Try our new research platform with insights from 80,000+ expert users
reviewer1657845 - PeerSpot reviewer
Senior Network Security Engineer at a tech services company with 11-50 employees
Real User
Its Snort 3 IPS gives us flexibility and more granular control of access
Pros and Cons
  • "Its Snort 3 IPS has better flexibility as far as being able to write rules. This gives me better granularity."
  • "I would like it to have faster deployment times. A typical deployment could take two to three minutes. Sometimes, it depends on the situation. It is better than it was in the past, but it could always use improvement."

What is our primary use case?

We are using it for firewall and intrusion prevention.

I have deployed it into different environments: retail, commercial, law, real estate, and the public sector. Retail is the biggest environment that I have deployed this firewall into, with 43 different sensors and a range up to 10 GbE throughput.

I am using up to version 7.0 across the board as well as multiple models: 1000 Series or 2100 Series.

How has it helped my organization?

The integration of network and workload micro-segmentation help us provide unified segmentation policies across east-west and north-south traffic. It is important to have that visibility. If you can't detect it, then you can't protect it. That is the bottom line.

The solution has enabled us to implement dynamic policies for dynamic environments. These are important because they give us flexibility and more granular control of access.

What is most valuable?

  • Ease of operability
  • Security protection

It is usually a central gateway into an organization. Trying to keep it as secure as possible and have easy to use operability is always good. That way, you can manage the device.

The solution has very good visibility when doing deep packet inspection. It's great because I can get packet captures out of the device. Because if an intrusion fires, I can see the packet that it fired in. So, I can dive into it and look at what is going on, what fired it, or what caused it.

Cisco Secure Firewall is fine and works when it comes to integration of network and workload micro-segmentation. 

The integration of network and workload micro-segmentation is very good when it comes to visibility in our environment. It is about how you set it up and the options that you set it up for, e.g., you can be as detailed as you like or not at all, which is good.

Its Snort 3 IPS has better flexibility as far as being able to write rules. This gives me better granularity.

What needs improvement?

It needs better patching and testing as well as less bugs. That would be nice.

I would like it to have faster deployment times. A typical deployment could take two to three minutes. Sometimes, it depends on the situation. It is better than it was in the past, but it could always use improvement.

Buyer's Guide
Cisco Secure Firewall
April 2025
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
849,190 professionals have used our research since 2012.

For how long have I used the solution?

I have been using it for seven years.

What do I think about the stability of the solution?

Stability has been good so far. It has been much better than in the past. In the past, there were times where there were known issues or bugs.

What do I think about the scalability of the solution?

Scalability has been fine. I haven't had an issue with it. I just haven't had a need to deal with scalability yet.

How are customer service and support?

I would rate Cisco's support for this solution as nine out of 10 for this solution. The support has been very good. We got the job done. Sometimes, why it wasn't perfect, the challenge was getting a hold of someone.

Which solution did I use previously and why did I switch?

I have used this solution to replace different vendors, usually Cisco ASA that is reaching end of life.

How was the initial setup?

The initial setup is straightforward for me at this point. That is just because of the experience that I have in dealing with it. for a new person, it would be a little bit more complex. They have gotten better with some of the wizards. However, if you are not familiar with it, then that makes it a little more challenging.

What about the implementation team?

Depending on the situation, we will go through the typical setups. We know what we want to configure and sort of follow a template.

What was our ROI?

We have seen ROI with a better, more secure environment. 

Cisco Secure Firewall has helped us to reduce our firewall operational costs. This is based on the fact that the newer models, where we have been replacing older models, have better throughput, capacity, and performance overall.

What's my experience with pricing, setup cost, and licensing?

Pricing is the same as other competitors. It is comparable. The licensing has gotten better. It has been easier with Smart Licensing.

There are additional costs, but that depends on the feature sets that you get. However, that is the same with any firewall vendor at this point.

Which other solutions did I evaluate?

I have also worked with Check Point and Palo Alto. The support is much better with Cisco than Check Point. Check Point had a little bit better of a central management station. Whereas, Cisco with the FMC is a little different as far as there are still some features that are being added to the FMC, which is good. As far as Palo Alto goes, they are quite comparable as far as their functionality and feature sets. Cisco wins for me because it has Snort, which is a known standard for IPS, which is good. Also, Cisco has the Talos group, which is the largest group out there for security hunting.

Check Point was the easiest as far as user-friendliness and its GUI. After that, Cisco and Palo Alto would be kind of tied for ease of use.

What other advice do I have?

Definitely do your research, e.g., how you want to set it up and how deep you want to go in with it. This will actually help you more. When we say Cisco Secure Firewall, is it Next-Generation, running ASA, or running Firepower? Or, does Meraki actually fit in there? So, there are different scales based on what you are trying to look for and how deep security-wise you want to go into it.

SecureX is a nice feature, but it has to be for the right environment. It is nice that we get it, but most people don't take advantage of it.

The dynamic policy capabilities can enable tight integration with Secure Workload at the application workload level, but I am not using much with Secure Workload at this point.

I would rate Cisco Secure Firewall as nine out of 10. I would not give it a 10 because of bugs.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1570647 - PeerSpot reviewer
Senior Information Security Analyst at a manufacturing company with 10,001+ employees
Real User
Useful access controls, reliable, and good support
Pros and Cons
  • "I have found the most valuable feature to be the access control and IPsec VPN."
  • "When comparing the graphical interface of this solution to other vendors it is more difficult to configure. There is a higher learning curve for administrators in this solution."

What is our primary use case?

I am using this solution for monitoring incoming and outgoing network traffic. This includes many types of traffic, such as VPN users.

What is most valuable?

I have found the most valuable feature to be the access control and IPsec VPN. There are a lot of people moving towards the next-generation versions of firewalls which have some advanced features such as this one. You can define rules based on the application instead of how they are traditionally are done. There are more general and traffic controls, and additional features for intrusion prevention for malware analysis.

What needs improvement?

When comparing the graphical interface of this solution to other vendors it is more difficult to configure. There is a higher learning curve for administrators in this solution.

A lot of vendors, such as Palo Alto, are going toward cloud-based systems and Cisco should follow.

For how long have I used the solution?

I have been using this solution for approximately two years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

Since this is a hardware solution it does not scale as well as cloud versions. We have approximately 20,000 people using this solution in my organization.

How are customer service and technical support?

The support of this solution is very good.

What about the implementation team?

We have security specialists to manage the solution.

Which other solutions did I evaluate?

I have previously used FortiGate and Palo Alto solutions. When comparing them to this solution they have more standard features in their normal firewall this one does not.

What other advice do I have?

My advice to those wanting to implement the solution is to look at their use case and see if it meets those requirements for what they are looking for. There are a lot of security features that people may not be aware of and do not use. Explore the solution and all its features which will help you understand the configurations.

I rate Cisco ASA Firewall an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Cisco Secure Firewall
April 2025
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
849,190 professionals have used our research since 2012.
IT Infrastructure Specialist at RANDON S.A
Real User
Shows the top-consuming applications to help determine if there is a deviation or if we need to increase bandwidth
Pros and Cons
  • "The protection and security features, like URL filtering, the inspection, and the IPS feature, are also very valuable for us. We don't have IT staff at most of the sites so for us it's important to have a robust firewall at those sites"
  • "The user interface for the Firepower management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For Firepower, the user interface is not very user-friendly. It's a little bit confusing sometimes."

What is our primary use case?

Currently, we have 16 remote sites. Some of them are sales offices and some of them are industrial plants. And we have a centralized IT department here in Brazil. The business asked me to support those remote sites. We started using the Firepower Threat Defense, which is one of the versions of next-gen firewalls from Cisco, at some of the sites. We have them operating at five sites, and we are deploying at a sixth site, in Mexico, with the same architecture. That architecture has the firewall running on the site's router, and we manage them all from here in Brazil.

How has it helped my organization?

Overall, I would summarize Firepower NGFW's effect on our company's security position by saying that, until now, we haven't had any major security incidents. The investment we made, and the investment we are still making in that platform, have worked because they are protecting us from any risks we are exposed to, having all these remote sites and using the internet as the way to connect those sites. They are doing what they promised and they are doing what we paid for.

What is most valuable?

For us, the main feature is due to the fact that we have internet connections for all these sites, and we use the internet to communicate with our data center using VPN. So the VPN support in these boxes is one of the most valuable features.

Also, with the firewall itself, the protection and security features, like URL filtering, the inspection, and the IPS feature, are also very valuable for us. We don't have IT staff at most of the sites so for us it's important to have a robust firewall at those sites, to support the business and give us peace of mind. If we do have an incident, since we don't have any IT personnel there for support, we need to do everything remotely.

It provides us with application visibility and control. We can see, on the dashboard, all the applications that are most used and which are under some sort of risk or vulnerability. From my perspective, which is more related to the network itself and the infrastructure, not the security aspect, it helps a lot when we need to check some situation or issue that could be related to any attack or any violation. We can see that there are one or two or three applications that are the top-consuming applications. We can use this information to analyze if there is a deviation or if it's something that we need to consider as normal behavior and increase the bandwidth on the site. It's very important to have this analytic view of what's happening. That's especially true for us, since we have information on all these remote sites but we don't have IT resources on-premises. Having this view of all the sites in the same pane of glass is very important.

It's not just the visibility of things, but the management of application behavior is very important. If I see that, for example, Facebook is consuming too much bandwidth, I can make a policy on the console here and deploy it to our remote offices. So the application visibility feature is one of the key parts of the solution.

NGFW's ability to provide visibility into threats is also one of the important features. Although we have several applications that are based on-premises — we have databases and file servers that only exist inside the company or inside those remote sites — we see more traffic going to and coming from the internet every day. It's not optional anymore to have visibility into all this traffic. More and more, we are moving things to Office 365 or other SaaS platforms which are hosted on the internet. We need to see this traffic crossing our network. It's a top priority for us.

When it comes to Talos, I recognized the importance of it before they were even calling it Cisco Talos. As a user of the URL filtering product, the IronPort appliances, for six or seven years, perhaps or more, I was introduced, at that time, to a community that was called SenderBase.org, which was like the father of the Cisco Talos. Knowing them from that time, and now, the work they do is very important. It provides knowledge of what is happening in the security space. The information they can collect from all the hardware and software they have deployed with their customers is great. But the intelligence they also have to analyze and provide fixes for things like Zero-day attacks, for example, is crucial. They are able to map and categorize risks. They're unbeatable, currently. Although we know that other vendors have tried to replicate this service or feature, the history they have and the way they do their work, make it unbeatable currently.

What needs improvement?

Some products supersede others within Cisco. I have three platforms and some of the features are the same in two products. It's not clear for us, as a  customer, if Cisco intends to have just one platform for security in the future or if they will offer one product for a particular segment, such as one product for the big companies, one product for the financial segment, another product for enterprise, and another product for small business.

Sometimes, Cisco itself has two products which are doing the same things in some areas. That is something they could make clearer for customers: the position of each product or the roadmap for having just one product. 

For example, I have a management console for the next-gen firewalls we are deploying. But the SD-WAN also has some security features and I would have to use another management console. I don't have integration between the products. Having this integration or a roadmap would help. I don't know if there will be one product only in the future, but at least having better integration between their own products is one area for improvement.

Also, the user interface for the Firepower management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For Firepower, the user interface is not very user-friendly. It's a little bit confusing sometimes. This is another area where they could improve.

For how long have I used the solution?

We have been using Cisco NGFWs for about for two years.

What do I think about the stability of the solution?

The stability is okay. It's robust enough to support the business we have. We haven't had any major issues with the product itself. Of course, we don't touch them frequently because it's a security deployment so it's not the type of thing where we make changes every day. Once we deploy them, and deploy the policies, we don't touch them frequently.

We have one issue at one of the sites, at times. There is a power outage at the site and the virtual machine itself crashes. We have to recover from the crash and reinstall the backup. It's something that is not related to the product itself. It's more that our infrastructure has a problem with power which led to a firewall problem, but the product itself is not the root cause.

What do I think about the scalability of the solution?

It is scalable in our scenario. It is scalable the way we deploy it. It's the same template or architecture, and that was our intention, for all our remote sites. From this point of view, the scalability is okay. But if one of those remote sites increases in demand, in the number of users or in traffic, we don't have too much space to increase the firewall itself inside that deployment. We would probably need to replace or buy a new, more robust appliance. So the scalability for the architecture is fine. It's one of the major requirements for our distributed architecture. But scalability for the appliance itself, for the platform itself, could be a problem if we grow too much in a short period of time.

I don't know how to measure how extensively we use it, but it's very important because without it, we can't have VPN and we can't communicate with our headquarters. We have SAP as our ERP software and it's located in our data center here at our headquarters. If we can't communicate with the data center, we lose the ability to communicate with SAP. So if we don't have the firewall running on those remote sites, it is a major problem for us. We must have it running. Otherwise, our operations at these remote sites will be compromised. In terms of volume, 40 percent of our sites are deployed and we still have plans to deploy the other 60 percent, this year and next year.

Regarding future demands, if we create new business, like we are doing now in Mexico, our basic template has this next-gen firewall as part of it. So any other new, remote sites we deploy in the future, would use the same architecture and the same next-gen firewall.

Which solution did I use previously and why did I switch?

For our remote sites we didn't use a specific security platform. We had the Cisco router itself and the protection that the Cisco router offers. But of course you can't compare that with a next-gen firewall. But here in our headquarters, we currently use Palo Alto for our main firewall solution. And before Palo Alto, we used Check Point.

The decision to use Cisco was because Cisco could offer us an integrated platform. We could have only one router at our remote sites which could support switch routing with acceleration, for IP telephony and for security. In the future we also intend to use SD-WAN in the same Cisco box. So the main advantage of using Cisco, aside from the fact that Cisco is, course, well-positioned between the most important players in this segment, is that Cisco could offer this solution in a single box. For us, not having IT resources at those remote sites, it was important to have a simple solution, meaning we don't have several boxes at the site. Once we can converge to a single box to support several features, including security, it's better for us.

The main aspect here is that if we had Fortinet or Check Point or Palo Alto, we would need another appliance just to manage security, and it wouldn't be integrated with what we have. Things like that would make the remote site more complex.

We don't currently have a big Cisco firewall to compare to our Palo Alto. But one thing that is totally different is the fact that Cisco can coexist with the router we have.

How was the initial setup?

I participated in the first deployment. I know it's not hard to do, but it's also not easy. It requires some knowledge, the way we deploy it. We use next-gen firewalls inside the Cisco router. It's virtualized inside the Cisco router. So you need to set settings on the router itself to allow the traffic that comes to the router to go to the firewall and return to the router to. So it's not an easy setup but it's not very complex. It requires some knowledge, not only of security, but also of routing and related things. It's in the middle between complex and simple.

Once you have the templates for it, it's easier. It can take a day or two to deploy, or about 20 hours for the whole configuration.

What about the implementation team?

The name of the local partner we use here in Brazil is InfraTI.

For the first deployment we had to understand how to do it because of the constraints. We have the router and we have the next-gen firewalls running inside the router. Until we decided how to deploy, it took a little while. But now we have the knowledge to do that more easily. They are able to deploy it satisfactorily. We are happy with them.

For deployment and maintenance of the solution, it requires two people and our partner. On our side there is an engineer to discuss the details, and then there is the person who does the deployment itself.

What other advice do I have?

You must know exactly what features are important for you, and how you can manage all this infrastructure in the future. Sometimes you can have a product that is superior but it might demand an increase in manpower to manage all the software or platforms. Another point to consider is how good the integration is between products? You should check what features you need, what features you can have, and the integration with other products.

In terms of the maturity of our security implementation, we have had security appliances, software or hardware, for more than 15 years. So we have a long history of using security products. We started using Cisco competitors in the past and we still use them for our headquarters, where I am. Our main firewall is not currently Cisco, although we are in the process of evaluation and we will replace this firewall soon. Cisco is one of the brands being evaluated for that.

In the past, while it's not a next-gen firewall, we also used a Cisco product for URL filtering, up until this year.

We are moving to the cloud. We are starting to use Office 365, so we are moving email, for example, from on-premises to the cloud. But until June of this year, we mainly used security from Cisco. But we also have antivirus for endpoint protection. We also had Cisco IPS in the past, which was a dedicated appliance for that, but that was discontinued about two years ago. Those are the major products we use currently. In addition — although it's not specifically a security product — we use Cisco ISE here to support our guest network for authentication. We plan, in the near future, to increase the use of Cisco Identity Services Engine. When we start to use that to manage policies and the like, we will probably increase the integration. I know that both products can be integrated and that will be useful for us.

There's one other product which we use along with Cisco next-gen which is a SIEM from Splunk. Currently, that is the only integration we have with Cisco. We send logs from next-gen firewalls to the Splunk machine to be analyzed and correlated. 

Although I'm not involved on a daily basis in operations, I helped in the process of integrating it. It was very easy to integrate and it's a very valuable integration, because we can analyze and correlate all the events from the next-gens from Cisco, along with all the other logs we are collecting in our infrastructure. For example, we also collect logs from the Windows machine that we use to authenticate users. Having those logs correlated on the Splunk box is very valuable. The integration is very easy. I don't know who built what, but there's a kind of add-on on the Splunk that is made for connection to firewalls, or vice versa. The integration is very simple. You just point to the name of the server and a user name to integrate both.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user212682 - PeerSpot reviewer
Network Consultant at a tech consulting company with 51-200 employees
Consultant
I'd like the ability to use IPS & CX modules simultaneously but overall it provides peace-of-mind against cyber-attacks.

What is most valuable?

The most valuable features are the IPS and Botnet software modules. These security features, working in tandem, truly provide a peace-of-mind against all levels of cyber-attacks.

How has it helped my organization?

Since the 5512-x is software license based, there is no need to purchase additional hardware to enable much needed features.

What needs improvement?

Since most features are license based and some licenses are time-based, there should be a way for the device to alert via SNMP that licenses are about to expire. Also, I would like to be able to use both the IPS and CX modules simultaneously, instead of one or the other.

For how long have I used the solution?

I have been using the 5512-x for almost one year now.

What was my experience with deployment of the solution?

Deployment of the 5512-x is very simple. The main issue I found was in deploying the firewall using the "new" style of configuring NAT statements.

What do I think about the stability of the solution?

I have not encountered any stability issues with the IOS version or the IPS version. I am currently running IOS 9.3.2 and IPS version 7.3(2)E4.

What do I think about the scalability of the solution?

The 5512-x with a BASE license does not have many options for scalability. However, the Security Plus option allows multiple contexts and ACTIVE/ACTIVE fail-over options. I currently do not use those features, but I can definitely see the need for both of these options.

How are customer service and technical support?

Customer Service:

Cisco customer services have always been excellent. I have never had any issues with them.

Technical Support:

Cisco TAC is always hit-or-miss. You either get a guru or a newbie, and there is nothing in between.

Which solution did I use previously and why did I switch?

The previous firewall was a Cisco SA520W. This device was great as it was a firewall, IPS and WLC all in one. I switched due to this device being EOL/EOS. Also, the main complaint about this device was that with the IPS enabled all traffic was slowed to a crawl. I would rate the SA520W as 3/10.

How was the initial setup?

The SA520W was a simple setup. There is no CLI option; it is all done within a straightforward GUI.

What about the implementation team?

All solutions are designed, configured, and maintained by me.

What was our ROI?

The ROI on the SA520W is 0. As this device is EOL/EOS.

What's my experience with pricing, setup cost, and licensing?

The original setup cost of the SA520W was approx. US$500. The setup for the 5512-x was approx. US$3000. For the 5512-x, additional costs were endured for the IPS and Botnet licenses approx. an additional US$1000/year. As for day-to-day costs, the 5512-x self-updates the security modules, so there is little interaction that I need to perform.

Which other solutions did I evaluate?

I was considering going to the ISA550W (the replacement for the SA520W) or a 5505. I ultimately went with the 5512-x due to its speed and software licensing model.

What other advice do I have?

The next-gen firewalls are a great solution. Be aware of the additional hardware costs (120GB SSD) that are needed to implement some features like the CX module. Also, if you do not need ACTIVE/ACTIVE fail-over there is no real need for the Security plus license. And finally, understand the true speed of the model you choose with and without the IPS module enabled before making a final decision.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a Cisco re-seller.
PeerSpot user
Infrastructure Architect - Network at a manufacturing company with 1,001-5,000 employees
Real User
Provides flexibility in terms of management and is easy to deploy
Pros and Cons
  • "Cisco Secure Firewall made it easier so that more than one person can handle things. We are able to have a bigger team that can handle simple tasks and have a smaller team focus on the deep-dive needs."
  • "The integration between different tools could be improved. For example, with SecureX, I am yet to find out how to forward security events to different tools such as Microsoft Sentinel, which is what we use for log detection."

What is our primary use case?

We started with the old ASA 5510 and migrated to Firepower, first using ASA as the basic operating system. Lately, we've been using FTD because it simplifies operations a lot. We are a very small networking team, and being able to push one policy to many firewalls eases our workload.

We are a global company, and we don't always have IT staff in all corners of the world. Therefore, having one place to do everything is very nice.

How has it helped my organization?

Cisco Secure Firewall has made it easier so that more than one person can handle things. We are able to have a bigger team that can handle simple tasks and have a smaller team focus on the deep-dive needs.

We have the same basic policies everywhere now, which makes it more flexible for us to manage.

What is most valuable?

I like the central management and IPS features. Having everything in one place is very valuable.

Cisco Secure Firewall is very good at detecting threats. We see a lot getting blocked by the IPS in our DMZ, that is, our internet-facing web service.

It helped free up IT staff time. Before, we would have to manually configure every single firewall. Every time we configure something on a firewall, it takes five to ten minutes, and we have more than 50 firewalls around the globe. We do changes every week, and the automated policy and upgrades saved us a lot of time.

In terms of the organization, we have been able to save time by getting things out faster. However, the only downside is that the policy push takes quite a while. Thus, a quick fix still takes at least 15 minutes, and troubleshooting can take time as well.

What needs improvement?

Some of our problems are related to software updates in remote sites where the internet connection is not stable. Sometimes, the image push just gets disrupted and fails.

The most annoying thing is having to replace the hardware so often. It's very difficult for us to do.

The integration between different tools could be improved. For example, with SecureX, I am yet to find out how to forward security events to different tools such as Microsoft Sentinel, which is what we use for log detection.

For how long have I used the solution?

We've been using Cisco Secure Firewalls for a very long time.

How are customer service and support?

We had to get in touch with technical support a few times, and our experience was good. I would give them a rating of nine out of ten. 

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment is easy, and I have not had any issues.

The solution is deployed on-premises. We have an on-premises FMC that connects everything.

What's my experience with pricing, setup cost, and licensing?

The cost of the firewalls versus the ROI is okay.

What other advice do I have?

We are quite Cisco-centric because of the performance we get for the price range. We have a lot of smaller sites, and we are not a very big organization. The price fits us perfectly.

Overall, I would rate Cisco Secure Firewall at nine on a scale from one to ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Ken Mohammed - PeerSpot reviewer
UC Solutions Engineer at Diversified
Video Review
Reseller
Enabled my client to have thousands of remote users connect seamlessly through VPN
Pros and Cons
  • "You can also put everything into a nice, neat, little package, as far as configuration goes. I was formerly a command-line guy with the ASA, and I was a little nervous about dealing with a GUI interface versus a command line, but after I did my first deployment, I got a lot more comfortable with doing it GUI based."
  • "I'm not a big fan of the FDM (Firepower Device Manager) that comes with Firepower. I found out that you need to use the Firepower Management Center, the FMC, to manage the firewalls a lot better. You can get a lot more granular with the configuration in the FMC, versus the FDM that comes out-of-the-box with it. FDM is like Firepower for dummies."

What is our primary use case?

I typically deploy firewalls to set up VPNs for remote users, and, in general, for security. I have a number of use cases.

With theUI basedpandemic, the customer really didn't have a VPN solution for their remote users, so we had to go in and deploy a high-availability cluster with Firepower. And I set up single sign-on with SAML authentication and multi-factor authentication.

How has it helped my organization?

We deploy for other organizations. I don't work on our own corporate firewalls, but I do believe we have some. But it definitely improved things. It enabled my clients to have remote users, thousands of them, and they're able to connect seamlessly. They don't have to come into the office. They can go home, connect to the VPN, log on, and do what they need to do.

What is most valuable?

I like that you can get really granular, as far as your access lists and access control go. 

You can also put everything into a nice, neat, little package, as far as configuration goes. I was formerly a command-line guy with the ASA, and I was a little nervous about dealing with a GUI interface versus a command line, but after I did my first deployment, I got a lot more comfortable with doing it GUI-based.

What needs improvement?

I'm not a big fan of the FDM (Firepower Device Manager) that comes with Firepower. I found out that you need to use the Firepower Management Center, the FMC, to manage the firewalls a lot better. You can get a lot more granular with the configuration in the FMC, versus the FDM that comes out-of-the-box with it.

FDM is like Firepower for dummies. I found myself to be limited in what I can do configuration-wise, versus what I can do in the FMC. FMC is more when you have 100 firewalls to manage. They need to come out with something better to manage the firewall, versus the FDM that comes out-of-the-box with it, because that set me back about two weeks fooling around with it.

For how long have I used the solution?

I have been using Cisco Firepower NGFW Firewall for two or three years now.

What do I think about the stability of the solution?

It's good. It's stable. I haven't heard anything [from my customer]. No news is good news.

What do I think about the scalability of the solution?

It scales because you can deploy a cluster. You could have up to 16 Firepowers in a cluster, from the class I [was learning] in yesterday. I only had two in that particular cluster. It scales up to 16. If you have a multi-tenant situation, or if you're offering SaaS, or cloud-based firewall services, it's great that it can scale up to 16.

How are customer service and support?

They're always great to me. They're responsive, they're very knowledgeable. They offer suggestions, tell you what you need to do going forward, [and give you] a lot of helpful hints. It was good because I had to work with them a lot on this past deployment. 

Now I can probably do it by myself, without TAC's help.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment was complex because that was my first time doing a Firepower. I did ASAs prior, no problem. I had to get used to the GUI and the different order of deploying things. I had to reset it to factory defaults several times because I messed something up. And then I had to get with Cisco TAC, for them to help me, and they said, "Okay, you need to default it and start over again".

But now, going forward, I know I need to deploy the FMC first, and then you deploy the Firepowers, and tell them where the FMC is, and then they connect, and then you can go in and configure it. I had it backward and it was a big thing. I had to keep resetting it. It was a good learning experience, though, and thankfully, I had a patient customer.

[In terms of maintenance] I've not heard anything back from my customer, so I'm assuming once it's in, it's in. It's not going to break. It's an HA pair. My customer doesn't really know too much about it. I don't know that they would know if one of them went down, because it fails over to the other one. I demonstrated to them, "Look, this is how it fails over. If I turn one off, it fails over." VPN doesn't disconnect, everything's good. Users don't know that the firewall failed over unless they're actually sitting there looking at AnyConnect. I don't think they know. So, I'll wait for them to call me and see if they know if something's broken or not.

What was our ROI?

As far as return on investment [goes], I would imagine there is some. For the users, as far as saving on commuting costs, they don't have to come into the office. They can stay home and work, and connect to the enterprise from anywhere in the world, essentially.

Which other solutions did I evaluate?

I've done a Palo Alto before, and a Juniper once, but mostly ASAs and Firepowers.

Naturally, I prefer Cisco stuff. [For the Palo Alto deployment] they just said, "Oh, you know, firewalls", and that's why the customer wanted Palos, so that's what I had to do. I had to figure it out. I learned something new, but my preference is Cisco firewalls.

I just like the granularity of the configuration [with Cisco]. I've never had any customers complain after I put it in, "Hey, we got hacked," or "There are some holes in the firewall," or any type of security vulnerabilities, malware, ransomware, or anything like that. You can tighten up the enterprise really well, security-wise.

Everything is GUI-based now, so to me, that's not really a difference. The Palos and the Junipers, I don't know what improvements they have made because [I worked on] those over five or six years ago. I can't even really speak to that.

What other advice do I have?

Because I don't like the management tool that comes out-of-the-box with it, the FDM, I'll give the Firepower an eight out of 10. That was a real pain dealing with, until they said, "Okay, let's get him an FMC." That was TAC's suggestion, actually. They said, "You really need FMC. The FDM is really trash."

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
ArunSingh7 - PeerSpot reviewer
Computer Operator at a retailer with 5,001-10,000 employees
Real User
Top 5
A tool that offers protection and security features that needs to improve its price
Pros and Cons
  • "The solution's dashboard is fine, and in terms of support, Cisco is better than other OEMs in the market."
  • "If you need to reschedule a call with the support team when you face a new issue with the product, then it may get a bit of a problem to get a hold of someone from the support team of Cisco."

What is our primary use case?

My company uses Cisco Secure Firewall for its protection and security features.

What is most valuable?

I won't be able to speak about the strong points of the product. I will need the input from my team to be able to speak about the advantages of the product. The solution's dashboard is fine, and in terms of support, Cisco is better than other OEMs in the market.

What needs improvement?

The solution's price can be lowered because, currently, it is pricier than the tool its competitors offer in the market. If the product's prices are lowered, it may help Cisco to expand its market base.

If Cisco reduces the price of its product, then it can gain more advantage and become much more competitive in a market where there are solution providers like Fortinet FortiGate.

For how long have I used the solution?

I have been using Cisco Secure Firewall for five years.

I don't remember the version of the solution since there is a support team in my company to manage it. My company has a partnership with Cisco.

What do I think about the stability of the solution?

Stability-wise, I rate the solution an eight out of ten.

What do I think about the scalability of the solution?

Scalability-wise, I rate the solution an eight out of ten.

Around 2,500 people use the solution in my company.

How are customer service and support?

Most of the time, the solution's technical support is helpful and responsive. There have been a few cases where a few black spots have been noticed, which I think is because Cisco opted for localization of support because, during holidays, nighttime, or weekends, it becomes difficult for users to reach the support team, though the rest of the time the support is good.

If you have already scheduled a call with the support team of Cisco, then it is good. If you need to reschedule a call with the support team when you face a new issue with the product, then it may get a bit of a problem to get a hold of someone from the support team of Cisco. Earlier, there were no problems with Cisco's support team. Recently, there have been a few issues cropping up related to the technical team of Cisco. Technically speaking, the support team is good, but the availability offered by the technical team has deteriorated.

I rate the technical support a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I work with Palo Alto, Fortinet, and Check Point for different parts of our IT environment.

How was the initial setup?

The product's initial setup phase was taken care of by another team in my company before I joined my current company.

On our company's core payroll, we have a very small support team, but we do have a support team in my company for the product. The support team in my company consists of around 20 to 25 engineers who work around the clock.

The solution is deployed on an on-premises model.

What's my experience with pricing, setup cost, and licensing?

I rate the product's price a seven on a scale of one to ten, where one is expensive, and ten is cheap. If we compare Cisco with other OEMs available in the market, Cisco needs to work on price improvement. Nowadays, there is a lot of competition in the market with newer solutions, like Fortinet, gaining popularity, amongst a few other names like Cyberoam, a product from a local Indian vendor. Palo Alto has also gained a lot of market share in recent years.

Which other solutions did I evaluate?

From a security perspective, generally, there are only three solutions that our company looks at, which include Check Point in the last four or five years, among other options like Palo Alto and Cisco.

What other advice do I have?

I recommend the solution for SMB businesses.

I rate the overall tool a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
reviewer2212707 - PeerSpot reviewer
Security Engineer at a government with 501-1,000 employees
Real User
Helped us consolidate tools and applications and provides excellent documentation and support
Pros and Cons
  • "The product is easy to manage and simple. It works with the rest of our Cisco products. You can drop in new ones if you need more performance. The training and documentation provided are good."
  • "There's a little bit of a disconnect between Firepower’s management and the rest of the products, like DNA and Prime. The solution should have fewer admin portals for network, security, and firewalls."

What is our primary use case?

I'm in network security, so I care more about security than the network architecture. I mostly just pull all the data out and throw it into Splunk. I use threat intelligence and some of the integrations like Talos. My company uses the product for east-west traffic, data center, and Edge.

What is most valuable?

The product is easy to manage and simple. It works with the rest of our Cisco products. You can drop in new ones if you need more performance. The training and documentation provided are good.

What needs improvement?

There's a little bit of a disconnect between Firepower’s management and the rest of the products, like DNA and Prime. The solution should have fewer admin portals for network, security, and firewalls.

For how long have I used the solution?

I have been using the solution for a year and a half. My company has been using it for at least five years.

What do I think about the stability of the solution?

I haven’t had a product die. The products failover really fast, and we can cluster them. The product is definitely many nines of reliability.

How are customer service and support?

I have contacted support in my previous jobs for things beyond firewalls, like servers, switches, and call centers. It's always been pretty good. They know their stuff. Sometimes we have to have a few calls to get really deep down into the issue. Eventually, we’ll get an engineer who's a senior and knows how to fix it. They do a pretty good job finding a resource that can be helpful.

Which solution did I use previously and why did I switch?

In my previous jobs, I used Palo Alto and Fortinet. My current organization chose Cisco Secure Firewall because we use Cisco for the rest of our network, and it just made sense.

What was our ROI?

We have definitely seen a return on investment. It works pretty well. It is important to have everything work together. Our time is probably more valuable than our money. We're not going to go out and grab ten other network engineers to set up another complicated platform when we can just save the hassle.

What other advice do I have?

The solution has improved our organization. I think my company was using Check Point back in the day. My company has 12 Cisco products. We used Palo Alto in my old organization. It’s what I'm most familiar with.

The application visibility and control with Secure Firewall are not bad. The product’s alerting is pretty good. There were a couple of things that surprised me about the solution. It works really well because we use it with Secure Client and Secure Endpoint. Sometimes the solutions can cross-enrich each other, which we wouldn’t get with a dedicated, standalone firewall.

The solution has helped free up our IT staff for other projects. We don't even have a dedicated firewall person. I sometimes do some stuff. Mostly the dedicated network admins run it, and they have time to do the rest of their job. Our whole network infrastructure team's only five to six people, and they can manage multiple sites across all different firewalls. It's not unreasonable to demand at all.

The product has helped us consolidate tools and applications. If we were using another solution, we would have had their firewall, management plane, and other appliances to back that up. Having a product in the Cisco universe definitely does help. It's all right there when we're using Secure Client and Umbrella. I want more of what Cisco Identity Services Engine and DNA do. I don't like switching tabs in my browser.

We use a relatively basic subset of Cisco Talos for general threat intel. It's definitely helpful. It's mostly about just getting the Talos definitions into the firewall so it can do all the heavy lifting so we don't have to. Now that Cisco has the XDR product, it will probably make it even more useful because then we can combine the network side, the security operations, and the threat intelligence into one thing to work harder for us.

Cisco Secure Firewall has definitely helped our organization improve its cybersecurity resilience. I like the IDS a lot. The definitions work really well. Making custom ones is pretty trivial. We don't have to do complicated packet captures or anything of that kind.

My advice would be to lean really hard on your sales engineer to explain the stack to you. There's definitely a learning curve to it. Cisco does things in a very particular way that's maybe a little bit different than other firewall vendors. Generally, it's pretty helpful talking to post-sales about what you need because you're probably not going to be able to figure it out. It's definitely a pretty top-shelf tool. If an organization already uses Cisco, they probably want to invest in the solution.

Overall, I rate the solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2025
Buyer's Guide
Download our free Cisco Secure Firewall Report and get advice and tips from experienced pros sharing their opinions.