Most Helpful Review
Researched FireMon but chose Cisco Defense Orchestrator: The rule usage is a nice feature, but we have problems with it staying in sync when logging into the device
Find out what your peers are saying about Cisco Defense Orchestrator vs. FireMon and other solutions. Updated: March 2020.
We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
We use a lot of image upgrades. We take some 20 devices and then we update everything at once, including the policies. We apply policies for groups. For certain groups, like anti-viruses, we send out policies and apply them to every single device. It's really easy and simple.
If our server is blocked, this solution shows us why it is blocked and allows us to update the network routing.
The bulk changes feature is definitely the most valuable.
The initial setup was straightforward. We spun up the VM onsite. We generated the key that it needed to talk to the Cloud Orchestrator. After that, as I started adding devices, it was relatively quick and easy.
The ability to see the uptimes on the different VPNs that we have configured for site-to-site.
If we have a firewall go down, I can hop into CDO, pull the latest configuration off and apply it. That's really good. It helps save time.
We have quite a few active/standby pairs. If they fail over... I'll see that there's a change on it and I'll have a look. The only change on it is that now this one is the standby, it took over the active role. I can go into that firewall and find out what happened... and troubleshoot based on that. That's pretty cool too.
I like the upgrade feature. That is pretty valuable to me because I have dual ASAs and when I go through CDO it does it for me pretty well. It's all done in the back-end and I don't really have to be involved. I just initiate, pick the image, and I pick when I want it done and it just does it, whether I have a single ASA or have a dual ASA.
It gives us the ability to go to one place to look for potential firewall rules that are inappropriate, or which don't meet compliance. Instead of manually searching hundreds of firewalls for a policy, we can go to this one location and find the rules which are now out of compliance.
It is the single place where we go to review all of our firewall changes. The solution makes it easier for us to track all the changes made. It is a central place where we can look at all the firewall rules, because we have three different firewall vendors. It saves us time and creates efficiencies by looking at the general picture.
The most valuable feature is the reporting capability because everything that we do is a result of our being able to query a report, based on our environment and our PCI compliance efforts.
The Security Manager part of FireMon... gives me an eye on everything that's out there, everything that I cannot see. Because I'm not a network admin, I cannot go to a firewall itself, but at least I have FireMon so that I can go in and view everything that I want to view. And I can eliminate whatever I see that is wrong,
It provides us with a single pane of glass for our on-prem environment, to see configuration. We have not implemented into the cloud yet. We can search for an object group and see where it lives on any firewall in the enterprise or find security rules, no matter what firewall they're on.
The most valuable features are Policy Optimizer and Firewall Manager for different brands of firewall.
CDO doesn't have a report, an official report that I can check daily. It has another module called FTD, but it doesn't have that specifically for ASA. In the reporting, there are a lot of things that aren't there. There is also room for improvement in the daily monitoring.
The dashboard needs to be more customizable to provide better reporting for our network.
It should have more features to manage FirePOWER appliances.
When logging into the device, we sort of had problems with it staying in sync. If somebody made a change onsite, it wouldn't do an automatic sync. It would have to wait, as you would have to do a manual sync up.
I'd like CDO to be the one-stop-shop where we could do all the configurations easily. It would be nice, for ASA upgrades, if we could do them from a central repository and not have to reach out to Cisco. That would be a definite plus.
The main thing that would be useful for us would be the logging and monitoring. I have to check it out, to get the beta, because I don't have access to them... I wanted CDO to be a central place so where I could do everything but right now I don't think that's possible. I really don't want to go back and forth between this and FMC. Maybe the logging portion, when I look at it, will give me some similarities.
I've found dozens of bugs over the year we've been using it. The more I use it for different things, the more problems I find... Most of the problems have to do with the user interface. A lot of thought and work has gone into the back-end component to make the product do what it's intended to do, but the way it is presented for use hasn't gotten nearly as much thought to make it smart and bug-free.
There could be some slight improvements to navigation. In some of the navigation you've got to go back to be able to get into where you need to be once you've made a change. If I make a change, I've then got to go back to submit and send the change.
The AWS integration is still not mature for us to use. It is just not ready for our use case for AWS connectivity. Therefore, it does not provide us with a single pane of glass for our cloud environments, because we can't manage our cloud environment with the tool.
The stability has been fairly decent, but there have been a few issues. My coworker has had some issues in the past where he has had to work with support.
The current health and monitoring of the devices is atrocious... Imagine you have a list of 200 devices, and you can grade each of those devices as either green, yellow, or red. However, there might be three different reasons for you to go to red, or eight different reasons to go to yellow, and all of those things could be combined... Out of all those categories, I only find one or two of them that are, perhaps, pertinent.
We're working on implementing FireMon with our ticketing system service now. Having that would be an improvement.
Some of the core functionality in our environment doesn't seem to work. We will get buggy code releases. They need to work on their Q&A of every code release.
We are looking for more integration with SIEM and other tools.
Pricing and Cost Advice
It is covered under the Cisco Enterprise License Agreement (ELA). So, it is licensed and ours.
After our free trial was done we got a subscription for three years and it was under $3,000 or so. It's part of the EA we already paid for, so I don't know what it would be if it was a la carte.
It's around £500 per unit for a three-year license.
It is about $100 per year for an ASA 5506 firewall, and from there it keeps going up if you have a bigger box. For example, the 5516 is $200 to $300 per year.
We don't license all of the devices in our network, so it does not provide us with a comprehensive visibility of all devices in a hybrid network at this time.
We pay for it yearly.
Regarding additional costs, if you want things like Policy Optimizer, extra features, that's extra.
The pricing is very good, very straightforward. It also came in cheaper than AlgoSec and Tufin.
Cisco Defense Orchestrator is a cloud-based policy management solution to drive simple and consistent security policy across multiple Cisco security platforms.
FireMon is the No.1 provider of Intelligent Security Management solutions worldwide, combining advanced benchmarking, simulation, and analysis to deliver next generation security intelligence. Since creating the first-ever network security management solution 15 years ago, FireMon solutions have continued to deliver visibility into and control over complex network security infrastructure, policies, and risk to over 1,500 customers around the world. Using the FireMon Intelligent Security Management platform, today’s leading enterprise organizations, government agencies and managed security providers have dramatically improved effectiveness of network defenses, accelerating business agility and optimizing return on investment. For more information or a free 30-day trial, visit www.firemon.com.
Insurance Company of British Columbia, Shawmut
Information Not Available
Comms Service Provider 39%
Software R&D Company 23%
Financial Services Firm 31%
Comms Service Provider 8%
Software R&D Company 33%
Comms Service Provider 13%
Financial Services Firm 7%