What is our primary use case?
We use it for our university department firewall. It replaced our 12-year-old Cisco ASA 5520, which used to protect web servers, mail servers, SVN repositories, office computers, research computers, and computer labs. It was used for blocking the internet for exams. It was not used for IPS, so we did not buy the new threat protection or malware license. We connected it to a Layer 3 switch for faster Inter-VLAN routing.
How has it helped my organization?
It works better through specs than our old ASA 5520. It seems to perform the same functionality unless you buy the additional threat protection licenses, so this is a disappointment. I found a bug where the ASDM could not be used with Windows 2016, but it did work with Windows 10.
What is most valuable?
- Most of same old ASA 5520 config could be used for the new 5516-X model. The ASDM interface is improved and can also be configured to the Firepower settings.
- I am used to the ASA syntax, therefore it is quite easy to make up new rules. I have found that DNS doctoring rules are useful, and I am not sure how other firewalls handle the issue of internal versus external DNS, so this was a reason to keep the same type of firewall.
- Customizing logging event of syslog to feed into Splunk is very useful for management and monitoring just for the importance events instead of a huge stream of thousands of unneeded events.
- I found it quite easy to block computers from the internet, e.g, in a computer lab with students doing an exam using software for the course when needed.
- I use access to a list to block IPs which have attacked our web servers on the outside interface, since I do not have IPS.
- I found that setting up rules for HTTPS and SSH access to the management interface are straightforward, including setting the cypher type.
- It is very useful to use the command line interface for modifying or adding to the config because sometimes the ASDM interface is hard to find when the setting is more complicated.
- The text config file is great to have, to know what is in the config, instead of having to check every setting in the GUI.
- While the CLI is used the most, sometimes the ASDM is faster and easier to use to set some settings.
What needs improvement?
- It is confusing to have two management interfaces, e.g., ASDM and Firepower Management Center. It would be nice to have a Windows program instead of a virtual appliance for the Firepower Management Center. The ASA and Firepower module seem redundant, not sure which one to set the rules in, but maybe that was for backward compatibility. I am not sure that is very useful.
- It is surprising that you need to have a virtual appliance for the Firepower Management Center. It is not good if you have to setup a VMware server just for it.
- 10Gb interfaces should be available on more models.
For how long have I used the solution?
What's my experience with pricing, setup cost, and licensing?
ASA pricing seems high compared to other firewalls, such as the Sophos XG models.
The licensing features are getting more complicated. These should be simplified.