Cisco ASA Firewall Review

It makes the discovery of applications and classification of user traffic simple but I'd like to see a roadmap for SSL decryption.

What is most valuable?

I'm most impressed with the visibility and control SourceFire solutions provide in to the types of traffic flowing in and out of an environment. It makes the discovery of applications and classification of user traffic simple, which in turn allows an organization to more effectively develop security policies and enforce acceptable use for its enterprise users.

How has it helped my organization?

I've worked with customers that have dealt with malware issues in the past and preventing its spread laterally within the environment has always been a concern. With SourceFire, we've been able to detect malicious files and stop them at the network edge before internal systems are compromised. Leveraging AMP in addition to FireAMP, which is the endpoint malware solution, is incredibly effective at blocking malware at the host level.The other good news is FireAMP can be leveraged along side traditional endpoint anti-virus software. The Defense Center also provides visibility into how malware is moving within the environment so tracking down infected machines becomes much easier for IT staff.

What needs improvement?

The overall product line is sound, but I'd like to see a roadmap for SSL decryption as part of the ASA with FirePOWER solution.

For how long have I used the solution?

I've been working with SourceFire product offerings since Cisco's acquisition of the company in late 2014. Prior to the officially branded Cisco solution, I'd worked with open source Snort in various capacities for several years. I've been using Cisco ASA with FirePOWER services, Cisco SourceFire NGIPS/NGFW most recently.

What was my experience with deployment of the solution?

Learning the advanced capabilities of the system can take time, but it's rather intuitive. I have not encountered issues deploying base functionality with the offerings at this point.

What do I think about the stability of the solution?

Overall, the systems are stable and IT admins have control in to how the sensors operate within the network in the event of failure.

What do I think about the scalability of the solution?

There are scalability limitations with FirePOWER on the ASA, so determining anticipated throughput requirements is critical. The standalone IPS sensors can be stacked for increased throughput, so depending on your organizations needs, this may be a better path for some organizations concerned about scalability.

How are customer service and technical support?

Customer Service:


Technical Support:


Which solution did I use previously and why did I switch?

I've used Palo Alto's FW/IPS offerings and Cisco's older IPS platform on the ASA. Usually, I don't decide what organizations purchase, but I am impressed with SourceFire's capabilities over the latter.

How was the initial setup?

Initial set up is straight forward, but there is not much documentation available if you have no experience with the offering. I'd recommend training for all network admins that administer SourceFire systems, especially if you want to leverage some of the advanced features.

What other advice do I have?

Do research in to the types of offerings out there and make a determination of what may be the best fit for your organizations requirements and future security goals.

**Disclosure: My company has a business relationship with this vendor other than being a customer: The company I work for is partners with many tech vendors
More Cisco ASA Firewall reviews from users
...who work at a Financial Services Firm
...who compared it with Fortinet FortiGate
Learn what your peers think about Cisco ASA Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2021.
474,857 professionals have used our research since 2012.
Add a Comment

author avatarChris Gurley (Rubrik)
Top ReviewerVendor

Hey Nick, regarding your room for improvement, as I understand it, the SSL Decryption feature seems to be a resource limitation within the integrated module deployment. The Series 3 hardware required for it likely provides the necessary compute power for the CPU-intensive decryption, inspection, and re-encryption.

It's actually for this exact reason that we are seeking to move our newly deployed FirePOWER Services out of the ASA and into a 7000-family appliance. You can see my soon-to-be-posted review for more info on the limitations I've discovered thus far. Thanks for sharing your take!

author avatarit_user383757 (User)

Hey All,
I am using frotinet porduct for more than 10 years, I am studying to move to Cisco ASA5516 with source power, I would like to know how is it stable against fortigate FG300D

Fortigate firewall throughput numbers are totally different from the Cisco ASA5516,
any help?