Please share with the community what you think needs improvement with Cisco ASA NGFW.
What are its weaknesses? What would you like to see changed in a future version?
Cisco needs to work more on the security and tech parts. Palo Alto gives a complete solution. Customers are very happy to go with Cisco because they have been around a long time. But that's why we are expecting from Cisco to give us a solution like Palo Alto, a complete solution. Cisco provides us with application visibility and control, although it's not a complete solution compared to other vendors. Cisco needs to work on the application behavior side of things, in particular when it comes to the behavior of SSL traffic. There is a focus on SSL traffic, encrypted traffic. Cisco firewalls are not powerful enough to check the behavior of SSL traffic. Encrypted traffic is a priority for our company. In addition, while Cisco Talos is good, compared to the market, they need to work on it. If there is an attack, Talos updates the IP address, which is good. But with Palo Alto, and possibly other vendors, if there is an attack or there is unknown traffic, they are dealing with the signature within five minutes. Talos is the worst around what an attacker is doing in terms of updating bad IPs. It is slower than other vendors. Also, Cisco's various offerings are separate. We want to see a one-product, one-box solution from Cisco.
We've seen, for a while, that the upcoming revisions are not supported on some of 5506 firewalls, which had some impact on our environment as some of our remote sites, with a handful of users, have them. We were also not too thrilled when Cisco announced that in the upcoming new-gen ASA, iOS was not going to be supported, or if you install them, they will not be able to be managed through the Sourcefire. However, it seems like Cisco is moving away from the ASA iOS to the Sourcefire FireSIGHT firmware for the ASA. We haven't had a chance to test it out. I would like to test it out and see what kind of improvements in performance it has, or at least what capabilities the Sourcefire FireSIGHT firmware is on the ASA and how well it works.
One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has ways to go, as far as being able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things that not only we at Orvis, but other people, are requesting and saying should be done and are needed. In addition, if pushing policy could take a little less time — it takes about five minutes — that would be good. That's something they're working on. Finally, our latest experience with a code upgrade included a number of bugs and issues that we ran into. So more testing with their code, before it hits us, would help.
The software was very buggy, to the point it had to be removed. We are moving completely away from Cisco NGFW. The product was pushed out before it was ready.
In NGFW, Cisco should be aligned with the new technology and inspection intelligence because Cisco is far behind in this pipeline. Nowadays IoT, Big Data, AI, Robotics, etc. are all evolving and shifting from automatic to intelligent. All brands that do not follow will be extinct.
Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.
The firewall throughput is limited to something like 1.2 Gbps, but sometimes we require more. Cisco makes another product, Firepower Threat Defence (FTD), which is a dedicated appliance that can achieve more than ten or twenty gigabits per second in terms of throughput. I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved.
When comparing this solution to other products, the Fortinet UTM bundle has some better features in their most receive product. For example, there are better configuration features, the Sandbox is better, and so is the web censoring. These are currently in the Cisco solution, but they are better in Fortinet. The Sandbox and the Web Censoring in this solution need to be improved. This solution has to be more secure from the cloud. The current trend is moving towards private cloud and hybrid cloud, so it is very important to consider the cloud security aspects when the solution is installed. This includes things such as IoT and the existence of user connectivity on the cloud.
The FMC could be a little bit faster. It will be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.
The program is very expensive.
I would like for the user interface to be easier for the admin and network admin. I would also like to be able to access everything from the GUI interface. The way it is now, it needs somebody experience in iOS to be able to operate it. I would like to have a GUI interface. It should have integrated licenses with our other products. There should be a license bundle, like for firewalls and iOS. It would be better if it was a bundled license.
I'm not really sure that much has to be improved. Compared to other firewall solutions probably the thing that could be improved is the interface — the GUI. Other than that I don't think there is anything else that could be better. I think it is a great product.
I see room for improvement when it comes to integrating all the devices into a central management system. Cisco doesn't provide this, but there are some good products in the market that can provide it. Apart from the cost, I think Cisco is quite well-positioned in the market. Also, in terms of site capabilities, other companies are still in the lead. The price, integration, and licensing models are quite odd.
There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.
There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue. Some of the features should be baked-in by default.
The inclusion of an autofill feature would improve the ease of commands. This solution would benefit from being more cost-effective.
One way the product could be improved is if you could monitor more than one rule at a time. We only have the option to have one monitor window up at a time if you're trying to troubleshoot something you end up switching back-and-forth and don't get the bigger picture all at once. It's reliable and it does its job. It gives you the freedom to do other things while you get indications of any issues. The multi-monitor would be a huge improvement. I'd definitely recommend the product. Even when you set it up for the first night, it definitely will tell you the status of the network. The important part in the setup is following the instructions to get it going.
The service could use a little more web filtering. If I compare it to Cyberoam, Cyberoam has more the web filtering, so if you want to block a website, it's easier in other solutions than in Cisco. I think in Cisco it's more complicated to do that, in my opinion. It could also use a better web interface because sometimes it's complicated. The interface sometimes is not easy to understand, so maybe a better interface and better documentation.
The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground-on-up.
The product would be improved if the GUI could be brought into the 21st Century.
Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.
We installed a Cisco path a month ago. There was a new update for the Cisco firewall and there were security issues. We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco. I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense. There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products. Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall. The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.
The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable. The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.
With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management. For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.
If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own. I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to login into the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.
It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement. Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems. It should have multiple features available in single product, e.g., URL filtering and a replication firewall.
The two areas that need improvement are the URL filtering and content filtering features. These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.
Some of the features, like the stability, need to be improved.
The phishing emails could be improved.
In terms of next-generation capabilities, Cisco is a little behind. It is way behind leaders like Palo Alto, Check Point and Fortinet. While Cisco is headed in the right direction, it will take several years for it to get there.
It needs improvement as a "Next-Generation" firewall solution. In addition, it needs to be more user-friendly.
I think that there should be better security of other firewall appliances. Migration is another main issue. If you migrate from the ASA to the new Fire Power Threat Defense appliance, it is not an easy migration. You have to do some of the migration manually, and if you are relacing those firewalls it will take a long time. It should be a smoother migration process. Some of the new engineers are still not familiar with it, and I think that Cisco should rehire some of the engineers coming from Sourcefire to do so.
More intuitive support for SIP services are needed. This took a long time to configure properly for the user.
I think the room for improvement of this solution is that there is a need for more of an application awareness capability. I just don't think it has the application awareness. It obviously looks at ports and what not, but it is not necessarily able to identify applications by their action, and what they're doing.
It is a secure product. But, it is not very easy to configure. You need to be knowledgeable to be able to manage it. In addition, due to changes in management, we found Cisco slightly behind some of the competitors in the market. Furthermore, the internet protection system seems to be lacking, in comparison to some of the competitors. This is why we are currently looking at other possible solutions.
At times the product is sluggish and slow. Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is.
If there is old hardware, or old appliances, it does not necessarily work with the new Cisco generation firewalls.
The only con that I have really seen with it is the reporting structure. FirePOWER is good. It has been a great help because, before that, it was not good at all.
We are looking for software taxi capabilities.
The solution that we have right now doesn't do what I want it to do. We don't have a ratified solution for all the things that I wanted to right across our business. We're doing similar functions using different technology and I want ratification. I want to be able to do more than what we are currently able to do with the existing service, all under the umbrella of improving security.
* Simplify licensing * Do not combine the IPS module with the main operating system. * In new products, leave the CLI.
Intrusion prevention, we currently need to apply deep bracket inspection manually to use web filtering.
Multiple WAN connections: Even though you can implement more than one interface to outside connections, it is lacking on load balances, etc.
* It is confusing to have two management interfaces, e.g., ASDM and Firepower Management Center. It would be nice to have a Windows program instead of a virtual appliance for the Firepower Management Center. The ASA and Firepower module seem redundant, not sure which one to set the rules in, but maybe that was for backward compatibility. I am not sure that is very useful. * It is surprising that you need to have a virtual appliance for the Firepower Management Center. It is not good if you have to setup a VMware server just for it. * 10Gb interfaces should be available on more models.
I needed to be well-versed with all the command lines for Cisco ASA in order to fully utilize it. I missed this info and wasted some operational costs. I would like to advise others to please be wary from the start.
* UTM features would be nice or some NextGen features. * The ASA has become a bit old and needs updating.
The solution has two separate GUIs and at least three different CLIs (ASA CLI, Sourcefire CLI, and Firepower Management Center CLI). In addition, ASDM plus Firepower Management Center GUIs. If Cisco could stop rebranding, combine all the CLIs/GUIs, and give a consistent experience, this would be great. Also, AnyConnect is very difficult to manage and use.
The Cisco ASA device needs overall improvement, as configurations alone do not completely secure my network. The operational procedures in use on the network contribute as much to security as the configuration on devices.
Antivirus features must be integrated for end user security. They must be increased in the next version along with audit and restriction for the incoming user. Security must be increased when a new user connects over the LAN and an alarm must be generated.