Cisco ASA NGFW Review

Enables us to track traffic in inbound and outbound patterns so we can set expectations for network traffic


What is our primary use case?

I am a banker. I'm working in the bank and our equipment is mostly based on Cisco for the moment. We have some incoming projects to deploy from Fortigate to firewalls.

Cisco ASA is something that I used when I was preparing for my CCNP exams. I've been using it on the incoming project that we want to do right now.

It is easy to deploy Cisco ISP solution in the bank I'm working in, i.e. Cisco Identity Services Engine. We're already used Cisco ISSO. 

I have three Cisco ASA modules:

  1. Security for perimeters
  2. Security for data centers
  3. Data center recovery

I have been using Cisco ASA since I've been at the bank for more than two years now. The model is 5515X. I have two modules of 5515X and the third one is the old 55105. 

My primary use of Cisco ASA is to take advantage of all the features. I use it to enforce security policy and also to take advantage of the Firepower module.

I have a firewall module on my two instances of 5515X. On the Firepower side, I use all features on Firepower modules that are included in the AMP.

How has it helped my organization?

The biggest improvement has been in the internet features. We have been asked to prohibit internet access for all users except the bank services division and that is improved. 

For AMP features, we use Cisco ASA to track traffic in inbound and outbound patterns, so we can set expectations for network traffic. I also used the exception for encrypted traffic. 

One problem: Before installing encrypted traffic, I had to decrypt it first. Before setting it back, I encrypt it again. That's just the way Cisco ASA functions.

What is most valuable?

I would say the Firepower module is most valuable. I'm trying more to transition to this kind of firewall. I had to study a little of the Palo Alto Networks equipment. There is a lot I have to learn about the difference.

Based on my certification, I had to do a lot of lab work, a lot of projects, a lot of technical work with Cisco ASA. Now, I'm moving to other vendors, like Palo Alto Networks and Fortinet so that I can empower my level of technical experience.

  • All my change requests are for Cisco ASA to work more on ease of management. 
  • All of the features of Cisco ASA are used by all of the other vendors on the market. 
  • The firewall solutions are all based on the same network equipment. 

The difference is why each business chooses to use it and how they implement the architecture for their solution using Cisco ASA and Firepower features.

What needs improvement?

The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. 

The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability of the Cisco ASA platform is okay. I know that Palo Alto is the first rated one, followed by Fortinet.

What do I think about the scalability of the solution?

The scalability is based on module support. We have a stand-alone version. It is not 100% applicable to talk about scalability at this point. 

There is another Cisco ASA module available that is more scalable than ours. For the module I have, the stand-alone, the scalability is not as good as on the higher model. 

The 5585 model, allocated for data center security, can be facilitated into the switching spot or the working spot in our data center. We can recommend the scalability there. 

For the module I have, I'm using it as a stand-alone. I don't think it is scalable too much at this point. 

I'm using Cisco ASA in my organization to support about 150 staff. For maintenance, I do all of the work myself.

How are customer service and technical support?

I do everything if you need a Cisco ASA solution to be deployed for an infrastructure requirement. We are just a team of three. There is just me and my colleagues. 

I'm in charge of all the infrastructure system, including the network and security infrastructure. On all tasks related to the system security and network infrastructure, I'm in charge of it.

I had to work with Cisco customer support two or three times, a long time ago. I had to work with them based on a problem with my call manager. We had a good ability to work together with Cisco customer support. It was normal. 

They asked about the information on the installation. I had to upload it to them. They took that and came back to my problem with the results. I had a good experience with them.

If you previously used a different solution, which one did you use and why did you switch?

I didn't use a different solution in my bank, but on some other enterprise jobs, I used some unique firewall solutions. 

Since I have been at the bank, only Cisco ASA has been deployed. We just added two new modules. In the bank, we only use Cisco ASA solutions.

How was the initial setup?

I will say Cisco ASA has a complex setup just based on the security policy we have to enforce (asked by the chief, the CIO). For me, it's not complex. 

Cisco ASA is not difficult because I have been in it for a year, so it's easy for me to understand. I have no problem on the technical side. I always manage to do what I'm asked to do on security-side enforcement. I have no problem with that. It's normal for me.

It was 2 years ago that we were trying to deploy our facility equipment. We took advantage to deploy the Cisco ASA firewall (model 5515X). 

For now, it's the only one. Since then, we're using it in an upcoming project. I will have to deploy some Fortigate and Cisco ISL as well.

What about the implementation team?

I don't have a technical problem implementing Cisco ASA. I am a double CCNP and I'm preparing for my CCIE. On the technical side, I don't need help.

I had to work with external partners because they provide us with uptake equipment. They're available to follow up on the project with us. 

We just had to make some tests to deploy some labs. However, when it comes to configuring Cisco ASA for production, I was alone. 

On a security basis, we couldn't let the partner know the details of our address space. This is prohibited within our organization by security policies. 

I had to re-do everything from scratch. For this implementation of Cisco ASA & Firepower, I was alone.

What's my experience with pricing, setup cost, and licensing?

The licensing for Cisco ASA is on a yearly basis. We have to renew the Firepower module license. We are in the process of renewing this one. 

I just made the demand. They have the management who is in charge asking about the price and payment terms on different offers.

Which other solutions did I evaluate?

We are just a branch bank. The decision is not made here and the branches just have to follow the central policy.

What other advice do I have?

Cisco ASA is a good solution. I never had a problem with it. I will say that I mostly recommend Fortinet because of their ease of management and Palo Alto Networks because of their reputation for business efficiency.

I would rate Cisco ASA with an 8 out of 10 points.

Disclosure: I am a real user, and this review is based on my own experience and opinions.