Cisco firewalls provide us with some application visibility and control but that's one of those things that are involved in the continuous evolution of the next-generation firewalls. We have pretty good visibility into our applications. The issue that we run into is when it comes to some of the custom apps and unusual apps that we have. It doesn't give us quite the visibility that we're looking for, but we have other products then that fill that gap.

There would also be a little bit room for improvement on Cisco's automated policy application and enforcement. The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it. That's part of the reason that we don't do some of the policies, because management of it can be a little bit funky at times. There are other products that are a little cleaner when it comes to that.

View full review »

We use the FTD management platform for the boxes. The GUI that manages multiple Firepower boxes could be improved so that the user experience is better.

View full review »

Cisco Secure Firewall's integration with cloud providers has room for improvement. We could do more in terms of integration, for example, if we had a tag on an instance. 

I would also like to see tag rules with cloud objects. This would be a great improvement for Cisco Secure Firewall. 

As far as MX is concerned, I would like to see more interconnection. We would also like to be able to do BGP.

View full review »

Licensing is complex, and I'd like it to be simplified. This is an area for improvement.

If we could create a Firepower solution that became like an SD-WAN or a SASE solution in a box, then perhaps we could exploit that on remote sites. We've already kind of got that with Meraki, but if we could pull out some of the features from ASA Firepower and make those available in SD-WAN in SASE, then it would be pretty cool.

View full review »

The policies module in FMC specifically isn't the most user-friendly. Coming from Cisco ASA, Cisco ASA is a little bit easier to use. When you get into particularly complex deployments where you have a lot of different interfaces and all that kind of stuff, it's a little bit tricky. Some usability improvements there would be nice. 

For scalability, they could support a little bit more diverse deployments around clustering and high availability. Currently, it's very active standby, and being able to do a three firewall cluster or four or five firewall cluster would suit some of my deployments a little bit better. It would also help to keep the cost down for the customer because you're buying smaller devices and clustering them versus larger devices.

View full review »

There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track. 

We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that.

Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.

View full review »

One of the few things that are brought up is that for the overall management, it would be great to have a cloud instance of that. And not only just a cloud instance, but one of the areas that we've looked at is using an HA type of cloud. To have the ability to have a device file within a cloud. If we had an issue with one, the other one would pick up automatically.

The other part of that is that applying policy still takes longer than we expect. Every version that comes out, the speed is actually increased, but I would love to see that, even a little more as far as when we're actually deploying policy.

View full review »

I don't have any specific improvements to recommend. However, when you compare the throughput of a Cisco firewall to the competitors, especially Fortinet, what you find is that Cisco has lagged a little bit behind in terms of firewall throughput, especially for the price that you pay for that throughput.

View full review »

Setting firewall network rules should be more straightforward with a clearer graphical representation. The rule-setting method seems old-fashioned. The firewall and network rules are separate from the Firepower and web access rules. You can access the firewall rules through the Cisco ASDM application, not the web client. I'm using an older version, and I'm sure this issue will improve in the next edition.

Micro-segmentation is somewhat complex. It's not easy, but it's not too difficult, either, so it's somewhere in the middle. I used micro-segmentation for 10 or 15 VLANs, and ASA Firewall acts as a router for those VLANs. The visibility offered by micro-segmentation is pretty poor. It's not deep enough. 

View full review »

One con of Cisco Secure Firewalls is that Java is used a lot for the older generation of these firewalls. Java is used for the ASA and the ASDM tool for administration. It's an outdated way of administering, and it's also a security risk to use this kind of solution. This is a pro of Firepower or the newer generation of firewalls because they are using HTML for administration.

In general, they can make it easier to manage the solutions. They can make it easier in terms of administration and provide a single tool for different firewalling solutions. They have different tools to manage different firewalls, such as Firepower or ASA. Sometimes, both are on the same thing. You have ASA with Firepower modules, so you manage some of the things via HTML, and then you manage some of the things via another management tool. It's not seamless. It should be bundled together in one solution.

View full review »

One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has ways to go, as far as being able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things that not only we at Orvis, but other people, are requesting and saying should be done and are needed.

In addition, if pushing policy could take a little less time — it takes about five minutes — that would be good. That's something they're working on. 

Finally, our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.

View full review »

I think that the solution can be improved with the integration of application-centric infrastructure. It could be used to have better solutions in one box.

View full review »

The one thing that the ASAs don't have is a central management point. We have a lot of our environments on FTD right now. So, we are using a Firewall Management Center (FMC) to manage all those. The ASAs don't really have that, but they are easy to use if you physically go into them and manage them. 

I would like ASAs to be easier to centrally manage. Currently, in our central management, we have almost 100 firewalls in our environment, and it is almost impossible to manage them all. ASAs are now about 20% of them. We have been slowly migrating them out, but we still have some. Normally, what we would do with ASAs is physically go into those devices and do what we need from there, whether it is find rules, troubleshoot, or upgrade.

View full review »

There should be more integration with Microsoft Identity.

View full review »

Its implementation was not straightforward. It was mainly because we were running two projects together. In terms of features, at this stage, I don't have inputs for the area of improvement. We are still in the implementation stage of our project. After we have the solution ready and we test it, we can go to phase two and see how to enhance the solution in the future. We can then see which features will allow us to do that. After we implement it, the next stages will be to maintain it, tune it, and build on it. We will then see how flexible it is.

View full review »

The Cisco Firewall UI could be improved. While having a centralized management console is a significant improvement, I believe there are several enhancements that could be made to the UI to enhance its user-friendliness and improve the overall flow. This is particularly important during troubleshooting, as we want to avoid wasting time navigating through different sections and excessive clicking. It would be beneficial to have everything readily accessible and a smoother flow to quickly reach the desired locations.

I believe Cisco needs to make the appliance more automated in order to provide us with additional time. This would eliminate the need for us to manually go through the firewall, search, find, and troubleshoot everything. It would be beneficial if the appliance had some form of AI integrated to generate such information, enabling us to quickly identify the problem. If necessary, we could then delve deeper into the issue.

View full review »

We see a lot of vendors in the market with a lot of niche products. I understand that it's difficult to cover everything, but making it more open for integration with other vendors would be a value add for Cisco. Usually, the case I see with my customers is that they always have a multi-vendor setup for security. They have many products. When they have multiple products, each product does something very specific standalone, but there is always a challenge in how to correlate all these solutions or make them as one framework for securing the network.

View full review »

We've seen, for a while, that the upcoming revisions are not supported on some of 5506 firewalls, which had some impact on our environment as some of our remote sites, with a handful of users, have them. 

We were also not too thrilled when Cisco announced that in the upcoming new-gen ASA, iOS was not going to be supported, or if you install them, they will not be able to be managed through the Sourcefire. However, it seems like Cisco is moving away from the ASA iOS to the Sourcefire FireSIGHT firmware for the ASA. We haven't had a chance to test it out. I would like to test it out and see what kind of improvements in performance it has, or at least what capabilities the Sourcefire FireSIGHT firmware is on the ASA and how well it works.

View full review »

In terms of ways that the firewall could be improved, third-party integration is already reasonable. We were able to integrate with our vulnerability management software, for example. 

However, I would say that when we're looking at full-stack visibility, it can be difficult to get the right information out of Firepower. For example, you may need to get a subset of it into your single pane of glass system and then refer back to Firepower, which can add time for an analyst to look at a threat or resolve a security incident. It would be nice if that integration was a little bit tighter. 

View full review »

There is room for improvement in the stability or software quality of the product. There were a few things in the past where we had a little bit of a problem with the product, so there is room for improvement. In the past, we had problems with new releases. 

Also, from the beginning, some functionalities or features have not worked properly. There are bugs. Every product has such problems, but sometimes, there are more problems than other products, so it's definitely something that can be improved, but Cisco seems to be working on it.

View full review »

If WSAP remains to be an active product, it might be an idea to integrate the configuration policy logic between Umbrella and WSAP. There should be one platform to manage both.

The integration between the on-prem proxy world and the cloud proxy would benefit us. One single policy setting would make sense.

View full review »

Our setup is quite interesting. We have a Sophos firewall that sits as a bridge behind the Cisco ASA. Once traffic gets in, it's taken to the Sophos and it does what it does before the traffic is allowed into the LAN, and it is a bridge out from the LAN to the Cisco firewall. The setup may not be ideal, but it was deployed to try to leverage and maximize what we already have. So far, so good; it has worked.

The Cisco doesn't come with SD-WAN capabilities which would allow me to load balance two or three ISPs. You can only configure a backup ISP, not necessarily an Active-Active, where it's able to load balance and shift traffic from one interface to the other.

When I joined the organization, we only had one ISP. We've recently added a second one for redundancy. The best scenario would be to load balance. We plan to create different traffic for different kinds of users. It's capable of doing that, but it would have been best if it could have done that by itself, in the way that Sophos or Cisco Meraki or even Fortigate can.

A feature that would allow me to load balance among multiple ISPs, especially since we have deployed it as a perimeter firewall, would be a great addition. While I'm able to configure it as a backup, the reality is that in a modern workplace, you can't rely on one service provider for the internet and your device should be able to give you optimal service by load balancing all the connections, all the IPSs you have, and giving you the best output.

I know Cisco has deployed other devices that are now capable of SD-WAN, but that would have been great on the 5516 as well. It has been an issue for us.

View full review »

When we first got it, we were doing individual configuring. Now, there is a way to manage from one location. We can control all our policies and upgrades with a push instead of having to touch every single piece.

View full review »

When comparing the graphical interface of this solution to other vendors it is more difficult to configure. There is a higher learning curve for administrators in this solution.

A lot of vendors, such as Palo Alto, are going toward cloud-based systems and Cisco should follow.

View full review »

The integration with all the necessary products needs improvement. Managing various product integrations, such as Umbrella, is challenging.

View full review »

For what we use it for, it ends up being the perfect product for us, but it would help if they could expand it into some of the other areas and other use cases working with speeding up and the reliability of the pushes from the policy manager.

View full review »

We have encountered problems when implementing new signatures and new versions on our firewall. Sometimes, there is a short outage of our services, and we have not been able to understand what's going on. This is an area for improvement, and it would be good to have a way to monitor and understand why there is an outage.

View full review »

The overall licensing structure could improve to make the solution better.

View full review »

I would like to see more configurable feature parity with Cisco ASA, which is the legacy product that Cisco is moving away from. When configuring remote access VPN, not all of the options are there. You have to download another tool, which means that the configuration takes a little bit longer with Cisco Secure Firewall. Though it's getting there, there are still some features lagging behind.

View full review »

We would like to be able to manage a set of firewalls rather than individual firewalls. We haven't really looked into it or yet implemented it, but a single pane of glass would be helpful. We also use another vendor's firewalls, and they have a centralized management infrastructure that we have implemented, which makes it a little bit easier when you're managing lots of firewalls.

View full review »

Some of our problems are related to software updates in remote sites where the internet connection is not stable. Sometimes, the image push just gets disrupted and fails.

The most annoying thing is having to replace the hardware so often. It's very difficult for us to do.

The integration between different tools could be improved. For example, with SecureX, I am yet to find out how to forward security events to different tools such as Microsoft Sentinel, which is what we use for log detection.

View full review »

It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive. 

View full review »

We saw a lot of improvements on Cisco Firepower when Snort 3 came along. Before, with Snort 2, we were able to do some stuff, but the bandwidth was impacted. With Snort 3, we now have much better performance.

I would like to see improvement when you create policies on Snort 3 IPS on Cisco Firepower. On Snort 2, it was more like a UI page where you had some multiple choices where you could tweak your config. On Snort 3, the idea is more to build some rules on the text file or JSON file, then push it. So, I would like to see a lot of improvements here.

View full review »

The solution lacks the abilities of an FTD type which are the abilities we need, and they are not in the firewall. We're looking for a next-generation firewall instead.

The graphical interface could be improved. From what I have seen, Fortinet, for example, has a nicer GUI.

The solution needs to be easier to use. Right now, it's overly complicated. 

The initial setup is a bit complex. 

The cost of the solution is very high.

The product should add free URL filtering. It's another product, or part of another product, however, it should be available as part of this offering as well.

View full review »

Cisco Secure Firewall’s customer support could be improved.

View full review »

The process of procuring modern-day technology within the DOD needs to improve.

View full review »

Cisco Secure Firewall could benefit from enhancements in its API, documentation, and automation tools. Additionally, we've noticed that the Terraform provider for FMC has only two stars, few contributors, and hasn't been updated in a year. It only has 15 to 20 resources, which limits our capabilities. We'd love to update it and add more resources. For example, we currently can't create sub-interfaces with the provider, so we have to add Python code to our Terraform provider and use local provisioners. Additionally, improvement in the API would be helpful so that we can create ACL on the GUI with a simple click, but at this time we cannot create requests via the API.

View full review »

It would be better if we could manage all of our firewalls as a set rather than individually. I would like to see a single pane of glass type of option. We also use another vendor's firewalls and they have a centralized management infrastructure that we have implemented. This infrastructure is a bit easier to manage.

View full review »

We would like to see dual power supplies for some Cisco Firewall products. Having to get an ATS in the Data Center application because there's an A+B power feed on such a vital device with high availability may be something that I want to put in there.

View full review »

It's a question of performance. When we talk about data centers, we are talking about 100 gig capacity or 400 gig capacity. When it comes to active-active solution clustering and resilience and performance, Cisco should look into these a little bit more.

View full review »

The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement.

Services from the outside, like financial services that are critical, should be protected by the NGFW. There are cyber attacks on these services. Therefore, adding this NGFW in front of those services will reduce our costs for cyber crime.

View full review »

It needs better patching and testing as well as less bugs. That would be nice.

I would like it to have faster deployment times. A typical deployment could take two to three minutes. Sometimes, it depends on the situation. It is better than it was in the past, but it could always use improvement.

View full review »

FlexConfig is there as a bridge for features that are not yet natively integrated into Firepower. It is a way of allowing you to be able to configure things that wouldn't otherwise be possible until the development team can add them into Firepower's native capability. There is still some work that needs to be done around FlexConfig. There are still quite a few complex things, like policy-based routing, that have to be done in FlexConfig, and it doesn't always work perfectly. Sometimes, there are some glitches. It is recommended that you configure FlexConfig policies with Cisco TAC. It would be good to see Cisco accelerate some of those configurations that you can only do in FlexConfig into the platform, so that they are there natively.

View full review »

It would be great if some of the load times were faster. My general sense is that it's probably related to them taking a couple of different technologies and marrying them together. We are using virtual, so the way that I handled that was to throw more RAM in it, which these days, is pretty cheap. I could see some improvement with the speed of deploying policies out, although it's not terrible by any means. One thing about Cisco is whatever they're doing, it keeps getting better.

The speed of deploying policies could be improved, although it is not terrible by any means.

Another legitimate criticism of Cisco that comes to mind is that you need to make sure you've got your licensing straightened out. I haven't had any problems in a long time, but I know people that haven't used Cisco products sometimes can run into issues because they haven't figured out so-called smart licensing. Depending on the Cisco person you're working with, make sure you have all that stuff all set to go before you start the implementation.

That's an area that Cisco has been working on, I know. But licensing is a common complaint about Cisco. I suggest making sure that you have that stuff in place and you've got all your licenses all ready to go. It seems like a dumb thing, but my most common complaint about Cisco before we entered into our enterprise agreement was licensing. When it's working, it's great, but God help you if you've got a licensing problem.

View full review »

I would say when Cisco is selling something called a firewall, they put a lot of services together to make a single box solution. When a company develops a firewall, they need to develop certain features like intrusion control and offer it pre-loaded in the product. 

On the mix of projects that I am responsible for, I feel comfortable using the Cisco firewall for management. One feature lacking is superior anti-virus protection, which must be added.

I have to say I am very proud of the Cisco Firepower 41400 as it can give you multiple layers of four-degree connectivity in operations. 

We do not use the Cisco 9000, but even the lower level firewalls are pretty expensive, considering the features and software included.

In summary, we would like Cisco to provide more features inside regarding network trafficking forecasting. Ideally, the belief is that this would add an immediate resolution.

View full review »

I'm not a big fan of the FDM (Firepower Device Manager) that comes with Firepower. I found out that you need to use the Firepower Management Center, the FMC, to manage the firewalls a lot better. You can get a lot more granular with the configuration in the FMC, versus the FDM that comes out-of-the-box with it.

FDM is like Firepower for dummies. I found myself to be limited in what I can do configuration-wise, versus what I can do in the FMC. FMC is more when you have 100 firewalls to manage. They need to come out with something better to manage the firewall, versus the FDM that comes out-of-the-box with it, because that set me back about two weeks fooling around with it.

View full review »

We are still running the original ASAs. The software that you are running for the ASDM software and Java application has never been a lot of fun to operate. It would have been nice to see that change update be redesigned with modern systems, which don't play nicely with Java sometimes. Cybersecurity doesn't seem to love how that operates. For us, a fresher application, taking advantage of the hardware, would have been a better approach.

View full review »

The maturity needs to be better. The product is not yet mature. A running product is hit with the software bugs most of the time, and whenever we then log a case with the tech team, they're sometimes helpless with that. They have to involve the software development team to fix that bug in the next release. It's not ideal. Being an enterprise product, it should be mature enough to handle these types of issues.

View full review »

The solution's deployment is time-consuming, which should be minimized and made more user-friendly for us.

The solution's graphical user interface could be made more user-friendly, and the configuration can be simple.

View full review »

The solution's price can be lowered because, currently, it is pricier than the tool its competitors offer in the market. If the product's prices are lowered, it may help Cisco to expand its market base.

If Cisco reduces the price of its product, then it can gain more advantage and become much more competitive in a market where there are solution providers like Fortinet FortiGate.

View full review »

There's a little bit of a disconnect between Firepower’s management and the rest of the products, like DNA and Prime. The solution should have fewer admin portals for network, security, and firewalls.

View full review »

One big pain point I have is the ASDM interface because it's Java, and sometimes, it's a bit buggy and has low performance. That's something that probably won't be improved because of backward compatibility. 

The CLI is not always clear. It's not always intuitive.

Some of the things, such as site-to-site VPN, are complicated to set up. The settings you have are all hidden away in crypto maps, and you can't have a setting per tunnel. When you want to change one particular tunnel, you automatically change them all. That's a drawback.

View full review »

Firepower's user experience should be a little bit better.

View full review »

In order to do an upgrade, we need to upload the software to the firewall, then upgrade the secondary and do a failover. Uploading this software into the firewall is old technology. For example, if you look at the Cisco Meraki firewall, you can schedule the software upgrade. Whereas, here we can't.

Recently, we have been having an issue with the ASA firewall. We haven't found the root cause yet and are still working on it. We failed over the firewall from active to passive and suddenly that resolved the issue. We are now working to find the root cause.

View full review »

The security market is a fast-changing market. The solution needs to always check if the latest threats are covered under the solution. 

It would always be helpful if the pricing was improved upon a bit.

In a future release, it would be ideal if they could offer an open interface to other security products so that we could easily connect to our own open industry standard.

View full review »

For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending on what we activate. If we activate too many intrusion policies, it affects the CPU. We have great hopes for the next version. We have integrated Snort 3.0, the new Snort, because it includes multi-threading. I hope we will get better performance with that.

View full review »

It's not unexpected, but it's a common scenario where customers request dual layers of security. For instance, when dealing with regulatory compliance, especially in financial sectors regulated by entities like the Central Bank, having two distinct units is often mandated. If a client predominantly uses a solution like Palo Alto, they may need to incorporate another vendor such as Cisco or Forti. Importantly, there's a significant disparity in interfaces and management platforms between these vendors, necessitating careful consideration when integrating them into the overall security architecture.

View full review »

Third-party integrations could be improved.

Not everything works out-of-the-box. Sometimes, you have to customize it to your needs. 

View full review »

The user interface is a little clunky and difficult to work with. Some things aren't as easy as they should be.

View full review »

The ease of use, when it comes to managing Cisco Firepower NGFW Firewalls, is getting better because the UI is improving. It was a bit cumbersome in previous versions. Checkpoint, for example, has one of the most intuitive user interfaces, and now Cisco is really improving.

The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Checkpoint has a very detailed user interface. Cisco is getting better and becoming more and more user-friendly.

Cisco needs a more intuitive user interface. When you know what to do, it's easy. Otherwise, you need training. You can install it and do the initial configuration, but if you don't have the proper training it's also possible to configure it the wrong way. If that happens, some things might pass through that you don't know about.

View full review »

The operation of the ASA is good but the problem is that whenever you require an upgrade, there are multiple pieces of software that you have to upgrade. Extensive planning is required, because if you upgrade one piece of the software it has to be compatible with the others as well. You always need to check the compatibility metrics.

For example, if the ASA Firewall's software has to be upgraded, it has to be compatible with the IPS software—the FireSIGHT software. So that has to be upgraded as well, in addition to the ASDM software that you use to manage the firewall using the GUI. Besides that, if you are using the remote VPN part of the firewall, there is the AnyConnect hidden software that also requires an update.

So upgrading is a very extensive exercise, both when you're planning it and when you are doing it. The upgrades are very lengthy. Then Cisco introduced FTD as a unified approach, and that was a leap forward, but it has its own issues.

View full review »

When running multiple firewalls in your network, you need someone to manage them from a central point. Cisco’s answer is Cisco Security Manager (CSM). Unfortunately, this is a suite of applications that is in much need of an overhaul. It is riddled with bugs and lacks the intuitive experience found in competing vendor offerings. The counter-intuitive interface makes configuration management cumbersome and prone to mistakes. There are software defects within certain modules of the application, resulting in a frustrating experience. Reporting is almost useless. The best part about it is the logging component, but it still is lacking, compared to what you get from other competing vendors.

Aside from management, I think Cisco needs to become more application-focused, something that a few of their competitors shine in.

View full review »

Changes you make in the GUI sometimes do not reflect in the command line and vice versa.

View full review »

I would like to see an IE version of the solution where it is ruggedized. Most of what we do is infrastructure based on highways. Now that the product has a hardened switch, the only thing left in our hubs that isn't hardened is probably the firewall. It would be nice to pull the air conditioners out of the hubs.

View full review »

In today's world, cyberattacks have become a common occurrence. However, so far, we have not faced any issues with our systems. I hope the situation remains the same in the future. If Cisco introduces even more advanced security measures, it would be beneficial.

One of the major issues we face in the Middle East is the long delivery time for Cisco products. Currently, they are taking almost 10 months to deliver, which is much longer compared to before when we received the products within 70 to 80 days or even two to three months. For instance, we recently placed an order that has a delivery date in the middle of 2024. This delay is unacceptable as customers cannot wait that long, and they may opt for other alternatives, such as Huawei, Juniper, or HPE. Therefore, Cisco needs to improve its delivery time and ensure that they deliver products within a reasonable timeframe, as it did before.

View full review »

The usability of Cisco Firepower Threat Defense is an issue. The product is still under development, and the user interface is very difficult to deal with. That's one area where it should be improved. Another area for improvement, which is also related to the firewall, is stability. We are having stability issues, and we had some cases where customers had a network down situation for about one or two days, which is not great.

View full review »

The application detection feature of this solution could be improved as well as its integration with other solutions. 

View full review »

We cannot have virtual domains, which we can create with FortiGate. This is something they should add in the future. Additionally, there is a connection limit and the FMC could improve.

View full review »

Try to understand if there is a need, e.g., if there is a need to log this information, get these logs out, and forward to some sort of a SIEM technology or perhaps a data store that you could keep it for later. There is limited data storage on the appliance itself. So, you need to ship it out elsewhere in order for you to store it. The only point of consideration is around that area, basically limited storage on the machine and appliance. Consider logging it elsewhere or pushing it out to a SIEM to get better controls and manipulation over the data to generate additional metrics and visibility.

In some cases, I could see how SIEM is not an option for certain companies, perhaps they either cannot afford it, or they do not have the resources to dedicate a security analyst/engineer who could deploy, then manage the SIEM. In most cases, Firepower is a useful tool that a network engineer can help set up and manage, as opposed to a security engineer. To make the solution more effective and appealing, Cisco could continue to improve some of the reporting that is generated within the Firepower Management Console. Overall, that would give a suitable alternative to a full-fledged SIEM, at least on a network detection side, application identification side, and endpoint identification and attribution side. Potentially, a security analyst or network engineer could then simply access the Firepower Management Console, giving them the visibility and data needed to understand what is going on in their environment. If Cisco continues to improve anything, then I would suggest continuing to improve the dashboarding and relevant operational metrics present within the platform, as opposed to taking those logs and shipping them elsewhere.

View full review »

The solution has positively affected our organization’s security posture. I would rate the effects as an eight (out of 10). There is still concern about the engagement between Cisco Firepower and Cisco ASA, which we have in other offices. We are missing the visibility between these two products.

We would like more application visibility and an anti-malware protection system, because we don't have this at the enterprise level.

The central management tool is not comfortable to use. You need to have a specific skill set. This is an important improvement for management because I would like to log into Firepower, see the dashboard, and generate a real-time report, then I question my team.

View full review »

The product's user interface is an area with certain shortcomings where improvements are required.

From an improvement perspective, the product's price needs to be lowered.

View full review »

It needs to provide the next-generation firewall features that other vendors provide, like data analytics, telemetry, and deep packet inspection.

Also, the ASAs need to be improved a little bit to keep up with the demand for high bandwidth and session count applications.

View full review »

The virtualization aspect has room for improvement.

The scalability has room for improvement.

View full review »

We have seen some bugs come up with Cisco Secure Firewall in terms of high availability. The solution should be improved to avoid these bugs. 

View full review »

It can be improved when it comes to monitoring. Today, the logs from the firewalls could be improved a bit more without integrating with other devices.

I would like to see more identity awareness.

View full review »

One area that could be improved is its logging functionality. Your logs are usually displayed on the screen, but if you want to go back one or two days, then you need another solution in place because those logs are overwritten within minutes. 

To have that kind of feature, it's more than likely there would need to be some kind of storage on the device, but those boxes were designed a number of years ago now. They weren't really designed to have that built-in. Having said that, if you do reflash into the FTD image, and you've got the Firepower Management Center to control those devices, then all that logging is kept within the Firepower Management Center.

View full review »

The solution has not had any layer upgrades. It does not have layer five and upwards, it only has up to layer four. This has caused some problems for us.

In the future, it would be wonderful to have an antivirus, log analyzer, and PDF/Excel data exportation features build into the solution. The data export would be great to be able to look at the access list.

View full review »

When comparing this solution to other products, the Fortinet UTM bundle has some better features in their most receive product. For example, there are better configuration features, the Sandbox is better, and so is the web censoring. These are currently in the Cisco solution, but they are better in Fortinet. The Sandbox and the Web Censoring in this solution need to be improved.

This solution has to be more secure from the cloud. The current trend is moving towards private cloud and hybrid cloud, so it is very important to consider the cloud security aspects when the solution is installed. This includes things such as IoT and the existence of user connectivity on the cloud.

View full review »

We installed a Cisco path a month ago. There was a new update for the Cisco firewall and there were security issues.

We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco. 

I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense.

There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products. 

Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall.

The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.

View full review »

I'm not very familiar with the largest Firepower models, but competitors like Palo Alto seem to have a more capable engine to do, for instance, TLS/SSL decryption. As I understand, Firepower doesn't let you export the decrypted traffic so that, for instance, the security department can look at the traffic or inspect traffic. It's all in the box. I've heard rumors that this is something Cisco is working on, but it isn't yet available.

View full review »

it is difficult to say what it needs in terms of what needs to be improved. I don't work with it on a daily basis.

I haven't heard anything negative about it.

While this applies to all vendors, pricing can be always lower. In my opinion, Cisco is the most expensive. 

The pricing can be reduced.

View full review »

They should work on making it a little more intuitive for users and not quite as complex. Still, it's a good product.

View full review »

Before an ASA, it was a live log. It was easy and comfortable to work with. After the next-generation firewall, Firepower, the live log became really slow. I cannot reach the information easily or quickly. This has only been the case since we migrated to next-generation firewalls.

There is some delay between the log itself. It's not really real-time. Let's say there's a delay of more than 20 seconds. If they had a monitoring system, something to minimize this delay, it would be good.

It would be ideal if I could give more bandwidth to certain sites, such as Youtube.

I work with Fortinet also, and I find that Fortinet is easier now. Before it was Cisco that was easier. Now Fortinet is simpler to work with.

On firewall features, Fortinet is better. Cisco needs to become more competitive and add more features or meet Fortinet's offering.

View full review »

The dashboard can be improved. 

View full review »

With the new FTD, there is a little bit of a learning curve. The learning curve could probably be simplified a little bit. I've come around that learning curve, and I'm able to get around it.

View full review »

Firepower's implementation and reliability need room for improvement. 

View full review »

The stability could be better because we have a lot of issues with the stability of Cisco Firepower.

View full review »

The access layer of this solution could be improved in terms of the way the devices interconnect with our network. We need to be able to analyze the traffic between the different interconnections in these areas.

In a future release, we would like to have an IP analyzer to try to identify the specific comportment of the customers.

View full review »

One of the challenges we've had with the Cisco ASA is the lack of a strong controller or central management console that is dependable and reliable all the time. There was a time I was using what I think was called CMC, a Cisco product that was supposed to manage other Cisco products, although not the ASA. It wasn't very stable.

The controller is probably the biggest differentiator and why people are choosing other products. I don't see any other reason.

View full review »

A major area of improvement would be to have more functionality in public clouds, especially in terms of simplifying it. The high availability doesn't work right now because of the limitations in the cloud. Other vendors find ways to make it work differently than with on-prem solutions.

This is very important because we have customers that build solutions in the cloud that are like what they had on-prem. They have done a lift-and-shift because it's easier for them. They lift their on-prem physical boxes and shift them to the cloud, convert them to virtual, and it continues to work that way. Many times it's not the most efficient or best way to do things, but it's the easiest. The easiest path is probably the way to go.

View full review »

Today, ASA firewalls are leaving the market and are being replaced by firepower equipment - a technology with which I am not very familiar. However, in the training or research, I have done on this new product, I see that it has many additional tools such as centralization of the administration through a single team (in the case the firepower management). It is something that we do not have, yet we are already considering it since this type of technology will help us to have better management and better administration of the equipment through a single platform. The management of additional services with this new module will certainly help us to have the internet network much more secure with connections to the outside.

View full review »

Its licensing cost and payment model can be improved. Cisco doesn't provide training and certification for engineers without payments. Other companies, such as Huawei, provide the training for free. Their subscription and licenses are also free and flexible. Other products are breaking the market by providing such features. 

It doesn't support all standard interfaces. It is also not suitable for big companies with high bandwidth traffic. Its capacity should be improved.

Other products are becoming easier to access and configure. They are providing UI interfaces to configure, take backup, synchronize redundant machines, and so on. It is very easy to take backup and upgrade the images in those products. Cisco ASA should have such features. If one redundant machine is getting upgraded, the technology and support should be there to upgrade other redundant machines. In a single window, we should be able to do more in terms of backups, restores, and upgrades.

View full review »

We haven't been working with the product for too long, and therefore I haven't really found any features that are lacking. So far, it's been pretty solid.

One of the things that would make my life easier on ASA, especially for the CLA, is if it had an ASBN feature, specifically for the CLA. This would allow you to be able to see at once where a particular object group is being used without having to copy out all the object groups that have already been created.

I don't have to see all the object groups that have been created on that firewall. That's just something that I would really appreciate on the CLA, even though it already exists on the GUI.

View full review »

It is my understanding that they are in the process of discontinuing this device.

They are in the process of shutting down this ASA series and will continue with Firepower.

In the next release, it could be more secure.

View full review »

The only con that I have really seen with it is the reporting structure. FirePOWER is good. It has been a great help because, before that, it was not good at all. 

View full review »

Cisco Secure Firewall should be easier to handle. It uses ASDM, which is not easy to understand. It would be better if there was direct access via HTTPS.

View full review »

The management of the firewalls could be improved because there are a lot of bugs.

View full review »

I think they need to review their whole UI because it feels like it was created by a whole bunch of different teams of developers who didn't fully talk to each other. The net policy screen is just a mess. It should look like the firewall policy screen, and they should both act the same, but they don't. I feel like it's two different buildings or programming, that don't talk to each other, and that really annoys me.

They should either build an application or get away from the web. They need to do something that's uniform and more streamlined.

We have a multi-person firewall team, and I can't look at a policy while somebody else is in it. It'll kick me out. I might be working on something that the other guy has to modify. I know that in the next versions they will be dealing with it with a soft lock, but it should've already been there.

One of Cisco's strengths is the knowledge depth of their staff. The solutions engineer we worked with knew the routing and each protocol. If he didn't know something, he would reach out to someone else at Cisco who did. He would even talk to a developer if he needed to.

View full review »

The ASAs are being replaced with the new Firepowers and they have a different type of structure in the configuration to be able to migrate from one to the other.

View full review »

Cisco ASA is starting to get old and Firepower is taking over. All the good things happening are with Firepower. Everything that I could wish for is in Firepower. We will probably not be doing too many new installations of ASAs since Firepower is mostly taking over.

View full review »

Cisco still has a lot of work to do. You can convert an ASA over to a Firepower, but the competitors, like Palo Alto and Juniper, are coming in. And believe it or not, they are a little bit more intuitive. Cisco has a little bit more work to do. They're playing catch up.

There is also content filtering. The bad actors are so smart nowadays, that they can masquerade as the data for a given port, and they can actually transfer data through that port. The only thing that the older firewalls know about is the port. They can't read the data going across it. That's where content filtering comes in, like Palo Alto has, with next-generation firewalls.

View full review »

They need a VTI. I know it's going to be available in the next software version, which is the 6.7 version. However, the problem with that is that the 6.7 is going to deprecate all the older IKEv1 deployment tunnels. Therefore, the problem is that we have a lot of customers which are using older encryptions. If I do that, update it, it's not going to work for me.

View full review »

I believe that the current feature set of the device is very good and the only thing that Cisco should work on is improving the user experience with the device. 

Also, they need to ensure that all of the implemented features are working as they should, and able to integrate with more third-party software in an easier manner.

As it stands currently, Cisco is doing this, but I am not confident enough to say that their QA team is doing as good a job as they should as there have been software releases that were immediately pulled back the same day as they were released.

View full review »

Cisco needs to work more on the security and tech parts. Palo Alto gives a complete solution. Customers are very happy to go with Cisco because they have been around a long time. But that's why we are expecting from Cisco to give us a solution like Palo Alto, a complete solution. 

Cisco provides us with application visibility and control, although it's not a complete solution compared to other vendors. Cisco needs to work on the application behavior side of things, in particular when it comes to the behavior of SSL traffic. There is a focus on SSL traffic, encrypted traffic. Cisco firewalls are not powerful enough to check the behavior of SSL traffic. Encrypted traffic is a priority for our company.

In addition, while Cisco Talos is good, compared to the market, they need to work on it. If there is an attack, Talos updates the IP address, which is good. But with Palo Alto, and possibly other vendors, if there is an attack or there is unknown traffic, they are dealing with the signature within five minutes. Talos is the worst around what an attacker is doing in terms of updating bad IPs. It is slower than other vendors.

Also, Cisco's various offerings are separate. We want to see a one-product, one-box solution from Cisco.

View full review »

• It is confusing to have two management interfaces, e.g., ASDM and Firepower Management Center. It would be nice to have a Windows program instead of a virtual appliance for the Firepower Management Center.  The ASA and Firepower module seem redundant, not sure which one to set the rules in, but maybe that was for backward compatibility. I am not sure that is very useful.
• It is surprising that you need to have a virtual appliance for the Firepower Management Center. It is not good if you have to setup a VMware server just for it.
  
• 10Gb interfaces should be available on more models. 
  

View full review »

The solution’s GUI could be better.

View full review »

The cloud does not precisely mimic what is on-premises. There are some new challenges with the features in Azure. Due to Azure limitations, we cannot synchronize configurations between an active standby. This aspect makes it difficult to perform such tasks in the cloud, requiring manual intervention.

View full review »

They have already improved it to some degree. It has become easier, but I've not drilled down much myself. I mostly use CLI, but I can see that it's a little bit more GUI-based. So, improvement is already there. It's a good thing that we now have GUI-based control over the details, and that would be the way to go.

It integrates with other security products from Cisco, but sometimes, there can be glitches or errors.

View full review »

One thing that Cisco could improve is the GUI. The graphic user interface should be more user-friendly. If you compare it with some of its competitor's GUIs, Cisco falls short in terms of how rules are pushed. 

We have also run into issues with functionality and flexibility. Cisco does fall behind its competitors in this regard. It's our opinion that Cisco is not a leader in security devices. 

View full review »

Sometimes my customers say that Cisco firewalls are a bit more difficult compared to Fortigate or Palo Alto. There is complexity in the configuration and the GUI could be improved.

View full review »

Cisco Firepower is not completely integrated with Active Directory. We are trying to use Active Directory to restrict users by using some security groups that are not integrated within the Cisco Firepower module. This is the main issue that we are facing. 

There are some other issues related to their reports where we want to extract some kind of user activity. When a user tries to connect to our website, we are unable to read its logs in a proper manner and the report is not per our requirement. These are two things that we are facing.

Per my requirements, this product needs improvement. For example, I want to use and integrate with Active Directory groups. 

View full review »

We only have an issue with time sync with Cisco ASA and NTP. If the time is out of sync, it will be a disaster for the failover.

View full review »

When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance.

In terms of tracking users, the Palo Alto Networks firewall is better than Cisco Firepower.

View full review »

I would say that in inexperienced hands, the interface can be kind of overwhelming. There are just a lot of options. It's too much if you don't know what you are looking for or trying to do.  

The GUI still uses Java, which feels out of date today. That said, it's an excellent GUI.

The biggest downside is that Cisco has multiple firewall lines. The ASA line which is what we sell, and we sell most of the latest versions of it, are kind of two families. One is a little older, one's a little newer. We mostly sell the newer family. Cisco is kind of de-emphasizing this particular line of products in their firewall stable. That's unfortunate. 

They have the ASA line, Meraki, which is a company they bought some years ago where all the management is sort of cloud interface that they provide rather than a kind of interface that you manage right on the box. They also bought Snort and they integrated the Snort intrusion detection into the ASA boxes. In the last couple of years, they've come out with a sort-of replacement to Snort, a line of firewalls that don't use IOS.

It's always been that the intrusion prevention and the based firewalling features had separate interfaces within IOS. They've eliminated IOS in this new product line and built it from the ground up. We haven't started using that product yet. They have higher performance numbers on that line, and that's clearly the future for them, but it hasn't reached feature parity yet with the ASA. 

The main downside is that it feels a little bit like a dead end at this point. One needs to decide to move to one of these other Cisco lines or a non-Cisco line, at some point. We haven't done the research or made the plunge yet.

What I would like to see is a more inexpensive logging solution. They should offer either the ability to maintain longer-term logs right on the firewall or an inexpensive server-based logging solution. Cisco has logging solutions, however, they're very high end.

View full review »

Some products supersede others within Cisco. I have three platforms and some of the features are the same in two products. It's not clear for us, as a  customer, if Cisco intends to have just one platform for security in the future or if they will offer one product for a particular segment, such as one product for the big companies, one product for the financial segment, another product for enterprise, and another product for small business.

Sometimes, Cisco itself has two products which are doing the same things in some areas. That is something they could make clearer for customers: the position of each product or the roadmap for having just one product. 

For example, I have a management console for the next-gen firewalls we are deploying. But the SD-WAN also has some security features and I would have to use another management console. I don't have integration between the products. Having this integration or a roadmap would help. I don't know if there will be one product only in the future, but at least having better integration between their own products is one area for improvement.

Also, the user interface for the Firepower management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For Firepower, the user interface is not very user-friendly. It's a little bit confusing sometimes. This is another area where they could improve.

View full review »

• VPN creation with Cisco is quite difficult: Some DH groups are not supported (compared to Juniper).
• Expected to see the enablement of virtual routing, which is key in a Telco environment. We need to provide this in LAN to LAN services with shared platforms (DNS, proxies, etc.).
• Application visibility 

View full review »

I have a lot of difficulties with the solution's Firewall Management Center (FMC) and the GUI. Neither is responsive enough and should be improved.

View full review »

Maybe the dashboard could be a bit better. There are some reports where we don't get it. We need a deep dive into a particular URL, however, it provides the URL and the IP address, and there is no more information that can show more details. Basically, the report models can be improved.

With their console, we have to build a separate VM. In some of the products, the management console comes along with the box itself. It'll be one solution to take the backup and keep it. Even if you want to build a DR, it'll be easy. However, the challenge we had is if that VM is down, my team may not able to access the Firepower remotely. Therefore, the management console itself should be built within the Firepower box itself, rather than expecting it to be built in a separate VM.

View full review »

Cisco is still catching up with its Firepower Next-Generation firewalls. It's naturally growing and getting better.

View full review »

It would be nice if it had the client to actually access the firewall. Though, web-based access over HTTPS is actually a lot nicer than having to put on a client just to access the device.

For Firepower Threat Defense and ASAs, I would like it if there was a centralized way to manage policies, then sticking with the network functions on the actual devices. That is probably the thing that frustrates me the most. I want a way that you can manage multiple policies at several different locations, all at one site. You then don't have to worry about the connectivity piece, in case you are troubleshooting because connectivity is down.

View full review »

I'd like to see Cisco continue its approach to making it easier to navigate the UI and FMC and make it easier to get from point A to point B. Generally, the room for improvement is going to be all UI-related. The platform, overall, is solid.

I'd also like them to continue to approach things from a policy-oriented perspective. They are moving more and more in that direction. 

Also, the change-deployment time can always be improved. Even at 50 seconds, it's longer than some of its competitors. I would challenge Cisco to continue to improve in that area. It's very reasonable at 50 seconds, it's not like it used to be in early versions of Firepower, where it was around seven minutes. Still, it could be quicker. The faster we can deploy changes, the faster we can roll back changes if we have messed something in the configuration. Low deploy times are really good to have. 

I would also like to see more features that will help us connect things to the cloud dynamically, and connect things to other sites dynamically. There should be more SD-WAN features in the boxes. If I can use one box to solve cloud connectivity problems, and not have to do stuff so statically, the way I have to do things today on them, that would be helpful.

View full review »

The virtual firewalls don't work very well with Cisco AnyConnect. 

There are two ways of managing it. You can manage it through the GUI-based software or command-line interface. I tried to use its GUI, but I couldn't understand it. It was hard for me. I know how to use the command line, so it was good for me. You should know how to use the command-line interface very well to make some changes to it. Its management through GUI is not easy.

View full review »

There's an upgraded version of the 5500 that has come to the market. It offers the latest encryption that they have. If they want to add better features to the current Cisco ASA, they can start by increasing the encryption. That is the only thing they need to improve. The rest is good.

View full review »

The firewall throughput is limited to something like 1.2 Gbps, but sometimes we require more. Cisco makes another product, Firepower Threat Defence (FTD), which is a dedicated appliance that can achieve more than ten or twenty gigabits per second in terms of throughput.

I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved.

View full review »

There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.

View full review »

The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. 

The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.

View full review »

It's already pretty good. In terms of functionality, there isn't much to improve. There could be more bandwidth and better interface speed.

View full review »

We're reaching [the point] where we want it to be. If you go 10 years back, we did miss the bus on bringing in the virtual versus the physical appliance, but now that we have had it, the ASAv, for a few years, I think we are doing the right things at the right place. 

The only improvement that we could make is maybe [regarding] the roadmap, to have better visibility as to what we are targeting ahead in the next few quarters. That is where we, as partners, can also leverage our repos with our customers and making them aware that there might be some major changes that we may have to introduce in their networks in the near future.

View full review »

Cisco wasn't first-to-market with NGFWs. That is one of the options now. They did make an acquisition, but other vendors got into that space first. I would tell Cisco to move faster, but everything moves at the speed of light and it's hard to move faster than that. But they should look at what other vendors are doing and try not only to be on the same wavelength but a little bit better. It's hard to be critical of Cisco given that they pave the way a lot, but they should see what their peers are doing and try to emulate that.

In terms of additional features, perhaps there could be some form of integration with the cloud. I don't know how much appetite we would have for that given the principle of keeping a lot of the sensitive data on-prem. But some integration with the cloud might be useful, given that the cloud is everything you see these days. We have our on-premises devices, but maybe they could provide an option where it fails over to a cloud in a worst-case scenario.

View full review »

I would like it if they made the newer generation a bit simpler. You can do ASA code and FXOS. It is just a bit confusing with the newer generational equipment on what it can do.

View full review »

When I deal with other firewalls like Palo Alto or Fortinet, I think there is some room for performance tuning and enhancement of the ASA. I'm not saying there is a performance issue with the product, but when compared to others, it seems the others perform a little bit better.

There could be enhancements to the cloud part of the solution. It's good now, but more enhancements would be helpful.

Finally, security generally requires integration with many devices, and the management side of that process could be enhanced somewhat. It would help if there was a clear view of the integrations and what the easiest way to do them is.

View full review »

We have the ASA integrated with Cisco ISE for network access control. The integration was done by our local Cisco partner. It took them about a month to really get the solution up and running. I would like to believe that there was some level of complexity there in terms of the integration. It seems it was not very easy to integrate if the experts themselves took that long to really come up with a working solution. Sometimes we had to roll back during the process.

Initially, when we put it up, we were having issues where maybe it would be barring things from users completely, things that we wanted the users to access. So we went through fine tuning and now I think it's working as we expect.

View full review »

Sometimes there is a lack of performance. One of my colleagues is using the firewall as an IPS, but he is worried about Firepower's performance. It is much lower than we expected. They need to improve the performance a lot. With the 10 Gb devices, when it gets to 5 Gbps, the CPU usage goes up a lot and he cannot manage the IPS.

View full review »

Most of the firewalls almost 90%, 95% of the firewalls will move to GUI. This is the area which needs to be improved. The graphical interface and the monitoring level of the firewall need to be worked on. 

Most of us are using the monitoring software where we get the alarm, then details of the servers, et cetera. This aspect needs to be much updated. 

From just the security point of view, in the security, it needs to be updated every day and every week. It is getting better day by day, however, from a monitoring point of view is not the same view as we have on the different monitoring servers or monitoring software, such as PRTG and Solarwinds. It needs to be changed and improved.

Cisco has launched its multiple products separately. Where there's a new version of the hardware, there is Firepower in it. However, there must be a solution for an integrated version that includes everything in your network and your firewall as well so that you can manage and integrate from the same web portal without going to every device and just configuring it and just doing everything separately. 

It would be ideal if a solution can be configured separately and then managed centrally on one end.

We have more than one Cisco firewall and it is difficult for me to integrate both on the single UI. If I have three firewalls and one is a normal firewall, I need to configure everything separately. I can't have it on the same port or integrated on the same single IP or bind it something like it.

View full review »

In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth. It's definitely usable, though. You can get a lot of good information out of it.

It's hard to stay on the bleeding edge on firewalls because you have to be careful with how they integrate with Firepower. If you update one you have to update the other. They definitely have some documentation that says if you're at this version you can go to this version of Firepower, but you need to be careful with that.

View full review »

Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.

View full review »

Since most features are license based and some licenses are time-based, there should be a way for the device to alert via SNMP that licenses are about to expire. Also, I would like to be able to use both the IPS and CX modules simultaneously, instead of one or the other.

View full review »

It should be easier for the IT management or the admin to configure products. For example, the firewall products are not very straightforward for many users. They should be easier to configure and should be more straightforward. 

Some competitors are very easy to configure, you don't need to spend a lot of time reading the documents and learning them.

View full review »

This product has a lot of issues with it. We are using it in a limited capacity, where it protects our DR site only. It is not used in full production.

The main problem we have is that things work okay until we upgrade the firmware, at which point, everything changes, and the net stops working. As a financial company, we have a lot of transactions and when the net suddenly stops working, it means that we lose transactions and it results in a huge loss.

We cannot research or test changes in advance because we don't have a spare firewall. If we had a spare then we would install the new firmware and test to see if it works, or not. The bottom line is that we shouldn't have to lose the network. If we upgrade the firmware then it should work but if you do upgrade it, some of the networks stop working. 

View full review »

The solution is overcomplicated in some senses. Simplifying it would be an improvement.

View full review »

We have an older version of the ASA and there are always improvements that could be made. Nowadays, nobody is in the office, so I need to figure out how to put the firewall outside. If I could have a centralized firewall that also receives information from external locations, like peoples' home offices, that would help us consolidate everything into one appliance.

View full review »

Sometimes, it is not easy to troubleshoot. You need to know where to go. It took me quite awhile. It's like, "Okay, if it doesn't go smoothly here, then go find the documentation." Once you do it, it is not so bad. However, it is sometimes a steep learning curve on the troubleshooting part of it.

View full review »

Most of the features don't work well, and some features are missing as well. The completeness of the solution is most important for me. It should be complete, but some parts are missing. Cisco should improve it.

Every part of the features should be developed. That includes the next-generation firewall parts, such as application recognition.

View full review »

The ease of use needs improvement. It is complex to operate the solution. The user interface is not friendly.

View full review »

It doesn't have Layer 7 security.

View full review »

An area for improvement is the graphical user interface. That is something that is coming up now. They could make the product more user-friendly. A better GUI is something that would make life much easier. Traditionally, Cisco products have been command-line-based.

View full review »

There is huge scope for improvement in URL filtering. The database that they have is not accurate. Their content awareness and categorization for URL filtering are not that great. We faced many challenges with their categorization and content awareness. They should improve these categorization issues.

View full review »

It can probably provide a holistic view of different appliances because many customers do not have only one brand, besides the traditional SNMP protocols, to cover all their devices. There are some specific requirements in terms of configurations or actions that sometimes have to be done in a very manual way because of the different versions or brands in a customer's infrastructure.

It could also have some additional analytics capabilities. It has some very interesting ways to monitor the traffic and identify false positives from the architecture and the environment. It would be good if there is a way to patch with some other industry-specific solutions and synchronize some of the information, such as what other customers experience in their operations and probably share some additional information that could be leveraged or shared among the industry. Such information would be something interesting to see. It could have AI capabilities related to how the appliances could benefit from learning the current environment and different exposures.

View full review »

Its interface is sometimes is a little bit slow, and it can be improved.

When you need to put your appliance in failover mode, it is a little difficult to do it remotely because you need to turn off the appliance in Cisco mode. 

In terms of new features, it would be good to have AnyConnect VPN with Firepower. I am not sure if it is available at the moment.

View full review »

The FMC could be a little bit faster.

It will be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.

View full review »

It would be good if Cisco made sure that the solution supports all routing protocols. Sometimes it doesn't.

View full review »

I would like to see them update the GUI so that it doesn't look like it was made in 1995.

View full review »

The visibility for VPN is one big part. The policy administration could be improved in terms of customizations and flexibility for changing it to our needs.

View full review »

The Firepower FTD code is missing some old ASA firewalls codes. It's a small thing. But Firepower software isn't missing things that are essential, anymore.

View full review »

The intelligence has room for improvement. There are some hackers that we haven't seen before and its ability to detect those types of attacks needs to be improved.

There is a bit of an overlap in their offerings. Which causes clients to overpay for whatever they end up selecting. 

View full review »

I think Cisco would benefit from comparing its solutions to other products. There is a lot to learn from solutions like Palo Alto or FortiGate. These are top security products. For example, Palo Alto has better inspection visibility than Cisco. When we ask customers about Palo Alto, they say "I like Palo Alto. It helps me see problems on time. I can audit everything through it." Cisco could improve in this regard. Cisco's inspection visibility could be better. 

View full review »

We are replacing ASA with FTD which offers many new features. 

View full review »

Cisco should work on ASDM. One of the biggest drawbacks of Cisco ASA is ASDM GUI. Cisco should improve the ASDM GUI. The configuration through ASDM is really difficult as compared to CLI. Sometimes when you are doing the configuration in ASDM, it suddenly crashes. It also crashes while pushing a policy. Cisco should really work on this.

View full review »

Regarding the solution's ability to provide visibility into threats, I'm not as positive about that one. We had an event recently where we had inbound traffic for SIP and we experienced an attack against our SIP endpoint, such that they were able to successfully make calls out. There is no NAT for that. So we opened a case with the vendor asking how this was possible? They had to get several people on the line to explain to us that there was an invisible, hidden NAT and that is how that traffic was getting in, and that this was by design. That was rather frustrating because as far as the troubleshooting goes, I saw no traffic.

Both CTR, which is gathering data from multiple solutions that the vendor provides, as well as the FMC events connection, did not show any of those connections because there wasn't a NAT inbound which said either allow it or deny it. There just wasn't a rule that said traffic outside on SIP should be allowed into this system. They explained to us that, because we had an outbound PAT rule for SIP, it creates a NAT inbound for us. I've yet to find it documented anywhere. So I was blamed for an inbound event that was caused because a NAT that was not described anywhere in the configuration was being used to allow that traffic in. That relates to the behavior differences between the ASAs and the FirePOWERs and the maturity. That was one of those situations where I was a little disappointed. 

Most of the time it's very good for giving me visibility into the network. But in that particular scenario, it was not reporting the traffic at all. I had multiple systems that were saying, "Yeah, this is not a problem, because I see no traffic. I don't know what you're talking about." When I would ask, "Why are we having these outbound calls that shouldn't be happening?" there was nothing. Eventually, Cisco found another rule in our code and they said, "Oh, it's because you have this rule, that inbound NAT was able to be taken advantage of." Once again I said, "But we don't have an inbound NAT. You just decided to create one and didn't tell us."

We had some costs associated with those outbound SIP calls that were considered to be an incident.

For the most part, my impression of Cisco Talos is good. But again, I searched Cisco Talos for these people who were making these SIP calls and they were identified as legitimate networks. They had been flagged as utilized for viral campaigns in the past, but they weren't flagged at the time as being SIP attackers or SIP hijackers, and that was wrong. Obviously Talos didn't have the correct information in that scenario. When I requested that they update it based on the fact that we had experienced SIP attacks for those networks, Talos declined. They said no, these networks are fine. They should not be considered bad actors. It seemed that Talos didn't care that those particular addresses were used to attack us.

It would have protected other people if they'd adjusted those to be people who are actively carrying out SIP attacks against us currently. Generally speaking, they're top-of-the-game as far as security intelligence goes, but in this one scenario, the whole process seemed to fail us from end to end. Their basic contention was that it was my fault, not theirs. That didn't help me as a customer and, as an employee of the credit union, it certainly hurt me.

View full review »

I would like the ability to pick and choose different features of it to run in a packaged infrastructure or modules, therefore I would like to have more customizability over it. 

It seems very clunky and slow. I would like to be able to tune it to be a more efficient product.

View full review »

Being able to incorporate third party rules as the SourceFire rules often lag behind current threats. When the latest zero day or other threats hit the market and are high value threats, most departments want to have these signatures available and able to deploy automatically. SourceFire makes this a manual process with third party rules.

View full review »

I would like more features in conjunction with other solutions, like Fortinet.

View full review »

The ability to better integrate with other tools would be an improvement.

View full review »

There needs to be an improvement in the time it takes to deploy the configurations. It normally takes two to four minutes and they need to reduce this. The deployment for any configuration should be minimal. It's possibly improved on the very latest version. 

An additional feature I would like to have in Firepower would be for them to give us the data from the firewall - Cisco is probably working on that. 

View full review »

I have worked with the new FTD models and they have more features than the ASA line.

View full review »

We would like to see improvement in recovery. If there is an issue that forces us to do recovery, we have to restart or reboot. In addition, sometimes we have downtime during the maintenance windows. If Cisco could enhance this, so that upgrades would not necessarily require downtime, that would be helpful.

We would also like to have a solution on the cloud, where we could manage the configuration. CDO is in the ASA mode. If Cisco could do it in full FTD — the configuration, the administration, and everything — it would be very good, and easy.

View full review »

The service could use a little more web filtering. If I compare it to Cyberoam, Cyberoam has more the web filtering, so if you want to block a website, it's easier in other solutions than in Cisco. I think in Cisco it's more complicated to do that, in my opinion. 

It could also use a better web interface because sometimes it's complicated. The interface sometimes is not easy to understand, so maybe a better interface and better documentation.

View full review »

The two areas that need improvement are the URL filtering and content filtering features.

These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.  

View full review »

Even on a smaller scale, people are finding you need HA pairs, and there's no way that the ASA can do that, at least in the virtual version. We needed the ability to failover to one of the others to do maintenance, and this is a glaring issue. However, it is one of their cheaper products, so its understandable. It is just that we would hope by now, because it has been in use in a lot of different environments, for even moderately sized companies, the ability to have HA pairs would be extremely useful.

View full review »

FMC could be improved because management with FMC is quite difficult compared to using Firepower web-based management.

View full review »

When we bought it, it was really powerful, but with the emerging next-generation firewalls, it started to lack in capabilities. We couldn't put application filtering, and the IPS model was kind of outdated and wasn't as useful as the new one. For the current state of the network security, it was not enough.

One thing that we really would have loved to have was policy-based routing. We had a lot of connections, and sometimes, we would have liked to change the routing depending on the policies, but it was lacking this capability. We also wanted application filtering and DNS filtering.

View full review »

FirePOWER does a good job when it comes to providing us with visibility into threats, but I would like to see a more proactive stance to it. Maybe more of an IDS approach. I don't know a better way to say it, but more of a heavier proactive approach rather than a reactive one.

View full review »

Cisco makes horrible UIs, so the interface is something that should be improved. Usability is poor and it doesn't matter how good the feature set is. If the UI, whether the command-line interface or GUI, isn't good or isn't usable, then you're going to miss things. You may configure it wrong and you're going to have security issues.

Security vendors have this weird approach where they like to make their UIs a test of manhood, and frankly, that's a waste of my time.

The SNMP implementation is incredibly painful to use.

View full review »

In the future, I would like to be able to use an IP phone over a VPN connection.

View full review »

It would be ideal if the solution offered a web application firewall.

We've had some issues with stability.

The solution has some scalability limitations.

The firewall itself has become a bit dated.

The pricing on the solution is a bit high.

Some individuals find the setup and configuration challenging.

View full review »

They should improve their interface and ensure that people actually know what they're doing before they start programming; that would make me happy. But that's never going to happen — it's a total pipe dream.

Some of the next-generation stuff that Cisco is doing now allows you to add web filtering and provides more security inside the device. That's why we were looking at the Next-Generation Firewall.

View full review »

I would definitely say the pricing could be improved. If you're going to get the latest and greatest of this solution, it's very expensive and it's actually the reason my organization is moving away from it.

I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it.

View full review »

My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. 

They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA.

Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers' thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA.

I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough. 

View full review »

Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.

View full review »

It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement.

Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems.

It should have multiple features available in single product, e.g., URL filtering and a replication firewall.

View full review »

If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. 

I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to login into the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.

View full review »

The ASA is an almost perfect device.

View full review »

I started to configure the device with version 7.2. After that, I had a problem. It was not a physical problem. It was a software problem. They advised me to install 7.0. I uninstalled and reinstalled everything. It took time, but it started to work normally.

I am not a programmer, but on the business side, they should fix all such issues in the future. We are Cisco partners, and when we recommend Cisco FirePower to customers, they always think that FirePower is bad. For a single installation of FirePower, if I have to write about 18 tickets to Cisco, it's a big problem. There was an issue related to Azure. We had Active Directory in Azure. The clients had to connect to FirePower through Azure. We had a lot of group policies. After two group policies, we had to make groups in Azure, and they had to sign in and sign back. It was a triple-layer authentication, and there was a big problem, so we didn't use it.

View full review »

It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.

View full review »

To configure the FirePower it is required an external console. It would be nice to have the console embedded in the Firewall so you don't require an extra device. I'd like to see some kind of SD-WAN included as a feature. 

View full review »

The annual subscription cost is a bit high. They should try to make it comparable to other offerings. We have a number of Chinese products here in Pakistan, which are already very cheap and have less annual maintenance costs compared to Cisco.

View full review »

My concern in the 21st century, with ASA, is the front-end. I think Cisco missed the mark with all the configuration steps. They are a pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But the front-end configuration is very tough. They probably still make a good profit even with the front-end being difficult, but it's not easy. It's not user-friendly. All the configuration procedures are not user-friendly.

Also, they launched the 1000 series for SMBs. They have all the same features as the enterprise solutions, but the throughput is less and, obviously, the price is less as well. It's a very nice appliance. However, imagine you buy one, take it out of the box to connect it and the device needs one hour or two hours to start up. That is a pain and that is not appropriate for the 21st century. They should solve that issue.

Another issue is that when you integrate different Cisco solutions with each other, there is an overlap of features and you need to turn some of them off, and that is not very good.  If you don't, and you have overlap, you will have problems. Disabling the overlap can be done manually or the solution can identify that there is already a process running, and will tell you to please disable that function.

For today's threats, for today's reality, you need to add solutions to the ASA, either from Cisco or from other vendors, to have a full security solution in an enterprise company.

View full review »

There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue.

Some of the features should be baked-in by default.

View full review »

I tried to buy licenses, but I had trouble. Their licensing is too expensive.

If they can get the reporting to go into deeper detail, it would really be helpful because in order to get the reports in Cisco you have to go to look at the information that you don't necessarily need. 

Also, the pricing is quite high. 

View full review »

The overall application security features can be improved. 
It could also use a reporting dashboard. 

View full review »

At times the product is sluggish and slow.  Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is. 

View full review »

I would like for them to develop better integration with other security platforms. I would also like for them to make the Cloud configuration easier. 

View full review »

We didn’t find any huge issues. Obviously, there are always vulnerabilities that come up and there was one in early 2018 but this was patched with software updates.

Admin rights need to be given out carefully as they give overarching control to all devices - but that’s the same for everything.

View full review »

The artificial intelligence and machine learning (behavioral based threat detection), which I can this will be coming out in another year, these are what we need now.

View full review »

Multiple WAN connections: Even though you can implement more than one interface to outside connections, it is lacking on load balances, etc.

View full review »

The needed features are already being done on Firepower, but this software is still in flux. 

View full review »

Firewalls, in general, were not really designed for normal IT personnel, but for firewall and network experts. Therefore, they missed a lot of options and did not provide any good reporting or improvement options.

For example, to update or add a feature, you end up buying new support and licenses. The process is complex and changes so rapidly that you won't find a salesperson who will offer you the right products.

New generation firewalls are cloud managed or provide a good interface. They integrate into the environment. They are application aware and come with security features that are especially designed for the purpose.

View full review »

More centralization and simplification of product lines would help most engineers, but I think licensing is the key here. Most organizations won’t pay the money to have ELA licensing, so all the individual licenses for these products can be overwhelming. Plus, they never really synch for expiration time.

This is mainly due to reliance on other Cisco products and licensing. For example, Palo Alto includes several features in one whereas Cisco requires multiples. However, I still think Cisco offers great products but to get a "10" they might consolidate devices or simplify licensing.

View full review »

Cisco ASDM is a problem because it is old.

View full review »

I would like to see them add more next-generation features so that you don't need a lot of appliances to do just one task. It should be a single solution.

View full review »

It is hard to control the bandwidth of end-users with a Cisco Firewall. That is the main issue I've faced. I used Mikrotik for many years for this very reason. Mikrotik has the option to set a bandwidth restriction for a single IP or complete segments. Cisco should add this option to their firewall.

View full review »

The visibility the solution gives when doing deep packet inspection can be complex. I really like the visibility, but it's not always intuitive to use. I also help other customers. We are a contracting company that implements their solutions, and I've found that it's not always easy to get everyone to utilize some of the visibility features. But for me personally, I think they're very valuable. 

The ease of use when it comes to managing Cisco Firepower has a lot of room for improvement. When monitoring a large set of firewall policies, the user interface could be lighter. It's sometimes heavy in use, and there could be improvements there. I know they're trying to make improvements.

It's mainly the UI and the management parts that need improvement. The most impactful feature when you're using it is the user interface and the user experience.

View full review »

The configuration in Firepower Management Center is very slow. Deployment takes two to three minutes. You spend a lot of time on modifications. Whereas, in FortiGate, you press a button, and it takes one second.

Three years ago, the Firepower Management Center was very slow. The solution has improved a lot in the last couple of years. It is now faster. I hope that continues to improve. 

View full review »

The graphical interface should be improved to make the configuration easier, to do things with a single click.

There should be better integration with open-source products because some of our clients use them. It would be helpful if they integrated well.

View full review »

One feature I would like to see, that Firepower doesn't have, is email security. Perhaps in the future, Cisco will integrate Cisco Umbrella with Firepower. I don't see why we should have to pay for two separate products when both could be integrated in one box.

View full review »

The performance and the level of throughput need to be improved. This would make things easier for us.

I would like to see the inclusion of more advanced antivirus features in the next release of this solution.

Adding internet accounting features would also be a good improvement.

View full review »

One way the product could be improved is if you could monitor more than one rule at a time. We only have the option to have one monitor window up at a time if you're trying to troubleshoot something you end up switching back-and-forth and don't get the bigger picture all at once.

It's reliable and it does its job. It gives you the freedom to do other things while you get indications of any issues. The multi-monitor would be a huge improvement.

I'd definitely recommend the product. Even when you set it up for the first night, it definitely will tell you the status of the network. The important part in the setup is following the instructions to get it going.

View full review »

I don't have any experience with the price, but ASA is a comprehensive solution.

In the next update of the Cisco ASAv, I would like to see them release a patch for ASAv, i.e. to put the FirePower solution into the cross-platform integration.

View full review »

There definitely is room for improvement. We found it difficult to publish an antenna plug with the ASDM. Cisco should make the interface for the firewall more simple. 

View full review »

They should develop a web interface that is actually useful. Currently, we still have an issue where you have to go in and do manual configuring by the command line if you want certain functions in it. This means that we need to find people at a higher technical level to be able to do changes in those things. It would be much easier if you had a more friendly user interface basis where you don't have to go in and do the command line off.

They should be a little bit faster sometimes in updating their threat protection. Cisco should redo their website so it's actually usable in a faster way.

View full review »

The solution that we have right now doesn't do what I want it to do. We don't have a ratified solution for all the things that I wanted to right across our business. We're doing similar functions using different technology and I want ratification. I want to be able to do more than what we are currently able to do with the existing service, all under the umbrella of improving security.

View full review »

There are many areas for improvement despite the fact that we love the product, but because it is a newer version we’ve been working out lots of issues. Some of those issues are based on our environment.

View full review »

web filtering needs to improve because cisco firepower sync with bright cloud website for the website category. sometimes your URL is falling in the wrong category because of the bright cloud. so if you want to change the category you will have to drop the mail to the bright cloud and they will take action and it's a very long procedure. 

View full review »

The product line does not address the SMB market as it is supposed to do. Cisco already has an on-premises sandbox solution. They should include a cloud-based sandbox as part of the security subscription service. In my experience, apart from the expensive price, SMB customers are lured away by other vendor solutions because of these reasons.                      

View full review »

I would say the pricing could be improved. It's quite expensive, especially for the economy.

I'd like to see them more integration so that I don't need other parties for protecting my network. If I could just have ASA firewalls for perimeter protection and LAN protection, then I'm good. I don't need so many devices.

I would like to see improvements for client protection.

View full review »

• Interaction with the equipment
• Different interface with the product 
• A more simple procedure in delivering policies to the equipment  
• Simplified upgrade procedure
  
• Tracking flows
• Monitoring and logs should be easier.

View full review »

Area : URL filtering and content filtering.

When Cisco ASA is presented as an enterprise firewall, that should be capable doing IPS/IDS, firewalling, VPN concentrator, application filtering, URL filtering and content filtering.

Of course, the last three technologies can do by a proxy. But nowadays, all next generation firewalls like Fortinet, Check Point, and Palo Alto are each bundling the UTM features into a single box with multiple separate content processors (hardware) to do these jobs.

This would enable single pane glass for management. No need to look at different devices for change management and troubleshooting.

I would say Cisco ASA is the best except for its URL and content filtering module. And these modules in ASA are not straightforward, rather complex in managing the device.

View full review »

It's not perfect, and does have room for improvement with certain features.

The SSL VPN is, and always has been, painful to configure and the Java plugin does not guarantee a uniform deployment.

Certain documentation on the newer models of ASA (specifically, ASA 5500-X with FirePower services) is a little out of date and in some cases incorrect, although this may have been corrected since my last deployment.

View full review »

I’m not a fan of the new modular licensing model. Cisco moved from a base license to an a la carte SaaS model a couple of years back, wherein the customer is required to pay for feature sets on a case-by-case basis. This makes it difficult for people who want to study and trial new technologies and features.

View full review »

• The SSL VPN portal could be better.
• The ASAs support both IPSEC as an SSL VPN.
• For IPSEC you need a Cisco VPN client.
• You can only have two SSL VPN sessions.
• For more SSL sessions you have to pay (750 IPSEC sessions are included with an ASA).
• With SSL, you connect through a browser, so it is clientless. The SSL portal offers a few functionalities which you can offer a user. Configuring this portal is not an easy task.

View full review »

After Firepower V6.1, Cisco added bandwidth shaping on the FTD product. This feature is a little bit weak. You cannot have customized shaping in different projects.

View full review »

WCCP, and URLs, in the Cisco ASA Context both need work. When changing from single mode to multiple mode or back, the commands must be done from the command line (CLI) and cannot be done via the ASDM GUI interface. ASA context should be able to support site-to-site VPN, but the current Cisco Context does not support VPN

View full review »

The initial setup can be a bit complex for those unfamiliar with the solution.

There are better solutions in terms of border security. Palo Alto, for example, seems to be a bit more advanced. 

The cost of the solution is very high. Fortinet, as an example, has good pricing, whereas Cisco has very high costs in comparison.

View full review »

The initial setup could be simplified, as it can be complex for new users.

View full review »

Technical support could be improved, they take a long time to respond. 

View full review »

The management of the application can be improved with enhancements to the user interface.

I would like the ability to drill down into certain reports because currently, that cannot be done. In fact, this is one of the reasons that we want to move away from Cisco. Better reporting tools would be an improvement.

View full review »

I'm not really sure that much has to be improved. Compared to other firewall solutions probably the thing that could be improved is the interface — the GUI. Other than that I don't think there is anything else that could be better. I think it is a great product.

View full review »

The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground-on-up.

View full review »

• I would like to see more improvements made to the dashboard and UI, as well as to the reporting, the reporting is quite limited and not user friendly. 
• I would like them to consider offering more predefined security templates.
• Technical support product knowledge, licensing portal, activation process will need to be improved. 
• The configuration is not straightforward, Cisco will need to improve this so the user can easily pick up the product.
• Bugs are more than other firewall competitors, some bugs are quite serious. 

View full review »

Cost, it's very expensive. To migrate from a Cisco ASA 5550 and not drop in performance, you have to go to a Cisco ASA 5555-X with FirePOWER. To fully use the Cisco FirePOWER IPS, AMP and URL filtering, you are forced to (MUST) buy the Cisco FireSIGHT management centre. You also have to buy licensing for Cisco AnyConnect VPN client

View full review »

It would be ideal if the solution offered more integration capabilities with other vendors. For example, if you had a web security appliance, it would be great to be able to integrate everything in order to better report security events.

While I can't think of specific features I'd like improved, overall, they could do more to continue to refine the solution.

It would be nice if you didn't have to configure using a command-line interface. It's a bit technical that way.

View full review »

On the VPN side, Firepower could be better. It needs more monitoring on VPNs. Right now, it's not that good. You can set up a VPN in Firepower, but you can't monitor it. 

Firepower Management Center is slow. It could be better. And the Firepower Device Manager doesn't have all the features that the ASA has, and that's despite the fact that it's almost the same product. Cisco could use many more features from ASA in Firepower Device Manager.

View full review »

Cisco ASA Firewall could improve by adding more advanced features such as web filtering, which is available in the next-generation firewalls. However, the Cisco ASA Firewall I am using could be old and these features have been updated.

View full review »

There are other solutions that are better such as Palo Alto.

The management test needs improvement. The ACM requires Java and you need to know which version of Java is compatible with your Cisco version. It needs a client.

The pricing could be reduced.

I would like to see the issue with the client resolved. You shouldn't have to use the ASDM to help manage the client. Also, it should be subscription-based similar to Palo Alto.

View full review »

In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline. Nowadays IoT, Big Data, AI, Robotics, etc. are all evolving and shifting from automatic to intelligent. All brands that do not follow will be extinct.

View full review »

I would like for the user interface to be easier for the admin and network admin. I would also like to be able to access everything from the GUI interface. The way it is now, it needs somebody experience in iOS to be able to operate it. I would like to have a GUI interface. 

It should have integrated licenses with our other products. There should be a license bundle, like for firewalls and iOS. It would be better if it was a bundled license. 

View full review »

Some of the features, like the stability, need to be improved. 

View full review »

The stability and the product features have to really be worked on.

View full review »

I would like to see real-time log systems because it's very helpful when you want to troubleshoot.

View full review »

It is a secure product. But, it is not very easy to configure. You need to be knowledgeable to be able to manage it. 

In addition, due to changes in management, we found Cisco slightly behind some of the competitors in the market. Furthermore, the internet protection system seems to be lacking, in comparison to some of the competitors. This is why we are currently looking at other possible solutions.

View full review »

The Cisco ASA device needs overall improvement, as configurations alone do not completely secure my network. The operational procedures in use on the network contribute as much to security as the configuration on devices.

View full review »

I would like to see new SW versions being more stable and HW performance increase. However, the new 2000 series has high performance, but it is not shipped widely so far.

View full review »

The next generations part of these products need a better approach. A lot of vendors are definitely a step or two in front of them.

View full review »

Some ASA known features are still missing, but are being added bit by bit in each new version release, such as:

• Remote Access VPN (the last release only supported the 2100 series): The next firewall model version is expected to support Remote Access VPN in the next software release in July 2017.
• Virtualization of the appliance (multiple contexts) is still missing.
• You always need an external management system, the onboard one is not very good. You have to use FMC, FirePOWER Management Center, as external software. There's always an add-on, whereas all the competition has an onboard management interface.

I would like to see more integration with third-party devices in general. There is great integration with Cisco devices, but there's not much integration with third-party devices.

View full review »

People tend to think of firewalls as firewalls and routers as routers. Going by the book, I had to create a number of static routes in the firewall so it could reach the various subnets in my client's internal network. I decided to turn on OSPF routing to simplify my deployment. This resolved a lot of issues with remote VPN and site-to-site VPN tunnels.

In my experience, a number of engineers get tunnel vision with devices. This is exacerbated by vendors fostering a silo mentality in disciplines.

I cannot name the organization, but a large national non-profit in the medical field had too many network configuration problems because of the silo mentality.

Large Cisco ASA units have the capability to act as routers. This particular non-profit would not enable routing on the ASA until I explained that it resolve a number of issues that they were experiencing and resolving by static routes, a second Cisco ASA, and a proxy server.

View full review »

The overall product line is sound, but I'd like to see a roadmap for SSL decryption as part of the ASA with FirePOWER solution.

View full review »

Its configuration through GUI as well as CLI can be improved and made easier.

View full review »

In terms of what could be improved, the UTM part should be more integrated for one price, because if you buy ASA from Cisco, you need to buy another contract service from Cisco as a filter for the dictionary of attacks. In Fortinet, you buy a firewall and you have it all.

I would like to see all the features like Fortinet has. If I buy ASA, I would like to see a Fortinet-like interface.

It would be good if Cisco could improve their web interface to configure the equipment. Cisco is very reliable and very secure, but has to compete with Fortinet which is very hard.

On a scale of one to ten, I would give Cisco ASA Firewall a nine.

View full review »

Cisco ASA is not a next-generation firewall product.

View full review »

One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes.

If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.

View full review »

I was trying to learn how this product actually operates and one thing that I see from internal processing is that it does fire-walling and then sends it to the IPS model and any other model that needs to be performed. For example, content checking or filtering will be done in a field processing manner. That is something that causes delays in the network, from a security perspective. That is something that can be improved upon. Palo Alto already has implemented this as a pilot passed processing. They put the same stream of data across multiple modules at the same time and see if it is giving a positive result by using an XR function. Something similar can be done in Cisco Firepower. Instead of single processing or in a sequential manner, they can do something similar to pile processing. An internal function that is something that they can improve upon.

They can also improve on cost because Cisco is normally expensive and that's the reason customers do not buy them.

Also, if they could provide integration with Cisco Umbrella, that would actually improve the store next level. Integration is one thing that I would definitely want.

From a technical perspective, maybe they could simplify the CLI. That is one thing that I would like to be implemented because Cisco ASA or Cisco, in general, is usually good at simple CLIs. That is one thing that I saw lacking in FTD. Maybe because they got it from another vendor. They're trying to integrate the product.

View full review »

I think the room for improvement of this solution is that there is a need for more of an application awareness capability. I just don't think it has the application awareness. It obviously looks at ports and what not, but it is not necessarily able to identify applications by their action, and what they're doing.

View full review »

The solution has two separate GUIs and at least three different CLIs (ASA CLI, Sourcefire CLI, and Firepower Management Center CLI). In addition, ASDM plus Firepower Management Center GUIs. If Cisco could stop rebranding, combine all the CLIs/GUIs, and give a consistent experience, this would be great. 

Also, AnyConnect is very difficult to manage and use. 

View full review »

You have to know the ASA command line very well because not all operations are available in the graphical interface (or let's say that sometimes it is better to operate with the ASA CLI).If you are searching for an "all in one product" it is not for you

View full review »

License politics, license price, precise vendor roadmap for this product.

View full review »

Only problem in my opinion is ease of use. You really need to know your way around the CLI and complex feature set to get things working. The ASDM GUI is good for some things but for the most part you'll need to stick to the CLI which is a bit difficult specially if you don't have a lot of experience around Cisco equipment.

View full review »

Cisco ASA lacks some functionalities, when compared with other vendors’ products. Cisco need to implement some more functionalities, like client-less VPN (HTML5), but I expect that Cisco will continue to add, and improve, features of the product. One of the features that should be improved is the URL filtering engine, as currently it has limited functionality. For full functionality, you will need an external URL filtering server, like Websense.

View full review »

When using this product, our network is slower. The performance should be improved.

The installation could be made easier.

View full review »

It would be a benefit to improve the integration with other similar products from other vendors on the market, for example, Huawei or Fortinet products. Comparing Cisco solution to others, it is expensive, it would be better for it to be cheaper.

View full review »

Cisco Firepower NGFW Firewall can be more secure. But no product is 100% secure, so it's a case of always wanting more security. The product is also really expensive. It would help if they provided free academic access to the enterprise edition for students for a whole month, two months, three months, or a year.

View full review »

In the next year, we are planning to migrate to the Cisco Firepower. Our planned product would be Cisco Firepower 20 or the 40 series.

In the next release, I would like to see the VPN and UTM features included.

View full review »

One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't think that the ASA is enough. I think this is why they created FTD.

Also, Cisco is not so easy to configure.

View full review »

There are quite a few things that can be improved. Firepower is an acquisition from another company, Cisco's trying to put it together. Their previous ASA code with the source file code that they have acquired a few years ago still has some features that are not fully supported.

Also, they have a Firepower source file that I can work on the ASA device and on Firepower devices. A problem here lies in the way that you manage these devices. Some devices do not support the FMC, and some devices have to be managed through ASDM, and others have to be managed through FMC.

Most of the high-end devices do not support Onboard management. The Onboard management is only supported on the 2100 IP at the 1050 Firepower and on select ASA devices that bear the Firepower image.

It would be very nice if the Onboard management integrated with all the devices. Log key loading for the evidence at the logs, because clearly you only have loading on the remote on the FMP, you cannot store the logs located on the device.

View full review »

I think the visibility of the network can be improved, at least from our current setup. I do not know everything about the solution and exactly how it can be modified.

Another way they can improve is their pricing. One thing I notice is about the price is that it would be good if they could adapt the price to the area where a company is. West Africa is not the same as in India or in the USA and it is much more difficult to afford. If Cisco can manage this for our people it would help us implement better solutions.

To upgrade to some Cisco solutions or features you have to invest resources to create the solution or pay the difference for that functionality to upgrade services or license. It is not really an all-in-one solution. So if Cisco could manage to build an all-in-one solution with most or all of the features we would be looking for in one solution, it would be better for us.

For example, if you want faithful service from the company and equipment, you have to pay more just to get the solutions. If it's included it would be easier for us to deploy.

View full review »

I see room for improvement when it comes to integrating all the devices into a central management system. Cisco doesn't provide this, but there are some good products in the market that can provide it.

Apart from the cost, I think Cisco is quite well-positioned in the market. Also, in terms of site capabilities, other companies are still in the lead. 

The price, integration, and licensing models are quite odd.

View full review »

The ability to integrate (as options) all-in-one features -- like anti-spam, anti-virus, etc.

View full review »

ASDM can be improved.

Also, a rollback option to a previous config in time will be a great option. Logging can be improved to a vast extent, I think Palo Alto has a pretty good logging structure.

View full review »

Some improvements required on GUI interface called ASDM. It should include health check parameters like temperature, memory used.

View full review »

The configuration/management interface is complex and can be confusing. Technical documentation is often sparse and can be incomplete when covering specific implementations.

View full review »

It is hard to collaborate with our filtered environment. 

If Cisco could combine the Bottleneck feature of ASA, their platform called Umbrella, and the other team they have that has similar malware protection into one, this would be perfect. 

View full review »

The solution could offer better control that would allow the ability to restrictions certain features from a website. For example, If we want to allow YouTube but not allow uploads or we want to allow Facebook but not allow the chat or to playing of videos. This ability to customize restrictions would be great.

View full review »

The program is very expensive.

View full review »

Cisco ASA should be easier to use. It is a bit tough to navigate and see what is going on. While I like the UI and dashboards of Cisco ASA, if you compare them to Palo Alto or Fortinet, they have much richer UIs. An analyst (or anyone) can see them, and say, "I have got all these important pointers on my dashboard." However, with Cisco ASA, we need to dig into many things and go to many views to see what is actually there.

View full review »

• Simplify licensing
• Do not combine the IPS module with the main operating system.
• In new products, leave the CLI.

View full review »

MSSP oriented interface: I would like a single console which would allow me to manage settings creating consistency across all customers.

View full review »

Prime manager is just for the CX line for now. CX features also add about a 30% overhead on throughput.

View full review »

This product lacks in GUI format; that needs to be more mature and composed.

View full review »

This solution could be more granular and user-friendly.

View full review »

The inclusion of an autofill feature would improve the ease of commands.

This solution would benefit from being more cost-effective.

View full review »

If there is old hardware, or old appliances, it does not necessarily work with the new Cisco generation firewalls.

View full review »

More intuitive support for SIP services are needed. This took a long time to configure properly for the user.

View full review »

It is on multiple boxes so ISP load balancing, multiple network load balancing would be helpful.

Also a web-based portal for VPN. Earlier they had it in the ASA model, but currently, they don't have it. The user needs to just click on the link so he can work.

View full review »

As of now, I can't find any flaws with the device or any improvement that I can suggest.

View full review »

Well tested software releases. We have had a number of bugs on the FirePOWER software across several clients which have been very inconsistent and have affected our ability to deliver.

View full review »

No idea -- I learn a lot from them

View full review »

The FirePOWER defense system has no integration with the firewall management of the ASA, I mean you can’t create ACLS, rules, VPNS NAT, and so on. All of this has to be done with the ASDM which, from my point of view, is very complex if you are not used to it, you should be able to manage the entire solution from one central software like Defense system, but right now you can’t. This is one of the biggest problems I see right now

View full review »

The content filtering on an application level is not as good as other solutions such as Palo Alto.

While the price is fair with all of the features that it has, it should be cheaper.

View full review »

The user interface isn't as good as it could be. They should work to improve it. It would make it easier for customer management if it was easier to use.

Cisco does not have a lot of web management. We have to use ASTM server management to make up for it.

View full review »

I think that there should be better security of other firewall appliances. Migration is another main issue. If you migrate from the ASA to the new Fire Power Threat Defense appliance, it is not an easy migration. You have to do some of the migration manually, and if you are relacing those firewalls it will take a long time. It should be a smoother migration process. Some of the new engineers are still not familiar with it, and I think that Cisco should rehire some of the engineers coming from Sourcefire to do so.

View full review »

I needed to be well-versed with all the command lines for Cisco ASA in order to fully utilize it. I missed this info and wasted some operational costs. I would like to advise others to please be wary from the start.

View full review »

The IPS and GUI are outdated. It is finally getting IPS inside, which will be a big improvement. The GUI is outdated, and they are slowly improving it. We will see if they go in the correct direction. Unfortunately, they usually just follow other vendors.

It is slowly not supported and other vendors are a few years ahead of Cisco in development.  

View full review »

It doesn't have a proper GUI to do troubleshooting, so most people have to rely on the command line.

Its a sort of legacy product nowadays. The firewalls which are the next generation have loads of features added to them, and they are all in one box.

It should have packets, deep level inspections and controls, like the features which other IPS solutions have. It just doesn't have any. It's just a box which does firewalling. 

Threat management features also should be added into it. 

So, the first thing is that the GUI has to be improved. The second thing is that the UTM features have to be added to it in a much broader way; not by relating to other third-party solutions which is how it is done right now. It should have built-in UTM features like other firewalls have now. Plus it should have the ability to analyze any packets which have malicious behaviors. Currently it doesn't have anything like that. It's just a layer-3 firewall.

Regarding the GUI, it's a very childish sort of attempt. It hasn't been improved since I started working with it. Yes, it shows the logs as they are but it doesn't have any option to do proper reporting.

View full review »

It would be great if they would add web filtering functionality to this product.

View full review »

Definitely the throughput could use an upgrade when running the SourceFIRE/AMP with the ASA. Also, it could use better troubleshooting capabilities. You are, most of the time, bound to have access to TAC for troubleshooting advanced problems.

View full review »

IPS, IDS, anti-virus etc. should be added to IOS instead of separate cards.

View full review »

The solution is difficult to use. There's more required than a typical firewall. It's different than, for example, Palo Alto and Fortinet, which we find are easier to set up. 

If the implementation was easier, it would be a lot better for us.

It would be such a great product for us if it was easier to manage.

View full review »

The cost is very high. Most organizations cannot afford it.

View full review »

In terms of improvement, we'd like to see a good graphical user interface. I'd also like to see the initial setup simplified. In comparison, if I were to implement the Fortigate firewall from scratch, it's a fairly simple set up. That is not the case with the ASA firewall, where you really need to have the skill and know what you're doing.

View full review »

The software was very buggy, to the point it had to be removed.

We are moving completely away from Cisco NGFW.  The product was pushed out before it was ready.

View full review »

Management console – Firesight Management Center.

When deploying Cisco FMC versions 6.0 and 6.1, some issues may appear when trying to register ASA sensors. The problem needs Cisco TAC involvement, adding more effort and time. I guess this will be fixed in version 6.2.

View full review »

• License politics
• License price
• Precise vendor roadmap for this product

View full review »

Change from Java for ASDM to HTML5. Better options to enable/disable site-to-site VPN tunnels.

View full review »

The VPN portion of the solution isn't the greatest.

The stability is not the best.

The solution is far too expensive.

View full review »

The SecureX ASA administration platform should be improved.

The orchestration of modules should be improved.

I would like to see the inclusion of a protocol that can be used to protect databases. This would be a good feature to have added.

View full review »

The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard.

They need a user-friendly interface that we could easily configure.

It would be beneficial to have some of the features that Cisco has, integrating with other types of security.

View full review »

Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall, for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compared to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.

View full review »

It's lacking one feature: VPN. That is a feature we're looking for. Otherwise, the new devices have very good support, and the performance is quite good.

Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good.

View full review »

ASDM needs to be able to customize applets.

View full review »

It would be useful to gather all security features in one box. For example, certain features like URL filtering and application control licenses need to be purchased separately and it depends on the hardware spec, as not all models are supporting these two features. This causes the user to be highly dependent on the pre-sales person.

View full review »

• Support for automation tools (Puppet)
• More granular logging

View full review »

• Throughput
• Price

View full review »

Extraordinary learning curve, especially if you do not have previous skill with Cisco PIX or routers. Even using the Java-based ASDM, it can take time to find your way. In addition, ASDM is not compatible with the latest version of Java (you will get an 'unconnected sockets' error). No support for DHCP reservations. I like to configure Servers and Printers this way, and cannot find any decent reason Cisco would not support it as they do on their routers and Layer 3 switches. View full review »

I do not like the assembly of this solution. For example, they should combine FirePOWER into one solution.

View full review »

They need to do an overhaul of the management console because they are still using the client-based management tool, which is quite outdated in terms of functionality and usability. The interface hasn't changed since the last generation many years back.

View full review »

With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management.

For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.

View full review »

Antivirus features must be integrated for end user security. They must be increased in the next version along with audit and restriction for the incoming user. Security must be increased when a new user connects over the LAN and an alarm must be generated.

View full review »

It needs more tunneling capabilities. 

View full review »

The product needs real-time logs to be able to monitor our services, so we can know if any our services have been blocked via the firewall or on the application side.

View full review »

The equipment is too expensive compared with other firewall products.

View full review »

Integration of advanced malware services with the firewall through Firepower services.

View full review »

L7 firewall is a key for the ASA to be competitive in the current and future market place. By integrating with SourceFire, now call FirePower, on the ASA has helped it to get into the next-generation firewall segment.

View full review »

I think the ASA layer is thin. It's always Layer 3 or Layer 4 source controller and doesn't control the Layer 7 traffic at all. It's important, and you'll need an additional firewall. 

All next-generation firewalls don't have much control over Layer 7, but there's a little bit of control for inspection. ASA never controlled Layer 7, and it's a bad point.

 I don't like to use ASDM, a graphical interface, and other solutions for ASA. I wouldn't say I like this, and it's not good(ASDM).

View full review »

We don't have any serious problems. The firewall models that we have are quite legacy, and they have slower performance. We are currently investigating the possibility of migrating to next-generation firewalls.

View full review »

This is an older product and has reached end-of-life.

View full review »

It needs improvement as a "Next-Generation" firewall solution. In addition, it needs to be more user-friendly. 

View full review »

We would like to see MS Word BPM as a feature. 

View full review »

Make the IPS baked-in. It is a good firewall, though not NextGen.

View full review »

It needs better documentation for when we present solutions to non-technical people. They need to bring together all the information, across the various firewalls, so that we can more clearly explain them.

Also, pricing could be better.

View full review »

I think it's the perfect Firewall for SME.

View full review »

The ADSM is incompatible with different versions of Java.

View full review »

• Recognition of appliances
• UTM features

View full review »

This product is managed using the Firepower Management Center (FMC), but it would be better if it also supported the command-line interface (CLI). Cisco's FTD devices don't support the command-line interface and can only be configured using FMC.

View full review »

In terms of next-generation capabilities, Cisco is a little behind. It is way behind leaders like Palo Alto, Check Point and Fortinet. While Cisco is headed in the right direction, it will take several years for it to get there.

View full review »

• Bandwidth allocation.
• SSL decryption (avoid installing the intermediate device certificate in the client) should happen from Firepower itself.
• Critical bugs need to be addressed before releasing the version.
• Need to reduce the time to for detection of new threats.
• Enable a feature for importing/exporting logs when required for analysis.
• Dynamic IP address in client systems mapping with respect to OS change or device change should be updated periodically in FireSIGHT management.
• Virtual patching would be helpful for servers that are not able to update patches due to compatibility issues.

View full review »

It should have an additional “operating mode”, like a “candidate configuration mode”, where you would have the possibility to test the changes you are going to implement and also the possibility to validate these changes.

In addition, a "testing" feature should be performed to let you know what would be the consequences of applying these new changes. Only after you would see the tests’ results (if they do not create any unwanted effect) would you go and commit them.

View full review »

An area of improvement for this solution is the console visualization.

View full review »

You need to have a little bit of knowledge to be able to configure it. Otherwise, it would be very difficult to configure because there is no GUI. The latest software available in the market has a GUI and probably zero-touch provisioning and auto-configuration. All these things are not available in our version. You need to manually go and configure everything in the switch.

In terms of new features, we would definitely want to have URL-based filtering, traffic steering, and probably a little bit steering in the bandwidth based on the per-user level and per-user group. We will definitely need some of these features in the near future.

View full review »

The product would be improved if the GUI could be brought into the 21st Century.

View full review »

The phishing emails could be improved. 

View full review »

• UTM features would be nice or some NextGen features. 
• The ASA has become a bit old and needs updating.

View full review »

• Integration aspects
• Traffic shaping

View full review »

Pricing of this product needs improvement.

View full review »

Some default inspection rules need better tuning. Focus development on CLI version.

View full review »

I would like to see the following made easier:

• Objects
• Removing objects
• Correlating access rules and AnyConnect ACLs

Sometimes we suffer from older versions, such as objects, object groups, and aliases (name).

View full review »

SSL decryption for modules. Although I think it is better to separate SSL decryption as a service from the software module since it requires additional hardware, but I think it would be great if there is an option to use the ASA (not the software module) to decrypt the SSL.

Ex: Add a license to decrypt SSL traffic on the ASA itself. The ASA already supports SSL VPN. So if SSL decryption can be integrated that would be nice.

View full review »

The product has been introduced with UTM i.e. FirePower, and I would like to use it and comment on it.

View full review »

The ASA has room for improvement in the areas of layers four through seven. I would love to see application specific control, e.g.Facebook, Gmail, etc.

View full review »

No improvement needed.

View full review »

1. When I integrate Cisco ASA with Cisco IPS it creates lots of problem such as an increase in CPU utilization - as a result I have to stop the IPS service. 2. Cisco ASA does not provide a flash card for free so I cannot back up the firewall configuration for disaster recovery. View full review »

-Latency and delay due to configuration and monitoring of multiple VLANS and traffic -Increases the delay as the firewall and IPS polices increase -We faced usually a problem with NATING View full review »

The solution needs to have better logging features.

Cisco needs to migrate its ASA Firewall to a management console or to a web console.

View full review »

The ASA needs to incorporate the different modules you have to integrate to achieve UTM functions, especially for small businesses.

View full review »

The cost of this product should be reconsidered.

View full review »

The price can be better.

View full review »

Intrusion prevention, we currently need to apply deep bracket inspection manually to use web filtering.

View full review »

The next-generation firewall could improve. Still, they have NGFW 5525 but I haven’t tried it yet.

View full review »

This product should have moved towards making UTMs.

View full review »

I would like it to be easier to work with and have a better user interface. It is not straightforward. You need to know the Cisco command-line interface.

View full review »

There is always room for improvement in virtually anything. However, the relatively new Firepower Threat Defense image (mix of ASA and Sourcefire network security) fills a lot of gaps and features that were missing on ASA. Moreover, with FMC (Firepower Management Console) you can complement it with even more admin and reporting capabilities for the entire platform.

View full review »

As it’s a GenX firewall, expertise for both implementation and troubleshooting the pain points can be a challenge. This could be a concern when companies are thinking about buying this product.

View full review »

• Integrated threat management
• Route-based VPNs: VPNs are weak as this product still does not support route-based VPNs. 
• Single management interface
• Better throughput for price point 

View full review »

• URL
• AVC
• Advanced malware protection

View full review »

They should make the ASA accessible via the web instead of ASDM. Also, a big improvement is needed on the transparent mode.

View full review »

The configuration is an area that needs improvement.

In the next release, I would like to see the UI include or provide web access, and more integration.

View full review »

We are looking for software taxi capabilities.   

View full review »

It could use more of a system interface.

The security features in the URL category need more improvement. 

View full review »

It could have more functions for load balance on the internet.

View full review »

Security through integrated cloud and software based services.

View full review »

The price and SD-WAN capabilities are the areas that need improvement.

In the next release, I would like to see more of the FortiGate features added. FortiGate is compatible with Cisco ACI, but I can't see Firepower with Security Fabric. For example, if I had Fortinet activated, could I integrate with it?

View full review »

it is not very user-friendly for the administration.

View full review »

HTTPs inspection and higher throughput/spec would be good. Now, it has been replace by Firepower, which is a lot faster. 

View full review »

The price and compatibility with other vendors' products can be improved.

View full review »

• Routing
• It needs GRE supports
• Application visibility
• Context

View full review »

The 5505 does not support multiple mode. While running this device on multiple mode you cannot use dynamic routing protocols or multicast routing. Also the IPSEC and SSL VPNs are not supported while running in multiple mode. sometimes analysis might take too long while performing DPI in real-time traffic. The product is expensive. A 5580 series costs more than $50000. View full review »

License capacity needs to be extended and the vendor needs to work on the pricing.

View full review »

Report generation is an area that should be improved.

View full review »

There are more powerful firewalls, other than the Cisco NGFW, like Fortinet, Palo Alto and so on. I can't say Cisco is the leading firewall brand as of now, as the technology innovates. 

View full review »

I need application user-IP blocking, Intrusion Prevention, QoS; I can't do these with Cisco and have to change it.

View full review »

Speed of execution and security options needs to be improved.

View full review »