Cisco Firepower NGFW Firewall Overview

Cisco Firepower NGFW Firewall is the #4 ranked solution in our list of best firewalls. It is most often compared to Fortinet FortiGate.

What is Cisco Firepower NGFW Firewall?

Cisco NGFW firewalls deliver advanced threat defense capabilities to meet diverse needs, from
small/branch offices to high performance data centers and service providers. Available in a wide
range of models, Cisco NGFW can be deployed as a physical or virtual appliance. Advanced threat
defense capabilities include Next-generation IPS (NGIPS), Security Intelligence (SI), Advanced
Malware Protection (AMP), URL filtering, Application Visibility and Control (AVC), and flexible VPN
features. Inspect encrypted traffic and enjoy automated risk ranking and impact flags to reduce event
volume so you can quickly prioritize threats. Cisco NGFW firewalls are also available with clustering
for increased performance, high availability configurations, and more.

Cisco Firepower NGFWv is the virtualized version of Cisco's Firepower NGFW firewall. Widely
deployed in leading private and public clouds, Cisco NGFWv automatically scales up/down to meet
the needs of dynamic cloud environments and high availability provides resilience. Also, Cisco NGFWv
can deliver micro-segmentation to protect east-west network traffic.

Cisco firewalls provide consistent security policies, enforcement, and protection across all your
environments. Unified management for Cisco ASA and FTD/NGFW physical and virtual firewalls is
delivered by Cisco Defense Orchestrator (CDO), with cloud logging also available. And with Cisco
SecureX included with every Cisco firewall, you gain a cloud-native platform experience that enables
greater simplicity, visibility, and efficiency.

Cisco Firepower NGFW Firewall is also known as Cisco Firepower NGFW, Cisco Firepower Next-Generation Firewall, FirePOWER, Cisco NGFWv.

Cisco Firepower NGFW Firewall Buyer's Guide

Download the Cisco Firepower NGFW Firewall Buyer's Guide including reviews and more. Updated: October 2021

Cisco Firepower NGFW Firewall Customers

Rackspace, The French Laundry, Downer Group, Lewisville School District, Shawnee Mission School District, Lower Austria Firefighters Administration, Oxford Hospital, SugarCreek, Westfield

Archived Cisco Firepower NGFW Firewall Reviews (more than two years old)

JT
Network Administration Lead at Forest County Potawatomi Community
Real User
Highlights and helps us catch Zero-day vulnerabilities traveling across our network

Pros and Cons

  • "The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through their IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network."
  • "The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it."

What is our primary use case?

We use them in multiple places on our network. We use them on the edge of our network, in more of the traditional sense for inbound and outbound filtering. We also use them as a center of our network between all of our users and servers, so that all user traffic going through our servers is IPS and IDS as well.

We have multiple Cisco 5000 Series firewalls and we also have a 4110 Series firewall, all running the FireSIGHT threat detection image. We keep that up to date within three months. If a new release comes out within three months, we're updating. The software deployment is on-prem.

How has it helped my organization?

We definitely feel that we're more secure now than we have been in the past. That goes back to those Zero-day vulnerabilities. An example would be some of the vulnerabilities with Adobe TIF files that were recognized. We run a document management system that wrote the extra, trailing zeros onto all the TIF files, and that was highly exploitable. The Cisco firewalls were able to catch that on the files traveling across our network and highlight it. Those are issues that, without the firewalls actually seeing the north-south traffic in our network, we just didn't have visibility into before. We were running blind and didn't even realize that we were vulnerable in those ways.

Cisco NGFW has excellent visibility through the constructs it has. New vulnerabilities come out and we have hit those multiple times thanks to their solution. We come in on a Monday and, all of a sudden, an application that was working on Friday isn't working. That's because a major vulnerability came out over the weekend. The firewalls, and being able to use the dashboards through FireSIGHT management, provide very good visibility into what's actually going on and why different items on the network are happening. Overall, I would say the visibility is very good.

In addition, among our multiple vendors for firewalls, etc., Cisco Talos really distinguishes Cisco from the Palo Altos and the Barracudas of the world. The work that they do to identify Zero-days and new threats out there, and then document all of that, is invaluable to our organization. I can't say enough about Cisco Talos.

What is most valuable?

The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through the IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network. Those items are capable of being exploited although they were not actually being exploited. Being able to see what those exploits are, the potential for vulnerabilities and exploits, is critical for us.

What needs improvement?

Cisco firewalls provide us with some application visibility and control but that's one of those things that are involved in the continuous evolution of the next-generation firewalls. We have pretty good visibility into our applications. The issue that we run into is when it comes to some of the custom apps and unusual apps that we have. It doesn't give us quite the visibility that we're looking for, but we have other products then that fill that gap.

There would also be a little bit of room for improvement on Cisco's automated policy application and enforcement. The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it. That's part of the reason that we don't do some of the policies, because management of it can be a little bit funky at times. There are other products that are a little cleaner when it comes to that.

For how long have I used the solution?

I've been using Cisco next-gen for at least four years.

What do I think about the stability of the solution?

Stability-wise, we haven't had too many issues. Before the next-generation firewalls, we used ASAs. In the 15-plus years that I've been using them I've only had one fail on me. Software-wise, we really haven't run into too many major bugs that we couldn't get workarounds for by working with TAC. Overall the stability is excellent.

What do I think about the scalability of the solution?

Scalability is also excellent. I don't have any complaints about it. As long as you're willing to put the money forward, they are very scalable, but it's going to cost you.

Their ability to future-proof our security strategy is also very good. They continuously improve on and add items, functionalities, and features to their software.

User-wise, the government side of our organization doesn't have that many. There are maybe 1200 altogether. We had to upgrade our 5555s to 4110s and our 4110s are just about maxed out. We're pushing the max of the capabilities of all the equipment that we have. The 4110s average about eight gigabits a second all day long, for about 12 hours a day, through each of the devices. There are terabytes of traffic that go through those things a day.

We're always increasing the usage of these devices. They are the core of our network. We use them as our core routers and all traffic goes through them. They are the integral part, the center of our network. They're everything for us.

We have three people on our network team who maintain the entire network, including those devices. 

How are customer service and technical support?

Cisco's technical support is very good, overall. I've only run into one or two instances in the last 20 years where I came away with a negative experience. Those were generally unknown bugs but I didn't appreciate the way they handled some of those situations. But overall, Cisco's technical support is better than most companies'.

How was the initial setup?

We used the Cisco partner for implementation, but overall it seemed pretty straightforward. The deployment has been an ongoing thing. I'd say that we're never done with deploying our firewalls because of that constant state of change of the network. But the original deployment took four to five weeks.

For the ongoing deployment, the amount of time something takes depends on what we're doing. We had some 5555 firewalls and all of a sudden they were no longer capable of handling the traffic that we send through. We had to operate those with 4110s. It all depends on what's going through them and what the scope of the project is. But most deployments take less than a week.

There is also the fact that when you upgrade FireSIGHT to the next version and there are new features, you have to go through all the firewalls and make sure that they're utilizing all those features. That's one of the reasons it's always ongoing. It depends on what's released, what's new, what's old, and keeping up on that.

What about the implementation team?

The partner that we utilized was Heartland Business Solutions, in Wisconsin.

Our experience with them, overall, has been pretty good. When it comes to the Cisco world, our organization's mix of experience comes in. There are items that we can do outside of the partner because we have some very talented individuals that work for us, some Cisco Certified individuals.

One issue is that, in their business, Heartland is always trying to upsell. They are an intermediary, they play that middle guy all the time, but there are items that we're capable of doing that they push. They don't really allow us to just run with it because they want to get the engineer time and the tech time. They want to make revenue off of some items that we're capable of doing. That would be one issue with them.

Another item that is frustrating has to do with the way they manage our Cisco licenses and Smart Nets for us. I'll give an example. We have Cisco firewalls across our entire network. Every year we have to buy the subscriptions for malware, and URL filtering, etc., to get full utilization out of them. All of our firewalls are subscribed to the max when it comes to IPS, IDS, and file inspection. To get the licenses, they have to know how many firewalls etc. we have. We have an issue where one of our firewalls went down — it's in an HA so we're still up and functional — but it's still in a down state and we're working through it right now. We contacted them because all of a sudden we found out, hey, we don't have Smart Net. We pay them to manage our Smart Net contracts because it can be quite a hassle.

The question is, how can we not have Smart Net on a product that we know that we own? To get the subscription they know that we have X number of firewalls. When they renewed Smart Net they should know that there are that X number of firewalls in there, but there weren't. We run into a lot of that. We buy subscriptions for this, or there are yearly costs associated with that, but then when we match it up to Smart Net, we find out we don't have Smart Net on it or vice-versa. They have the numbers for subscriptions so they should be able to take those numbers and make sure that the Smart Net numbers match up with them. Or, they have the numbers for Smart Net and should be able to make sure we have the proper subscriptions lined up with it as well. That's been a frustrating point for us.

Other than those couple items, we had really good luck with them and they've been really good to us.

What was our ROI?

We have absolutely seen return on our investment. For example, before Cisco started doing the AMP for Endpoints, just as an example of Cisco security overall, we had Norton Antivirus on all of our workstations and we ran McAfee across all our servers. Our helpdesk and support staff were cleaning up anywhere from six to 13 malware-infested PCs a week. It was a full-time job for two individuals going around and continuously cleaning these, even though we had McAfee and Norton, which are supposedly some of the better ones out there.

After deploying AMP, we might have one incident every three months that our helpdesk or support has to deal with. We freed up two full-time individuals. AMP definitely has a cost, but then you look at the cost to end-users of not being able to use their PCs, or of the payroll department not being able to run their reports for payroll because the PC is too slow because it's infected with malware. 

So not only was there the cost of the two IT resources we gained, but other departments also gained hours back by not losing their PCs and devices.

What's my experience with pricing, setup cost, and licensing?

Our subscription costs, just for the firewalls, is between $400,000 and $500,000 a year. In addition, there is Smart Net, but the subscription base is the most substantial. 

In an environment like ours where you're only looking at a little over 1,000 users, when you start figuring out it all, it's basically $400 a user per year to license our Cisco firewalls. Cisco is very good. From everything I've seen, I truly believe that they lead the industry in all of this, but you do pay for it.

Which other solutions did I evaluate?

There have been evaluations of other products over the years. We do layer some of them to filter things through multiple product vendors, so if there ever is a vulnerability with Cisco, hopefully one of these other ones would catch it, or vice-versa.

But we have never evaluated others with a view to potentially replacing Cisco in our network. That's because of Cisco's being the largest network company in the world. When you have Cisco, it's hard to go away from them for any reason.

When it comes to the firewall side, one of the major differences does have to do with Talos. I've been involved in networks where Palo Altos have been broken and owned by hackers. I've been brought in to work on networks that way. The solution in those cases has been to replace with Cisco, to get control of what's going on. A lot of that has to do with Talos and their frequency of updates and how well they do with all of the security items. That's probably one of the main reasons that we don't ever look at a replacement for Cisco. We'll use other products in conjunction with it, but never to replace it.

What other advice do I have?

My advice would be: Don't let the price scare you.

I would describe the maturity of our company's security implementation as "working on it." It is an evolving process. When it comes to the Cisco product line, we try to keep it as up to date as possible when they release new products. An example would be their DNA Center which we're looking at installing in the next year. From a product standpoint, we're pretty well off. From a policy and procedure standpoint, that is where we're somewhat lacking in our organization.

In terms of the number of security tools our organization uses, we have a lot of them. From a software standpoint, we use tools from eight to 12 vendors, but there is more than one tool from each. We have anywhere from 30 to 40 security suites that we run across our environment. When it comes to hardware manufacturers, Cisco isn't the only one that we use. We use products from three different hardware manufacturers and layer our security that way. The way this number of tools affects our security operations is that there's a lot of overlap. But there are different groups that look at and use each set of tools. It works because that way there are always the checks and balances of one group checking another group's work. Overall it works pretty well.

In terms of other products and services we use from Cisco, we're a Cisco shop. We have all of their routing and switching products, AMP for Endpoints for security, Cisco Prime Infrastructure. We also have their voice and whole collab system, their Contact Center. We have their CUCM as well as Unity Connection. A lot of our servers are Cisco UCSs, the Blade Servers are in our environment. We have Fabric Interconnects, fibre switches. Pretty well anything network related is Cisco, in our environment.

We do layer it. We do have some F5 firewalls deployed in front of the Ciscos. We have had Barracuda firewalls in line as well, along with spam filters, so that we get that layered security.

Cisco's cross-platform integration and data sharing between their products are very key. Cisco is really good at that. It's nice to be able to see the same data through multiple product sets and be able to view that data in different ways. Cisco-to-Cisco is really good. 

Cisco integration with other products depends on the product and what you're trying to get out of it. Most of it we have to send through different SIEMs to actually get usable data between the two product lines. It depends on what we're doing. Every scenario's a little different.

As for automated policy application and enforcement, we actually bought a couple of other tools to do that for us instead. We're getting into Tufin software to do automations, because it seems like they have a little bit better interface, once they pull the Cisco information in.

Overall — and I don't want to get too full of Cisco because everyone's vulnerable in a way — we've had very few issues, even when a lot of these Zero-days are attacking cities and organizations, and there are ransomware attacks as well. We've seen items like that hit our network, but not have any effect on it, due to a lot of the Cisco security that's in place. It has been very strong in helping us detect and prevent all of that. Overall, it's given us a certain comfort level, which is both good and bad. It's good because we haven't run into the issues, but it's bad in the sense that our organization, a lot of times, takes it for granted because we haven't run into issues. They tend to overlook security at times.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Dave Cooper
Network Engineer at CoVantage Credit Union
Real User
For any internet-related event, it's saving us hours of time

Pros and Cons

  • "Once you add Firepower onto it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering."
  • "In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth."

How has it helped my organization?

It's hard to judge how much time it saves our organization because it's doing things you don't realize. For example, when it's blocking web advertisements, when it's blocking phishing, when it's blocking geolocation, the time it saves is because of the things you might have had to deal with that, now, you don't. Any time we have some kind of internet-related event, it's definitely going to take us hours' worth of time. We have to do an investigation, we have to report on it, we have to write something up. By protecting our environment it probably saves our security analysts a fair number of hours during the week.

What is most valuable?

It's the brick wall that keeps us from the bad guys. It does a lot of things. In the beginning when you just have a firewall, of course, it's your NAT and it's your Access Control List. It's the thing that allows traffic in and out. There is some routing involved in that too. But once you add Firepower onto it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering.

We used to do some web filtering on the Firepower but we moved into Umbrella once we started. We do use Firepower for one piece of web filtering because Umbrella has yet to provide it: advertisement blocking. We don't allow our end-users to go into advertisements. If they're going to go to a site, they have to know what the site is, not just try to hit some kind of Google ad to get to it because those can be dangerous.

What needs improvement?

In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth. It's definitely usable, though. You can get a lot of good information out of it.

It's hard to stay on the bleeding edge on firewalls because you have to be careful with how they integrate with Firepower. If you update one you have to update the other. They definitely have some documentation that says if you're at this version you can go to this version of Firepower, but you need to be careful with that.

For how long have I used the solution?

We've been using Firepower for two to three years.

What do I think about the stability of the solution?

It's pretty stable. There are times where I'll get an email saying a process has stopped. But a few seconds later, they'll say it restarted it on its own. It's hardy enough that if it is having problems, it's bringing things back up. For the most part, it's been very reliable.

It's been really good. And even so, if I've had to reboot the actual appliance, I'll bring it back up and it's good to go.

What do I think about the scalability of the solution?

We haven't hit that issue of scalability. We have increased the amount of traffic through it and it's handled it, but I think that's also a product of the ASA as well. If the ASA is going to choke, Firepower is going to choke as well.

We're going to be bringing in two new firewalls, as early as the fourth quarter or first quarter of 2020, and those are going to be pure FTD appliances. We'll probably be using those a little bit more extensively. I don't think we're going to be using the SSL portion, but we'll probably have the IDS/IPS, and we'll probably have the AMP turned on. That's because with the endpoints, we're not sure if we're going to be able to install an antivirus, so we can at least watch that. We'll probably use most of the suite on it.

How are customer service and support?

I've always liked Cisco support. We're a pretty big Cisco shop, so you're not going to hear a lot of complaints from me about support. And not only that, but if I do have a problem with Cisco support, we get ahold of somebody - our customer-success people and the salespeople from Cisco who are focused on our organization - and we get help. It's very good.

Sometimes, I'll have to contact the first tier of tech support. I'll still open up a case. But in case that, for whatever reason, is not going to our satisfaction, at least we have a chain of command we can go through and talk to some different people. We might get it escalated if we're just not getting something fixed on time. But Cisco has very top-notch support.

Which solution did I use previously and why did I switch?

We've been with Cisco and haven't had anything else yet. We haven't had a desire to move in a different direction. We've stayed with it because of how good it is.

We were initially introduced to Firepower by a consultant. At that time, it was for the web filtering because the web filtering we had was awful. We were using Sophos. Without getting too derogatory, it was just awful. There was no alerting and it was very hard to manage, whereas this is really easy to manage. With Cisco, it was very easy to set up content groups, to allow some users to get to some stuff and other users to not get to it. That's where it really started. There weren't any pros to Sophos that weren't in Firepower. We got rid of Sophos.

How was the initial setup?

Our organization is a big believer in training, so I attended a five-day class on this. From that, I was able to set it up pretty easily.

We have a virtual appliance. Once it actually installs and we set IPs and got some of the base set up, it was done within about a day. But the time it takes will depend. We're not an organization that has 10,000 users. We're probably a medium enterprise, of about 400+ users, rather than a large enterprise, so our ruleset is comparatively small. As a result, it didn't take me as long as it might for some, a total of two or three days, and that's even with fine-tuning. But because we're still using the ASA and the ASDM, we still have those rules in the firewall. We're not really at the FTD point where all the rules are in there. If we were, to migrate it would probably take some time.

For me, it was relatively simple because of the valuable training I had. There are some good resources online, don't get me wrong. It was just nice to be able to do something hands-on at a place, in training, and then come back and be able to do it.

The neat thing is that the gentleman who taught us, instead of just teaching us the material from a book or even, "This is how you can pass the Firepower test," taught us how he would go into a Fortune 100 and set up an organization. I had almost a step-by-step lesson on how to keep going through the configurations to get to a finished product.

With a firewall, you're always coming back to it to tweak it a little bit. You might find, "Oh, I'm not getting the logging a lot," or, "Oh boy, this rule is doing this, but maybe I want to tighten it down a little bit more." But to get the base configuration, to get the objects in, it takes about a couple of days. At that point, you can at least have traffic going through it. You may not be blocking anything, but you can be monitoring things.

What about the implementation team?

It was just me.

What was our ROI?

The return on investment would be the fact that I'm just not spending a lot of time either searching for things or trying to stop what's coming in and out of our network. The return on investment is the time I would have to spend during the day looking at things versus it proactively doing its job.

What's my experience with pricing, setup cost, and licensing?

We're going to get to a point, not this year and not the coming year, probably going into 2021, where we're going to want to replace the ASA appliances with either virtuals or actual physicals. But the Firepower series of appliances is not cheap.

I just got a quote recently for six firewalls that was in the range of over half-a-million dollars. That's what could push us to look to other vendors, if the price tag is just so up there. I'm using these words "fictitiously," but if it's going to be outlandish, as a customer, we would have to do our due diligence and look at other solutions at that point.

In addition to that cost, there are licensing fees for some of the individual things like AMP, the IPS/IDS piece. It depends on what you want to use, such as the SSL piece and the VPN piece, which we don't use.

Which other solutions did I evaluate?

We haven't evaluated any other options. The only thing that may ever force us in that direction would be cost. Only if the cost of the solution got so large would we have to look at something comparable.

What other advice do I have?

The neat part about this is how Cisco continues to evolve its product line and help us stay secure, while still doing our day-to-day business.

My advice would depend on how you want to use it. What are you looking for Firepower to do?

Firepower added features that, until we introduced it into our environment, we could not have done. We probably could have added a third-party product but we would hate to keep doing all that. It's nice to be able to have our products from the same organization because then, if something's really wrong, we can talk to the same organization as we're trying to troubleshoot something through our environment. We use Cisco switches, Cisco routers, we use ISE, and Umbrella. We have a lot of products through Cisco.

We use the ACLs. We use the intrusion side, just to watch traffic. We have used the malware and have actually caught stuff in there. We do have a DNS policy so that at least we can check to make sure someone's not going to a bogus site; things can get blocked for that, but Umbrella is really good at what it does. We also have it connected to our Active Directory so I can see which users are going where, and that is valuable. But I can also see that in Umbrella, so there's some overlap.

For managing the solution it's me and at least one other person. I'm the primary resource on it.

We used to use AMP for endpoints through the Firepower but we decided to discontinue that. We have AMP on all our endpoints but with all the other things we have, such as Umbrella, we were satisfied enough with the security we have. We didn't want two different things possibly stopping files instead of having one console area to be able to see those kinds of things.

Overall, I would rate Firepower at eight out of ten. Every product can improve. But for what we're looking to do, it does a very good job.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
ON
Managing Director at Fasp
Real User
User-friendly, easily managed, and scalable

Pros and Cons

  • "The most valuable feature of the Firepower solution is FireSIGHT, which can be easily managed and is user-friendly."
  • "I would like to see the inclusion of more advanced antivirus features in the next release of this solution."

What is our primary use case?

We are a reseller and system integrator, and this is one of the solutions that we provide for our end users. We have experience with many firewall products from different vendors.

The specific use case depends on the customer and their environment. They design the firewalls, and we supply the appropriate equipment.

The majority of deployments are on private networks.

What is most valuable?

The most valuable feature of the Firepower solution is FireSIGHT, which can be easily managed and is user-friendly.

What needs improvement?

The performance and the level of throughput need to be improved. This would make things easier for us.

I would like to see the inclusion of more advanced antivirus features in the next release of this solution.

Adding internet accounting features would also be a good improvement.

What do I think about the stability of the solution?

This solution is completely stable, and we have not had any issues.

What do I think about the scalability of the solution?

Scalability of this solution is ok. They have the IPS (Intrusion Prevention System), online updates, and signature updates.

One customer might have, for example, two hundred and fifty users, whereas another might have one hundred users. There are different models for different numbers of end-users.

How are customer service and technical support?

Technical support is ok, and we have had no problem with them.

How was the initial setup?

The initial setup of this solution is straightforward.

What's my experience with pricing, setup cost, and licensing?

The price of this solution is not good or bad. It is ok.

What other advice do I have?

This is a solution that I recommend.

The biggest lesson that I have learned from working with this solution is to always update the firewall. If you do not have the latest updates then it will not function well, so always keep it up to date.

I would rate this solution an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
YS
Senior Network Support & Presales Engineer at a tech services company with 51-200 employees
Real User
Offers an easy way to manage the devices centrally but not all of its features are supported

Pros and Cons

  • "I like the way Firepower presents the data. It gives you two classifications for the evidence, something based on the priority of the evidence and another classification based on the impact of the evidence in your environment. This makes it very easy to spot the evidence that is most impactful to my environment. Instead of having to go through all the evidence based on that priority, I can focus on the evidence that has the most impact on my environment."
  • "Also, they have a Firepower source file that I can work on the ASA device and on Firepower devices. A problem here lies in the way that you manage these devices. Some devices do not support the FMC, and some devices have to be managed through ASDM, and others have to be managed through FMC."

How has it helped my organization?

A lot of companies have a lot of vulnerabilities and lots of exploitations that are going inside their network that the IT staff are not aware of. You actually need a security device like a next-generation firewall to protect your network.

Once we installed the Firepower system, we started looking at the evidence, and we found a lot of exploitations and a lot of bad things that are in the network. These things were invisible to IT, they were unaware of any of them.

What is most valuable?

The Firepower Management Center is an easy way to manage the devices centrally. I guess this is something that all vendors provide so it's nothing special. I like the way Firepower presents the data. It gives you two classifications for the evidence, something based on the priority of the evidence and another classification based on the impact of the evidence in your environment. This makes it very easy to spot the evidence that is most impactful to my environment. Instead of having to go through all the evidence based on that priority, I can focus on the evidence that has the most impact on my environment.

Sometimes you might have a high priority event but it has nothing to do with your environment. You have a vulnerability. You don't have to treat a vulnerability as an attack. Since you're not vulnerable, it's not impactful to your environment so you don't have to focus on it. This is something that other products don't provide. 

It is very flexible. You can have the next generation firewall work as a physical connection or as a Layer 2 device. You can have a combination of Layer 2 and Layer 3, which is really good. 

What needs improvement?

There are quite a few things that can be improved. Firepower is an acquisition from another company; Cisco's trying to put it together. Their previous ASA code with the Sourcefire code that they acquired a few years ago still has some features that are not fully supported.

Also, they have a Firepower source file that I can work on the ASA device and on Firepower devices. A problem here lies in the way that you manage these devices. Some devices do not support the FMC, and some devices have to be managed through ASDM, and others have to be managed through FMC.

Most of the high-end devices do not support Onboard management. The Onboard management is only supported on the 2100 IP at the 1050 Firepower and on select ASA devices that bear the Firepower image.

It would be very nice if the Onboard management integrated with all the devices. Log key loading for the evidence at the logs, because clearly you only have loading on the remote on the FMP, you cannot store the logs located on the device.

For how long have I used the solution?

I have been using this solution for around two years.

What do I think about the scalability of the solution?

We have several thousand employees at the company.

How are customer service and technical support?

Their technical support is good. 

How was the initial setup?

The initial setup was straightforward. 

What's my experience with pricing, setup cost, and licensing?

The pricing is overrated. Prices for Cisco equipment are always a little bit higher than other vendors. Customers are always complaining about the high prices of Cisco equipment, so it would be very good if these prices can be lowered down, but that's how it is. Cisco equipment usually has higher prices than its competitors.

What other advice do I have?

I would recommend this solution to someone considering it. I would recommend to study and know what the requirements are exactly. One of the things that might be a problem, or might be a complex thing to do is to go through Cisco Firepower, because Firepower is software that's complex to explain to somebody. There is the previous ASA code that Cisco had and there is the Sourcefire code that they acquired. Cisco started to send it as ASA Firepower services. Then they combined the two codes together and they started to send a new code called the Firepower Threat Defense, FTD.

Any customer who wants to buy it needs to understand all of these options and what the limitations of each option are, the pros and cons. Any customer who wants to deploy Firepower needs to understand what Cisco has to offer so he can choose correctly.

I would rate it a seven out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Al Faruq Ibna Nazim
Head of Technology at BDPEER Ltd.
Real User
Enables us to monitor and confirm all of the traffic coming in or going out of our network

Pros and Cons

  • "Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching."
  • "One feature lacking is superior anti-virus protection, which must be added."

What is our primary use case?

Cisco has a new general firewall: the Firepower NGFW. If you take a look at the Cisco Firepower product line, they have three models available:

  1. A low-scale model: the 2000 series
  2. A high-end model: the 4000 series
  3. The carrier-grade model: the 9000 series

We have already used the 4000 and 2000 series over here. We've been using this solution in Bangladesh for some customers over the last eight months. 

We've been using FPR 2110, 2120, 2130, & 2140. We also employ the FPR 4130 and 4140. We have been using this equipment on our last few projects. We used it as a transfer and for firewalling. The most recent one we are using for firewall support as well.

How has it helped my organization?

I have a two-part business. First, we provide solution services as a vendor for multiple customers working as a consulting firm. I'm providing multiple customers with support on-premises for Cisco products right now.

We are not able to use these products internally in our company. The second part of the business is my status or core business which is basically operating as a software solution provider.

I have personally engineered these Cisco firewall solutions for clients. When we implemented it, it was easy. We have to maintain high-end abilities in order to ensure the availability of high-end support for the clients. I generally have to look at everything. Later on, we were able to upgrade the Cisco Firepower NGFW easily. We were able to connect from the beginning to implement the complete number of files in the system. 

What is most valuable?

Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching.

I would say the Cisco Firepower NGFW actually gives superior intelligent behavior to transfer its active/passive infrastructure. Overall, Cisco Firepower NGFW has been a good power element in our systems due to its central location.

What needs improvement?

I would say when Cisco is selling something called a firewall, they put a lot of services together to make a single box solution. When a company develops a firewall, they need to develop certain features like intrusion control and offer it pre-loaded in the product. 

On the mix of projects that I am responsible for, I feel comfortable using the Cisco firewall for management. One feature lacking is superior anti-virus protection, which must be added.

I have to say I am very proud of the Cisco Firepower 41400 as it can give you multiple layers of four-degree connectivity in operations. 

We do not use the Cisco 9000, but even the lower level firewalls are pretty expensive, considering the features and software included.

In summary, we would like Cisco to provide more features inside regarding network trafficking forecasting. Ideally, the belief is that this would add an immediate resolution.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

So far we haven't encountered any stability problems. You should have a lot of patches to apply to update the firmware. You can understand the firewall in less than a week.

We had some fraud introduced with our last box when Cisco produced an upgrade. The updated policy agreement was based on the wrong purchase date information. 

The faster integration that is available in our region is pretty smooth for the Cisco firewall right now. I haven't found that much of a limitation to any service. 

I used to have a lot of issues with firewall support. Now, I keep a good state of mind with Cisco. I can expect my capabilities going out of range eventually if we don't upgrade. 

Cisco has its own cloud platform. I am able to see a single dashboard with all of my firewall activities and network performance under diagnostics, which is really helping us out.

What do I think about the scalability of the solution?

I would put the Cisco Firepower NGFW firewall into Transport mode, as you can do with most firewall systems for scalability. We used to have about 60% of our users on hold during six-week events. We still have certain problems without a firewall, but these days with the Cisco Firepower, we have over 80% of the load working.

As the customer integrator for enterprise contracts, we've been able to introduce Cisco Firepower to around 10 of our new customers in Bangladesh. At least 50 of the previous Cisco customers are still using the firewall solution right now under our support.

These are enterprise customers who require Cisco firewall support. We used to have a specialty in that which is really like the holy grail in rocket science. It used to be like that but now with Cisco's enterprise user base, we offer operational system support to reduce complexity a lot. It's really easy. It's not like you have to be a specialist.

How are customer service and technical support?

In Bangladesh, we had a little issue with Cisco technical support. We run our own sidebar operations, so I am not so satisfied with Cisco customer support. 

Cisco Firepower devices have created a lot of differences with due dates over our service contract. Consequently, we don't really bother anymore with Cisco technical support. Bangladesh has a really good tech scene. That is the reason we are not that concerned about Cisco product support anymore. It's okay. We handle it on our own.

Which solution did I use previously and why did I switch?

We previously used Cisco ASA as a firewall.

How was the initial setup?

The setup with the Cisco Firepower NGFW is very easy. I have used other networking and firewall equipment previously, including Juniper. I've implemented other solutions and those were really tricky compared to Cisco.

The Cisco firewall system has eliminated all our network setup problems. Earlier when we used other products for firewalls, it was very complex to set up. Cisco firewalls from the beginning have eliminated all of the difficult parts of the initial deployment. 

All you have to do is pull your management together and communicate to your team to follow the documentation provided by Cisco. Altogether, it is easy for our team to install the Cisco firewall products.

What about the implementation team?

I did the installation myself and it took 48-50 hours, approximately, in the Transfer mode. We had a further two-hour window of augmenting and transforming the data. We were able to do that successfully. Eventually, we were able to transform the entire network setup.

What's my experience with pricing, setup cost, and licensing?

The license in my country is available to subscribe for three years or one year. We wanted to go with the solutions for embedding a two-year subscription, but this was not possible.

The Cisco licensing agreement in Bangladesh is different than the one in India and in Dubai. It is not a problem, but if you want to subscribe to the yearly subscription, the original cost is really high. Also, if you go for an anti-virus, you pay for an additional yearly subscription. 

When we push customers to implement Cisco solutions, they can manage the subscription cost of Cisco internally to access these important solutions long term. Our clients have been able to secure surprisingly efficient service with the Cisco Firepower NGFW firewall solution.

Which other solutions did I evaluate?

This fall, we evaluated firewall equipment from Juniper Networks. This is a limitation for Cisco, as their pricing is too high. The fact is when I need to install and manage an enterprise network, Cisco has the capability of having support for the IC Treadway standards. Furthermore, I can actually manage my entire enterprise network in one dashboard. 

If I bring in tech from the outside, like Palo Alto Networks equipment, that won't be able to integrate with my regular Cisco environment. 

With Cisco devices, it was easier for me to grab the assets required on the network for installation. With other solutions providers, good luck managing that with any ease.

What other advice do I have?

In my opinion, I would rather ask everyone to have a simple network. If you need multiple networking lines, like for the Cisco ASA or the Firepower NGFW, make sure you have ample tech support. 

There are many issues with connectivity in firewall systems, but Cisco quality is good. The connectivity of your network can really reduce your complexity over firewalls. 

I would suggest if you want to configure a complicated network scenario, go for a next-generation firewall. I would also suggest making your firewall options go to Cisco as they have some influential products right now. 

Once you are pushing the Cisco firewall, you'll be able to actually monitor and confirm each and every traffic coming in or going out of your network. 

Palo Alto Networks or Juniper Networks firewalls are ideal, slightly better than Cisco. They are not as easy as Cisco to use right now, but considering the cost and everything else, Juniper Networks equipment is really good. 

The fact is you need to consider just what you're achieving when you put in Cisco firewalls and implement Cisco routers.  For those on the verge of a new purchase, I would say that going for an expired model of firewall is definitely a good buy.

I would rate the Cisco Firepower NGFW with an eight out of ten points.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
OC
Network Engineer at IT Security
Real User
Supports a secure environment and has easy administration

Pros and Cons

  • "An eight because it's a good security solution. It's more mature than its competitors."
  • "The security features in the URL category need more improvement."

What is our primary use case?

Our primary use case is to support a security environment. It has performed well.

How has it helped my organization?

I am a security business consultant. I deploy this solution for our customers.

What is most valuable?

I like the easy administration.

What needs improvement?

It could use more of a system interface.

The security features in the URL category need more improvement. 

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It performs very well. 

What do I think about the scalability of the solution?

Scalability is good. 

How are customer service and technical support?

Cisco has the best technical support. 

Which solution did I use previously and why did I switch?

I worked with Check Point, but Cisco Firepower is better. It was an easy transfer to this solution. We chose Cisco because of its trustworthy reputation. They're a big, recognized brand.  

The most important criteria that we consider when evaluating a solution are performance, administration, and price.

How was the initial setup?

The initial setup was easy and simple. 

What other advice do I have?

I would rate this solution an eight out of ten. An eight because it's a good security solution. It's more mature than its competitors. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PR
Information Systems Manager at a non-profit with 1-10 employees
Real User
Top 10
Traffic comes into the house and gets filtered in and out the Firepower interface

Pros and Cons

  • "Because of the deeper inspection it provides we have better security and sections that allow users broader access."
  • "Cisco should redo their website so it's actually usable in a faster way."

What is our primary use case?

Our primary use case is for handling office traffic VPN tunnels and filtering the traffic. All the traffic comes into the house and gets filtered in and out the Firepower interface. It's performed well.

How has it helped my organization?

Because of the deeper inspection it provides we have better security and sections that allow users broader access.

What is most valuable?

With this solution, you can have an inspection of each package and see what threat level it's at. It has made the work more dynamic. We don't have to block as much as we had to in the old days.

What needs improvement?

They should develop a web interface that is actually useful. Currently, we still have an issue where you have to go in and do manual configuring by the command line if you want certain functions in it. This means that we need to find people at a higher technical level to be able to do changes in those things. It would be much easier if you had a more friendly user interface basis where you don't have to go in and do the command line off.

They should be a little bit faster sometimes in updating their threat protection. Cisco should redo their website so it's actually usable in a faster way.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

Stability is fantastic. 

What do I think about the scalability of the solution?

We are a rather small firm so we don't have much growth leads but there is a wide range of firewalls that I can expand onto. We can also set up cluster solutions. It's rather indefinite in its expandable possibilities.

How are customer service and technical support?

I've only had to use their technical support once. Otherwise, I haven't had to use them.

Which solution did I use previously and why did I switch?

We were using SonicWall before.

How was the initial setup?

The initial setup is very complex but once it's done, it's fantastic. 

What other advice do I have?

I would rate it a nine out of ten. Not a ten because of the horrible initial setup and because you can't handle all operations from one interface. You have to go back into the command line to even be able to type program language, even though you have a graphic user interface for it but it doesn't work properly.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
GZ
Data Center Architect at Fronius International
Real User
Has the full package that we're looking for but the features aren't stable enough for us to use

Pros and Cons

  • "We chose Cisco because it had the full package that we were looking for."
  • "The stability and the product features have to really be worked on."

What is our primary use case?

Our primary use case of this solution is for firewalling. 

How has it helped my organization?

We have been using Cisco for a long time, and we use Firepower to replace other systems. It hasn't really been an improvement, but there are many features we want to use in the future. We haven't seen much improvement because we only installed it a short while ago. 

What is most valuable?

It has many features but not all of them work. The features aren't stable enough for us to use them. The most valuable features are the firewalling and the deep inspection. 

What needs improvement?

The stability and the product features have to really be worked on.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability is getting better but we had some firmware issues. 

What do I think about the scalability of the solution?

The scalability is good. We have scaled it but at a normal gross so it's not very high. We have designed it for our use case and we have the option to scale but we don't use it at the moment.

Which solution did I use previously and why did I switch?

We chose Cisco because it had the full package that we were looking for. 

How was the initial setup?

The initial setup was of normal complexity. It's not straightforward, and because we started so early, the migration tools were not so good at the beginning.

What about the implementation team?

We implemented through our partner and had a good experience with them. 

What other advice do I have?

Customers should take note that the migration steps are not easy. The tools cannot solve all configurations and handle all configurations directly so you will have to do some coding by yourself. The solution is not complete at the moment but it will get better.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ali Abdo
Technical Manager at a comms service provider with 1,001-5,000 employees
Real User
Gives more visibility into what's going on when traffic comes in and goes out from the company

Pros and Cons

  • "Stability is perfect. I haven't had any problems."
  • "I would like for them to develop better integration with other security platforms."

What is our primary use case?

My primary use case for this solution is for Internet access for the enterprise or for users, publishing, email, and to protect our network.

How has it helped my organization?

Before Firepower, we didn't have any visibility about what attack was happening or what's going on from the inside to outside or the outside to inside. After Firepower and the reporting that Firepower generates, I can see what's going on: which user visits the malicious website, or which user uploaded or downloaded malicious code, and what the name of the code is and from which country. This is very useful and helpful for me to detect what's going on. It enables me to solve any problem.

What is most valuable?

They give me more visibility of what's going on when traffic comes in and goes out from the company or comes in from the outside. I can see what's going on with this traffic, which is a nice feature. I also like the malware inspection and management of the dashboard features. The management of the dashboard is different from the old Cisco Firewall. This management brings everything together into one management platform. 

What needs improvement?

I would like for them to develop better integration with other security platforms. I would also like for them to make the Cloud configuration easier. 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Stability is perfect. I haven't had any problems. 

What do I think about the scalability of the solution?

Scalability is great. We have around 1,500 users. 

How are customer service and technical support?

Their technical support is good. I opened a ticket when we did the installation. We didn't have any issues with them.

Which solution did I use previously and why did I switch?

We were previously using Cisco ASA without Firepower. We switched to Cisco Firepower because Firepower has more features, like malware inspection, and more possibilities with identity management.

How was the initial setup?

The initial setup was a little complex. We required three staff members for deployment and maintenance.

What about the implementation team?

We implemented ourselves. Deployment took around six months. 

What's my experience with pricing, setup cost, and licensing?

It's more expensive than Fortinet and Juniper. The price is high compared to other vendors. In general, for the license, it's not that expensive.

Which other solutions did I evaluate?

We also evaluated Fortinet and Juniper.

What other advice do I have?

I would advise someone considering this solution to subscribe to the URL filtering and to use malware inspection.

I would rate this solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
EE
Senior Data Scientist & Analytics at a tech services company with 11-50 employees
Real User
Supports application visibility and control, and it has great deep packet inspection

Pros and Cons

  • "The architecture of FTD is great because it has an in-depth coverage and because it uses the AVC (Application Visibility and Control) and also rate limits. Also, the architecture of fast paths is great."
  • "The license system is also good but it's not very impressive. It's a very regular licensing system. They call it a smart license which means that your device will connect to the internet. This is a little bit of a headache for some customers. It doesn't make the customer happy because most of the customers prefer not to connect their firewall or system to the internet."

What is our primary use case?

We are currently using version 6.3. Our primary use case of this solution is to put Firepower inside of the data center and at the Edge network.

How has it helped my organization?

This solution has improved my organization. I'm a solution provider and so I deploy in many different companies that are my customers right now. Before Firepower, we had some problems with the architecture of the firewall. Firepower can support two types of intelligence identity: it can support the application visibility and control, and it has a great deep inspection in the packet. Before this solution, we had some problems with malware detection. Right now, we can easily detect and filter all the applications. Before this solution, we never had any file trajectory, but right now we do, according to the file trajectory of Firepower that we have after attack solutions. 

We never had any solution or any workaround for after an attack. We never had any clue what the source of an attack was or how the attack could affect the company. Right now, because of the file trajectory and the great monitoring that FMC does, we know what's happened so we can analyze it after an attack.

What is most valuable?

The architecture of FTD is great because it has an in-depth coverage and because it uses the AVC (Application Visibility and Control) and also rate limits. Also, the architecture of fast paths is great.

What needs improvement?

I would like to see real-time log systems because it's very helpful when you want to troubleshoot.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

Stability really depends on the software that you use. If you use the suggested software that Cisco suggests, you will see a highly robust and highly stable system. A crash or block will never happen to you. It really depends on the version that you are using. Definitely check the release notes before installation.

What do I think about the scalability of the solution?

I've worked with the 2000 series, the 4000, and the 9000. The 9000 series is really impressive because it's absolutely scalable for large deployments.

How are customer service and technical support?

I haven't had to contact their technical support. 

Which solution did I use previously and why did I switch?

We previously used ASA, which is a regular firewall. We switched to Firepower because it has a lot of features. It is one of the best firewalls in the world so we shifted to Firepower.

What about the implementation team?

The time it takes to implement depends on the policy of the customer. Practically speaking, it takes around three to four hours to deploy, but it can depend because the Firepower solutions have two parts. One part is the hardware, it is an actual firewall and actual device but the monitoring system and the control system is a software called FMC. Most of the customers deploy it over VMware. The time of deployment really depends on your resources, but on average will take three to four hours.

At least two to three people with professional knowledge, around three years of experience, are needed for the deployment and maintenance, not only for Firepower but in every security solution. The device is doing something, but the most important part is analyzing it. The device can give you logs, but the engineer should analyze the log and do something.

Deployment without inspection can require only one person but if you want to analyze the IPS, at least two people will be needed.

What's my experience with pricing, setup cost, and licensing?

Based on the services that you will get, especially the AMP license, the price is very reasonable. The license system is also good but it's not very impressive. It's a very regular licensing system. They call it a smart license which means that your device will connect to the internet. This is a little bit of a headache for some customers. It doesn't make the customer happy because most of the customers prefer not to connect their firewall or system to the internet.

What other advice do I have?

I would advise someone considering this solution to just read the release notes before doing anything. You should know what the exact architecture is and what the exact details of the software are before trying to deploy it.

I would rate this solution a ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IY
Assistant Manager (Infrastructure) at SISTIC
User
It has improved the security posture and visibility of our traffic, but it could use more predefined security templates

What is our primary use case?

E-commerce environment, Enterprise data center.

How has it helped my organization?

It has improved the security posture and visibility of our traffic. It has been proven very reliable on the hardware finishing and network portion, since Cisco has been very experienced in networking.

What is most valuable?

  • Snort IPS with recommendation template
  • Extendable hardware module
  • Straightforward licensing
  • Cisco product integration

What needs improvement?

  • I would like to see more improvements made to the dashboard and UI, as well as to the reporting. The reporting is quite limited and not user friendly.
  • I would like them to consider offering more predefined security templates.
  • Technical support product knowledge, the licensing portal, and the activation process need to be improved.
  • The configuration is not straightforward. Cisco needs to improve this so the user can easily pick up the product.
  • There are more bugs than with other firewall competitors, and some bugs are quite serious.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    Yes, we found some firmware bugs and Cisco took some time to fix them. We needed to escalate the issue to the account manager to expedite the escalation process.

    What do I think about the scalability of the solution?

    No.

    How are customer service and technical support?

    A five out of 10.

    Which solution did I use previously and why did I switch?

    How was the initial setup?

    Complex in configuration and understanding. It would be very challenging for a non-Cisco trained engineer.

    What about the implementation team?

    We implemented ourselves with some assistance from the vendor. Some vendors do not have expertise in this deployment, possibly because of the complexity of the product.

    What's my experience with pricing, setup cost, and licensing?

    Base hardware costs are average. Additional hardware modules are priced higher than the base module. They also offer very clear licensing and pricing.

    Which other solutions did I evaluate?

    Check Point, FortiGate, Palo Alto, SonicWall, Huawei, and Sophos.

    What other advice do I have?

    Cisco is still a very good hardware manufacturer, but they need to catch up on the software portion. We used the Cisco product because we know they tried very hard to get back into the market and we were willing to give them a chance since we are still using a lot of Cisco products. For those who are non-Cisco trained, it would be very hard to pick up.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    NC
    Technology Associate at a financial services firm with 1-10 employees
    Real User
    The most valuable features are the IPsec VPN and web filtering. It seems very clunky and slow.

    Pros and Cons

    • "The most valuable features are the IPsec VPN and web filtering."
    • "It seems very clunky and slow. I would like to be able to tune it to be a more efficient product."
    • "I would like the ability to pick and choose different features of it to run in a packaged infrastructure or modules, therefore I would like to have more customizability over it."
    • "The use of it has really bogged down our response time for certain problems, given we have to go through AT&T for everything."

    What is our primary use case?

    Our primary use case is as a firewall and using it for web filtering. We use IPsec VPN services on it, as well as the router.

    I have been using the product for only a few months, but the company has been using it for a couple of years.

    How has it helped my organization?

    The use of it has really bogged down our response time for certain problems, given we have to go through AT&T for everything. I don't think really highly of it, though.

    What is most valuable?

    The IPsec VPN and web filtering.

    What needs improvement?

    I would like the ability to pick and choose different features of it to run in a packaged infrastructure or modules, therefore I would like to have more customizability over it. 

    It seems very clunky and slow. I would like to be able to tune it to be a more efficient product.

    For how long have I used the solution?

    Less than one year.

    What do I think about the stability of the solution?

    It has generally been okay in terms of stability. We haven't had it go down, but we do have some interruptions. I don't know if it is the ISP or the firewall. We have more frequent network disruptions, and other branches call in telling us that they are unable to use their services to do their job. Unfortunately, we can't really do anything about it. It just clears up in about five or six minutes. In terms of stability, I would give it a seven and a half out of 10.

    What do I think about the scalability of the solution?

    I don't see it being very scalable. I don't have access to the actual interface on it. However, it is an older product, so it probably doesn't have high availability features. So, its scalability is probably limited. I know that we kind of put it through the wringer with our fewer than a hundred connections into it.

    How is customer service and technical support?

    AT&T handles our technical support, since it's leased through them.

    How was the initial setup?

    I was not involved with the initial setup.

    What's my experience with pricing, setup cost, and licensing?

    We pay a lot of money for it.

    For big organizations who are used to throwing around a lot of money for absolute surety, this would probably be a good fit for them. For the average SME, this particular firewall system, as well as Cisco in general, would not be a good fit for them.

    Which other solutions did I evaluate?

    We are currently looking at WatchGuard, pfSense, and Fortinet FortiGate. Netgate would provide the hardware.

    We have still got nine months left on our contract with AT&T before we can actually do anything. We are just trying to do as much research and ask as many questions as we can before we get to that point.

    What other advice do I have?

    We just don't have a lot of the control or customizability that we would like to have over the system. A lot of this has to do with how AT&T is handling the access to it. Also, the hardware is outdated. We would like to go with a product in which everything is very transparent, clear, organized, all in the same place, and we can monitor clearly. The reason that we are looking to change is price: We pay a lot for it. If we had more control over it, we would be better able to control the quality and performance of the network and services, as well as the budget.

    The most important criteria when selecting a vendor:

    • IPsec VPN
    • Good stable connection
    • Failover support: We need to have dual-WAN, so we can get two WAN connections in there and have failover. 
    • Load balancing would be good, especially for those rough patches. 
    • Internal web filtering and blocking: We need to be able to control what our end users are looking at.
    • Monitoring: As much monitoring as we can get.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PT
    Support Engineer at a tech services company with 51-200 employees
    Reseller
    We can shift traffic, block certain content, or redirect policies

    Pros and Cons

    • "We can shift traffic, block certain content, or redirect policies."
    • "We would like to see MS Word BPM as a feature."

    What is our primary use case?

    It's primarily for managing our employees. So far, it has been working great. We don't have many problems.

    How has it helped my organization?

    It gives us all the features that we need.

    What is most valuable?

    We can shift traffic, block certain content, or redirect policies.

    What needs improvement?

    We would like to see MS Word BPM as a feature. 

    For how long have I used the solution?

    Three to five years.

    How are customer service and technical support?

    We don't use the technical support too much. It is not good, especially for Latin America. Therefore, we employ people who have skills or certifications, using them for technical support.

    Which solution did I use previously and why did I switch?

    We started with Cisco Firepower.

    How was the initial setup?

    It was a bit complex to set up. However, after some practice, it was not too difficult.

    What's my experience with pricing, setup cost, and licensing?

    It is a great solution for medium or big enterprises, not so much for small businesses, mainly due to the financial costs. Cisco Firepower is a great solution, but it is expensive compared to others that can provide similar benefits for much less.

    What other advice do I have?

    Most important criteria when selecting a vendor:

    • Quality of the product
    • Cost.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    asstmana149958
    Asst.Manager IT at a manufacturing company with 501-1,000 employees
    Real User
    Blocks threats from the application layer

    Pros and Cons

    • "The GUI is among the most valuable features."
    • "It could use a web-based portal for VPN. Earlier they had it in the ASA model, but currently they don't have it."

    What is our primary use case?

    The primary use is to block incoming threats from the internet, at the edge of the network.

    It's performing well. We check the report of blocked pages, blocked attacks, etc.

    How has it helped my organization?

    Previously, we only had a normal firewall; it was not next generation. It was not blocking many of the threats from Layer 7, the application layer. Now, this solution has IPS, an intrusion prevention system, and because of the URL filtering, it can block other malware. It seems with the cloud database and the signatures, it compares the receiving files, then it blocks the URLs, making us more secure.

    What is most valuable?

    All the features are good. The GUI is among the most valuable.

    What needs improvement?

    It is on multiple boxes so ISP load balancing, multiple network load balancing would be helpful.

    Also a web-based portal for VPN. Earlier they had it in the ASA model, but currently, they don't have it. The user needs to just click on the link so he can work.

    What do I think about the stability of the solution?

    It is quite stable, it is able to detect. But the malware part should probably be upgraded. Performance-wise it is good and it has a long life.

    What do I think about the scalability of the solution?

    It has limits. If your network is going beyond it, then you'll have to replace it with a higher model.

    How are customer service and technical support?

    Technical support is good.

    Which solution did I use previously and why did I switch?

    We have been using Cisco for a long time, various models. We had PIX, then ASA. We were quite comfortable with the performance, it never failed. But our old solution was coming to end-of-life. Also, this is able to block more threats from the application layer, etc.

    The most important criteria when selecting a vendor are 

    • reputation
    • technology
    • features
    • cost.

    How was the initial setup?

    The initial setup was a bit complex.

    What other advice do I have?

    My advice would depend on what your comfort level is. If you have already used Cisco, I would recommend this, to evaluate it at least. Evaluate it and learn how useful it is.

    It gives good performance, the technology is quite good, sufficient for our objectives, protecting our network, etc. The missing two points are because they have to make more improvements.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user886188
    Presales Engineer
    Real User
    Monitoring via the dashboard enables customers to see what is happening in the system

    Pros and Cons

      • "It's lacking one feature: VPN. Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good."

      What is our primary use case?

      The use case has been for the banking sector, for one of our banking customers. According to them, it's working perfectly.

      What is most valuable?

      Monitoring, of course - the dashboard. It enables you to see what is happening.

      What needs improvement?

      It's lacking one feature: VPN. That is a feature we're looking for. Otherwise, the new devices have very good support, and the performance is quite good.

      Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      So far, since we installed it, there have been no issues.

      What do I think about the scalability of the solution?

      In terms of scalability, it is really expensive. It is scalable, but when it comes to pricing, the upgrading is a bit high.

      How was the initial setup?

      It's not straightforward. You need to know what you're doing, you need to be trained. I don't know for other vendors whether it's the same issue, but for Cisco you have to be trained on the system.

      Which other solutions did I evaluate?

      Check Point and Fortigate. Generally, our customers choose Firepower because they've seen the system work somewhere before, and they see it is stable and working perfectly. Those are the reasons they opt for Firepower.

      What other advice do I have?

      There are other solutions, like Fortigate, which are very good solutions, and cheaper for the customer. Even the support via subscription is favorable, in terms of pricing. I would really advise the customer to do some research first and come up with the best solution for their needs.

      I rate Firepower as an eight out of 10. It is a good solution but it is expensive compared to other products, like Fortigate. Still, some of our customers do prefer Firepower over the others.

      Disclosure: My company has a business relationship with this vendor other than being a customer: Solutions provider/integrator.
      DH
      Senior Vice President at a transportation company with 51-200 employees
      Real User
      Enables securing of various network segments based on use, but there are integration issues

      What is our primary use case?

      We use it as a firewall and it has performed adequately.

      How has it helped my organization?

      It allows the securing of various network segments, based on use.

      What is most valuable?

      DMZ segmentation, and IDS and IPS.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      It is fairly stable. However, Cisco suffers from some integration issues with other products, but this product, as a standalone, is fine. There is a problem with the Cisco Catalyst Switches in terms of assembling bursts and having them interact properly with the Cisco Firepower.

      What do I think about the scalability of the solution?

      The scalability is good.

      How are customer service and technical support?

      Tech support has been good.

      Which solution did I use previously and why did I switch?

      We've been using Cisco. Prior to this it was Cisco ASA. This was the next evolution.

      When selecting a vendor it is important that they have positive industry feedback, that they are a visionary leader.

      How was the initial setup?

      I was involved in the initial set up and it was complex.

      What other advice do I have?

      I give this solution a seven out of 10. Some of the tools are still a little bit difficult to use.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Yasir Al-Musawi
      Network Security Specialist at a financial services firm with 501-1,000 employees
      Real User
      It is easy to create interfaces and routing, but the product needs real-time logs

      What is our primary use case?

      Currently used at our disaster recovery site as our internal firewall; not a lot of services are running through it. We are still going around learning how to use it.

      How has it helped my organization?

      Since we have used Firepower firewall, we are facing issues of getting real-time logs, as they are not available with the latest version.

      What is most valuable?

      It is easy to create interfaces and routing, which all can be done at the GUI level. For now, we are still going around the services and will add more in the future.

      What needs improvement?

      The product needs real-time logs to be able to monitor our services, so we can know if any of our services have been blocked via the firewall or on the application side.

      For how long have I used the solution?

      Less than one year.
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user697185
      Consultant
      Consultant
      Management Console and user profiling to define activities are key features

      Pros and Cons

      • "Management Console and user profiling to define activities."
      • "As it’s a GenX firewall, expertise for both implementation and troubleshooting the pain points can be a challenge. This could be a concern when companies are thinking about buying this product."

      How has it helped my organization?

      It’s too early to say anything about this, as it’s still under implementation.

      What is most valuable?

      Management Console and user profiling to define activities.

      What needs improvement?

      As it’s a GenX firewall, expertise for both implementation and troubleshooting the pain points can be a challenge. This could be a concern when companies are thinking about buying this product.

      For how long have I used the solution?

      Still implementing.

      What do I think about the stability of the solution?

      Yes, unexpected failure and no RCA provided by the OEM.

      What do I think about the scalability of the solution?

      Still working on this.

      How are customer service and technical support?

      Technical support from OEM is a six out of 10, as the RCA report has still not been shared to date.

      Which solution did I use previously and why did I switch?

      Check Point. We moved to Firepower as an internal firewall to manage internal access and other network load.

      How was the initial setup?

      Straightforward, two-tier setup.

      What's my experience with pricing, setup cost, and licensing?

      All our requirements which we need performed by the firewall (e.g. VPN, URL white-listing, or IP based white-listing, etc.) have separate licenses and costs.

      Which other solutions did I evaluate?

      Yes, a couple of other OEMs: Fortinet, Barracuda, etc.

      What other advice do I have?

      I rate it an eight out of 10, as it’s a new platform. Compared to Cisco ASA, it’s far better, per my usage to date.

      Make sure you have an expert resource or subscribe to OEM technical support.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Network Engineer at a tech vendor with 10,001+ employees
      Vendor
      Some of the valuable features are detecting malware and blocking blacklisted URLs.

      What is most valuable?

      Some of the valuable features are detecting malware and blocking blacklisted URLs.

      How has it helped my organization?

      It has enhanced the security in every network over time.

      What needs improvement?

      As of now, I can't find any flaws with the device or any improvement that I can suggest.

      For how long have I used the solution?

      I have been working with the device for the past two years.

      What was my experience with deployment of the solution?

      The upgrade is a bit of a pain in the neck.

      What do I think about the stability of the solution?

      There were no issues with the stability.

      What do I think about the scalability of the solution?

      Scalability has been all-star perfect.

      How are customer service and technical support?

      Customer Service:

      I would give customer service a rating of 10/10.

      Technical Support:

      I would give technical support a rating of 10/10.

      Which solution did I use previously and why did I switch?

      We have only used Cisco security devices.

      How was the initial setup?

      The setup was smooth and simple.

      What about the implementation team?

      We implemented it by ourselves and with some support from the Cisco TAC.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      AM
      IT Operation Manager
      Real User
      NGFW features software stability, quick software updates for known bugs/vulnerabilities.

      What is most valuable?

      NGFW features software stability, quick software updates for known bugs/vulnerabilities. Why no hardware reliability (see Clock Signal Component Issue -Cisco)? Because without NGFW features it is basically like a home router.

      How has it helped my organization?

      It is small, nobody knows where it is, nobody knows what it is, it works silently. So, as there is no issue, it is good for business and organization.

      What needs improvement?

      License politics, license price, precise vendor roadmap for this product.

      For how long have I used the solution?

      Two years.

      What do I think about the stability of the solution?

      Yes, FirePower is not stable, because every new software version comes with many features that cause problems. Cisco has to do it because other vendors have already added these features.

      What do I think about the scalability of the solution?

      No.

      How are customer service and technical support?

      High.

      Which solution did I use previously and why did I switch?

      3Com TippingPoint as IPS, Zyxel ZyWALL as VPN server. Cisco has good documentation and it is easy for Cisco certificated engineers.

      How was the initial setup?

      Complex, because of non-ready Firepower service software setup.

      What's my experience with pricing, setup cost, and licensing?

      The last years' experience showed that there is no full security, so why pay more. Any security vendor with a user-friendly interface, with good support, on-time updates for known vulnerabilities and reliable hardware, is acceptable for an organization.

      Which other solutions did I evaluate?

      No.

      What other advice do I have?

      Cisco's ASA product line will be replaced by Cisco FTD. And Cisco FTD software is not ready for production (lack of many basic NGFW features). So, maybe only high-performance Firepower 41xx/21xx/90xx Series is good as IPS.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.