Cisco Secure Firewall Room for Improvement

Paul Nduati - PeerSpot reviewer
Assistant Ict Manager at a transportation company with 51-200 employees

Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked.

The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other.

When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even Fortigate can.

A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the IPSs you have, and giving you the best output.

I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.

View full review »
SB
Director & CIO of IT services at Connectivity IT Services Private Limited

There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track. 

We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that.

Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.

View full review »
Mohamed Al Maawali - PeerSpot reviewer
Infrastructure Planner at Petroleum Development Oman

Its implementation was not straightforward. It was mainly because we were running two projects together. In terms of features, at this stage, I don't have inputs for the area of improvement. We are still in the implementation stage of our project. After we have the solution ready and we test it, we can go to phase two and see how to enhance the solution in the future. We can then see which features will allow us to do that. After we implement it, the next stages will be to maintain it, tune it, and build on it. We will then see how flexible it is.

View full review »
Buyer's Guide
Cisco Secure Firewall
March 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
763,955 professionals have used our research since 2012.
Tushar Gaba - PeerSpot reviewer
Technical Solutions Architect at NIL Data Communications

We're reaching [the point] where we want it to be. If you go 10 years back, we did miss the bus on bringing in the virtual versus the physical appliance, but now that we have had it, the ASAv, for a few years, I think we are doing the right things at the right place. 

The only improvement that we could make is maybe [regarding] the roadmap, to have better visibility as to what we are targeting ahead in the next few quarters. That is where we, as partners, can also leverage our repos with our customers and making them aware that there might be some major changes that we may have to introduce in their networks in the near future.

View full review »
BB
Cybersecurity Designer at a financial services firm with 1,001-5,000 employees

In terms of ways that the firewall could be improved, third-party integration is already reasonable. We were able to integrate with our vulnerability management software, for example. 

However, I would say that when we're looking at full-stack visibility, it can be difficult to get the right information out of Firepower. For example, you may need to get a subset of it into your single pane of glass system and then refer back to Firepower, which can add time for an analyst to look at a threat or resolve a security incident. It would be nice if that integration was a little bit tighter. 

View full review »
Josh Schmookler - PeerSpot reviewer
Network Engineer at Aton Computing

The policies module in FMC specifically isn't the most user-friendly. Coming from Cisco ASA, Cisco ASA is a little bit easier to use. When you get into particularly complex deployments where you have a lot of different interfaces and all that kind of stuff, it's a little bit tricky. Some usability improvements there would be nice. 

For scalability, they could support a little bit more diverse deployments around clustering and high availability. Currently, it's very active standby, and being able to do a three firewall cluster or four or five firewall cluster would suit some of my deployments a little bit better. It would also help to keep the cost down for the customer because you're buying smaller devices and clustering them versus larger devices.

View full review »
SM
Team Leader Network and Mail Team at a energy/utilities company with 10,001+ employees

The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics.

For example, if the ASA Firewall's software has to be upgraded, it has to be compatible with the IPS software—the FireSIGHT software. So that has to be upgraded as well, in addition to the ASDM software that you use to manage the firewall using the GUI. Besides that, if you are using the remote VPN part of the firewall, there is the AnyConnect hidden software that also requires an update.

So upgrading is a very extensive exercise, both when you're planning it and when you are doing it. The upgrades are very lengthy. Then Cisco introduced FTD as a unified approach, and that was a leap forward, but it has its own issues.

View full review »
Anthony Smith - PeerSpot reviewer
Principal Security Consultant at Vohkus

I would like to see more configurable feature parity with Cisco ASA, which is the legacy product that Cisco is moving away from. When configuring remote access VPN, not all of the options are there. You have to download another tool, which means that the configuration takes a little bit longer with Cisco Secure Firewall. Though it's getting there, there are still some features lagging behind.

View full review »
Isaiah Etuk - PeerSpot reviewer
Chief Digital & Technical Officer at Capital Express Assurance Limited

It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive. 

View full review »
AlexEng - PeerSpot reviewer
Systems Engineer at a healthcare company with 201-500 employees

A major area of improvement would be to have more functionality in public clouds, especially in terms of simplifying it. The high availability doesn't work right now because of the limitations in the cloud. Other vendors find ways to make it work differently than with on-prem solutions.

This is very important because we have customers that build solutions in the cloud that are like what they had on-prem. They have done a lift-and-shift because it's easier for them. They lift their on-prem physical boxes and shift them to the cloud, convert them to virtual, and it continues to work that way. Many times it's not the most efficient or best way to do things, but it's the easiest. The easiest path is probably the way to go.

View full review »
KB
CTO at Intelcom

It's a question of performance. When we talk about data centers, we are talking about 100 gig capacity or 400 gig capacity. When it comes to active-active solution clustering and resilience and performance, Cisco should look into these a little bit more.

View full review »
BL
Enterprise Architect at a tech services company with 51-200 employees

Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it.

View full review »
Simon Watkins - PeerSpot reviewer
Senior Network Architect at Prosperity247

One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes. 

To have that kind of feature, it's more than likely there would need to be some kind of storage on the device, but those boxes were designed a number of years ago now. They weren't really designed to have that built-in. Having said that, if you do reflash into the FTD image, and you've got the Firepower Management Center to control those devices, then all that logging is kept within the Firepower Management Center.

View full review »
DavidMayer - PeerSpot reviewer
Solution Architect at a energy/utilities company with 1,001-5,000 employees

There is room for improvement in the stability or software quality of the product. There were a few things in the past where we had a little bit of a problem with the product, so there is room for improvement. In the past, we had problems with new releases. 

Also, from the beginning, some functionalities or features have not worked properly. There are bugs. Every product has such problems, but sometimes, there are more problems than other products, so it's definitely something that can be improved, but Cisco seems to be working on it.

View full review »
Ken Mohammed - PeerSpot reviewer
UC Solutions Engineer at Diversified

I'm not a big fan of the FDM (Firepower Device Manager) that comes with Firepower. I found out that you need to use the Firepower Management Center, the FMC, to manage the firewalls a lot better. You can get a lot more granular with the configuration in the FMC, versus the FDM that comes out-of-the-box with it.

FDM is like Firepower for dummies. I found myself to be limited in what I can do configuration-wise, versus what I can do in the FMC. FMC is more when you have 100 firewalls to manage. They need to come out with something better to manage the firewall, versus the FDM that comes out-of-the-box with it, because that set me back about two weeks fooling around with it.

View full review »
NH
Network Engineer at a healthcare company with 10,001+ employees

For what we use it for, it ends up being the perfect product for us, but it would help if they could expand it into some of the other areas and other use cases working with speeding up and the reliability of the pushes from the policy manager.

View full review »
MC
System programmer 2 at a government with 10,001+ employees

I think they need to review their whole UI because it feels like it was created by a whole bunch of different teams of developers who didn't fully talk to each other. The net policy screen is just a mess. It should look like the firewall policy screen, and they should both act the same, but they don't. I feel like it's two different buildings or programming, that don't talk to each other, and that really annoys me.

They should either build an application or get away from the web. They need to do something that's uniform and more streamlined.

We have a multi-person firewall team, and I can't look at a policy while somebody else is in it. It'll kick me out. I might be working on something that the other guy has to modify. I know that in the next versions they will be dealing with it with a soft lock, but it should've already been there.

One of Cisco's strengths is the knowledge depth of their staff. The solutions engineer we worked with knew the routing and each protocol. If he didn't know something, he would reach out to someone else at Cisco who did. He would even talk to a developer if he needed to.

View full review »
MW
Executive Vice President, Head of Global Internet Network (GIN) at a tech services company with 10,001+ employees

The usability of Cisco Firepower Threat Defense is an issue. The product is still under development, and the user interface is very difficult to deal with. That's one area where it should be improved. Another area for improvement, which is also related to the firewall, is stability. We are having stability issues, and we had some cases where customers had a network down situation for about one or two days, which is not great.

View full review »
Chuck Holley - PeerSpot reviewer
Director of Networking at Albemarle Corporation

The Cisco Firewall UI could be improved. While having a centralized management console is a significant improvement, I believe there are several enhancements that could be made to the UI to enhance its user-friendliness and improve the overall flow. This is particularly important during troubleshooting, as we want to avoid wasting time navigating through different sections and excessive clicking. It would be beneficial to have everything readily accessible and a smoother flow to quickly reach the desired locations.

I believe Cisco needs to make the appliance more automated in order to provide us with additional time. This would eliminate the need for us to manually go through the firewall, search, find, and troubleshoot everything. It would be beneficial if the appliance had some form of AI integrated to generate such information, enabling us to quickly identify the problem. If necessary, we could then delve deeper into the issue.

View full review »
Jure Martinčič - PeerSpot reviewer
Engineer Specialist at Telekom Slovenije

The ease of use, when it comes to managing Cisco Firepower NGFW Firewalls, is getting better because the UI is improving. It was a bit cumbersome in previous versions. Checkpoint, for example, has one of the most intuitive user interfaces, and now Cisco is really improving.

The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Checkpoint has a very detailed user interface. Cisco is getting better and becoming more and more user-friendly.

Cisco needs a more intuitive user interface. When you know what to do, it's easy. Otherwise, you need training. You can install it and do the initial configuration, but if you don't have the proper training it's also possible to configure it the wrong way. If that happens, some things might pass through that you don't know about.

View full review »
PS
System Engineer at Telekom Deutschland GmbH

One con of Cisco Secure Firewalls is that Java is used a lot for the older generation of these firewalls. Java is used for the ASA and the ASDM tool for administration. It's an outdated way of administering, and it's also a security risk to use this kind of solution. This is a pro of Firepower or the newer generation of firewalls because they are using HTML for administration.

In general, they can make it easier to manage the solutions. They can make it easier in terms of administration and provide a single tool for different firewalling solutions. They have different tools to manage different firewalls, such as Firepower or ASA. Sometimes, both are on the same thing. You have ASA with Firepower modules, so you manage some of the things via HTML, and then you manage some of the things via another management tool. It's not seamless. It should be bundled together in one solution.

View full review »
Joseph Lofaso - PeerSpot reviewer
Senior Network Engineer at Pinellas County Government

The one thing that the ASAs don't have is a central management point. We have a lot of our environments on FTD right now. So, we are using a Firewall Management Center (FMC) to manage all those. The ASAs don't really have that, but they are easy to use if you physically go into them and manage them. 

I would like ASAs to be easier to centrally manage. Currently, in our central management, we have almost 100 firewalls in our environment, and it is almost impossible to manage them all. ASAs are now about 20% of them. We have been slowly migrating them out, but we still have some. Normally, what we would do with ASAs is physically go into those devices and do what we need from there, whether it is find rules, troubleshoot, or upgrade.

View full review »
Ryan Page - PeerSpot reviewer
IT Network Manager at MLSE

We are still running the original ASAs. The software that you are running for the ASDM software and Java application has never been a lot of fun to operate. It would have been nice to see that change update be redesigned with modern systems, which don't play nicely with Java sometimes. Cybersecurity doesn't seem to love how that operates. For us, a fresher application, taking advantage of the hardware, would have been a better approach.

View full review »
JATINNAGPAL - PeerSpot reviewer
Manager/Security Operations Center Manager at RailTel Corporation of India Ltd

The maturity needs to be better. The product is not yet mature. A running product is hit with the software bugs most of the time, and whenever we then log a case with the tech team, they're sometimes helpless with that. They have to involve the software development team to fix that bug in the next release. It's not ideal. Being an enterprise product, it should be mature enough to handle these types of issues.

View full review »
Daniel Going - PeerSpot reviewer
Managing architect at Capgemini

Licensing is complex, and I'd like it to be simplified. This is an area for improvement.

If we could create a Firepower solution that became like an SD-WAN or a SASE solution in a box, then perhaps we could exploit that on remote sites. We've already kind of got that with Meraki, but if we could pull out some of the features from ASA Firepower and make those available in SD-WAN in SASE, then it would be pretty cool.

View full review »
Marijo Sutlovic - PeerSpot reviewer
Head of Information Security at Otp banka d.d.

We have encountered problems when implementing new signatures and new versions on our firewall. Sometimes, there is a short outage of our services, and we have not been able to understand what's going on. This is an area for improvement, and it would be good to have a way to monitor and understand why there is an outage.

View full review »
Tim Maina - PeerSpot reviewer
Network Engineer at a tech vendor with 5,001-10,000 employees

One of the challenges we've had with the Cisco ASA is the lack of a strong controller or central management console that is dependable and reliable all the time. There was a time I was using what I think was called CMC, a Cisco product that was supposed to manage other Cisco products, although not the ASA. It wasn't very stable.

The controller is probably the biggest differentiator and why people are choosing other products. I don't see any other reason.

View full review »
CW
Security Engineer at a government with 501-1,000 employees

There's a little bit of a disconnect between Firepower’s management and the rest of the products, like DNA and Prime. The solution should have fewer admin portals for network, security, and firewalls.

View full review »
SV
Network Support Engineer at a manufacturing company with 51-200 employees

This product has a lot of issues with it. We are using it in a limited capacity, where it protects our DR site only. It is not used in full production.

The main problem we have is that things work okay until we upgrade the firmware, at which point, everything changes, and the net stops working. As a financial company, we have a lot of transactions and when the net suddenly stops working, it means that we lose transactions and it results in a huge loss.

We cannot research or test changes in advance because we don't have a spare firewall. If we had a spare then we would install the new firmware and test to see if it works, or not. The bottom line is that we shouldn't have to lose the network. If we upgrade the firmware then it should work but if you do upgrade it, some of the networks stop working. 

View full review »
ZK
Sr. NetOps Engineer at Smart Cities

Cisco Secure Firewall could benefit from enhancements in its API, documentation, and automation tools. Additionally, we've noticed that the Terraform provider for FMC has only two stars, few contributors, and hasn't been updated in a year. It only has 15 to 20 resources, which limits our capabilities. We'd love to update it and add more resources. For example, we currently can't create sub-interfaces with the provider, so we have to add Python code to our Terraform provider and use local provisioners. Additionally, improvement in the API would be helpful so that we can create ACL on the GUI with a simple click, but at this time we cannot create requests via the API.

View full review »
RV
Principal Network Engineer at a retailer with 10,001+ employees

We use the FTD management platform for the boxes. The GUI that manages multiple Firepower boxes could be improved so that the user experience is better.

View full review »
SG
Network Automation Engineer at a financial services firm with 1,001-5,000 employees

Cisco wasn't first-to-market with NGFWs. That is one of the options now. They did make an acquisition, but other vendors got into that space first. I would tell Cisco to move faster, but everything moves at the speed of light and it's hard to move faster than that. But they should look at what other vendors are doing and try not only to be on the same wavelength but a little bit better. It's hard to be critical of Cisco given that they pave the way a lot, but they should see what their peers are doing and try to emulate that.

In terms of additional features, perhaps there could be some form of integration with the cloud. I don't know how much appetite we would have for that given the principle of keeping a lot of the sensitive data on-prem. But some integration with the cloud might be useful, given that the cloud is everything you see these days. We have our on-premises devices, but maybe they could provide an option where it fails over to a cloud in a worst-case scenario.

View full review »
Augustus Herriot - PeerSpot reviewer
Senior Infrastructure Engineer at a insurance company with 10,001+ employees

When we first got it, we were doing individual configuring. Now, there is a way to manage from one location. We can control all our policies and upgrades with a push instead of having to touch every single piece.

View full review »
FS
Networking Project Management Specialist at Bran for Programming and Information Technology

In today's world, cyberattacks have become a common occurrence. However, so far, we have not faced any issues with our systems. I hope the situation remains the same in the future. If Cisco introduces even more advanced security measures, it would be beneficial.

One of the major issues we face in the Middle East is the long delivery time for Cisco products. Currently, they are taking almost 10 months to deliver, which is much longer compared to before when we received the products within 70 to 80 days or even two to three months. For instance, we recently placed an order that has a delivery date in the middle of 2024. This delay is unacceptable as customers cannot wait that long, and they may opt for other alternatives, such as Huawei, Juniper, or HPE. Therefore, Cisco needs to improve its delivery time and ensure that they deliver products within a reasonable timeframe, as it did before.

View full review »
ArunSingh7 - PeerSpot reviewer
Computer Operator at a retailer with 5,001-10,000 employees

The solution's price can be lowered because, currently, it is pricier than the tool its competitors offer in the market. If the product's prices are lowered, it may help Cisco to expand its market base.

If Cisco reduces the price of its product, then it can gain more advantage and become much more competitive in a market where there are solution providers like Fortinet FortiGate.

View full review »
KH
Systems Engineer at a engineering company with 5,001-10,000 employees

I would like to see an IE version of the solution where it is ruggedized. Most of what we do is infrastructure based on highways. Now that the product has a hardened switch, the only thing left in our hubs that isn't hardened is probably the firewall. It would be nice to pull the air conditioners out of the hubs.

View full review »
reviewer1448693099 - PeerSpot reviewer
Senior Network Engineer at a comms service provider with 1-10 employees

The integration with all the necessary products needs improvement. Managing various product integrations, such as Umbrella, is challenging.

View full review »
Ahmed Alsharafi - PeerSpot reviewer
Solution Architect at Dimension Data

We see a lot of vendors in the market with a lot of niche products. I understand that it's difficult to cover everything, but making it more open for integration with other vendors would be a value add for Cisco. Usually, the case I see with my customers is that they always have a multi-vendor setup for security. They have many products. When they have multiple products, each product does something very specific standalone, but there is always a challenge in how to correlate all these solutions or make them as one framework for securing the network.

View full review »
RS
Senior network security, engineer and architect at a computer software company with 5,001-10,000 employees

The ASAs are being replaced with the new Firepowers and they have a different type of structure in the configuration to be able to migrate from one to the other.

View full review »
Jordan De Sousa - PeerSpot reviewer
Network Manager at a computer software company with 501-1,000 employees

Cisco Secure Firewall's integration with cloud providers has room for improvement. We could do more in terms of integration, for example, if we had a tag on an instance. 

I would also like to see tag rules with cloud objects. This would be a great improvement for Cisco Secure Firewall. 

As far as MX is concerned, I would like to see more interconnection. We would also like to be able to do BGP.

View full review »
VW
Network Engineer at a computer software company with 201-500 employees

It would be nice if it had the client to actually access the firewall. Though, web-based access over HTTPS is actually a lot nicer than having to put on a client just to access the device.

For Firepower Threat Defense and ASAs, I would like it if there was a centralized way to manage policies, then sticking with the network functions on the actual devices. That is probably the thing that frustrates me the most. I want a way that you can manage multiple policies at several different locations, all at one site. You then don't have to worry about the connectivity piece, in case you are troubleshooting because connectivity is down.

View full review »
TI
Senior Network Consultant at a healthcare company with 1,001-5,000 employees

I'm not very familiar with the largest Firepower models, but competitors like Palo Alto seem to have a more capable engine to do, for instance, TLS/SSL decryption. As I understand, Firepower doesn't let you export the decrypted traffic so that, for instance, the security department can look at the traffic or inspect traffic. It's all in the box. I've heard rumors that this is something Cisco is working on, but it isn't yet available.

View full review »
FC
Global Network Architect at a agriculture with 10,001+ employees

It would be better if we could manage all of our firewalls as a set rather than individually. I would like to see a single pane of glass type of option. We also use another vendor's firewalls and they have a centralized management infrastructure that we have implemented. This infrastructure is a bit easier to manage.

View full review »
PC
Senior Engineer at Teracai Corporation

They should work on making it a little more intuitive for users and not quite as complex. Still, it's a good product.

View full review »
Samson Belete - PeerSpot reviewer
Network Engineer at a financial services firm with 5,001-10,000 employees

The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement.

Services from the outside, like financial services that are critical, should be protected by the NGFW. There are cyber attacks on these services. Therefore, adding this NGFW in front of those services will reduce our costs for cyber crime.

View full review »
DonaldFitzai - PeerSpot reviewer
Network Administrator at Cluj County Council

Setting firewall network rules should be more straightforward with a clearer graphical representation. The rule-setting method seems old-fashioned. The firewall and network rules are separate from the Firepower and web access rules. You can access the firewall rules through the Cisco ASDM application, not the web client. I'm using an older version, and I'm sure this issue will improve in the next edition.

Micro-segmentation is somewhat complex. It's not easy, but it's not too difficult, either, so it's somewhere in the middle. I used micro-segmentation for 10 or 15 VLANs, and ASA Firewall acts as a router for those VLANs. The visibility offered by micro-segmentation is pretty poor. It's not deep enough. 

View full review »
FC
Global Network Architect at a agriculture with 10,001+ employees

We would like to be able to manage a set of firewalls rather than individual firewalls. We haven't really looked into it or yet implemented it, but a single pane of glass would be helpful. We also use another vendor's firewalls, and they have a centralized management infrastructure that we have implemented, which makes it a little bit easier when you're managing lots of firewalls.

View full review »
IK
Network Engineer at a tech services company with 5,001-10,000 employees

With the new FTD, there is a little bit of a learning curve. The learning curve could probably be simplified a little bit. I've come around that learning curve, and I'm able to get around it.

View full review »
BB
Network Engineer at a university with 1,001-5,000 employees

I would like it if they made the newer generation a bit simpler. You can do ASA code and FXOS. It is just a bit confusing with the newer generational equipment on what it can do.

View full review »
SV
Critical Infrastructure at Wintek Corporation

We would like to see dual power supplies for some Cisco Firewall products. Having to get an ATS in the Data Center application because there's an A+B power feed on such a vital device with high availability may be something that I want to put in there.

View full review »
AS
Senior Network Architect at a tech services company with 10,001+ employees

Cisco ASA is starting to get old and Firepower is taking over. All the good things happening are with Firepower. Everything that I could wish for is in Firepower. We will probably not be doing too many new installations of ASAs since Firepower is mostly taking over.

View full review »
Fredrik Vikstrom - PeerSpot reviewer
IT Architect at Skellefteå Kommun

There should be more integration with Microsoft Identity.

View full review »
TO
Solutions Architect at Acacia Group Company

Changes you make in the GUI sometimes do not reflect in the command line and vice versa.

View full review »
CN
Infrastructure Architect - Network at a manufacturing company with 1,001-5,000 employees

Some of our problems are related to software updates in remote sites where the internet connection is not stable. Sometimes, the image push just gets disrupted and fails.

The most annoying thing is having to replace the hardware so often. It's very difficult for us to do.

The integration between different tools could be improved. For example, with SecureX, I am yet to find out how to forward security events to different tools such as Microsoft Sentinel, which is what we use for log detection.

View full review »
MM
Founder CCIE

I think Cisco would benefit from comparing its solutions to other products. There is a lot to learn from solutions like Palo Alto or FortiGate. These are top security products. For example, Palo Alto has better inspection visibility than Cisco. When we ask customers about Palo Alto, they say "I like Palo Alto. It helps me see problems on time. I can audit everything through it." Cisco could improve in this regard. Cisco's inspection visibility could be better. 

View full review »
BW
Network Security Team Lead at a government with 10,001+ employees

Cisco Secure Firewall’s customer support could be improved.

View full review »
JK
Specialist WINTEL Services at Descon Engineering Limited

Cisco Firepower is not completely integrated with Active Directory. We are trying to use Active Directory to restrict users by using some security groups that are not integrated within the Cisco Firepower module. This is the main issue that we are facing. 

There are some other issues related to their reports where we want to extract some kind of user activity. When a user tries to connect to our website, we are unable to read its logs in a proper manner and the report is not per our requirement. These are two things that we are facing.

Per my requirements, this product needs improvement. For example, I want to use and integrate with Active Directory groups. 

View full review »
FH
Product Owner at a manufacturing company with 10,001+ employees

If WSAP remains to be an active product, it might be an idea to integrate the configuration policy logic between Umbrella and WSAP. There should be one platform to manage both.

The integration between the on-prem proxy world and the cloud proxy would benefit us. One single policy setting would make sense.

View full review »
CE
Network engineer at a government with 10,001+ employees

Cisco still has a lot of work to do. You can convert an ASA over to a Firepower, but the competitors, like Palo Alto and Juniper, are coming in. And believe it or not, they are a little bit more intuitive. Cisco has a little bit more work to do. They're playing catch up.

There is also content filtering. The bad actors are so smart nowadays, that they can masquerade as the data for a given port, and they can actually transfer data through that port. The only thing that the older firewalls know about is the port. They can't read the data going across it. That's where content filtering comes in, like Palo Alto has, with next-generation firewalls.

View full review »
KB
Data center design at a comms service provider with 10,001+ employees

It needs to provide the next-generation firewall features that other vendors provide, like data analytics, telemetry, and deep packet inspection.

Also, the ASAs need to be improved a little bit to keep up with the demand for high bandwidth and session count applications.

View full review »
CM
System Engineer at a computer software company with 201-500 employees

Firepower's implementation and reliability need room for improvement. 

View full review »
CT
Analytical Engineer at a pharma/biotech company with 10,001+ employees

It can be improved when it comes to monitoring. Today, the logs from the firewalls could be improved a bit more without integrating with other devices.

I would like to see more identity awareness.

View full review »
Orla Larsen - PeerSpot reviewer
Network specialist at a retailer with 10,001+ employees

The overall licensing structure could improve to make the solution better.

View full review »
MK
Security admin at a wholesaler/distributor with 10,001+ employees

The application detection feature of this solution could be improved as well as its integration with other solutions. 

View full review »
MF
Network Engineer at a financial services firm with 10,001+ employees

It's already pretty good. In terms of functionality, there isn't much to improve. There could be more bandwidth and better interface speed.

View full review »
NJ
CTO at a tech vendor with 1-10 employees

FMC could be improved because management with FMC is quite difficult compared to using Firepower web-based management.

View full review »
MS
VSO at Navitas Life Sciences

Maybe the dashboard could be a bit better. There are some reports where we don't get it. We need a deep dive into a particular URL, however, it provides the URL and the IP address, and there is no more information that can show more details. Basically, the report models can be improved.

With their console, we have to build a separate VM. In some of the products, the management console comes along with the box itself. It'll be one solution to take the backup and keep it. Even if you want to build a DR, it'll be easy. However, the challenge we had is if that VM is down, my team may not able to access the Firepower remotely. Therefore, the management console itself should be built within the Firepower box itself, rather than expecting it to be built in a separate VM.

View full review »
Sergiy Ovsyannyk - PeerSpot reviewer
VP Network Engineering at a computer software company with 501-1,000 employees

Cisco is still catching up with its Firepower Next-Generation firewalls. It's naturally growing and getting better.

View full review »
TM
Solutions Consultant at a comms service provider with 10,001+ employees

Sometimes my customers say that Cisco firewalls are a bit more difficult compared to Fortigate or Palo Alto. There is complexity in the configuration and the GUI could be improved.

View full review »
RW
System Administrator at a healthcare company with 501-1,000 employees

it is difficult to say what it needs in terms of what needs to be improved. I don't work with it on a daily basis.

I haven't heard anything negative about it.

While this applies to all vendors, pricing can be always lower. In my opinion, Cisco is the most expensive. 

The pricing can be reduced.

View full review »
HG
Daglig leder at a tech services company with 1-10 employees

They have already improved it to some degree. It has become easier, but I've not drilled down much myself. I mostly use CLI, but I can see that it's a little bit more GUI-based. So, improvement is already there. It's a good thing that we now have GUI-based control over the details, and that would be the way to go.

It integrates with other security products from Cisco, but sometimes, there can be glitches or errors.

View full review »
PK
System Engineer

I have a lot of difficulties with the solution's Firewall Management Center (FMC) and the GUI. Neither is responsive enough and should be improved.

View full review »
Rene Geiss - PeerSpot reviewer
Network Engineer at a computer software company with 51-200 employees

One big pain point I have is the ASDM interface because it's Java, and sometimes, it's a bit buggy and has low performance. That's something that probably won't be improved because of backward compatibility. 

The CLI is not always clear. It's not always intuitive.

Some of the things, such as site-to-site VPN, are complicated to set up. The settings you have are all hidden away in crypto maps, and you can't have a setting per tunnel. When you want to change one particular tunnel, you automatically change them all. That's a drawback.

View full review »
Ibrahim Elmetwaly - PeerSpot reviewer
Presales Manager at IT Valley

It's not unexpected, but it's a common scenario where customers request dual layers of security. For instance, when dealing with regulatory compliance, especially in financial sectors regulated by entities like the Central Bank, having two distinct units is often mandated. If a client predominantly uses a solution like Palo Alto, they may need to incorporate another vendor such as Cisco or Forti. Importantly, there's a significant disparity in interfaces and management platforms between these vendors, necessitating careful consideration when integrating them into the overall security architecture.

View full review »
HR
Director of network ops at a non-profit with 51-200 employees

We have an older version of the ASA and there are always improvements that could be made. Nowadays, nobody is in the office, so I need to figure out how to put the firewall outside. If I could have a centralized firewall that also receives information from external locations, like peoples' home offices, that would help us consolidate everything into one appliance.

View full review »
James-Buchanan - PeerSpot reviewer
Infrastructure Architect at a healthcare company with 10,001+ employees

I don't have any specific improvements to recommend. However, when you compare the throughput of a Cisco firewall to the competitors, especially Fortinet, what you find is that Cisco has lagged a little bit behind in terms of firewall throughput, especially for the price that you pay for that throughput.

View full review »
BL
Network Engineer at a construction company with 1,001-5,000 employees

The cloud does not precisely mimic what is on-premises. There are some new challenges with the features in Azure. Due to Azure limitations, we cannot synchronize configurations between an active standby. This aspect makes it difficult to perform such tasks in the cloud, requiring manual intervention.

View full review »
JP
Network Engineer at Ulta Beauty

In order to do an upgrade, we need to upload the software to the firewall, then upgrade the secondary and do a failover. Uploading this software into the firewall is old technology. For example, if you look at the Cisco Meraki firewall, you can schedule the software upgrade. Whereas, here we can't.

Recently, we have been having an issue with the ASA firewall. We haven't found the root cause yet and are still working on it. We failed over the firewall from active to passive and suddenly that resolved the issue. We are now working to find the root cause.

View full review »
MH
Security architect at a computer software company with 51-200 employees

We are replacing ASA with FTD which offers many new features. 

View full review »
MH
IT Service Technician at Scaltel AG

Cisco Secure Firewall should be easier to handle. It uses ASDM, which is not easy to understand. It would be better if there was direct access via HTTPS.

View full review »
HN
Network Lead at a tech company with 10,001+ employees

One thing that Cisco could improve is the GUI. The graphic user interface should be more user-friendly. If you compare it with some of its competitor's GUIs, Cisco falls short in terms of how rules are pushed. 

We have also run into issues with functionality and flexibility. Cisco does fall behind its competitors in this regard. It's our opinion that Cisco is not a leader in security devices. 

View full review »
ON
Network & Systems Administrator Individual Contributor at T-Systems

It would be ideal if the solution offered more integration capabilities with other vendors. For example, if you had a web security appliance, it would be great to be able to integrate everything in order to better report security events.

While I can't think of specific features I'd like improved, overall, they could do more to continue to refine the solution.

It would be nice if you didn't have to configure using a command-line interface. It's a bit technical that way.

View full review »
Imran Rashid - PeerSpot reviewer
IT/Solutions Architect at a financial services firm with self employed

We only have an issue with time sync with Cisco ASA and NTP. If the time is out of sync, it will be a disaster for the failover.

View full review »
DJ
Network Systems Manager at a computer software company with 5,001-10,000 employees

I would like to see them update the GUI so that it doesn't look like it was made in 1995.

View full review »
Ahmet Orkun Kenber - PeerSpot reviewer
Technical Network Expert at NXP Semiconductors Netherlands B.V. Internet EMEA

I think that the solution can be improved with the integration of application-centric infrastructure. It could be used to have better solutions in one box.

View full review »
JC
Engineer at a tech services company with 501-1,000 employees

It should be easier for the IT management or the admin to configure products. For example, the firewall products are not very straightforward for many users. They should be easier to configure and should be more straightforward. 

Some competitors are very easy to configure, you don't need to spend a lot of time reading the documents and learning them.

View full review »
ZM
Network Engineer at EURODESIGN

I started to configure the device with version 7.2. After that, I had a problem. It was not a physical problem. It was a software problem. They advised me to install 7.0. I uninstalled and reinstalled everything. It took time, but it started to work normally.

I am not a programmer, but on the business side, they should fix all such issues in the future. We are Cisco partners, and when we recommend Cisco FirePower to customers, they always think that FirePower is bad. For a single installation of FirePower, if I have to write about 18 tickets to Cisco, it's a big problem. There was an issue related to Azure. We had Active Directory in Azure. The clients had to connect to FirePower through Azure. We had a lot of group policies. After two group policies, we had to make groups in Azure, and they had to sign in and sign back. It was a triple-layer authentication, and there was a big problem, so we didn't use it.

View full review »
FS
Security engineer at a energy/utilities company with 10,001+ employees

Third-party integrations could be improved.

Not everything works out-of-the-box. Sometimes, you have to customize it to your needs. 

View full review »
GD
Cybersecurity Architect at a financial services firm with 5,001-10,000 employees

The solution is overcomplicated in some senses. Simplifying it would be an improvement.

View full review »
YP
Principal Network Security Manager at a tech vendor with 10,001+ employees

Sometimes there is a lack of performance. One of my colleagues is using the firewall as an IPS, but he is worried about Firepower's performance. It is much lower than we expected. They need to improve the performance a lot. With the 10 Gb devices, when it gets to 5 Gbps, the CPU usage goes up a lot and he cannot manage the IPS.

View full review »
Achilleas Katsaros - PeerSpot reviewer
Head of IT Network Fixed & Mobile at OTE Group

We have seen some bugs come up with Cisco Secure Firewall in terms of high availability. The solution should be improved to avoid these bugs. 

View full review »
AliTadir - PeerSpot reviewer
Owner at Nexgen IT Solutions

Most of the features don't work well, and some features are missing as well. The completeness of the solution is most important for me. It should be complete, but some parts are missing. Cisco should improve it.

Every part of the features should be developed. That includes the next-generation firewall parts, such as application recognition.

View full review »
LA
Lead Network Engineer

I would like to see them add more next-generation features so that you don't need a lot of appliances to do just one task. It should be a single solution.

View full review »
Akshit Chhokar - PeerSpot reviewer
Technical Solutions Specialist - Networking at Google

The product's user interface is an area with certain shortcomings where improvements are required.

From an improvement perspective, the product's price needs to be lowered.

View full review »
ME
Director of network engineering

It would be good if Cisco made sure that the solution supports all routing protocols. Sometimes it doesn't.

View full review »
Nagendra Nekkala - PeerSpot reviewer
Senior Manager ICT & Innovations at Bangalore International Airport Limited

The solution's deployment is time-consuming, which should be minimized and made more user-friendly for us.

The solution's graphical user interface could be made more user-friendly, and the configuration can be simple.

View full review »
Francisco Gaytan Magana - PeerSpot reviewer
Network Architecture Design Engineer at a comms service provider with 10,001+ employees

The access layer of this solution could be improved in terms of the way the devices interconnect with our network. We need to be able to analyze the traffic between the different interconnections in these areas.

In a future release, we would like to have an IP analyzer to try to identify the specific comportment of the customers.

View full review »
Catalin Enea - PeerSpot reviewer
System Engineer at a computer software company with 5,001-10,000 employees

Firepower's user experience should be a little bit better.

View full review »
WN
CTO at a government with 10,001+ employees

The process of procuring modern-day technology within the DOD needs to improve.

View full review »
DJ
IT Consultant at ACP IT Solutions AG

The management of the firewalls could be improved because there are a lot of bugs.

View full review »
PR
Senior Network Engineer at a manufacturing company with 1,001-5,000 employees

The user interface is a little clunky and difficult to work with. Some things aren't as easy as they should be.

View full review »
Juan Carlos Saavedra - PeerSpot reviewer
Coordinador de Tecnología at a tech vendor with 1,001-5,000 employees

The ease of use needs improvement. It is complex to operate the solution. The user interface is not friendly.

View full review »
MZ
Senior Network Administrator at a comms service provider with 201-500 employees

The stability could be better because we have a lot of issues with the stability of Cisco Firepower.

View full review »
BW
Network analysis at a government with 1,001-5,000 employees

The ability to better integrate with other tools would be an improvement.

View full review »
FV
Admin Network Engineer at Grupo xcaret

I would like more features in conjunction with other solutions, like Fortinet.

View full review »
MS
Network Architect at a tech vendor with 10,001+ employees

This solution could be more granular and user-friendly.

View full review »
EL
Network Engineer at a government with 10,001+ employees

Cisco ASDM is a problem because it is old.

View full review »
CD
Senior Solution Architect at Teras Solutions Limited

The solution’s GUI could be better.

View full review »
Md Mahbubul Alam - PeerSpot reviewer
Head of Information Security Division at Prime Bank Ltd.

The virtualization aspect has room for improvement.

The scalability has room for improvement.

View full review »
Buyer's Guide
Cisco Secure Firewall
March 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
763,955 professionals have used our research since 2012.