Cisco ASA NGFW Review

The FirePower IPS, AMP and URL filtering add value to the firewall.

Valuable Features

Cisco ASA has a well-written command-line interface. Cisco’s AnyConnect SSL VPN is by far the best client VPN technology I’ve ever had to deploy and manage. Upgrades are a breeze. Failovers between units are flawless. FirePower add-ons deepen security with intrusion prevention (IPS), anti-malware protection (AMP), and URL filtering. These particular services can run as a hardware or software module within the ASA. Unlike ASA with CSM, these modules are managed by FireSight, a single pane for all of your FirePower nodes. It’s intuitive and easy to use, but still lacks some automation capabilities (e.g., bulk edits, etc.).
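As an added illustration (not taken from this review or from Cisco's own documentation), the ASA-side piece that hands traffic to the FirePower/SFR module is a short Modular Policy Framework policy. The class name and the policy name used here are assumptions; what matters for security is the failure mode keyword: with `fail-open`, traffic keeps flowing uninspected if the module crashes or reboots, so IPS, AMP and URL filtering silently stop applying.

```cisco
! Added example, not part of the original review. Class/policy names are assumed.
! Select the traffic to redirect to the FirePower (SFR) module.
class-map SFR-INSPECT
 match any
!
! Attach the redirect to the global service policy.
policy-map global_policy
 class SFR-INSPECT
  ! Hardened choice: if the module is unavailable, drop matching traffic
  ! instead of bypassing inspection.
  sfr fail-close
  !
  ! Weaker alternative (availability over inspection): bypass on module failure.
  ! sfr fail-open
  !
  ! Rollout option: copy traffic to the module for evaluation, never block.
  ! sfr fail-open monitor-only
!
service-policy global_policy global
```

After applying it, `show module sfr` reports the module state and `show service-policy sfr` shows redirect counters; if the counters stay at zero after traffic passes, the policy is not matching and nothing is being inspected.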

Improvements to My Organization

Cisco is a huge name in the networking world. Having a solution that includes their firewall technology adds value from an operability and support perspective. Cisco, although sometimes considered to be "behind the times" with firewall technology, continues to prove it has momentum in the industry through acquisitions such as Sourcefire and OpenDNS, with rapid integration into their systems. Additionally, ASA is synergistic with other security offerings from Cisco, such as ISE, remote tele-office workers, etc.

Room for Improvement

When running multiple firewalls in your network, you need someone to manage them from a central point. Cisco’s answer is Cisco Security Manager (CSM). Unfortunately, this is a suite of applications that is in much need of an overhaul. It is riddled with bugs and lacks the intuitive experience found in competing vendor offerings. The counter-intuitive interface makes configuration management cumbersome and prone to mistakes. There are software defects within certain modules of the application, resulting in a frustrating experience. Reporting is almost useless. The best part about it is the logging component, but it is still lacking compared to what you get from other competing vendors.

Aside from management, I think Cisco needs to become more application-focused, something that a few of their competitors shine in.

Use of Solution

I've deployed and managed Cisco ASAs for over a decade. I've used the X-series models for about three years now.

Stability Issues

I have not encountered any stability issues; this is a solid firewall platform. Stability is where it shines.

Scalability Issues

The newer clustering capabilities have introduced some solid scalability design options. From a cost perspective, scalability is quite intimidating.

Customer Service and Technical Support

Cisco's TAC engineers are competent, responsive and typically resolve issues in a timely fashion. Do not use them for "best practice"; this is what channel partners are for.

Previous Solutions

I previously used Check Point. Check Point relied on a thick, Windows-based client and, at the time, did not support transparent contexts. However, Check Point has a solid management platform, which is something Cisco should take some pointers from.

Initial Setup

Initial setup is complex for a new user, straightforward for a seasoned user. Tons of documentation is available, but you can easily get lost for days if you've never touched one. Cisco offers ASDM, a GUI wizard that can help set up the firewalls. This is nice for newer folks.

Pricing, Setup Cost and Licensing

Work very closely with your channel partners to verify you have all the licensing you need (VPN, Firepower, etc.). Pricing is always a challenge. Buy closer to Cisco's EOY and you might save a few bucks.

Other Solutions Considered

Before choosing this product, I also evaluated Palo Alto. I really liked their firewall platform, their Panorama management platform, and WildFire technology. Their SSL VPN was seriously lacking. This is a decent option to consider as well.

Other Advice

Read the Cisco Validated Designs (CVDs) regarding ASAs. Find some decent blogs, discuss topologies and scenarios with a seasoned engineer, and get your final design validated by Cisco. Your Cisco SE should be able to assist with this. If you need assistance implementing, work with your channel partner.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

The management platform is a major drawback. Without a third-party reporting platform you will find no inbuilt reporting features and are likely to fly blind. I agree this is the major weakness with Cisco ASA if one were to compare with Checkpoint...

13 September 16
Manager of Engineering with 1,001-5,000 employees (Real User, Top Reviewer)

The only thing I miss about Checkpoint is their SmartDashboard. That thing is amazing, and Cisco could really learn a thing or two from it.

13 September 16
Managing Director with 11-50 employees (User)

Imho the ASA is a solid product offering which is very well supported through both formal and informal channels. That's the thing about most Cisco products: you can always get help on a problem due to Cisco's sheer market size.

I also like the ASDM and in particular the packet tracer for troubleshooting.

What could be improved though is the consistency in the CLI between the ASA and the ISR routers. Sometimes it feels like two different teams worked on the CLI... not a big problem, just something which could be improved.

13 September 16
Hamza_Farhan (Real User)

I don’t have solid experience with Cisco ASA and Checkpoint. My only experience with Checkpoint was during my CCSA course.

-The architecture of CP is the same as Imperva where you have management server and gateway.

-The management server is a very strong product with countless capabilities, such as reporting tools, which Cisco doesn’t have or is lacking.

-Troubleshooting CP is not an easy job and you need to have a solid experience with Linux commands.

-I know from a pricing perspective, going with Cisco you can save some money.

13 September 16
Manager of Engineering with 1,001-5,000 employees (Real User, Top Reviewer)

Brian, this is one reason I continue to use ASA. Cisco makes a solid, stable and consistent firewall platform. It withstands time and continues to be a widely deployed firewall in the industry.

ASDM is great for a single firewall management, but once you want to manage multiple firewalls at once, you're limited in your offerings from Cisco. I'm hopeful for the future with their plans for FXOS, consolidating these seemingly disparate services (ASA, IPS, VPN) into a single platform.

ASA and IOS teams are definitely separate within Cisco. I don't think these CLIs will ever merge, but we can dream.

13 September 16