Cisco Secure Firewall Reviews

The ability to intercept unwanted traffic, and prevent attacks without interrupting everyday work, and the stability of this product are the key functionalities in our deployment.

This product, and our implementation, are not directly correlated with the core business of our company. It is designed to protect our company from outside threats and reduce impact on other network elements, such as the backend firewall, DMZ zone and VPN concentrators.

Cisco ASA lacks some functionalities, when compared with other vendors’ products. Cisco need to implement some more functionalities, like client-less VPN (HTML5), but I expect that Cisco will continue to add, and improve, features of the product. One of the features that should be improved is the URL filtering engine, as currently it has limited functionality. For full functionality, you will need an external URL filtering server, like Websense.

We have used it for more than five years, and have implemented it for perimeter network protection. It is designed for basic network protection for our corporate environment.

No issues during the deployment, as we had good planning.

No issues with stability. The device is designed for hard work 24/7. I never have a lack of resources like RAM or CPU. The only reason I need to restart the device is during a software upgrade.

In our deployment, we did not have a scalability issue.

It is very high.

We did not have any technical problems with this product, so we have not had need of technical support

We implemented ASA after a complete redesign of our network, and we believe that Cisco ASA is the right solution for our needs.

The initial setup is straightforward, as there is a lot of documentation available on the Cisco site, and other sites, which makes planning and deployment pass without any problems. However, the ASA is a complex device, with a lot of features and further tuning is complex and you must have the right knowledge to do it. Configuration can be done through a Java based application called ASDM or through the CLI interface. Using ASDM is much more simple and easy, but ASDM is not compatible with the newer Java version, so before implementation you must read the compatibility notes. Also, keep in mind that when upgrading ASA software, you must also upgrade the ASDM package.

Initial implementation was through a vendor. I would rate their experience and expertise as 9/10.

Calculating the ROI for network security or IT security is complex and dependent on many factors, like the implementation, role, expectation etc. IT security cannot be compromised, but on the other hand, we must ask how much is enough. In our case, we do not have a defined ROI for this product.

The cost of the setup was only the product price, local vendor support for the implementation, and employee training. This product is set it and forget it, so we do not have day to day costs.

We did not evaluate other products. One reason was that we believe that the ASA is a reliable product and fits our needs. Another reason, was the lack of local support for other solutions.

Unfortunately, the ASA 5500 is EoS and EoL, and I hope that Cisco’s NGF 5500-X series will be a worthy successor. This does not mean that Cisco will stop software support and will continue to release new software versions with new and improved features for the ASA 5500 series.

As with any other product, the main things for a successful implementation are to decide what you want to achieve, and what your main goal is, and then, you need good planning, not only for your current needs, but you also need to keep in mind further grow and needs. Good planning is, at least, 80% of successful implementation.

It has very advanced security features including FirePOWER threat management, which is the most valuable, but also URL filtering, FireSIGHT, and advanced malware protection.

The cost of this product should be reconsidered.

I've used it for almost a year.

So far, I have found this model very smooth.

We had a slight issue with IPS, as the signature update was, sometimes, getting stuck.

I believe this product is very scalable with our current needs and requirements.

Yes, I used a normal model of Cisco ASA and found it a  very successful experience. Therefore we have it to a more advanced ASA box for improved, and more advanced, security management.

Cisco implementations are always very straightforward.

Evaluation is mandatory in IT, and we have found this device has better features and reliability when compared to other products.

I would suggest implementing this product ascand has advanced security features.

• Stateful inspection
• CLI of the firewall

It has increased the security and works best for VPN users.

The product has been introduced with UTM i.e. FirePower, and I would like to use it and comment on it.

I've used it for three years.

Encountered IOS related bugs in later versions.

No issues encountered.

No issues encountered.

10/10.

It depends on the support contract that you have.

I previously used CheckPoint, and switched because of the UTM features.

It was straightforward.

I implemented it myself.

I think evaluated other options with reference to our architecture.

You should analyze the current setup and implement it as per the customers' requirement.

• Scalability
• Debugging messages
• Context modes

Context modes as this means there is no need to buy additional firewall for different customers.

IPS, IDS, anti-virus etc. should be added to IOS instead of separate cards.

I've used it for three years.

No issues encountered.

No issues encountered.

No issues encountered.

Dedicated experts are available in support contract with Cisco.

100% skilled engineers with knowledge are available 24/7.

It is straightforward.

We implemented it in-house.

It is £2,000 to set up, and the running costs, depend on the customers' issue(s) or tickets raised.

• Juniper
• FortiGate

Its a nice professional product with lots of scalability. Easy to troubleshoot and there is tool called PACKET TRACER which simulates the packet and it will tell you whether a packet is allowed inbound or outbound for testing purposes.

• VPN
• ASDM configuration

For FirePOWER:

• IPS
• AMP
• URL filtering

It's pretty easy to connect between different branches using site to site VPN.

Cost, it's very expensive. To migrate from a Cisco ASA 5550 and not drop in performance, you have to go to a Cisco ASA 5555-X with FirePOWER. To fully use the Cisco FirePOWER IPS, AMP and URL filtering, you are forced to (MUST) buy the Cisco FireSIGHT management centre. You also have to buy licensing for Cisco AnyConnect VPN client

I've been using it since October 2004, so for 10 years.

Due to the cost, I am still waiting for more funds to deploy the final phase, FirePOWER IPS, AMP and URL filtering.

Cisco did an upgrade from v8.2 to v8.3 of the migration system. NAT configuration is different from 8.2 to 8.3. It's not easy to upgrade to 8.3 and above leading to running different software versions.

V8.2 is very stable. With the latest versions it's still early to tell.

Upgrading from v8.2 to v8.3 is a nightmare. The risks of down time are so high that I am forced to run different versions. Stay with 8.2 on all NAT dependent on your ASA, but again it's all about the cost.

Excellent customer service. Cisco listens to their customers.

Excellent customer service and documentation.

We previously used Checkpoint, and I switched because Checkpoint was expensive but now it looks like Cisco is following the same route.

It was not that complex because I was using Cisco routers and switches five years prior.

It was an in-house implementation.

I can't tell right now as I am still investing.

The initial investment on the Cisco ASAs was around one million South African Rand and there's a R200,000 annual maintenance cost with Cisco's partners.

No. I went straight to Cisco because of my experience with their CUCM IPT solutions, routers and switches.

Budget a lot of money, especially on the initial setup and the annual licensing and maintenance cost.

• Content filtering
• VPN features
• User interface is also very friendly

Users can VPN into the network from remote locations. It has given us a very robust and well firewalled LAN, that we use for authentication as well for our core network infrastructure.

I've used it for seven years.

No issues encountered.

It's a very stable product.

No issues encountered.

It's good.

It's good.

No previous solution was used.

It was a straightforward setup.

Implementation was in-house as we have Cisco experts.

The initial cost was approximately $6,000.

No other products were evaluated.

ASA is a very reliable product and I have been using it since I cam across it. I strongly recommend the use of the product

The features that we use are:

• The stateful firewall
• VPN with AnyConnect
• Site-to-site IPSEC solutions
• High availability

The ASA gives us a secure appliance at the perimeter and allows us to provide VPN connectivity to our users. We have the ability to control our VPN users as well as use two-factor authentication if needed (using an outside Radius source).

The ASA has room for improvement in the areas of layers four through seven. I would love to see application specific control, e.g.Facebook, Gmail, etc.

I have used this solution for five years.

No issues with the deployment of the ASA as long as you are using it for what it is intended for.

No issues encountered.

As long as you buy the correct model for your company, in regards to throughput, licenses etc., you will be fine.

8/10.

8/10.

I believe it is straightforward, but again it depends on what you are trying to accomplish.