Cisco Firepower NGFW Firewall Overview

Cisco Firepower NGFW Firewall is the #5 ranked solution of our best firewalls. It's rated 4.2 out of 5 stars, and is most commonly compared to Cisco ASA Firewall: Cisco Firepower NGFW Firewall vs Cisco ASA Firewall

What is Cisco Firepower NGFW Firewall?

Cisco NGFW firewalls deliver advanced threat defense capabilities to meet diverse needs, from
small/branch offices to high performance data centers and service providers. Available in a wide
range of models, Cisco NGFW can be deployed as a physical or virtual appliance. Advanced threat
defense capabilities include Next-generation IPS (NGIPS), Security Intelligence (SI), Advanced
Malware Protection (AMP), URL filtering, Application Visibility and Control (AVC), and flexible VPN
features. Inspect encrypted traffic and enjoy automated risk ranking and impact flags to reduce event
volume so you can quickly prioritize threats. Cisco NGFW firewalls are also available with clustering
for increased performance, high availability configurations, and more.
Cisco Firepower NGFWv is the virtualized version of Cisco's Firepower NGFW firewall. Widely
deployed in leading private and public clouds, Cisco NGFWv automatically scales up/down to meet
the needs of dynamic cloud environments and high availability provides resilience. Also, Cisco NGFWv
can deliver micro-segmentation to protect east-west network traffic.
Cisco firewalls provide consistent security policies, enforcement, and protection across all your
environments. Unified management for Cisco ASA and FTD/NGFW physical and virtual firewalls is
delivered by Cisco Defense Orchestrator (CDO), with cloud logging also available. And with Cisco
SecureX included with every Cisco firewall, you gain a cloud-native platform experience that enables
greater simplicity, visibility, and efficiency.
Learn more about Cisco’s firewall solutions, including virtual appliances for public and private cloud.

Cisco Firepower NGFW Firewall is also known as Cisco Firepower NGFW, Cisco Firepower Next-Generation Firewall, FirePOWER, Cisco NGFWv.

Cisco Firepower NGFW Firewall Buyer's Guide

Download the Cisco Firepower NGFW Firewall Buyer's Guide including reviews and more. Updated: April 2020

Cisco Firepower NGFW Firewall Customers

Rackspace, The French Laundry, Downer Group, Lewisville School District, Shawnee Mission School District, Lower Austria Firefighters Administration, Oxford Hospital, SugarCreek, Westfield

Cisco Firepower NGFW Firewall Video

Cisco Firepower NGFW Firewall Reviews

Filter by:
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
reviewer1217634
Lead Network Administrator at a financial services firm with 201-500 employees
Real User
Nov 24, 2019
Enables analysis, diagnosis, and deployment of fixes quickly, but the system missed a SIP attack

What is our primary use case?

These are our primary edge firewalls at two data centers.

Pros and Cons

  • With the FMC and the FirePOWERs, the ability to quickly replace a piece of hardware without having to have a network outage is useful. Also, the ability to replace a piece of equipment and deploy the config that the previous piece of equipment had is pretty useful.
  • We had an event recently where we had inbound traffic for SIP and we experienced an attack against our SIP endpoint, such that they were able to successfully make calls out... Both CTR, which is gathering data from multiple solutions that the vendor provides, as well as the FMC events connection, did not show any of those connections because there was not a NAT inbound which said either allow it or deny it.

What other advice do I have?

The biggest lesson I have learned from using this solution is that you can't always trust that console. In the particular case of the traffic which I was used to seeing identified in CTR, not seeing that traffic but knowing that it was actually occurring was a little bit of a concern. It wasn't until we actually put rules in that said "block that traffic" that I started to see the traffic in the console and in the CTR. Overall, my confidence in Cisco as a whole was shaken by that series of events. I have a little bit less trust in the brand, but so far I've been happy with the results…
JoshuaThums
Network Administration Lead at Forest County Potawatomi Community
Real User
Top 20
Oct 13, 2019
Highlights and helps us catch Zero-day vulnerabilities traveling across our network

What is our primary use case?

We use them in multiple places on our network. We use them on the edge of our network, in more of the traditional sense for inbound and outbound filtering. We also use them as a center of our network between all of our users and servers, so that all user traffic going through our servers is IPS and IDS as well. We have multiple Cisco 5000 Series firewalls and we also have a 4110 Series firewall, all running the FireSIGHT threat detection image. We keep that up to date within three months. If a new release comes out within three months, we're updating. The software deployment is on-prem.

Pros and Cons

  • The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through their IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network.
  • The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it.

Cost and Licensing Advice

  • Our subscription costs, just for the firewalls, is between $400,000 and $500,000 a year.

What other advice do I have?

My advice would be: Don't let the price scare you. I would describe the maturity of our company's security implementation as "working on it." It is an evolving process. When it comes to the Cisco product line, we try to keep it as up to date as possible when they release new products. An example would be their DNA Center which we're looking at installing in the next year. From a product standpoint, we're pretty well off. From a policy and procedure standpoint, that is where we're somewhat lacking in our organization. In terms of the number of security tools our organization uses, we have a lot…
Learn what your peers think about Cisco Firepower NGFW Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
447,546 professionals have used our research since 2012.
EduardoViero
IT Infrastructure Specialist at RANDON S.A
Real User
Nov 8, 2019
Shows the top-consuming applications to help determine if there is a deviation or if we need to increase bandwidth

What is our primary use case?

Currently, we have 16 remote sites. Some of them are sales offices and some of them are industrial plants. And we have a centralized IT department here in Brazil. The business asked me to support those remote sites. We started using the Firepower Threat Defense, which is one of the versions of next-gen firewalls from Cisco, at some of the sites. We have them operating at five sites, and we are deploying at a sixth site, in Mexico, with the same architecture. That architecture has the firewall running on the site's router, and we manage them all from here in Brazil.

Pros and Cons

  • The protection and security features, like URL filtering, the inspection, and the IPS feature, are also very valuable for us. We don't have IT staff at most of the sites so for us it's important to have a robust firewall at those sites
  • The user interface for the Firepower management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For Firepower, the user interface is not very user-friendly. It's a little bit confusing sometimes.

What other advice do I have?

You must know exactly what features are important for you, and how you can manage all this infrastructure in the future. Sometimes you can have a product that is superior but it might demand an increase in manpower to manage all the software or platforms. Another point to consider is how good the integration is between products? You should check what features you need, what features you can have, and the integration with other products. In terms of the maturity of our security implementation, we have had security appliances, software or hardware, for more than 15 years. So we have a long…
Dave Cooper
Network Engineer at CoVantage Credit Union
Real User
Top 20
Sep 16, 2019
For any internet-related event, it's saving us hours of time

Pros and Cons

  • Once you add Firepower onto to it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering.
  • In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth.

Cost and Licensing Advice

  • The Firepower series of appliances is not cheap. I just got a quote recently for six firewalls that was in the range of over half-a-million dollars. That's what could push us to look to other vendors...

What other advice do I have?

The neat part about this is how Cisco continues to evolve its product line and help us stay secure, while still doing our day-to-day business. My advice would depend on how you want to use it. What are you looking for Firepower to do? Firepower added features that, until we introduced into our environment, we could not have done. We probably could have added a third-party product but we would hate to keep doing all that. It's nice to be able to have our products from the same organization because then, if something's really wrong, we can talk to the same organization as we're trying to…
PaulChauchis
Security Architect
Real User
Top 20
Nov 7, 2019
Gives us valuable insights about encrypted traffic on the web, with statistics up to Layer 7

What is our primary use case?

Our primary use cases for FTD are IPS, intrusion detection, and to get visibility into the network and the traffic that is going on in some sites. We always have them in-line, meaning that they're between two networking connections, and we analyze the traffic for the purposes of internal detection. In production, from the FTD line, we mostly have 2110s and 2130s because we have a lot of small sites, and we are starting to put in some 4110s. We only have FirePOWER here, but we don't use them most of the time as next-gen firewalls but more as an IPS. Everything is on-premises. We don't use… more »

Pros and Cons

  • The IPS, as well as the malware features, are the two things that we use the most and they're very valuable.
  • For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending what we activate. If we activate too many intrusion policies, it affects the CPU.

Cost and Licensing Advice

  • Cisco's pricing is high, at times, for what they provide.

What other advice do I have?

FTD is pretty good. You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license. It's pretty good to have the Cisco and Talos teams working closely. I know Palo Alto has an similar arrangement, but not a lot of suppliers get that chance. Our organization's security implementation is pretty mature because we try to avoid the false positives and we try to do remediation. We try to put threat…
Al Faruq Ibna Nazim
Head of Technology at BDPEER Ltd.
Real User
Top 20
Apr 15, 2019
Enables us to monitor and confirm all of the traffic coming in or going out of our network

What is our primary use case?

Cisco has a new general firewall: the Firepower NGFW. If you take a look at the Cisco Firepower product line, they have three models available: * A low-scale model: the 2000 series * A high-end model: the 4000 series * The carrier-grade model: the 9000 series We have already used the 4000 and 2000 series over here. We've been using this solution in Bangladesh for some customers over the last eight months. We've been using FPR 2110, 2120, 2130, & 2140. We also employ the FPR 4130 and 4140. We have been using this equipment on our last few projects. We used it as a transfer and for firewalling… more »

Pros and Cons

  • Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching.
  • One feature lacking is superior anti-virus protection, which must be added.

Cost and Licensing Advice

  • The Cisco licensing agreement in Bangladesh is different than the one in India and in Dubai. It is not a problem, but if you want to subscribe to the yearly subscription, the original cost is really high. Also, if you go for an anti-virus, you pay for an additional yearly subscription.

What other advice do I have?

In my opinion, I would rather ask everyone to have a simple network. If you need multiple networking lines, like for the Cisco ASA or the Firepower NGFW, make sure you have ample tech support. There are many issues with connectivity in firewall systems, but Cisco quality is good. The connectivity of your network can really reduce your complexity over firewalls. I would suggest if you want to configure a complicated network scenario, go for a next-generation firewall. I would also suggest making your firewall options go to Cisco as they have some influential products right now. Once you are…
Girish Vyas
Architect - Cloud Serviced at a comms service provider with 10,001+ employees
Real User
Top 5Leaderboard
Nov 30, 2019
Has next gen features like application awareness and intrusion protection but the CLI needs to be simplified

What is our primary use case?

Our primary use case is whatever is best for our customer. I'm the service provider. The customer's main purpose is to use the malware services protection and the firewall itself, as well as the application awareness feature.

Pros and Cons

  • They wanted to leverage something which is equivalent that can give them the next gen features like application awareness and intrusion protection. So that is a major reason they were looking forward to this. The original ASA firewall did not have these features. This was the major reason the customer moved on to Cisco Firepower Threat Defense (FTD). Now they can go ahead and leverage those functionalities.
  • I was just trying to learn how this product actually operates and one thing that I see from internal processing is it does fire-walling and then sends it to the IPS model and any other model that needs to be performed. For example, content checking or filtering will be done in a field processing manner. That is something that causes delays in the network, from a security perspective. That is something that can be improved upon. Palo Alto already has implemented this as a pilot passed processing. So they put the same stream of data across multiple modules at the same time and see if it is giving a positive result by using an XR function. So, something similar can be done in the Cisco Firepower. Instead of single processing or in a sequential manner, they can do something similar to pile processing. Internal function that is something that they can improve upon.

Cost and Licensing Advice

  • We normally license on a yearly basis. The hardware procurement cost should be considered. If you're virtual maybe that cost is eradicated and just the licensing cost is applied. If you have hardware the cost must be covered by you. All the shipping charges will be paid by you also. I don't thing there are any other hidden charges though.

What other advice do I have?

If you're really looking into Cisco Firepower, they have a good product, but I would say study hard and look around. If you want an easier product, you can always use Palo Alto. If you are a Cisco guy and you want to be with Cisco, you'll need to get an integration service engineer from the Cisco side. That will actually help you out a lot. Alternatively, maybe you can go for Palo Alto. That would be the best thing to do. If you are not worried about the technical integration part and learning how it works and how well it can go with the environment, I would recommend you go ahead and take an…
Maharajan S
Associate Vice President - IT Infrastructure at Navitas Life Sciences
Real User
Top 20
Jun 8, 2020
Gives us more visibility into the inbound/outbound traffic being managed

What is our primary use case?

We have an offshore development center with around 1,400 users (in one location) where we have deployed this firewall. The maturity of our organization’s security implementation is a four out of five (with five being high). We do have NOC and SOC environments along with in-built access to our systems. We use Acunetix as one of our major tools. We do have some open source. There are a couple of networks where we are using the Tenable tool. We have implemented an SIEM along with a Kaspersky at the cloud level. In the Cisco firewall, we installed Kaspersky in the firewall logs which upload to… more »

Pros and Cons

  • Being able to determine our active users vs inactive users has led us to increased productivity through visibility. Also, if an issue was happening with our throughput, then we wouldn't know without research. Now, notifications are more proactively happening.
  • The central management tool is not comfortable to use. You need to have a specific skill set. This is an important improvement for management because I would like to log into Firepower, see the dashboard, and generate a real-time report, then I question my team.

Cost and Licensing Advice

  • Cisco pricing is premium. However, they gave us a 50 to 60 percent discount.
  • There are additional implementation and validation costs.

What other advice do I have?

We are using Cisco at a global level. We have internally integrated this solution with Cisco Unified Communications Manager in a master and slave type of environment that we built. It uses a country code for each extension. Also, there is Jabber, which our laptop users utilize when connecting from home. They call through Jabber to connect with customers. Another tool that we use is Cisco Meraki. This is our all time favorite product for the office WiFi environment. However, we are not currently integrating our entire stack because then we would have to change everything. We may integrate the…
See 17 more Cisco Firepower NGFW Firewall Reviews
Buyer's Guide
Download our free Cisco Firepower NGFW Firewall Report and get advice and tips from experienced pros sharing their opinions.
Product Categories
Firewalls