Technical Solutions Architect at NIL Data Communications
Real User
2022-08-05T05:35:00Z
Aug 5, 2022
We're reaching [the point] where we want it to be. If you go 10 years back, we did miss the bus on bringing in the virtual versus the physical appliance, but now that we have had it, the ASAv, for a few years, I think we are doing the right things at the right place. The only improvement that we could make is maybe [regarding] the roadmap, to have better visibility as to what we are targeting ahead in the next few quarters. That is where we, as partners, can also leverage our repos with our customers and make them aware that there might be some major changes that we may have to introduce in their networks in the near future.
Assistant Ict Manager at a transportation company with 51-200 employees
Real User
2022-07-17T18:17:00Z
Jul 17, 2022
Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked. The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other. When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even FortiGate can. A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the ISPs you have, and giving you the best output. I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.
Director & CIO of IT services at Connectivity IT Services Private Limited
Real User
2022-07-04T22:26:00Z
Jul 4, 2022
There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track. We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that. Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.
Network Automation Engineer at a financial services firm with 1,001-5,000 employees
Real User
2022-06-29T13:22:00Z
Jun 29, 2022
Cisco wasn't first-to-market with NGFWs. That is one of the options now. They did make an acquisition, but other vendors got into that space first. I would tell Cisco to move faster, but everything moves at the speed of light and it's hard to move faster than that. But they should look at what other vendors are doing and try not only to be on the same wavelength but a little bit better. It's hard to be critical of Cisco given that they pave the way a lot, but they should see what their peers are doing and try to emulate that. In terms of additional features, perhaps there could be some form of integration with the cloud. I don't know how much appetite we would have for that given the principle of keeping a lot of the sensitive data on-prem. But some integration with the cloud might be useful, given that the cloud is everything you see these days. We have our on-premises devices, but maybe they could provide an option where it fails over to a cloud in a worst-case scenario.
Network Architecture Design Engineer at a comms service provider with 10,001+ employees
Real User
2022-06-26T16:26:00Z
Jun 26, 2022
The access layer of this solution could be improved in terms of the way the devices interconnect with our network. We need to be able to analyze the traffic between the different interconnections in these areas. In a future release, we would like to have an IP analyzer to try to identify the specific comportment of the customers.
Data center design at a comms service provider with 10,001+ employees
Real User
2022-06-15T17:27:00Z
Jun 15, 2022
It needs to provide the next-generation firewall features that other vendors provide, like data analytics, telemetry, and deep packet inspection. Also, the ASAs need to be improved a little bit to keep up with the demand for high bandwidth and session count applications.
One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes. To have that kind of feature, it's more than likely there would need to be some kind of storage on the device, but those boxes were designed a number of years ago now. They weren't really designed to have that built-in. Having said that, if you do reflash into the FTD image, and you've got the Firepower Management Center to control those devices, then all that logging is kept within the Firepower Management Center.
Senior Network Engineer at Pinellas County Government
Real User
2022-06-14T02:26:00Z
Jun 14, 2022
The one thing that the ASAs don't have is a central management point. We have a lot of our environments on FTD right now. So, we are using a Firewall Management Center (FMC) to manage all those. The ASAs don't really have that, but they are easy to use if you physically go into them and manage them. I would like ASAs to be easier to centrally manage. Currently, in our central management, we have almost 100 firewalls in our environment, and it is almost impossible to manage them all. ASAs are now about 20% of them. We have been slowly migrating them out, but we still have some. Normally, what we would do with ASAs is physically go into those devices and do what we need from there, whether it is find rules, troubleshoot, or upgrade.
Chief Digital & Technical Officer at Capital Express Assurance Limited
Real User
2022-06-03T05:56:00Z
Jun 3, 2022
It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive.
Team Leader Network and Mail Team at an energy/utilities company with 10,001+ employees
Real User
2022-05-02T16:10:00Z
May 2, 2022
The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics. For example, if the ASA Firewall's software has to be upgraded, it has to be compatible with the IPS software—the FireSIGHT software. So that has to be upgraded as well, in addition to the ASDM software that you use to manage the firewall using the GUI. Besides that, if you are using the remote VPN part of the firewall, there is the AnyConnect hidden software that also requires an update. So upgrading is a very extensive exercise, both when you're planning it and when you are doing it. The upgrades are very lengthy. Then Cisco introduced FTD as a unified approach, and that was a leap forward, but it has its own issues.
It is hard to control the bandwidth of end-users with a Cisco Firewall. That is the main issue I've faced. I used MikroTik for many years for this very reason. MikroTik has the option to set a bandwidth restriction for a single IP or complete segments. Cisco should add this option to their firewall.
The virtual firewalls don't work very well with Cisco AnyConnect. There are two ways of managing it. You can manage it through the GUI-based software or command-line interface. I tried to use its GUI, but I couldn't understand it. It was hard for me. I know how to use the command line, so it was good for me. You should know how to use the command-line interface very well to make some changes to it. Its management through GUI is not easy.
Network Administrator at a transportation company with 201-500 employees
Real User
2021-08-20T22:40:47Z
Aug 20, 2021
Cisco ASA Firewall could improve by adding more advanced features such as web filtering, which is available in the next-generation firewalls. However, the Cisco ASA Firewall I am using could be old and these features have been updated.
Network Engineer at a tech services company with 51-200 employees
Real User
2021-08-10T15:48:00Z
Aug 10, 2021
When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough. One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.
Head of Network Administration Section at Zemen Bank S.C.
Real User
2021-08-10T05:52:00Z
Aug 10, 2021
Its licensing cost and payment model can be improved. Cisco doesn't provide training and certification for engineers without payments. Other companies, such as Huawei, provide the training for free. Their subscription and licenses are also free and flexible. Other products are breaking the market by providing such features. It doesn't support all standard interfaces. It is also not suitable for big companies with high bandwidth traffic. Its capacity should be improved. Other products are becoming easier to access and configure. They are providing UI interfaces to configure, take backup, synchronize redundant machines, and so on. It is very easy to take backup and upgrade the images in those products. Cisco ASA should have such features. If one redundant machine is getting upgraded, the technology and support should be there to upgrade other redundant machines. In a single window, we should be able to do more in terms of backups, restores, and upgrades.
Assistant Director IT at a university with 51-200 employees
Real User
Top 10
2021-06-12T19:57:51Z
Jun 12, 2021
The solution lacks the abilities of an FTD type which are the abilities we need, and they are not in the firewall. We're looking for a next-generation firewall instead. The graphical interface could be improved. From what I have seen, Fortinet, for example, has a nicer GUI. The solution needs to be easier to use. Right now, it's overly complicated. The initial setup is a bit complex. The cost of the solution is very high. The product should add free URL filtering. It's another product, or part of another product, however, it should be available as part of this offering as well.
Sr Technical Consultant at a tech services company with 51-200 employees
Real User
2021-05-18T18:20:51Z
May 18, 2021
There is huge scope for improvement in URL filtering. The database that they have is not accurate. Their content awareness and categorization for URL filtering are not that great. We faced many challenges with their categorization and content awareness. They should improve these categorization issues.
The solution has not had any layer upgrades. It does not have layer five and upwards, it only has up to layer four. This has caused some problems for us. In the future, it would be wonderful to have an antivirus, log analyzer, and PDF/Excel data exportation features built into the solution. The data export would be great to be able to look at the access list.
Network Engineer at LIAQUAT NATIONAL HOSPITAL & MEDICAL COLLEGE
Real User
2021-05-05T12:14:43Z
May 5, 2021
Most of the firewalls, almost 90%, 95% of the firewalls, will move to GUI. This is the area which needs to be improved. The graphical interface and the monitoring level of the firewall need to be worked on. Most of us are using the monitoring software where we get the alarm, then details of the servers, et cetera. This aspect needs to be much updated. From just the security point of view, in the security, it needs to be updated every day and every week. It is getting better day by day; however, from a monitoring point of view, it is not the same view as we have on the different monitoring servers or monitoring software, such as PRTG and SolarWinds. It needs to be changed and improved. Cisco has launched its multiple products separately. Where there's a new version of the hardware, there is Firepower in it. However, there must be a solution for an integrated version that includes everything in your network and your firewall as well so that you can manage and integrate from the same web portal without going to every device and just configuring it and just doing everything separately. It would be ideal if a solution can be configured separately and then managed centrally on one end. We have more than one Cisco firewall and it is difficult for me to integrate both on the single UI. If I have three firewalls and one is a normal firewall, I need to configure everything separately. I can't have it on the same port or integrated on the same single IP or bind it something like it.
It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.
Network Security Engineer at a tech services company with 51-200 employees
Real User
2021-02-02T12:44:22Z
Feb 2, 2021
I think the ASA layer is thin. It's always Layer 3 or Layer 4 source controller and doesn't control the Layer 7 traffic at all. It's important, and you'll need an additional firewall. All next-generation firewalls don't have much control over Layer 7, but there's a little bit of control for inspection. ASA never controlled Layer 7, and it's a bad point. I don't like to use ASDM, a graphical interface, and other solutions for ASA. I wouldn't say I like this, and it's not good (ASDM).
Cyber Security Consultant at a tech services company with 51-200 employees
Reseller
2021-02-01T14:28:16Z
Feb 1, 2021
They need to do an overhaul of the management console because they are still using the client-based management tool, which is quite outdated in terms of functionality and usability. The interface hasn't changed since the last generation many years back.
Senior MIS Manager at a tech company with 201-500 employees
Real User
2021-01-26T12:32:12Z
Jan 26, 2021
The solution is difficult to use. There's more required than a typical firewall. It's different than, for example, Palo Alto and Fortinet, which we find are easier to set up. If the implementation was easier, it would be a lot better for us. It would be such a great product for us if it was easier to manage.
System Engineer at a tech services company with 501-1,000 employees
Real User
2021-01-21T19:04:12Z
Jan 21, 2021
The configuration is an area that needs improvement. In the next release, I would like to see the UI include or provide web access, and more integration.
Network Administrator at a manufacturing company with 10,001+ employees
Real User
2021-01-15T06:58:39Z
Jan 15, 2021
It is hard to collaborate with our filtered environment. If Cisco could combine the Bottleneck feature of ASA, their platform called Umbrella, and the other team they have that has similar malware protection into one, this would be perfect.
Presales Engineer at a comms service provider with 51-200 employees
Real User
2021-01-09T14:15:32Z
Jan 9, 2021
It would be ideal if the solution offered a web application firewall. We've had some issues with stability. The solution has some scalability limitations. The firewall itself has become a bit dated. The pricing on the solution is a bit high. Some individuals find the setup and configuration challenging.
Network Consulting Engineer at a comms service provider with 201-500 employees
Real User
2021-01-06T13:48:43Z
Jan 6, 2021
The SecureX ASA administration platform should be improved. The orchestration of modules should be improved. I would like to see the inclusion of a protocol that can be used to protect databases. This would be a good feature to have added.
The graphical interface should be improved to make the configuration easier, to do things with a single click. There should be better integration with open-source products because some of our clients use them. It would be helpful if they integrated well.
Information Security Manager at a financial services firm with 501-1,000 employees
Real User
2020-12-28T16:02:54Z
Dec 28, 2020
In the next year, we are planning to migrate to the Cisco Firepower. Our planned product would be Cisco Firepower 20 or the 40 series. In the next release, I would like to see the VPN and UTM features included.
Data Analyst at a hospitality company with 201-500 employees
Real User
2020-12-23T23:36:31Z
Dec 23, 2020
We haven't been working with the product for too long, and therefore I haven't really found any features that are lacking. So far, it's been pretty solid. One of the things that would make my life easier on ASA, especially for the CLA, is if it had an ASBN feature, specifically for the CLA. This would allow you to be able to see at once where a particular object group is being used without having to copy out all the object groups that have already been created. I don't have to see all the object groups that have been created on that firewall. That's just something that I would really appreciate on the CLA, even though it already exists on the GUI.
Enterprise Integration Architect at an insurance company with 10,001+ employees
Real User
2020-12-23T13:14:37Z
Dec 23, 2020
The content filtering on an application level is not as good as other solutions such as Palo Alto. While the price is fair with all of the features that it has, it should be cheaper.
Manager IT & Security at mCarbon Tech Innovations Pvt., Ltd.
Real User
2020-12-22T10:59:10Z
Dec 22, 2020
It is my understanding that they are in the process of discontinuing this device. They are in the process of shutting down this ASA series and will continue with Firepower. In the next release, it could be more secure.
Lead Network Engineer at a tech services company with 51-200 employees
Real User
2020-12-21T16:12:54Z
Dec 21, 2020
We don't have any serious problems. The firewall models that we have are quite legacy, and they have slower performance. We are currently investigating the possibility of migrating to next-generation firewalls.
Administrator at a university with 1,001-5,000 employees
Real User
2020-12-19T19:05:00Z
Dec 19, 2020
It would be a benefit to improve the integration with other similar products from other vendors on the market, for example, Huawei or Fortinet products. Compared to others, the Cisco solution is expensive; it would be better for it to be cheaper.
It can probably provide a holistic view of different appliances because many customers do not have only one brand, besides the traditional SNMP protocols, to cover all their devices. There are some specific requirements in terms of configurations or actions that sometimes have to be done in a very manual way because of the different versions or brands in a customer's infrastructure. It could also have some additional analytics capabilities. It has some very interesting ways to monitor the traffic and identify false positives from the architecture and the environment. It would be good if there is a way to patch with some other industry-specific solutions and synchronize some of the information, such as what other customers experience in their operations and probably share some additional information that could be leveraged or shared among the industry. Such information would be something interesting to see. It could have AI capabilities related to how the appliances could benefit from learning the current environment and different exposures.
In terms of what could be improved, the UTM part should be more integrated for one price, because if you buy ASA from Cisco, you need to buy another contract service from Cisco as a filter for the dictionary of attacks. In Fortinet, you buy a firewall and you have it all. I would like to see all the features like Fortinet has. If I buy ASA, I would like to see a Fortinet-like interface. It would be good if Cisco could improve their web interface to configure the equipment. Cisco is very reliable and very secure, but has to compete with Fortinet which is very hard. On a scale of one to ten, I would give Cisco ASA Firewall a nine.
Group Information Technology Manager at a mining and metals company with 201-500 employees
Real User
2020-11-25T18:54:36Z
Nov 25, 2020
In terms of improvement, we'd like to see a good graphical user interface. I'd also like to see the initial setup simplified. In comparison, if I were to implement the FortiGate firewall from scratch, it's a fairly simple setup. That is not the case with the ASA firewall, where you really need to have the skill and know what you're doing.
ICT Systems Engineer at an insurance company with 11-50 employees
Real User
2020-11-23T15:47:00Z
Nov 23, 2020
The management of the application can be improved with enhancements to the user interface. I would like the ability to drill down into certain reports because currently, that cannot be done. In fact, this is one of the reasons that we want to move away from Cisco. Better reporting tools would be an improvement.
Executive Director at ict training and development center
Real User
2020-11-12T10:43:58Z
Nov 12, 2020
The user interface isn't as good as it could be. They should work to improve it. It would make it easier for customer management if it was easier to use. Cisco does not have a lot of web management. We have to use ASTM server management to make up for it.
CEO & Co-Founder at a tech services company with 51-200 employees
Real User
2020-11-02T14:46:30Z
Nov 2, 2020
You need to have a little bit of knowledge to be able to configure it. Otherwise, it would be very difficult to configure because there is no GUI. The latest software available in the market has a GUI and probably zero-touch provisioning and auto-configuration. All these things are not available in our version. You need to manually go and configure everything in the switch. In terms of new features, we would definitely want to have URL-based filtering, traffic steering, and probably a little bit steering in the bandwidth based on the per-user level and per-user group. We will definitely need some of these features in the near future.
Technical Consultant at Zak Solutions for Computer Systems
Real User
2020-10-28T19:37:30Z
Oct 28, 2020
Before an ASA, it was a live log. It was easy and comfortable to work with. After the next-generation firewall, Firepower, the live log became really slow. I cannot reach the information easily or quickly. This has only been the case since we migrated to next-generation firewalls. There is some delay between the log itself. It's not really real-time. Let's say there's a delay of more than 20 seconds. If they had a monitoring system, something to minimize this delay, it would be good. It would be ideal if I could give more bandwidth to certain sites, such as YouTube. I work with Fortinet also, and I find that Fortinet is easier now. Before it was Cisco that was easier. Now Fortinet is simpler to work with. On firewall features, Fortinet is better. Cisco needs to become more competitive and add more features or meet Fortinet's offering.
They should improve their interface and ensure that people actually know what they're doing before they start programming; that would make me happy. But that's never going to happen — it's a total pipe dream. Some of the next-generation stuff that Cisco is doing now allows you to add web filtering and provides more security inside the device. That's why we were looking at the Next-Generation Firewall.
The annual subscription cost is a bit high. They should try to make it comparable to other offerings. We have a number of Chinese products here in Pakistan, which are already very cheap and have less annual maintenance costs compared to Cisco.
I would say that in inexperienced hands, the interface can be kind of overwhelming. There are just a lot of options. It's too much if you don't know what you are looking for or trying to do. The GUI still uses Java, which feels out of date today. That said, it's an excellent GUI. The biggest downside is that Cisco has multiple firewall lines. The ASA line which is what we sell, and we sell most of the latest versions of it, are kind of two families. One is a little older, one's a little newer. We mostly sell the newer family. Cisco is kind of de-emphasizing this particular line of products in their firewall stable. That's unfortunate. They have the ASA line, Meraki, which is a company they bought some years ago where all the management is sort of cloud interface that they provide rather than a kind of interface that you manage right on the box. They also bought Snort and they integrated the Snort intrusion detection into the ASA boxes. In the last couple of years, they've come out with a sort-of replacement to Snort, a line of firewalls that don't use IOS. It's always been that the intrusion prevention and the based firewalling features had separate interfaces within IOS. They've eliminated IOS in this new product line and built it from the ground up. We haven't started using that product yet. They have higher performance numbers on that line, and that's clearly the future for them, but it hasn't reached feature parity yet with the ASA. The main downside is that it feels a little bit like a dead end at this point. One needs to decide to move to one of these other Cisco lines or a non-Cisco line, at some point. We haven't done the research or made the plunge yet. What I would like to see is a more inexpensive logging solution. They should offer either the ability to maintain longer-term logs right on the firewall or an inexpensive server-based logging solution. Cisco has logging solutions, however, they're very high end.
Network & Systems Administrator Individual Contributor at T-Systems
Real User
2020-09-17T08:05:57Z
Sep 17, 2020
It would be ideal if the solution offered more integration capabilities with other vendors. For example, if you had a web security appliance, it would be great to be able to integrate everything in order to better report security events. While I can't think of specific features I'd like improved, overall, they could do more to continue to refine the solution. It would be nice if you didn't have to configure using a command-line interface. It's a bit technical that way.
The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard. They need a user-friendly interface that we could easily configure. It would be beneficial to have some of the features that Cisco has, integrating with other types of security.
Sr. Network Engineer at a construction company with 10,001+ employees
Real User
2020-09-10T07:35:35Z
Sep 10, 2020
There are other solutions that are better such as Palo Alto. The management test needs improvement. The ACM requires Java and you need to know which version of Java is compatible with your Cisco version. It needs a client. The pricing could be reduced. I would like to see the issue with the client resolved. You shouldn't have to use the ASDM to help manage the client. Also, it should be subscription-based similar to Palo Alto.
Tier 2 Network Engineer at a comms service provider with 1,001-5,000 employees
Real User
2020-06-16T08:37:00Z
Jun 16, 2020
One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes. If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.
Head of Information Communication Technology at National Building Society
Real User
2020-06-04T09:41:00Z
Jun 4, 2020
We have the ASA integrated with Cisco ISE for network access control. The integration was done by our local Cisco partner. It took them about a month to really get the solution up and running. I would like to believe that there was some level of complexity there in terms of the integration. It seems it was not very easy to integrate if the experts themselves took that long to really come up with a working solution. Sometimes we had to roll back during the process. Initially, when we put it up, we were having issues where maybe it would be barring things from users completely, things that we wanted the users to access. So we went through fine tuning and now I think it's working as we expect.
Network Security Consultant at a consultancy with 1-10 employees
Consultant
2020-06-02T08:40:00Z
Jun 2, 2020
One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't think that the ASA is enough. I think this is why they created FTD. Also, Cisco is not so easy to configure.
Cisco Security Specialist at a tech services company with 10,001+ employees
Real User
2020-05-27T08:03:00Z
May 27, 2020
My concern in the 21st century, with ASA, is the front-end. I think Cisco missed the mark with all the configuration steps. They are a pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But the front-end configuration is very tough. They probably still make a good profit even with the front-end being difficult, but it's not easy. It's not user-friendly. All the configuration procedures are not user-friendly. Also, they launched the 1000 series for SMBs. They have all the same features as the enterprise solutions, but the throughput is less and, obviously, the price is less as well. It's a very nice appliance. However, imagine you buy one, take it out of the box to connect it and the device needs one hour or two hours to start up. That is a pain and that is not appropriate for the 21st century. They should solve that issue. Another issue is that when you integrate different Cisco solutions with each other, there is an overlap of features and you need to turn some of them off, and that is not very good. If you don't, and you have overlap, you will have problems. Disabling the overlap can be done manually or the solution can identify that there is already a process running, and will tell you to please disable that function. For today's threats, for today's reality, you need to add solutions to the ASA, either from Cisco or from other vendors, to have a full security solution in an enterprise company.
When I deal with other firewalls like Palo Alto or Fortinet, I think there is some room for performance tuning and enhancement of the ASA. I'm not saying there is a performance issue with the product, but when compared to others, it seems the others perform a little bit better. There could be enhancements to the cloud part of the solution. It's good now, but more enhancements would be helpful. Finally, security generally requires integration with many devices, and the management side of that process could be enhanced somewhat. It would help if there was a clear view of the integrations and what the easiest way to do them is.
Sr. Network and Security Engineer at Shopper Local, LLC
Real User
2020-05-14T10:16:00Z
May 14, 2020
Cisco needs to work more on the security and tech parts. Palo Alto gives a complete solution. Customers are very happy to go with Cisco because they have been around a long time. But that's why we are expecting Cisco to give us a solution like Palo Alto, a complete solution. Cisco provides us with application visibility and control, although it's not a complete solution compared to other vendors. Cisco needs to work on the application behavior side of things, in particular when it comes to the behavior of SSL traffic. There is a focus on SSL traffic, encrypted traffic. Cisco firewalls are not powerful enough to check the behavior of SSL traffic. Encrypted traffic is a priority for our company. In addition, while Cisco Talos is good, compared to the market, they need to work on it. If there is an attack, Talos updates the IP address, which is good. But with Palo Alto, and possibly other vendors, if there is an attack or there is unknown traffic, they are dealing with the signature within five minutes. Talos is the worst around what an attacker is doing in terms of updating bad IPs. It is slower than other vendors. Also, Cisco's various offerings are separate. We want to see a one-product, one-box solution from Cisco.
We've seen, for a while, that the upcoming revisions are not supported on some of the 5506 firewalls, which had some impact on our environment as some of our remote sites, with a handful of users, have them. We were also not too thrilled when Cisco announced that in the upcoming new-gen ASA, iOS was not going to be supported, or if you install them, they will not be able to be managed through the Sourcefire. However, it seems like Cisco is moving away from the ASA iOS to the Sourcefire FireSIGHT firmware for the ASA. We haven't had a chance to test it out. I would like to test it out and see what kind of improvements in performance it has, or at least what capabilities the Sourcefire FireSIGHT firmware has on the ASA and how well it works.
One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has ways to go, as far as being able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things that not only we at Orvis, but other people, are requesting and saying should be done and are needed. In addition, if pushing policy could take a little less time — it takes about five minutes — that would be good. That's something they're working on. Finally, our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.
Senior Network Engineer at Johnson & Wales University
Real User
2019-10-02T19:58:00Z
Oct 2, 2019
The software was very buggy, to the point it had to be removed. We are moving completely away from Cisco NGFW. The product was pushed out before it was ready.
Group IT Manager at a manufacturing company with 1,001-5,000 employees
Real User
2019-09-20T12:56:00Z
Sep 20, 2019
In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline. Nowadays IoT, Big Data, AI, Robotics, etc. are all evolving and shifting from automatic to intelligent. All brands that do not follow will be extinct.
Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.
Network Administrator at a financial services firm with 1,001-5,000 employees
Real User
Top 5
2019-08-28T09:52:00Z
Aug 28, 2019
The firewall throughput is limited to something like 1.2 Gbps, but sometimes we require more. Cisco makes another product, Firepower Threat Defence (FTD), which is a dedicated appliance that can achieve more than ten or twenty gigabits per second in terms of throughput. I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved.
IT Manager, Infrastructure, Solution Architecture at ADCI Group
Real User
2019-08-26T06:42:00Z
Aug 26, 2019
When comparing this solution to other products, the Fortinet UTM bundle has some better features in their most recent product. For example, there are better configuration features, the Sandbox is better, and so is the web censoring. These are currently in the Cisco solution, but they are better in Fortinet. The Sandbox and the Web Censoring in this solution need to be improved. This solution has to be more secure from the cloud. The current trend is moving towards private cloud and hybrid cloud, so it is very important to consider the cloud security aspects when the solution is installed. This includes things such as IoT and the existence of user connectivity on the cloud.
Senior Network Administrator at a construction company with 1,001-5,000 employees
Real User
2019-08-25T05:17:00Z
Aug 25, 2019
The FMC could be a little bit faster. It will be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.
I would like for the user interface to be easier for the admin and network admin. I would also like to be able to access everything from the GUI interface. The way it is now, it needs somebody experienced in iOS to be able to operate it. I would like to have a GUI interface. It should have integrated licenses with our other products. There should be a license bundle, like for firewalls and iOS. It would be better if it was a bundled license.
I'm not really sure that much has to be improved. Compared to other firewall solutions probably the thing that could be improved is the interface — the GUI. Other than that I don't think there is anything else that could be better. I think it is a great product.
I tried to buy licenses, but I had trouble. Their licensing is too expensive. If they can get the reporting to go into deeper detail, it would really be helpful because in order to get the reports in Cisco you have to go to look at the information that you don't necessarily need. Also, the pricing is quite high.
Senior Information Security Engineer at a financial services firm with 501-1,000 employees
Real User
2019-07-09T05:26:00Z
Jul 9, 2019
I would definitely say the pricing could be improved. If you're going to get the latest and greatest of this solution, it's very expensive and it's actually the reason my organization is moving away from it. I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it.
I think the visibility of the network can be improved, at least from our current setup. I do not know everything about the solution and exactly how it can be modified. Another way they can improve is their pricing. One thing I notice about the price is that it would be good if they could adapt the price to the area where a company is. West Africa is not the same as in India or in the USA and it is much more difficult to afford. If Cisco can manage this for our people it would help us implement better solutions. To upgrade to some Cisco solutions or features you have to invest resources to create the solution or pay the difference for that functionality to upgrade services or license. It is not really an all-in-one solution. So if Cisco could manage to build an all-in-one solution with most or all of the features we would be looking for in one solution, it would be better for us. For example, if you want faithful service from the company and equipment, you have to pay more just to get the solutions. If it's included it would be easier for us to deploy.
Security Solution Architect at a financial services firm with 5,001-10,000 employees
Real User
2019-07-04T07:00:00Z
Jul 4, 2019
I see room for improvement when it comes to integrating all the devices into a central management system. Cisco doesn't provide this, but there are some good products in the market that can provide it. Apart from the cost, I think Cisco is quite well-positioned in the market. Also, in terms of site capabilities, other companies are still in the lead. The price, integration, and licensing models are quite odd.
Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall, for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compared to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.
Senior Network Administrator at a financial services firm with 1,001-5,000 employees
Real User
2019-07-02T06:57:00Z
Jul 2, 2019
One way the product could be improved is if you could monitor more than one rule at a time. We only have the option to have one monitor window up at a time. If you're trying to troubleshoot something, you end up switching back and forth and don't get the bigger picture all at once. It's reliable and it does its job. It gives you the freedom to do other things while you get indications of any issues. The multi-monitor would be a huge improvement. I'd definitely recommend the product. Even when you set it up for the first night, it definitely will tell you the status of the network. The important part in the setup is following the instructions to get it going.
IT Specialist at a government with 1,001-5,000 employees
Real User
2019-07-02T06:57:00Z
Jul 2, 2019
There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue. Some of the features should be baked-in by default.
There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.
Network Engineer at a comms service provider with 1,001-5,000 employees
Real User
2019-06-30T10:29:00Z
Jun 30, 2019
My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA. Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA. I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough.
I would say the pricing could be improved. It's quite expensive, especially for the economy. I'd like to see more integration so that I don't need other parties for protecting my network. If I could just have ASA firewalls for perimeter protection and LAN protection, then I'm good. I don't need so many devices. I would like to see improvements for client protection.
Cloud Services Operation Engineer at Informatic Services Company (ISC)
Real User
2019-06-24T12:13:00Z
Jun 24, 2019
I don't have any experience with the price, but ASA is a comprehensive solution. In the next update of the Cisco ASAv, I would like to see them release a patch for ASAv, i.e. to put the FirePower solution into the cross-platform integration.
Senior System Engineer at a tech services company with 11-50 employees
MSP
2019-06-23T09:40:00Z
Jun 23, 2019
The service could use a little more web filtering. If I compare it to Cyberoam, Cyberoam has more web filtering, so if you want to block a website, it's easier in other solutions than in Cisco. I think in Cisco it's more complicated to do that, in my opinion. It could also use a better web interface because sometimes it's complicated. The interface sometimes is not easy to understand, so maybe a better interface and better documentation.
There definitely is room for improvement. We found it difficult to publish an antenna plug with the ASDM. Cisco should make the interface for the firewall more simple.
Information Security Manager at a financial services firm with 501-1,000 employees
Real User
2019-05-09T16:21:00Z
May 9, 2019
The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground up.
We installed a Cisco path a month ago. There was a new update for the Cisco firewall and there were security issues. We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco. I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense. There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products. Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall. The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.
Network & Security Administrator at Diamond Bank Plc
Real User
2019-04-02T07:02:00Z
Apr 2, 2019
The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.
With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management. For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.
If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to login into the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.
It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement. Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems. It should have multiple features available in single product, e.g., URL filtering and a replication firewall.
The two areas that need improvement are the URL filtering and content filtering features. These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.
Cisco Secure Firewall stands as a robust and adaptable security solution, catering to organizations of all sizes. It's designed to shield networks from a diverse array of cyber threats, such as ransomware, malware, and phishing attacks. Beyond mere protection, it also offers secure access to corporate resources, beneficial for employees, partners, and customers alike. One of its key functions includes network segmentation, which serves to isolate critical assets and minimize the risk of...
This solution could be more granular and user-friendly.
There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track. We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that. Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.
Cisco wasn't first-to-market with NGFWs. That is one of the options now. They did make an acquisition, but other vendors got into that space first. I would tell Cisco to move faster, but everything moves at the speed of light and it's hard to move faster than that. But they should look at what other vendors are doing and try not only to be on the same wavelength but a little bit better. It's hard to be critical of Cisco given that they pave the way a lot, but they should see what their peers are doing and try to emulate that. In terms of additional features, perhaps there could be some form of integration with the cloud. I don't know how much appetite we would have for that given the principle of keeping a lot of the sensitive data on-prem. But some integration with the cloud might be useful, given that the cloud is everything you see these days. We have our on-premises devices, but maybe they could provide an option where it fails over to a cloud in a worst-case scenario.
We are replacing ASA with FTD which offers many new features.
Third-party integrations could be improved. Not everything works out-of-the-box. Sometimes, you have to customize it to your needs.
The access layer of this solution could be improved in terms of the way the devices interconnect with our network. We need to be able to analyze the traffic between the different interconnections in these areas. In a future release, we would like to have an IP analyzer to try to identify the specific comportment of the customers.
It would be good if Cisco made sure that the solution supports all routing protocols. Sometimes it doesn't.
It needs to provide the next-generation firewall features that other vendors provide, like data analytics, telemetry, and deep packet inspection. Also, the ASAs need to be improved a little bit to keep up with the demand for high bandwidth and session count applications.
One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes. To have that kind of feature, it's more than likely there would need to be some kind of storage on the device, but those boxes were designed a number of years ago now. They weren't really designed to have that built-in. Having said that, if you do reflash into the FTD image, and you've got the Firepower Management Center to control those devices, then all that logging is kept within the Firepower Management Center.
The one thing that the ASAs don't have is a central management point. We have a lot of our environments on FTD right now. So, we are using a Firewall Management Center (FMC) to manage all those. The ASAs don't really have that, but they are easy to use if you physically go into them and manage them. I would like ASAs to be easier to centrally manage. Currently, in our central management, we have almost 100 firewalls in our environment, and it is almost impossible to manage them all. ASAs are now about 20% of them. We have been slowly migrating them out, but we still have some. Normally, what we would do with ASAs is physically go into those devices and do what we need from there, whether it is find rules, troubleshoot, or upgrade.
It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive.
The ease of use needs improvement. It is complex to operate the solution. The user interface is not friendly.
The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics. For example, if the ASA Firewall's software has to be upgraded, it has to be compatible with the IPS software—the FireSIGHT software. So that has to be upgraded as well, in addition to the ASDM software that you use to manage the firewall using the GUI. Besides that, if you are using the remote VPN part of the firewall, there is the AnyConnect hidden software that also requires an update. So upgrading is a very extensive exercise, both when you're planning it and when you are doing it. The upgrades are very lengthy. Then Cisco introduced FTD as a unified approach, and that was a leap forward, but it has its own issues.
It is hard to control the bandwidth of end-users with a Cisco Firewall. That is the main issue I've faced. I used Mikrotik for many years for this very reason. Mikrotik has the option to set a bandwidth restriction for a single IP or complete segments. Cisco should add this option to their firewall.
The virtual firewalls don't work very well with Cisco AnyConnect. There are two ways of managing it. You can manage it through the GUI-based software or command-line interface. I tried to use its GUI, but I couldn't understand it. It was hard for me. I know how to use the command line, so it was good for me. You should know how to use the command-line interface very well to make some changes to it. Its management through GUI is not easy.
Cisco ASA Firewall could improve by adding more advanced features such as web filtering, which is available in the next-generation firewalls. However, the Cisco ASA Firewall I am using could be old and these features have been updated.
It doesn't have Layer 7 security.
When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough. One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.
Its licensing cost and payment model can be improved. Cisco doesn't provide training and certification for engineers without payments. Other companies, such as Huawei, provide the training for free. Their subscription and licenses are also free and flexible. Other products are breaking the market by providing such features. It doesn't support all standard interfaces. It is also not suitable for big companies with high bandwidth traffic. Its capacity should be improved. Other products are becoming easier to access and configure. They are providing UI interfaces to configure, take backup, synchronize redundant machines, and so on. It is very easy to take backup and upgrade the images in those products. Cisco ASA should have such features. If one redundant machine is getting upgraded, the technology and support should be there to upgrade other redundant machines. In a single window, we should be able to do more in terms of backups, restores, and upgrades.
The solution lacks the abilities of an FTD type which are the abilities we need, and they are not in the firewall. We're looking for a next-generation firewall instead. The graphical interface could be improved. From what I have seen, Fortinet, for example, has a nicer GUI. The solution needs to be easier to use. Right now, it's overly complicated. The initial setup is a bit complex. The cost of the solution is very high. The product should add free URL filtering. It's another product, or part of another product, however, it should be available as part of this offering as well.
There is huge scope for improvement in URL filtering. The database that they have is not accurate. Their content awareness and categorization for URL filtering are not that great. We faced many challenges with their categorization and content awareness. They should improve these categorization issues.
The solution has not had any layer upgrades. It does not have layer five and upwards, it only has up to layer four. This has caused some problems for us. In the future, it would be wonderful to have an antivirus, log analyzer, and PDF/Excel data exportation features built into the solution. The data export would be great to be able to look at the access list.
Most of the firewalls, almost 90% to 95% of the firewalls, will move to GUI. This is the area which needs to be improved. The graphical interface and the monitoring level of the firewall need to be worked on. Most of us are using the monitoring software where we get the alarm, then details of the servers, et cetera. This aspect needs to be much updated. From just the security point of view, in the security, it needs to be updated every day and every week. It is getting better day by day; however, from a monitoring point of view, it is not the same view as we have on the different monitoring servers or monitoring software, such as PRTG and Solarwinds. It needs to be changed and improved. Cisco has launched its multiple products separately. Where there's a new version of the hardware, there is Firepower in it. However, there must be a solution for an integrated version that includes everything in your network and your firewall as well so that you can manage and integrate from the same web portal without going to every device and just configuring it and just doing everything separately. It would be ideal if a solution can be configured separately and then managed centrally on one end. We have more than one Cisco firewall and it is difficult for me to integrate both on the single UI. If I have three firewalls and one is a normal firewall, I need to configure everything separately. I can't have it on the same port or integrated on the same single IP or bind it something like it.
I do not like the assembly of this solution. For example, they should combine FirePOWER into one solution.
It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.
I think the ASA layer is thin. It's always Layer 3 or Layer 4 source controller and doesn't control the Layer 7 traffic at all. It's important, and you'll need an additional firewall. All next-generation firewalls don't have much control over Layer 7, but there's a little bit of control for inspection. ASA never controlled Layer 7, and it's a bad point. I don't like to use ASDM, a graphical interface, and other solutions for ASA. I wouldn't say I like this, and it's not good (ASDM).
They need to do an overhaul of the management console because they are still using the client-based management tool, which is quite outdated in terms of functionality and usability. The interface hasn't changed since the last generation many years back.
The solution is difficult to use. There's more required than a typical firewall. It's different than, for example, Palo Alto and Fortinet, which we find are easier to set up. If the implementation was easier, it would be a lot better for us. It would be such a great product for us if it was easier to manage.
The solution needs to have better logging features. Cisco needs to migrate its ASA Firewall to a management console or to a web console.
The configuration is an area that needs improvement. In the next release, I would like to see the UI include or provide web access, and more integration.
It is hard to collaborate with our filtered environment. If Cisco could combine the Bottleneck feature of ASA, their platform called Umbrella, and the other team they have that has similar malware protection into one, this would be perfect.
The VPN portion of the solution isn't the greatest. The stability is not the best. The solution is far too expensive.
The price can be better.
Technical support could be improved, they take a long time to respond.
In the future, I would like to be able to use an IP phone over a VPN connection.
It would be ideal if the solution offered a web application firewall. We've had some issues with stability. The solution has some scalability limitations. The firewall itself has become a bit dated. The pricing on the solution is a bit high. Some individuals find the setup and configuration challenging.
The SecureX ASA administration platform should be improved. The orchestration of modules should be improved. I would like to see the inclusion of a protocol that can be used to protect databases. This would be a good feature to have added.
The graphical interface should be improved to make the configuration easier, to do things with a single click. There should be better integration with open-source products because some of our clients use them. It would be helpful if they integrated well.
In the next year, we are planning to migrate to the Cisco Firepower. Our planned product would be Cisco Firepower 20 or the 40 series. In the next release, I would like to see the VPN and UTM features included.
We haven't been working with the product for too long, and therefore I haven't really found any features that are lacking. So far, it's been pretty solid. One of the things that would make my life easier on ASA, especially for the CLI, is if it had an ASBN feature, specifically for the CLI. This would allow you to be able to see at once where a particular object group is being used without having to copy out all the object groups that have already been created. I don't have to see all the object groups that have been created on that firewall. That's just something that I would really appreciate on the CLI, even though it already exists on the GUI.
The content filtering on an application level is not as good as other solutions such as Palo Alto. While the price is fair with all of the features that it has, it should be cheaper.
Its configuration through GUI as well as CLI can be improved and made easier.
It is my understanding that they are in the process of discontinuing this device. They are in the process of shutting down this ASA series and will continue with Firepower. In the next release, it could be more secure.
We don't have any serious problems. The firewall models that we have are quite legacy, and they have slower performance. We are currently investigating the possibility of migrating to next-generation firewalls.
It would be a benefit to improve the integration with other similar products from other vendors on the market, for example, Huawei or Fortinet products. Comparing the Cisco solution to others, it is expensive; it would be better for it to be cheaper.
It can probably provide a holistic view of different appliances because many customers do not have only one brand, besides the traditional SNMP protocols, to cover all their devices. There are some specific requirements in terms of configurations or actions that sometimes have to be done in a very manual way because of the different versions or brands in a customer's infrastructure. It could also have some additional analytics capabilities. It has some very interesting ways to monitor the traffic and identify false positives from the architecture and the environment. It would be good if there is a way to patch with some other industry-specific solutions and synchronize some of the information, such as what other customers experience in their operations and probably share some additional information that could be leveraged or shared among the industry. Such information would be something interesting to see. It could have AI capabilities related to how the appliances could benefit from learning the current environment and different exposures.
In terms of what could be improved, the UTM part should be more integrated for one price, because if you buy ASA from Cisco, you need to buy another contract service from Cisco as a filter for the dictionary of attacks. In Fortinet, you buy a firewall and you have it all. I would like to see all the features like Fortinet has. If I buy ASA, I would like to see a Fortinet-like interface. It would be good if Cisco could improve their web interface to configure the equipment. Cisco is very reliable and very secure, but has to compete with Fortinet which is very hard. On a scale of one to ten, I would give Cisco ASA Firewall a nine.
The cost is very high. Most organizations cannot afford it.
In terms of improvement, we'd like to see a good graphical user interface. I'd also like to see the initial setup simplified. In comparison, if I were to implement the Fortigate firewall from scratch, it's a fairly simple set up. That is not the case with the ASA firewall, where you really need to have the skill and know what you're doing.
The management of the application can be improved with enhancements to the user interface. I would like the ability to drill down into certain reports because currently, that cannot be done. In fact, this is one of the reasons that we want to move away from Cisco. Better reporting tools would be an improvement.
The user interface isn't as good as it could be. They should work to improve it. It would make it easier for customer management if it was easier to use. Cisco does not have a lot of web management. We have to use ASTM server management to make up for it.
Cisco ASA is not a next-generation firewall product.
I have worked with the new FTD models and they have more features than the ASA line.
This is an older product and has reached end-of-life.
You need to have a little bit of knowledge to be able to configure it. Otherwise, it would be very difficult to configure because there is no GUI. The latest software available in the market has a GUI and probably zero-touch provisioning and auto-configuration. All these things are not available in our version. You need to manually go and configure everything in the switch. In terms of new features, we would definitely want to have URL-based filtering, traffic steering, and probably a little bit steering in the bandwidth based on the per-user level and per-user group. We will definitely need some of these features in the near future.
Before an ASA, it was a live log. It was easy and comfortable to work with. After the next-generation firewall, Firepower, the live log became really slow. I cannot reach the information easily or quickly. This has only been the case since we migrated to next-generation firewalls. There is some delay between the log itself. It's not really real-time. Let's say there's a delay of more than 20 seconds. If they had a monitoring system, something to minimize this delay, it would be good. It would be ideal if I could give more bandwidth to certain sites, such as Youtube. I work with Fortinet also, and I find that Fortinet is easier now. Before it was Cisco that was easier. Now Fortinet is simpler to work with. On firewall features, Fortinet is better. Cisco needs to become more competitive and add more features or meet Fortinet's offering.
They should improve their interface and ensure that people actually know what they're doing before they start programming; that would make me happy. But that's never going to happen — it's a total pipe dream. Some of the next-generation stuff that Cisco is doing now allows you to add web filtering and provides more security inside the device. That's why we were looking at the Next-Generation Firewall.
The annual subscription cost is a bit high. They should try to make it comparable to other offerings. We have a number of Chinese products here in Pakistan, which are already very cheap and have less annual maintenance costs compared to Cisco.
I would say that in inexperienced hands, the interface can be kind of overwhelming. There are just a lot of options. It's too much if you don't know what you are looking for or trying to do. The GUI still uses Java, which feels out of date today. That said, it's an excellent GUI. The biggest downside is that Cisco has multiple firewall lines. The ASA line which is what we sell, and we sell most of the latest versions of it, are kind of two families. One is a little older, one's a little newer. We mostly sell the newer family. Cisco is kind of de-emphasizing this particular line of products in their firewall stable. That's unfortunate. They have the ASA line, Meraki, which is a company they bought some years ago where all the management is sort of cloud interface that they provide rather than a kind of interface that you manage right on the box. They also bought Snort and they integrated the Snort intrusion detection into the ASA boxes. In the last couple of years, they've come out with a sort-of replacement to Snort, a line of firewalls that don't use IOS. It's always been that the intrusion prevention and the based firewalling features had separate interfaces within IOS. They've eliminated IOS in this new product line and built it from the ground up. We haven't started using that product yet. They have higher performance numbers on that line, and that's clearly the future for them, but it hasn't reached feature parity yet with the ASA. The main downside is that it feels a little bit like a dead end at this point. One needs to decide to move to one of these other Cisco lines or a non-Cisco line, at some point. We haven't done the research or made the plunge yet. What I would like to see is a more inexpensive logging solution. They should offer either the ability to maintain longer-term logs right on the firewall or an inexpensive server-based logging solution. Cisco has logging solutions, however, they're very high end.
It would be ideal if the solution offered more integration capabilities with other vendors. For example, if you had a web security appliance, it would be great to be able to integrate everything in order to better report security events. While I can't think of specific features I'd like improved, overall, they could do more to continue to refine the solution. It would be nice if you didn't have to configure using a command-line interface. It's a bit technical that way.
The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard. They need a user-friendly interface that we could easily configure. It would be beneficial to have some of the features that Cisco has, integrating with other types of security.
There are other solutions that are better such as Palo Alto. The management test needs improvement. The ACM requires Java and you need to know which version of Java is compatible with your Cisco version. It needs a client. The pricing could be reduced. I would like to see the issue with the client resolved. You shouldn't have to use the ASDM to help manage the client. Also, it should be subscription-based similar to Palo Alto.
One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes. If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.
We have the ASA integrated with Cisco ISE for network access control. The integration was done by our local Cisco partner. It took them about a month to really get the solution up and running. I would like to believe that there was some level of complexity there in terms of the integration. It seems it was not very easy to integrate if the experts themselves took that long to really come up with a working solution. Sometimes we had to roll back during the process. Initially, when we put it up, we were having issues where maybe it would be barring things from users completely, things that we wanted the users to access. So we went through fine tuning and now I think it's working as we expect.
One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't think that the ASA is enough. I think this is why they created FTD. Also, Cisco is not so easy to configure.
My concern in the 21st century, with ASA, is the front-end. I think Cisco missed the mark with all the configuration steps. They are a pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But the front-end configuration is very tough. They probably still make a good profit even with the front-end being difficult, but it's not easy. It's not user-friendly. All the configuration procedures are not user-friendly. Also, they launched the 1000 series for SMBs. They have all the same features as the enterprise solutions, but the throughput is less and, obviously, the price is less as well. It's a very nice appliance. However, imagine you buy one, take it out of the box to connect it and the device needs one hour or two hours to start up. That is a pain and that is not appropriate for the 21st century. They should solve that issue. Another issue is that when you integrate different Cisco solutions with each other, there is an overlap of features and you need to turn some of them off, and that is not very good. If you don't, and you have overlap, you will have problems. Disabling the overlap can be done manually or the solution can identify that there is already a process running, and will tell you to please disable that function. For today's threats, for today's reality, you need to add solutions to the ASA, either from Cisco or from other vendors, to have a full security solution in an enterprise company.
When I deal with other firewalls like Palo Alto or Fortinet, I think there is some room for performance tuning and enhancement of the ASA. I'm not saying there is a performance issue with the product, but when compared to others, it seems the others perform a little bit better. There could be enhancements to the cloud part of the solution. It's good now, but more enhancements would be helpful. Finally, security generally requires integration with many devices, and the management side of that process could be enhanced somewhat. It would help if there was a clear view of the integrations and what the easiest way to do them is.
Cisco needs to work more on the security and tech parts. Palo Alto gives a complete solution. Customers are very happy to go with Cisco because they have been around a long time. But that's why we are expecting Cisco to give us a solution like Palo Alto, a complete solution. Cisco provides us with application visibility and control, although it's not a complete solution compared to other vendors. Cisco needs to work on the application behavior side of things, in particular when it comes to the behavior of SSL traffic. There is a focus on SSL traffic, encrypted traffic. Cisco firewalls are not powerful enough to check the behavior of SSL traffic. Encrypted traffic is a priority for our company. In addition, while Cisco Talos is good, compared to the market, they need to work on it. If there is an attack, Talos updates the IP address, which is good. But with Palo Alto, and possibly other vendors, if there is an attack or there is unknown traffic, they are dealing with the signature within five minutes. Talos is the worst around what an attacker is doing in terms of updating bad IPs. It is slower than other vendors. Also, Cisco's various offerings are separate. We want to see a one-product, one-box solution from Cisco.
We've seen, for a while, that the upcoming revisions are not supported on some of 5506 firewalls, which had some impact on our environment as some of our remote sites, with a handful of users, have them. We were also not too thrilled when Cisco announced that in the upcoming new-gen ASA, IOS was not going to be supported, or if you install them, they will not be able to be managed through the Sourcefire. However, it seems like Cisco is moving away from the ASA IOS to the Sourcefire FireSIGHT firmware for the ASA. We haven't had a chance to test it out. I would like to test it out and see what kind of improvements in performance it has, or at least what capabilities the Sourcefire FireSIGHT firmware has on the ASA and how well it works.
One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has ways to go, as far as being able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things that not only we at Orvis, but other people, are requesting and saying should be done and are needed. In addition, if pushing policy could take a little less time — it takes about five minutes — that would be good. That's something they're working on. Finally, our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.
The software was very buggy, to the point it had to be removed. We are moving completely away from Cisco NGFW. The product was pushed out before it was ready.
In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline. Nowadays IoT, Big Data, AI, Robotics, etc. are all evolving and shifting from automatic to intelligent. All brands that do not follow will be extinct.
Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.
The firewall throughput is limited to something like 1.2 Gbps, but sometimes we require more. Cisco makes another product, Firepower Threat Defense (FTD), which is a dedicated appliance that can achieve more than ten or twenty gigabits per second in terms of throughput. I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved.
When comparing this solution to other products, the Fortinet UTM bundle has some better features in their most recent product. For example, there are better configuration features, the Sandbox is better, and so is the web censoring. These are currently in the Cisco solution, but they are better in Fortinet. The Sandbox and the Web Censoring in this solution need to be improved. This solution has to be more secure from the cloud. The current trend is moving towards private cloud and hybrid cloud, so it is very important to consider the cloud security aspects when the solution is installed. This includes things such as IoT and the existence of user connectivity on the cloud.
The program is very expensive.
The FMC could be a little bit faster. It would be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.
I would like for the user interface to be easier for the admin and network admin. I would also like to be able to access everything from the GUI interface. The way it is now, it needs somebody experienced in IOS to be able to operate it. I would like to have a GUI interface. It should have integrated licenses with our other products. There should be a license bundle, like for firewalls and IOS. It would be better if it was a bundled license.
I'm not really sure that much has to be improved. Compared to other firewall solutions probably the thing that could be improved is the interface — the GUI. Other than that I don't think there is anything else that could be better. I think it is a great product.
I tried to buy licenses, but I had trouble. Their licensing is too expensive. If they can get the reporting to go into deeper detail, it would really be helpful because in order to get the reports in Cisco you have to go to look at the information that you don't necessarily need. Also, the pricing is quite high.
I would definitely say the pricing could be improved. If you're going to get the latest and greatest of this solution, it's very expensive and it's actually the reason my organization is moving away from it. I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it.
I think the visibility of the network can be improved, at least from our current setup. I do not know everything about the solution and exactly how it can be modified. Another way they can improve is their pricing. One thing I notice about the price is that it would be good if they could adapt the price to the area where a company is. West Africa is not the same as in India or in the USA and it is much more difficult to afford. If Cisco can manage this for our people it would help us implement better solutions. To upgrade to some Cisco solutions or features you have to invest resources to create the solution or pay the difference for that functionality to upgrade services or license. It is not really an all-in-one solution. So if Cisco could manage to build an all-in-one solution with most or all of the features we would be looking for in one solution, it would be better for us. For example, if you want faithful service from the company and equipment, you have to pay more just to get the solutions. If it's included it would be easier for us to deploy.
I see room for improvement when it comes to integrating all the devices into a central management system. Cisco doesn't provide this, but there are some good products in the market that can provide it. Apart from the cost, I think Cisco is quite well-positioned in the market. Also, in terms of site capabilities, other companies are still in the lead. The price, integration, and licensing models are quite odd.
Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall, for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compared to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.
One way the product could be improved is if you could monitor more than one rule at a time. We only have the option to have one monitor window up at a time. If you're trying to troubleshoot something, you end up switching back and forth and don't get the bigger picture all at once. It's reliable and it does its job. It gives you the freedom to do other things while you get indications of any issues. The multi-monitor would be a huge improvement. I'd definitely recommend the product. Even when you set it up for the first night, it definitely will tell you the status of the network. The important part in the setup is following the instructions to get it going.
The inclusion of an autofill feature would improve the ease of commands. This solution would benefit from being more cost-effective.
There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue. Some of the features should be baked-in by default.
There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.
My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA. Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA. I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough.
I would say the pricing could be improved. It's quite expensive, especially for the economy. I'd like to see more integration so that I don't need other parties for protecting my network. If I could just have ASA firewalls for perimeter protection and LAN protection, then I'm good. I don't need so many devices. I would like to see improvements for client protection.
The overall application security features can be improved. It could also use a reporting dashboard.
I don't have any experience with the price, but ASA is a comprehensive solution. In the next update of the Cisco ASAv, I would like to see them release a patch for ASAv, i.e. to put the FirePower solution into the cross-platform integration.
The service could use a little more web filtering. If I compare it to Cyberoam, Cyberoam has more web filtering, so if you want to block a website, it's easier in other solutions than in Cisco. I think in Cisco it's more complicated to do that, in my opinion. It could also use a better web interface because sometimes it's complicated. The interface sometimes is not easy to understand, so maybe a better interface and better documentation.
There definitely is room for improvement. We found it difficult to publish an antenna plug with the ASDM. Cisco should make the interface for the firewall more simple.
The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground up.
The product would be improved if the GUI could be brought into the 21st Century.
Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.
We installed a Cisco path a month ago. There was a new update for the Cisco firewall and there were security issues. We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco. I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense. There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products. Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall. The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.
The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.
With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management. For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco-only email solution; that's why we need the anti-spam on email facility.
If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to log in to the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.
It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement. Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems. It should have multiple features available in a single product, e.g., URL filtering and a replication firewall.
The two areas that need improvement are the URL filtering and content filtering features. These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.