Cisco ASA NGFW Review

I'd like the ability to use IPS & CX modules simultaneously but overall it provides peace-of-mind against cyber-attacks.


What is most valuable?

The most valuable features are the IPS and Botnet software modules. These security features, working in tandem, truly provide peace of mind against all levels of cyber-attacks.

How has it helped my organization?

Since the 5512-x is software license based, there is no need to purchase additional hardware to enable much needed features.

What needs improvement?

Since most features are license based and some licenses are time-based, there should be a way for the device to alert via SNMP that licenses are about to expire. Also, I would like to be able to use both the IPS and CX modules simultaneously, instead of one or the other.

For how long have I used the solution?

I have been using the 5512-x for almost one year now.

What was my experience with deployment of the solution?

Deployment of the 5512-x is very simple. The main issue I found was in deploying the firewall using the "new" style of configuring NAT statements.

What do I think about the stability of the solution?

I have not encountered any stability issues with the IOS version or the IPS version. I am currently running IOS 9.3.2 and IPS version 7.3(2)E4.

What do I think about the scalability of the solution?

The 5512-x with a BASE license does not have many options for scalability. However, the Security Plus option allows multiple contexts and ACTIVE/ACTIVE fail-over options. I currently do not use those features, but I can definitely see the need for both of these options.

How are customer service and technical support?

Customer Service:

Cisco customer service has always been excellent. I have never had any issues with them.

Technical Support:

Cisco TAC is always hit-or-miss. You either get a guru or a newbie, and there is nothing in between.

Which solution did I use previously and why did I switch?

The previous firewall was a Cisco SA520W. This device was great as it was a firewall, IPS and WLC all in one. I switched due to this device being EOL/EOS. Also, the main complaint about this device was that with the IPS enabled all traffic was slowed to a crawl. I would rate the SA520W as 3/10.

How was the initial setup?

The SA520W was a simple setup. There is no CLI option; it is all done within a straightforward GUI.

What about the implementation team?

All solutions are designed, configured, and maintained by me.

What was our ROI?

The ROI on the SA520W is 0, as this device is EOL/EOS.

What's my experience with pricing, setup cost, and licensing?

The original setup cost of the SA520W was approx. US$500. The setup for the 5512-x was approx. US$3000. For the 5512-x, additional costs were incurred for the IPS and Botnet licenses, approx. an additional US$1000/year. As for day-to-day costs, the 5512-x self-updates the security modules, so there is little interaction that I need to perform.

Which other solutions did I evaluate?

I was considering going to the ISA550W (the replacement for the SA520W) or a 5505. I ultimately went with the 5512-x due to its speed and software licensing model.

What other advice do I have?

The next-gen firewalls are a great solution. Be aware of the additional hardware costs (120GB SSD) that are needed to implement some features like the CX module. Also, if you do not need ACTIVE/ACTIVE fail-over, there is no real need for the Security Plus license. And finally, understand the true speed of the model you choose with and without the IPS module enabled before making a final decision.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a Cisco re-seller.