Firewall Management Center.

We are currently utilizing the Cisco Secure Firewall, partially due to its historical relevance and partly because Cisco continues to maintain a prominent position in providing client VPN access.

We have employed Cisco Firepower and ASA on Firepower to facilitate client VPN access and to enforce fundamental layer four security policies.

We utilize security products in central locations to provide VPN access for clients throughout Europe.

The implementation of the Cisco Secure Firewall has had a positive impact on our organization, as evidenced by our ability to use our store apps on mobile devices through AnyConnect even when Wi-Fi is unavailable. This is made possible by the utilization of 3G, 4G, or 5G internet access while maintaining a secure connection on our mobile devices.

Cisco Secure has enabled my organization to save time, as demonstrated by our ability to swiftly open new stores by utilizing applications on mobile devices without having to establish the entire infrastructure at once. The amount of time saved varies depending on the country we are operating in, ranging from weeks to months.

The most beneficial aspect of the Cisco Secure Firewall is the AnyConnect component within the firewall package, which we selected specifically for VPN usage due to its exceptional integration with various third-party devices and applications.

The overall licensing structure could improve to make the solution better.

I have been using Cisco Secure Firewall for approximately 15 years.

My experiences with the Cisco Secure Firewall support have varied. Since we access it through a partner, some issues are quickly resolved, while others require more time and effort.

I rate the support from Cisco Secure Firewall a six out of ten.

Neutral

While I have not personally utilized other security products, our organization also employs FortiGate devices and applications for security purposes alongside Cisco Secure Firewall.

Acquiring licensing for Cisco Secure Firewall can be a bit cumbersome, therefore a more straightforward licensing process would be preferable. 

The licensing process can be frustrating, as it requires selecting between on-box or per-client options and other related considerations. Simplifying this process would be beneficial.

We are using access switches, routers, catalysts, and ISR products. Additionally, we are using Cisco as a platform, which is somewhat old, and Cisco ASA on Firepower devices.

I would advise others to thoroughly evaluate their requirements before selecting a security solution. While some products may seem like an obvious choice, it is important to take the time to assess the available options and determine which one best suits your specific needs. This approach is wise and can ultimately lead to a more effective security solution.

I rate Cisco Secure Firewall a seven out of ten.

The primary use case is as one-layer protection of our OT network. The way we're set up is that we have our OT network behind the commercial network, and we do dual firewalls. We've Cisco firewalls on the commercial network side and a different vendor and a different management group on the OT network side.

It's a good solution. It's in some ways a reactive solution where we have it sitting in a whitelist mode rather than a blacklist mode. So, we are blocking everything and permitting specific things, and it seems to work fairly well for us.

It hasn't necessarily freed up the time, but it has helped in securing the infrastructure and the OT network behind it. The intent of this particular solution is not time-saving. It's not a cost solution. It's meant to isolate and control access to and from a specific set of infrastructure.

It allows us to get access. We're seeing more and more that business systems like SAP are looking to get access to OT systems, and this is how our systems get that.

It's protecting the organization against the impact of cyber threats and cybersecurity. We run manufacturing plants that have hazardous material, and we don't want that manufacturing process to be impacted by break-in exposure, cyber threats, or any other similar thing.

We would like to be able to manage a set of firewalls rather than individual firewalls. We haven't really looked into it or yet implemented it, but a single pane of glass would be helpful. We also use another vendor's firewalls, and they have a centralized management infrastructure that we have implemented, which makes it a little bit easier when you're managing lots of firewalls.

We've been using Cisco firewalls for 10 years or more.

It has been a very stable solution. If you keep it up to date and do sensible management on it, it's a very stable solution.

So far, in this use case, it has met our scalability requirements in terms of traffic and management.

We have an excellent account team, and they go to bat for us inside of Cisco. We also have access to TAC and things like Smart Net, and all that seems to go very well. It's a good team. I'd rate them a nine out of ten.

Positive

We weren't using anything similar in this particular use case. We chose Cisco because they originally came on the recommendation of our networking partner. They came in with a strong recommendation from a strong partner.

I wasn't involved in its deployment. That was before I started working in this space.

In this specific use case, the biggest return on investment is that we do not have incidents, and this ultimately, in some of our factories, ends up being a health and human-safety use case.

We've gone to all smart licensing, so that works well. 

Understand what you're trying to protect and what you're trying to protect it from, and then also understand how the solution is managed.

I'd rate Cisco Secure Firewall a nine out of ten.

We started with the old ASA 5510 and migrated to Firepower, first using ASA as the basic operating system. Lately, we've been using FTD because it simplifies operations a lot. We are a very small networking team, and being able to push one policy to many firewalls eases our workload.

We are a global company, and we don't always have IT staff in all corners of the world. Therefore, having one place to do everything is very nice.

Cisco Secure Firewall has made it easier so that more than one person can handle things. We are able to have a bigger team that can handle simple tasks and have a smaller team focus on the deep-dive needs.

We have the same basic policies everywhere now, which makes it more flexible for us to manage.

I like the central management and IPS features. Having everything in one place is very valuable.

Cisco Secure Firewall is very good at detecting threats. We see a lot getting blocked by the IPS in our DMZ, that is, our internet-facing web service.

It helped free up IT staff time. Before, we would have to manually configure every single firewall. Every time we configure something on a firewall, it takes five to ten minutes, and we have more than 50 firewalls around the globe. We do changes every week, and the automated policy and upgrades saved us a lot of time.

In terms of the organization, we have been able to save time by getting things out faster. However, the only downside is that the policy push takes quite a while. Thus, a quick fix still takes at least 15 minutes, and troubleshooting can take time as well.

Some of our problems are related to software updates in remote sites where the internet connection is not stable. Sometimes, the image push just gets disrupted and fails.

The most annoying thing is having to replace the hardware so often. It's very difficult for us to do.

The integration between different tools could be improved. For example, with SecureX, I am yet to find out how to forward security events to different tools such as Microsoft Sentinel, which is what we use for log detection.

We've been using Cisco Secure Firewalls for a very long time.

We had to get in touch with technical support a few times, and our experience was good. I would give them a rating of nine out of ten. 

Positive

The initial deployment is easy, and I have not had any issues.

The solution is deployed on-premises. We have an on-premises FMC that connects everything.

The cost of the firewalls versus the ROI is okay.

We are quite Cisco-centric because of the performance we get for the price range. We have a lot of smaller sites, and we are not a very big organization. The price fits us perfectly.

Overall, I would rate Cisco Secure Firewall at nine on a scale from one to ten.

We are an insurance company. The core of what we do is service. We manage people and security. We have all the implementation for security. 

We have one ERP running on-prem and another one is running on the GCP cloud. We have a cloud service that runs that ERP on GCP. Our other service is running with Microsoft 365. So, we have an in-house AD that syncs with the cloud AD, but it is the firewall that is managing the communication process in between. The on-prem AD sync with the cloud AD is managed by the firewall. It is like a gateway. 

A vendor implemented this system for us to use and manage the process. We have an integration with the GCP. We've integrated this system with our network in such a way that you cannot access the GCP applications or infrastructure if you are not on-premises. This integration with the GCP and our virtual network online has been done locally.

In general, the management of our infrastructure is now easy. I can manage remotely. I can manage on-prem. I can always log in. I have a couple of users who work remotely via VPN because of the license. Not everybody works remotely in my organization. For people who work remotely, we have licenses for them to log in remotely from where they are and use the service. So, managing people, resources, and devices is easy. It has been a good experience. I don't intend to change it because it's giving me the service I need.

In terms of money, it has saved a lot of money. A lot of other organizations that don't have this kind of easy-to-manage layer of security are going through different kinds of attacks. We have a culture of being careful, even though you cannot be a hundred percent careful. When I hear that people have some security issues, I come and check my devices, and I notice that my firewall has actually blocked a lot of things. It gives me rest and peace. So, it saves a lot when you consider the cost of the organization's operations going down, even for one, two, or three hours. We would lose a lot if that happens. It probably saves us over a million dollars a year. The investment is totally worth it.

Our network is a little bit flat. We have a load balancer before getting into our network. We have configured the load balancer on the device itself. We have two major service providers. We have a core business application, and there are some people who use the core business application. We also have some light users. We have set up criteria to give priority to the people who use the core business application. I have a provider that gives me 300 MB to 500 MB, and I have another provider that gives me 20 MB to 25 MB as a backup. I have set priority based on the usage. If you're using the core business application, it pushes you to the fast network. Otherwise, it sends you to the other network. All that has been done on the firewall. It has been very good for this. I have no complaints.

It enables us to implement dynamic policies for dynamic environments, which is important for us. We can control the network based on different kinds of users. We can quickly and easily define the policies. We can set priorities based on different applications, systems, and users on our network.

Its security and filtering are most valuable. Every layer of data that comes into the organization goes through it. After setting up the criteria, it automatically filters the traffic. We don't have to check it often. Sometimes, when users complain that they are not able to see a particular thing, we log in to check the scan and see what it has scanned and filtered. It is usually something it has filtered out. It works perfectly.

It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive. 

I have been using this solution for about three to four years.

It is very stable. I've not had any thought of reconfiguring it. I have just applied my criteria, and I'm good.

Scalability is not a problem because I still have a span of five to seven more years. After that, I might have to go for a bigger device. For now, I have no issues. I can scale up or down. I'm good with that.

Their support is very good. We had an issue where the OS got corrupted. We got Cisco to log in. They did the reset on it, reformatted it, and sent it back to us. Because of the subscription we have with Cisco, we got a copy back in no time. We're now good. We've not been calling their tech support very often. We only call them when we have a very serious issue. I would rate them a nine out of ten.

Positive

It wasn't simple. Its implementation doesn't take much time, but we had to get a consultant in. Implementing a Cisco solution from scratch is harder than implementing FortiGate. With FortiGate, I can do my implementation and put all the criteria easily, but with Cisco, I need to do a lot more research, and I need to get someone to help me, but after implementation, it just works.

We had a consultant from a local vendor here called Incognito. Our experience with him was good. I can refer him to anybody.

When we have issues and we need improvement, he comes in. There was a time we noticed that we had lag on our network. We were trying to figure out the cause for it. We were using two service providers but the same backbone. We called him to make the required modifications.

It is more expensive than the other solutions. 

I'm the CIO here. When I came here, I did an audit of the IT infrastructure to see what was there. I looked at what was existing and thought of improvement. I got in all the vendors and had a meeting with them. I also got in a Cisco vendor and sat down with him and told him about the implementation I wanted. Because of the cost, I didn't change any equipment. So, he did the implementation. At any other place, I would look at the users and implement what is easy for them to manage. For a big enterprise with a whole crew, I would definitely consider Cisco. For any other place, I would go for Fortinet. Cisco is harder to implement and manage, but its stability is good. It is also more expensive. There are other cheaper solutions I would have gone for, but I had to focus on what was existing and improve. I had to make sure I worked with what was existing. We also have Cisco switches.

What it's been configured to do, it does it well. I would rate this solution a nine out of ten.

We are using it for border firewalls, VPN access, and site-to-site VPN tunnels.

It is deployed at a single location with about 2,500 users.

So far, the remote VPN access has been a perfect solution for our company.

The user interface is a little clunky and difficult to work with. Some things aren't as easy as they should be.

I have been using it for five years.

So far, it has been very stable.

It does require maintenance. There is a team of two who manage it.

We haven't scaled it much at this point.

The technical support has been good so far. I would rate them as eight out of 10.

Positive

The VPN solution works much better than our previous solutions.

We previously used Palo Alto. The switch was driven by Cisco's pitch.

It was fairly straightforward. We stood it up side by side with our nesting firewalls. We did some testing during an outage window, then migrated it over.

We used a partner, CDW, to help us with the deployment. Our experience with CDW was good.

Internally, it was just me for the deployment.

The pricing seems fair. It is above average.

Take the time to really learn it, then it becomes a lot easier to use.

I would rate the solution as eight out of 10.

We have multiple use cases for Cisco Firepower. We have two types of use cases:

• Protect the perimeter of the enterprise.
• Inter-VRF zoning and routing. 

The goal is to have some Firewall protection with a Layer 7 features, like URL filtering, IPS, malware at the perimeter level as well as inspecting the traffic going through that firewall, because all traffic is encrypted. We want visibility, ensuring that we can protect ourselves as much as we can.

In production, I am currently using Cisco Firepower version 6.7 with the latest patch, and we are starting to roll out version 7.0.

I have multiple customers who are running Cisco Firepower on-prem. Increasingly, customers are going through the cloud, using Cisco Firepower on AWS and Azure.

We are implementing Cisco Firepower at the Inter-VRF level so we can have some segmentation. For example, between ACI and all the Inter-VRF being done through Firepower, we are able to inspect local east-west traffic. It is great to use Cisco Firepower for segmentation, because on the Firepower, we now have a feature called VRF. So, you can also expand the VRF that you have locally on your network back to the firewall and do some more tweaking and segmentation. Whereas, everything was coming into a single bucket previously and you had to play around with some features to make sure that the leaking of the prefixes was not advertised. Now, we are really working towards segmentation in terms of routing in Firepower.

The integration of network and workload micro-segmentation helps a lot to provide unified segmentation policies across east-west and north-south traffic. One concrete example is with Cisco ACI for the data center. Not only are we doing what is called a service graph on the ACI to make sure that we can filter traffic east-west between two endpoints in the same network, but when we go north-south or east-west, we can then leverage what we have on the network with SGTs on Cisco ISE. Once you build your matrix, it is very easy to filter in and out on east-west or north-south traffic.

Since SecureX was released, this has been a big advantage for Cisco Firepower. You can give a tool to a customer to do some analysis, where before they were doing it manually. So, this is a very big advantage. 

The IPS is one of the top features that I love.

The dashboard of the Firepower Management Center (FMC) has improved. The UI has been updated to look like a 2021 UI, instead of what it was before. It is easy to use and navigate. In the beginning, the push of the config was very slow. Now, we are able to push away some conflicts very quickly. We are also getting new features with each release. For example, when you are applying something and have a bad configuration, then you can quickly roll back to when it was not there. So, there have been a lot of improvements in terms of UI and configuration.

We saw a lot of improvements on Cisco Firepower when Snort 3 came along. Before, with Snort 2, we were able to do some stuff, but the bandwidth was impacted. With Snort 3, we now have much better performance.

I would like to see improvement when you create policies on Snort 3 IPS on Cisco Firepower. On Snort 2, it was more like a UI page where you had some multiple choices where you could tweak your config. On Snort 3, the idea is more to build some rules on the text file or JSON file, then push it. So, I would like to see a lot of improvements here.

I have been using Cisco Firepower for multiple years, around four to five years.

In terms of Firepower's stability, we had some issues with Snort 2 CPUs when using older versions in the past. However, since using version 6.4 until now, I haven't seen any big issues. We have had some issues, just like any other vendor, but not in terms of stability. We have had a few bugs, but stability is something that is rock-solid in terms of Firepower.

Cisco Firepower scalability is something that can be done easily if you respect the best practices and don't have any specific use cases. If I take the example of one of my customers moving to the cloud, there is one FMC and he is popping new Firepower devices on the cloud, just attaching them to the existing policy and knots. This is done in a few minutes. It is very easy to do.

When you open a ticket with Cisco tech support for Cisco FMC, you can be quite confident. Right away, the engineer onboarding is someone skilled and can help you out very quickly and easily. This is something that is true 90% of the time. For sure, you always have 10% of the time where you are fighting to get the right guy. But, most of the time, the guy who does the onboarding can right away help you out.

The initial setup and implementation of Cisco Firepower is very easy. I am working with a lot more vendors of firewalls, and Cisco Firepower is one of the best today. It is one of the easiest to set up.

The minimum deployment time depends on really what you want to do. If you just want to initiate a quick setup with some IPS and have already deployed FMC, then it takes less than one hour. It is very easy. 

What takes more time is deploying the OVA of Cisco Firepower Management Center and doing all the cabling stuff. All the rest, it is very easy. 

If you are working without a Firepower Management Center and using Firepower Device Manager with Cisco on the cloud, then it is even easier. It is like the Meraki setup, where you just plug and play everything and everything will be connected to the cloud. It is very easy.

If you configure Cisco Firepower, it has to be based on Cisco's recommendations. You can view all the traffic and have full visibility in terms of applications, support, URL categorization, and inspect malware or whatever file is being exchanged. We also love to interconnect Cisco Firepower with some Cisco ISE appliances so we can do some kind of threat containment. If something is seen as a virus coming in from a user, we can directly tell Cisco ISE to block that user right away.

I am working for a Cisco Professional Services Partner. We have only one guy deploying the devices. We don't require a big team to deploy it. In terms of configuration, it takes more people based on each person's skills because you have multiple areas: firewalls, IPS, knots, and routing. So, it depends on which skills will be required the most.

For maintenance on an average small to medium customer, it takes one to two people. When it is a big customer with multiple sites, you should have a small team of four to five people. This is because it is mostly not about creating the rules, but more about checking and analyzing the logs coming through Cisco Firepower Manager Center.

Whether Cisco Firepower reduces costs depends on the architecture that you are on. I had some of my customers answer, "Totally, yes," but for some of them that is not really true.

When we are fighting against other competitors for customers, whether it is a small or big business, we feel very comfortable with the price that Firepower has today.

I have worked with Palo Alto, Fortinet, and Sophos. I work a lot more with Palo Alto and Cisco Firepower. I find them to be very easy in terms of management operations. Fortinet is also a vendor where we see the ease of use, but in terms of troubleshooting, it is more complex than Firepower and Palo Alto. Sophos is the hardest one for me to use.

I love the IPS more on the Cisco Firepower, where you can do more tweaking compared to the other solutions. Where I love Palo Alto and Fortinet more compared to Firepower is that you still have CLI access to some configs instead of going through the UI and pushing some configs. When you are in big trouble, sometimes the command line is easier to push a lot more configs than doing some clicks and pushing them through the UI.

Compared to the other vendors, Firepower requires more deep dive skills on the IPS stuff to make it work and ensure that you are protected. If you go with the basic one in the package, you will be protected, but not so much. So, you need to have more deep dive knowledge on the IPS to be sure that you can tweak it and you can protect yourself.

Another Cisco Firepower advantage would be the Talos database. That is a big advantage compared to other solutions.

In terms of threat defense, we have a feature of TLS 1.3 that is free where we can see applications without doing any SSL inspection, which can increase the performance of the firewall without doing some deep dive inspection. At the same time, we keep some visibility of what application is going through. Therefore, we have a win-win situation if one wants to protect against some specific applications.

Do not just look at the data sheet that vendors are publishing. Sometimes, they make sense. But, in reality, these documents are made based on specific use cases. Just do a proof of concept and test every single feature. You will find out that Cisco Firepower is much better and more tweakable than other solutions.

When you start using Cisco Firepower Management Center, you need a few days to get used to it. Once you know all the menus, it is kind of easy to find your way out and analyze traffic, not only in terms of the firewall but also in terms of IPS or SSL decryption. Different users are split away who can help you to troubleshoot what you want to troubleshoot, not having everything in one view.

Today, the only use cases that we have for dynamic policies are leveraging the API on Cisco FMC to push some config or change the config. There isn't a feature built automatically on the FMC to build a new policy, so we are leveraging APIs.

I would rate Cisco Firepower between eight and nine. The only reason that I am not giving a full nine is because of the Snort 3 operations, where there is a need for improvement.