What advice do you have for others considering Cisco ASA NGFW?

If you're looking for a complete solution, such as URL filtering and threat protection, we recommend Palo Alto firewalls, but this Cisco product is also good. We are using three to four security tools: one for web security, and another tool for application security, and another for email security. For email we have an Office 365 email domain so we are using other tools for that. For firewall security we are using Cisco ASA, Palo Alto, and Fortinet for protecting our business. We have about 15 people on my team managing the solutions. They are network admins, and some are in security.

I would recommend this solution. If you have the money, it's a very stable product. Make sure to keep critical spare parts. You might have for instance some modules that will need acceleration cards and those types of things. I would rate it a nine out of ten.

The biggest lesson I've learned so far from using the next-gen firewall is that it has visibility up to Layer 7. Traditionally, it was IP or port, TCP or any protocol we were looking for. But now we can go all the way up to Layer 7, and make sure STTP traffic is not a bit torn. That was something that we did not have before on the up-to-Layer-3 firewall. Do your research, do your homework, so you know what you're looking for, what you're trying to protect, and how much you can manage. Use that to narrow down the devices out there. So far, in our environment, we haven't had any issues with the ASA firewalls. From the first-gen, we have seen that they are pretty good. We are pretty content and happy with them. The solution can help with the application visibility and control but that is one portion we have really not dived into. That's one of the things we are looking forward to. As a small utility, a small organization, with our number of employees available, we can only stretch things so far. It has helped us to identify and highlight things to management. Hopefully, as our staff grows, we'll be able to devote more towards application visibility and all the stuff we really want to do with it. Similarly, when it comes to automated policy application and enforcement, we don't use it as much as we would like to. We're a small enough environment that we can do most of that manually. I'm still a little hesitant about it, because I've talked to people where an incident has happened and quite a bit of their devices were locked out. That is something we try to avoid. But as we grow, and there are more IoT things and more devices get on the network, that is something we'll definitely have to do. As DevNet gets going and we get more involved with it, I'm pretty sure more automation on the ASA, on the network side and security side, will take place on our end. We do find most of the features we are looking on the ASA. Between the ASA firewall and the Sourcefire management console, we have pretty much all the features that we need in this environment. In terms of how the solution future-proofs our organization, that depends. I'm waiting to find out from Cisco what their roadmap is. They're still saying they're going to stick with ASA 55 series. We're also looking at the Sourcefire FireSIGHT product that they have for the firewalls. It depends. Are they going to continue to stick with the 55s or are they going to migrate all that into one product? Based on that, we'll have to adjust our needs and strategize. If I include some of the hiccups we had with the 5506 models, which was a sad event, I would give the ASAs a nine out of ten.

The biggest lesson I've learned from using the ASAs is the fact that they can do a lot. It's just figuring out how to do it. We don't do a lot, although once in a while we will do something a little interesting. These things can do more than what we're using them for. It's just a matter of our trying to figure it out or getting with our Cisco rep to figure it out. My advice would be to have a good handle on your rules and, if you can, take the upgrades easily. We have desktop security, application security, and then we have Umbrella. We use five or six different tools for security, at least. It would be nicer to have fewer but as far as I know there isn't one tool that does it all. We do application firewall rules where it does deep packet inspection and looks at certain things. We don't use it as much as we should, but we do application inspection and have rules that are based on just an application. We usually have two people on a call when we do maintenance, and we usually have Cisco involved. It's usually me and a colleague who is also a network/security engineer. I would rate the ASA overall at eight out of ten. The thing that comes to mind with that rating is the code. As I said, we just upgraded to 6.4.04 and we ran into a handful of bugs. We've done upgrades before and we've run into a bug as well. Just last week, we finished upgrading, and I still have one final service request, a TAC case, open. I had four open at one point. That's at the forefront of my thoughts right now.

Think before you buy, as this solution can be your success or failure. Always work with professionals and not promoters.

For any organization looking for a secure solution that can be deployed in their domain or infrastructure, my advice is to go with Cisco Next-Generation Firewalls because they have a complete bundle of security features. There is a single pane of glass with complete management capabilities and analytic features to understand and gather information about the traffic. The lessons that most of our clients have learned is that in deployment it is easy to configure and it is easy to manage. It's quite stable and they do not get into difficulties in terms of day-to-day operations. We haven't faced any problems with this product. Compared to other OEMs, such as Juniper and Fortinet, Cisco's product is excellent. There are no bugs and I don't see any lack in terms of backend and technical support. In my opinion, at the moment, there is no room for product enhancement. Most of the users are system administrators working on their own domains. The minimum number of users among our clients is a team of 15 to 20 we have clients with up to 700 users at the largest site. The product is quite extensively used in each department, to protect assets and data centers. We are using the attack prevention engine and URL filtering is also used at most of our sites. We are also using it for data center connectivity and for offloading transactions. I would rate Cisco at ten out of ten for the functionality and the features they provide.

My advice to anybody who is considering this solution is not to think twice about it. There are a lot of features that come with the cost. These institutions secure our network and they have to do research. The price of this solution is justified when you consider that it secures our network and protects our valuable assets. This is a very good solution but it is not perfection. I would rate this solution a nine out of ten.

This is the number one firewall product that I recommend. I would rate this solution an eight out of ten.

We are using the on-premises deployment model. My advice for those considering the solution is this: if you want to migrate something, plan enough time for testing before you come over to the solution. You should also watch as many webinars as you can about that solution, or get a consultant and do a proper lab set up and go through the whole thing with them. It's is definitely worthwhile, given the complexity of the whole product. I would rate the solution nine out of ten.

In the future, I would like to see friendlier configuration and only one license because everything needs a license. You need a URL license, security license, everything is based on a license. I would like to have one license that covers everything. But I am really impressed by the program and my rating is nine out of ten.

I would advise someone considering this solution to have a technical support or maintenance contract with the vendor or a third-party to help maintain the product. Without help with maintenance, there is no value to the product. You should have a good technician and admin support for all this product in order to maximize the value and benefits. I would rate it an eight out of ten.

On a scale of one to ten with one being worst and ten being best, I would rate Cisco SourceFire Firewall as a nine. It could easily be a ten if it had a better GUI interface. As far as making recommendations to other people about the product, I recommend they buy it if they need an enterprise solution. Also, I would recommend other Cisco solutions like Cisco AMP (Advanced Malware Protection). I think most large companies that require strong security should always use Cisco because it's stable, scalable, and has many features. Enterprise organizations will benefit from Cisco because their business requirement will be more complicated and require a better solution and more flexibility. I think all the companies should use Cisco because it's number one the market and has the best security, better stability, and better scalability.

I would recommend this solution. I would rate this solution as eight out of ten.

As far as rating this product, I would give it a nine out of ten. The only real drawbacks are the lack of multi-monitoring and not really having clear instructions prior to jumping in and implementing it.

This is a good product from a trustworthy vendor, but it is not perfect. I would rate this solution an eight out of ten.

This is a very straightforward firewall. There is a management platform with its own operating system. Just make sure that everything is set up properly for your uplink switches because that is an issue that we ran into. I would rate this solution a nine out of ten.

With this solution, we have everything that we need. I don't know about other people's use cases, but ours is pretty straightforward. My advice to anybody researching this type of solution is to stick with Cisco products, no matter which one it is. We've had pretty good luck with everything from Cisco. I don't have any issues with this solution, so I would rate it a ten out of ten.

I would advise that If you want something robust, a good hardware solution, I think it's competitive and you have a good warranty, you have to choose Cisco. I would rate the solution 8 out of 10.

Watch out for the marketing hype vs objective reality. Do the advertised features actually work correctly/effectively? We chose a different solution after performing in-house testing.

For the Cisco ASA NGFW, it is a bit more expensive than other products, but their method is a lot more stable in my experience. It has all the features that you would need in a next-generation firewall. They are always developing new features and introducing them. I don't have anything that I'm currently missing with Cisco. On a scale from one to ten, I would rate the product at eight.

In Georgia, there is no problem using the Cisco firewall, because it's accessible. You cannot use other products, because they are not accessible. That's the whole problem. I would rate Cisco ASA NGFW an 8 out of 10.

Cisco ASA is a good solution. I never had a problem with. I will say that I mostly recommend Fortinet because of their ease of management and Palo Alto Networks because of their reputation for business efficiency. I would rate Cisco ASA with an 8 out of 10 points.

I always encourage our existing customers to move to the Cisco ASA Firepower version, i.e. the next generation Firepower like 2100, 4000, or 9300. I would rate Cisco ASA an eight out of ten. An eight and not a ten because some of the features are limited and some are awful. We had to install other solutions for security and had to spend a lot on other hardware. Other vendors like Fortinet or Palo Alto Networks focus more on offering complete solutions.

I would advise someone considering this solution to just go for it. It's expensive but it's a robust solution. The only thing is that you have to convince your finance guy to go for it. I would rate it a nine out of ten.

I would recommend the product, but cost is a big factor. Some companies cannot afford expensive products, like Cisco and Palo Alto.

I am satisfied with the current facility and the management environment of the Cisco ASA, it's great for me. I think that the cost would be the main factor when evaluating solutions since some of the companies or some of our clients ask about costs upfront. Once the client has made their initial request and inquired about any subsequent subsystem connectivity integration ideas, they always want to know how much everything will cost. The deciding factor is mainly based on the price point of the total user solution. Overall, the criteria that we consider when constructing an integration decision depends largely on the client company we are working with. We evaluate clients based according to their size, industry function, and the total budget that would be recommended for an effective solution. I would give this product a rating of 9 out of 10!

I would rate this solution a nine out of ten. Not a ten because I'm reserving the one point for whatever new surprises they are going to provide.

I would rate it a seven out of ten. I would recommend this solution to a colleague. No product will give you 100% of what you're looking for but this solution is close.

This solution has good security and it's a good product. You can trust Cisco, and there's support as well, which is really good. I would rate this solution an eight out of ten.

We like that Cisco has a lot of experience on the market trends.

Yes, it's a good provider when it comes to firewall solution, but maybe limiting when you are looking at the wall UTM management. It's delayed behind some of the competitors.

Talk to your peers in the industry, find out what they use and why, and then look at exactly what you're using it for. We changed a great deal of our infrastructure, adding a lot of extra tunnels, so that made a complicated product even harder to manage. Look at what you're comfortable in managing with their interface. We start looking at upgrade cost, our constant licensing cost. I look at other products that rank very high in industry ratings. Now I'm looking at similar products that are a little bit easier to manage. That is another fault of the ASA. They're very complicated to manage, but that’s because they have so many features. It's a very feature-rich product. When selecting a vendor the most important factors are * Security - obviously that is number one because we are a financial institution * stability of the vendor * how the product is ranked in the market. In terms of security, right now is a really tough time for us because, even as a smaller community bank, we’re targeted. We have huge targets on us right now from hackers. I have to have a product that is stable, that will hold up, from a reputable company. I'm looking at companies that are top-tier. I would rate the ASA equipment itself a nine out of 10. The software and manageability would rate a seven and the reason for that is the complexity of it. It is extremely complicated, even for our Cisco-certified person who manages it for us.

Do your research, know what you want to achieve. Cisco ASA needs to be more reliable. Because of the nature of the product, it has to be rock solid and, unfortunately, it's not.