Is that true of other firewalls you have tested?
See review at http://www.itcentralstation.com/product_reviews/cisco-asa-review-by-marcelo-zamorano
Every vendor has their own perspective or approach or paradigm to security, and when you get that, things get easier from a deployment perspective.
That said, my personal feeling is that it is easier to learn and master Fortinet firewalls than Cisco firewalls (and I have some experience with both). This comment is related to the older Cisco ASAs and does not necessarily apply to the Sourcefire technology, since I have no experience with that.
Whether GUI or CLI, the Fortinet devices give more flexibility and are more intuitive to learn than Cisco's ASA devices.
In my opinion, you have to have a knowledge or background of what Cisco routers can do and their firewall capability. Cisco routers do have the capabilities of a firewall, but ASA firewalls are more robust and granular in perspective.
I would agree that they can be difficult to install and manage. Part of
the issue lies in the fact that Cisco is a router and switch company and
in my opinion, much of their incursion into the security world was
driven by a "me too" rationale. The result is that creating restrictive
policies and two-way ACLs can sometimes be tricky in the Cisco world.
Also, resource issues that result in network latency and slow
performance can be problematic.
Manufacturers like Fortinet, Juniper, Palo Alto, and SonicWall built
their firewalls from the ground up. They often augment their
performance through the use of custom ASICs, and the user interface
focuses on security rather than routing and switching paradigms. UI
development is often designed to facilitate the building of two-way
rules and policies, and logging and auditing are critical features.
My philosophy has been and continues to be to use firewalls for policy
and access control and leave routing and switching to the router and
switch manufacturers like Cisco and HP.
For the record, I have experience with Fortinet, Juniper, McAfee
(formerly Stonesoft), Palo Alto, Raptor and SonicWall.
Please let me know if there are specific features or capabilities that
you have questions about.
Cisco firewalls are routers with firewalls built onto them. Thus the ASA firewall takes some time to get used to, given the way they structure their firewalling, but if you know a lot about Cisco routers, it helps.
Each type of firewall has its quirks and once you have managed to get past that, all of them are a piece of cake.
Disclaimer: in the past years I have worked with security solutions coming from Cisco, Fortinet, Checkpoint and Websense. As a Lync expert I also had to manage many different reverse proxy solutions, sometimes integrated with a firewall and sometimes stand-alone.
To answer the question: All the security-related software and appliances (if we are talking about the ones fit for a medium or large enterprise deployment) have a steep learning curve, with no exception.
Every vendor has a custom approach, different commands, interfaces and (also) different ways to manage the same kind of threat.
An additional level of complication is due to the fact that inside a single "box" we often find tools to manage different layers of the OSI stack and different threats. So it is necessary to know not only application security, but also routing, encryption (like IPSEC) and a long list of topics.
So, for example, a real expert with Cisco firewalls will find it a little easier to learn Fortinet or CheckPoint security compared to a beginner (some basic concepts are the same everywhere), but some time on training and learning will be required anyway.
It is like jumping from a Windows O.S. to a Unix O.S.: they have similar features and are based on similar fundamentals but they are really different.
The most recent releases of security solutions try to help administrators, adding graphical UI and wizards, but my experience is that, sometimes, you have to use command lines to achieve a specific result (and this is true with a large number of vendors).
And, as I said, command lines vary a lot, and this makes the work more difficult.
Which is better and why?