Cisco Secure Firewall Reviews

Our primary use cases for FTD are IPS, intrusion detection, and to get visibility into the network and the traffic that is going on in some sites. We always have them in-line, meaning that they're between two networking connections, and we analyze the traffic for the purposes of internal detection.

In production, from the FTD line, we mostly have 2110s and 2130s because we have a lot of small sites, and we are starting to put in some 4110s. We only have FirePOWER here, but we don't use them most of the time as next-gen firewalls but more as an IPS.

Everything is on-premises. We don't use public clouds for security reasons.

When you put FTD between your internet and network units, you can get valuable insights about your encrypted traffic on the web, DNS traffic, and the like. It gives us statistics up to Layer 7.

Although I can't go into the details, the way the solution has helped our organization is more on the root-cause side when there is an incident, because we get very detailed information.

FTD's ability to provide visibility into threats is very good, if the traffic is clear. Like most companies, we have the issue that there is more and more encrypted traffic. That's why we use Stealthwatch instead, because we can get more information about encrypted traffic. But FTD is pretty good. It gives us a lot of details.

We put them in in-line and in blocking mode and they have stopped some weird things automatically. They help save time every day. We have 150,000 people all over the world, and there are times when computers get infected. It helps save time because those infections don't propagate over the network.

The fact that we can centrally manage clients for our IPS, and that we can reuse what we type for one IPS or one firewall, makes it easy to expand that to multiple sites and multiple devices. Overall, it has been a great improvement.

The IPS, as well as the malware features, are the two things that we use the most and they're very valuable.

Cisco Talos is also very good. I had the chance to meet them at Cisco Live and during the Talos Threat Research Summit. I don't know if they are the leader in the threat intelligence field but they are very competent. They are also very good at explaining complicated things easily. We use all of their blacklist, threat intelligence, and malware stuff on our FTDs. We also use the website from Talos where you can get web reputation and IP reputation.

For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending on what we activate. If we activate too many intrusion policies, it affects the CPU. We have great hopes for the next version. We have integrated Snort 3.0, the new Snort, because it includes multi-threading. I hope we will get better performance with that.

The stability depends on the version. The latest versions are pretty good. Most of the time, we wait for one or two minor version updates before using the new major version because the major versions go through a lot of changes and are still a bit unstable. For example, if you take 6.3, it started to be pretty stable with 6.3.03 or 6.3.04.

Scalability depends on the site. At some sites we have ten people while at others we have a data center with a full 10 Gig for all the group. We have had one issue. When there are a lot of small packets — for example, when our IPS is in front of a log server or the SNMP servers — sometimes we have issues, but only when we get a peak of small packets.

We've got a little history with tech support. We have very good knowledge within our team about the product now. We have a lab here in Montreal where we test and assess all the new versions and the devices. Sometimes we try to bypass level-one tech support because they are not of help. Now, we've have someone dedicated to work with us on complex issues. We use them a lot for RMAs to return defective products.

In our company, we have used another firewall which we developed based on FreeBSD.

I, personally, used to work with Juniper, Check Point, and Fortinet. I used Fortinet a lot in the past. If you use the device only for pure firewall, up to Layer 4, not as an application or next-gen firewall, Fortinet is a good and cheaper option. But when it comes to a UTM or next-gen, Cisco is better, in my opinion. FortiGate can do everything, but I'm not sure they do any one thing well. At least with Cisco, when you use the IPS feature, it's very good.

Setting up an FTD is a bit more complex with the new FTD line. They integrated the FXOS, but the OS is still not fully integrated. If you want to be able to fully manage the device, you still need to use two IP addresses: One for FXOS and one for the software. It's complicating things for the 4110 to have to, on the one hand manage the chassis and the hardware on one, and on the other hand to manage the logical device and the software from another one.

But overall, if you take them separately, it's pretty easy to set up and to manage.

The time it takes to deploy one really depends. I had to deploy one in Singapore and access the console remotely. But most of the time, once I get my hands on it, it can be very quick because we have central management with FMC. Setting up the basic configuration is quick. After that, you have to push the configuration that you use for your group IPS and that's it. My experience is a bit different because I lose time trying to get my hands on it since I'm on the other side of the world. But when I get access to it, it's pretty easy to deploy. We have about 62 of them in production, so we have a standard for how we implement them and how we manage them.

We have Professional Services and consultants who work with us on projects, but not for the deployment. We have our own data centers and our own engineers who are trained to do it. We give them the instructions so we don't need Cisco help for deployment. We have help from Cisco only for complex projects. In our case, it requires two people for deployment, one who will do the configuration of the device, and one who is physically in the data center to set up the cables into the device. But that type of setup is particular to our situation because we have data centers all around the world.

For maintenance, we have a team of a dozen people, which is based in India. They work in shifts, but they don't only work on the FTDs. They work on all the security devices. FTD is only a part of their responsibilities. Potentially we can be protecting 140,000 people, meaning all the employees who work on the internal network. But mostly, we work for international internal people, which would be roughly 12,000 people. But there are only three people on my team who are operators.

ROI is a difficult question. We have never done the calculations, but I would say we see ROI because of some security concerns we stopped.

Cisco changed its price model with the new FTD line, where the appliances are a bit cheaper but the licensing is a bit more expensive. But that's not only Cisco, a lot of suppliers are doing that. I don't remember a lot of the licensing for Fortinet and Check Point, but Cisco's pricing is high, at times, for what they provide.

FTD is pretty good. You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license. It's pretty good to have the Cisco and Talos teams working closely. I know Palo Alto has an similar arrangement, but not a lot of suppliers get that chance.

Our organization's security implementation is pretty mature because we try to avoid the false positives and we try to do remediation. We try to put threat intelligence over a link to our IPS next-gen firewalls.

Overall, we have too many tools for security in our organization — around a dozen. It's very complicated to integrate all of them. What we have done is to try to use the Elastic Assist Pack over all of them, as a main point of centralization of log information. The number of tools also affects training of teams. There are issues because one tool can't communicate with the another one. It can be very hard, in terms of technical issues and training time, to have everybody using all these processes.

We also use Cisco Stealthwatch, although not directly with the FTD, but we hope to make them work together. There is not enough integration between the two products.

Overall, FTD is one part of our security strategy. I wouldn't rely only on it because we've got more and more issues coming from the endpoints. It lets you decipher everything but sometimes it is very complicated. We try to use a mix and not rely only on the FTDs. But for sure it's great when you've got a large network, to give you some visibility into your traffic.

I rate it at eight out of ten because it's pretty good technology and pretty good at stopping threats, but it still needs some improvement in the management of the new FTD line and in performance.

For companies prioritizing security, the optimal choice is one that offers a range of feeds to cater to diverse needs. This is particularly crucial for organizations implementing DDoS mitigation. The preferred solutions typically align with the top server vendors, with Cisco, Forti, and Barracuda consistently ranking among the top three vendors we collaborate with.

It's not unexpected, but it's a common scenario where customers request dual layers of security. For instance, when dealing with regulatory compliance, especially in financial sectors regulated by entities like the Central Bank, having two distinct units is often mandated. If a client predominantly uses a solution like Palo Alto, they may need to incorporate another vendor such as Cisco or Forti. Importantly, there's a significant disparity in interfaces and management platforms between these vendors, necessitating careful consideration when integrating them into the overall security architecture.

I have been using Cisco Secure Firewall for the past ten years. 

The solution is extremely scalable and based on my experience, I would rate it 7 out of 10.

Cisco is a well-established company, and it offers accessible support, both locally and through online resources. The abundance of information makes it easy to find the necessary details and assistance.

Positive

The implementation timeline for our firewall is contingent on the readiness of the policy. If the policy is prepared, the deployment can occur within a day. However, if the policy is not finalized, a brief meeting is convened to gather the necessary data for rule establishment. Once the information is ready, the implementation on VMware proceeds. Notably, there is a requisite waiting period, such as fine-tuning for optimal rule configuration, as each customer has unique requirements. It's crucial to tailor the rules to fit the specific needs of each customer, as there is no one-size-fits-all best practice in this context.

It is extremely expensive compared to its competitors and I would rate it 2 out of 10. 

I would recommend this solution and rate it 8 out of 10.

We mainly use it for ICS security.

We definitely feel more secure. We have more control over things going in and out of our network.

Cybersecurity has been our top priority because of the last few attacks on our peers in the oil and gas industry.

The IPS solution helps us to not only navigate north-south traffic, but also east-west traffic.

Third-party integrations could be improved.

Not everything works out-of-the-box. Sometimes, you have to customize it to your needs. 

I have been using it for two years.

It is stable for the most part.

There is maintenance needed for software, firmware, and updates. Three or four people keep up with the updates, etc. 

It is pretty scalable. We can add as many devices as we want.

The technical support is good. I would rate them as 10 out of 10.

Positive

We previously had a different platform. We wanted to converge multiple platforms into one.

I switched companies. So, I have more experience with Palo Alto.

We saw immediate benefits after deployment from having more control and visibility.

Pretty much everything is included in the price for what we are using.

We looked at Check Point, Palo Alto, Fortinet, and a bunch of others. The management and support for the CIsco product is better.

Listen to your customers and see what their needs are.

The whole stack provided by Cisco is a holistic solution for cybersecurity experts, like myself, and companies who are looking to secure their network.

You should partner up with a good team to view all products available, which cater and are customized to your needs.

We haven't found any gaps where it is lacking.

I would rate this product as eight or nine out of 10.

We are using it for border firewalls, VPN access, and site-to-site VPN tunnels.

It is deployed at a single location with about 2,500 users.

So far, the remote VPN access has been a perfect solution for our company.

The user interface is a little clunky and difficult to work with. Some things aren't as easy as they should be.

I have been using it for five years.

So far, it has been very stable.

It does require maintenance. There is a team of two who manage it.

We haven't scaled it much at this point.

The technical support has been good so far. I would rate them as eight out of 10.

Positive

The VPN solution works much better than our previous solutions.

We previously used Palo Alto. The switch was driven by Cisco's pitch.

It was fairly straightforward. We stood it up side by side with our nesting firewalls. We did some testing during an outage window, then migrated it over.

We used a partner, CDW, to help us with the deployment. Our experience with CDW was good.

Internally, it was just me for the deployment.

The pricing seems fair. It is above average.

Take the time to really learn it, then it becomes a lot easier to use.

I would rate the solution as eight out of 10.

We primarily use it as a corporate, perimeter firewall for traffic to the internet and back, for surfing. We also have some site-to-site connections with customers.

So far, there hasn't been any breach, so we are very happy.

It has also helped to reduce the operational costs of our firewall. There is a report that is automatically generated. You don't have to search for and prepare everything by yourself. You don't need staff to prepare the information because it is automated. We only go through this report once a week and if there are some special events, we can take care of them.

The next-generation features, like IPS, among others, are the most valuable. IPS is mandatory in modern networks for protection against malicious attacks and network anomalies.

Also, it gives you great visibility when doing deep packet inspection, but you have to do HTTP inspection. If you don't do HTTP inspection, the visibility is not complete. That is the case for every firewall vendor.

The ease of use, when it comes to managing Cisco Firepower NGFW Firewalls, is getting better because the UI is improving. It was a bit cumbersome in previous versions. Checkpoint, for example, has one of the most intuitive user interfaces, and now Cisco is really improving.

The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Checkpoint has a very detailed user interface. Cisco is getting better and becoming more and more user-friendly.

Cisco needs a more intuitive user interface. When you know what to do, it's easy. Otherwise, you need training. You can install it and do the initial configuration, but if you don't have the proper training it's also possible to configure it the wrong way. If that happens, some things might pass through that you don't know about.

We have been using Cisco Secure Firewall for about five years, from the beginning of the Cisco Firepower 2100 Series.

We were on version 6.2.2 but now we're up to version 7.7.0, and it has really improved. It was not hard to implement but there were many bugs in the earlier version and some were serious, but now it's stable. There are no more bugs. It's really getting better. I would recommend Firepower to every customer now because it's stable. It's a really nice firewall.

The model we have is okay for our environment, so it's scalable. We haven't seen any problems in that regard. There are 50 or 60 devices behind it and about 500 clients. It is used in a very specific environment for a large Slovenian system.

The device has achieved its purpose. We won't implement any other features.

Cisco support is the best, especially if you compare it to other vendors. Cisco may be a bit expensive compared to other vendors, but the support is really good. When you open a case they're really responsive and they resolve every case. This is my personal experience, not only when it comes to Firepower but for the whole Cisco portfolio, which I have been working with since 2005.

Positive

The initial configuration was done within a few hours, but getting all the policies in place took about a month. That was not related to the firewall, it was related to all the requirements from management and from other people as well. But the configuration to get it set up initially was straightforward, nothing special.

My colleagues and I did the deployment. We are an internal team. We are integrators, so we were able to do it by ourselves.

When it comes to XDR, the cost-effectiveness of this firewall depends on the use case because you don't always need XDR functionality. SecureX is included free of charge, so from that point of view, maybe Cisco is not that expensive compared to other vendors.  Other vendors' XDR products are not free of charge. 

But if you just look at just the firewall functionality, Checkpoint is expensive but Cisco is not the cheapest. Fortinet is cheaper.

Where we have seen ROI is due to the support, time savings, ease of management, and the reporting.

Aside from the user interface, which is getting better, Cisco is at the top for functionality and in all other respects. We work with Fortinet, Checkpoint, and we used to work with Juniper, in addition to Cisco.

With Cisco, there are a lot of features such as the network map. Cisco builds the whole network map of the machines you have behind your firewall and gives you insight into the vulnerabilities and attributes that the host has. Checkpoint and Fortinet don't have that functionality directly on the firewall. They don't give you that direct visibility into the host, such as which operating the host has.

We don't work with Juniper anymore because its user interface is really not okay. You only have the CLI or you have to use Security Director for management, which is very complex and not user-friendly. That is why we abandoned Juniper as a product.

I would rate Cisco at eight out of 10 overall, and Check Point would be a seven. Check Point fields a great solution in this space, but they have very bad support, and support is one of the most important things. Having great blogs doesn't help if support doesn't come through when you need it.

Cisco ASA has a well-written command-line interface. Cisco’s AnyConnect SSL VPN is by far the best client VPN technology I’ve ever had to deploy and manage. Upgrades are a breeze. Failovers between units are flawless. FirePower add-ons deepen security with intrusion prevention (IPS), anti-malware protection (AMP), and URL filtering. These particular services can run as a hardware or software module within the ASA. Unlike ASA with CSM, these modules are managed by FireSight, a single pane for all of your FirePower nodes. It’s intuitive and easy to use, but still lacks some automation capabilities (e.g., bulk edits, etc.).

Cisco is a huge name in the networking world. Having a solution that includes their firewall technology adds value from an operability and support perspective. Cisco, although sometimes considered to be "behind the times" with firewall technology, continues to prove it has momentum in the industry through acquisitions such as Sourcefire and OpenDNS, with rapid integration into their systems. Additionally, ASA is synergistic with other security offerings from Cisco, such as ISE, remote tele-office workers, etc.

When running multiple firewalls in your network, you need someone to manage them from a central point. Cisco’s answer is Cisco Security Manager (CSM). Unfortunately, this is a suite of applications that is in much need of an overhaul. It is riddled with bugs and lacks the intuitive experience found in competing vendor offerings. The counter-intuitive interface makes configuration management cumbersome and prone to mistakes. There are software defects within certain modules of the application, resulting in a frustrating experience. Reporting is almost useless. The best part about it is the logging component, but it still is lacking, compared to what you get from other competing vendors.

Aside from management, I think Cisco needs to become more application-focused, something that a few of their competitors shine in.

I've deployed and managed Cisco ASA's for over a decade. I've used the X-series models for about three years now.

I have not encountered any stability issues; this is a solid firewall platform. Stability is where it shines.

The newer clustering capabilities have introduced some solid scalability design options. From a cost perspective, scalability is quite intimidating.

Cisco's TAC engineers are competent, responsive and typically resolve issues in a timely fashion. Do not use them for "best practice"; this is what channel partners are for.

I previously used Check Point. Check Point relied on a thick, Windows-based client and, at the time, did not support transparent contexts. However, Check Point has a solid management platform, which is something Cisco should take some pointers from.

Initial setup is complex for a new user, straightforward for a seasoned user. Tons of documentation is available, but you can easily get lost for days if you've never touched one. Cisco offers ASDM, a GUI wizard that can help set up the firewalls. This is nice for newer folks.

Work very closely with your channel partners to verify you have all the licensing you need (VPN, Firepower, etc.). Pricing is always a challenge. Buy closer to Cisco's EOY and you might save a few bucks.

Before choosing this product, I also evaluated Palo Alto. I really liked their firewall platform, their Panorama management platform, and wildfire technology. Their SSL VPN was seriously lacking. This is a decent option to consider as well.

Read the Cisco Validated Designs (CVDs) regarding ASAs. Find some decent blogs, discuss topologies and scenarios with a seasoned engineer, and get your final design validated by Cisco. Your Cisco SE should be able to assist with this. If you need assistance implementing, work with your channel partner.

We mostly use Cisco Secure Firewall as a VPN concentrator and for its firewall features.

Using Cisco Secure Firewall has helped grow our familiarity with people that know Cisco.

The most valuable feature of Cisco Secure Firewall is its ease of configuration and that it's scalable for firewalls and VPNs.

Changes you make in the GUI sometimes do not reflect in the command line and vice versa.

We have been using the solution since its inception, so, for many years now.

We did not have any stability issues with Cisco Secure Firewall.

We did not see any limitations with Cisco Secure Firewall’s scalability.

We also use Aruba in our organization. We never have to factor in extra development time when we go to a new major version of Cisco. With Aruba, we have a pretty drawn-out development timeline for any upgrades or software improvements. Aruba and Cisco Secure Firewall are very different in their implementation and development.

The initial setup of the Cisco Secure Firewall is very straightforward. The average time it took to deploy the solution was very short. Deploying the VM and automating our configurations took a couple of minutes.

Cisco smart licensing is a hassle for a disconnected environment. However, I haven't licensed anything in a while. There have been many changes, making it easier to license disconnected devices connected to the internet.

ASAv uses the solution as a VPN concentrator and a firewall because it could be used for both. It can be used for landing AnyConnect clients on ASAv and as a firewall.

What sets Cisco Firewall apart from other products is that when we do an update, we know we're not going to break a lot of things, and there are not a lot of bugs. The integration on the Cisco side is pretty good.

Most of our team is familiar with Cisco, and everyone knows what to expect when they log in. So it's easy in that way.

I like the application visibility and control with Cisco Secure Firewall. My only complaint is that the changes made in the GUI sometimes do not reflect in the command line.

I haven't had any problems with Cisco Secure Firewall. It's very straightforward and reliable. Also, it's trustworthy because it has the Cisco name.

Cisco Secure Firewall has helped free up our IT staff for other projects. The product is quite heavy into automation. So with it being Cisco, it is very scalable in generating configs. The solution saves a week or two for implementation and integration.

Cisco Secure Firewall has helped our organization improve its cybersecurity resilience through the reliability aspect.

You know what you're getting when you use an ASAv from Cisco. Cisco Secure Firewall is a great product in terms of reliability and scalability.

Overall, I rate Cisco Secure Firewall ten out of ten.

I'm a design consultant. We primarily use the product to secure various client networks, major infrastructure, highways, and urban surveillance.

The solution is pretty easy to deploy. It is pretty ubiquitous too, so it is easy to get. It pretty much does the job we need it to do.

I would like to see an IE version of the solution where it is ruggedized. Most of what we do is infrastructure based on highways. Now that the product has a hardened switch, the only thing left in our hubs that isn't hardened is probably the firewall. It would be nice to pull the air conditioners out of the hubs.

I have been using the solution for 20 years.

I've never had a stability problem with firewalls.

The solution seems to be very scalable. I probably don't have much experience with scalability because, by the nature of how our networks work, we don't scale them; we just add another one.

Support is very good. I've never had a problem with any form of support.

Positive

I used only a couple of other products over the years due to client preference. In general, Cisco Secure Firewall is easier to deploy mostly because of the depth of personnel trained in it. Every other product seems to be a niche thing that two people know, but Cisco once again seems ubiquitous throughout the industry. Our customers choose Cisco for various reasons, from cost to a preference for Cisco. It meets the task that they need to meet. It's really the spectrum.

The deployment is pretty straightforward. It's the same as deploying any other Cisco equipment. If you know what you're doing, it's not a huge deal.

I believe our clients have seen an ROI. Their networks are more secure. Various agencies have tested a few of them to prove it, and they've proven okay. Since they weren't attacked, they have received an ROI.

The licensing is not so bad. The solution’s pricing could be lower. It's not horrible, though.

The application visibility and control are pretty good. It seems to do everything we've ever needed it to do. I've never asked the product to do something that it couldn't do. The solution has been pretty successful at securing our infrastructure from end to end. Most of our client’s staff have reported that the product is not as maintenance intensive as they would like. They never had to deal with maintenance before, but now they do. We deploy new systems for our clients.

I haven't had much experience with Cisco Talos directly. I know it's there, but I haven't really been involved. I haven't experienced it, which I believe is a good thing. It's doing its job if I don't have to get involved with it. The product has definitely helped improve our organization’s cybersecurity resilience. We weren't secure at all before, and we are a known target since we’re based in infrastructure. The solution has been very helpful in providing security.

It is a good product. I would definitely look into it. There is great value in going to a partner to a reseller to deploy the product. They understand the equipment and have expertise. Normally, they're local, so local knowledge is always useful. They have done deployments before, so sometimes they know tips or tricks that aren't in the manuals.

People evaluating the solution should give it a look. Definitely, it is worth taking a look at it.

Overall, I rate the product a nine out of ten.