Cisco Secure Firewall Reviews

We are using it for border firewalls, VPN access, and site-to-site VPN tunnels.

It is deployed at a single location with about 2,500 users.

So far, the remote VPN access has been a perfect solution for our company.

The user interface is a little clunky and difficult to work with. Some things aren't as easy as they should be.

I have been using it for five years.

So far, it has been very stable.

It does require maintenance. There is a team of two who manage it.

We haven't scaled it much at this point.

The technical support has been good so far. I would rate them as eight out of 10.

Positive

The VPN solution works much better than our previous solutions.

We previously used Palo Alto. The switch was driven by Cisco's pitch.

It was fairly straightforward. We stood it up side by side with our nesting firewalls. We did some testing during an outage window, then migrated it over.

We used a partner, CDW, to help us with the deployment. Our experience with CDW was good.

Internally, it was just me for the deployment.

The pricing seems fair. It is above average.

Take the time to really learn it, then it becomes a lot easier to use.

I would rate the solution as eight out of 10.

We use it for VPN access for our two-factor authentication. We were looking to get access through AnyConnect, to gain access to devices behind boundaries and firewalls.

It has improved things greatly by giving us easier and better access, easier configuration, and allowing users to gain the access they need. We have also had less downtime using these firewalls.

AnyConnect has been very helpful, along with the ability to use LDAP for authentication. It's very robust and we are able to do many different things that we were looking to do.

The ASAs are being replaced with the new Firepowers and they have a different type of structure in the configuration to be able to migrate from one to the other.

I have been using Cisco ASA Firewalls for 20 years.

The stability is very good. It has been a very stable environment. Since the new AnyConnect came out, it's been very easy to use and very much self-sufficient.

You can vary scalability from very few users to thousands of users.

Technical support has been very helpful at times, helping us to know what bugs and what things are getting fixed in the next releases.

Positive

As an architecture team, we had a pretty good idea of what we wanted to do and how we wanted to do it, so it was pretty straightforward and easy. We have each one across many different avenues and many different boundaries, so each one took about a day to deploy.

We needed two to three people to deploy them and another one to go over some things to make sure everything was good to go.

There is routine maintenance, keeping it up to date and making sure the licensing versions are all good to go. We have a four-man team for maintenance and they work a regular shift of eight hours.

We used a reseller, FedData. Our experience with them was good.

It took us about six months to see benefits from our ASA Firewalls. We've seen return on our investment in terms of the timeframe of downtime, and the ability to get users connected faster and more easily has been a big benefit.

The pricing of the products isn't terrible. They're not too expensive. They're a little more expensive than other products, but you are getting the name, the company, and the support.

It's also nice that you can buy different avenues of licensing, depending on how you want to go about using them.

We buy a support license to get support if we have any issues or problems or need help on how we want to implement things.

We evaluated other options, but that was a long time ago. We went with Cisco because it is so robust as well as because they have been able to integrate their solutions into many different architectures. That makes their products easier to use.

Each use case is different and things depend upon your cost analysis and how much you need. We have these firewalls in different avenues over about 30 different sites.

The biggest lesson from using the solution is being agile which has included learning to understand how to use the ASDM and figuring out how to configure everything—the little nuances—and what can and can't be done on the CLI.

These firewalls, along with the upcoming Firepower that they're being replaced by, are going to be very good assets for two-factor authentication and VPN access.

We are using it for security on everything from small customers to big data centers.

It is stable. We saw benefit from this in just a few days.

Cisco AnyConnect is my favorite. It is awesome. It also exists on Firepower and newer things.

Cisco ASA is starting to get old and Firepower is taking over. All the good things happening are with Firepower. Everything that I could wish for is in Firepower. We will probably not be doing too many new installations of ASAs since Firepower is mostly taking over.

I have been using it for 15 to 20 years.

It is stable and secure. There are a few bugs, etc. Overall, we are very happy with it. We have never looked at anything else because it works so well. I would rate the stability as 10 out of 10. It is very good.

There is maintenance. We have to keep an eye out for software upgrades and forced changes to the configuration. We have a network operations team of 15 people who take care of these things from day to day.

The solution's scalability is very good.

We use it on customers who have two employees up to customers with 5,000 employees. It is also used for customers who have one site or several sites. It is all over the place

Cisco tech is always good and helpful. I would rate them as 10 out of 10.

Positive

I didn't use another solution previously.

All our deployments have been different. Some have been really easy and others have been really complex. It could go either way: some are complex and some are easy. The complex solutions could take days or a couple of weeks to deploy. Easy solutions take a day.

If it was a big project, there would be a pre-project identifying what we were going to do and making a plan for it, then we would realize that plan. If it was a smaller thing, we would just jump into it.

It was deployed in-house. Depending on the solution and its complexity, it could take a single person to a team of 20 people to deploy it.

Our return on investment is having a network that we don't need to think too much about. It works, and that is it.

Cisco is always expensive, but you get what you pay for. It is expensive for a reason. It is a good solution, and good solutions cost money.

AnyConnect is an extra license. If you want the IDS/IPS things, those are usually extra too.

I evaluated Check Point, Palo Alto, and Fortinet, but Cisco won the race. Since we were already running most of our other networking with Cisco, it felt natural to land on Cisco.

I would rate the solution as 10 out of 10.

We are using it for our VPN. We have a remote VPN and then a VPLS connection. Overall, it is a pretty big design.

We were looking for an opportunity to integrate our Firepower with Cisco ASA.

We mainly have these appliances on the data center side and in our headquarters.

It did help my organization. The firewall pretty much covers most stuff. They have next-gen firewalls as well, which have more threat analysis and stuff like that. 

The firewall solution is really important, not just for our company, but for every organization. It keeps away threats trying to come into my organization.

With the pandemic, people began working from home. That was a pretty big move, having all our users working from a home. More capacity needed to be added to our remote VPN. ASA did this very well.

The most valuable features are the remote VPN and site-to-site VPN tunnels.

I use the solution to write policies and analyze the data coming in via the firewalls.

It can be improved when it comes to monitoring. Today, the logs from the firewalls could be improved a bit more without integrating with other devices.

I would like to see more identity awareness.

I have been using it for over six years.

The stability is pretty good. They are keeping up the good work and making updates to the current platform. 

The support is good. They have been there every time that we need them. I would rate them as nine out of 10.

Positive

We have used Check Point and Palo Alto. We are still using those but for more internal stuff. For external use, we are using the Cisco client.

The initial deployment was straightforward. We have worldwide data centers. For one data center, it took three days from design to implementation. 

It was a self-deployment. It took eight people to deploy.

It was pretty good and not expensive on the subscription side. Cisco is doing a good job on this.

We also evaluated Zscaler, which is more cloud-based. It was pretty new and has a lack of support on the system side.

They have been keeping up by adding more features to the next-gen and cooperating with other vendors.

I would rate this solution as nine out of 10. It is pretty good compared to its competitors. Cisco is doing well. They have kept up their old traditional routing and fiber policies while bringing on new next-gen features.

We use it as a security solution. It is our firewall.

We run three data centers and have three ASAs at each data center.

It is pretty user-friendly and straightforward to use.

It is secure and very reliable.

I like the heartbeat between the two devices that we have. Because if something fails, it immediately fails over.

I have been using ASAs for 15 years at two different companies.

Cybersecurity resilience has been outstanding because it is very stable. There are not a whole lot of upgrades that we need to do for the firmware.

Four engineers support it. From time to time, there are firmware upgrades that we need to keep up to date with. Sometimes, we need to run debugs to figure out what's going on with it, and if it needs a patch, then we will figure it out. Usually, Cisco has been really good about getting us that.

Scalability is actually pretty exponential. In the grand scheme of things, we are a small network. We only have 15,000 subscribers. However, if we need to expand, it is reasonable.

The TAC is always very helpful. We pay for Tier 1 support, so we get whatever we need from them. They always give us a solution. If they can't give us an answer that day, they get back to us within at least 24 hours with a solution or fix. I have never had a problem with the TAC. I would rate them as 10 out of 10.

Positive

We haven't really used anything different. The only thing that we run inline with Cisco ASAs is Barracuda Networks. We kind of run that in tandem with this firewall, and it works really well.

We wanted to integrate Firepower with our solution, but it didn't have the capability to accommodate our bandwidth since they only had two 10 gig interfaces on the box. We run way more than that through our network because we are a service provider, providing Internet to our customers.

Do your homework and know what you are doing. Know how to use your product, stay current, and hire smart people.

I would rate the solution as eight out of 10.

We mainly use it for site-to-site VPNs, connecting to other businesses. I work in manufacturing and hospitals.

We connect to remote networks: manufacturing-to-businesses and hospital-to-hospital.

It was deployed in our data center across multiple sites. At the hospital where I last worked, it was deployed at 18 sites, then we did VPNs between our hospital and clinics.

We don't have to worry about when something goes down. Instead of saying, "Oh my gosh, this went down and now we have a gap here," it has automatic failovers and built-in redundancy. So, it says, "I don't have a gap anymore." This is one less thing to worry about, which was a big benefit for me. If our security group comes back, and says, "Hey, this is down." Then, it is like, "Yeah, we got it covered."

Our security groups are always very adamant that things stay up. If something went down, they say, "Why did it go down? How do we prevent it?" Since resiliency is already built-in on its initial design, we don't have to go back in every time, and say, "Here, this is what we did. This is why it was done like this." Instead, it is just, "Yes, they blessed it, and it's approved," and we don't have to go back and keep reinventing the wheel every time.

I like the ASDM for the firewall because it is visual. With the command line, it is harder to visualize what is going on. A picture is worth a thousand words.

Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it.

I have been using this solution for more than 20 years.

I have never had any problems with stability. In the 20-plus years that I have used them, I don't think I have ever had a failure on them. They have always been rock-solid.

We haven't done much with scalability. We have always just done active standby. However, it scales once you figure out how to do it. If there are site-to-site VPNs within your own location, it is easier because there is a template, where it is, "Here, change this IP address. Change this IP address. There, it's done." 

Third-parties weren't bad. Once my side was done, then we could easily cut and paste it, and say, "Okay, here's what my side's configured for. If you have something that is not working, then you can tell me what it is and I will help you." However, we never really had anything that we couldn't fix. It was also possible to scale on the other side.

I haven't called tech support very often. When I did call them, they could tell me what the problem was. That is where I started learning, "Here are the commands that you should be using to debug this." They have been very helpful. I would rate them as nine out of 10.

Positive

I have used Palo Alto and Fortinet. We switched mainly because we were trying to unify all our products. Instead of using multiple systems, everything with the Cisco solution is end-to-end with different views of security. Some of them wanted to be diverse, keeping things separate. For others, it was easier if everything was just with one vendor. Also, if you are Cisco-centric, it is also easier.

Since I have been using this solution, I have seen it grow. When they first started doing it, it was more like, "Here's the command line. Here's what you got to do." Now, it's easier for a new engineer to come on, and say, "Okay. Here, you are going to start supporting this, and here is how you do it," which has made life easier. Since it is a repeatable thing, no matter which company you go to, it is the same. If you get somebody who is doing it on the other side of the VPN, it is a lot easier. So, I like the Cisco product. I have used several different ones, and it's like, "Well, this is the easiest one." It might be just the easiest one because I have used it long enough, but it is also a good product. It just helps us be consistent.

We did a lot of site-to-site VPNs. We also did a third-party, which is Palo Alto or something. Though, some of them were SonicWall. It is like, "Okay, I don't know how the site is configured, then I spend hours trying to troubleshoot a VPN." The more you use it, the easier it gets. It used to take days to do it. Whereas, the last one that I built took about 30 minutes. The more we use it, the better the outcome is and the faster we can do it. Now, I am not spending days building a VPN, which should only take 10 to 15 minutes.

There is ROI when you use it more.

Once you know what the product is, it is not that bad. Yes, it is expensive. When you try to get a license, it is like, "Well, I don't know which one of these I need. And, if I don't buy it now, then I will probably be back later. Now, I have to justify the money." Typically, you end up just buying everything that you don't use most of the time. It is one of those solutions where you get what you pay for. If you don't know what you need, just buy everything. We have additional licenses that we don't use.

Take your time with it. Actually, read the documentation. Don't just assume you know what stuff means since that will sometimes come back and bite you. I have done that too many times. If you go from version to version, it changes a little bit, and so it is like, "Well I don't know why it doesn't work." Then, you go read the notes, "Oh, yeah. This changed and it is done over here now."

Building more resiliency should be a priority, and it's going to take money to do that. So, you need to actually believe and invest in it. Otherwise, it's an idea. It's great, because we all want redundancy, but nobody typically wants to spend the money to do it. Or, they want to do it as cheaply as possible. It's like, "Okay, I can do that," but you're going to have more gaps. Then, it is not really worth it. Therefore, invest the money the first time and do it right.

I would rate it as nine out of 10.

For our customers, Firepower is a classic perimeter firewall. Sometimes it's also for branch connections, but for those cases, we prefer Meraki because it's simpler. If a customer has Meraki and requires advanced security features, we will offer Firepower as a perimeter solution for them. Meraki is for SD-WAN and Firepower is for the perimeter.

Firewalls are not a new technology but they have a very distinct role in an enterprise for defending the perimeter. Firepower is for organizations that have traditional infrastructures, rather than those that are heavily utilizing cloud services. For us, the clients are government agencies and ministries, and we have a lot of them as our customers in Latvia.

Most firewalls do the same things, more or less. Because we have to compete with other vendors, it's the things that are different that are important. With Cisco, it's the security intelligence part. It's quite simple to configure and it's very effective. It cuts down on a lot of trouble in the early phases.

IPS and Snort are very important because they also differentiate Cisco from other vendors and competitors.

I also like that, in recent years, they have been developing the solution very quickly and adding a lot of new, cool features. I really love the new web interface of Cisco Secure Firewall Management Center. It looks like a modern web-user interface compared to the previous one. And the recent release, 7.2, provided even more improvements. I like that you have the option to switch between a simplified view and the classic view of firewall policies. That was a good decision.

A major area of improvement would be to have more functionality in public clouds, especially in terms of simplifying it. The high availability doesn't work right now because of the limitations in the cloud. Other vendors find ways to make it work differently than with on-prem solutions.

This is very important because we have customers that build solutions in the cloud that are like what they had on-prem. They have done a lift-and-shift because it's easier for them. They lift their on-prem physical boxes and shift them to the cloud, convert them to virtual, and it continues to work that way. Many times it's not the most efficient or best way to do things, but it's the easiest. The easiest path is probably the way to go.

I have been using Cisco Firepower NGFW Firewalls for four or five years now, but before that, I worked with ASA Firewalls a lot. It was just a transition. I have been using Firepower almost from day one.

We are an integrator and we resell as well as provide professional services. We do everything from A to Z.

There are a lot of things that can be improved. As a Cisco partner, I usually take the first hit if something doesn't work. In recent years, the solution has improved and is more stable. But it has to continue to improve in that direction.

A Firepower firewall is a very important point of exit and entry to a network. It's a critical piece of infrastructure. They should have high availability.

By comparison, I am also a huge fan of Stealthwatch (Cisco Secure Network Analytics) and I use it everywhere. I've been working with that solution for 15 years but it's not mission-critical. If it doesn't work, your boss is not calling you. If it doesn't work, it is not collecting telemetry and it doesn't do its job, but you are not stressed to fix it. With firewalls, it's a little different.

Tech support really depends on how lucky you are. It depends on when you create a TAC case and in which time zone the case is created. That determines which part of TAC takes ownership of your case. I have had a few unpleasant cases but, at the end of the day, they were resolved. I didn't feel like I was alone in the field with an angry customer.

Positive

We made a gradual transition from ASA to Firepower because they first had this as Sourcefire services. That is what we used to install first for our customer base. Then Firepower defense appliances and firmware came out. It was a natural process.

My view may be a little bit biased because I do a lot of Cisco deployments, and I have a lab where I play all the time. But overall the deployment is not too complicated.

The deployment time depends on what type of deployment you have. If it's a physical deployment, it may be a little bit faster because you don't have to set up virtual machines. But I recently had a project in AWS, and I used Terraform Templates and it was easy. I still had to configure some additional things like interfaces, IP addresses, and routing. 

Because I know where everything is in the UI, the deployment is okay. One thing I miss a little bit is being able to configure things, like routing, via the command line, which is how it used to be done with the ASA Firewalls. But I understand why they've taken that ability away.

With ASA Firewalls, even when you were upgrading them, the experience was much better because it didn't have those advanced Snort features and you could usually do an upgrade in the middle of day and no one would notice. You didn't have any drops. With Firepower, that's not always the case.

It's hard to talk about pricing when you compare firewalls because firewall functionality is almost the same, regardless of whether it's a small box or a large box. The difference is just the throughput. Leaving aside things like clustering, what you have to look at are the throughput and the price.

Cisco's pricing is more or less okay. In other areas where we work with Cisco solutions, like other security solutions and networking, Cisco is usually much more expensive than others. But when it comes to firewalls, Cisco is cheaper than Check Point although it is not as cheap as Fortigate. But with the latest improvements in hardware and speed, the pricing is okay.

To me, as a partner, the licensing is quite simple. I'm responsible for providing estimates to my sales guys and, sometimes, as an architect, I create solutions for my customers and give them estimates. There are other Cisco solutions that have much more complicated licensing models than Firepower. In short, the licensing is quite okay.

Not all of our customers use Cisco and that means we have competition inside our company with Check Point. We also made some attempts with Palo Alto Firewalls, long before we became Cisco partners, but somehow it didn't work for us.

I enjoy working with Cisco because it's more of a networking-guy approach. It reminds me a lot of all the other Cisco equipment, like their switches and routers. The experience is similar.

I haven't worked a lot with Checkpoint firewalls, but I like how they look. What I don't really like is the way you configure them because it's very different from what networking guys are used to doing. I'm not saying it's bad, it's just different. It's not for me. Maybe it appeals more to server guys. Cisco has a more network-centric approach.

This product protects our computer systems. I use it as a traditional firewall service. I don't have any special use cases for it.

Firepower has reduced our firewall operational costs by about 25 percent.

Sometimes there is a lack of performance. One of my colleagues is using the firewall as an IPS, but he is worried about Firepower's performance. It is much lower than we expected. They need to improve the performance a lot. With the 10 Gb devices, when it gets to 5 Gbps, the CPU usage goes up a lot and he cannot manage the IPS.

I have been using Cisco Firepower NGFW Firewall for more than two years.

The most valuable property is the stability. It doesn't crash.

When I have had issues with the software, I don't think they have given me the right answers. The support for the software isn't that good, but support for the hardware is very good.

Neutral

Although I work in Korea, I needed a means of deploying computer systems in other countries. Two or three years ago I was looking for a proper solution that would cover global sites. I chose Cisco products because Cisco has a very large presence all over the world.

Once I got used to this product, it was easy to use other products, but it was not easy for me the first time.

Firepower is a little bit expensive, although there are no additional costs beyond the standard ones.

We have several brands of firewalls in our organization. Compared to them, the ease of management of the Cisco firewalls is pretty good.

When you calculate the capacity you need, you should add a buffer for performance.

There are 25 users of the solution on my team and they are all network security specialists.