Please share with the community what you think needs improvement with Cisco ASAv.
What are its weaknesses? What would you like to see changed in a future version?
I tried to buy licenses, but I had trouble. Their licensing is too expensive. If they can get the reporting to go into deeper detail, it would really be helpful because in order to get the reports in Cisco you have to go to look at the information that you don't necessarily need. Also, the pricing is quite high.
I would definitely say the pricing could be improved. If you're going to get the latest and greatest of this solution, it's very expensive and it's actually the reason my organization is moving away from it. I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it.
I think the visibility of the network can be improved, at least from our current setup. I do not know everything about the solution and exactly how it can be modified. Another way they can improve is their pricing. One thing I notice about the price is that it would be good if they could adapt the price to the area where a company is. West Africa is not the same as in India or in the USA and it is much more difficult to afford. If Cisco can manage this for our people it would help us implement better solutions. To upgrade to some Cisco solutions or features you have to invest resources to create the solution or pay the difference for that functionality to upgrade services or license. It is not really an all-in-one solution. So if Cisco could manage to build an all-in-one solution with most or all of the features we would be looking for in one solution, it would be better for us. For example, if you want faithful service from the company and equipment, you have to pay more just to get the solutions. If it's included it would be easier for us to deploy.
Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compare it to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.
My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination. They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA. Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA. I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough.
I would say the pricing could be improved. It's quite expensive, especially for the economy. I'd like to see more integration so that I don't need other parties for protecting my network. If I could just have ASA firewalls for perimeter protection and LAN protection, then I'm good. I don't need so many devices. I would like to see improvements for client protection.
The overall application security features can be improved. It could also use a reporting dashboard.
I don't have any experience with the price, but ASA is a comprehensive solution. In the next update of the Cisco ASAv, I would like to see them release a patch for ASAv, i.e. to put the FirePower solution into the cross-platform integration.
The user interface is old-fashioned.
There definitely is room for improvement. We found it difficult to publish an antenna plug with the ASDM. Cisco should make the interface for the firewall more simple.
* Interaction with the equipment
* Different interface with the product
* A more simple procedure in delivering policies to the equipment
* Simplified upgrade procedure
* Tracking flows
* Monitoring and logs should be easier.
We didn’t find any huge issues. Obviously, there are always vulnerabilities that come up and there was one in early 2018 but this was patched with software updates. Admin rights need to be given out carefully as they give overarching control to all devices - but that’s the same for everything.
The artificial intelligence and machine learning (behavioral based threat detection), which I can this will be coming out in another year, these are what we need now.
Even on a smaller scale, people are finding you need HA pairs, and there's no way that the ASA can do that, at least in the virtual version. We needed the ability to failover to one of the others to do maintenance, and this is a glaring issue. However, it is one of their cheaper products, so it's understandable. It is just that we would hope by now, because it has been in use in a lot of different environments, for even moderately sized companies, the ability to have HA pairs would be extremely useful.
Cisco ASA should be easier to use. It is a bit tough to navigate and see what is going on. While I like the UI and dashboards of Cisco ASA, if you compare them to Palo Alto or Fortinet, they have much richer UIs. An analyst (or anyone) can see them, and say, "I have got all these important pointers on my dashboard." However, with Cisco ASA, we need to dig into many things and go to many views to see what is actually there.