Cisco Secure Firewall Reviews

The way we've installed Firepower was for the migration process. For example, there was a data center consolidation, and therefore we had to move everything. We offer data center products to our customers across VPN funnels. We had to move away from older ASAs, so it's a lift and shift. We move older ASAs, which were dispersed in many sites, and we consolidated a couple of services in a single site. Firepower was left there in place. I came in and I took over the administration duties, and now I'm trying to put everything together in a way that it makes sense.

With Firepower, they have better hardware. It's fitted for more throughput, more load. I'm trying to centralize service delivery on this high-availability pair and move all the remote access to Firepower. Then, it's all part of a transition process from a hybrid cloud to a full cloud deployment on a cloud provider. It's mostly just a necessary pain, until we move away from our on-prem deployments. Currently, I'm working with Azure, etc. and I try to look at the main design of the whole process, even though it's going to take two years. 

COVID has also made everything very, very slow for us as we try to move away from our initial plan.

The 2100 models are extremely useful for us.

It's got the capabilities of amassing a lot of throughput with remote access and VPNs. 

They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers which are using older encryptions. If I do that, update it, it's not going to work for me.

We've been using the solution for about a year.

The solution is pretty solid in terms of stability, however, I prefer Palo Alto. For the enterprise world, it's better to have Palo Alto. For the service provider field, Firepower is quite well suited, I'd say. That said, Palo Alto, is definitely the enterprise way to go. For a smaller deployment, you can also go with FortiGate. It's simple, however, it works for smaller offices.

The scalability of the product is pretty good. If you need to expand it, you can do so with relative ease.

The technical support is amazing. They do reply quickly, and often within an hour. It's been great. I've worked at Cisco before, however, with the type of contract we are in, I find it super fast right now. We're quite satisfied with the level of support.

I don't have any knowledge as to what the product costs. It's not part of the business I deal with.

Palo Alto, it's my understanding, is a little more expensive, however, it depends on the users and on the design. It always depends on the contract

We're just customers. We don't have a business relationship with Cisco.

It's a solid, reliable product, however, if it's right for a company depends on the use case and the size of the organization. For a startup, this might not be a suitable option.

Overall, I'd rate this solution nine out of ten. As a comparison, if I was rating Palo Alto, I would give it a ten out of ten.

We are a Cisco partner and we implement solutions for our customers who are generally in the banking sector and other private sectors.

They are using it as a data center firewall and to secure their internet connections. Our customers usually integrate the firewall with ISE, with a Firepower module for IPS, and there are some NAC solutions.

The solution enhances the performance of the network. It blocks most of the threats and it updates attack signatures so it protects customer data better. The loss of data would be a crisis for any customer. With the deep inspection and analysis and the threat updates, it gives you more protection and safety.

Our clients use automated policy application and enforcement. For example, when you have a very big deployment or a bank needs to deploy more branches, this saves a lot of time when doing the implementation. Similarly, when you add more users or you add more devices, when you create a profile of the policies, they will be available in a matter of minutes, regardless of the number of branches or users or applications. It reduces the time involved in that by 75 percent.

The traffic inspection and the Firepower engine are the most valuable features. It gives you full details, application details, traffic monitoring, and the threats. It gives you all the containers the user is using, especially at the application level. The solution also provides application visibility and control.

The integration between the ASA and Cisco ISE is very easy because they are from the same vendor. We don't face any integration problems. This is one of the valuable points of Cisco firewalls. They can be easily integrated with different Cisco security products.

Our clients also use other products with Cisco ASA, such as Aruba ClearPass and different NAC solutions. The integration of these other products is also easy with Cisco. 

It integrates with email security and Firepower. For example, if you have an attached file infected or you have attacks through email, the traffic will be forwarded to the email security and it will be blocked by the firewall. It gives you a clear view of the file and it can be blocked at every stage, protecting your network from this threat.

One of the best parts is the traffic management and the inspection of the traffic packets. The Device Manager is easy to use to supervise things, and the Firepower application gives you clear threat detection and blocking of all threats. Cisco also provides a better analysis of the traffic.

In addition, Talos is an enhancement to Cisco firewalls, and provides a better view.

The device management options, such as Firepower Device Manager (FDM), Cisco Firepower Management Center (FMC), or Cisco Defense Orchestrator (CDO) add a lot of enhancements in the initial deployment and configuration. In migrating, they can help to create the migration configuration and they help in managing encryption and automation. They add a lot enhancements to the device. They make things easier. In the past, you had to use the CLI and you could not control all this. Now you have a GUI which provides visibility and you can easily integrate and make changes.

When I deal with other firewalls like Palo Alto or Fortinet, I think there is some room for performance tuning and enhancement of the ASA. I'm not saying there is a performance issue with the product, but when compared to others, it seems the others perform a little bit better.

There could be enhancements to the cloud part of the solution. It's good now, but more enhancements would be helpful.

Finally, security generally requires integration with many devices, and the management side of that process could be enhanced somewhat. It would help if there was a clear view of the integrations and what the easiest way to do them is.

I have been using Cisco ASA NGFW for more than 10 years.

The ASA is stable. There may be some small stability issues, when compared to others, but it is a stable product. There could be enhancements to the ASA in this area when compared to other vendors, but it is not a problem with the product.

It is scalable, with virtualization and other features.

In terms of future-proofing our customers' security, we recommend the ASA. We have tested it in large environments and it's working well. The lesson I have learned from using Cisco ASA is that Cisco's research is continuous. They provide enhancements every day. It's a product for the future.

Technical support is a very strong point in Cisco's favor. I would rate it very highly. The support is excellent.

The setup is of medium difficulty. It is not very complex. Generally, when working in the security field, things are a little bit complex because you are integrating with many vendors and you are defending against a lot of different kinds of attacks.

The amount of time it takes to deploy the ASA depends on the complexity of the site where it is being set up. On average, it can take about a week. It could be that there are many policies that need to be migrated, and it depends on the integration. For the initial setup, it takes one day but the amount of time it takes beyond that depends on the security environment.

Our customers definitely see return on investment with Cisco ASA because when you protect your network there is ROI. If you lose your data you have a big loss. The ROI is in the security level and the protection of data.

The value of the pricing needs to be enhanced from Cisco because there are a lot of competitors in the market. There is room for improvement in the pricing when compared to the market. Although, when you compare the benefits of support from Cisco, you can adjust the value and it becomes comparable, because you usually need very good support. So you gain value there with this device.

My advice is to take care of and monitor your policies and be aware of the threats. You also have to be careful when changing policies. When you do, don't leave unused policies around, because that will affect performance. You should have audits of your firewall and its policies and follow the recommendations from Cisco support.

Among the things I have learned from using Cisco ASA is that integration is easy, especially with Cisco products. And the support helps you to integrate with anything, so you can integrate with products outside of the Cisco family as well.

Cisco has a new general firewall: the Firepower NGFW. If you take a look at the Cisco Firepower product line, they have three models available:

1. A low-scale model: the 2000 series
2. A high-end model: the 4000 series
3. The carrier-grade model: the 9000 series

We have already used the 4000 and 2000 series over here. We've been using this solution in Bangladesh for some customers over the last eight months. 

We've been using FPR 2110, 2120, 2130, & 2140. We also employ the FPR 4130 and 4140. We have been using this equipment on our last few projects. We used it as a transfer and for firewalling. The most recent one we are using for firewall support as well.

I have a two-part business. First, we provide solution services as a vendor for multiple customers working as a consulting firm. I'm providing multiple customers with support on-premises for Cisco products right now.

We are not able to use these products internally in our company. The second part of the business is my status or core business which is basically operating as a software solution provider.

I have personally engineered these Cisco firewall solutions for clients. When we implemented it, it was easy. We have to maintain high-end abilities in order to ensure the availability of high-end support for the clients. I generally have to look at everything. Later on, we were able to upgrade the Cisco Firepower NGFW easily. We were able to connect from the beginning to implement the complete number of files in the system. 

Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching.

I would say the Cisco Firepower NGFW actually gives superior intelligent behavior to transfer its active/passive infrastructure. Overall, Cisco Firepower NGFW has been a good power element in our systems due to its central location.

I would say when Cisco is selling something called a firewall, they put a lot of services together to make a single box solution. When a company develops a firewall, they need to develop certain features like intrusion control and offer it pre-loaded in the product. 

On the mix of projects that I am responsible for, I feel comfortable using the Cisco firewall for management. One feature lacking is superior anti-virus protection, which must be added.

I have to say I am very proud of the Cisco Firepower 41400 as it can give you multiple layers of four-degree connectivity in operations. 

We do not use the Cisco 9000, but even the lower level firewalls are pretty expensive, considering the features and software included.

In summary, we would like Cisco to provide more features inside regarding network trafficking forecasting. Ideally, the belief is that this would add an immediate resolution.

So far we haven't encountered any stability problems. You should have a lot of patches to apply to update the firmware. You can understand the firewall in less than a week.

We had some fraud introduced with our last box when Cisco produced an upgrade. The updated policy agreement was based on the wrong purchase date information. 

The faster integration that is available in our region is pretty smooth for the Cisco firewall right now. I haven't found that much of a limitation to any service. 

I used to have a lot of issues with firewall support. Now, I keep a good state of mind with Cisco. I can expect my capabilities going out of range eventually if we don't upgrade. 

Cisco has its own cloud platform. I am able to see a single dashboard with all of my firewall activities and network performance under diagnostics, which is really helping us out.

I would put the Cisco Firepower NGFW firewall into Transport mode, as you can do with most firewall systems for scalability. We used to have about 60% of our users on hold during six-week events. We still have certain problems without a firewall, but these days with the Cisco Firepower, we have over 80% of the load working.

As the customer integrator for enterprise contracts, we've been able to introduce Cisco Firepower to around 10 of our new customers in Bangladesh. At least 50 of the previous Cisco customers are still using the firewall solution right now under our support.

These are enterprise customers who require Cisco firewall support. We used to have a specialty in that which is really like the holy grail in rocket science. It used to be like that but now with Cisco's enterprise user base, we offer operational system support to reduce complexity a lot. It's really easy. It's not like you have to be a specialist.

In Bangladesh, we had a little issue with Cisco technical support. We run our own sidebar operations, so I am not so satisfied with Cisco customer support. 

Cisco Firepower devices have created a lot of differences with due dates over our service contract. Consequently, we don't really bother anymore with Cisco technical support. Bangladesh has a really good tech scene. That is the reason we are not that concerned about Cisco product support anymore. It's okay. We handle it our own.

We previously used Cisco ASA as a firewall.

The setup with the Cisco Firepower NGFW is very easy. I have used other networking and firewall equipment previously, including Juniper. I've implemented other solutions and those were really tricky compared to Cisco.

The Cisco firewall system has eliminated all our network setup problems. Earlier when we used other products for firewalls, it was very complex to set up. Cisco firewalls from the beginning have eliminated all of the difficult parts of the initial deployment. 

All you have to do is pull your management together and communicate to your team to follow the documentation provided by Cisco. Altogether, it is easy for our team to install the Cisco firewall products.

I did the installation myself and it took 48-50 hours, approximately, in the Transfer mode. We had a further two-hour window of augmenting and transforming the data. We were able to do that successfully. Eventually, we were able to transform the entire network setup.

The license in my country is available to subscribe for three years or one year. We wanted to go with the solutions for embedding a two-year subscription, but this was not possible.

The Cisco licensing agreement in Bangladesh is different than the one in India and in Dubai. It is not a problem, but if you want to subscribe to the yearly subscription, the original cost is really high. Also, if you go for an anti-virus, you pay for an additional yearly subscription. 

When we push customers to implement Cisco solutions, they can manage the subscription cost of Cisco internally to access these important solutions long term. Our clients have been able to secure surprisingly efficient service with the Cisco Firepower NGFW firewall solution.

This fall, we evaluated firewall equipment from Juniper Networks. This is a limitation for Cisco, as their pricing is too high. The fact is when I need to install and manage an enterprise network, Cisco has the capability of having support for the IC Treadway standards. Furthermore, I can actually manage my entire enterprise network in one dashboard. 

If I bring in tech from the outside, like Palo Alto Networks equipment, that won't be able to integrate with my regular Cisco environment. 

With Cisco devices, it was easier for me to grab the assets required on the network for installation. With other solutions providers, good luck managing that with any ease.

In my opinion, I would rather ask everyone to have a simple network. If you need multiple networking lines, like for the Cisco ASA or the Firepower NGFW, make sure you have ample tech support. 

There are many issues with connectivity in firewall systems, but Cisco quality is good. The connectivity of your network can really reduce your complexity over firewalls. 

I would suggest if you want to configure a complicated network scenario, go for a next-generation firewall. I would also suggest making your firewall options go to Cisco as they have some influential products right now. 

Once you are pushing the Cisco firewall, you'll be able to actually monitor and confirm each and every traffic coming in or going out of your network. 

Palo Alto Networks or Juniper Networks firewalls are ideal, slightly better than Cisco. They are not as easy as Cisco to use right now, but considering the cost and everything else, Juniper Networks equipment is really good. 

The fact is you need to consider just what you're achieving when you put in Cisco firewalls and implement Cisco routers.  For those on the verge of a new purchase, I would say that going for an expired model of firewall is definitely a good buy.

I would rate the Cisco Firepower NGFW with an eight out of ten points.

We mostly use Cisco Secure Firewall as a VPN concentrator and for its firewall features.

Using Cisco Secure Firewall has helped grow our familiarity with people that know Cisco.

The most valuable feature of Cisco Secure Firewall is its ease of configuration and that it's scalable for firewalls and VPNs.

Changes you make in the GUI sometimes do not reflect in the command line and vice versa.

We have been using the solution since its inception, so, for many years now.

We did not have any stability issues with Cisco Secure Firewall.

We did not see any limitations with Cisco Secure Firewall’s scalability.

We also use Aruba in our organization. We never have to factor in extra development time when we go to a new major version of Cisco. With Aruba, we have a pretty drawn-out development timeline for any upgrades or software improvements. Aruba and Cisco Secure Firewall are very different in their implementation and development.

The initial setup of the Cisco Secure Firewall is very straightforward. The average time it took to deploy the solution was very short. Deploying the VM and automating our configurations took a couple of minutes.

Cisco smart licensing is a hassle for a disconnected environment. However, I haven't licensed anything in a while. There have been many changes, making it easier to license disconnected devices connected to the internet.

ASAv uses the solution as a VPN concentrator and a firewall because it could be used for both. It can be used for landing AnyConnect clients on ASAv and as a firewall.

What sets Cisco Firewall apart from other products is that when we do an update, we know we're not going to break a lot of things, and there are not a lot of bugs. The integration on the Cisco side is pretty good.

Most of our team is familiar with Cisco, and everyone knows what to expect when they log in. So it's easy in that way.

I like the application visibility and control with Cisco Secure Firewall. My only complaint is that the changes made in the GUI sometimes do not reflect in the command line.

I haven't had any problems with Cisco Secure Firewall. It's very straightforward and reliable. Also, it's trustworthy because it has the Cisco name.

Cisco Secure Firewall has helped free up our IT staff for other projects. The product is quite heavy into automation. So with it being Cisco, it is very scalable in generating configs. The solution saves a week or two for implementation and integration.

Cisco Secure Firewall has helped our organization improve its cybersecurity resilience through the reliability aspect.

You know what you're getting when you use an ASAv from Cisco. Cisco Secure Firewall is a great product in terms of reliability and scalability.

Overall, I rate Cisco Secure Firewall ten out of ten.

The main use cases are firewalling, routing, site-to-site VPN, and remote access. We have some older 5585-X ASAs in place. We do have Firepower 2000 Series and 4000 Series. 

For most setups, we do have high availability in place. We've at least two devices in active-active or active-standby. If it's a highly secure setup, we sometimes have two firewalls.

Cisco has a huge variety of products and features. It's a benefit to have the knowledge of all those things and also put it in the firewalling products. The knowledge that comes from other products or solutions that Cisco is selling is finding a place in security as well, and that's one of the key benefits.

There are time savings when you have a good solution in place for stopping or preventing security risks. In general, it isn't saving me time on a daily basis, but there is peace of mind knowing that you are being protected.

Basic firewalling is obviously the most valuable. In addition to that, secure access and remote access are also very useful for us. When COVID came, a lot of people had to stay at home, and that was the basic use case for having remote access.

One con of Cisco Secure Firewalls is that Java is used a lot for the older generation of these firewalls. Java is used for the ASA and the ASDM tool for administration. It's an outdated way of administering, and it's also a security risk to use this kind of solution. This is a pro of Firepower or the newer generation of firewalls because they are using HTML for administration.

In general, they can make it easier to manage the solutions. They can make it easier in terms of administration and provide a single tool for different firewalling solutions. They have different tools to manage different firewalls, such as Firepower or ASA. Sometimes, both are on the same thing. You have ASA with Firepower modules, so you manage some of the things via HTML, and then you manage some of the things via another management tool. It's not seamless. It should be bundled together in one solution.

I have been using this solution for six to seven years.

They have been very stable. I did not have any cases where a network was down due to firewalling. Fortunately, I did not have any hacker attacks, but that's being lucky. It's not something I would point out to firewalling or configuration. It's just that sometimes you're lucky and sometimes you're not.

It's very scalable. Cisco is for mid to large businesses. For small businesses, there are solutions that are cheaper, but that's not the main focus. 

A large environment comprises several thousand users. We have small to large size environments, but we mostly have mid to large.

Cisco's tech support is good in general. It varies and depends on with whom you're speaking and how the knowledge on the other side is. That's basically the same for our company. I'd rate them an eight out of ten. A ten would be perfect, and no one is perfect. You can reach maybe a nine, but no one can reach a ten.

Positive

For more security, we sometimes have two firewalls. We have other vendors in place, such as FortiGate or Palo Alto. We have Cisco at the front or at the end, and another vendor on the other side so that there is more security, and if there is a security breach in one solution, we still have the other one. These firewalls differ mostly in administration and how you configure things but not so much in terms of features. They may differ in small things, but in the end, they are all doing the same things.

I deploy and manage them afterward. I'm not only in the designing and implementing; I'm also in the operational business. Its deployment is not more complicated than other solutions. It's fine. When it comes to documentation, in general, Cisco is very good.

We mostly try to do it ourselves. Our approach is to have knowledge or any certification of the topic we are trying to take.

I'm not a salesperson. I'm more from the technical perspective, and I don't know if there are any savings at the end, but I believe that all that was bought in the past was used the way we wanted it to use. So, the money was well spent.

Licensing is not only for Secure Firewalls, and it's too complicated.

To someone evaluating or considering Cisco Secure Firewall, I'd advise having a good greenfield approach regarding what component to use. If there is no greenfield, you should evaluate what solutions you need and what type of use case you have and then decide based on that.

I'd rate Cisco Secure Firewall an eight out of ten. Cisco is a big player in networking and security, and that's basically the pro on their side.

Remote access through the VPN wasn't available in the old firewall that we used, so that was a value-add. That's one way Cisco ASA has impacted our company. Also, from an administrator's perspective, newcomers have a shorter learning curve working with the ASA firewalls.

Also, when we deployed it on the data center firewalls, we did some microsegmentation using different subnets for the whole environment, including UAT and production. We didn't have segmentation before, but with the growing security needs, we segmented the servers. For each of the subnets we made different gateways on the firewall. That helped us achieve the requirements of the latest standards.

Thanks to the IPS, the malicious traffic has dropped. Initially, when we deployed the IPS, it gave us some problems. But after a week or two, it worked very well. I used a balanced security policy when I integrated it with the FMC server. On the FMC, the GUI gives me a very good, extensive view of what traffic is getting dropped and at what time. It gives me all the visibility that I need.

• The normal firewalling features are very good. You can easily create objects and work with them. 
• The AnyConnect software for remote VPN is an added feature on the firewall that works very well in our environment.
• The IPS is another important feature that I use. It doesn't impact the overall performance of the ASAs.

All of these features work fine.

Cisco ASA works very nicely from an administration perspective. The management of the device is very nice. The ASDM (Adaptive Security Device Manager) is the software that we use and it is very easy to configure using the GUI. If you are familiar with the ASDM software, it's very easy for anyone to handle. The CLI isn't different from other Cisco CLIs, so that makes it easy as well.

Also, the visibility when doing packet inspection on the ASA, using the ASDM GUI, works well. You can go to the monitoring part and see the live logs, the syslogs. All the traffic events are displayed in the syslog. You can filter on whatever event you are interested in and it is visible to you in no time. It provides a real-time display of the traffic. Troubleshooting issues is very easy using ASDM. 

In addition, if you want to do some captures at the interface level, there's a packet tracer, a tool within the ASDM and the ASA, which is available on both the GUI and the CLI. That is on the newer firewalls as well and it's very nice. It shows you the life cycle of a packet within the firewall, from entry to the exit, and how many steps it goes through. It really helps while troubleshooting. I'm very satisfied with that.

The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics.

For example, if the ASA Firewall's software has to be upgraded, it has to be compatible with the IPS software—the FireSIGHT software. So that has to be upgraded as well, in addition to the ASDM software that you use to manage the firewall using the GUI. Besides that, if you are using the remote VPN part of the firewall, there is the AnyConnect hidden software that also requires an update.

So upgrading is a very extensive exercise, both when you're planning it and when you are doing it. The upgrades are very lengthy. Then Cisco introduced FTD as a unified approach, and that was a leap forward, but it has its own issues.

I've been working as a Cisco partner for about four years. Before that, I was using Cisco firewalls as a network admin. I've been engaged with Cisco firewalls since 2015.

On the FTD (Firepower Threat Defense) model, I've been working with version 6.7. I haven't tried the latest 7.0 version.

The robustness of the ASA is very good. Whenever you upgrade it, it does very well. There are no hiccups or hitches, post-upgrade.

Cisco's TAC provides very good support. If you have any issues, you can contact them and they provide assistance. You need a subscription for that. The subscription comes with a notable cost but you get great value from it. I'm very satisfied with it. 

The tech support of Cisco is unparalleled if I compare it to any other product that I have used. I've been using Citrix, Juniper, and even Palo Alto, but the support that I get from Cisco is very good. It's easy to get support and the engineers get engaged. Sometimes they provide more than you need. For example, if there are design-level issues, they will tell you that it isn't implemented well and that there are things that need to be corrected. That's not their responsibility but they'll provide that feedback.

I consider Cisco support to be the industry standard.

Positive

I've seen Cisco deployed for five to seven years. The product life cycle is good and they're continuing to support things. If you add more features and utilize it to the maximum, using the remote VPN and the like, it becomes more cost-effective. 

Having the IPS part within one box also saves you on costs. Back in 2015, the IPS was a different box that had to be deployed separately. At that time, it cost more if I had to buy another IPS and a box.

Before ASA, we were using Juniper. It had a GUI, but the CLI part of Juniper was difficult. The network administrators required a little bit of a different type of expertise. Juniper was very good, but its CLI wasn't as simple as Cisco's. When somebody new comes into the company to work on the firewall, the Cisco learning curve is relatively short and easy.

Nowadays, everybody is working with Cisco. Juniper has almost been phased out. Some people use Juniper for certain reasons, but there's a very specific clientele for it.

We went with Cisco because it is very easy to operate. It provided next-generation firewalling when it came out with ASA plus Sourcefire IPS. That was very effective at that time, compared to the others.

These days, Palo Alto is matching Cisco and, in some ways, Palo Alto is better. From 2015 to 2018/19, Cisco was considered to be the best. The security leaders are always preferred and Cisco was a leader. That's why we preferred it.

We were also always happy with Cisco support. It was very convenient to get to Cisco support, and it was very prompt and effective. They really solved our problems.

The Nextgen firewalls have a good IPS, but that IPS part wasn't very configurable using the ASDM. Later, they introduced the FMC (Firewall Management Center) and we could integrate the ASA with the FMC and get the IPS configured from the FMC GUI. That was good, but you needed two things to monitor one box. For the IPS you needed an FMC server, and for the firewalls, you needed the ASDM or the CLI.

In terms of integration with other solutions, it is a simple firewall that is integrated with the syslog servers and the SNMP monitoring from the NMS. Those types of simple things work very well. I haven't worked with much integration beyond that. You can't attach that many feeds to it. That's more a function of the Next-Generation Firewall with the IPS and FMC.

SecureX is a relatively new cloud-based solution. It's been around for one or two years. It's offered for free if you have any Cisco security solution. It encompasses ADR and NDR. The clients I work with in Pakistan are mostly financial institutions. Because it's a cloud-based security solution, they are not interested. They want on-prem solutions.

It is the primary data firewall for our organization and our data centers.

We have faced multiple issues regarding bugs with Cisco Firepower products. A running product is hit with bugs most of the time, and we had a lot of challenges in using the Cisco Firepower product, actually. In the future, we are planning to replace it, or at least use it instead as a secondary firewall.

The content filtering is good. 

The maturity needs to be better. The product is not yet mature. A running product is hit with the software bugs most of the time, and whenever we then log a case with the tech team, they're sometimes helpless with that. They have to involve the software development team to fix that bug in the next release. It's not ideal. Being an enterprise product, it should be mature enough to handle these types of issues.

I've been using the solution for the last three years. 

The performance is okay, however, the product is not stable. It is all hit with CVL software bugs routinely. That portion requires attention from Cisco and the tech support in this area is somewhat delayed. An open ticket can sometimes take more than two to three months to resolve. For the production setup, it is tough to rely on the tech team alone for the closure of the case.

The solution is very scalable. 

Cisco support is always available. However, multiple times, it has been tough for them to fix the software bugs in the product. They have to then deploy their development team for the same ticket.

Earlier we used the Cisco ASA Firewall. Now, it has been phased out. Firepower is categorized as the next-generation firewall, however, we haven't found the utility of that level in this product. It lacks maturity at many levels.

We have two data centers at two geographical locations. We have two firewalls - one in one data center, at the perimeter, and another at a different location.

The initial setup was okay. We had more of an in-between partner doing the installation part since the product was also new to us. The product was part of my overall product solution. We procured a firewall and another ACL fabric portion for the data center. Overall, the solution installation took over seven to eight months.

We had two people assist with the deployment process. 

We used an integrator for deployment. Overall, the experience was positive. 

There is no ROI. It is functioning as a normal firewall, as a data center perimeter, however, we expected much more than that. At times, there has been downtime with the firewall, and our custom modifications have won at a very high level. The product has to be mature when it is being used at the enterprise level.

The solution offers mid-range pricing. We can get a cheaper product like Fortinet, and we can get a costlier product like Palo Alto, and these are all in the same category.

There's only one license based on the support. Cisco Firepower is priced on the support of the product that we require: with SSL and without SSL. Currently, we are not doing any SSL inspection. We have an ATP report firewall.

When we were looking for a product, we put it through tender and we put out specifications of the product that we required. Cisco had the lowest price. We evaluated the L1 after it was technically qualifying. That is how we acquired it.

We looked at Palo Alto, however, it was far too costly.

We are a customer and an end-user. 

It was earlier named Sourcefire. Cisco acquired that company and rebranded it as Firepower.

We are actually a public cloud provider. We offer data center services to clients.

I'd advise others considering the solution that, for implementation, the product needs some stability and maturity to be offered as a next-generation firewall at an enterprise level. If a company is in need of an enterprise-level solution, they need to be aware of this.

I'd rate the solution a five out of ten. 

The product needs maturity in terms of running without hitting a bug. We have used other products also. A running product is never hit with a bug. It is normally some vulnerability or something that needs to be attended to, however, a running product is seldom hit with a bug and the operation gets stalled. We rarely find this kind of thing in an enterprise scenario. That is what we ask from Cisco, to build a stable product before offering it to customers.

We use the Cisco firewall for a number of things. We've got VPN tunnels, IPsec tunnels. We also use it for basic network layer filtering for our internal service, because we have a number of services that we offer out to clients, so that is the first device that they come across when they get into the network.

We have a network of six remote sites and we use proxy to go to the internet, and from the internet Cisco is the first line of defense. We have internet banking services that we offer to our clients, and that also makes use of the Cisco firewall as the first line of defense. And we've got a number of servers, a Hyper-V virtual environment, and we've got a disaster recovery site.

We had VAPT (vulnerability assessment and pen testing) done by external people to see our level of security from inside and outside and they managed to find some deficiencies inside. That's when they recommended that we should put in network access control. By integrating the ASA with Cisco ISE, that is what we are trying to achieve.

The whole idea is to make sure that any machines that are not on our domain should not be able to connect to the network. They should be blocked.

We also have Cisco switches deployed in our environment. All our active switches are Cisco. The ASA is integrated with them. This integration was done by a combination of our Cisco partner and in-house, because we did this at the time of setting up the infrastructure in 2016.

The benefits we see from the ASA are connected to teleworking as well as, of course, having the basic functionality of a firewall in place and the prevention of attacks. The VPN is also helpful.

Among the most valuable features are the reports which are generated according to the rules that we've put in place to either block traffic or report suspicious attempts to connect to our network. They would come standard with any firewall and we're always monitoring them and taking any corrective steps needed.

We have the ASA integrated with Cisco ISE for network access control. The integration was done by our local Cisco partner. It took them about a month to really get the solution up and running. I would like to believe that there was some level of complexity there in terms of the integration. It seems it was not very easy to integrate if the experts themselves took that long to really come up with a working solution. Sometimes we had to roll back during the process.

Initially, when we put it up, we were having issues where maybe it would be barring things from users completely, things that we wanted the users to access. So we went through fine tuning and now I think it's working as we expect.

We have been using Cisco ASA NGFW since 2016, when we launched.

The ASA is utilized 100 percent of the time. It's up all the time as it's a perimeter firewall. It's always up. It's our first line of defense. It's quite robust, we've never had issues with it. It's very stable.

We haven't maxed it out in terms of its capacity, and we've got up to about 200 users browsing the internet at any given time. In terms of throughput, we've got an ASA 5525 so it handles capacity pretty well. There aren't any issues there.

We have a Cisco partner, so if ever we did have issues we'd go through them, but up until now — this bank has been open for four years — we've never had an issue with the Cisco firewall.

We went with Cisco because it's a reputable brand and we also have CCNP engineers in our team as well. It's the brand of choice. We were also familiar with it from our past jobs.

The ROI is the fact that we haven't been attacked.

It's a brilliant firewall, and the fact that it comes with a perpetual license really does go far in terms of helping the organization in not having to deal with those costs on an annual basis. That is a pain point when it comes to services like the ones we have on FortiGate. That's where we really give Cisco firewalls the thumbs up.

From the point of view of total cost of ownership, the perpetual licensing works well in countries like ours, where we are facing challenges with foreign exchange. Trying to set up foreign payments has been a challenge in Zimbabwe, so the fact that we don't have to be subscribed and pay licenses on an annual basis works well. If you look at FortiGate, it's a good product, but we are always under pressure when renewal time comes.

Where Cisco falls a bit short is because of the fact that, if I want IPS, I have to buy another license. That's why I have my reservations with it. If I want Cisco AnyConnect, I have to buy another license. That's where we have challenges. That's unlike our next-gen FortiGate where everything comes out-of-the-box.

My advice is "go for it," 100 percent. If ever I was told to implement a network, ASA would definitely be part and parcel of the solution.

The biggest lesson we've learned from using the product is about the rapid growth of the product's offerings.

In terms of the maturity of our organization's security implementation, I would like to believe that we are about midway. We still need to harden our security. We need to conduct penetration testing every two years and, resources permitting, maybe yearly. The guys out there who do cyber security crimes are becoming more and more advanced, so there is a need for us to also upgrade our security.

We have a two-layer firewall setup, which is what is recommended as the standard for the payment card industry. We probably need solutions linked with cloud providers from the likes of Cisco, and to put in some bank-grade intrusion detection solutions. Because we have already adopted two technologies, Cisco and FortiGate, we might be looking at solutions from those two providers.

We're also looking at end-point security solutions. We've been using the one which comes with our Office 365 and Microsoft product, Windows Defender. We are going to be trialing their new end-point management solution. We are trying to balance things from a cost point of view and providing the right level of security.

In addition to Windows Defender and the firewalls — ASA and FortiGate — and the network access control, we also have SSL for the website.

As for application visibility and control, currently we're just using logging. We don't have the Firepower installed, so it's just general logging and scheduled checks here and there. As for threat visibility, for us the ASA is a perimeter firewall. Behind that firewall we have an IDS and an IPA. We actually have the license for Firepower but we haven't implemented it; it was just an issue of priorities at the time.