Cisco Secure Firewall Reviews

Our primary use case for Cisco Secure Firewall is protection in our OT network. We have our OT network behind the commercial network and we do dual firewalls. The Cisco Secure Firewall is on the commercial network side and a different vendor and management group are on the OT network side.

Cisco Secure Firewall has not necessarily improved our organization as much as it has protected it against the impact of cyber threats. Our organization runs manufacturing plants that have hazardous material and we don't want that manufacturing process to be impacted by break-in exposure and cyber threats.

Cisco Secure Firewall is a good solution. In some ways, it is a reactive solution and we have it sitting in a whitelist mode rather than a blacklist mode. It seems to work fairly well for us.

It would be better if we could manage all of our firewalls as a set rather than individually. I would like to see a single pane of glass type of option. We also use another vendor's firewalls and they have a centralized management infrastructure that we have implemented. This infrastructure is a bit easier to manage.

We have used Cisco Secure Firewall for probably 10 years.

Cisco Secure Firewall has been a very stable solution for us. In general, if you keep it up to date and do sensible management on it, it will be a very stable solution.

Cisco Secure Firewall has met our scalability requirements as far as traffic and management goes.

We have an excellent account team and they go to bat for us inside of Cisco. We have access to TAC and Smart Net and that all seems to be working out very well. Cisco has a good team in place.

We did not previously use a different solution for this particular use case. 

I was not involved in the initial deployment of the solution. 

In this specific use case, the biggest return on investment is that we do not have incidents. This ultimately – in some of our factories – ends up being a health and human-safety use case.

We have all smart licensing and that works well. 

We ultimately chose Cisco Secure Firewall because it came with a strong recommendation from one of our strong partners.

My advice to those evaluating the solution right now is this: understand what you're trying to protect and what you're trying to protect it from. Also, understand how the solution is managed.

Cisco Secure Firewall has not necessarily freed up our staff's time as much as it has secured the infrastructure and the OT network behind it. Cisco Secure Firewall was not built as a time-saver. It is not a cost solution. It is a solution meant to isolate and control access to and from a specific set of infrastructure.

Cisco Secure Firewall has not helped us consolidate tools and applications. It allows us to get access. What we're seeing more and more of is business systems like SAP looking to get access to OT systems and this is how our systems get that way.

Cisco Secure Firewall requires the sort of maintenance that any software product would: updates, asset management, etc. Worldwide, we probably have 30 to 40 people managing the solution on the OT side on the various sites and then probably 10 to 15 people on our account team with our outside partner.

Our primary use cases lie mainly with high availability and the security features available doing Layer 3 routing that we would need on our internal network.

It has simplified the internal network, so we don't have to worry about one device failing and losing connectivity. High availability is always there.

Our top three features are the high-availability features, the VPN and the IPSec.

It has fantastic visibility. It's a 10 out of 10. 

Cisco Secure Firewall is fantastic at securing our infrastructure from end to end so we can detect and remediate threats. We have already caught things that have tried to get in. 

Cisco Secure Firewall has improved resilience by a huge margin. It has been a great help.

Cisco Secure Firewall has freed staff because we don't have IT staff worrying about a lot of the threats. We trust the device that we are going to catch the threat. We are going to get a notification and be able to act upon that. Cisco Secure Firewall has saved at least 25 hours a week

The newer versions have made it so that we do not have to worry about other appliances with feature sets that are already built into the Cisco firewall.

The solution has had a huge effect, especially from physical density when it comes to securing our infrastructure. A lot of people don't think about power availability and cooling aspects. You have a limit to how much power you can push, and every little bit helps. 

We chose Cisco because of its understanding, customer service, warranties, and the quality of the product

We would like to see dual power supplies for some Cisco Firewall products. Having to get an ATS in the Data Center application because there's an A+B power feed on such a vital device with high availability may be something that I want to put in there.

We have been using Cisco Firewall for the last 20 years.

The solution is very stable.

The solution is scalable because Cisco keeps up with new technology, the security application, bandwidth, optics, and the kind of speed that one can use.

Customer support has been very responsive, whether it is a hardware failure or calling for any kind of technical support.

Positive

We have seen a return on investment in the total cost of ownership.

The pricing is fair compared to competitors. Cisco is the Cadillac in its field. You get what you pay for. 

Cisco is amazing at upgrading, so even if we did have to upgrade a device, it is plug-and-play because of that availability option.

Cisco is doing a great job with all the improvements that are coming; they are allowing for GUI setups where many people aren't so used to CLI. Many of the younger grads coming into our field are more used to APIs and automation, so having that GUI feel is a lot better than CLI.

I rate the solution a ten out of ten.

We are Cisco partners. We have been selling Cisco products for more than 25 years, and we are a major player in various African markets, such as Morocco and French-speaking countries in Africa.

We have been offering a wide range of Cisco-branded security products. The most important ones were the ASA firewalls, and now, we have the next-generation ones, XDR, and all the applications or all hybrid security solutions offered by Cisco, including Umbrella, on-premise Identity Service Engine, and all the other third-party solutions.

Our main objective is to show customers the added value of Cisco products and how they can tackle all the security issues and all the threats or the cyber security issues rising on a daily basis nowadays. Cisco Talos, for instance, is something that we propose, and we also propose all the restrictions to be up-to-date. Cisco's ecosystem is very wide in security, so we have very good use cases. 

In the beginning, customers used to implement ASA firewalls mainly as the network firewall in data centers, branch offices, all locations, and also in the DMZ. Nowadays, the perspective has changed, and also with the design requirement, the nature of the cloud hybrid solutions leads us to use more sophisticated tools based in the cloud, but we still cover all the security aspects from the branch office to the data centers.

Cisco adds value by providing various solutions such as Umbrella and Duo. It's a combination. An existing firewall system only protects or controls flow on a daily basis in a normal production environment, but when it comes to security threats, we need to add more components. This is why Cisco is offering a wide range of products. Cisco is completely handling all the aspects from end to end with micro-segmentation, for instance. Identity Service Engine can handle the end-users' protection, and in the end, for the data center, we have different tools, and this is how we can cover end-to-end solutions.

The most valuable feature is IPS. It's a feature that's very interesting for tackling the most current attacks. We also have Umbrella with Secure DNS because all the threats nowadays are coming from email servers. We also have the DSA solution to limit the threats coming from ransomware. Combining all of these with Talos provides the best security solution.

It's a question of performance. When we talk about data centers, we are talking about 100 gig capacity or 400 gig capacity. When it comes to active-active solution clustering and resilience and performance, Cisco should look into these a little bit more.

We have been offering Cisco Security firewalls from the beginning of ASA, which was more than 20 years ago. We then started offering all types of firewalls, including the ones for data centers and then the next-generation firewalls.

The stability of the Cisco firewalls is the best in my opinion. We used to have ASA firewalls running for more than five years. Even when we did software upgrades, we had a very stable platform providing high performance without any outage, so customers can rely on Cisco firewall solutions.

For daily operations and projects, scalability is very important. Cisco provides a way of mixing and clustering firewalls to enhance scalability. We have many ways to scale, and as our clients grow, we can have the Cisco firewall solution grow as well.

We work with different vendors based on customer needs. We have a specification that we need to have a combination of different vendors, which is the best practice in the data center architecture and design. We cannot have one vendor at all levels, and we should have a combination. 

As a vendor, Cisco has a complete range of products to handle all the security aspects. When I look at the architecture design, the implementation of Cisco firewalls is the best. We have data centers based on Nexus for instance. We have routing components. All the compliance and architectural design requirements are met, and we can meet the customer needs according to the Cisco design guide and validation guide. When we look at the security aspect and the guidelines in terms of next-generation firewalls, in terms of redundancy on both sites or multi-sites, we have better performance with Cisco than other vendors in some cases.

Our customers use Cisco firewalls mainly in data centers, branch offices, and campus environments. They don't only use basic firewalls. They also use next-generation firewalls, which have email control, web filtering, and IPS. So, we have Cisco firewalling at all levels for providing the strongest protection policy.

The deployment of Cisco firewalls is very easy so far. We have the security expertise and all the knowledge that we need to deploy them and secure our customers' facilities. Networking and architecture are not really complicated, but you need a well-defined plan before doing implementation and going live.

Based on my 25 years of experience, 100% of our ROI expectations are met with Cisco products. The equipment is strong enough, stable, and well-developed. We have had the equipment running for more than five years without any outages, which leads to lesser costs of operations. There is also a reduction in cost in terms of upgrades or replacements, and this is why the ROI expectations have been met.

With the bundling mode with Duo licensing, it's now better. It's better to have one simplified global licensing mode, and this is what Cisco has done with bundling. The next-generation firewalls include a set of features such as filtering, emails, and IPS. This combination offers the best way for customers to manage their operating expenses.

One way to evaluate Cisco products is by looking at the experience. Gartner provides a good overview of Cisco products based on customer feedback, but the best way is by trying the product. Try-and-buy is a good model. Nowadays, all customers, enterprise service providers, and ISPs, are aware of Cisco solutions. They don't just purchase based on the technical specifications.

As a Cisco partner for over 25 years, we provide value by bringing our experience. We have worked so far with a different range of products, from the oldest Cisco firewall to the newest one, and we continue to promote them through design recommendation, capacity specification, deployment, engineering, high-level design, low-level design, migration, go-live, and maintenance and support. We cover the whole lifecycle of a product.

Our partnership with Cisco is a win-win partnership. Cisco provides us with the latest experiences and latest solutions, and on the other hand, we are doing business with our customers by using Cisco products, so it's a win-win relationship with Cisco, which leads to enhancing, promoting, and excelling in Cisco products. I would tell Cisco product managers to go fast with security platforms. Other vendors are going fast as well, and we need product managers to tackle the performance and capacity issues. It's not really an issue in itself, but it's something that can enhance and bring Cisco to the first place in security solutions.

I'd rate it an eight out of ten. The reason why I didn't give it a ten is that they have to make it better in terms of the capacity and performance for the 10 gig interface, 40 gig interface, and 100 gig interface, and in terms of how many ports and interfaces we have on appliances.

We use the Firepower as a perimeter firewall to protect from the outside network.

We are using Firepower to protect a number of services.

We are using it in a dynamic environment. This is important for our company's policies. The dynamic policy capabilities enable tight integration with Secure Workload at the application workload level.

The most valuable feature is the IPS. We also like the AnyConnect feature.

We monitor daily the final inspection activities and intelligence on Firepower. We also send logs from Firepower to our monitoring server, which is a nice feature.

The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement.

Services from the outside, like financial services that are critical, should be protected by the NGFW. There are cyber attacks on these services. Therefore, adding this NGFW in front of those services will reduce our costs for cyber crime.

We started using this next-generation firewall two years ago.

It is stable, but there are issues with the hybrid when you do the activation.

It is scalable. All our users utilize this firewall. We have more than 30,000 users who are end users, admins, and developers.

Cisco technical support team is perfect in their specific area, but they could improve their support for Cisco integration issues between products. I would rate them as eight out of 10.

Positive

We were previously using Cisco ASA for eight years. Now, we are using Firepower NGFW. We hope to continue using this product in the future, as long as there are no discouraging issues.

We are also using Check Point in conjunction with Cisco. We use Checkpoint for our internal networks and Secure Firewall for our outside network.

Installation wasn't that difficult, but there were some challenges on the integration. Sometimes, we face issues from the integration between another Cisco product's API and Firepower NGFW. We just integrated with our existing networks.

The firewall takes no more than two weeks to install. The integration with the API takes about six months.

We implemented ourselves. 

Two technical guys deployed it and now maintain it.

If we didn't use this NGFW, our company might have been charged by a number of attackers. Therefore, the firewall reduces our costs and operational expenses by around 40%.

Since the product is stable, we do not have to spend additional money to buy other firewalls. Once deployed, we can use the product for a long time. Thus, it is cost effective.

Pricing for Cisco is expensive. There are additional costs for the licensing part, support, and even the hardware part. The device cost is very high. I would be very happy with an improvement on the price.

From the user perspective, the reporting and other features are easy to use and user-friendly, but the Control feature of Firepower needs improvement, especially when comparing Firepower to Check Point NGFW.

For digital banking, this solution's firewalls have greatly improved our economy. Most enterprises in our country are using Cisco products because Cisco has worldwide support and cable devices.

I would rate this solution as eight out of 10.

We are using it for firewall and intrusion prevention.

I have deployed it into different environments: retail, commercial, law, real estate, and the public sector. Retail is the biggest environment that I have deployed this firewall into, with 43 different sensors and a range up to 10 GbE throughput.

I am using up to version 7.0 across the board as well as multiple models: 1000 Series or 2100 Series.

The integration of network and workload micro-segmentation help us provide unified segmentation policies across east-west and north-south traffic. It is important to have that visibility. If you can't detect it, then you can't protect it. That is the bottom line.

The solution has enabled us to implement dynamic policies for dynamic environments. These are important because they give us flexibility and more granular control of access.

• Ease of operability
• Security protection

It is usually a central gateway into an organization. Trying to keep it as secure as possible and have easy to use operability is always good. That way, you can manage the device.

The solution has very good visibility when doing deep packet inspection. It's great because I can get packet captures out of the device. Because if an intrusion fires, I can see the packet that it fired in. So, I can dive into it and look at what is going on, what fired it, or what caused it.

Cisco Secure Firewall is fine and works when it comes to integration of network and workload micro-segmentation. 

The integration of network and workload micro-segmentation is very good when it comes to visibility in our environment. It is about how you set it up and the options that you set it up for, e.g., you can be as detailed as you like or not at all, which is good.

Its Snort 3 IPS has better flexibility as far as being able to write rules. This gives me better granularity.

It needs better patching and testing as well as less bugs. That would be nice.

I would like it to have faster deployment times. A typical deployment could take two to three minutes. Sometimes, it depends on the situation. It is better than it was in the past, but it could always use improvement.

I have been using it for seven years.

Stability has been good so far. It has been much better than in the past. In the past, there were times where there were known issues or bugs.

Scalability has been fine. I haven't had an issue with it. I just haven't had a need to deal with scalability yet.

I would rate Cisco's support for this solution as nine out of 10 for this solution. The support has been very good. We got the job done. Sometimes, why it wasn't perfect, the challenge was getting a hold of someone.

I have used this solution to replace different vendors, usually Cisco ASA that is reaching end of life.

The initial setup is straightforward for me at this point. That is just because of the experience that I have in dealing with it. for a new person, it would be a little bit more complex. They have gotten better with some of the wizards. However, if you are not familiar with it, then that makes it a little more challenging.

Depending on the situation, we will go through the typical setups. We know what we want to configure and sort of follow a template.

We have seen ROI with a better, more secure environment. 

Cisco Secure Firewall has helped us to reduce our firewall operational costs. This is based on the fact that the newer models, where we have been replacing older models, have better throughput, capacity, and performance overall.

Pricing is the same as other competitors. It is comparable. The licensing has gotten better. It has been easier with Smart Licensing.

There are additional costs, but that depends on the feature sets that you get. However, that is the same with any firewall vendor at this point.

I have also worked with Check Point and Palo Alto. The support is much better with Cisco than Check Point. Check Point had a little bit better of a central management station. Whereas, Cisco with the FMC is a little different as far as there are still some features that are being added to the FMC, which is good. As far as Palo Alto goes, they are quite comparable as far as their functionality and feature sets. Cisco wins for me because it has Snort, which is a known standard for IPS, which is good. Also, Cisco has the Talos group, which is the largest group out there for security hunting.

Check Point was the easiest as far as user-friendliness and its GUI. After that, Cisco and Palo Alto would be kind of tied for ease of use.

Definitely do your research, e.g., how you want to set it up and how deep you want to go in with it. This will actually help you more. When we say Cisco Secure Firewall, is it Next-Generation, running ASA, or running Firepower? Or, does Meraki actually fit in there? So, there are different scales based on what you are trying to look for and how deep security-wise you want to go into it.

SecureX is a nice feature, but it has to be for the right environment. It is nice that we get it, but most people don't take advantage of it.

The dynamic policy capabilities can enable tight integration with Secure Workload at the application workload level, but I am not using much with Secure Workload at this point.

I would rate Cisco Secure Firewall as nine out of 10. I would not give it a 10 because of bugs.

The primary use case is mainly around perimeter security at the HQ and the branch. This will include using the Next-Generation Intrusion Prevention System (NGIPS), using advanced malware protection for networks on the firewall, and remote access VPN as well as site-to-site VPN.

I work for a Cisco partner and managed service provider. We have a number of customers. Typically, the standard setup that we have is a Firepower Management Center Virtual, running in VMware, with physical FTD appliances (as the firewalls) on-premises.

We work with more mid-size organizations who typically have email security, web security, endpoint security, and perimeter security. In terms of products, that would be:

• Cisco Umbrella
• Cisco Cloud Email Security
• Cisco Secure Endpoint
• Firepower, for the perimeter. 

That would be a typical technology mix. Sometimes, some customers will consume something like Duo Security for multi-factor authentication.

We are primarily running ASA Firewalls with the FTD image. We are also running some Firepower 1000 Series. 

One of the nice things about Firepower is that you can set it to discover the environment. If that is happening, then Firepower is learning about every device, software operating system, and application running inside or across your environment. Then, you can leverage the discovery intelligence to get Firepower to select the most appropriate intrusion prevention rules to use for your environment rather than picking one of the base policies that might have 50,000 IPS rules in it, which can put a lot of overhead on your firewall. If you choose the recommendations, as long as you update them regularly, you might be able to get your rule set down to only 1,000 or 1,500, which is a significant reduction in a base rule set. This means that the firewall will give you better performance because there are less rules being checked unnecessarily. That is really useful. 

Cisco implemented a role-based access control for Firepower, so you can have very granular accounts. For example, a service desk analyst could have read-only access. If we have a security operations team, then they could have access to update IPS vulnerability databases. A network engineer could have access to update ACLs, not rules, which is quite useful. Also, you can selectively push out parts of the policy package based on your role-based access control. So, if you have one job role and work on one part of the configuration, and I work on another job role working on a different part of the configuration, then I could just deploy the changes that I have made without affecting what you are doing (or without pushing out your changes). It is quite nice to be able to do that in that way.

The most valuable feature is the Next-Generation Intrusion Prevention System. For customers who don't have a SIEM platform, Firepower Management Center offers some SIEM-like functionality that clearly categorizes intrusion prevention alerts. So, they are rated with flags, from zero to four. If I see a level 1 flag, then this means that the attempted intrusion, not only relates to a real vulnerability, but we likely have a system in our environment somewhere that could be exploited by that vulnerability. In that sense, it helps us quickly target which intrusions should be investigated versus what is noise. A level 2 flag just identifies where an intrusion relates to a known vulnerability. It doesn't mean that you are vulnerable to it, because you may not have the particular hardware/software combination that the vulnerability relates to. Therefore, being able to quickly determine where to focus your investigation is important.

All Cisco security technologies have API integrations. We have all Cisco security products for all our customers integrated into SecureX for overall visibility of threat detections across all security appliances. Cisco Advanced Malware Protection is a good example. It is not just a product but a capability that has been integrated into multiple products or technologies. We see in Firepower that we can benefit from Advanced Malware Protection at a network level, but that same technology is also available on email security as well as endpoint security. So, if a threat is detected in one place that can be blocked everywhere, almost at the same time, then the integration is very good. 

If we look at something like Cisco Umbrella, then we see Umbrella integrated with Cisco Meraki appliances, both on firewalls and access points. So, there does seem to be a good level of integration.

Integrations are primarily API-driven. You just generate an API. You have an identifier and generate an API key. It is normally five minutes or under to integrate something. Cisco has SecureX, which is their security management platform. They also have Cisco SecureX threat response, which is a threat hunting tool. With both of these tools, they can take the API keys from any Cisco products as well as some third-party products, then you can integrate them in just a couple of minutes. It is pretty easy.

FlexConfig is there as a bridge for features that are not yet natively integrated into Firepower. It is a way of allowing you to be able to configure things that wouldn't otherwise be possible until the development team can add them into Firepower's native capability. There is still some work that needs to be done around FlexConfig. There are still quite a few complex things, like policy-based routing, that have to be done in FlexConfig, and it doesn't always work perfectly. Sometimes, there are some glitches. It is recommended that you configure FlexConfig policies with Cisco TAC. It would be good to see Cisco accelerate some of those configurations that you can only do in FlexConfig into the platform, so that they are there natively.

I have been using it for around 18 months.

The product has significantly improved over the last two years. I am aware that the Cisco product team has made significant strides forward in addressing oversights that may have previously existed in the platform. I don't have that much in the way of improvements now. We are running the latest code, the 6.7 code, on all our environments. It addresses so many issues that previously existed in earlier versions of the code. From 6.6, the code has improved significantly and introduced many feature benefits.

The new code, 6.6 and higher, seems to be very stable. Now, you don't need to deploy the entire policy package every time you make a change. You can just deploy the segment of the configuration that has been changed. This has increased how quickly you can deploy the configuration, which is a good improvement. We seem to have less bugs and glitches in the newer code. I can't think of any real bugs or glitches that I have seen since we have been running 6.6. With 6.5 and earlier, there were some problems. Now, it seems to be very stable.

The thing that restricts the scalability would be Firepower Management Center. It is constrained by how many events it can record. It suits customers who have a smaller number of sites, like a dozen or maybe 20 sites. You can still record your connection and intrusion event history for a significant period of time. But, if you are talking about a customer with hundreds of firewalls, then Firepower Management Center probably is not the right proposition.

If I am a customer with a dozen sites, I probably don't have the money to pay for a dedicated SIEM platform. So, Firepower Management Center is great for me because it is like a mini SIEM from a perimeter security perspective. I can store my connection and intrusion event history. I can get an idea of which IPS intrusions are things I should focus my attention on. These are the things that a SIEM could help you with. I can manage my firewalls from a single management location, which is really good. However, if I am a customer who has hundreds of firewalls, then it is not really scalable because I wouldn't be able to store the amount of intrusion and connection events that I would need for those firewalls.

Cisco Defense Orchestrator would probably be the better option if you had an environment that had hundreds of sites with hundreds of firewalls. Even if you acknowledge that Cisco Defense Orchestrator doesn't store events per se, it just allows you to manage and deploy policies to the firewalls, when you have an environment with hundreds of firewalls, then you will definitely have the budget for a SIEM platform. At that point, you would be scaling by having separate platforms for separate functions rather than one platform to do everything.

Firepower Management Center is great for some customers with whom we work because they don't have hundreds of sites with hundreds of firewalls. They just have somewhere between two and 10 sites. So, it is a good fit for that kind of customer.

Cisco Talos is one of the largest private security, threat hunting, research organizations, but non-governmental. It is quite powerful when we explain to customers the threat intelligence injected into Cisco products. I have attended some Cisco Talos workshops, webinars, etc., and they do seem to be amongst the best in their field. So, I have a high degree of confidence in Cisco Talos, and it is one of the most powerful capabilities that Cisco has as a security vendor. You could have the best features for a product, but if the security intelligence is not good nor current, and if it can't accurately predict new threat trends in a timely way, then it still may not help you.

The technical support is absolutely brilliant. When I call Cisco TAC and have a case, every single engineer that I get assigned to any case is an expert in their field. I feel like they understand the product that we are talking about inside out. I have never raised a case for Firepower and not been able to get a resolution. I have a high degree of confidence in them.

The support may not be one of the features documented in the data sheet, but I have worked with other vendors where their quality of support is not comparable. When you are looking at the total cost of a solution, you need to look at more than what the face value of the product is. You need to look at:

• How complicated is this going to be to configure? 
• How complicated will this be to operate? 
• How long will it take me to get a resolution if I have a problem? 

From my experience with Cisco TAC, the resolution will always be very quick. More often than not, it is within a couple of days, if it is a P3. If it is a P1, then it is the same day. I couldn't ask for better.

I find the initial setup fairly straightforward. I wouldn't say it is simple, but it is not a simple piece of technology. You have different policies for different areas of the system, e.g., you have a policy for access control, NAT, FlexConfig, remote access, VPN, etc. There are a lot of policies that you either have to create or configure. However, it is fairly intuitive. Once you have done it once, you know where everything is.

If we assume the most basic variables, one FMC and one FTD on the same LAN, then the FMC can be provisioned with the policies in a day. The appliance can be imaged and added to the FMC with the policies pushed out on another day. If you add remote access VPN into the mix, especially if you have an Active Directory integration, I would probably add another day. You could probably have a working setup in three to four days, depending on if you have any issues with the licensing portal. 

It is very easy to deploy site-to-site VPN tunnels between Firepowers. I appreciate that Cisco deprecated all legacy cypher standards. This means you need to use the modern, robust cipher standards that cannot be broken right now. This is a good thing. However, if you are using two Firepower devices, then it is easy to set up a site-to-site VPN tunnel and use the strongest cipher standard, which is also good.

We normally always try to pre-stage, spinning up virtual FMC and VMware, then configure as much as possible before adding an appliance in. It can be a bit more challenging if you have a lot of FTDs at different sites because you need to be aware that you may be managing a device on an internal IP address while you are pre-staging, but that address may change when you deploy the solution. You just have to think that through, in terms of how Firepower Management Center will keep its connectivity to the device once you deploy it. So, if Firepower Management Center and appliances are all on the same local area network, then it is straightforward. However, it is when you have multiple appliances at different sites that it can be a bit more tricky to make sure that the connectivity is maintained when you deploy. I think some more guidance around this would be good. We have a process that works for us, but it took a bit of figuring out with Cisco TAC to make sure we were not missing anything. If they could maybe document it a bit better, that would be good.

Normally, someone like myself could set everything up, so you wouldn't need a big team. However, if you are doing integrations with something like Active Directory, then you need the person who administers that system to be involved. Likewise, if you are doing site-to-site VPN tunnels with third-parties, then you probably need someone from that third-party organization involved. Most of the configurations can be done by one person. You do need to let the Firepower discovery run for around two weeks before you then run the recommendations around which IPS rules to apply, but it would be possible to just select one of the base policies and leave it at that.

You could choose to run the network discovery, which you should do anyway because there are added benefits, for two weeks then choose the Firepower recommendations. However, if you didn't have time to do that, or that wasn't an option for some reason, you could just choose one of the base IPS policies, like Security over Connectivity or Balance, and that would work out-of-the-box.

Everyone who uses the platform has felt more confident in their perimeter security. The Firepower platform makes it very easy to keep track of what software revision you are on, what your revision is versus what the latest is. It makes it really easy to schedule tasks to download the latest geolocation and vulnerability updates, automate backups, and copy backups to a remote location. Operationally as well as from a security perspective, everything has been positive in terms of the feedback.

I like the Smart Licensing, because it is more dynamic and easier to keep track of where you are at. If we have a high availability firewall pair and they are deployed in active/standby rather than active/active, I would expect that we would only pay for one set of licenses because you are using only one firewall at any one time. The other is there just for resiliency. The licensing, from a Firepower perspective, still requires you to have two licenses, even if the firewalls are in active/standby, which means that you pay for the two licenses, even though you might only be using one firewall any one time. This is probably not the best way to do it and doesn't represent the best value for money. This could be looked at to see if it could be done in a fairer way. For example, you can only deploy MX firewalls in active/standby. There are no other options. You only need one license for those firewalls because you can only use one at a time. This seems quite fair. They may need to look again at this from a Firepower perspective.

I work for a Cisco partner, so we are very Cisco-focused. Most of our customers consume predominantly all Cisco solutions. We have some customers who may have the odd product that is not Cisco, but a majority of their security suite will be Cisco.

I have some experience with budget firewall platforms, like SonicWall and WatchGuard, but these are not really comparable to Cisco in terms of being direct competitors. It would be like me trying to compare a performance car against a budget economy car. It is not a fair comparison.

I would probably ask, "How long do you want to keep the connection and intrusion events for?" You need to remember that Firepower Management Center can only keep a certain amount of events. I think you need to have that in mind as one criteria to make your decision against. 

You need to look at what hardware platform you are going to be deploying. We have a lot of customers who are running ASAs, but they are running the Firepower Threat Defense image on their ASA. For all intents and purposes, those ASAs act as FTDs. Now, try to remember those ASAs were never designed originally to run the FTD code. Now, they can run the FTD code, but some of the dedicated Firepower appliances have a split architecture. So, they have separate physical resources, CPU, and memory for running the traditional firewalling capabilities versus the next-generation firewall capabilities, like IPS, AMP for Networks, and AVC. Maybe, have a think about the hardware platform, because you need to try to assess what throughput you are trying to put through the firewall and how that will impact the performance of the box.

There is definitely some advantage moving to the dedicated Firepower appliances rather than putting the Firepower code on an ASA. Although, it does allow you to leverage an existing investment if you put the FTD code onto the ASA, but you need to be mindful of the limitations that it has. Also, if you are looking to do SSL decryption, then you need a much bigger firewall than you think you need because this puts a lot of overhead on the appliance. However, this would be the same for any vendor's firewall. It is not Cisco specific.

If 10 is the most secure, then our customers are typically in the middle, like a five, in terms of maturity of their organization’s security implementation. This will be because they won't necessarily have things like Network Access Control, such as Cisco ISE. They also won't necessarily have security analytics for anomaly detection, like Stealthwatch or Darktrace. For some of these more sophisticated security technologies, you need to be a large enterprise to be able to afford or invest in them.

While Firepower provides application visibility and control, we don't use it much simply because we use Cisco Umbrella. Firepower gives you application visibility control on a location-by-location basis. So, if we have a firewall at the head office or a firewall at the branch, then we get application visibility control by firewall. However, because we use Cisco Umbrella, that gives us very similar application and visibility control but on a global level. So, we tend to do application visibility and control more within Cisco Umbrella because we can apply it globally rather than on a site-by-site basis. Sometimes, it is useful to have that granular control for an individual site, but it is not something that we use all the time.

I would rate the solution as a nine out of 10.

I am an IT administrator and my job is probably 80% security analyst. We are a HIPAA environment, so we're a regulated industry and my job is to keep us from being breached. It's extremely difficult and an ever-changing, evolving problem. As such, I spend a couple of hours a day just reading everything threat report from every source I can get. 

We have a pair of 2110 models, with high availability set up.

There are multiple licenses that you can get with this firewall, and we subscribe to all three. A few months ago, we made the decision to do an enterprise agreement just because of the amount of security software we have. We subscribe to the threat, the URL, and the malware licensing. We use it for IPS, URL blocking, IP blocking, and domain blocking.

We've embraced the Cisco ecosystem primarily because I think they made some very intelligent acquisitions. We talk about security and depth and they've really done a good job of targeting their acquisition of OpenDNS Umbrella. It's all part of our ecosystem.

I take the firewall information and using SecureX, Cisco Threat Response, AMP for Endpoints, and Umbrella, I'm able to aggregate all that data with what I'm getting from the firewalls and from our email security, all into one location. From my perspective, being a medium-sized organization, threat hunting can be extremely difficult.

This product enriches all of the threat data, which I am able to see in one place.

There's nothing I personally have needed to do that I haven't been able to do with the firewall. It integrates so tightly into how I spend the majority of my day, which is threat response.

Much of this depends on any given organization's use case, but because I was an early adapter of Cisco Threat Response and was able to start pulling that data into it, and aggregate that with all of my other data. As I'm doing threat hunting, rather than jump into the firewall and look in the firewall at events, I'm able to pull that directly into Threat Response.

The ability to see the correlation of different event types in one place, these firewalls have definitely enriched that. You have Umbrella, but there are so many different attack types that it's good to have the DNS inspection at the firewall on the edge level too. So, the ability to take all of that firewall data and ingest it directly via SecureX and into our SIEM, where I have other threat feeds, including third-party thread feeds, gives our SIEM the ability to look at the firewall data as well. It lends to the whole concept of layering, where you don't have to have all of your eggs in one basket.

With our Rapid7 solution, I'm able to take the firewall data and dump it into our SIEM. The SIEM is using its threat feeds, as well as the threat feeds that are coming from Cisco Talos. In fact, I have other ones coming into the SIEM as well. So, I'm able to also make sure that something's not missed on the Talos side because it's getting dumped into our SIEM at the same time. All of this is easy to set up and in fact, I can automate it because I can get the threat data from the firewall.

In terms of its ability to future-proof our security strategy, every update they've done makes sense. We've been using one flavor or another of Cisco firewall products for a long time. Although I have friends that live and die by Fortinet or Palo Alto, I've never personally felt that I'm wanting for features.

We get the Security Intelligence Feeds refreshed every hour from Talos, which from my understanding is that they're the largest intelligence Security Intelligence Group outside of the government. My experience with Talos has been, they're pretty on top of things. Another driving factor towards Cisco: We get feeds every hour, automatically refreshed, and updated into the firewall.

If I had to rely on one security intelligence, which I wouldn't, but if I had to, I'm sure it would be Talos. The fact that it gets hourly updates from Talos gives me some peace of mind.

The real strength for the Cisco next-generation firewall is it'll do pretty much anything you want it to do, although it requires expertise and proper implementation. It's not an off-the-shelf product. For instance, there are some firewalls that may be easier to set up because they don't have the complexity, but at the same time, they don't have the feature set that the Cisco firewall has.

The firewall does DNS inspection, and you can create policies there.

The firewall integrates seamlessly and fully with our SIEM. We use a Rapid7 SIEM inside IDR and it now integrates seamlessly with that. Cisco's doing a lot more with APIs and automation, which we've been leveraging.

In terms of application visibility and control, I used the firewall and I also use Umbrella, but it depends on what it is that I'm seeing. One component that I use is network discovery. When you configure the policy properly, it'll go out and do network discovery so you're not loading up a bunch of rules you don't necessarily need. Instead, you're targeting rules that Cisco will say, "Hey, because of network discovery, we found that with this bind to whichever version server, we recommend you apply this ruleset." This is something that's been very helpful. You don't necessarily have to download every rule set, depending on your environment.

I have used it for application control. Right now, we're in the midst of doing tighter integration with ISE and the integration is very good. This is something that we would expect, given that it's a Cisco product.

I use the automated policy application and enforcement every chance I get. Using an automation approach, I would rather have a machine isolated even if it's a false positive because that can happen much faster than I can get an alert and react to it. On my end, I'm trying to automate everything that I can, and I haven't experienced a false positive yet.

Anything that's machine learning-based with automation, that's where I'm focusing a fair amount of attention. Another advantage to having Cisco is that their installed base is so huge. With machine learning, you're benefiting from that large base because the bigger their reach is, the bigger and better the dataset is for machine learning.

At some point, you have to trust that the data set is good. What's impressed me about Cisco is with all of our Cisco products, whether it's AMP or whatever, they're really putting an emphasis on automation, including workflows. For someone like me, if I get an alert in the middle of the night and I see it at 6:00 AM, it is going to be a case of valuable time lost, so anything that I can do to make my life easier, I'll definitely do it.

It would be great if some of the load times were faster. My general sense is that it's probably related to them taking a couple of different technologies and marrying them together. We are using virtual, so the way that I handled that was to throw more RAM in it, which these days, is pretty cheap. I could see some improvement with the speed of deploying policies out, although it's not terrible by any means. One thing about Cisco is whatever they're doing, it keeps getting better.

The speed of deploying policies could be improved, although it is not terrible by any means.

Another legitimate criticism of Cisco that comes to mind is that you need to make sure you've got your licensing straightened out. I haven't had any problems in a long time, but I know people that haven't used Cisco products sometimes can run into issues because they haven't figured out so-called smart licensing. Depending on the Cisco person you're working with, make sure you have all that stuff all set to go before you start the implementation.

That's an area that Cisco has been working on, I know. But licensing is a common complaint about Cisco. I suggest making sure that you have that stuff in place and you've got all your licenses all ready to go. It seems like a dumb thing, but my most common complaint about Cisco before we entered into our enterprise agreement was licensing. When it's working, it's great, but God help you if you've got a licensing problem.

They've been very reliable for us and we haven't had one fail, so we've never had to failover. That has been generally my experience with Cisco products, which is one reason that we tend to lean on Cisco hardware for switching, too. The reliability of the hardware over the years has been very good.

We have integrated these firewalls with other products, such as Cisco ISE, and it hasn't been a problem. ISE is a Cisco product so it would make sense that it integrates well, but ISE integrates with other firewalls as well.

Everything that I've done with these firewalls has been pretty seamless. We've had no downtime with them at all. They've been very rugged as we expanded usage through integration.

People knock Cisco TAC but in my experience, they have been very good. I've always found them to be extremely helpful. Friends that I have made from inside Cisco say, "Hey, you want me to look at this or that?", which is very helpful.

The big three solutions, Cisco, Fortinet, and Palo Alto, are all really good but I tend to lean on Cisco versus the others because one of their strengths, in general, is threat intelligence. When you put a bunch of security people in a room then you have a lot of consensuses, but like anything, you'll have a lot of disagreements, too.

Each of these products has its strengths and weaknesses. However, when you factor in AnyConnect, which most people will agree is state-of-the-art from a security standpoint in terms of VPN technology, especially when it's integrated with Umbrella, it plays into the firewall. But, it always comes back to configuration. Often, when you read about somebody having an attack, it's probably because they didn't set things up properly.

If you're a mom-and-pop shop, maybe you can get by with a pfSense or something like that, which I have in my house. But again, if you're in a regulated environment, you're looking at not just a firewall, you're looking at all sorts of things. The reality is, security is complicated.

Cisco gives you lots of options, which means that it can be complicated to set up. You have to know what you're doing and it's good to have somebody double-check your work. But, on the other hand, it does everything from deep packet inspection and URL filtering to whatever you want it to do, with world-class integration. It integrates with Umbrella, AnyConnect, ISE, StealthWatch, and other products.

It is important to remember that a firewall is only as good as it's configured. Sometimes, people will forget to configure a policy, or they will create the rules but forget to apply them. It comes back to the fact that it's a professional product and it's only as good as the person who's using it.

I do some security consulting and I've seen many misconfigurations. People will write a Rule Set but forget to apply it to a policy, for example. There is no foolproof product and I think it is a challenge to say, "Wow, this firewall is better than that firewall." These things are complex, but Cisco has always, in my mind, set many kinds of standards. I don't know any serious security person that would argue that.

Especially AnyConnect with an Umbrella module attached, I think most people would argue it's state-of-the-art. I know that I would because it allows me to do a couple of things at once. It's not just the firewall; it's AnyConnect, and it's what you can do with AnyConnect given its functionality with Umbrella. It gets kind of complicated and it depends on the use case, and some people don't need that.

Again, what makes it difficult to say something about a firewall is, the configuration possibilities are so varied and endless. How people license them is different. Some people think, "I prefer the IPS License," or whatever. But again, I think to get the strength of a Cisco firewall is just that.

I found our setup straightforward, but you don't go into it blind. You have to be clear on your requirements and you need to take the setup step-by-step. Whenever I deploy a firewall, I have a couple of people to double-check my work. These are people who only work on Cisco firewalls and they act as my proofreaders whenever I am doing a new deployment.

Cisco's documentation is very good and it's always very thorough. However, it's not for a novice, so you wouldn't want a novice setting up the firewall for an enterprise. Personally, I've never had any issues with policies not deploying properly or any other such problems.

Talking about how long it takes to deploy, it's a good weekend if it's a new deployment. It's not just clicking and you're done. I haven't installed a Fortinet product, but I can't imagine any of them are easy to install. Essentially, I found it straightforward, but it is involved. You've got to take your time with it.

You need to make sure anything you do with your networking, that you have it planned out well in advance. But once you do that, you go through the steps, which are well-documented by Cisco.

Cisco is not for a small mom-and-pop shop because of the cost, but if you're in a regulated industry where a breach could cost you a million dollars, it's a bargain. That's the way I look at it.

We also use Cisco Umbrella, and I may use features from that product, depending on where I am.

Every firewall has its pluses and minuses, but because we've taken such a layered approach and we're not relying on one thing to keep us safe, I've never really gone, "Oh, I've had it." I've heard some complaints about Cisco TAC, but generally speaking, I've been able to configure them and do whatever I need to with the Cisco firewall. There's nothing in my experience with Cisco that leads me to believe that that's going to stop.

I've always felt comfortable with every Cisco purchase we've made and every improvement they've made to it. I think they keep moving in a positive direction and they're pretty good with updates and fixes. You can have 10 people, networking people or security people, and they'll all have different takes on it. That said, I've always been very comfortable. I don't stay up at night and worry about our firewalls.

One thing to remember about Cisco is that whatever they're doing, it just keeps getting better. In my experience with Cisco, I have yet to have a product of theirs that they haven't improved over time. For example, we bought into OpenDNS Umbrella before Cisco acquired them. At the time, I was wondering whether they were going to improve it or what was going to happen with it, because you can never be sure. Again, Cisco has done nothing but improve it. It's a far more mature product than when we picked it up five or six years ago.

While not directly related to the NGFW, it speaks to Cisco's overarching vision for security, which again, I'm always looking at layers. If you're thinking that you're going to secure an environment by buying a firewall, yes, that's a really important piece of it, but it's only one piece of it.

Cisco is a company that is really open about vulnerabilities, which some people could see that as a negative but I see as a positive. I do security all the time, so I'm always going to be paranoid. That said, I've spent so much time doing this stuff that I've developed a lot of trust in Cisco. Again, I think there are other great products out there, but Cisco has made it really easy to integrate stuff into this ecosystem where you have multiple layers of not perfect, but state-of-the-art enterprise security.

My advice for anybody who is implementing this solution is, first of all, to know what you're doing. If you're not sure then get somebody that does. However, I would say that's probably true of any firewall. If your business relies on it, have all of your information ready beforehand, it's just all the straightforward stuff that any security person needs.

In summary, I think what I can say about them is there's nothing I needed to do that I haven't been able to do. I have incredible visibility into everything that's happening. We continue to leverage more features, to use it in different ways, and we haven't run into any limitations. I cannot say that the product is perfect, however, and I would deduct a mark for the interface loading. It's not terrible but sometimes, especially when you're doing the setup, it can chug away for a while. Considering what the device does, I think that it's a small complaint.

I would rate this solution a nine out of ten.

Cisco has a new general firewall: the Firepower NGFW. If you take a look at the Cisco Firepower product line, they have three models available:

1. A low-scale model: the 2000 series
2. A high-end model: the 4000 series
3. The carrier-grade model: the 9000 series

We have already used the 4000 and 2000 series over here. We've been using this solution in Bangladesh for some customers over the last eight months. 

We've been using FPR 2110, 2120, 2130, & 2140. We also employ the FPR 4130 and 4140. We have been using this equipment on our last few projects. We used it as a transfer and for firewalling. The most recent one we are using for firewall support as well.

I have a two-part business. First, we provide solution services as a vendor for multiple customers working as a consulting firm. I'm providing multiple customers with support on-premises for Cisco products right now.

We are not able to use these products internally in our company. The second part of the business is my status or core business which is basically operating as a software solution provider.

I have personally engineered these Cisco firewall solutions for clients. When we implemented it, it was easy. We have to maintain high-end abilities in order to ensure the availability of high-end support for the clients. I generally have to look at everything. Later on, we were able to upgrade the Cisco Firepower NGFW easily. We were able to connect from the beginning to implement the complete number of files in the system. 

Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching.

I would say the Cisco Firepower NGFW actually gives superior intelligent behavior to transfer its active/passive infrastructure. Overall, Cisco Firepower NGFW has been a good power element in our systems due to its central location.

I would say when Cisco is selling something called a firewall, they put a lot of services together to make a single box solution. When a company develops a firewall, they need to develop certain features like intrusion control and offer it pre-loaded in the product. 

On the mix of projects that I am responsible for, I feel comfortable using the Cisco firewall for management. One feature lacking is superior anti-virus protection, which must be added.

I have to say I am very proud of the Cisco Firepower 41400 as it can give you multiple layers of four-degree connectivity in operations. 

We do not use the Cisco 9000, but even the lower level firewalls are pretty expensive, considering the features and software included.

In summary, we would like Cisco to provide more features inside regarding network trafficking forecasting. Ideally, the belief is that this would add an immediate resolution.

So far we haven't encountered any stability problems. You should have a lot of patches to apply to update the firmware. You can understand the firewall in less than a week.

We had some fraud introduced with our last box when Cisco produced an upgrade. The updated policy agreement was based on the wrong purchase date information. 

The faster integration that is available in our region is pretty smooth for the Cisco firewall right now. I haven't found that much of a limitation to any service. 

I used to have a lot of issues with firewall support. Now, I keep a good state of mind with Cisco. I can expect my capabilities going out of range eventually if we don't upgrade. 

Cisco has its own cloud platform. I am able to see a single dashboard with all of my firewall activities and network performance under diagnostics, which is really helping us out.

I would put the Cisco Firepower NGFW firewall into Transport mode, as you can do with most firewall systems for scalability. We used to have about 60% of our users on hold during six-week events. We still have certain problems without a firewall, but these days with the Cisco Firepower, we have over 80% of the load working.

As the customer integrator for enterprise contracts, we've been able to introduce Cisco Firepower to around 10 of our new customers in Bangladesh. At least 50 of the previous Cisco customers are still using the firewall solution right now under our support.

These are enterprise customers who require Cisco firewall support. We used to have a specialty in that which is really like the holy grail in rocket science. It used to be like that but now with Cisco's enterprise user base, we offer operational system support to reduce complexity a lot. It's really easy. It's not like you have to be a specialist.

In Bangladesh, we had a little issue with Cisco technical support. We run our own sidebar operations, so I am not so satisfied with Cisco customer support. 

Cisco Firepower devices have created a lot of differences with due dates over our service contract. Consequently, we don't really bother anymore with Cisco technical support. Bangladesh has a really good tech scene. That is the reason we are not that concerned about Cisco product support anymore. It's okay. We handle it our own.

We previously used Cisco ASA as a firewall.

The setup with the Cisco Firepower NGFW is very easy. I have used other networking and firewall equipment previously, including Juniper. I've implemented other solutions and those were really tricky compared to Cisco.

The Cisco firewall system has eliminated all our network setup problems. Earlier when we used other products for firewalls, it was very complex to set up. Cisco firewalls from the beginning have eliminated all of the difficult parts of the initial deployment. 

All you have to do is pull your management together and communicate to your team to follow the documentation provided by Cisco. Altogether, it is easy for our team to install the Cisco firewall products.

I did the installation myself and it took 48-50 hours, approximately, in the Transfer mode. We had a further two-hour window of augmenting and transforming the data. We were able to do that successfully. Eventually, we were able to transform the entire network setup.

The license in my country is available to subscribe for three years or one year. We wanted to go with the solutions for embedding a two-year subscription, but this was not possible.

The Cisco licensing agreement in Bangladesh is different than the one in India and in Dubai. It is not a problem, but if you want to subscribe to the yearly subscription, the original cost is really high. Also, if you go for an anti-virus, you pay for an additional yearly subscription. 

When we push customers to implement Cisco solutions, they can manage the subscription cost of Cisco internally to access these important solutions long term. Our clients have been able to secure surprisingly efficient service with the Cisco Firepower NGFW firewall solution.

This fall, we evaluated firewall equipment from Juniper Networks. This is a limitation for Cisco, as their pricing is too high. The fact is when I need to install and manage an enterprise network, Cisco has the capability of having support for the IC Treadway standards. Furthermore, I can actually manage my entire enterprise network in one dashboard. 

If I bring in tech from the outside, like Palo Alto Networks equipment, that won't be able to integrate with my regular Cisco environment. 

With Cisco devices, it was easier for me to grab the assets required on the network for installation. With other solutions providers, good luck managing that with any ease.

In my opinion, I would rather ask everyone to have a simple network. If you need multiple networking lines, like for the Cisco ASA or the Firepower NGFW, make sure you have ample tech support. 

There are many issues with connectivity in firewall systems, but Cisco quality is good. The connectivity of your network can really reduce your complexity over firewalls. 

I would suggest if you want to configure a complicated network scenario, go for a next-generation firewall. I would also suggest making your firewall options go to Cisco as they have some influential products right now. 

Once you are pushing the Cisco firewall, you'll be able to actually monitor and confirm each and every traffic coming in or going out of your network. 

Palo Alto Networks or Juniper Networks firewalls are ideal, slightly better than Cisco. They are not as easy as Cisco to use right now, but considering the cost and everything else, Juniper Networks equipment is really good. 

The fact is you need to consider just what you're achieving when you put in Cisco firewalls and implement Cisco routers.  For those on the verge of a new purchase, I would say that going for an expired model of firewall is definitely a good buy.

I would rate the Cisco Firepower NGFW with an eight out of ten points.