Cisco ASA NGFW Room for Improvement

Network & Security Administrator at a financial services firm with 5,001-10,000 employees
The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.
Beka Gurushidze
System Administrator at ISET
We installed a Cisco path a month ago. There was a new update for the Cisco firewall and there were security issues. We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco. I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense. There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products. Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall. The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.
Jijish Gopi
Security Engineer at a tech services company with 201-500 employees
It doesn't have a proper GUI to do troubleshooting, so most people have to rely on the command line. It's a sort of legacy product nowadays. The firewalls which are the next generation have loads of features added to them, and they are all in one box. It should have packets, deep level inspections and controls, like the features which other IPS solutions have. It just doesn't have any. It's just a box which does firewalling. Threat management features also should be added into it. So, the first thing is that the GUI has to be improved. The second thing is that the UTM features have to be added to it in a much broader way; not by relating to other third-party solutions which is how it is done right now. It should have built-in UTM features like other firewalls have now. Plus it should have the ability to analyze any packets which have malicious behaviors. Currently it doesn't have anything like that. It's just a layer-3 firewall. Regarding the GUI, it's a very childish sort of attempt. It hasn't been improved since I started working with it. Yes, it shows the logs as they are but it doesn't have any option to do proper reporting.
Frank Theilen
IT Adviser/Manager with 51-200 employees
Firewalls, in general, were not really designed for normal IT personnel, but for firewall and network experts. Therefore, they missed a lot of options and did not provide any good reporting or improvement options. For example, to update or add a feature, you end up buying new support and licenses. The process is complex and changes so rapidly that you won't find a salesperson who will offer you the right products. New generation firewalls are cloud managed or provide a good interface. They integrate into the environment. They are application aware and come with security features that are especially designed for the purpose.
Ahmed Nagm
The two areas that need improvement are the URL filtering and content filtering features. These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.
Nadika Perera
CEO at Synergy IT
If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to log in to the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.
Information Technology Manager at a financial services firm with 10,001+ employees
The only con that I have really seen with it is the reporting structure. FirePOWER is good. It has been a great help because, before that, it was not good at all.
Neil McFadyen
Supervisor of Computer Operations at a university
* It is confusing to have two management interfaces, e.g., ASDM and Firepower Management Center. It would be nice to have a Windows program instead of a virtual appliance for the Firepower Management Center. The ASA and Firepower module seem redundant, not sure which one to set the rules in, but maybe that was for backward compatibility. I am not sure that is very useful.
* It is surprising that you need to have a virtual appliance for the Firepower Management Center. It is not good if you have to set up a VMware server just for it.
* 10Gb interfaces should be available on more models.
Hassan Javaid
Senior Executive Technical Support at AITSL
It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement. Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems. It should have multiple features available in a single product, e.g., URL filtering and a replication firewall.
Information Security Officer at a government with 501-1,000 employees
The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground-on-up.
Security Governance at a comms service provider with 1,001-5,000 employees
* VPN creation with Cisco is quite difficult: Some DH groups are not supported (compared to Juniper).
* Expected to see the enablement of virtual routing, which is key in a Telco environment. We need to provide this in LAN to LAN services with shared platforms (DNS, proxies, etc.).
* Application visibility
Christina Phillips, MBA
Principal Network Engineer at a tech services company with 51-200 employees
People tend to think of firewalls as firewalls and routers as routers. Going by the book, I had to create a number of static routes in the firewall so it could reach the various subnets in my client's internal network. I decided to turn on OSPF routing to simplify my deployment. This resolved a lot of issues with remote VPN and site-to-site VPN tunnels. In my experience, a number of engineers get tunnel vision with devices. This is exacerbated by vendors fostering a silo mentality in disciplines. I cannot name the organization, but a large national non-profit in the medical field had too many network configuration problems because of the silo mentality. Large Cisco ASA units have the capability to act as routers. This particular non-profit would not enable routing on the ASA until I explained that it would resolve a number of issues that they were experiencing and resolving by static routes, a second Cisco ASA, and a proxy server.
Mbaunguraije Tjikuzu
Information Security Administrator at Bank of Namibia
Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.
Seang Haing
User at deam
With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management. For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.
Fabrizio Volpe
Senior Consultant at Unify Square
You have to know the ASA command line very well because not all operations are available in the graphical interface (or let's say that sometimes it is better to operate with the ASA CLI). If you are searching for an "all in one product" it is not for you.
Network Engineer with 201-500 employees
ASDM can be improved. Also, a rollback option to a previous config in time will be a great option. Logging can be improved to a vast extent, I think Palo Alto has a pretty good logging structure.
Pete Nixon
Senior Network Security Engineer at a university
It's not perfect, and does have room for improvement with certain features. The SSL VPN is, and always has been, painful to configure and the Java plugin does not guarantee a uniform deployment. Certain documentation on the newer models of ASA (specifically, ASA 5500-X with FirePower services) is a little out of date and in some cases incorrect, although this may have been corrected since my last deployment.
Alin Prodea
Network Security Administrator at a tech company with 5,001-10,000 employees
It should have an additional “operating mode”, like a “candidate configuration mode”, where you would have the possibility to test the changes you are going to implement and also the possibility to validate these changes. In addition, a "testing" feature should be performed to let you know what would be the consequences of applying these new changes. Only after you would see the tests’ results (if they do not create any unwanted effect) would you go and commit them.
Danut Agache
Computer Networking Consultant and Contractor
The ability to integrate (as options) all-in-one features -- like anti-spam, anti-virus, etc.
Alexander Kostov
Senior IT Networking and Security Manager at a tech services company with 10,001+ employees
The next generations part of these products need a better approach. A lot of vendors are definitely a step or two in front of them.
Rizal Meijer
Networking Specialist at an insurance company with 1,001-5,000 employees
* The SSL VPN portal could be better.
* The ASAs support both IPSEC and SSL VPN.
* For IPSEC you need a Cisco VPN client.
* You can only have two SSL VPN sessions.
* For more SSL sessions you have to pay (750 IPSEC sessions are included with an ASA).
* With SSL, you connect through a browser, so it is clientless. The SSL portal offers a few functionalities which you can offer a user. Configuring this portal is not an easy task.
Presales Consultant at a tech services company with 51-200 employees
Management console – Firesight Management Center. When deploying Cisco FMC versions 6.0 and 6.1, some issues may appear when trying to register ASA sensors. The problem needs Cisco TAC involvement, adding more effort and time. I guess this will be fixed in version 6.2.
Sergei Chernooki
System Engineer at a tech services company with 501-1,000 employees
I would like to see new SW versions being more stable and HW performance increase. However, the new 2000 series has high performance, but it is not shipped widely so far.
Technical Specialist with 5,001-10,000 employees
Area: URL filtering and content filtering. When Cisco ASA is presented as an enterprise firewall, that should be capable of doing IPS/IDS, firewalling, VPN concentrator, application filtering, URL filtering and content filtering. Of course, the last three technologies can be done by a proxy. But nowadays, all next generation firewalls like Fortinet, Check Point, and Palo Alto are each bundling the UTM features into a single box with multiple separate content processors (hardware) to do these jobs. This would enable a single pane of glass for management. No need to look at different devices for change management and troubleshooting. I would say Cisco ASA is the best except for its URL and content filtering module. And these modules in ASA are not straightforward, rather complex in managing the device.
Timothy Ames
Member of the Board of Directors at a tech services company with 1,001-5,000 employees
I’m not a fan of the new modular licensing model. Cisco moved from a base license to an a la carte SaaS model a couple of years back, wherein the customer is required to pay for feature sets on a case-by-case basis. This makes it difficult for people who want to study and trial new technologies and features.
Kiarash Barzoodeh
Security Engineer at ODI
After Firepower V6.1, Cisco added bandwidth shaping on the FTD product. This feature is a little bit weak. You cannot have customized shaping in different projects.
Syed Razvi
Network and System Engineer at a non-tech company with 201-500 employees
Pricing of this product needs improvement.
Johnsey Kivoto
IT Manager at a manufacturing company with 51-200 employees
It is a secure product. But, it is not very easy to configure. You need to be knowledgeable to be able to manage it. In addition, due to changes in management, we found Cisco slightly behind some of the competitors in the market. Furthermore, the internet protection system seems to be lacking, in comparison to some of the competitors. This is why we are currently looking at other possible solutions.
Alvaro Picado
Systems Manager at a non-profit with 201-500 employees
Our model, due to its age, does not have Layer 7 control or integration with Active Directory. Something that could be improved would be the log system. It's very cumbersome if you do not use an external Syslog server.
Rizwan Siddiqi
Network Security Consultant at a tech services company with 51-200 employees
Some improvements required on GUI interface called ASDM. It should include health check parameters like temperature, memory used.
IT Manager at a construction company with 11-50 employees
The solution that we have right now doesn't do what I want it to do. We don't have a ratified solution for all the things that I wanted to right across our business. We're doing similar functions using different technology and I want ratification. I want to be able to do more than what we are currently able to do with the existing service, all under the umbrella of improving security.
Network Administrator at a healthcare company with 501-1,000 employees
I think that there should be better security of other firewall appliances. Migration is another main issue. If you migrate from the ASA to the new Fire Power Threat Defense appliance, it is not an easy migration. You have to do some of the migration manually, and if you are replacing those firewalls it will take a long time. It should be a smoother migration process. Some of the new engineers are still not familiar with it, and I think that Cisco should rehire some of the engineers coming from Sourcefire to do so.
Account Manager
* Bandwidth allocation.
* SSL decryption (avoid installing the intermediate device certificate in the client) should happen from Firepower itself.
* Critical bugs need to be addressed before releasing the version.
* Need to reduce the time for detection of new threats.
* Enable a feature for importing/exporting logs when required for analysis.
* Dynamic IP address in client systems mapping with respect to OS change or device change should be updated periodically in FireSIGHT management.
* Virtual patching would be helpful for servers that are not able to update patches due to compatibility issues.
Azar Mammadli
IT Operation Manager
* License politics
* License price
* Precise vendor roadmap for this product
Meei Ling Tan
Senior Network Specialist
It would be useful to gather all security features in one box. For example, certain features like URL filtering and application control licenses need to be purchased separately and it depends on the hardware spec, as not all models are supporting these two features. This causes the user to be highly dependent on the pre-sales person.
Security Technical Architect at a tech services company with 10,001+ employees
Well tested software releases. We have had a number of bugs on the FirePOWER software across several clients which have been very inconsistent and have affected our ability to deliver.
Mahmoud Ashoub
Team Leader, Information Risk Engineer at National Bank of Egypt
Some of the features, like the stability, need to be improved.
IT System Administrator at a transportation company with 201-500 employees
The Cisco ASA device needs overall improvement, as configurations alone do not completely secure my network. The operational procedures in use on the network contribute as much to security as the configuration on devices.
Network Engineer at a mining and metals company with 1,001-5,000 employees
The next-generation firewall could improve. Still, they have NGFW 5525 but I haven’t tried it yet.
Sedef Koker
IT Manager at a manufacturing company
I need application user-IP blocking, Intrusion Prevention, QoS; I can't do these with Cisco and have to change it.
Information Security Officer at a non-tech company with 10,001+ employees
I think the room for improvement of this solution is that there is a need for more of an application awareness capability. I just don't think it has the application awareness. It obviously looks at ports and what not, but it is not necessarily able to identify applications by their action, and what they're doing.
Project Manager with 11-50 employees
It could have more functions for load balance on the internet.
I.T Security Consultant
The ASA needs to incorporate the different modules you have to integrate to achieve UTM functions, especially for small businesses.
Joseph Kingori
IT Support Engineer
The equipment is too expensive compared with other firewall products.
Tahir Javed
Manager Network Security at a financial services firm with 5,001-10,000 employees
This product lacks in GUI format; that needs to be more mature and composed.
Technical Administrator at a tech services company
There are more powerful firewalls, other than the Cisco NGFW, like Fortinet, Palo Alto and so on. I can't say Cisco is the leading firewall brand as of now, as the technology innovates.
Ed Dallal
Founder, CEO, & President at Krystal Sekurity
Integration of advanced malware services with the firewall through Firepower services.
ICT Manager with 1-10 employees
It is not very user-friendly for the administration.
Network Engineer at a media company with 51-200 employees
At times the product is sluggish and slow. Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is.
Aaron Solis
ESS Security with 201-500 employees
There is always room for improvement in virtually anything. However, the relatively new Firepower Threat Defense image (mix of ASA and Sourcefire network security) fills a lot of gaps and features that were missing on ASA. Moreover, with FMC (Firepower Management Console) you can complement it with even more admin and reporting capabilities for the entire platform.
Fabian de Wit
Corporate Information Security Officer
I would like to see the following made easier:
* Objects
* Removing objects
* Correlating access rules and AnyConnect ACLs

Sometimes we suffer from older versions, such as objects, object groups, and aliases (name).
Center for Creative Leadership at a professional training and coaching company with 501-1,000 employees
The phishing emails could be improved.
Dorin Berbescu
Executive Manager with 11-50 employees
The price and compatibility with other vendors' products can be improved.
Alondra Tyler
Sales Manager at a tech services company with 11-50 employees
I needed to be well-versed with all the command lines for Cisco ASA in order to fully utilize it. I missed this info and wasted some operational costs. I would like to advise others to please be wary from the start.
Fadil Kadrat
Network Engineer at a tech services company with 201-500 employees
In terms of next-generation capabilities, Cisco is a little behind. It is way behind leaders like Palo Alto, Check Point and Fortinet. While Cisco is headed in the right direction, it will take several years for it to get there.
Mohamed Shehada
Senior Network & Data Communication Engineer at a tech services company with 201-500 employees
Some default inspection rules need better tuning. Focus development on CLI version.
Network Operations Center Team Leader at a financial services firm with 10,001+ employees
If there is old hardware, or old appliances, it does not necessarily work with the new Cisco generation firewalls.
Deanna Acre
Information Systems Manager at a manufacturing company with 201-500 employees
I would like it to be easier to work with and have a better user interface. It is not straightforward. You need to know the Cisco command-line interface.
Arshad Mohammad Khan
Security Consultant at Accenture
This product should have moved towards making UTMs.
Shaikh Muhammad Adeel
Sr Network Engineer at a tech services company with 501-1,000 employees
I think it's the perfect Firewall for SME.
Moraima Matilda
Coordinator Network Support at a manufacturing company with 501-1,000 employees
It needs improvement as a "Next-Generation" firewall solution. In addition, it needs to be more user-friendly.
User at a tech services company with 10,001+ employees
We are looking for software taxi capabilities.
Regional Manager - Pre Sales at a tech services company with 51-200 employees
* Integration aspects
* Traffic shaping
Network Consulting Engineer at an energy/utilities company with 10,001+ employees
The needed features are already being done on Firepower, but this software is still in flux.
Solutions Architect at a tech services company with 51-200 employees
License capacity needs to be extended and the vendor needs to work on the pricing.
Network Administrator at a financial services firm with 1,001-5,000 employees
The solution has two separate GUIs and at least three different CLIs (ASA CLI, Sourcefire CLI, and Firepower Management Center CLI). In addition, ASDM plus Firepower Management Center GUIs. If Cisco could stop rebranding, combine all the CLIs/GUIs, and give a consistent experience, this would be great. Also, AnyConnect is very difficult to manage and use.
Network and Security Engineer at a tech vendor with 501-1,000 employees
The IPS and GUI are outdated. It is finally getting IPS inside, which will be a big improvement. The GUI is outdated, and they are slowly improving it. We will see if they go in the correct direction. Unfortunately, they usually just follow other vendors. It is slowly not supported and other vendors are a few years ahead of Cisco in development.
Heath Freel
President and CTO with 51-200 employees
* Integrated threat management
* Route-based VPNs: VPNs are weak as this product still does not support route-based VPNs.
* Single management interface
* Better throughput for price point
User at a comms service provider with 1,001-5,000 employees
ASDM needs to be able to customize applets.
Manager with 11-50 employees
More intuitive support for SIP services is needed. This took a long time to configure properly for the user.
Anthony Hassiotis
Senior Network Manager with 51-200 employees
HTTPS inspection and higher throughput/spec would be good. Now, it has been replaced by Firepower, which is a lot faster.
Gareth Munday
‎Enterprise Manager at a tech vendor with 1,001-5,000 employees
MSSP oriented interface: I would like a single console which would allow me to manage settings creating consistency across all customers.
Samuel May
Information Security Manager with 51-200 employees
The product would be improved if the GUI could be brought into the 21st Century.
Luke Guild
Technician with 201-500 employees
* UTM features would be nice or some NextGen features.
* The ASA has become a bit old and needs updating.

* Simplify licensing
* Do not combine the IPS module with the main operating system.
* In new products, leave the CLI.
Hector Carmenates
Information Technologies Consultant at a tech services company
Multiple WAN connections: Even though you can implement more than one interface to outside connections, it is lacking on load balances, etc.
Owner at David Strom Inc.
Prime manager is just for the CX line for now. CX features also add about a 30% overhead on throughput.
Intrusion prevention, we currently need to apply deep bracket inspection manually to use web filtering.
Information Technology with 201-500 employees
It needs more tunneling capabilities.
Sikander Ali
IT Infrastructure Engineer at a comms service provider with 51-200 employees
Antivirus features must be integrated for end user security. They must be increased in the next version along with audit and restriction for the incoming user. Security must be increased when a new user connects over the LAN and an alarm must be generated.
Tony Petcou
Business Development Executive with 51-200 employees
Make the IPS baked-in. It is a good firewall, though not NextGen.
