Cisco Secure Firewall Reviews

ASA5585-SSP-60 was deployed after a migration from Juniper SRX5600. The solution is used for the protection of the mobile data network. It is protecting 3G/4G Internet customers and the Private APN.

So far, we are not satisfied by the move. The precedent solution is much more adapted to the Telco environment, although Cisco recommended this platform. Cisco ASA also brought our network down several times due to a memory leakage bug, which is still not resolved.

All features provided by the platform are quite the same for all other platforms. We rather missed some features we were used to, such as virtual routers

• VPN creation with Cisco is quite difficult: Some DH groups are not supported (compared to Juniper).
• Expected to see the enablement of virtual routing, which is key in a Telco environment. We need to provide this in LAN to LAN services with shared platforms (DNS, proxies, etc.).
• Application visibility 

Yes, a memory leakage issue which literally freeze the nodes (we have an HA environment). The issue is still not solved and the only recommendation from Cisco is to reboot the node.

Yes, the throughput highlighted on the datasheet (10Gbps) should be reviewed. This throughput is only for a UDP running environment, which you will never find in the real world. Rather consider a multiprotocol throughput.

Experience with technical support was mitigated. 

Technically, they denied any issues on the node and call the memory leak issue, "A cosmetic issue." They were stating that memory disappearance reported by SNMP was an error and will have no impact on the traffic. They have reviewed this since we have recorded several blackouts during the year.

We were using Juniper SRX5600. The switch was more a strategic decision than a technical one.

We are also using a 5520 for seven years in our datacenter and we are satisfied by this version.

The initial setup was very complex. Migration from Juniper (with wide usage of VR) to Cisco is complex and you should make sure to master all the flows on the node. Also, Juniper is more permissive on asymmetric traffic, which Cisco will deny by default. 

Implementation was performed by a Cisco recommended local partner. 

We were not satisfied at all (from the pre to post implementation). Their level of expertise was zero.

I do not know.

Nothing to highlight at this level. 

We did an evaluation with Check Point.

It is definitely not for Telco.

Starting in version 9.7 you could track a login history for audit purposes and, in 9.8, you are able to do active/backup HA with ASAv (Adaptive Security Virtual Appliance) deployed on MS Azure.

There is always room for improvement in virtually anything. However, the relatively new Firepower Threat Defense image (mix of ASA and Sourcefire network security) fills a lot of gaps and features that were missing on ASA. Moreover, with FMC (Firepower Management Console) you can complement it with even more admin and reporting capabilities for the entire platform.

No stability issues.

No scalability issues.

Excellent.

New version comes with initial setup tutorial, with very nice security policies baseline, set up by default.

Be sure of what features you are going to utilize to add/remove some from new bundles.

Best value will always be delivered by adding FMC (Firepower Management Console); at least their virtual edition.

It’s too early to say anything about this, as it’s still under implementation.

Management Console and user profiling to define activities.

As it’s a GenX firewall, expertise for both implementation and troubleshooting the pain points can be a challenge. This could be a concern when companies are thinking about buying this product.

Yes, unexpected failure and no RCA provided by the OEM.

Still working on this.

Technical support from OEM is a six out 10, as RCA report has still not been shared to date.

Check Point. We moved to Firepower as an internal firewall to manage internal access and other network load.

Straightforward, two-tire setup.

All our requirements which we need performed by the firewall (e.g. VPN, URL white-listing, or IP based white-listing, etc.) have separate licenses and costs.

Yes, a couple of other of OEMs: Fortinet, Barracuda, etc.

I rate it an eight out of 10, as it’s a new platform. Compared to Cisco ASA, it’s far better, per my usage to date.

Make sure you have an expert resource or subscribe to OEM technical support.

It helps us to identify key, persistent threats so we can set policies accordingly.

In-depth monitoring and analysis. It helps us to make better decisions and policies.

• Integration aspects
• Traffic shaping

Initially there were some stability issues, but in the long-run no.

It requires additional licensing to enable 10G ports.

Technical support is very good.

It is complex. We have to set up ASA, SFR module, and FMC separately, which sometimes requires extensive troubleshooting, even for smaller issues.

We evaluated Huawei, briefly.

It is a good datacenter firewall, as they have now overcome integration issues with latest versions.

Malicious URLs are being blocked.

Advanced malware protection, it blocks malicious attacks.

• Bandwidth allocation.
• SSL decryption (avoid installing the intermediate device certificate in the client) should happen from Firepower itself.
• Critical bugs need to be addressed before releasing the version.
• Need to reduce the time to for detection of new threats.
• Enable a feature for importing/exporting logs when required for analysis.
• Dynamic IP address in client systems mapping with respect to OS change or device change should be updated periodically in FireSIGHT management.
• Virtual patching would be helpful for servers that are not able to update patches due to compatibility issues.

Yes, there were stability issues due to memory issues in the cluster environment and Firepower misbehaved due to non-responding of service/process.

No scalability issues.

Good support.

We switched from our previous solution because of scalability issues.

It was straightforward, even though we migrated from a third-party to Cisco.

Price should be judged based on the above answers, among the most capable vendors.

FortiGate.

We are using ASA5585-X with Firepower SSP-20 (ASA version 9.6(1)3, Firepower version 6.1.0.5).

When looking at different solutions, take a deep look at the features.

Secured our network from outside and inside intruders.

• Network attack detection
• DoS and DDoS attack prevention
• Signature-based detection
• User-defined signatures with regular expressions
• Integrated URL and content filtering
• Custom URL categories filtering
• Integarted antrivirus
• Protocols scanning

License capacity needs to be extended and the vendor needs to work on the pricing.

No stability issues.

No scalability issues.

10 out of 10.

No, Cisco was part of our solution from the start.

Straightforward.

Value for your money, but bit a costly.

Good product, give it a chance.

This is our perimeter router. We used it purposely for NAT and to port forward traffic. Other essential features of a firewall are handled separately by a UTM.

The ASA needs to incorporate the different modules you have to integrate to achieve UTM functions, especially for small businesses.

No stability issues at all, the most stable firewall I’ve ever worked with.

No scalability issues.

Quite good.

We’ve always used ASA from the get go. We added the UTM is to compliment it.

Straightforward.

Pricing is why we had to go for a UTM. For us to achieve what we needed, if we had gone with the ASA, the cost would have been high compared to getting one box (UTM).

Juniper, Check Point, Astaro

Go for it. I really like how, once you get the ASA set up properly, it can run for a whole year without any major issues, apart from the normal daily administration.

We have been using this model for three years, to place a firewall between ISPs and our corporate network. As of now, we have configured some SSL VPNs on our end for our convenience.

Three years ago we encountered malicious attacks from the internet, most of which were Chinese attackers, so we deployed Cisco ASA to strengthen our network. Since the deployment, we haven't seen the risk we encountered before.

Manageability of Cisco ASA. It has a GUI interface, unlike the most of Cisco IOS. For beginners they can "sneak in" and apply the command and see the actual commands that the GUI launches. In addition, Cisco has the reputation regarding security.

There are more powerful firewalls, other than the Cisco NGFW, like Fortinet, Palo Alto and so on. I can't say Cisco is the leading firewall brand as of now, as the technology innovates. 

No stability issues yet.

No scalability issues yet.

Awesome.

I rate it an eight out of 10. 

I am only handling or supporting the ASA 5520 model in our company.