Cisco ASA NGFW Review

Policy rulesets are key, and upgrades are relatively seamless in terms of packet loss


What is our primary use case?

We use them to block or allow traffic out to the internet and to control a handful of DMZs. Overall, they're for access control. We do IPS and IDS as well.

We have the FMC (FirePOWER Management Center) which manages the 4110s and we have 5516s and the ASA5545-Xs. It's an ASA running the Next Generation Firewall code. We're using all of the FMC with 6.4.04, so they're all running the Next Generation Firewall code. We deploy the software on-prem.

How has it helped my organization?

The information coming from Talos does a good job. It marks that information and bumps it up to us. We have rules where we are getting alerts and it does a good job as far as giving us alerts goes. Talos is pretty well-respected. I like the fact that Cisco is working with them and getting the information from them and updating the firewall. We get the vulnerability database stuff updated, and the location stuff gets sent out. I like all that.

In terms of how the ASAs have affected our security posture as an organization, it's done well. We're growing with ASA, with the FirePOWER. When we first started there were a lot of bugs and a lot of issues. But now they're coming forward and acting on requests, things that we want.

What is most valuable?

The majority of what I use is the policy ruleset. We have another company that deals with the IPS and the IDS. That's helpful, but I can't necessarily speak to that because that's not the majority of what I do. The majority of what I do is create rules and work with the customers to make sure that things are getting in and out of the environment.

I work with our e-commerce team to make sure that new servers that are spun up have the appropriate access to other DMZ servers. I also make sure that they have access to the internet. I make sure they have a NAT so that something can come into them if need be.

We use Umbrella, Cisco's DNS, which used to be OpenDNS. We use that to help with security so that we're not going to sites that are known to be bad. They work well together. They're two different things. One is monitoring DS and doing web URLs, while the firewall I'm doing is traffic in and out, based on source destination and ports protocols.

One of the things I like is that the upgrades are relatively seamless, as far as packet loss is concerned. If you have a firewall pair, upgrading is relatively painless, which is really nice. That's one of the key features. We do them off-hours, but we could almost do them during the day. We only lose a few packets when we do an upgrade. That's a bonus and if they keep that up that would be great. Check Point does a reasonably good job at it as well, but some of the other ones I've dealt with don't. I've heard from people with other firewalls and they don't have as good an experience as we do. I've heard other people complain about doing upgrades.

What needs improvement?

One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has ways to go, as far as being able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things that not only we at Orvis, but other people, are requesting and saying should be done and are needed.

In addition, if pushing policy could take a little less time — it takes about five minutes — that would be good. That's something they're working on. 

Finally, our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.

For how long have I used the solution?

We've been using them for about two years. We used to have Check Point and we moved to the ASAs. We didn't really do a whole lot with them, just got them running in the first year. So in the last year-and-a-half to two years we've just been getting our feet wet with them.

What do I think about the stability of the solution?

The code has been reasonably good. It's getting better. The stability depends on the code and this last version of code we went through did give us a number of issues. It all depends on what the stability is in the code.

What do I think about the scalability of the solution?

The devices we have can scale pretty well. We have 600 to 700 people and we have an e-commerce site. It's deployed across the entire organization, although we have multiple firewalls.

We have plans to increase usage. We're going to do more DMZ to protect ourselves. So we'll be having more interfaces off the firewalls and we'll be protecting more VLANs. That's probably as big as we are going to get. I don't see us doing too much more than that.

How are customer service and technical support?

Tech support is good. We have an exceptional sales rep or project manager. Jenny Phelps is the person we work with and if we have any questions or anything that needs to be escalated, we send it to her and it's usually done very quickly. That relationship is a huge value. Jenny is worth her weight in gold.

How was the initial setup?

I wasn't around for the initial setup, I was just starting. We were moving from Check Point to the ASA. It took about six months for them to engineer it and put it in place.

The implementation strategy was to try to determine all the rules in the Check Point and duplicate all those rules in the FirePOWER. We had to roll back twice before it finally took. That wasn't anything to do with the FirePOWER or the ASA. It had more had to do with the person who had to put the rules in and understanding what was actually needed and how they should be put in.

What about the implementation team?

We did it through a consultant, Presidio. They had two people on it. Other than that, they were pretty good.

What was our ROI?

Just in terms of cost, the Check Point number was ten times as expensive as the Cisco number, so there was "instant" ROI in that sense. But we needed to replace our firewalls. Check Point had been in for five or six years. They did a bake-off to see which one was the best one to go to.

What's my experience with pricing, setup cost, and licensing?

We used Check Point and the two are comparable. Cost was really what put us onto the ASAs. They both do what it is we need them to do. At Orvis, what we need to do is very basic. But the price tag for Check Point was exorbitantly more than what it is for the ASA solution.

We pay Cisco for maintenance on a yearly basis. There are no additional fees that I'm aware of.

Which other solutions did I evaluate?

My understanding is that Check Point and Fortinet that were evaluated, at the end.

I wasn't around when we did the actual bake-off. I came in when a solution was picked. I was told why the solution was picked and I was there when they did the final install. It was managed for a little while by Presidio and then it was given to us.

What other advice do I have?

The biggest lesson I've learned from using the ASAs is the fact that they can do a lot. It's just figuring out how to do it. We don't do a lot, although once in a while we will do something a little interesting. These things can do more than what we're using them for. It's just a matter of our trying to figure it out or getting with our Cisco rep to figure it out.

My advice would be to have a good handle on your rules and, if you can, take the upgrades easily.

We have desktop security, application security, and then we have Umbrella. We use five or six different tools for security, at least. It would be nicer to have fewer but as far as I know there isn't one tool that does it all.

We do application firewall rules where it does deep packet inspection and looks at certain things. We don't use it as much as we should, but we do application inspection and have rules that are based on just an application.

We usually have two people on a call when we do maintenance, and we usually have Cisco involved. It's usually me and a colleague who is also a network/security engineer.

I would rate the ASA overall at eight out of ten. The thing that comes to mind with that rating is the code. As I said, we just upgraded to 6.4.04 and we ran into a handful of bugs. We've done upgrades before and we've run into a bug as well. Just last week, we finished upgrading, and I still have one final service request, a TAC case, open. I had four open at one point. That's at the forefront of my thoughts right now.

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Add a Comment
Guest