Cisco Secure Firewall Reviews

We primarily use the solution as a firewall for our data centers. We have a medium-sized data center right now. It's about six or seven servers. We actually store the data for students and schools and need to protect it.

Overall, the solution works very well.

The solution is quite fast. We found that the speed was good and the throughput was good.

The stability has been very good.

The solution can scale as necessary.

The product is quite robust and durable. 

The solution lacks the abilities of an FTD type which are the abilities we need, and they are not in the firewall. We're looking for a next-generation firewall instead.

The graphical interface could be improved. From what I have seen, Fortinet, for example, has a nicer GUI.

The solution needs to be easier to use. Right now, it's overly complicated. 

The initial setup is a bit complex. 

The cost of the solution is very high.

The product should add free URL filtering. It's another product, or part of another product, however, it should be available as part of this offering as well.

I've been using this solution for about seven or eight years at this point. It's been a while. 

The stability is excellent and the performance is good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

The product can scale nicely. If a company would like to expand it, it can do so. 

We have about 10,000 schools use the solution in general, and 1,000 to 2,000 that use it simultaneously daily. 

I don't directly deal with technical support. Typically, that's something that others on the team deal with. We have our own team within the company that, if I run into issues, I would reach out to first. I can't speak to how helpful or responsive they are. I've never had a chance to contact them. 

I have not used other firewalls.

The initial setup is not easy or straightforward. It's a bit complex and a little difficult.

We have three engineers on staff. They are capable of handling any maintenance.  

The solution is quite expensive. Fortinet and other competitors are about half the price. Cisco is very expensive in comparison. They need to work to be more competitive.

We're currently looking into a new firewall - something that is Next Generation. We don't know what it will be yet, however, we are considering Cisco, Fortinet, or Palo Alto.

It's my understanding that Fortinet is better in graphics and has a better user experience than Cisco, however, I haven't had a chance to test anything out.

We're just a customer and an end-user. 

We no longer have an SLA for this solution. We're potentially looking for something new.

I'd recommend the solution to others. It works well. It's durable and fast and you don't have to check up on it daily as it is rather reliable. That said, it is pricey.

In general, I would rate the solution at a seven out of ten.

We are a large company in the country in which we operate. We are a government agency dealing with taxes and we provide services for all taxpayers within the country. We have services for internal users, as well as services for public users. The main reason we use these firewalls is to protect our environment and to provide our services efficiently so that we are up and running 24/7.

Our solution is deployed in a private cloud. Everything is hosted in our environment and provided as cloud services. We are in the process of moving our infrastructure from the previous environment to the new environment where Cisco firewalls are installed.

In terms of our security maturity as an organization, we are young. In fact, we are young as a country. We have been providing electronic services for more than 10 years for our clients. We have a huge number of clients, with over 120,000 users who subscribe to our system and who access our services on a daily basis or, at a minimum, three to four times per year.

We use a few tools for security in terms of management, both internal and external, but we are mainly relying on Cisco. Our network is based on Cisco, and we also protect our mail system with Cisco. Previously, and in parallel, we used Sophos next-generation firewalls.

The solution provides us with application visibility and control and, at this stage, we are happy with it. Similarly, we are very happy with Cisco Firepower Management Center. We're still at an early stage, but we haven't seen any problems with the Cisco products. We are still switching on features and looking at how they are working.

When it comes to the integration among Cisco tools, we find it easy. It's a very practical integration with other components as well.

We also believe that Cisco is updated about all security issues and threats and efficient enough to provide us with the features and protection we need.

We just installed them recently. We started installation at the end of 2020 and we completed it this month, April 2021.

It's still early, but we believe the stability is alright.

The scalability of the solution is better than the other firewalls we have, due to technical features. Our technicians have realized that this is much more scalable compared to other solutions.

So far, the technical support has been excellent.

The initial setup was a bit complex. It wasn't a major challenge, but due to our requirements and network, it was not very straightforward but still easy enough.

We did a proper implementation plan according to the complexity of our network and our requirements. Then we used the best method for implementing it while mitigating our risks and meeting our requirements. We found a good way to implement it.

The setup took us two calendar months, but in terms of the actual time required to configure it, it was not so long. The setup took approximately as long as for other firewalls we have used.

It's hard to talk about ROI when it comes to security, but security now is expensive. You have to pay for it.

For us, the pricing was more economical than other products we used. There were no extra costs.

We evaluated a lot of the providers: Juniper, Palo Alto, Check Point, and Fortinet. Our technical team really researched things for a considerable amount of time, and they came up with a decision that this would be the best.

Cisco was chosen because there were many features according to assessments made by other users and as noted in technical data sheets we looked at during the research. They came up with a few features which are better than what other products have. 

Also, especially when you have been a long-time user of Cisco products and services, we found that from a budget perspective it was going to be much more preferable than the others.

We are very satisfied with the service and the product. I don't think that any product would be better than Cisco when it comes to next-generation firewalls.

We are primarily using the solution for VLAN implementations and also for remote VPN capability - basically it's used for connecting to remote offices securely.

After implementing tools, including Cisco ASA, unauthorized access comes down a lot. We are not facing asset issues as of now. We are not facing an issue related to malicious traffic or any bad activity in our network.

The solution can allow and block traffic over the VLANs.Some of the unauthorized actions and malicious traffic can also be blocked effectively, as we are following PCI DSS compliance. We are a card industry. We are using cards as a payment method, and therefore we need to follow the compliance over the PCI DSS. That's why we chose one of the best products. ASA Firewall is very secure.

It's always easy to integrate Cisco with the same company products. If you are using other CIsco products, there's always easy integration.

Cisco is one of the most popular brands, and therefore the documentation is easily available over the internet.

They are best-in-class.

The remote VPN feature is one of the best features we've found. 

We like that there is two-factor authentication on offer.  We can integrate a Google authenticator with Cisco ASA so that whenever a person is logging on to any network device, they need to enter the password as well as the security code that is integrated by Google. It's a nice added security feature.

Cisco ASA provides us with very good application visibility and control. The Cisco CLI command line is one of the easiest we found on the market due to the fact that the GUI and the user interface are very familiar. If you're a beginner, you can easily access it. There's no complicated UI.

When compared to other products available, the cost is pretty similar. There's no big gap when you compare Cisco pricing to other products. 

There are multiple features in a single appliance, which is quite beneficial to us.

Support that is on offer 24/7. Whenever we face some technical issue, we can reach out to them easily.

We have not had any security breaches. 

They provide a helpful feature that allows us to configure email. 

We are getting a lot from the appliance in real-time.

There's an upgraded version of the 5500 that has come to the market. It offers the latest encryption that they have. If they want to add better features to the current Cisco ASA, they can start by increasing the encryption. That is the only thing they need to improve. The rest is good.

We've been using the solution for about five or more years at this point. It's been a while. 

The stability and availability are very good. there are no bugs or glitches. It doesn't crash or freeze. it's a reliable solution. 

We have it in our infrastructure for around 15 plus users, including Fortinet sites.

We have found that whenever the traffic spikes at peak times, the product automatically scales up to the requirement. We have also implemented the single sign-on it, and therefore, it automatically scales up. We haven't felt any limitations. Currently, we are using it for 1500 plus users. At any given time, there are around 700 plus users available in the office. It's a 24/7 infrastructure. We have tested it for up to 750 plus users, and it's perfectly fine.

Technical support is excellent. they are always available, no matter the time of day, or day of the week. We are quite satisfied with their level of support. They are quite helpful and very responsive. I'd rate them at a ten out of ten. They deserve perfect marks.

We did not previously use a different solution. When the office was launched we implemented Cisco as a fresh product.

We are using a Cisco ASA Firewall, as well as Sophos at the remote sites. We are using another product is for log collecting. There are three solutions that basically cover us for security purposes. Those, at least, are the physical devices we are using as of now. The rest are cloud solutions such as Nexus. 

That said, I personally, have used Sophos XG as a firewall in the past. Sophos is good in terms of traffic blocking and identifying interruptions to the traffic. The features are better on Cisco's side. For example, there is two-factor authentication and a remote VPN. The only benefit I found in Sophos was the way it dealt with the traffic. 

The initial setup was not overly complex or difficult. It was quite straightforward and very easy to implement. 

Deployment takes about 20 to 25 minutes. 

In terms of the implementation strategy, at first, we put up the appliances in the data center. After that, we connected it with the console. After connecting the console, we had an in-house engineer that assisted. Cisco provided us onboarding help and they configured our device for us. We have just provided them the IP address and which port we wanted up. Our initial configuration has been done by them.

While most of the setup was handled in-house, we did have Cisco help us with the initial configurations.

The ROI we are getting from Cisco ASA is higher availability, which we are getting all the time. On top of that, it's good at blocking traffic and protecting us from cyber-crime issues.

The pricing is pretty reasonable. it's standard and comparable to other solutions. The maximum difference between products might be $20 to $40. It's not much of a difference. 

We did not evaluate other solutions. We trust Cisco. It's a very good product and well known in the market.

We are a customer and an end-user.

We are using physical Cisco appliances.

We use a lot of Cisco products, Cisco router (the 3900-series routers), and Cisco switches.

In the next quarter, we will implement SD-WAN. Once the SD-WAN is implemented, then we will go with an automated policy and DNS kinds of tools. We are in the process of upgrading to Cisco ASA Firepower in the next quarter. We have not integrated Cisco ASA with Cisco's SecureX solution.

I'd recommend the solution, especially for medium-sized or larger companies and those who are looking for long-term solutions (for example those with a user base of around 2,000 plus users in and around 20 plus applications). It's reliable and offers users a lot of features. This helps companies avoid having to rely on other third-party solutions.

If you are new to Cisco, you should take advantage of the education they have on offer. Cisco provides access to training and it's worth taking advantage of this.

Overall, I'd are the solution at a nine out of ten.

I am an IT administrator and my job is probably 80% security analyst. We are a HIPAA environment, so we're a regulated industry and my job is to keep us from being breached. It's extremely difficult and an ever-changing, evolving problem. As such, I spend a couple of hours a day just reading everything threat report from every source I can get. 

We have a pair of 2110 models, with high availability set up.

There are multiple licenses that you can get with this firewall, and we subscribe to all three. A few months ago, we made the decision to do an enterprise agreement just because of the amount of security software we have. We subscribe to the threat, the URL, and the malware licensing. We use it for IPS, URL blocking, IP blocking, and domain blocking.

We've embraced the Cisco ecosystem primarily because I think they made some very intelligent acquisitions. We talk about security and depth and they've really done a good job of targeting their acquisition of OpenDNS Umbrella. It's all part of our ecosystem.

I take the firewall information and using SecureX, Cisco Threat Response, AMP for Endpoints, and Umbrella, I'm able to aggregate all that data with what I'm getting from the firewalls and from our email security, all into one location. From my perspective, being a medium-sized organization, threat hunting can be extremely difficult.

This product enriches all of the threat data, which I am able to see in one place.

There's nothing I personally have needed to do that I haven't been able to do with the firewall. It integrates so tightly into how I spend the majority of my day, which is threat response.

Much of this depends on any given organization's use case, but because I was an early adapter of Cisco Threat Response and was able to start pulling that data into it, and aggregate that with all of my other data. As I'm doing threat hunting, rather than jump into the firewall and look in the firewall at events, I'm able to pull that directly into Threat Response.

The ability to see the correlation of different event types in one place, these firewalls have definitely enriched that. You have Umbrella, but there are so many different attack types that it's good to have the DNS inspection at the firewall on the edge level too. So, the ability to take all of that firewall data and ingest it directly via SecureX and into our SIEM, where I have other threat feeds, including third-party thread feeds, gives our SIEM the ability to look at the firewall data as well. It lends to the whole concept of layering, where you don't have to have all of your eggs in one basket.

With our Rapid7 solution, I'm able to take the firewall data and dump it into our SIEM. The SIEM is using its threat feeds, as well as the threat feeds that are coming from Cisco Talos. In fact, I have other ones coming into the SIEM as well. So, I'm able to also make sure that something's not missed on the Talos side because it's getting dumped into our SIEM at the same time. All of this is easy to set up and in fact, I can automate it because I can get the threat data from the firewall.

In terms of its ability to future-proof our security strategy, every update they've done makes sense. We've been using one flavor or another of Cisco firewall products for a long time. Although I have friends that live and die by Fortinet or Palo Alto, I've never personally felt that I'm wanting for features.

We get the Security Intelligence Feeds refreshed every hour from Talos, which from my understanding is that they're the largest intelligence Security Intelligence Group outside of the government. My experience with Talos has been, they're pretty on top of things. Another driving factor towards Cisco: We get feeds every hour, automatically refreshed, and updated into the firewall.

If I had to rely on one security intelligence, which I wouldn't, but if I had to, I'm sure it would be Talos. The fact that it gets hourly updates from Talos gives me some peace of mind.

The real strength for the Cisco next-generation firewall is it'll do pretty much anything you want it to do, although it requires expertise and proper implementation. It's not an off-the-shelf product. For instance, there are some firewalls that may be easier to set up because they don't have the complexity, but at the same time, they don't have the feature set that the Cisco firewall has.

The firewall does DNS inspection, and you can create policies there.

The firewall integrates seamlessly and fully with our SIEM. We use a Rapid7 SIEM inside IDR and it now integrates seamlessly with that. Cisco's doing a lot more with APIs and automation, which we've been leveraging.

In terms of application visibility and control, I used the firewall and I also use Umbrella, but it depends on what it is that I'm seeing. One component that I use is network discovery. When you configure the policy properly, it'll go out and do network discovery so you're not loading up a bunch of rules you don't necessarily need. Instead, you're targeting rules that Cisco will say, "Hey, because of network discovery, we found that with this bind to whichever version server, we recommend you apply this ruleset." This is something that's been very helpful. You don't necessarily have to download every rule set, depending on your environment.

I have used it for application control. Right now, we're in the midst of doing tighter integration with ISE and the integration is very good. This is something that we would expect, given that it's a Cisco product.

I use the automated policy application and enforcement every chance I get. Using an automation approach, I would rather have a machine isolated even if it's a false positive because that can happen much faster than I can get an alert and react to it. On my end, I'm trying to automate everything that I can, and I haven't experienced a false positive yet.

Anything that's machine learning-based with automation, that's where I'm focusing a fair amount of attention. Another advantage to having Cisco is that their installed base is so huge. With machine learning, you're benefiting from that large base because the bigger their reach is, the bigger and better the dataset is for machine learning.

At some point, you have to trust that the data set is good. What's impressed me about Cisco is with all of our Cisco products, whether it's AMP or whatever, they're really putting an emphasis on automation, including workflows. For someone like me, if I get an alert in the middle of the night and I see it at 6:00 AM, it is going to be a case of valuable time lost, so anything that I can do to make my life easier, I'll definitely do it.

It would be great if some of the load times were faster. My general sense is that it's probably related to them taking a couple of different technologies and marrying them together. We are using virtual, so the way that I handled that was to throw more RAM in it, which these days, is pretty cheap. I could see some improvement with the speed of deploying policies out, although it's not terrible by any means. One thing about Cisco is whatever they're doing, it keeps getting better.

The speed of deploying policies could be improved, although it is not terrible by any means.

Another legitimate criticism of Cisco that comes to mind is that you need to make sure you've got your licensing straightened out. I haven't had any problems in a long time, but I know people that haven't used Cisco products sometimes can run into issues because they haven't figured out so-called smart licensing. Depending on the Cisco person you're working with, make sure you have all that stuff all set to go before you start the implementation.

That's an area that Cisco has been working on, I know. But licensing is a common complaint about Cisco. I suggest making sure that you have that stuff in place and you've got all your licenses all ready to go. It seems like a dumb thing, but my most common complaint about Cisco before we entered into our enterprise agreement was licensing. When it's working, it's great, but God help you if you've got a licensing problem.

They've been very reliable for us and we haven't had one fail, so we've never had to failover. That has been generally my experience with Cisco products, which is one reason that we tend to lean on Cisco hardware for switching, too. The reliability of the hardware over the years has been very good.

We have integrated these firewalls with other products, such as Cisco ISE, and it hasn't been a problem. ISE is a Cisco product so it would make sense that it integrates well, but ISE integrates with other firewalls as well.

Everything that I've done with these firewalls has been pretty seamless. We've had no downtime with them at all. They've been very rugged as we expanded usage through integration.

People knock Cisco TAC but in my experience, they have been very good. I've always found them to be extremely helpful. Friends that I have made from inside Cisco say, "Hey, you want me to look at this or that?", which is very helpful.

The big three solutions, Cisco, Fortinet, and Palo Alto, are all really good but I tend to lean on Cisco versus the others because one of their strengths, in general, is threat intelligence. When you put a bunch of security people in a room then you have a lot of consensuses, but like anything, you'll have a lot of disagreements, too.

Each of these products has its strengths and weaknesses. However, when you factor in AnyConnect, which most people will agree is state-of-the-art from a security standpoint in terms of VPN technology, especially when it's integrated with Umbrella, it plays into the firewall. But, it always comes back to configuration. Often, when you read about somebody having an attack, it's probably because they didn't set things up properly.

If you're a mom-and-pop shop, maybe you can get by with a pfSense or something like that, which I have in my house. But again, if you're in a regulated environment, you're looking at not just a firewall, you're looking at all sorts of things. The reality is, security is complicated.

Cisco gives you lots of options, which means that it can be complicated to set up. You have to know what you're doing and it's good to have somebody double-check your work. But, on the other hand, it does everything from deep packet inspection and URL filtering to whatever you want it to do, with world-class integration. It integrates with Umbrella, AnyConnect, ISE, StealthWatch, and other products.

It is important to remember that a firewall is only as good as it's configured. Sometimes, people will forget to configure a policy, or they will create the rules but forget to apply them. It comes back to the fact that it's a professional product and it's only as good as the person who's using it.

I do some security consulting and I've seen many misconfigurations. People will write a Rule Set but forget to apply it to a policy, for example. There is no foolproof product and I think it is a challenge to say, "Wow, this firewall is better than that firewall." These things are complex, but Cisco has always, in my mind, set many kinds of standards. I don't know any serious security person that would argue that.

Especially AnyConnect with an Umbrella module attached, I think most people would argue it's state-of-the-art. I know that I would because it allows me to do a couple of things at once. It's not just the firewall; it's AnyConnect, and it's what you can do with AnyConnect given its functionality with Umbrella. It gets kind of complicated and it depends on the use case, and some people don't need that.

Again, what makes it difficult to say something about a firewall is, the configuration possibilities are so varied and endless. How people license them is different. Some people think, "I prefer the IPS License," or whatever. But again, I think to get the strength of a Cisco firewall is just that.

I found our setup straightforward, but you don't go into it blind. You have to be clear on your requirements and you need to take the setup step-by-step. Whenever I deploy a firewall, I have a couple of people to double-check my work. These are people who only work on Cisco firewalls and they act as my proofreaders whenever I am doing a new deployment.

Cisco's documentation is very good and it's always very thorough. However, it's not for a novice, so you wouldn't want a novice setting up the firewall for an enterprise. Personally, I've never had any issues with policies not deploying properly or any other such problems.

Talking about how long it takes to deploy, it's a good weekend if it's a new deployment. It's not just clicking and you're done. I haven't installed a Fortinet product, but I can't imagine any of them are easy to install. Essentially, I found it straightforward, but it is involved. You've got to take your time with it.

You need to make sure anything you do with your networking, that you have it planned out well in advance. But once you do that, you go through the steps, which are well-documented by Cisco.

Cisco is not for a small mom-and-pop shop because of the cost, but if you're in a regulated industry where a breach could cost you a million dollars, it's a bargain. That's the way I look at it.

We also use Cisco Umbrella, and I may use features from that product, depending on where I am.

Every firewall has its pluses and minuses, but because we've taken such a layered approach and we're not relying on one thing to keep us safe, I've never really gone, "Oh, I've had it." I've heard some complaints about Cisco TAC, but generally speaking, I've been able to configure them and do whatever I need to with the Cisco firewall. There's nothing in my experience with Cisco that leads me to believe that that's going to stop.

I've always felt comfortable with every Cisco purchase we've made and every improvement they've made to it. I think they keep moving in a positive direction and they're pretty good with updates and fixes. You can have 10 people, networking people or security people, and they'll all have different takes on it. That said, I've always been very comfortable. I don't stay up at night and worry about our firewalls.

One thing to remember about Cisco is that whatever they're doing, it just keeps getting better. In my experience with Cisco, I have yet to have a product of theirs that they haven't improved over time. For example, we bought into OpenDNS Umbrella before Cisco acquired them. At the time, I was wondering whether they were going to improve it or what was going to happen with it, because you can never be sure. Again, Cisco has done nothing but improve it. It's a far more mature product than when we picked it up five or six years ago.

While not directly related to the NGFW, it speaks to Cisco's overarching vision for security, which again, I'm always looking at layers. If you're thinking that you're going to secure an environment by buying a firewall, yes, that's a really important piece of it, but it's only one piece of it.

Cisco is a company that is really open about vulnerabilities, which some people could see that as a negative but I see as a positive. I do security all the time, so I'm always going to be paranoid. That said, I've spent so much time doing this stuff that I've developed a lot of trust in Cisco. Again, I think there are other great products out there, but Cisco has made it really easy to integrate stuff into this ecosystem where you have multiple layers of not perfect, but state-of-the-art enterprise security.

My advice for anybody who is implementing this solution is, first of all, to know what you're doing. If you're not sure then get somebody that does. However, I would say that's probably true of any firewall. If your business relies on it, have all of your information ready beforehand, it's just all the straightforward stuff that any security person needs.

In summary, I think what I can say about them is there's nothing I needed to do that I haven't been able to do. I have incredible visibility into everything that's happening. We continue to leverage more features, to use it in different ways, and we haven't run into any limitations. I cannot say that the product is perfect, however, and I would deduct a mark for the interface loading. It's not terrible but sometimes, especially when you're doing the setup, it can chug away for a while. Considering what the device does, I think that it's a small complaint.

I would rate this solution a nine out of ten.

We are using this solution for the site-to-site VPN tunnels and VPN Connections.

I like all of the features.

It is my understanding that they are in the process of discontinuing this device.

They are in the process of shutting down this ASA series and will continue with Firepower.

In the next release, it could be more secure.

I have been using Cisco ASA Firewall for six years.

We are not using the latest version.

It's a stable solution. I have not had any issues.

This product is scalable. We have 100 users in our organization.

We will not continue to use this solution. We will be upgrading to either Firepower or Check Point.

Technical support is perfect.

I was using Dell SonicWall before Cisco ASA Firewall.

The initial setup was straightforward. 

It's easy to install and it doesn't take a lot of time for the initial configuration.

It took an hour to install.

I completed the installation myself. We did not use a vendor or vendor team.

There are licensing costs.

I would not recommend this solution. The technology is old and they should move to Firepower or NextGen Firewall.

I would rate the Cisco ASA Firewall an eight out of ten.

The way we've installed Firepower was for the migration process. For example, there was a data center consolidation, and therefore we had to move everything. We offer data center products to our customers across VPN funnels. We had to move away from older ASAs, so it's a lift and shift. We move older ASAs, which were dispersed in many sites, and we consolidated a couple of services in a single site. Firepower was left there in place. I came in and I took over the administration duties, and now I'm trying to put everything together in a way that it makes sense.

With Firepower, they have better hardware. It's fitted for more throughput, more load. I'm trying to centralize service delivery on this high-availability pair and move all the remote access to Firepower. Then, it's all part of a transition process from a hybrid cloud to a full cloud deployment on a cloud provider. It's mostly just a necessary pain, until we move away from our on-prem deployments. Currently, I'm working with Azure, etc. and I try to look at the main design of the whole process, even though it's going to take two years. 

COVID has also made everything very, very slow for us as we try to move away from our initial plan.

The 2100 models are extremely useful for us.

It's got the capabilities of amassing a lot of throughput with remote access and VPNs. 

They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers which are using older encryptions. If I do that, update it, it's not going to work for me.

We've been using the solution for about a year.

The solution is pretty solid in terms of stability, however, I prefer Palo Alto. For the enterprise world, it's better to have Palo Alto. For the service provider field, Firepower is quite well suited, I'd say. That said, Palo Alto, is definitely the enterprise way to go. For a smaller deployment, you can also go with FortiGate. It's simple, however, it works for smaller offices.

The scalability of the product is pretty good. If you need to expand it, you can do so with relative ease.

The technical support is amazing. They do reply quickly, and often within an hour. It's been great. I've worked at Cisco before, however, with the type of contract we are in, I find it super fast right now. We're quite satisfied with the level of support.

I don't have any knowledge as to what the product costs. It's not part of the business I deal with.

Palo Alto, it's my understanding, is a little more expensive, however, it depends on the users and on the design. It always depends on the contract

We're just customers. We don't have a business relationship with Cisco.

It's a solid, reliable product, however, if it's right for a company depends on the use case and the size of the organization. For a startup, this might not be a suitable option.

Overall, I'd rate this solution nine out of ten. As a comparison, if I was rating Palo Alto, I would give it a ten out of ten.

The solution is primarily used for protecting the environment, or the cloud environments for our customers.

All the specific features you find within the NextGen firewall are quite useful. The touch intel feature is specifically useful to us. We deliberately choose this kind of product due to its set of features. 

The implementation is pretty straightforward.

The security market is a fast-changing market. The solution needs to always check if the latest threats are covered under the solution. 

It would always be helpful if the pricing was improved upon a bit.

In a future release, it would be ideal if they could offer an open interface to other security products so that we could easily connect to our own open industry standard.

We've been using the solution for about five or more years at this point.

The solution is stable. It's very reliable. It doesn't crash or freeze and doesn't seem to be plagued by bugs or glitches.

The solution can scale quite well. A company that needs to expand it can do so easily.

In our case, we have clients with anywhere between 1,000 and 10,000 users.

We have our own in-house team that can assist our clients should they need technical support. They're quite knowledgeable and can handle any issues.

I also have experience with Fortinet and Check Point.

The implementation isn't complex. It's straightforward. However, it also depends on the specifications of the customer. Normally we check that out first and then we can make a judgment of how to best implement the solution.

Typically, the deployment takes about two days to complete.

In terms of maintenance, we have about five people, who are engineers, who can handle the job.

We deliver the solution to our customers.

You do need to pay for the software license. In general, it's a moderately expensive solution. It's not the cheapest on the market.

We're a partner. We aren't an end-user. We are a managed security provider, and therefore we use this solution for our customers.

We always provide the latest version of the solution to our clients.

Typically, we use both cloud and on-premises deployment models.

I'd recommend the solution to others. It's quite good.

On a scale from one to ten, I would rate it at an eight.

Our primary use cases for FTD are IPS, intrusion detection, and to get visibility into the network and the traffic that is going on in some sites. We always have them in-line, meaning that they're between two networking connections, and we analyze the traffic for the purposes of internal detection.

In production, from the FTD line, we mostly have 2110s and 2130s because we have a lot of small sites, and we are starting to put in some 4110s. We only have FirePOWER here, but we don't use them most of the time as next-gen firewalls but more as an IPS.

Everything is on-premises. We don't use public clouds for security reasons.

When you put FTD between your internet and network units, you can get valuable insights about your encrypted traffic on the web, DNS traffic, and the like. It gives us statistics up to Layer 7.

Although I can't go into the details, the way the solution has helped our organization is more on the root-cause side when there is an incident, because we get very detailed information.

FTD's ability to provide visibility into threats is very good, if the traffic is clear. Like most companies, we have the issue that there is more and more encrypted traffic. That's why we use Stealthwatch instead, because we can get more information about encrypted traffic. But FTD is pretty good. It gives us a lot of details.

We put them in in-line and in blocking mode and they have stopped some weird things automatically. They help save time every day. We have 150,000 people all over the world, and there are times when computers get infected. It helps save time because those infections don't propagate over the network.

The fact that we can centrally manage clients for our IPS, and that we can reuse what we type for one IPS or one firewall, makes it easy to expand that to multiple sites and multiple devices. Overall, it has been a great improvement.

The IPS, as well as the malware features, are the two things that we use the most and they're very valuable.

Cisco Talos is also very good. I had the chance to meet them at Cisco Live and during the Talos Threat Research Summit. I don't know if they are the leader in the threat intelligence field but they are very competent. They are also very good at explaining complicated things easily. We use all of their blacklist, threat intelligence, and malware stuff on our FTDs. We also use the website from Talos where you can get web reputation and IP reputation.

For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending on what we activate. If we activate too many intrusion policies, it affects the CPU. We have great hopes for the next version. We have integrated Snort 3.0, the new Snort, because it includes multi-threading. I hope we will get better performance with that.

The stability depends on the version. The latest versions are pretty good. Most of the time, we wait for one or two minor version updates before using the new major version because the major versions go through a lot of changes and are still a bit unstable. For example, if you take 6.3, it started to be pretty stable with 6.3.03 or 6.3.04.

Scalability depends on the site. At some sites we have ten people while at others we have a data center with a full 10 Gig for all the group. We have had one issue. When there are a lot of small packets — for example, when our IPS is in front of a log server or the SNMP servers — sometimes we have issues, but only when we get a peak of small packets.

We've got a little history with tech support. We have very good knowledge within our team about the product now. We have a lab here in Montreal where we test and assess all the new versions and the devices. Sometimes we try to bypass level-one tech support because they are not of help. Now, we've have someone dedicated to work with us on complex issues. We use them a lot for RMAs to return defective products.

In our company, we have used another firewall which we developed based on FreeBSD.

I, personally, used to work with Juniper, Check Point, and Fortinet. I used Fortinet a lot in the past. If you use the device only for pure firewall, up to Layer 4, not as an application or next-gen firewall, Fortinet is a good and cheaper option. But when it comes to a UTM or next-gen, Cisco is better, in my opinion. FortiGate can do everything, but I'm not sure they do any one thing well. At least with Cisco, when you use the IPS feature, it's very good.

Setting up an FTD is a bit more complex with the new FTD line. They integrated the FXOS, but the OS is still not fully integrated. If you want to be able to fully manage the device, you still need to use two IP addresses: One for FXOS and one for the software. It's complicating things for the 4110 to have to, on the one hand manage the chassis and the hardware on one, and on the other hand to manage the logical device and the software from another one.

But overall, if you take them separately, it's pretty easy to set up and to manage.

The time it takes to deploy one really depends. I had to deploy one in Singapore and access the console remotely. But most of the time, once I get my hands on it, it can be very quick because we have central management with FMC. Setting up the basic configuration is quick. After that, you have to push the configuration that you use for your group IPS and that's it. My experience is a bit different because I lose time trying to get my hands on it since I'm on the other side of the world. But when I get access to it, it's pretty easy to deploy. We have about 62 of them in production, so we have a standard for how we implement them and how we manage them.

We have Professional Services and consultants who work with us on projects, but not for the deployment. We have our own data centers and our own engineers who are trained to do it. We give them the instructions so we don't need Cisco help for deployment. We have help from Cisco only for complex projects. In our case, it requires two people for deployment, one who will do the configuration of the device, and one who is physically in the data center to set up the cables into the device. But that type of setup is particular to our situation because we have data centers all around the world.

For maintenance, we have a team of a dozen people, which is based in India. They work in shifts, but they don't only work on the FTDs. They work on all the security devices. FTD is only a part of their responsibilities. Potentially we can be protecting 140,000 people, meaning all the employees who work on the internal network. But mostly, we work for international internal people, which would be roughly 12,000 people. But there are only three people on my team who are operators.

ROI is a difficult question. We have never done the calculations, but I would say we see ROI because of some security concerns we stopped.

Cisco changed its price model with the new FTD line, where the appliances are a bit cheaper but the licensing is a bit more expensive. But that's not only Cisco, a lot of suppliers are doing that. I don't remember a lot of the licensing for Fortinet and Check Point, but Cisco's pricing is high, at times, for what they provide.

FTD is pretty good. You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license. It's pretty good to have the Cisco and Talos teams working closely. I know Palo Alto has an similar arrangement, but not a lot of suppliers get that chance.

Our organization's security implementation is pretty mature because we try to avoid the false positives and we try to do remediation. We try to put threat intelligence over a link to our IPS next-gen firewalls.

Overall, we have too many tools for security in our organization — around a dozen. It's very complicated to integrate all of them. What we have done is to try to use the Elastic Assist Pack over all of them, as a main point of centralization of log information. The number of tools also affects training of teams. There are issues because one tool can't communicate with the another one. It can be very hard, in terms of technical issues and training time, to have everybody using all these processes.

We also use Cisco Stealthwatch, although not directly with the FTD, but we hope to make them work together. There is not enough integration between the two products.

Overall, FTD is one part of our security strategy. I wouldn't rely only on it because we've got more and more issues coming from the endpoints. It lets you decipher everything but sometimes it is very complicated. We try to use a mix and not rely only on the FTDs. But for sure it's great when you've got a large network, to give you some visibility into your traffic.

I rate it at eight out of ten because it's pretty good technology and pretty good at stopping threats, but it still needs some improvement in the management of the new FTD line and in performance.