Cisco Secure Firewall Reviews

It has been great for blocking incoming bad actors. The new Firepower modules have been a welcome additive to that.

Cybersecurity resilience has helped us be able to react and respond in a quick fashion to anything that may be happening or any anomalies within the environment.

The solution has provided us a sense of security, reliability, and trustworthiness.

The most valuable feature would be the IP blocking. It gets rid of things that you don't need in your environment.

Its resilience helps offer being able to react and self-heal.

The solution is overcomplicated in some senses. Simplifying it would be an improvement.

I have used the ASA solutions for a better part of 10 years.

The stability is unparalleled.

All solutions require maintenance, and we do that routinely. Anywhere from three to four people from the network teams to application owners are involved in the maintenance. This is a firewall in production, so we need to do maintenances after hours, but it would be nice if we didn't need to do it after hours

Scalability is unparalleled. It is easy to scale.

We don't have plans to increase our usage at this time.

In previous years, Cisco's tech support has been great. Although, I have seen it declining. I would rate their support as seven out of 10.

Neutral

We have used the Check Point firewalls as well as several different vendors.

It secures the network. The ROI is really incalculable at this point as keeping our data secure is keeping the company's assets secure.

We did evaluate other vendors.

You need to be always looking ahead and proactively developing to build resilience.

I would rate the solution as eight out of 10. It is a world-class firewall.

The use case is protecting our building. We have one office and we use it to protect the network.

The fact that we can use Firepower Management Center gives us visibility. It allows us to see and manage the traffic that is going through the network.

We have an older version of the ASA and there are always improvements that could be made. Nowadays, nobody is in the office, so I need to figure out how to put the firewall outside. If I could have a centralized firewall that also receives information from external locations, like peoples' home offices, that would help us consolidate everything into one appliance.

I have been using Cisco ASA Firewalls for over 10 years.

We've had issues with it because we always run it in pairs for high availability. We've had issues with the unit, but not in the last five or six years. It's pretty, pretty stable.

The product we have has some limitations when it comes to scalability. That's one of the things we're looking to address with a new solution.

Technical support was good when I used it, but I haven't needed support for the solution lately. I know people complain about support, but I don't have experience with it for this device because I haven't needed support recently.

We do pay the annual fee for support and I expect them to be there in four hours with a new device, if we need one, as they've done in the past.

Positive

We didn't have a previous solution.

My system engineer did the initial setup and he's the person who manages it, day in and day out.

I don't think we've tracked enough data points to see ROI data points, but the value comes from the fact that it's still running and that we are still happy with it. That is definitely a good return on our investment.

The pricing is too high and the licensing is too confusing.

Go for it.

We use it for content management and filtering. We wanted to separate DMZ traffic from normal customer traffic. We were also looking to set up portals for outside interests that needed to come in. We have our firewall set up for VPN and, with COVID breaking out, that became more important. We also use it for remote access control.

It improved our security. It keeps the outsiders on the outside and enables us to monitor the content that's going out from within the organization.

The ASDM (Adaptive Security Device Manager) which is the graphical user interface, works out, and Cisco keeps it current.

Cisco still has a lot of work to do. You can convert an ASA over to a Firepower, but the competitors, like Palo Alto and Juniper, are coming in. And believe it or not, they are a little bit more intuitive. Cisco has a little bit more work to do. They're playing catch up.

There is also content filtering. The bad actors are so smart nowadays, that they can masquerade as the data for a given port, and they can actually transfer data through that port. The only thing that the older firewalls know about is the port. They can't read the data going across it. That's where content filtering comes in, like Palo Alto has, with next-generation firewalls.

I have been using Cisco ASA Firewalls from the beginning, when they moved over from the PIX.

They're pretty reliable. Even from a hardware perspective, we haven't lost any power supplies or the like. An ASA works until we remove it. The maintenance is very minimal. 

It's very scalable. Every organization sets it up differently, but we've been able to perform upgrades with minimal service disruption. We have ASAs in multiple locations.

Being a government-supported organization, the technical support is great. They send us equipment. It's top-notch.

Positive

Cisco has been a leader in firewalls, and the US government primarily chooses Cisco first, before it chooses competitors.

We have a variety of providers from Juniper to Palo Alto, et cetera. But the Cisco GUI is pretty consistent, so most individuals catch on. But when it comes to the Firepower, we're going to need some more training on that, as we're upgrading and moving to the Firepower.

I like the ASA product, maybe because I'm an old guy, more so than the transition to the Firepower. The ASAs have worked ever since the PIX days and they work very reliably. Even with the upgrades, your rules don't change. That's true even with a major OS upgrade.

Things are changing and the ASAs are becoming dated. People want content filtering and so on now.

We use it as a next-generation firewall for the perimeter. I generally use it on-premises.

It helps protect my servers from hackers.

The most valuable feature is the Intrusion Prevention System.

Most of the features don't work well, and some features are missing as well. The completeness of the solution is most important for me. It should be complete, but some parts are missing. Cisco should improve it.

Every part of the features should be developed. That includes the next-generation firewall parts, such as application recognition.

I have been using Cisco Firepower NGFW Firewalls for about five years. I am an integrator and reseller of multiple vendors' products.

The stability is getting better day by day, but I would expect a more stable solution, to be honest. It is stable now, but we have solutions that are more stable.

Technical support is nice, but most of the limitations or problems are caused by the product itself. There's nothing that a technical engineer can do about them.

The licensing package is good, but the licensing fee should be decreased.

I have used CheckPoint, Palo Alto, Juniper, and FortiGate. The Palo Alto solution is complete. 

If I choose Cisco Firepower it is mostly because of its integration with other solutions. When the customer has several Cisco solutions, I put Cisco Firepower on top of them. But if the customer has a complex environment, I generally prefer other solutions.

For specific needs, like VPN, you can use Cisco Firepower. But our expectation is for a next-generation Firewall or UTM solution that includes all the features. I cannot recommend Firepower to others, at the moment, as a unified threat management solution.

Generally, if the customer's number of users is greater than 100, that's when the Cisco solution is more likely to be effective.

Maintenance of the solution requires one or two people.

Typically, we use them on the internet edge for protecting customer networks from the internet. It's a delimiter between the local area network and the wider internet. Other use cases include securing data centers or protecting certain areas within a network. It's not particularly internet-based, but it gives you that added layer of security between networks or between VLANs and your network, rather than using a Layer 3 switch.

Ultimately, it's about securing data. Data is like your crown jewels and you need to be able to secure it from different user groups. Obviously, you need to protect your data from the internet and that's why we generally deploy Cisco ASAs.

The usability, with the GUI front end, certainly helps and it means you don't have to be a command-line person. We have to get away from that now because if you put the typical IT admin in front of a CLI they might struggle. Having something graphical, where they can click in logs to see what's going through the firewall— what's been denied, what's being allowed—very quickly, helps to get to a diagnosis or know something has been blocked. And when it comes to making changes within the environment, that can be done very quickly as well. I've seen something be blocked within a couple of minutes, and any IT admin can make a change through the GUI.

One of the most valuable features is the GUI front end, which is very easy to use. But I'm also a command-line guy, and being able to access the device via command-line for advanced troubleshooting is quite important.

One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes. 

To have that kind of feature, it's more than likely there would need to be some kind of storage on the device, but those boxes were designed a number of years ago now. They weren't really designed to have that built-in. Having said that, if you do reflash into the FTD image, and you've got the Firepower Management Center to control those devices, then all that logging is kept within the Firepower Management Center.

I've been using Cisco ASA Firewalls since they came out. Before ASA, I used Cisco PIX Firewalls. I've been using them since about 1999 or 2000.

I'm involved in the presale events as well as the implementation and post-sale support. We do everything. That is probably different from a lot of organizations. We are quite a small company, so we have to be involved at all levels. I see it from all angles.

One of the reasons I've stuck with Cisco all these years is that you always get excellent support. If a network goes down due to major issues, I know I can raise a case with TAC and get through to subject matter experts very quickly.

Obviously, you need a SMARTnet contract. That means if a device has completely failed, you can get a box replaced according to the SLAs of that contract. That's very important for customers because if you have an internet edge failure and you just have a single device, you want to know that the replacement box is going to be onsite within four hours.

When a network goes down, you're going to know about it. You want to be safe in the knowledge that someone is going to be there for you and have your back. Cisco do have your back on those kinds of things.

Cisco support is a major selling point.

Positive

In terms of deployment, a lot of organizations are moving to the cloud. People are looking at the ASAv image for deploying into the public cloud on Azure or AWS. But there are still a lot of organizations that use ASAs as their internet edge.

The on-prem and the cloud-based deployments are very similar. When you're designing a solution, you need to look at the customer's business requirements and what business outcomes they actually want from a solution. From there, you develop architecture. Then it's a matter of selecting the right kinds of kits to go into the architecture to deliver those business outcomes. We talk to customers to understand what they want and what they're trying to achieve, and we'll then develop a solution to hopefully exceed their requirements. 

Once we've gotten that far, we're down to creating a low-level design and fitting the components that we're going to deploy into that design, including the ASA firewalls and the switches, et cetera. We then deploy it for the customer.

Your investments are protected because of the innovations over time and the fact that you're able to migrate to the latest and greatest technology, through Cisco. 

There are also a lot of Cisco ASA skills out there in the marketplace, so if you have ASAs deployed and you get a new employee, it's more than likely they have had experience with ASAs and that means you're not having to retrain people.

We do deploy other manufacturers' equipment as well, but if I were to deploy a solution with firewalling, my number-one choice would probably be Cisco ASA or the FTD image or Cisco Meraki MX.

The flexibility you have in a Cisco ASA solution is generally much greater than that of others in the marketplace. 

For any Cisco environment, we choose Cisco because it comes down to support. If the network is Cisco, then you have one throat to choke. If there is a network issue, there's no way that Cisco can say, "It's the HP switch you've got down in the access layer."

ASA morphed from being just a traditional firewall, when they introduced the Firepower Next-Generation Firewall side. There has also been progress because you can reflash your old ASAs and turn them into an FTD (Firepower Threat Defense) solution. So you've got everything from your traditional ASA to an ASA with Firepower.

Cisco ASA has been improved over time, from what it was originally to what it is now. Your investments are being protected by Cisco because it has moved from a traditional firewall through to being a next-gen firewall. I'm a fan of ASA.

I think ASAs are coming towards the end of their lifespan and will be replaced by the FTDs. It's only a matter of time. But there are still a lot of Cisco customers who use ASAs, so migrating that same level of knowledge those customers have of the ASA platform across to the FPR/FTD image, will be a challenge and will require investment.

The primary use is as edge firewalls to the Internet.

We are only on-premise. There is still no cloud plan.

It provides visibility and information to the organization about what is being accessed on the Internet as well as the applications that it is protecting.

It is part of our security strategy.

• Anti-malware protection
• Web Filtering
• VPN Remote-Access

The most valuable feature is the anti-malware protection. It protects the endpoints on my network.

We use the application visibility and control feature of Cisco firewalls.

The ease of use needs improvement. It is complex to operate the solution. The user interface is not friendly.

I have been using it for eight to 10 years.

We have 200 users using this solution.

The technical support is good, but it could be better. I would rate them as six out of 10.

Neutral

The setup is not too complex. We implemented it on all our ports.

We have five people on our cybersecurity team.

The solution's ability to provide visibility into threats is fine, but the Fortinet and Check Point solutions have better dashboards and information about visibility.

We are also using Cisco AnyConnect, Umbrella (as a cloud proxy), and ISE. We have between five or six antivirus, proxy, anti-malware, data loss prevention, VPN client, and firewall tools.

I would rate this Cisco product as six out of 10.

It is hard to control the bandwidth of end-users with a Cisco Firewall. That is the main issue I've faced. I used Mikrotik for many years for this very reason. Mikrotik has the option to set a bandwidth restriction for a single IP or complete segments. Cisco should add this option to their firewall.

We have been using Cisco for about five years. All our products, switches, routers, and firewalls are Cisco devices.

Cisco Firewall's scalability is fine. 

I rate Cisco ASA Firewall eight out of 10. Cisco offers a great educational series to train users on their devices.

One of the things that we have solved the most with this solution is the P2P connection that we have with different clients. It gives us greater connection security with good management of the configured rules. 

Likewise, it has made it easier for us to have this type of equipment under monitoring, and, since we have implemented them, we have not been presented with any performance problems in the equipment as they have not presented CPU or RAM saturation or that for some reason it fails without any cause. We all have them managed and monitored. We always receive an email notifying us if there's something that the equipment has detected as well.

The ASA firewalls have undoubtedly helped us to improve our infrastructure throughout the corporation and currently we have just over 50 firewalls - all of them in different parts of Mexico. 

This infrastructure has been improved since, in our corporation, we handle the dynamic EIGRP protocol, which Cisco owns, and this solution has given us a geo-redundancy in our company. In case of presenting a problem with a firewall or a link, it performs an immediate convergence where end-users do not detect a failure, helping us to maintain a 99.99% operational level at all times.

I am very happy to use this type of Cisco equipment in my infrastructure. It has given us the most value is the management of dynamic routing, in this case, EIGRP. This protocol, together with a series of additional configurations, has helped us to maintain an automatic redundancy in all our infrastructure, keeping us with very high numbers of operability and without failures that take more than 1 minute or that have not been resolved automatically. With this solution, we only speak with our suppliers either for a link or equipment report, and even if the box or circuit is out of operation, the operation continues to work without problems.

Today, ASA firewalls are leaving the market and are being replaced by firepower equipment - a technology with which I am not very familiar. However, in the training or research, I have done on this new product, I see that it has many additional tools such as centralization of the administration through a single team (in the case the firepower management). It is something that we do not have, yet we are already considering it since this type of technology will help us to have better management and better administration of the equipment through a single platform. The management of additional services with this new module will certainly help us to have the internet network much more secure with connections to the outside.

I've used the solution for more than seven years.

The solution is great in terms of stability.

The scalability is great.

Technical support is great.

We previously used Fortigate.

The initial setup was not complex.

We handled the implementation in-house. 

We've seen an 80% ROI.

Cisco is not cheap, however, it is worth investing in these technologies.

We always evaluate various other options.