A recent reviewer wrote "Cisco firewalls can be difficult at first but once learned it's fine." Is that your experience?

Is that true of other firewalls you have tested?

See review at http://www.itcentralstation.com/product_reviews/cisco-asa-review-by-marcelo-zamorano

55 Answers

author avatar
Top 20 | Popular | Consultant

Every vendor has their own perspective or approach or paradigm to security, and when you get that, things get easier from a deployment perspective.

That said, my personal feel is that it is easier to learn and master Fortinet firewalls than Cisco firewalls (and I have some experience with both). This comment is related to the older Cisco ASAs and does not necessarily apply to the Sourcefire technology, since I have no experience with that.

Whether GUI or CLI, the Fortinet devices give more flexibility and are more intuitive to learn than Cisco's ASA devices.

author avatar

In my opinion, you have to have knowledge or a background in what Cisco routers can do and their firewall capability. Cisco routers do have the capabilities of a firewall, but ASA firewalls are more robust and granular in perspective.

author avatar

I would agree that they can be difficult to install and manage. Part of
the issue lies in the fact that Cisco is a router and switch company and
in my opinion, much of their incursion into the security world was
driven by a "me too" rationale. The result is that creating restrictive
policies and two-way ACLs can sometimes be tricky in the Cisco world.
Also, resource issues that result in network latency and slow
performance can be problematic.

Manufacturers like Fortinet, Juniper, Palo Alto, and SonicWall built
their firewalls from the ground up. They often augment their
performance through the use of custom ASICs, and the user interface
focuses on security rather than routing and switching paradigms. UI
development is often designed to facilitate the building of two-way
rules and policies, and logging and auditing are critical features.

My philosophy has been and continues to be to use firewalls for policy
and access control and leave routing and switching to the router and
switch manufacturers like Cisco and HP.

For the record, I have experience with Fortinet, Juniper, McAfee
(formerly Stonesoft), Palo Alto, Raptor and SonicWall.

Please let me know if there are specific features or capabilities that
you have questions about.

Kindest regards.

author avatar


Cisco firewalls are routers with firewalls built onto them. Thus an ASA firewall takes some time getting used to, given the way they structure their firewalling, but if you know a lot about Cisco routers, it helps.

Each type of firewall has its quirks and once you have managed to get past that, all of them are a piece of cake.

author avatar
Top Reviewer | Real User

Disclaimer: in the past years I have worked with security solutions coming from Cisco, Fortinet, Checkpoint and Websense. As a Lync expert I also had to manage many different reverse proxy solutions, sometimes integrated with a firewall and sometimes stand-alone.

To answer the question: All the security related software and appliances (if we are talking about the ones fit for a medium or large enterprise deployment) have a steep learning curve, with no exception.

Every vendor has a custom approach, different commands, interfaces and (also) different ways to manage the same kind of threat.

An additional level of complication is due to the fact that inside a single "box" we often find tools to manage different layers of the OSI stack and different threats. So it is necessary to know not only application security, but also routing, encryption (like IPsec) and a long list of topics.

So, for example, a real expert with Cisco firewalls will find it a little easier to learn Fortinet or CheckPoint security compared to a beginner (some basic concepts are the same everywhere), but some time on training and learning will be required anyway.

It is like jumping from a Windows O.S. to a Unix O.S.: they have similar features and are based on similar fundamentals but they are really different.

The most recent releases of security solutions try to help administrators, adding graphical UI and wizards, but my experience is that, sometimes, you have to use command lines to achieve a specific result (and this is true with a large number of vendors).
And, as I said, command lines vary a lot, and this makes the work more difficult.
