Cisco Secure Firewall Reviews

The fact that it's a full inspection firewall.

In fact there is no relevant improvement, but this is the kind of device that every company must have.

• Recognition of appliances
• UTM features

I've used it for five years.

It was mainly issues regarding the management and VPN setup.

No issues encountered.

No issues encountered.

8/10.

8/10.

We previously used IPtables, and switched because there was a lack of technical support, RMA, etc.

It was an easy initial set-up.

We did it in-house.

No other options were looked at.

• Site-to-site IPsec VPN
• Remote IPsec VPN
• Reverse route injection

Cisco Context gave us the feature of creating a virtual firewall, which is good. It provides us with maximum network isolation. Also impressive is the ISP redundancy.

WCCP, and URLs, in the Cisco ASA Context both need work. When changing from single mode to multiple mode or back, the commands must be done from the command line (CLI) and cannot be done via the ASDM GUI interface. ASA context should be able to support site-to-site VPN, but the current Cisco Context does not support VPN

I've used them for six years.

During the deployment of WCCP, we noted some loopholes like it only supports ports 80 & 443. Application which is running on multiple ports doesn't work with WCCP and to make it work we need to allow respective traffic outside the firewall.

Sometimes there is an issue with the site-to-site VPN.

In certain cases, like an any access-list, if we add a URL the Cisco ASA access-list does not resolve that URL while this can be done in Juniper, and Fortinet.

9/10.

9/10,

I have migrated some set-ups from Cisco to Juniper, but not from Juniper to Cisco.

We have multiple ASA firewalls for different clients now we migrated to Cisco Context.

It was done in-house.

It's 8/10.

If it is for a banking domain, your organisation should use Cisco which can assure better security than any other vendors' products. Also, they have the best documentation, reliability and support.

• Firewall mode
• AnyConnect gateway
• Client-less SSL VPN

The versatility of the product has allowed us to solve a number of perimeter requirements without having to seek out different products or companies for solutions. It has allowed for a single management mechanism, and by having a single platform solution, it has allowed for simpler training.

The configuration/management interface is complex and can be confusing. Technical documentation is often sparse and can be incomplete when covering specific implementations.

I've used Cisco PIX and ASA firewalls since 2003.

Not with the ASAs, with some early version PIX products.

Not with the ASAs, with some early version PIX products.

The ASAs offer several different technologies for HA and we have used all of them successfully.

It's excellent.

Excellent, we have always been able to get the specific expertise needed to solve our challenges with the products.

Checkpoint Firewalls - the primary reason we switched was cost and limited support options.

It's pretty straightforward. I came at these products already having considerable firewall experience.

It was all in-house, as we all had 10 years plus experience when we moved to PIX firewalls and then a few years later we brought in the ASAs.

• Watchguard
• Sonicwall
• Checkpoint

The product line offers tremendous capability. Please look into all of the solutions it can provide for you to maximize your investment.

• Reliability
• Security
• Flexibility
• Functionality
• Availability - controllability anywhere and with different methods

I can tell that when we have started using the Cisco AnyConnect for remote access to business apps it makes the work for remote staff much simpler. It's also easier to provide remote IT support. Aside from this, the security officers can sleep better now.

The ASA is an almost perfect device.

I've used it for two years.

I have had no problems deploying it.

Occasionally, the packet rate falls unexpectedly.

I currently do not need to scale on my network.

9/10 - the regional online support could be better.

10/10.

We use MySQL and Nagios devices alongside the ASA as our network infrastructure needs expanding and required more serious hardware solutions.

When Cisco was installed, it did not go as expected.

It is not simple to calculate for IT hardware. To calculate the ROI for using the ASA, I would need to have a lot of statistics on the quality of services, both before and after.

Cisco ASA 5512-X was bought for $3,000, and a further $1,000 was needed for installation and pre-configuration.

• Fortinet
• Juniper

As a rule, any device upon delivery is obsolete. Pick up the solution for your business, based on your specific needs.

• Network firewall
• FirePOWER services (URL filtering, IPS)

With the new FirePOWER services, Cisco has given the ASA new valuable features like URL filtering and a more simple and efficient IPS. With FirePOWER services, we have been able to have more insight of our network, something that we never had before, now we can see all the applications that our users are using the most and we can see if there is malware on our network.

The FirePOWER defense system has no integration with the firewall management of the ASA, I mean you can’t create ACLS, rules, VPNS NAT, and so on. All of this has to be done with the ASDM which, from my point of view, is very complex if you are not used to it, you should be able to manage the entire solution from one central software like Defense system, but right now you can’t. This is one of the biggest problems I see right now

I've used it for two years.

The FirePOWER deployment has to be done from the management port of the ASA. This port has to be dedicated because all the communication from the defense system to the appliance goes by that port, so you need to have different networks (inside and management port) to be able to implement this feature. It would be nice again if you can just configure this from one single point and not two (defense system and ASDM).

No, I have never had any problems with Cisco equipment regarding stability.

No issues encountered.

8/10.

6/10 - I mean you need luck when you open a case with Cisco to have someone with expertise on the product. I’ve had great TAC experiences and the worst ones too, if you have a loss of service they put you with people that know what they are doing, but if you want to configure something extra and you just ask the TAC how to do it, sometimes you get someone that appears to be learning the solution. Many times, I´ve been able to solve it by myself sooner than the TAC.

We previously used Microsoft ISA and switched because it's no longer supported.

In our case straightforward, because we do not have many rules on our firewall, but I’ve seen cases where the migration from one firewall to another can be very tedious.

We did it in-house.

If you are using Cisco, then you will be very familiar with the product, and maybe you won't encounter any problems at all. However, if Cisco is a new solution, you should ask for a demo to see the interface of the ASDM and the defense system in action, and then decide if this is the kind of insight you need of your network.

VPN - Both site to site (IPsec) and remote access (IPsec and SSL).

Through the use of VPNs, we were able to connect our branches together through the internet without the any additional cost.

• Throughput
• Price

Since 2008, so seven years, and I have been a heavy/daily user, and all of my jobs were related to network security.

No issues encountered.

Sometimes, due to software bugs, but in the long run the ASA is a very stable product when compared to other vendors firewall solutions.

One of the major disadvantages with the ASAs is the throughput, while the network evolves, the ASA was usually causing the bottle neck.

It's very good when compared to other vendors.

It's very good when compared to other vendors.

Mainly switching from the old Cisco PIX to a new Cisco ASA. The reason for switching is to get a higher throughput, and due to the fact the that the Cisco PIX went EoL.

It requires training, but after that it is straight forward.

I work for a vendor, and we implement the solution for multiple customers.

Yes, and we chose Cisco ASA mainly due to the fact that they have a very good, reliable and very responsive technical customer support.

I have worked on the best firewalls in the market, and Cisco ASA is one of the best.

The below screenshots are taken from a demo of ASDM.

With the ASA there are multiple products depending on your needs based on the two generations of the ASA. Roughly split-up there are 4 products.

1. 5500 Series basic/standard firewall - This I would rate as 7/10 due to the fact that it's easy to use, manage and deploy. Its scalable SSL, and IPSec VPN options, and is lacking throughput
2. 5500-X Series basic/standard firewall - This I would rate as 8/10 due to the fact that it's easy to use, manage and deploy. Its scalable SSL, and IPSec VPN options, and it has high throughput
3. ASA5500 Series with firewall and CX - This I would rate as 5/10 due to fact that even though the firewall and VPN part is easy to manage and deploy, the CX is lacking in stability, and features. Also, it is rather complex to deploy. Add to this the CX lowers the throughput even further
4. 5500-X Series with firewall and Sourcefire - This I would rate as 9/10 because it's easy to use, manage and deploy the firewall, VPN, and also the SourceFIRE. SourceFIRE works rather well and is by far the most advanced IPS system available. But it decreases the throughput more than you´d like

In general, I like both the SSL VPN and SourceFIRE. Firstly, for the VPN, both the client and client-less versions are very scalable, flexible, and dynamic in configuration and probably the best SSL VPN solution available in the marked. Secondly, SourceFIRE has improved the IPS functionality and stability of the ASA to a point where you can begin to enjoy the fruits of your solution and root out the bad seed in you network.

For many of my customers, the SourceFIRE solution has been an eye opener of exactly what their users are generating of traffic. Some customers, after reviewing the traffic application usage reports are astounded by the amount of traffic used, for example by Facebook and YouTube. My customers like the visibility into their network usage, and not necessarily wanting to block it, but just to know that they can control the network traffic and utilization if needed.

Definitely the throughput could use an upgrade when running the SourceFIRE/AMP with the ASA. Also, it could use better troubleshooting capabilities. You are, most of the time, bound to have access to TAC for troubleshooting advanced problems.

Customers where I have deployed these solutions have had them for three plus years, and most of them have, at the present moment have first generation solutions, or are planning an upgrade to the second generation ones (NGFW or NGIPS),

There are always issues when implementing key equipment like firewalls, especially if you are converting from an unfamiliar platform, activating SourceFIRE, or doing a general maintenance rule clear-up. If you don’t follow best practice, you can seriously impact network performance or unintentionally shut-down services.

In general the ASA has a great software stability reputation, and even though SourceFIRE for ASA is still young, the stability seems to be rather good. Of course you can’t avoid all issues, and you might have to reinstall the SourceFIRE software on the modules. If you're upgrading the ASA from pre code 8.3, you will need to redo the NAT and access rules of the ASA.

License scalability for SourceFIRE is really not good if you have an ASA in HA as you need two licenses of everything, which is really bad as you wont get double SourceFIRE other than that you need to remember to buy your ASA based on the SourceFIRE's throughput and not the inspection throughput.

If you have a service contract with Cisco you can have TAC assistance, software upgrades and next-business-day RMA (or faster) otherwise you are left to yourself or your Cisco partner. Basically without a Cisco service contract, you can't get any help or software from Cisco.

Should you have a Cisco service contract, you get access to TAC that will provide you technical assistance towards solving your issue. The TAC experience can vary a lot. In general I would rate it as very good, 4/5.

Mainly customers switch from other vendor because of VPN features, ease-of-management, and good consultant/partner relationship.

The initial setup is fairly easy and there are wizards for almost all the basic needs, including the initial setup and all types of VPN technologies that the ASA supports.

I am the vendor, and I am an expert with ASA.

Make sure you get the right product/license to do the job you need done. If you are in doubt ask a consultant or a Cisco Partner. I have seen cases where a firewall wasn't the right hardware for the job and you can't just switch off the firewall/inspector for some interfaces or networks.

• Modular scalability
• High availability
• VPN services

It provided more secure access to the resources of my organization and created a more stable environment for the business activities between us and our partners.

Security through integrated cloud and software based services.

I've used it for two years.

There were a few problems with the interaction between the ASDM client and ASA device.

No issues encountered.

No issues encountered.

10/10.

9/10.

I previously used a Fortinet solution. I switched to Cisco because Fortinet lacked
stability and robust troubleshooting features.

It was complex because I had to put the ASA directly into the production environment.

I implemented the solution in-house.

I also evaluated Juniper and CheckPoint solutions.

You should try it without restraints, and it is worth every penny.