Cisco Secure Firewall Reviews

Our use case is mostly for the data center. We are introducing a security zone in the data center, and Cisco is helping us to identify the traffic that is coming from north to south or from outside the data center to inside the data center. It helps us to manage the traffic and ensure that it's secure and allowed to go inside the data center. We have almost completed the project. We are currently tuning the access policies to only allow what's allowed to go inside.

We are using all the firewall models for the data center. AMP, detection, and prevention are a part of the solution.

It was a requirement from our security and compliance team that any traffic going to the data center needs to be checked and secured. We are almost at the final stage of this project to allow only secure access to the data center. We are almost there. We haven't yet completed the project, but it will definitely be a very critical service for us. Our data center is huge with more than 1,000 applications. It will protect and secure our services.

We are using Cisco firewalls not only in the data center but also on the internet edge. We also have it on the OT system or OT network. We are using most of the products from Cisco, and it was easy to integrate with other services. We have the Cisco ACI solution in the data center. We could integrate Cisco ACI with our firewall. We also have Cisco Stealthwatch and Cisco ISE. We can easily integrate different technologies.

Integration and troubleshooting are the main challenges of having multiple vendors. Having an end-to-end solution from one vendor makes life a lot easier because there is an ease of integration. We don't need a third party. It is also easy in terms of support. One engineer from the same vendor can help us with various technologies. We don't need engineers from different vendors, and we also avoid that common scenario where they start to blame the other one for the issue.

Having an end-to-end solution from the same vendor simplifies the implementation. We are able to have centralized management of different products. We were able to integrate and centrally manage even the older versions of Cisco firewalls.

I'm not a security person. I'm a planner, and we were interested in the advanced features of the firewall to allow us to manage the traffic. At the current stage of implementation, their help in implementing a policy has been valuable. It simplified the implementation. Cisco's engineer helped us with a lot of scripting to see what existed. Previously, we didn't have a proper policy. In fact, we didn't have any policy because we didn't have any firewall for the data center, so generating a policy was a big challenge. Cisco's engineer helped us to do some scripting and find out what kind of policy we can have and organize those policies. That was nice.

Its implementation was not straightforward. It was mainly because we were running two projects together. In terms of features, at this stage, I don't have inputs for the area of improvement. We are still in the implementation stage of our project. After we have the solution ready and we test it, we can go to phase two and see how to enhance the solution in the future. We can then see which features will allow us to do that. After we implement it, the next stages will be to maintain it, tune it, and build on it. We will then see how flexible it is.

I've been using Cisco firewalls for about 20 years. The last model we bought for the data center is 9300.

Cisco is always there to support customers and their businesses. They are there 24/7. Whenever you have an issue or challenge, they are always there. For us, a good thing about Cisco is that there is a Cisco office in Oman. Our colleagues coordinate and communicate with them almost daily. They are always there to support us through any challenge or issue. All vendors are not available in Oman, so having a trusted partner who would always help us was a key factor for investing in Cisco. 

When we open a ticket with Cisco support, we always get someone to help us. We have a dedicated engineer who knows our infrastructure and can help us and track the issues. We are a big organization, and we have critical services. We are the biggest oil producer in Oman, which is the main economy of the country. We can't afford any interruptions. We are trying our best, and Cisco always supports us. They handle our cases in an urgent manner because they know the criticality.

For the data center, we didn't have a security zone previously. It was one of the key requirements to come up with the security zone. We chose Cisco firewalls because we were implementing ACI in the data center, and we thought that having one vendor for both activities will reduce our time of implementation, which didn't turn out to be true.

It was not a straightforward implementation. The main challenge was that we were running two projects together, so we ended up doing the same activity twice. We had two requirements: refresh the data center devices and secure them because there was no security zone. We went for the ACI implementation, which was new for us and required a lot of discussions, and when we tried to introduce the firewall, we again had a lot of discussions with Cisco about whether to go with clustering or active standby.

We discovered that our ACI was not compatible with the firewall that we are introducing. So, we ended up upgrading our ACI. That was a big activity because we had to interrupt our data center. It should have been a seamless upgrade, but because some of our services didn't have dual links, we had to do some maintenance for that. After that, we also ended up upgrading our switches because they were not supporting 40 gigs, which is what the firewall interface supported. That was another challenge that we had. After that, going to active-standby or clustering was another challenge because the switch fabric didn't work well with our design. So, we ended up going with active-standby.

It was a journey, but in the end, we managed to overcome those challenges and implemented our solution.

We've definitely seen an ROI. It was a requirement, and looking at the way it went, especially in terms of coming up with the policy and securing our data center, there has been a value-add. We now have a security zone, and we have policies. We can manage and monitor the traffic coming in and going out.

In addition, we have the flexibility of sending any traffic to the firewall, even internally from the data center. Whenever we have a doubt about any application or traffic to any application, we can just send it to the firewall and let it check and monitor. We have this visibility that we didn't have before. We can see any traffic that comes in. 

We bought a three-year license as a part of the enterprise agreement, which includes help with implementation and troubleshooting. We have a big data center with many applications, so implementation was not straightforward. We had to put effort into it. It wasn't an easy or straightforward implementation. The support that we got from Cisco engineers with the three-year premium license was helpful. The enterprise agreement helped to consume the licenses in a practical and faster way and streamline the implementation.

We are very pleased with Cisco for the automation they did to help us in coming up with a policy. That was a big challenge because we didn't have any policy in place. It was a big help for us that they came up with a policy or at least proposed a policy for us.

Our engineers are familiar with Cisco firewalls, and they are not new to them. However, things are changing and technology is changing, and new features are getting added. Automation will be the main challenge for us. Some of our engineers are not yet very good at scripting. They're still learning. The way forward would be to have people do some amount of programming to come up with useful information to enhance the solution in the future.

I'd rate Cisco Secure Firewall a seven out of ten.

We are currently using the Cisco Firepower 2140 model because it fits our sizing and performance needs.

We use Cisco Secure Firewall as the internal firewall to protect our retail PCI networks from the rest of the corporate business.

We are a global company, and we have multiple data centers. There are two in Europe, and we deployed Cisco Firepower in all of our worldwide data centers. In each region in the world, we have two data centers with Cisco Firepower to separate retail from corporate and Firepower for IPS services. This solution protects around 1,500 stores, and our corporate office has around 10,000 people.

I like the basic firewall features. We use Cisco Firepower to separate PCI from corporate, so we're not using it at the edge. If we were to use Firepower at the edge, then we would enable other features like IDS and SSL inspection. However, since we only use it as an internal firewall, plain level-four firewalling is enough for us.

Cisco Firepower is useful for securing our infrastructure from end to end so that we can detect and remediate any threats. I like the Cisco products because they are very stable and what you see is what you get. There are no vague or gray areas. We log all of our logs to Splunk, for example, and everything we see in Splunk is very useful. Finding errors or finding reasons why something is or is not working is very easy.

This solution helped to free up our IT staff's time so that they can focus on other projects. The management platform makes deployment and management, that is, day-to-day changes, very easy.

Cisco Firepower saved our organization's time because it has role-based access. We can give some engineers the ability to do day-to-day tasks and give more experienced engineers more in-depth tasks.

We have been able to consolidate our tools and applications. The FTD tool also manages our Firepower IDS nodes. As a result, we have a consolidated single pane of glass for all of our Cisco Firepower security tools.

We use the FTD management platform for the boxes. The GUI that manages multiple Firepower boxes could be improved so that the user experience is better.

We have been using Cisco Firewall for the last 15 years. We started off using Cisco ASA and have now migrated to Cisco Firepower.

The stability is very good; there's no vagueness. Either it works or it doesn't, and it's also very easy to find out why.

There haven't been any performance issues. We run HA clusters and don't do multiple clusters for scaling. We scale the boxes to our performance needs. We have nine staff members who work with this solution.

Cisco's technical support staff have always been helpful and have been able to solve our issues. I would rate them a nine out of ten.

Positive

We used Cisco ASAs, and they were all individually managed. We went from individually managed IDS and Firepower IDS solutions to this consolidated single management platform.

We chose Cisco Firewall over competing solutions because what you see is what you get. We liked that the changes are immediate. The way the logs come into our Splunk system gives us a good feeling about the stability and performance of Cisco products.

We have seen an ROI. Compared to that of other vendors, Cisco's pricing is in a good range. We use Cisco products for their complete lifespan. With the support context that we have, we also know what we spend over the lifetime of the solution.

The pricing of Cisco's boxes is pretty good.

My advice would be to talk to people who work with different vendors and get some hands-on experience. Don't just listen to or look at sales documents. See whether the performance actually matches that mentioned in the sales documents. Check with other competitors for hands-on experience as well.

I would give Cisco Secure Firewall an overall rating of eight out of ten because I'm not 100% happy with the management dashboard.

We're a partner so we work with all sorts of different end-users to deploy them for their use cases, including a lot of internet edge, some data center segmentation, east-west firewalls, and not so much in the cloud, but mostly on-prem today.

We use them for securing the internet perimeter and preventing malware from coming into the environment, as well as providing content filtering for CIPA compliance or other sorts of compliance out there. That's a big use case with our customers. 

The integration with the other Cisco products is something that a lot of our customers are looking forward to, with SecureX and ISE and Secure Endpoint. Things like that are a lot of the use cases that customers bring to us to help them solve. It integrates really well.

It's allowed them (our clients) to feel or know that their network is secure, and to put those guidelines in place, or those controls in place, to prevent their users from going out and unintentionally doing something dumb by clicking on the wrong link. It's able to prevent malware. And the Umbrella integration prevents them from getting to those websites if they do happen to be too busy and click on a phishing link or something like that.

As far as metrics or examples, I don't have any that I can specifically say off the top of my head. I will say I definitely have lots of happy customers that are running it and they feel it's a stable solution and one that they can rely on.

I'm a big fan of SecureX, Cisco's platform for tying together all the different security tools. It has a lot of flexibility and even a lot of third-party or non-Cisco integration. I feel like that's a really valuable tool.

From the Firepower solution, all the features that you would think of when you're thinking about a Firewall [are valuable], including some that I stated: content filtering, the IPS, IDS, and malware prevention. All of those are big use cases and great features that work well.

I've been using Cisco Firewalls and Cisco Firepower for at least 10 years.

It's stable. I have multiple clients that run it. There are always going to be some bugs and issues that we run into, but that's where their TAC definitely jumps in and helps and recommends code versions and things like that. Overall, the stability is pretty good.

In terms of scalability, they've got all different sizes of firewalls for different scales. Being able to understand how to size the firewalls appropriately is definitely key in that. That's where a partner can help, or even the customer Cisco account team can help with the scalability. They have the big multi-instance 9300 chassis down to the small 1000 series. There's a lot of scalability within the portfolio.

Cisco has a huge TAC organization. Experiences can differ. Sometimes it's really good, sometimes you get a newer TAC engineer who needs to start at step one to investigate the issue. But they're always there. They always pick up the phone and there's always a person, a TAC engineer to escalate to, who can provide really good support. You know that they've got someone in there. It's a matter of getting to the right individual.

They could improve by having more skilled, high-level engineers that are available around the clock. I know that's an easy thing to say and a hard thing to do. 

We have engineers that do the deployments. They're very skilled and have done many Firepower deployments. The methodology that Cisco has, the documentation they have out there on how to install it and how to configure it, are top-notch. That really helps us install it for a customer and get the customer up to speed on how well it works. A firewall is never a super simple thing to install and configure, but Cisco does a really good job with some of their automation tools and the documentation.

Usually, we assign a single engineer to a firewall deployment project and he's able to complete that. The amount of time it takes to deploy will vary. A small branch, may be several hours' worth of work to deploy a firewall. A large corporate site, obviously, that's going to be much more time-consuming, with lots of policies to configure and talk through with the customers and things like that. It varies depending on the size and application.

In terms of return on investment, I have multiple clients that have been through multiple generations of ASA to Firepower to the next generation of Firepower. They definitely find the return on investment there. They find it's a valuable product to have in their network. It definitely checks that ROI box for them.

Cisco is known as a premier product and it comes with a premier price point sometimes. Sometimes that makes it challenging for some customers to bite off. They see the value when we get into a proof-of-value scenario. Price points can tend to be high, but the new line of the 3000 series Firepowers definitely solves that issue and it's very attractive.

In terms of improving it, they're doing a really good job in a competitive landscape against some of the other vendors out there. The new Firepower 3000 series was a great addition to the portfolio and really stacks up, price-wise, well against some of the other vendors out there. A year ago, that was one thing that I would've commented on, but they've done a pretty good job of filling that niche.

There are some other good solutions out there. There are a lot of other successful firewall vendors. But when I compare a Palo Alto, or a Fortinet, or SonicWall, or something like that against Cisco, it's a tough comparison. Cisco has the ecosystem of security products that all tie in together, integrate really well together. There are lots of good dashboards and observability built into the product. That's where they've got a leg up on their competition. 

My advice for others looking to use the solution is to get [together] with a good partner, someone who's got engineers and architects that know the product well, and get their thoughts on it. We can always help compare and contrast against other options out there in the market. My job is knowing the market landscape and being able to help differentiate.

And always take advantage of a proof of value. It's always best to get that box into your network, see how it works with your particular traffic mix and your set of policies. I would always put a PoC/PoV as a checkbox in a buying decision.

I would rate the product somewhere between a seven or eight out of 10. Sometimes there are stability issues, as I referenced before, or just the general TAC support, while good, could be better. There's always room for improvement there. But I feel like it's a really good product that Cisco has definitely improved as time has gone on.

We have two devices in Active-Active mode, acting as a perimeter firewall. It is the main firewall that filters traffic in and out of our organization. This is where there are many rules and the mapping is done to the outside world. We use it as a next-generation firewall, for intrusion detection and prevention.

It's also linked also to Firepower, the software for network policies that acts as our network access control. 

I find it very useful when we're publishing some of our on-prem servers to the public. I am able to easily do the NATing so that they are published. It also comes in very handy for aspects of configuration. It has made things easy, especially for me, as at the time I first started to use it I was a novice.

I have also added new requirements that have come into our organization. For example, we integrated with a server that was sitting in an airport because we needed to display the flight schedule to our customers. We needed to create the access rules so that the server in our organization and the server in the other organization could communicate, almost like creating a VPN tunnel. That experience wasn't as painful as I thought it would be. It was quite dynamic. If we had not been able to do that, if the firewall didn't have that feature, linking the two would have been quite painful.

In addition, we have two devices configured in an Active-Active configuration. That way, it's able to load balance in case one firewall is overloaded. We've tested it where, if we turn off one, the other appliance is able to seamlessly pick up and handle the traffic. It depends on how you deploy the solution. Because we are responsible for very critical, national infrastructure, we had to ensure we have two appliances in high-availability mode.

I love the ASDM (Adaptive Security Device Manager) which is the management suite. It's a GUI and you're able to see everything at a glance without using the command line. There are those who love the CLI, but with ASDM it is easier to see where everything is going and where the problems are.

The ASDM makes it very easy to navigate and manage the firewall. You can commit changes with it or apply them before you save them to be sure that you're doing the right thing. You can perform backups easily from it.

It also has a built-in Packet Tracer tool, ping, and traceroute, all in a graphical display. We are really able to troubleshoot very quickly when there are issues. With the Packet Tracer, you're able to define which packet you're tracing, from which interface to which other one, and you're able to see an animation that shows where the traffic is either blocked or allowed. 

In addition, it has a monitoring module, which also is a very good tool for troubleshooting. When you fill in the fields, you can see all the related items that you're looking for. In that sense, it gives you deep packet inspection. I am happy with what it gives me.

It also has a dashboard when you log in, and that gives you a snapshot of all the interfaces, whether they're up or down, at a glance. You don't need to spend a lot of time trying to figure out issues.

Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked.

The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other.

When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even Fortigate can.

A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the IPSs you have, and giving you the best output.

I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.

I have been using Cisco ASA Firewalls since November 2019.

Cisco products are quite resilient. We've had problems due to power failures and our UPSs not being maintained and their batteries being drained. With the intermittent on and off, the Cisco ASAs, surprisingly, didn't have any issue at all. The devices really stood on their own. We didn't even have any issue in terms of losing configs. I'm pretty satisfied with that.

I've had experience with some of the new Cisco devices and they're quite sensitive to power fluctuations. The power supply units can really get messed up. But the ASA 5516 is pretty resilient. We've deployed in a cluster, but even heating up, over-clocking, or freezing, has not happened.

We also have the Sophos as a bridge, although it's only a single device, it is not in a cluster or in availability mode, but we've had issues with it freezing. We have had to reboot it.

It's easy to scale it up and extend it to other operations. When we merged with another company, we were able to extend its usage to serve the other company. It became the main firewall for them as well. It works and it's scalable.

It's the main perimeter firewall for all traffic. Our organization has around 1,000 users spread across the country. It's also our MPLS solution for the traffic for branch networks. It's able to handle at least 1,000 connections simultaneously, give or take.

Prior to my joining the organization, there was a ransomware attack that encrypted data. It necessitated management to invest in network security.

When I joined the project to upgrade the network security infrastructure in our organization, I found that there was a legacy ASA that had been decommissioned, and was being replaced by the 5516. Being a type-for-type, it was easy to pick up the configs and apply them to the new one.

When I joined this organization, the solution had just been deployed. I was tasked with administrating and managing it. Managing it has been quite a learning curve. Prior to that, I had not interacted with ASAs at all. It was a deep-dive for me. But it has been easy to understand and learn. It has a help feature, a floating window where you can type in whatever you're looking for and it takes you right there.

We had a subsidiary that reverted back to our organization. That occurred just after I started using the 5516 and I needed to configure the integration with the subsidiary. That was what I would consider to be experience in terms of deployment because we had to integrate with Meraki, which is what the subsidiary was using.

The process wasn't bad. It was relatively easy to integrate, deploy, and extend the configurations to the other side, add "new" VLANs, et cetera. It wasn't really difficult. The ASDM is a great feature. It was easy to navigate, manage, and deploy. As long as you take your backups, it's good.

It was quite a big project. We had multiple solutions, including Citrix ADC and ESA email security among others. The entire project from delivery of equipment to commissioning of the equipment took from July to November. That includes the physical setup and racking.

Two personnel are handling the day-to-day maintenance.

We have seen ROI with the Cisco ASA, especially because we've just come to the end of the three-year subscription. We are now renewing it. We've not had any major security incident that was a result of the firewall not being able to detect or prevent something. That's a good return on investment.

Our device, the 5516, has been declared end-of-life. The cost of upgrading is almost equivalent to deploying a new appliance. But having had it for three years, it has served its purpose.

As with any security solution, the return on investment must be looked at in terms of what could happen. If you have a disaster or a cyber attack, that is when you can really see the cost of not having this. 

Cost-wise, it's in the same range as its competitors. It's likely cheaper than Palo Alto. Cisco is affordable for a large organization of 500 to 1,000 users and above.

You need a Cisco sales partner or engineer to explain to you the licensing aspects. Out-of-the-box, Firepower is the module that you use to handle your network access policy for the end-user. It's a separate module that you need to include, it's not bundled. You need to ensure you have that subscription.

A Cisco presales agent is key for you to know what you need. Once they understand your use cases, they'll be able to advise you about all the licenses you need. You need guidance. I wouldn't call it straightforward.

With any Cisco product, you need a service level agreement and an active contract to maximize the support and the features. We have not had an active service contract. We just had the initial, post-implementation support.

As a result, we've wasted a bit of time in terms of figuring out how best to troubleshoot things here and there. It would be best to ensure you are running an active contract with SLAs, at least with a Cisco partner. 

Also, we were not able to use its remote VPN capabilities, Cisco AnyConnect, because of a licensing limitation.

I would encourage people to go for the newer version of Cisco ASA. 

When you are procuring that device, be sure to look at the use cases you want it for. Are you also going to use it to serve as your remote VPN and, in that case, do you need more than the out-of-the-box licenses it comes with? How many concurrent users will you need? That is a big consideration when you're purchasing the device. Get a higher version, something that is at least three years ahead of being declared end-of-life or end-of-support.

We use Cisco Secure Firewalls to secure our business.

Cisco Secure Firewall is a Layer 7 next-generation firewall, providing us with a significant amount of visibility into our traffic patterns and the traffic passing through the firewall. It informs us about the zones that facilitate a smooth data flow, where the data is being directed, and covers ingress and egress all the way up to layer seven. Therefore, I believe the visibility it offers is excellent.

Cisco Secure Firewall is effective in securing our infrastructure from end to end, enabling us to detect and remediate threats. However, the way we currently utilize it may not be the most optimal approach to fully leverage its end-to-end capabilities. Nonetheless, considering its purpose within our usage, it effectively fulfills its intended role.

The ability of Cisco Secure Firewall to enhance our organization's cybersecurity posture and resilience is commendable. Cisco Secure Firewall serves as our primary line of defense, deployed at the Internet edge of every site across the globe.

The most valuable feature is zone segmentation, which we utilize through the Firepower management console. This allows for centralized management, which proves highly useful. In the past, when using Cisco Firewalls, we had to manage them independently. However, now we have a single unified interface to manage all our Cisco Firewalls worldwide.

The Cisco Firewall UI could be improved. While having a centralized management console is a significant improvement, I believe there are several enhancements that could be made to the UI to enhance its user-friendliness and improve the overall flow. This is particularly important during troubleshooting, as we want to avoid wasting time navigating through different sections and excessive clicking. It would be beneficial to have everything readily accessible and a smoother flow to quickly reach the desired locations.

I believe Cisco needs to make the appliance more automated in order to provide us with additional time. This would eliminate the need for us to manually go through the firewall, search, find, and troubleshoot everything. It would be beneficial if the appliance had some form of AI integrated to generate such information, enabling us to quickly identify the problem. If necessary, we could then delve deeper into the issue.

I have been using Cisco Secure Firewall for 19 years.

Cisco Secure Firewall is stable.

The scalability of Cisco Secure Firewall depends on the different models available, as each model may have a fixed scalability level. Therefore, the scalability we obtain will vary depending on the specific model we utilize.

The quality of technical support varies. We occasionally receive excellent technicians, while other times we do not. Consequently, I believe it is preferable to rely more on the competent ones rather than the subpar ones.

Neutral

We had previously used Check Point but decided to switch to Cisco Secure Firewall. The reason for this switch was the lower cost and our company's desire to remove Check Point from our environment. It was an excellent deal, and the technology was on par. We did not lose any functionality or experience any drawbacks by choosing Cisco over Check Point. In fact, I believe we gained additional features, and Cisco is more widely adopted and supported compared to Check Point. Therefore, I am confident that we made the right decision.

The initial setup was complex. Firstly, we were migrating from a completely different platform and vendor to Cisco. Therefore, the ruleset migration was not only complex but also tedious because there was no suitable migration tool available for transitioning from Check Point to Cisco Firepower. The second part involved a complete change in our design, as we opted for a more zone-based approach where our checkpoints are more streamlined. This complexity was a result of our own decision-making.

We utilized our partner, ConvergeOne, for the integration, and they were exceptional. They demonstrated sharp skills, and together we successfully completed the job. The entire process took us a year during which we managed to cover every site within our company.

We have witnessed a return on investment through the capabilities of Cisco Secure Firewall itself, along with its numerous threat defense technologies. As a result, we do not need to purchase additional tools to enhance the firewall; everything is already integrated. Therefore, I believe this was a significant victory for us.

The pricing structure for Cisco Secure Firewall can be challenging to manage. It involves separate line items that need to be carefully tracked, such as SmartNet, FCD licenses, and other license features. This complexity adds to the difficulty of dealing with the pricing.

I rate Cisco Secure Firewall an eight out of ten.

Cisco Secure Firewall has not helped consolidate any of our applications or tools.

We use Cisco Talos to pull the signatures for everything we download. However, we don't rely on Cisco Talos for our day-to-day operations. 

Cisco Secure Firewall is a commendable product and holds a leadership position in the industry. While there are other competitors available, it is certainly worth considering, particularly for organizations that already utilize Cisco switching, routing, and related infrastructure. Cisco Secure Firewall can seamlessly integrate into the existing ecosystem, making it an appealing option to explore.

Having in-house expertise in Cisco and its products is indeed valuable when making a decision to go with Cisco Secure Firewall. The fact that our team already had a lot of expertise and experience with Cisco products played a significant role in the decision-making process.

We are Cisco partners. We have been selling Cisco products for more than 25 years, and we are a major player in various African markets, such as Morocco and French-speaking countries in Africa.

We have been offering a wide range of Cisco-branded security products. The most important ones were the ASA firewalls, and now, we have the next-generation ones, XDR, and all the applications or all hybrid security solutions offered by Cisco, including Umbrella, on-premise Identity Service Engine, and all the other third-party solutions.

Our main objective is to show customers the added value of Cisco products and how they can tackle all the security issues and all the threats or the cyber security issues rising on a daily basis nowadays. Cisco Talos, for instance, is something that we propose, and we also propose all the restrictions to be up-to-date. Cisco's ecosystem is very wide in security, so we have very good use cases. 

In the beginning, customers used to implement ASA firewalls mainly as the network firewall in data centers, branch offices, all locations, and also in the DMZ. Nowadays, the perspective has changed, and also with the design requirement, the nature of the cloud hybrid solutions leads us to use more sophisticated tools based in the cloud, but we still cover all the security aspects from the branch office to the data centers.

Cisco adds value by providing various solutions such as Umbrella and Duo. It's a combination. An existing firewall system only protects or controls flow on a daily basis in a normal production environment, but when it comes to security threats, we need to add more components. This is why Cisco is offering a wide range of products. Cisco is completely handling all the aspects from end to end with micro-segmentation, for instance. Identity Service Engine can handle the end-users' protection, and in the end, for the data center, we have different tools, and this is how we can cover end-to-end solutions.

The most valuable feature is IPS. It's a feature that's very interesting for tackling the most current attacks. We also have Umbrella with Secure DNS because all the threats nowadays are coming from email servers. We also have the DSA solution to limit the threats coming from ransomware. Combining all of these with Talos provides the best security solution.

It's a question of performance. When we talk about data centers, we are talking about 100 gig capacity or 400 gig capacity. When it comes to active-active solution clustering and resilience and performance, Cisco should look into these a little bit more.

We have been offering Cisco Security firewalls from the beginning of ASA, which was more than 20 years ago. We then started offering all types of firewalls, including the ones for data centers and then the next-generation firewalls.

The stability of the Cisco firewalls is the best in my opinion. We used to have ASA firewalls running for more than five years. Even when we did software upgrades, we had a very stable platform providing high performance without any outage, so customers can rely on Cisco firewall solutions.

For daily operations and projects, scalability is very important. Cisco provides a way of mixing and clustering firewalls to enhance scalability. We have many ways to scale, and as our clients grow, we can have the Cisco firewall solution grow as well.

We work with different vendors based on customer needs. We have a specification that we need to have a combination of different vendors, which is the best practice in the data center architecture and design. We cannot have one vendor at all levels, and we should have a combination. 

As a vendor, Cisco has a complete range of products to handle all the security aspects. When I look at the architecture design, the implementation of Cisco firewalls is the best. We have data centers based on Nexus for instance. We have routing components. All the compliance and architectural design requirements are met, and we can meet the customer needs according to the Cisco design guide and validation guide. When we look at the security aspect and the guidelines in terms of next-generation firewalls, in terms of redundancy on both sites or multi-sites, we have better performance with Cisco than other vendors in some cases.

Our customers use Cisco firewalls mainly in data centers, branch offices, and campus environments. They don't only use basic firewalls. They also use next-generation firewalls, which have email control, web filtering, and IPS. So, we have Cisco firewalling at all levels for providing the strongest protection policy.

The deployment of Cisco firewalls is very easy so far. We have the security expertise and all the knowledge that we need to deploy them and secure our customers' facilities. Networking and architecture are not really complicated, but you need a well-defined plan before doing implementation and going live.

Based on my 25 years of experience, 100% of our ROI expectations are met with Cisco products. The equipment is strong enough, stable, and well-developed. We have had the equipment running for more than five years without any outages, which leads to lesser costs of operations. There is also a reduction in cost in terms of upgrades or replacements, and this is why the ROI expectations have been met.

With the bundling mode with Duo licensing, it's now better. It's better to have one simplified global licensing mode, and this is what Cisco has done with bundling. The next-generation firewalls include a set of features such as filtering, emails, and IPS. This combination offers the best way for customers to manage their operating expenses.

One way to evaluate Cisco products is by looking at the experience. Gartner provides a good overview of Cisco products based on customer feedback, but the best way is by trying the product. Try-and-buy is a good model. Nowadays, all customers, enterprise service providers, and ISPs, are aware of Cisco solutions. They don't just purchase based on the technical specifications.

As a Cisco partner for over 25 years, we provide value by bringing our experience. We have worked so far with a different range of products, from the oldest Cisco firewall to the newest one, and we continue to promote them through design recommendation, capacity specification, deployment, engineering, high-level design, low-level design, migration, go-live, and maintenance and support. We cover the whole lifecycle of a product.

Our partnership with Cisco is a win-win partnership. Cisco provides us with the latest experiences and latest solutions, and on the other hand, we are doing business with our customers by using Cisco products, so it's a win-win relationship with Cisco, which leads to enhancing, promoting, and excelling in Cisco products. I would tell Cisco product managers to go fast with security platforms. Other vendors are going fast as well, and we need product managers to tackle the performance and capacity issues. It's not really an issue in itself, but it's something that can enhance and bring Cisco to the first place in security solutions.

I'd rate it an eight out of ten. The reason why I didn't give it a ten is that they have to make it better in terms of the capacity and performance for the 10 gig interface, 40 gig interface, and 100 gig interface, and in terms of how many ports and interfaces we have on appliances.

Our main use case for Cisco Secure Firewall is helping clients who want to upgrade from an old firewall and move to a next-generation firewall. We also get a lot of clients who have a next-generation firewall provider, but the firewall is not up to the task. It doesn't have all the feature sets that they need, and Cisco Secure Firewall ticks those boxes.

Cisco Secure Firewall has improved our customers' security posture because it offers Next-Gen features, granularity, and reporting on the back of it. You can see the amount of users accessing Office 365, for example, and whether they're having a good or bad experience. You can see the threats that come into your network. You can see anyone who is compromised from within your network.

If customers already have Cisco solutions such as Cisco ISE, Duo, Umbrella, and Endpoint, Cisco Secure Firewall will integrate well with all of them. Our clients will be able to get more data and automate tasks. They can have Secure Firewall automatically shut things down if a threat is detected.

Without a doubt, the best features are the reporting and analytics. Some vendors provide the same feature set, but their product won't give you the power to figure out what's going on in your network. Whereas with Cisco Secure Firewall, especially with the management platform on top, you can have all of the analytics and see exactly what is going on. You can see not only the source and destination but also the application, the URL, the type of policy it's hitting, the specific rule it's hitting, and the amount of data transferred from it. Apart from that, you get all of the risk reports. You can see how much bad stuff is coming into the network at present and whether there's anything you need to act on immediately. That data is at your fingertips, and it's by far the best feature and the best selling point of Cisco Secure Firewall.

Cisco Secure Firewall has reduced our clients' mean time to repair because they are able to find possible issues quickly. The power of the reporting, the dashboards, and all of the analytics in the background also helps to alert and quickly act on the threat.

My impression of Cisco Talos is that it's well-regarded in the industry. Cisco is so well regarded that we know their security intelligence is up-to-date. Our clients have peace of mind because they have Cisco Talos in the background and know that Cisco Secure Firewall is up-to-date with the latest threats. They can be sure that they're acting on the best available data.

I would like to see more configurable feature parity with Cisco ASA, which is the legacy product that Cisco is moving away from. When configuring remote access VPN, not all of the options are there. You have to download another tool, which means that the configuration takes a little bit longer with Cisco Secure Firewall. Though it's getting there, there are still some features lagging behind.

We've been offering Cisco Secure Firewall since its first iteration 10 years ago.

We are resellers, and the value we add to our customers as resellers is our knowledge. We have 10 years' worth of experience deploying Cisco Secure Firewall. We can deploy it the correct way. We also know whether you would need the management platform, the level of licensing you may require, and the number of VPN licenses you may need. We add value by knowing how the solution should be deployed and installed in a network.

Secure Firewall's stability is good. I think the management platform needs a little bit of work. It's not as robust from a stability point of view. Deployment times of configuration have got better over the years, but there's still some work needed so that it deploys every time when you click that button.

The scalability of Cisco Secure Firewall is really good. That's down to the management platform and the way it structures your access policies, what allows traffic in and what allows traffic out. You can easily add multiple regions, locations, and types of firewalls to the management platform. As soon as you do, they get all of those policies. Previously, you'd have had to configure each one time and time again. With this version, you import it, and it's ready to go. Thus, for scalability it's easy.

Cisco's technical support across all their products is always good and reliable. If someone says they're going to get back to you in four hours, they do. They're always there with the right level of support. If we need a Secure Firewall engineer, that's whom we'll get. We won't get someone who's never seen the product before. As far as vendors go, Cisco's technical support is probably the gold standard. I would rate them at ten out of ten.

Positive

Secure Firewall is more complex to deploy than previous Cisco Firewall products. However, it's not so complex that it's not achievable. There are some products out there that require a lot of reading to be able to deploy them. Cisco Secure Firewall has not reached that level yet, but it is a complex product.

Our clients' Secure Firewall deployment models are edge firewalls, internal firewalls, and, most often, perimeter firewalls. Sometimes, our clients ask us to help them with deployment because we have the experience.

We've used the Cisco Firewall migration tool quite a few times to migrate to Cisco Secure Firewall. It has come on a long way, and it's a lot better than it used to be. When it initially came in, there wasn't as much trust that the tool would give you everything you needed, but where it is now is great. If you've got a firewall that you want to migrate, you'll feel confident using the Cisco Firewall migration tool.

We spend a lot of time developing our consultants and our sales staff to know the product and learn how to sell the product. As a result, our ROI is that we get more clients deploying Cisco Secure Firewall.

The licensing is not as complicated as that for some other Cisco products. There are a couple of tiers of licensing, but the price point is a little too high for the market. There are other vendors that come in lower and offer more for fewer licensing options. They may offer URL filtering or malware filtering with a single license rather than requiring two or three licenses. I think Cisco could do a bit more in this area.

I deal with a lot of other vendors who also offer the same features, but Cisco Secure Firewall stands out on the analytics. It is the best for analytics and getting the reporting data.

If you're a client evaluating Cisco Secure Firewall, my advice would be to put real-world data through it to get useful data out of it. You can't see the benefits of the solution if you just turn it on and look at the device as it is. It's when you see the traffic going through it that you'll see the power of the analytics and reporting and the event data that comes through. A technical team member will understand how much easier it's going to be to troubleshoot with this platform compared to that with any other platform they've had before. With regard to reporting, a report on how many malware attacks have occurred in a particular month takes one click to generate. That data can be stored for a long time.

Overall, I would rate Cisco Secure Firewall an eight out of ten because of the feature parity. It's not quite there in terms of being able to do everything on the GUI platform. The price point is still a bit too high as well.

Our primary use case for Cisco Secure is through Cisco FMC, which we have automated using Cisco's Terraform provider for FMC. Our automation journey began with the Cisco ACI fabric, where we leveraged the Terraform provider for ACI. Eventually, we realized we could also automate firewalls and our HA clusters using the Terraform provider for FMC. This allowed us to create DMZ networks, specify IPS and IDS rules, and follow the infrastructure as a code concept. Our cross-common security team can review the repository in GitLab and approve it with a simple click of a button. This is the primary benefit we get from automation. Additionally, we can use the infrastructure as a code concept with the management center. Cisco FMC also has a great API, which makes it easy to integrate with our code, ACI, and other systems.

Cisco Security and Cisco Firewalls have been effective in protecting our organization from external threats, such as DDoS attacks.

We have several integrations. One of them is between Cisco ISE and FMC, which allows us to monitor and control our users. Additionally, we integrated Cisco ISE with FTDs to function as a remote VPN server and control the traffic and behavior in our VPN network. We also use ISE as a TACAC server and integrated it with Cisco ACI and all of our devices. Furthermore, we use NetBox as a source of truth for our ISE, which helps us track all of our devices from the network and ISE.

The primary benefits of using Cisco Secure solutions are time-saving, a robust API, and convenience for the security team. 

Cisco Secure Firewall could benefit from enhancements in its API, documentation, and automation tools. Additionally, we've noticed that the Terraform provider for FMC has only two stars, few contributors, and hasn't been updated in a year. It only has 15 to 20 resources, which limits our capabilities. We'd love to update it and add more resources. For example, we currently can't create sub-interfaces with the provider, so we have to add Python code to our Terraform provider and use local provisioners. Additionally, improvement in the API would be helpful so that we can create ACL on the GUI with a simple click, but at this time we cannot create requests via the API.

I have used Cisco Secure Firewall within the last 12 months.

Cisco TAC support is excellent. Having worked with other support companies in the past. Cisco TAC is much more helpful and friendly. They always seem eager to assist with any issues and are particularly responsive in urgent situations. For example, if there is a problem in my production zone, they are quick to reassure and assist. Overall, I have a great appreciation for their support.

I rate the support from Cisco Secure a ten out of ten.

Positive

In our business, we have implemented a number of Cisco Secure products in our network infrastructure, including Cisco ISE as a AAA server, Cisco FMC Management Center for our firewalls, and Cisco FTD for Firepower Threat Defenses. We also use a TACACS+ server for our hardware. Cisco products make up the entirety of our infrastructure, including Cisco Nexus Switches, Cisco ACI fabric for our data centers, Cisco ASR Routers, and Cisco Wireless Solutions, which include WLC controllers, access points, and other relevant hardware. In our organization, Cisco is strongly preferred.

There has been a positive return on investment observed with the implementation of Cisco Secure solutions. The use of these solutions as our primary security products has been beneficial in terms of cost and security measures.

In the past, I encountered several difficulties and misunderstandings with Cisco licensing, but now the situation has improved. The Cisco Smart Software portal is an excellent resource for keeping track of, upgrading, and researching information related to Smart Licensing and other relevant topics. It is extremely helpful. Unfortunately, since it is not my money and there is only one vendor, I am unable to provide any comments on the prices. Nevertheless, the system, along with its provision through the Cisco Smart Software portal, as well as the traditional license and subscription models, are excellent and highly beneficial.

I rate Cisco Secure a seven out of ten.

My rating of seven out of ten for the Cisco Secure is because it's not excellent, but not poor either. It was enjoyable and overall satisfactory.