Cisco ASA Firewall Room for Improvement

Security Officer at a government
We've seen, for a while, that the upcoming revisions are not supported on some of the 5506 firewalls, which had some impact on our environment as some of our remote sites, with a handful of users, have them. We were also not too thrilled when Cisco announced that in the upcoming new-gen ASA, IOS was not going to be supported, or if you install them, they will not be able to be managed through the Sourcefire. However, it seems like Cisco is moving away from the ASA IOS to the Sourcefire FireSIGHT firmware for the ASA. We haven't had a chance to test it out. I would like to test it out and see what kind of improvements in performance it has, or at least what capabilities the Sourcefire FireSIGHT firmware has on the ASA and how well it works.
Cisco Security Specialist at a tech services company with 10,001+ employees
My concern in the 21st century, with ASA, is the front-end. I think Cisco missed the mark with all the configuration steps. They are a pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But the front-end configuration is very tough. They probably still make a good profit even with the front-end being difficult, but it's not easy. It's not user-friendly. All the configuration procedures are not user-friendly. Also, they launched the 1000 series for SMBs. They have all the same features as the enterprise solutions, but the throughput is less and, obviously, the price is less as well. It's a very nice appliance. However, imagine you buy one, take it out of the box to connect it and the device needs one hour or two hours to start up. That is a pain and that is not appropriate for the 21st century. They should solve that issue. Another issue is that when you integrate different Cisco solutions with each other, there is an overlap of features and you need to turn some of them off, and that is not very good. If you don't, and you have overlap, you will have problems. Disabling the overlap can be done manually or the solution can identify that there is already a process running, and will tell you to please disable that function. For today's threats, for today's reality, you need to add solutions to the ASA, either from Cisco or from other vendors, to have a full security solution in an enterprise company.
Senior Network Engineer at Orvis Company, Inc
One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has a way to go, as far as being able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things that not only we at Orvis, but other people, are requesting and saying should be done and are needed. In addition, if pushing policy could take a little less time — it takes about five minutes — that would be good. That's something they're working on. Finally, our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.
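The rule clean-up this reviewer describes can be done today from the CLI by reading the `(hitcnt=N)` counters that `show access-list` prints for every access-control entry. The script below is an added example, not code from the review or from Cisco: it parses a constructed sample of that output, skips remarks and the indented object-group expansions (the unindented parent entry carries the total), and lists entries whose counter is still zero.

```python
"""Find unused ACEs in Cisco ASA `show access-list` output for rule clean-up.

Added example; not part of any review on this page and not a Cisco tool.
Counters reset on reload or `clear access-list counters`, so a zero is only
meaningful after the device has run through a full business cycle.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `show access-list` output (not from a real device).
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list outside_in; 5 elements; name hash: 0xdeadbeef
access-list outside_in line 1 remark Public web servers
access-list outside_in line 2 extended permit tcp any object-group WEB_SERVERS eq https (hitcnt=48213) 0x11111111
  access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=30100) 0x22222222
  access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq https (hitcnt=18113) 0x33333333
access-list outside_in line 3 extended permit tcp any host 192.0.2.20 eq ssh (hitcnt=0) 0x44444444
access-list outside_in line 4 extended permit udp any any eq ntp (hitcnt=12) 0x55555555
access-list outside_in line 5 extended deny ip any any log (hitcnt=990) 0x66666666
"""

# One access-control entry. Leading whitespace marks the expanded children of
# an object-group entry; only the unindented parent is counted as a rule.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<body>.*?) \(hitcnt=(?P<hits>\d+)\)"
)
ACTION_RE = re.compile(r"\b(permit|deny)\b")


@dataclass
class Ace:
    acl: str
    line: int
    action: str  # "permit" or "deny"
    body: str    # rule text as printed by the ASA
    hits: int


def parse_access_list(text: str) -> List[Ace]:
    """Return the top-level ACEs found in `show access-list` output."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m or m.group("indent"):
            continue  # header, remark, log-flow summary, or expanded child
        body = m.group("body")
        action_match = ACTION_RE.search(body)
        action = action_match.group(1) if action_match else "unknown"
        aces.append(Ace(m.group("acl"), int(m.group("line")), action, body, int(m.group("hits"))))
    return aces


def unused_aces(aces: List[Ace]) -> List[Ace]:
    """ACEs that have not matched any traffic since the counters were last cleared."""
    return [a for a in aces if a.hits == 0]


def summarize(aces: List[Ace]) -> Dict[str, Dict[str, int]]:
    """Per-ACL totals: number of entries and how many of them are unused."""
    summary: Dict[str, Dict[str, int]] = {}
    for a in aces:
        entry = summary.setdefault(a.acl, {"entries": 0, "unused": 0})
        entry["entries"] += 1
        if a.hits == 0:
            entry["unused"] += 1
    return summary


def format_report(aces: List[Ace]) -> str:
    """Human-readable clean-up candidates, one line per unused ACE."""
    lines = []
    for acl, counts in summarize(aces).items():
        lines.append(f"{acl}: {counts['entries']} entries, {counts['unused']} unused")
    for a in unused_aces(aces):
        lines.append(f"  candidate: {a.acl} line {a.line} ({a.action}) {a.body}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_access_list(SAMPLE_OUTPUT)))
```

Feed it the saved output of `show access-list` from a device that has been up for a representative period; the expanded object-group lines are ignored so a rule is reported once, under its parent line number.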
Learn what your peers think about Cisco ASA Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
442,041 professionals have used our research since 2012.
Othniel Atseh
Network Security Consultant at a consultancy with 1-10 employees
One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't think that the ASA is enough. I think this is why they created FTD. Also, Cisco is not so easy to configure.
Network & Security Administrator at Diamond Bank Plc
The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.
Jonathan Muwanga
Head of Information Communication Technology at National Building Society
We have the ASA integrated with Cisco ISE for network access control. The integration was done by our local Cisco partner. It took them about a month to really get the solution up and running. I would like to believe that there was some level of complexity there in terms of the integration. It seems it was not very easy to integrate if the experts themselves took that long to really come up with a working solution. Sometimes we had to roll back during the process. Initially, when we put it up, we were having issues where maybe it would be barring things from users completely, things that we wanted the users to access. So we went through fine tuning and now I think it's working as we expect.
CEO at NPI Technology Management
I would say that in inexperienced hands, the interface can be kind of overwhelming. There are just a lot of options. It's too much if you don't know what you are looking for or trying to do. The GUI still uses Java, which feels out of date today. That said, it's an excellent GUI. The biggest downside is that Cisco has multiple firewall lines. The ASA line which is what we sell, and we sell most of the latest versions of it, are kind of two families. One is a little older, one's a little newer. We mostly sell the newer family. Cisco is kind of de-emphasizing this particular line of products in their firewall stable. That's unfortunate. They have the ASA line, Meraki, which is a company they bought some years ago where all the management is sort of cloud interface that they provide rather than a kind of interface that you manage right on the box. They also bought Snort and they integrated the Snort intrusion detection into the ASA boxes. In the last couple of years, they've come out with a sort-of replacement to Snort, a line of firewalls that don't use IOS. It's always been that the intrusion prevention and the basic firewalling features had separate interfaces within IOS. They've eliminated IOS in this new product line and built it from the ground up. We haven't started using that product yet. They have higher performance numbers on that line, and that's clearly the future for them, but it hasn't reached feature parity yet with the ASA. The main downside is that it feels a little bit like a dead end at this point. One needs to decide to move to one of these other Cisco lines or a non-Cisco line, at some point. We haven't done the research or made the plunge yet. What I would like to see is a more inexpensive logging solution. They should offer either the ability to maintain longer-term logs right on the firewall or an inexpensive server-based logging solution. Cisco has logging solutions, however, they're very high end.
Beka Gurushidze
System Administrator at ISET
We installed a Cisco patch a month ago. There was a new update for the Cisco firewall and there were security issues. We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco. I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense. There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products. Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall. The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.
CSD Manager at BTC
When I deal with other firewalls like Palo Alto or Fortinet, I think there is some room for performance tuning and enhancement of the ASA. I'm not saying there is a performance issue with the product, but when compared to others, it seems the others perform a little bit better. There could be enhancements to the cloud part of the solution. It's good now, but more enhancements would be helpful. Finally, security generally requires integration with many devices, and the management side of that process could be enhanced somewhat. It would help if there was a clear view of the integrations and what the easiest way to do them is.
Network Engineer at a comms service provider with 1,001-5,000 employees
My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA. Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA. I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough.
Amit Gumber
Senior Manager at HCL Technologies
Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.
Ryan Partington
Systems Administrator at Universal Audio
Even on a smaller scale, people are finding you need HA pairs, and there's no way that the ASA can do that, at least in the virtual version. We needed the ability to failover to one of the others to do maintenance, and this is a glaring issue. However, it is one of their cheaper products, so it's understandable. It is just that we would hope by now, because it has been in use in a lot of different environments, for even moderately sized companies, the ability to have HA pairs would be extremely useful.
Tier 2 Network Engineer at a comms service provider with 1,001-5,000 employees
One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes. If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.
Vikram Arsid
Cyber Security Software Engineer at FireEye
Cisco ASA should be easier to use. It is a bit tough to navigate and see what is going on. While I like the UI and dashboards of Cisco ASA, if you compare them to Palo Alto or Fortinet, they have much richer UIs. An analyst (or anyone) can see them, and say, "I have got all these important pointers on my dashboard." However, with Cisco ASA, we need to dig into many things and go to many views to see what is actually there.
Mustafa Ahmed
Network Security Engineer at qicard
I'm not really sure that much has to be improved. Compared to other firewall solutions probably the thing that could be improved is the interface — the GUI. Other than that I don't think there is anything else that could be better. I think it is a great product.
Technical Manager at a comms service provider with 501-1,000 employees
Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall, for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compared to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.
Sr. Network and Security Engineer at Eli Research
Cisco needs to work more on the security and tech parts. Palo Alto gives a complete solution. Customers are very happy to go with Cisco because they have been around a long time. But that's why we are expecting from Cisco to give us a solution like Palo Alto, a complete solution. Cisco provides us with application visibility and control, although it's not a complete solution compared to other vendors. Cisco needs to work on the application behavior side of things, in particular when it comes to the behavior of SSL traffic. There is a focus on SSL traffic, encrypted traffic. Cisco firewalls are not powerful enough to check the behavior of SSL traffic. Encrypted traffic is a priority for our company. In addition, while Cisco Talos is good, compared to the market, they need to work on it. If there is an attack, Talos updates the IP address, which is good. But with Palo Alto, and possibly other vendors, if there is an attack or there is unknown traffic, they are dealing with the signature within five minutes. Talos is the worst around what an attacker is doing in terms of updating bad IPs. It is slower than other vendors. Also, Cisco's various offerings are separate. We want to see a one-product, one-box solution from Cisco.
Senior Information Security Engineer at a financial services firm with 501-1,000 employees
I would definitely say the pricing could be improved. If you're going to get the latest and greatest of this solution, it's very expensive and it's actually the reason my organization is moving away from it. I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it.
Jonathan LELOU
Technical Sales Engineer at Inter-Continental Business Machines (ICBM)
I think the visibility of the network can be improved, at least from our current setup. I do not know everything about the solution and exactly how it can be modified. Another way they can improve is their pricing. One thing I notice about the price is that it would be good if they could adapt the price to the area where a company is. West Africa is not the same as India or the USA and it is much more difficult to afford. If Cisco can manage this for our people it would help us implement better solutions. To upgrade to some Cisco solutions or features you have to invest resources to create the solution or pay the difference for that functionality to upgrade services or license. It is not really an all-in-one solution. So if Cisco could manage to build an all-in-one solution with most or all of the features we would be looking for in one solution, it would be better for us. For example, if you want faithful service from the company and equipment, you have to pay more just to get the solutions. If it's included it would be easier for us to deploy.
IT Manager, Infrastructure, Solution Architecture at ADCI Group
When comparing this solution to other products, the Fortinet UTM bundle has some better features in their most recent product. For example, there are better configuration features, the Sandbox is better, and so is the web censoring. These are currently in the Cisco solution, but they are better in Fortinet. The Sandbox and the Web Censoring in this solution need to be improved. This solution has to be more secure from the cloud. The current trend is moving towards private cloud and hybrid cloud, so it is very important to consider the cloud security aspects when the solution is installed. This includes things such as IoT and the existence of user connectivity on the cloud.
Ahmed Nagm
IT Solution Consultant at PCS
The two areas that need improvement are the URL filtering and content filtering features. These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the product's functionality without having to pay for them on an individual basis.
Heritier Daya
Network Administrator at a financial services firm with 1,001-5,000 employees
The firewall throughput is limited to something like 1.2 Gbps, but sometimes we require more. Cisco makes another product, Firepower Threat Defence (FTD), which is a dedicated appliance that can achieve more than ten or twenty gigabits per second in terms of throughput. I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved.
Senior Network Administrator at a construction company with 1,001-5,000 employees
The FMC could be a little bit faster. It will be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.
Nadika Perera
CEO at Synergy IT
If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to log in to the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.
Imad Awwad
Group IT Manager For ME Region at Malia Group
In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline. Nowadays IoT, Big Data, AI, Robotics, etc. are all evolving and shifting from automatic to intelligent. All brands that do not follow will be extinct.
Hassan Javaid
Senior Executive Technical Support at AITSL
It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement. Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems. It should have multiple features available in a single product, e.g., URL filtering and a replication firewall.
Solutions Architect at a manufacturing company with 10,001+ employees
The inclusion of an autofill feature would improve the ease of commands. This solution would benefit from being more cost-effective.
Senior Network Administrator at Washington Trust Bank
One way the product could be improved is if you could monitor more than one rule at a time. We only have the option to have one monitor window up at a time. If you're trying to troubleshoot something, you end up switching back and forth and don't get the bigger picture all at once. It's reliable and it does its job. It gives you the freedom to do other things while you get indications of any issues. The multi-monitor would be a huge improvement. I'd definitely recommend the product. Even when you set it up for the first night, it definitely will tell you the status of the network. The important part in the setup is following the instructions to get it going.
George Karani
IT Manager
I would say the pricing could be improved. It's quite expensive, especially for the economy. I'd like to see more integration so that I don't need other parties for protecting my network. If I could just have ASA firewalls for perimeter protection and LAN protection, then I'm good. I don't need so many devices. I would like to see improvements for client protection.
Information Security Officer at a government with 501-1,000 employees
The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground up.
Farhad Foladi
Cloud Services Operation Engineer at Informatic Services Company (ISC)
I don't have any experience with the price, but ASA is a comprehensive solution. In the next update of the Cisco ASAv, I would like to see them release a patch for ASAv, i.e. to put the FirePower solution into the cross-platform integration.
Mbaunguraije Tjikuzu
Information Security Administrator at Bank of Namibia
Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.
Seang Haing
Team Leader Network Engineer at deam
With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management. For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco-only email solution; that's why we need the anti-spam on email facility.
Farooq Bashir
Sr Network Administrator at Orient Petroleum Inc
The annual subscription cost is a bit high. They should try to make it comparable to other offerings. We have a number of Chinese products here in Pakistan, which are already very cheap and have less annual maintenance costs compared to Cisco.
Ahmad Alkoragaty
IT Consultant at MOD
I would like for the user interface to be easier for the admin and network admin. I would also like to be able to access everything from the GUI interface. The way it is now, it needs somebody experienced in IOS to be able to operate it. I would like to have a GUI interface. It should have integrated licenses with our other products. There should be a license bundle, like for firewalls and IOS. It would be better if it was a bundled license.
Michael Collin
Senior System Engineer at a tech services company with 11-50 employees
The service could use a little more web filtering. If I compare it to Cyberoam, Cyberoam has more web filtering, so if you want to block a website, it's easier in other solutions than in Cisco. I think in Cisco it's more complicated to do that, in my opinion. It could also use a better web interface because sometimes it's complicated. The interface sometimes is not easy to understand, so maybe a better interface and better documentation.
Olivier Ntumba
Network & Systems Administrator at T-Systems
It would be ideal if the solution offered more integration capabilities with other vendors. For example, if you had a web security appliance, it would be great to be able to integrate everything in order to better report security events. While I can't think of specific features I'd like improved, overall, they could do more to continue to refine the solution. It would be nice if you didn't have to configure using a command-line interface. It's a bit technical that way.
Donald Fitzai
LAN admin at Cluj County Council
There definitely is room for improvement. We found it difficult to publish an antenna plug with the ASDM. Cisco should make the interface for the firewall more simple.
Nasser Abd EL Rahman
IT Infrastructure Manager at Beltone financial
The overall application security features can be improved. It could also use a reporting dashboard.
Munish Gupta
Partner - Consulting & Advisory at Wipro Technologies
The artificial intelligence and machine learning (behavioral-based threat detection), which I can see will be coming out in another year, these are what we need now.
Aimee White
Info Sec Consultant at Size 41 Digital
We didn't find any huge issues. Obviously, there are always vulnerabilities that come up and there was one in early 2018 but this was patched with software updates. Admin rights need to be given out carefully as they give overarching control to all devices - but that's the same for everything.
Shrijendra Shakya
C.T.O at Sastra Network Solution
The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard. They need a user-friendly interface that we could easily configure. It would be beneficial to have some of the features that Cisco has, integrating with other types of security.
Network Security/Network Management at a K-12 educational company or school with 201-500 employees
The program is very expensive.
Cristian Serban
Network Engineer at a financial services firm with 5,001-10,000 employees
* Interaction with the equipment
* Different interface with the product
* A more simple procedure in delivering policies to the equipment
* Simplified upgrade procedure
* Tracking flows
* Monitoring and logs should be easier.
Systems Administrator at a manufacturing company with 501-1,000 employees
The user interface is old-fashioned.
Bashir Bashir
IT Administrator at Vodafone
I tried to buy licenses, but I had trouble. Their licensing is too expensive. If they can get the reporting to go into deeper detail, it would really be helpful because in order to get the reports in Cisco you have to go to look at the information that you don't necessarily need. Also, the pricing is quite high.
IT Specialist at a government with 1,001-5,000 employees
There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue. Some of the features should be baked-in by default.
Integration / Wireless Engineer at J.B. Hunt Transport Services, Inc.
There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.
Security Solution Architect at a financial services firm with 5,001-10,000 employees
I see room for improvement when it comes to integrating all the devices into a central management system. Cisco doesn't provide this, but there are some good products in the market that can provide it. Apart from the cost, I think Cisco is quite well-positioned in the market. Also, in terms of site capabilities, other companies are still in the lead. The price, integration, and licensing models are quite odd.
Johnsey Kivoto
IT Manager at a manufacturing company with 51-200 employees
It is a secure product. But, it is not very easy to configure. You need to be knowledgeable to be able to manage it. In addition, due to changes in management, we found Cisco slightly behind some of the competitors in the market. Furthermore, the internet protection system seems to be lacking, in comparison to some of the competitors. This is why we are currently looking at other possible solutions.
Network Administrator at a healthcare company with 501-1,000 employees
I think that there should be better security of other firewall appliances. Migration is another main issue. If you migrate from the ASA to the new Fire Power Threat Defense appliance, it is not an easy migration. You have to do some of the migration manually, and if you are replacing those firewalls it will take a long time. It should be a smoother migration process. Some of the new engineers are still not familiar with it, and I think that Cisco should rehire some of the engineers coming from Sourcefire to do so.
Sr. Network Engineer at a construction company with 10,001+ employees
There are other solutions that are better such as Palo Alto. The management test needs improvement. The ACM requires Java and you need to know which version of Java is compatible with your Cisco version. It needs a client. The pricing could be reduced. I would like to see the issue with the client resolved. You shouldn't have to use the ASDM to help manage the client. Also, it should be subscription-based similar to Palo Alto.
Mahmoud Ashoub
Team Leader, Information Risk Engineer at National Bank of Egypt
Some of the features, like the stability, need to be improved.
Information Security Officer at a non-tech company with 10,001+ employees
I think the room for improvement of this solution is that there is a need for more of an application awareness capability. I just don't think it has the application awareness. It obviously looks at ports and what not, but it is not necessarily able to identify applications by their action, and what they're doing.
Network Engineer at a media company with 51-200 employees
At times the product is sluggish and slow. Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is.
Center for Creative Leadership at a professional training and coaching company with 501-1,000 employees
The phishing emails could be improved.
Fadil Kadrat
Network Engineer at Banque des Mascareignes
In terms of next-generation capabilities, Cisco is a little behind. It is way behind leaders like Palo Alto, Check Point and Fortinet. While Cisco is headed in the right direction, it will take several years for it to get there.
Network Operations Center Team Leader at a financial services firm with 10,001+ employees
If there is old hardware, or old appliances, it does not necessarily work with the new Cisco generation firewalls.
Moraima Matilda
Coordinator Network Support at a manufacturing company with 501-1,000 employees
It needs improvement as a "Next-Generation" firewall solution. In addition, it needs to be more user-friendly.
Tracey Jackson
Senior Network Engineer at Johnson & Wales University
The software was very buggy, to the point it had to be removed. We are moving completely away from Cisco NGFW. The product was pushed out before it was ready.
Samuel May
Information Security Manager at Tactical Air Support
The product would be improved if the GUI could be brought into the 21st Century.