Cisco Secure Firewall Reviews

Cisco ASA's CLI is very effective and fast to configure the firewall and make changes, but monitoring logs and connections can be eye bothering by reading all the line outputs. ASDM, however, have improved the overall ASA configuration from an GUI standpoint. I really enjoy the log monitor where I can see live logs in a more user friendly interface. The down side of ASDM is that it is build with JAVA and that means a lot vulnerabilities and it does not always work with the latest JAVA version and/or patches.

The packet tracer function, which I use the most, have provided me a packet flow through the firewall and see which rule or policy can cause a drop. Also, I can see if my NAT statement is working properly. This has allowed me to quickly troubleshoot potential firewall related issues for my organization.

L7 firewall is a key for the ASA to be competitive in the current and future market place. By integrating with SourceFire, now call FirePower, on the ASA has helped it to get into the next-generation firewall segment.

It blocks all outside to inside traffic and only permits the specific internet traffic from the outside. VPN functionality is very useful, we can create remote access and tunnel VPN in the simplest way.

It blocked all kinds of internet attacks from outside like DOS or DDOS and avoided any down time. We created a remote tunnel from head office to data center network for easy access of servers that make working fast and they are easily manageable.

It would be great if they would add web filtering functionality to this product.

5 years

No

No

No

Excellent

Good

It is a little difficult in newer IOS versions where the use of the NAT command is different. Otherwise its straightforward to configure.

I deployed it in-house with my team.

This solution reduces any downtime therefore business continuity is not disturbed - that is ultimately ROI.

It is one time cost of about $10,000 and there is no day to day cost.

Yes, I evaluated Fortigate, SonicWall and Juniper but found Cisco ASA to be the best solution for us above all of the others.

Cisco ASA is a reliable product and it benefits you a lot in your network.

It's a great solution that amalgamates a firewall and VPN into one device. It also has a well organized GUI- ASDM.

• Easy to setup VPNs
• Firewall ACL
• Easy to modify
• Easy to perform maintenance

The ADSM is incompatible with different versions of Java.

I've used it for six years.

I have issues with some versions of Java and ASDM.

It's high.

It's high.

I used a Cisco 881 router as a firewall and VPN solution. ASA allows conformity and various amounts of functionality in work.

It can be complex, since a lot of CLI commands are different with respect to the CLI of IOS routers.

We implemented ASA without vendor support. For first time implementation, it is good to have someone with ASA experience involved.

Prices could be a little bit lower to make the product more accessible.

NGFW: VPN (IPSec, SSL), NAT (provides great flexibility)

NGIPS: Application visibility, file policies (store files), network discovery, correlation features

SSL decryption for modules. Although I think it is better to separate SSL decryption as a service from the software module since it requires additional hardware, but I think it would be great if there is an option to use the ASA (not the software module) to decrypt the SSL.

Ex: Add a license to decrypt SSL traffic on the ASA itself. The ASA already supports SSL VPN. So if SSL decryption can be integrated that would be nice.

5 years+

Basic setup is easy, but if you need to do some advanced stuff, it can be intuitive, but some things require some kind of tutorial to understand how it can be done. Good thing is that this device is becoming popular and there are many 3rd party free tutorials and guides that can help.

I heard about defect that were encountered by my colleagues, but not something that cannot be fixed using an upgrade.

Clustering is available for ASA with firepower services.

Also for firepower appliances, there is stacking available for some models.

Great support. The engineers know what they are doing.

10/10

No

Well, it is straight forward as long as you understand the components available.

ASA can be configured using the CLI or ASDM.

For the Firepower you will need to use a FireSIGHT as a management solution.

Since you will be using two GUIs, I wouldn't call it straight forward.

The fact that it's a full inspection firewall.

In fact there is no relevant improvement, but this is the kind of device that every company must have.

• Recognition of appliances
• UTM features

I've used it for five years.

It was mainly issues regarding the management and VPN setup.

No issues encountered.

No issues encountered.

8/10.

8/10.

We previously used IPtables, and switched because there was a lack of technical support, RMA, etc.

It was an easy initial set-up.

We did it in-house.

No other options were looked at.

• Site-to-site IPsec VPN
• Remote IPsec VPN
• Reverse route injection

Cisco Context gave us the feature of creating a virtual firewall, which is good. It provides us with maximum network isolation. Also impressive is the ISP redundancy.

WCCP, and URLs, in the Cisco ASA Context both need work. When changing from single mode to multiple mode or back, the commands must be done from the command line (CLI) and cannot be done via the ASDM GUI interface. ASA context should be able to support site-to-site VPN, but the current Cisco Context does not support VPN

I've used them for six years.

During the deployment of WCCP, we noted some loopholes like it only supports ports 80 & 443. Application which is running on multiple ports doesn't work with WCCP and to make it work we need to allow respective traffic outside the firewall.

Sometimes there is an issue with the site-to-site VPN.

In certain cases, like an any access-list, if we add a URL the Cisco ASA access-list does not resolve that URL while this can be done in Juniper, and Fortinet.

9/10.

9/10,

I have migrated some set-ups from Cisco to Juniper, but not from Juniper to Cisco.

We have multiple ASA firewalls for different clients now we migrated to Cisco Context.

It was done in-house.

It's 8/10.

If it is for a banking domain, your organisation should use Cisco which can assure better security than any other vendors' products. Also, they have the best documentation, reliability and support.

• Firewall mode
• AnyConnect gateway
• Client-less SSL VPN

The versatility of the product has allowed us to solve a number of perimeter requirements without having to seek out different products or companies for solutions. It has allowed for a single management mechanism, and by having a single platform solution, it has allowed for simpler training.

The configuration/management interface is complex and can be confusing. Technical documentation is often sparse and can be incomplete when covering specific implementations.

I've used Cisco PIX and ASA firewalls since 2003.

Not with the ASAs, with some early version PIX products.

Not with the ASAs, with some early version PIX products.

The ASAs offer several different technologies for HA and we have used all of them successfully.

It's excellent.

Excellent, we have always been able to get the specific expertise needed to solve our challenges with the products.

Checkpoint Firewalls - the primary reason we switched was cost and limited support options.

It's pretty straightforward. I came at these products already having considerable firewall experience.

It was all in-house, as we all had 10 years plus experience when we moved to PIX firewalls and then a few years later we brought in the ASAs.

• Watchguard
• Sonicwall
• Checkpoint

The product line offers tremendous capability. Please look into all of the solutions it can provide for you to maximize your investment.

• Reliability
• Security
• Flexibility
• Functionality
• Availability - controllability anywhere and with different methods

I can tell that when we have started using the Cisco AnyConnect for remote access to business apps it makes the work for remote staff much simpler. It's also easier to provide remote IT support. Aside from this, the security officers can sleep better now.

The ASA is an almost perfect device.

I've used it for two years.

I have had no problems deploying it.

Occasionally, the packet rate falls unexpectedly.

I currently do not need to scale on my network.

9/10 - the regional online support could be better.

10/10.

We use MySQL and Nagios devices alongside the ASA as our network infrastructure needs expanding and required more serious hardware solutions.

When Cisco was installed, it did not go as expected.

It is not simple to calculate for IT hardware. To calculate the ROI for using the ASA, I would need to have a lot of statistics on the quality of services, both before and after.

Cisco ASA 5512-X was bought for $3,000, and a further $1,000 was needed for installation and pre-configuration.

• Fortinet
• Juniper

As a rule, any device upon delivery is obsolete. Pick up the solution for your business, based on your specific needs.