Cisco ASA firewalls deliver enterprise-class firewall functionality with highly scalable and flexible VPN capabilities to meet diverse needs, from small/branch offices to high performance data centers and service providers. Available in a wide range of models, Cisco ASA can be deployed as a physical or virtual appliance. Flexible VPN capabilities include support for remote access, site-to-site, and clientless VPN. Also, select appliances support clustering for increased performance, VPN load balancing to optimize available resources, advanced high availability configurations, and more.
Cisco ASAv is the virtualized version of the Cisco ASA firewall. Widely deployed in leading private and public clouds, Cisco ASAv is ideal for remote worker and multi-tenant environments. The solution scales up/down to meet performance requirements and high availability provides resilience. Also, Cisco ASAv can deliver micro-segmentation to protect east-west network traffic.
Cisco firewalls provide consistent security policies, enforcement, and protection across all your environments. Unified management for Cisco ASA and FTD/NGFW physical and virtual firewalls is delivered by Cisco Defense Orchestrator (CDO), with cloud logging also available. And with Cisco SecureX included with every Cisco firewall, you gain a cloud-native platform experience that enables greater simplicity, visibility, and efficiency.
Cisco ASA Firewall is also known as Cisco Adaptive Security Appliance (ASA) Firewall, Cisco ASA NGFW, Cisco ASA, Adaptive Security Appliance, ASA, Cisco Sourcefire Firewalls, Cisco ASAv.
Updated: October 2021
There are more than one million Adaptive Security Appliances deployed globally. Top customers include First American Financial Corp., Genzyme, Frankfurt Airport, Hansgrohe SE, Rio Olympics, The French Laundry, Rackspace, and City of Tomorrow.
We had legacy Sourcefire Sensors and ASA stateful firewalls.
Cisco offered the FTD NGFW solution, but the implementation of the two systems was not successful.
The firepower sensors have been great; they do a good job of dropping unwanted traffic.
The VDB updates run on schedule, so less hands-on configuration is needed.
The software was very buggy, to the point it had to be removed.
We are moving completely away from Cisco NGFW. The product was pushed out before it was ready.
The primary use case is to protect our departments. We have sub-departments or sites categorized by the number of users and types of applications. We categorize the latter in terms of small, medium, or large. Based on that, we select a firewall in terms of throughput and the number of concurrent sessions it can handle. We then deploy the firewall with a predefined set of rules which we require for inbound and outbound traffic.
We are in operations delivery and we need to support multiple clients. We have different departments where our primary responsibility is to protect our organization's assets and data and to store them in a centralized data center. Apart from that, we have responsibility to support our clients in terms of infrastructure.
All the devices are on-premise. Nothing is on the cloud or is virtualized.
One of the most valuable features in the current version is the dashboard where we have a complete analytical view of the traffic behavior. We can immediately find anomalies.
The most important point is the detection engine which is now part of the next-generation firewalls and which is supported by Cisco Talos.
Most users do not have awareness of this product's functionality and features. Cisco should do something to make them aware of them. That would be quite excellent and useful to organizations that are still using legacy data-center-security products.
The product's stability is perfect. From my observation, the mean time to failure is once in seven years or eight years. All the hardware in the device is quite stable. I haven't seen any crashing of the operating system.
Scaling is quite easy.
On a scale of one to ten, I would evaluate Cisco support as a ten. I get support in a fraction of time. There is no problem in getting support.
Since I have worked in this organization, Cisco has been the primary product that has been deployed.
The initial setup is quite straightforward. It's quite simple, without any complexities. Whenever we find any issue during the primary phase, we reach out to the Cisco technical support team for assistance and within a short period of time we get support from them.
The most recent deployment we did took about three weeks.
In terms of deployment plan, we go with a pre-production consultation. We create a virtual model, taking into account all the rules, all the cabling, and how it should work in the environment. Once everything on the checklist and the prerequisites are in place, then we migrate the existing devices into production.
As consultants, most of the time we deploy ASA by ourselves. If there is any complexity or issue, we get in touch with a system integrator or we open a ticket with the technical support team.
There would definitely be return on investment by going with Cisco products. They are stable.
For any organization looking for a secure solution that can be deployed in their domain or infrastructure, my advice is to go with Cisco Next-Generation Firewalls because they have a complete bundle of security features. There is a single pane of glass with complete management capabilities and analytic features to understand and gather information about the traffic.
The lessons that most of our clients have learned is that in deployment it is easy to configure and it is easy to manage. It's quite stable and they do not get into difficulties in terms of day-to-day operations.
We haven't faced any problems with this product.
Compared to other OEMs, such as Juniper and Fortinet, Cisco's product is excellent. There are no bugs and I don't see any lack in terms of backend and technical support. In my opinion, at the moment, there is no room for product enhancement.
Most of the users are system administrators working on their own domains. The minimum number of users among our clients is a team of 15 to 20; we have clients with up to 700 users at the largest site.
The product is quite extensively used in each department, to protect assets and data centers. We are using the attack prevention engine and URL filtering is also used at most of our sites. We are also using it for data center connectivity and for offloading transactions.
I would rate Cisco at ten out of ten for the functionality and the features they provide.
Our primary use case for this solution is to protect data from unauthorized access.
The most valuable feature of this solution is AMP (Advanced Malware Protection), as this is really needed to protect against cyber threats.
The IPS is a must for a firewall.
The firewall throughput is limited to something like 1.2 Gbps, but sometimes we require more. Cisco makes another product, Firepower Threat Defence (FTD), which is a dedicated appliance that can achieve more than ten or twenty gigabits per second in terms of throughput.
I have found that Cisco reporting capabilities are not as rich as other products, so the reporting could be improved.
This is a reliable solution.
We started with version 5.4, but there were many releases available on the website and we were obliged to aggregate, step by step, to reach the current version.
This solution is really scalable and reliable. In my opinion, Cisco products are always scalable.
Cisco has a very good team for support. They are always available, and they give you a flexible solution. It is not just about getting a solution. We are learning, as well, when we request assistance. They also have a knowledge base that we can access in order to find resolutions for problems.
We were using the SonicWall solution prior to this one, but it reached end-of-life because we had updated our architecture. This is why we migrated to a next-generation firewall. We had also been using Fortinet FortiGate.
The initial setup of this solution was a bit complex because it was a new technology for us. We did find documentation on the vendor's website, and it also helped that we found some videos on how to do the configuration.
Our initial deployment took approximately three months because we were learning from scratch. We still had some service requests open because we could not fine-tune the solution, and ultimately it took a full year to fully deploy.
This solution is managed by the qualified people in our network engineering team.
We tried to deploy this solution by ourselves, but our team was not quite qualified to implement this solution. It was a good opportunity for us to learn about it.
We are in the process of renewing our three-year license, which costs approximately $24,000 USD for the thirty-six months. In terms of licensing, this product costs a lot, but this cost can save my assets that could be millions for my company. There is no choice.
We did have knowledge of other products, but we chose this solution because it facilitates the sharing of information with their knowledge base. It helps you learn from scratch.
My advice to anybody who is considering this solution is not to think twice about it. There are a lot of features that come with the cost. These institutions secure our network and they have to do research. The price of this solution is justified when you consider that it secures our network and protects our valuable assets.
This is a very good solution but it is not perfection.
I would rate this solution a nine out of ten.
This solution is running behind the infrastructure and behind the hypervisor itself. We have two firewalls and two nodes in the cluster environment.
This solution is suitable for both cloud and hybrid-cloud deployments. I have implemented a cloud project, and one hybrid as well. The hybrid was between a public and a local cloud.
The Cisco security rules are very strict and very strong.
I like the Cisco ASDM (Adaptive Security Device Manager), which is the configuration interface for the Cisco firewall.
When comparing this solution to other products, the Fortinet UTM bundle has some better features in their most recent product. For example, there are better configuration features, the Sandbox is better, and so is the web censoring. These are currently in the Cisco solution, but they are better in Fortinet. The Sandbox and the Web Censoring in this solution need to be improved.
This solution has to be more secure from the cloud. The current trend is moving towards private cloud and hybrid cloud, so it is very important to consider the cloud security aspects when the solution is installed. This includes things such as IoT and the existence of user connectivity on the cloud.
The stability of this solution is great. The Cisco name and hardware are enough. The product is used in tier four data centers, so it is very trusted and very dependable. If you compare Cisco to others, the high industry and high workload have gone to Cisco. Stability is very, very high.
This is a scalable solution.
In terms of the number of users, it depends on the customer. A small customer may have less than twenty users. A larger customer can be complicated by having different branches with different users and different security rules. This means that you can reach up to the hundreds.
Technical support for this solution is good. Most of the technicians are technical people that have certifications such as CCNA, CCNP, CCIE, and CCISP. I think that they are well knowledged and well educated about the Cisco culture, industry, and products.
The Cisco distributors are everywhere, even if I'm speaking about the Middle East. I can find distributors everywhere in Dubai. Here in Dubai, the support is great, including for firmware updates, and even replacing the hardware when the firewalls crash.
The initial setup of this solution is straightforward.
The deployment does not take much time. It is just a matter of installing the firewall and configuring the basic system to get it up and running. That's it.
There are, of course, different models of deployment, like deploying customers, that have to be considered. However, for the most part, deployment time is not an issue at all.
The pricing for Cisco products is higher than others, but Cisco is a very good, strong, and stable technology. If we compare Huawei or FortiGate or others then the prices are lower, but the higher Cisco price is acceptable because of the stability, trust, and reliability.
This is my first recommendation for firewalls, and my second recommendation is Fortinet FortiGate.
This is the number one firewall product that I recommend.
I would rate this solution an eight out of ten.
Our primary use case of this program is network protection.
Up until now we haven't been down due to issues with the internet connection or denial of service, so the program does what it claims to do.
The firewalls of this program protect my internet from dangerous internet sites. For us, Cisco is the number one in firewall protection. We are seeking to buy another UTM solution for band management.
The program is very expensive.
We haven't had any problems with the stability so far.
We have 500 users working on the solution and I believe it may increase, so I believe the program is scalable.
The technical support from the company is very good. They are always available when we have problems.
We did use another UTM solution before for firewall, URL and band management. We didn't switch, we just have two layers now. If we want to use Cisco for band management or URL safety, we have to pay a license fee and it is very expensive.
The initial setup was straightforward and it took the company about a day to deploy the firewalls.
The licensing is very expensive.
In the future, I would like to see friendlier configuration and only one license because everything needs a license. You need a URL license, security license, everything is based on a license. I would like to have one license that covers everything. But I am really impressed by the program and my rating is nine out of ten.
We primarily use the solution for internet access firewalls.
The solution allows you to be more agile and react faster.
The Sourcefire stuff itself is the most valuable feature. Signature detection, intrusion detection, IDS, and IPS are all very good. AMP is very useful. I like that you can put it onto devices as well. The aggregated views in FMC that you get when you're a global shop which is centralized, and then offers gateways per region. In Europe, America and APAC, you have all the data coming together in the FMC. That's quite nice.
The FMC could be a little bit faster.
It will be nice if they had what you traditionally would use a web application scanner for. If the solution could take a deeper look into HTTP and HTTPS traffic, that would be nice.
The stability of the solution is very good. We can see that it gets even better with every release.
For us, the scalability is good, because we sized everything right, right from the beginning. If you size it right, it's very good. We don't plan on adding more firewalls, unless we suddenly grow exponentially, which we're not expecting to do at this point.
We only contacted technical support during initial implementation and that was all handled by the consultant. I have a lot of other Cisco related tickets open, so we're used to the process.
I would say, however, that we're also using Meraki, and the Meraki support is way better, in my opinion.
Cisco support tends to take longer, and I mean really long given the fact that subject matter is sometimes also more complicated, so it really depends. When you compare that directly to Meraki, Meraki answers the same day, and I cannot say that about the legacy Cisco support items. I can understand that the market for the legacy service is so much bigger for Cisco, so I can see why it takes longer.
The initial setup was complex because we had to migrate old ASA firewalls. The ACLs, or rather the policies, are very different now, and way more elaborate, so that took some tweaking, and some consulting and some time.
Deployment took two months. We had to make sure that our old ACL base settings from the ASAs were correctly translated and implemented into the new FTD setups.
We used a consultant to assist with implementation.
We've looked at a few options, but we have an internal policy that says, unless noted otherwise, network equipment has to be Cisco based. We had to go with a Cisco product.
We are using the on-premises deployment model.
My advice for those considering the solution is this: if you want to migrate something, plan enough time for testing before you come over to the solution. You should also watch as many webinars as you can about that solution, or get a consultant and do a proper lab set up and go through the whole thing with them. It's definitely worthwhile, given the complexity of the whole product.
I would rate the solution nine out of ten.
Our primary use case is to protect our network from external threats. We need to keep our portal safe.
We use the public cloud model of this solution.
The most valuable feature is that it has the ability to divide the network into three parts; internal, external, and DMZ.
I would like for the user interface to be easier for the admin and network admin. I would also like to be able to access everything from the GUI interface. The way it is now, it needs somebody experienced in iOS to be able to operate it. I would like to have a GUI interface.
It should have integrated licenses with our other products. There should be a license bundle, like for firewalls and iOS. It would be better if it was a bundled license.
It's very stable.
The scalability is good. We have around 1,500 users. The users are regular end-users, network admins, technicians, etc.
We require three admins for this solution. We require five staff members for the deployment and maintenance.
It is used weekly. We do plan to increase the users.
Their technical support is good. We have a maintenance contract with them for two years and we plan to renew the contract.
The initial setup was straightforward. It took around two to three days to implement.
We used a Cisco partner for the implementation. They were knowledgeable and did a good job.
There are no additional costs to the standard licensing fees.
We don't evaluate different solutions because our infrastructure is Cisco-based. We wanted it to be homogeneous with our infrastructure.
I would advise someone considering this solution to have a technical support or maintenance contract with the vendor or a third-party to help maintain the product. Without help with maintenance, there is no value to the product.
You should have a good technician and admin support for all this product in order to maximize the value and benefits.
I would rate it an eight out of ten.
Our primary use for the solution is as a firewall. We implemented it as an IT tech solution for our accesses through Sourcefire. It provides security.
The main product in our company is dependent on Cisco as a security solution. Cisco has a great reputation in the market. We are using Cisco as our main firewall in the company because it provides the best security.
The most valuable feature is for IT security management. It is extremely valuable to protection so that is the most valuable feature.
I'm not really sure that much has to be improved. Compared to other firewall solutions probably the thing that could be improved is the interface — the GUI. Other than that I don't think there is anything else that could be better. I think it is a great product.
I believe that Cisco is one of the most stable firewall solutions. Compared to other solutions, Cisco has a better stability record than others. That's why we like it a lot.
I don't know that we have plans to scale the business on this site. But Cisco products are expandable. If we want to expand the functionality with new feature sets we can add modules. So in that way, it is a flexible and scalable solution.
We currently have 200 to 500 users who are using this solution at any time.
We have used technical support quite a bit and always contact them if we have an issue. They will always respond as soon as possible. So I think the support is great. We don't have any issue with them being unresponsive or providing bad solutions. I like to check with them on solutions sometimes and they respond as soon as possible. It saves time and helps me to be sure I am doing the right thing before I go in the wrong direction.
I don't know the exact product they were using before but I think it was just proxy. When I came to the company, the Cisco solution had already been installed, so I don't know the exact product from before.
I think the main reason why they would have switched is the stability and possibilities are better than just proxy. Cisco is very different and more powerful than the other simple products. It's very stable.
I wasn't part of the company at the time of the initial setup, and I am just performing additional tasks. We have a staff of a maximum of three or four persons so once the deployment is live it doesn't need much effort.
I'm not sure if the company has plans to increase usage and grow our responsibilities. It's not for me to decide. I think the company is growing and traffic is increasing. But my superior is the person responsible for determining when it is time to scale.
We used a consultant for the implementation. They actually continue to help a lot when we need them for something.
I don't know if the company evaluated other solutions before choosing Cisco. When I came to the company, it was already there. Cisco is a very popular enterprise solution so they may have just chosen it without other evaluations.
On a scale of one to ten with one being worst and ten being best, I would rate Cisco SourceFire Firewall as a nine. It could easily be a ten if it had a better GUI interface.
As far as making recommendations to other people about the product, I recommend they buy it if they need an enterprise solution. Also, I would recommend other Cisco solutions like Cisco AMP (Advanced Malware Protection).
I think most large companies that require strong security should always use Cisco because it's stable, scalable, and has many features. Enterprise organizations will benefit from Cisco because their business requirement will be more complicated and require a better solution and more flexibility. I think all the companies should use Cisco because it's number one in the market and has the best security, better stability, and better scalability.
We use this solution as a firewall and for the segregation of our servers from the rest of the environment.
Instead of using multiple firewalls, we only need to rely on this solution. It has a small footprint.
The most valuable features are the flexibility and level of security that this solution provides.
There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue.
Some of the features should be baked-in by default.
Stability has been pretty good, so far.
This solution is very scalable.
We have contacted technical support about an issue that we were having, and it took a very long time for them to figure it out. We were on the phone for six or seven hours with them.
We previously used an ASA 5500, and it was simply time to upgrade it. We used this solution as a direct replacement.
The initial setup of this solution is pretty straightforward.
We are not restricted to any one vendor, but this solution worked well as a direct replacement for our previous one. We considered both Juniper and FortiGate.
This is a very straightforward firewall. There is a management platform with its own operating system. Just make sure that everything is set up properly for your uplink switches because that is an issue that we ran into.
I would rate this solution a nine out of ten.
We use it as a network firewall.
For business purposes, it's a very detailed solution, which is its greatest benefit, as you can get almost any piece of information you need from the solution. It allows for admins to be able to troubleshoot pretty easily.
The solution is part of a suite. If you pay for it, it has basically a view that's called Firepower, and it's really good at being able to analyze exact bits of a pack, at the packet level, and has the ability to allow you to examine that traffic. It is really good. That's probably my favorite part of the suite.
I would definitely say the pricing could be improved. If you're going to get the latest and greatest of this solution, it's very expensive and it's actually the reason my organization is moving away from it.
I'm working on a slightly older version, but what it needs is better alert management. It's pretty standard, but there are no real advanced features involved around it.
We haven't had any major issues in regards to stability. In general, there are best practices in the industry to use. It's never really mattered because generally, with firewalls, you have two in any given location or service. They seem to be redundant of each other. So there's never been a problem where we lost functionality because of the firewall.
It's pretty scalable. Cisco is a large enterprise solution and it's designed to be able to serve large enterprise, so, it's fairly scalable. We're using the solution minimally at this point, and we're decreasing usage because it's too expensive to upgrade.
They have pretty good customer support. The solution's technical support is great.
I had not previously used another solution.
I was not with the organization when they originally rolled it out, so I can't speak to how straightforward or complex the initial setup was. There are about six people who manage the solution. We have security engineers and network engineers. If someone is trying to get an idea of how many people are required, it varies because a lot of organizations will have multiple firewalls in different locations. Six for one organization may be way more than somebody needs or way fewer than somebody needs.
We didn't use any other group for the deployment. We did all the work in-house.
My company is moving away from the solution because it is quite expensive.
We've looked at the Fortinet solution. The Fortinet FortiGate.
I would just say that it's expensive. The product is fine on its own, it's high end. It's got a high brand name attached to it. I would recommend the product, however. The product works great. It does everything it's supposed to do. There's no issues with it, no real concerns. It's just expensive.
I would rate it an eight out of 10 because it does everything it's designed to do, but it is not any better than other industry-leading solutions, and it's far more expensive.
The primary use of Cisco ASA (Adaptive Security Appliances) for us is to protect from external threats to our network as a firewall and VPN solution.
Cisco ASA serves a purpose more than it improves us. It is good at what it does. We are using other vendors and splitting the traffic to different devices based on what they do best. Even though we use other products the trend at our company is that we will increase the traffic through Cisco ASA.
It's difficult to say what features are most valuable because ASA is not a cutting-edge device. It's rather more stable and proven than modern. It's difficult to suggest adding features because with new features we are adding something new, and that means it could be less stable. New features are not the reason we use the solution — it is almost the opposite. The most valuable part of the solution is dependability.
It's already a mature and stable product. I prefer not to use the newest software — even if Cisco suggests using the newest — because this is a critical security device.
My opinion is that the new direction Cisco is taking to improve its product is not correct. They want to make the old ASA firewall into a next-generation firewall. FirePower is a next-generation firewall and they want to combine the two solutions into one device. I think that this combination — and I know that even my colleagues who work with ASA and have more experience than me agree — everybody says that it's not a good combination.
They shouldn't try to upgrade the older ASA solution from the older type Layer 4 firewall. It was not designed to be a next-generation firewall. As it is, it is good for simple purposes and it has a place in the market. If Cisco wants to offer a more sophisticated Layer 7 next-generation firewall, they should build it from scratch and not try to extend the capabilities of ASA.
Several versions ago they added support for BGP (Border Gateway Protocol). Many engineers thought that their networks needed to have BGP on ASA. It was a very good move from Cisco to add support for that option because it was desired on the market. Right now, I don't think there are other features needed and desired for ASA.
I would prefer that they do not add new features but just continue to make stable software for this equipment. For me, and for this solution, it's enough.
It is a stable solution. It is predictable when using different protocol and mechanics.
We've used several models of the product, from the smallest to the biggest. I think that this family of the ASAs is scalable enough for everything up to an enterprise environment. I think the family of products is able to handle small and large company needs.
Cisco is a well-known vendor and its support is good. In my previous company, we sometimes used a vendor rather than direct Cisco support, but sometimes we used Cisco. For ASA in my current company, we have additional support from the local vendor. If we have a problem we can also initiate a ticket directly on the Cisco support site.
About one-and-a-half years ago we implemented a different solution to handle certain situations like BGP. But when we upgraded our Cisco devices just a few months ago, we could have BGP on ASA. Now our devices from Cisco have enhanced capability, not just something new and maybe less dependable. Implementing BGP on ASA was a late addition. It had been tested, the bugs were worked out and engineers wanted the solution. The stability of ASA as an older solution is what is important.
I think it is not the simplest solution to set up because it is sophisticated equipment. For engineers to work with vendors and incorporate totally different solutions, it could be difficult. It is also different from the other Cisco devices like Cisco Router IOS. It differs in a strange way, I would say, because the syntax or CRI differs. If you are used to other OSs, it is not easy to switch to ASA because you have to learn the syntax differences.
It's common for there to be differences in syntax between vendors. But, I would say that this is more complex. The learning curve for start-up and configuration of ASA is at mid-level when it comes to the difficulty of implementation.
I did the implementation myself. ASA is not the newest solution for Cisco or the newest equipment. You can use the vendor and ask for help if you need it during the installation and for support. Because it was an older solution, it was already somewhat familiar to me.
My current company has been using ASA for quite a long time, so I was not involved in the choices.
I have been participating in choosing a new vendor and new equipment for some specific purposes as we go forward. For a next-generation firewall, Cisco's product — a combination of ASA and Firepower — is not the best solution. We are choosing a different vendor and going with Palo Alto for next-generation solutions because we feel it is better.
I think I can rate this product as an eight out of ten. A strong eight. The newest version of software and solutions often have bugs and functional problems because they have not been rigorously tested in a production environment. It is not the modern, next-generation firewall, but it solidly serves simple purposes. For simple purposes, it's the best in my opinion. I am used to its CRI (Container Runtime Interface) and its environment, so for me, familiarity and stability are the most important advantages.
We haven't deployed all the possible services from Cisco yet, but I started to research more of the ones that are available and I think Firepower will end up being the best, most valuable solution for us.
I think the visibility of the network can be improved, at least from our current setup. I do not know everything about the solution and exactly how it can be modified.
Another way they can improve is their pricing. One thing I notice about the price is that it would be good if they could adapt the price to the area where a company is. West Africa is not the same as India or the USA and it is much more difficult to afford. If Cisco can manage this for our people it would help us implement better solutions.
To upgrade to some Cisco solutions or features you have to invest resources to create the solution or pay the difference for that functionality to upgrade services or license. It is not really an all-in-one solution. So if Cisco could manage to build an all-in-one solution with most or all of the features we would be looking for in one solution, it would be better for us.
For example, if you want faithful service from the company and equipment, you have to pay more just to get the solutions. If it's included it would be easier for us to deploy.
For me it is stable. It is amongst the best products in that way.
It is a scalable solution. It may cost money and resources to scale.
I have not had direct experience with technical support for the firewall. I contacted support for the switching. For the firewall, I have not had to contact them at all.
Before I used Fortinet FortiGate. But when I moved from the previous company to this company they had a different solution. That is why I switched.
The initial setup was a little complex for me because I had been using a different solution. But how complex something is will depend on the mind of that person. For me, it was a little complex. However, it really only took one day to set it up.
Step by step, when I work with the product for a longer period of time and gain experience, it will be very easy for me.
I did the implementation by myself.
If people want to build a solid security solution for their company, I think this solution is the best but it would depend on the configuration of your company. For a good company to have a good solution for security, you can choose the Cisco firewall for that and be confident.
I think I can give that product an eight out of ten. It comes down to the user interface. It needs to be easier so that more people can quickly develop the skills to manage the product. It would be better for us right now for more people to have certification or to just develop the skills to use the product. But if Cisco made it easier and took away the need for certification, it would be easier for us to use company-wide and have more people involved.
We primarily use this solution for network security.
This product has increased the visibility in our network.
The most valuable feature of this solution is its ability to integrate vertically.
There used to be information displayed about the packets in a module called Packet Flow, but it is no longer there. In order to accomplish the same thing you now have to wade through lots of information in the Syslogs.
This is a highly stable solution.
This solution is very scalable.
Technical support for this solution is good. The response times meet our expectations and we have not had any issues.
We have always been using this same solution, but previous versions. We update them in trying to keep up with the amount of data coming through, such as more streaming.
The initial setup of this solution was straightforward. We had the proper documentation to reference.
We deployed this solution in-house.
I don't work with the numbers, but I can say that it's great for security and has improved our effectiveness at the office.
The cost of this solution is high.
We did evaluate another option, but we stayed with the Cisco solution because it's trustworthy.
This is a good product from a trustworthy vendor, but it is not perfect.
I would rate this solution an eight out of ten.
The VPN and monitoring are the most valuable features.
I tried to buy licenses, but I had trouble. Their licensing is too expensive.
If they can get the reporting to go into deeper detail, it would really be helpful because in order to get the reports in Cisco you have to go to look at the information that you don't necessarily need.
Also, the pricing is quite high.
The stability is good. Very simple. Upgrades are great. But when we upgrade it, things break. You have to upgrade about three things before you get something stable.
I haven't had to scale, so I can't speak to this aspect of the solution.
I haven't had to deal with technical support, so I don't have much to say.
We didn't previously use a different solution.
The initial setup was straightforward.
I did the setup myself. The budget I had didn't allow me to get support. I would use Google a lot. The first implementation took me about three weeks because I did not know what I was doing. So it took me a while. It took me about three weeks, but everything else took about two days, maybe three days and I was done.
We did look at Barracuda.
They really need support for deployment.
I would rate this solution nine out of 10 because I think if you have the budget and you plan it properly I think you won't have the initial deployment problems I faced.
Our primary use for the solution is for checking on and verifying the security of our customer data.
Our organization has been improved by the solution because we can be assured that the firewall is secure. It gives us more flexibility to monitor other things. Because we have safe firewalls, we don't have to worry about that and can direct resources elsewhere. If our internet goes down in one location we can bring it back up pretty easily.
The thing we've found most valuable is the efficiency. The firewalls are easy to configure and deploy. Overall it is an easy system to manage.
Another valuable feature is just how granular we can get with it so we can keep users seeing what they are supposed to and don't compromise security.
One way the product could be improved is if you could monitor more than one rule at a time. We only have the option to have one monitor window up at a time. If you're trying to troubleshoot something, you end up switching back and forth and don't get the bigger picture all at once.
It's reliable and it does its job. It gives you the freedom to do other things while you get indications of any issues. The multi-monitor would be a huge improvement.
I'd definitely recommend the product. Even when you set it up for the first night, it definitely will tell you the status of the network. The important part in the setup is following the instructions to get it going.
The solution itself is good as far as stability.
The technical support is good and the response time quick. We had some firewalls down and gave them a call. They helped resolve the issue and it was all positive.
Previous to this we had just a normal firewall that I didn't like. It didn't provide enough.
The setup was straightforward, even without initially having all the information we needed. It was very intuitive. When I went in to get help, help was there.
We got the product from a reseller and we did the installation ourselves.
We certainly have seen a return on investment at the very least from being able to reallocate human resources.
Before selecting this as a solution we really didn't evaluate other options at all.
As far as rating this product, I would give it a nine out of ten. The only real drawbacks are the lack of multi-monitoring and not really having clear instructions prior to jumping in and implementing it.
We use this solution to join our private network to the customer's network.
In our business, we don't have to be on the customer's network, so a lot of people will install cheap equipment. We're trying to push it to where we can standardize the equipment, although the cost of Cisco products would have to come down a little bit in order for us to be more competitive.
Firewalls are difficult, and this solution gives us outside access to connect with the customer's network and service them better. It makes us more efficient.
This solution is easy to use if you know how to set it up.
The most valuable features are on the routing side, with the control between the two networks and the rules that are in there.
The inclusion of an autofill feature would improve the ease of commands.
This solution would benefit from being more cost-effective.
This solution is very stable, and I haven't seen any issues with it.
Scalability doesn't really apply to us, as it is just a firewall client.
Technical support for this solution is really good. We had an issue with a firewall and it was a good turnaround that was quick.
Our implementation of this solution was driven by the customer.
The initial setup of this solution is pretty straightforward. We did have some rules that somebody had put on it that didn't match up, but we got it all worked out.
We implemented this solution in-house.
With respect to the routers and switches, or the core stacks that we get, they seem to be pretty comparable so I don't have any issues with the licensing.
Some of our customers would be more likely to standardize on Cisco equipment if the cost was lower because a lot of people install cheap equipment.
While we have a partnership with Cisco, there are other products that have been used within the company. After evaluating other products such as those by Barracuda, it just happened that this solution worked out better for us. I like the Cisco reputation.
With this solution, we have everything that we need. I don't know about other people's use cases, but ours is pretty straightforward.
My advice to anybody researching this type of solution is to stick with Cisco products, no matter which one it is. We've had pretty good luck with everything from Cisco.
I don't have any issues with this solution, so I would rate it a ten out of ten.
The feature I find most valuable is the Cisco VPN Interconnection.
The file features are useful as well. They're good at packet tracing. They are very straightforward. I would say that the Cisco ASA ASDM makes it very easy to manage the firewall.
I would say the pricing could be improved. It's quite expensive, especially for the economy.
I'd like to see more integration so that I don't need other parties for protecting my network. If I could just have ASA firewalls for perimeter protection and LAN protection, then I'm good. I don't need so many devices.
I would like to see improvements for client protection.
My impression is it's a stable solution. I could sound biased, but if you have a device working for four years and it's still working and people are using it, then it's stable.
Scalability depends on which device you have.
It's quite scalable if you have either the ASA, even if you had the new ASA firewall services, even if you had the one with the capacity of about 500 MDP. It isn't scalable for three hundred people connecting to it. I would say it is good for medium branch offices.
I'm not sure if we have plans to extend the service.
Technical support is good. The only thing is that Cisco cannot support you unless you have a contract with them. You have to go through the reseller in Africa. I don't see why Cisco cannot communicate directly with the customer, especially when I can prove that I have the device. They should allow customers to talk to them directly instead of having to go through the reseller.
I previously used SonicWall. I'm not the one who decided to switch, I just know that previously we used SonicWall.
The initial setup was straightforward. Within an hour you're done, including with your basic training. For implementation, you need one to two people. You should have one senior network administrator. Two people can maintain it if they have the skill.
I did the implementation by myself. If you decide to do it by yourself, you need basic knowledge. If you don't have that you would need a contractor.
This solution might be expensive, but it is economical in the long run.
The functionality is fine.
When they prove to me they cannot be hacked then I can give them a ten.
I would rate this solution as eight out of ten.
One important aspect when deploying a Cisco ASA firewall is that it obliges you at the beginning to define your security level, which will make it easier when making your security policy (traffic allowed from source to destination).
A security level defines how trusted an interface is in relation to another interface on the Cisco ASA.
The higher the security level, the more trusted the interface.
The highest security level is "Security Level 100".
Nowadays other firewall manufacturers try to adopt the same deployment principle as the Cisco ASA with security levels; however, the Cisco ASA does have other interesting features which I think are very useful:
- Firepower services
- Security context
- Firepower management
Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall, for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compared to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.
The Cisco ASAv is really stable, especially if you compare it to Check Point. Not long ago Check Point did release one virtual firewall, and the virtual firewall of Check Point is not stable.
The hardware version of the firewall is more stable than the virtual one. In terms of the data center, many companies have a virtual data center in a group environment. Many companies want to have a virtual firewall, but the one from Check Point, in comparison to Cisco, is not stable at the moment.
The solution is really scalable.
I haven't dealt with technical support. We just check online, and if we have to contact Cisco about major issues, it's an internal department dealing with that. I don't know how technical support is, because our technical support team is located in Sofia, and I am in the Netherlands, so I don't have any view on that.
The setup is always different. If you have a small company, the setup is quite easy, but if you have a bigger company the setups are quite complex. Cisco is pretty good in routing. So in bigger situations, configuring the ASAv file is pretty straightforward.
The deployment also depends on the customer's site. So, the time changes because most of the time we have to do a migration. For example, some customers have an old firewall, and you have to migrate things to a new one. And sometimes, it's just copy/paste, but in some situations, we cannot migrate all firewall configurations to a new one.
In terms of how many people you need for deployment and maintenance, again, it's dependent on the company strategy around the help desk. You should have a maintenance engineer who should be part of a team. The deployment will be done in a team. You can have one person to do the deployment but usually, you always have a backup, so it would be two. And then, for the maintenance, it can be one person or two. The maintenance can be done on the site desk, operating after office hours, so it depends.
It's difficult to give specific advice on the solution because it always depends on the design solution and the strategy. So what I would recommend is to use different firewalls and to use Cisco ASAv as a border firewall.
I would rate this solution as 7.5 out of 10. I wish the Cisco interface was not so granular. Check Point was easier to create specific rules than on ASAv, so that's why I say this. If you want to make things easier for an engineer, you always have to work on the interface. But the product, in and of itself, there's nothing wrong with it.
I worked for a Telecom provider, and we gave this solution to our customers.
The most important feature is its categorization because on the site and social media you are unified in the way they are there.
I see room for improvement when it comes to integrating all the devices into a central management system. Cisco doesn't provide this, but there are some good products in the market that can provide it.
Apart from the cost, I think Cisco is quite well-positioned in the market. Also, in terms of site capabilities, other companies are still in the lead.
The price, integration, and licensing models are quite odd.
We didn't have any problem with its stability.
Scalability depends on the requirements of the license. The licensing scheme is complicated and not straightforward. I think there were around 200 users, sometimes more.
We used to use Fortinet, but we switched because of the lack of integration.
The initial setup was of a medium complexity. This was especially true when it came to integration of the data servers.
We used a consultant. They were very helpful. The documentation was quite easy to find for configuring the devices. We thought the boxes would be more parceled or more completely behind, but it was not a problem. The data was there.
I would recommend this solution. I would rate this solution as eight out of ten.
We are using both Cisco ASAv and FTD (Firepower Threat Defense). FTD has a better interface, but we have both of them running.
We are using Cisco ASAv for the FirePower service. We use a custom interface for our firewall.
Cisco ASAv is part of our central solution. You can use the ASA family or go on the portal for normal ASAv. We use FirePower at the edge of the network.
If you are working with cloud services, it's better to use the ASAv family or other Cisco solutions.
We are using the Cisco AnyConnect for our end-user VPN with the ASA.
If a user wants to connect to our network, they access it via the Cisco intranet and connect to the firewall at the edge.
I don't have any experience with the price, but ASA is a comprehensive solution.
In the next update of the Cisco ASAv, I would like to see them release a patch for ASAv, i.e. to put the FirePower solution into the cross-platform integration.
Normally, in ASA, we have good stability.
The scalability of ASAv we can easily manage. We can have good scalability in different times but we don't have HA in ASAv. Some features are removed in ASAv.
If it's a normal ASA, i.e. a physical device, you have many more ways to scale.
For technical support, I have little experience with Cisco, unless they patch some issues. I raised a ticket and got the response immediately. They are very supportive.
For me, ASA is easy. The deployment of ASAv is done in 20 minutes.
We used both an integrator and reseller for the deployment. For the initialization, it was me for our company. If we have an issue, we can raise a ticket or call for a Cisco patch.
For the Cisco ASAv installation, I did it myself.
The pricing for Cisco ASAv depends on your license. With AnyConnect, it depends on your license. It depends on the number of concurrent users you want to connect.
Our license is for one year only, renewable at variable pricing.
On a scale from one to ten, I would rate this product at nine. Cisco ASAv is good in many advanced networking features.
I'm working with Cisco. They have competition with many vendors.
Our primary use case of this solution is for a firewall.
The user interface is old fashioned.
The stability is fine. There's nothing wrong with Cisco.
The scalability of the solution is fine.
We bought it from a supplier and they supplied the support, as well, and that's been fine.
We previously used a Cisco solution but it was a different version.
The basic setup is fine. We're just one person. It's only when you want to do some more sophisticated setup like channeling and stuff like that that it's more complicated. Deployment takes about 4 hours.
The product was expensive. Also, a lot of features weren't there even though they can be implemented. There are so many additional subscriptions that are needed to get the full features.
I liked that it had a full feature set from the beginning instead of having to buy features along the way. It's not like it's a cheap device. So, when you pay a lot of money for a device and then have to pay extra for facilities, that's a bit annoying.
I would rate the solution 7 out of 10. If you are a large business with a lot of Cisco devices or Cisco knowledge in the house already, then the Cisco firewall is the way to go. You might also have some better agreements with Cisco if you have a lot of stuff already. If you're a small company, I don't think I'd choose Cisco.
I primarily use it for my small company to protect 5-10 users.
The web interface was easy for me. The configuration is logical, so it's easy to use and easy to understand how to protect, how to open a port, how to manage and how to route a device. That's why I prefer Cisco. It's robust and I never have issues with the hardware. That's why I choose Cisco and not another vendor.
The service could use a little more web filtering. If I compare it to Cyberoam, Cyberoam has more web filtering, so if you want to block a website, it's easier in other solutions than in Cisco. I think in Cisco it's more complicated to do that, in my opinion.
It could also use a better web interface because sometimes it's complicated. The interface sometimes is not easy to understand, so maybe a better interface and better documentation.
My impression of the stability of the solution is that it's very good.
I don't have a sense of the scalability. I never extend the processes or usage.
My experience with customer service is very good in general. When I have a good person on the phone, or on the email, it's in general very fast and the reply is good. It's a good solution in general.
I previously used Juniper before Cisco, but only for one year. I switched because my company only used Cisco.
The initial setup was not complex, it's just difficult to find out how to do it. The FAQ is not clear. In terms of deployment, it depends on the client, but deployment takes about an average of six hours.
In general, I implement the solution myself.
I would advise that if you want something robust, a good hardware solution, I think it's competitive and you have a good warranty, you have to choose Cisco.
I would rate the solution 8 out of 10.
We have around 250 users and security is extremely important for us.
The features I found most valuable in this solution are the overall security features.
The overall application security features can be improved.
It could also use a reporting dashboard.
I found that Cisco ASAv is a really stable solution.
I haven't tested scalability yet, but I believe it is a very scalable solution. We currently have 250 employees working on it without any issues.
The few times I've had to call in technical support, the service was excellent. I've had no issues.
Our company has used various other solutions in the past. We've decided to also install Cisco ASAv to add extra features to our system.
The initial setup was straightforward and it took me about two days to do the installation. The fine tuning took about a week. I am the IT Infrastructure Manager of our company, but I don't believe that individuals without IT knowledge would struggle to do the installation themselves.
We didn't use any consultant for the deployment - we installed and implemented Cisco ASAv ourselves and we didn't experience any problems.
We pay an annual fee.
We have used many other solutions in the past and we constantly look out for other options. So we didn't switch to Cisco ASAv, we simply started using it together with another solution. We now use two products at the same time.
I rate this solution an eight out of ten and I would definitely recommend it to other users. If the developers would add a reporting dashboard, and perhaps lower the pricing, I will rate it higher. But overall I am really satisfied with Cisco ASAv.
We need a good and generic firewall which is why I bought Cisco ASAv. I also needed a secure VPN. The real reason I bought it though, was for the firewall.
The firewall power that comes with Cisco ASAv is the most valuable asset. They are very easy to manage and configure.
There definitely is room for improvement. We found it difficult to publish an antenna plug with the ASDM. Cisco should make the interface for the firewall more simple.
This product is very stable. Before installing Cisco ASAv, I had two or three viruses in my network. Since installing ASA, I have not had any problems with viruses. There is a huge difference with and without ASA.
I am satisfied with the customer service because the assistance I got from the Cisco engineer was very good.
I used a different solution before. I used Meraki and it was a little simpler to use. However, currently, I only have Cisco routers.
The initial setup for Cisco ASAv was fairly simple. It wasn't very complicated, it would be okay for an intermediate professional. It can be made easier. I believe almost anybody could set up an ASA in a few hours. It took about two to three weeks for the platform to work properly.
The installation wasn't complicated at all and I got help from a Cisco engineer.
I bought a license for three years and it was really affordable.
I did consider other options as I have experience with Meraki and other devices. Meraki is simpler to use, but I decided on Cisco ASAv.
I am really satisfied with the product and I rate this an 8.5 out of ten. The reason why I wouldn't rate it a ten, is because I find it a little more complicated to set up a firewall for publishing than when using Meraki. I therefore believe there is room for improvement.
We performed an in-house evaluation of Cisco ASA NGFW for use as an Internet Gateway Firewall and internal East-West traffic firewall between security zones. We are historically a Cisco shop and were planning on it being the top contender for our NGFW solution.
Cisco ASA NGFW running in "Firepower" mode (aka the actual NGFW mode) was not "fully baked", so it didn't meet all our requirements to fit our network architecture. It requires a completely different language than ASA and we found it to be difficult compared to other top firewall vendor offerings.
Integration with all the other Cisco tools is valuable. However, we've moved away from all Cisco security tools since this evaluation. Firewall choice was key to what direction we went and we found not only was the competing firewall solution superior, but their endpoint protection solution was as well.
The first thing that needs to be done is to finish building out Cisco ASA "Firepower Mode" in order for all features to work correctly in complex enterprise networks. It also needs a usable GUI like Palo Alto and FortiGate. There are lots of bug fixes to be done, and Cisco should consider performing a complete rebuild of the underlying code from the ground up.
With regards to stability, we had a critical bug come out during our evaluation.
It should be well scalable. However, we didn't see a good centralized management/monitoring system like the one that Palo Alto has.
Customer support was decent, although we definitely don't feel like you get the value of the mandatory support/maintenance fees.
We used Fortinet FortiGate, but as an early gen "NGFW" it was outdated. We have issues we don't believe would be resolved with their latest offering, so we didn't even evaluate it.
We found the initial setup much more difficult to do even simple things, like setting up VPN tunnels.
Our in-house team tested and evaluated the solution.
Watch out for hidden licensing and incredibly high annual maintenance costs. We bought much beefier Palo Altos for a less expensive one-time and annual cost.
Palo Alto Networks NGFW Firewall was compared in-house using the same configuration and testing, and it won hands-down.
Watch out for the marketing hype vs objective reality. Do the advertised features actually work correctly/effectively?
We chose a different solution after performing in-house testing.
Our primary use case for this solution is to protect the Internet Edge, and our VPN (Virtual Private Network).
We moved from a Legacy firewall to the ASA with Firepower, increasing our internet Edge defense dramatically.
The most valuable features for us are Firepower and the VPN concentration. These are easy to use and have good insights.
The product would be improved if the GUI could be brought into the 21st Century.
We are using the Cisco ASA NGFW as a next-generation firewall. We are using the 5516-X version. Our primary use case of this is as an X firewall for external connections.
Cisco ASA NGFW significantly improves our bank. It protects any high-value products that we use from hackers, viruses, malware, and script-bots. It gives us metrics on network traffic as well as what kind of attacks we are getting from the outside.
The most valuable features are the firewall capabilities, filtering, and intrusion prevention.
I respect the capability of the Cisco firewall. We fully use it all as a complete firewall solution. Cisco also has excellent anti-malware detection and other similar features.
Cisco should improve its user interface design. There is a deep learning curve to the product if you are a newcomer.
Stability is excellent.
It can easily scale. If you want, you can scale it to a lot of traffic. It's an X file, so all of our users are going through it.
We only require one administrator for the solution. For deployment and maintenance, it depends on how many developers you have. We require two dedicated staff at a minimum.
Naturally, we employ both security technicians and administrators. Cisco ASA NGFW is being used at all our branches, and we'll continue using it in the future.
The technical support from Cisco is excellent.
We have only been using Cisco solutions.
The initial setup of the Cisco ASA NGFW is not easy, but at the same time also it is not complex. It's somewhere in the middle. It took about 4 weeks, then it was activated.
We used a reseller consultant for the deployment.
Our licensing costs for this solution are on a yearly basis. Just for the firewall, it's about $1.5 million USD.
We evaluated Palo Alto Networks, Fortinet FortiGate, and Check Point products.
For the Cisco ASA NGFW, it is a bit more expensive than other products, but their method is a lot more stable in my experience. It has all the features that you would need in a next-generation firewall. They are always developing new features and introducing them.
I don't have anything that I'm currently missing with Cisco. On a scale from one to ten, I would rate the product at eight.
I have been using the Cisco ASA NGFW for about four months. Everything works fine right now. We have only been using this device for a very short period of time.
Thus far, we are using it as a web filter to filter the data against incoming traffic. We are an educational organization, so there is no gambling allowed. We don't want to allow students access to gambling sites or adult sites, etc. We use lots of web filters. That's the primary reason I installed the Cisco firewall.
We are also happy with the Cisco ASA NGFW router firewall. It protects your small server infrastructure, but it's not complete. We purchased the Cisco ASA NGFW for the web filter. That's why we moved to the firewall.
Right now, Cisco ASA NGFW has given us a lot of improvement. We are planning to move to a new facility and will be a much larger organization.
We have an opportunity to grow now. The Cisco ASA NGFW firewall can be upgraded to another version, so it's better for us long term. It is much better because we can control the traffic that students are accessing and downloading. There are still a lot of improvements that can be done.
For organization security, Cisco ASA NGFW has robust cyber-security features. We are planning to increase the number of firewalls installed, especially for wireless connections.
We installed a Cisco patch a month ago. There was a new update for the Cisco firewall and there were security issues.
We like Cisco filtering as a firewall, but in the current market, Cisco's passive firewall is not unique. We don't have any warranty problems with Cisco.
I asked our carrier several times to provide the exact gap code for me, but there is no Cisco dealer in our region. There is also no software accessibility with Cisco ASA NGFW. You can't always access the product that way. I also tried pfSense.
There is no support here in Georgia. If something goes wrong, support is not always very helpful with the other firewalls or other products.
Cisco products are more supported by lots of companies who are producing technical services for cloud platforms. The certification is very easy in Georgia now. There are lots of people using Cisco in Georgia because their accessibility is better than the other products on the market. I also talked to several guys about the Barracuda firewall.
The Barracuda firewall is very expensive. You need to pay three or four thousand dollars every three months, so it's very expensive for us. We are not a big company.
For our users, there are rules for the students and staff have another RF for authorization. There are small file servers also within the domain controller.
There is no special restriction for the students. They can print. They can visit outside websites online, but there is no gambling allowed at other sites. The students can access whatever they want over email or HTTP. Only the gambling and the betting sites, they cannot install the software. There are restrictions.
The students can use their own mobile phones or wireless devices, whatever they want. They are using the shared public key authorization. Our institution doesn't have any restrictions about accessing legal data. Except in Georgia, we have a very big problem with gambling websites. There are a lot of gambling websites, so we are trying to restrict all of the gambling sites at our company. We have a contract for the next year.
We are growing. In the next two years, we will have an additional 600 users, so we will double the capacity. We will see even more in the next three years.
It will be very tough. In about five-year cycles, you need to update the firewall and add other new Cisco devices for the next generation of innovation.
In five years, we will be ready for a complete upgrade cycle for everything. The stability and scalability of the Cisco ASA NGFW are good for when we need to grow.
For the next five years, everything is fine. After that, we will see because there will be a lot of changes.
Technical support with Cisco is very good. We feel the company is very reliable and very competent. I have very good feelings about the future for project operations.
We had the old version of the Kerio firewall, but because in our country, there is no official dealer for Kerio, we moved to the Cisco ASA NGFW. This is the main reason why we moved to the Cisco firewall.
We announced the tender and bought this product with the installation plus setup included in the price. I was not involved in the installation or in the setup.
The company just asked a consultant to do it. The whole process, after we announced the tender, took about one to two weeks. The consultant company installed the software. They also helped us to optimize other parts of the network such as the routers and switches.
The setup of the Cisco ASA NGFW was complex, not only for us as a firewall. We have now submitted another tender for a device router with two-node switchless support. We updated almost everything on the Cisco ASA NGFW with the core and distribution level software upgrades.
We paid about $7,000 for the Cisco firewall, plus another small Cisco router and the lead switch. It was under the combined license. It's a final agreement.
The Cisco license was not yearly. It was a yearly license for the firewall. For the router and switch, it was a lifetime license.
The other option we considered was Kerio. I tried to contact their office in Russia, but it is in the UK. I wanted to communicate with them because we cannot buy things without a warranty.
We considered buying Kerio products with the warranty, but they said we needed to send the device to them to repair it. This meant it would take too much time to replace it. In Georgia, we need a local distributor, i.e. a local representative here who we can work with, so that's the problem.
In Georgia, there is no problem using the Cisco firewall, because it's accessible. You cannot use other products, because they are not accessible. That's the whole problem.
I would rate Cisco ASA NGFW an 8 out of 10.
The primary use case for this solution is on the client side. PCS stands for Perfect Computer Systems. We are an integration company, we specialize in solution integration, bringing together component subsystems into a whole and ensuring that those subsystems function together.
Cisco ASA NGFW has improved our organization by providing more internet protection. Also, for the end user, it provides easy access from outside for users accessing the site.
The feature that I found the most valuable is the overall stability of the product.
The two areas that need improvement are the URL filtering and content filtering features.
These features are both very crucial to the end user environment. One of my main concerns and an area that could use some major improvement is the need to pay for licensing in order to enable necessary additional features. Included in the next release, I would like to see these features integrated into the products' functionality without having to pay for them on an individual basis.
My impression of the stability of this solution is that it's great, excellent!
As far as scalability, I haven't had any performance issues so far. There really isn't high utilization coming from the operations environment, so I don't need to upgrade the tier at the moment.
I don't have much experience with technical support since contacting tech support incurs additional costs. I have been relying on my technical knowledge and experience so far.
The initial setup was straightforward, though I find as we proceed we need an extra feature or two to enable all the functionalities and protection of the tool. It's an ongoing process. We have to be quick and agile to provide client support.
We implemented through an in-house team.
The stability is the greatest ROI for this solution.
My advice, since I have to pay for licensing each feature that I need to enable, like URL filtering, is to look at a pfSense. That is what we are doing because you have to pay for greater protection, a total solution can be very costly. We are looking at a pfSense, to bring down the total cost. The correct price point, in comparison to other platforms, is the main factor here.
During our initial decision-making process, we evaluated other options but the distinctions between all the options were quite minimal.
I am satisfied with the current facility and the management environment of the Cisco ASA, it's great for me.
I think that the cost would be the main factor when evaluating solutions since some of the companies or some of our clients ask about costs upfront. Once the client has made their initial request and inquired about any subsequent subsystem connectivity integration ideas, they always want to know how much everything will cost. The deciding factor is mainly based on the price point of the total user solution.
Overall, the criteria that we consider when constructing an integration decision depend largely on the client company we are working with. We evaluate clients according to their size, industry function, and the total budget that would be recommended for an effective solution.
I would give this product a rating of 9 out of 10!
We use Cisco ASA with Firepower. Currently, we have been implementing the solution for around four years. Our company has been around for a long time, more than ten years. We cover the solutions for Network Direct Turbo ATM at the moment, it's a lot of the security work.
Cisco ASA is best at the technical part of the business, related to our selling and management services. We have to improve the technical functionality of the product as part of making an efficient service for the customer. We need to improve the customer's technical experience with Cisco ASA & Firepower.
There are two main ways that using Cisco ASA & Firepower has improved our organization:
With Cisco ASA, we used the SMB of the model. The customers are usually satisfied, but I am going to recommend that all clients upgrade to Firepower management.
For Cisco ASA Firepower, I want Cisco to improve the feature called anti-spam. We use a Cisco only email solution, that's why we need the anti-spam on email facility.
The stability of Cisco ASA is excellent compared to other products on the market. The performance is good. Compared to Fortinet on the watchband firewall, it is indispensable. Because of our customer experience as an integration company, our clients never report any performance problems. We have good performance from Cisco ASA.
ASA is limited in terms of its scalability because of our customer environments. They are in the banking and microfinance sector. Our clients always want to move to the next generation firewall so they like FirePOWER. When we move clients to Firepower, they need to integrate with Sourcefire and move into more complicated management.
We have the staff perform the migrations to Firepower. We redirected traffic with Sourcefire and also require the use of FMC by our management center with Firepower.
I've been exploring the technical support for Cisco ASA. I haven't had any problems with it.
The initial setup is straightforward.
I always encourage our existing customers to move to the Cisco ASA Firepower version, i.e. the next generation Firepower like 2100, 4000, or 9300.
I would rate Cisco ASA an eight out of ten. An eight and not a ten because some of the features are limited and some are awful. We had to install other solutions for security and had to spend a lot on other hardware. Other vendors like Fortinet or Palo Alto Networks focus more on offering complete solutions.
I am a banker. I'm working in the bank and our equipment is mostly based on Cisco for the moment. We have some incoming projects to deploy from Fortigate to firewalls.
Cisco ASA is something I used when I was preparing for my CCNP exams. I've been using it on the incoming project that we want to do right now.
It is easy to deploy Cisco ISP solution in the bank I'm working in, i.e. Cisco Identity Services Engine. We've already used Cisco ISSO.
I have three Cisco ASA modules:
I have been using Cisco ASA since I've been at the bank for more than two years now. The model is 5515X. I have two modules of 5515X and the third one is the old 55105.
My primary use of Cisco ASA is to take advantage of all the features. I use it to enforce security policy and also to take advantage of the Firepower module.
I have a firewall module on my two instances of 5515X. On the Firepower side, I use all features on Firepower modules that are included in the AMP.
The biggest improvement has been in the internet features. We have been asked to prohibit internet access for all users except the bank services division and that is improved.
For AMP features, we use Cisco ASA to track traffic in inbound and outbound patterns, so we can set expectations for network traffic. I also used the exception for encrypted traffic.
One problem: Before installing encrypted traffic, I had to decrypt it first. Before setting it back, I encrypt it again. That's just the way Cisco ASA functions.
I would say the Firepower module is most valuable. I'm trying more to transition to this kind of firewall. I had to study a little of the Palo Alto Networks equipment. There is a lot I have to learn about the difference.
Based on my certification, I had to do a lot of lab work, a lot of projects, a lot of technical work with Cisco ASA. Now, I'm moving to other vendors, like Palo Alto Networks and Fortinet so that I can empower my level of technical experience.
The difference is why each business chooses to use it and how they implement the architecture for their solution using Cisco ASA and Firepower features.
The installation and integration of Cisco ASA with Firepower can be improved. I used Fortigate as well and I can say that Fortigate's features are more usable.
The management with Fortigate is easier than Cisco ASA on Firepower. The management side of Cisco ASA can be improved so it can be more easily configured and used.
The stability of the Cisco ASA platform is okay. I know that Palo Alto is the first rated one, followed by Fortinet.
The scalability is based on module support. We have a stand-alone version. It is not 100% applicable to talk about scalability at this point.
There is another Cisco ASA module available that is more scalable than ours. For the module I have, the stand-alone, the scalability is not as good as on the higher model.
The 5585 model, allocated for data center security, can be facilitated into the switching spot or the working spot in our data center. We can recommend the scalability there.
For the module I have, I'm using it as a stand-alone. I don't think it is scalable too much at this point.
I'm using Cisco ASA in my organization to support about 150 staff. For maintenance, I do all of the work myself.
I do everything if you need a Cisco ASA solution to be deployed for an infrastructure requirement. We are just a team of three. There is just me and my colleagues.
I'm in charge of all the infrastructure system, including the network and security infrastructure. On all tasks related to the system security and network infrastructure, I'm in charge of it.
I had to work with Cisco customer support two or three times, a long time ago. I had to work with them based on a problem with my call manager. We had a good ability to work together with Cisco customer support. It was normal.
They asked about the information on the installation. I had to upload it to them. They took that and came back to my problem with the results. I had a good experience with them.
I didn't use a different solution in my bank, but on some other enterprise jobs, I used some unique firewall solutions.
Since I have been at the bank, only Cisco ASA has been deployed. We just added two new modules. In the bank, we only use Cisco ASA solutions.
I will say Cisco ASA has a complex setup just based on the security policy we have to enforce (asked by the chief, the CIO). For me, it's not complex.
Cisco ASA is not difficult because I am in it for a year so it's easy for me to understand. I have no problem on the technical side. I always manage to do what I'm asked to do on security-side enforcement. I have no problem with that. It's normal for me.
It was 2 years ago that we were trying to deploy our facility equipment. We took advantage to deploy the Cisco ASA firewall (model 5515X).
For now, it's the only one. Since then, we're using it in an upcoming project. I will have to deploy some Fortigate and Cisco ISL as well.
I don't have a technical problem implementing Cisco ASA. I am a double CCNP and I'm preparing for my CCIE. On the technical side, I don't need help.
I had to work with external partners because they provide us with uptake equipment. They're available to follow up on the project with us.
We just had to make some tests to deploy some labs. However, when it comes to configuring Cisco ASA for production, I was alone.
On a security basis, we couldn't let the partner know the details of our address space. This is prohibited within our organization by security policies.
I had to re-do everything from scratch. For this implementation of Cisco ASA & Firepower, I was alone.
The licensing for Cisco ASA is on a yearly basis. We have to renew the Firepower module license. We are in the process of renewing this one.
I just made the demand. They have the management who is in charge of asking about the price and payment terms on different offers.
We are just a branch bank. The decision is not made here and the branches just have to follow the central policy.
Cisco ASA is a good solution. I never had a problem with it. I will say that I mostly recommend Fortinet because of their ease of management and Palo Alto Networks because of their reputation for business efficiency.
I would rate Cisco ASA with an 8 out of 10 points.
Primarily, we are just using it as a firewall, mostly to protect our internal SQL network (our primary network). At the moment, we are not using Cisco Firepower for our services. We just use it as a firewall.
We have multiple secure internal networks linked with our plants. We are from an oil company, so we have multiple plant areas which need to have restricted network access. Therefore, we are using it for restricting access to the plant area, where they cannot directly connect onto the Internet.
It does not have a web access interface. We have to use Cisco ASDM and dial up network for console access, mostly. This needs a bit of improvement.
Most of the time, when I try to run Java, it is not compatible with ASA's current operating systems.
It should have multiple features available in a single product, e.g., URL filtering and a replication firewall.
It is very stable. We have routers entirely from Cisco, which are still working after ten years of deployment. I would rate the stability as a nine out of ten.
We have two people maintaining it. It does not require intensive work. We have an expert in switching technology, and another person who is knowledgeable in routing and network security.
The scalability is good.
The technical support of Cisco is very good. Nowadays, you can get anything over the Internet. They provide help over the Internet. There is a very full forum, which is manually supported.
The initial setup was completely straightforward.
However, we have to rely on Cisco ASDM to access the firewall interface. This needs improvement. Because we have a web-based interface, and it is a lot more user-friendly.
Deployment takes two or three days. We are continuously deploying the solution to our plants over time.
We do the deployment in-house.
ROI is part of the infrastructure costs. The product has saved us a lot of time, and once we deployed the solution, it worked.
The cost is a big factor for us. This is why we are using it only in our restricted area. They are very much higher than their competitors in the market.
I would rate the cost as a six or seven out of ten.
Nine or ten years ago, there were few options at the time.
Currently, we are using Barracuda for our more general Internet access. We use Cisco for our more protected environment.
I would recommend the product, but cost is a big factor. Some companies cannot afford expensive products, like Cisco and Palo Alto.
We use remote desktop services from our data center. We can clean the client and the remote desktop server and from there we can establish a VPN channel.
We can create a profile and we can give them access depending on the access level they need to be on. All the way from level one to level 16. I just create the user and from the dropdown, I select what access level they need to be on and that's it. I don't need to go individually to each and every account and do the configuration.
I like the user interface because the navigation is very easy and straightforward. On the left side pane, you have all the sites that you need to browse. Unlike any other firewalls, it's pretty straightforward.
If I need to download AnyConnect in a rush, it will prompt me for my Cisco login account. Nobody wants to download a client to a firewall that they don't own.
I would definitely love to have a much nicer web interface compared to the systems interface that it has now. I also would like to download utilities without having to log in to the system. Nobody would want to download a client unless they're going to use it with a physical firewall. I don't understand the logic. If I was a hacker, I could get someone to download it for me and then I can use the client. There's no logic behind it.
I would rate their stability a nine out of ten. It's pretty stable. I never come across a situation where the firewall hangs and then I need to reboot it.
Cisco is expensive and when you want to grow, it means you're going to need to spend some money but you can justify it.
We have closer to 50 users on the firewall at the moment and do have plans to increase usage.
We were previously using Sophos firewall but it had a lot of issues.
The initial setup is a little difficult compared to other firewalls but once you get it right, especially the assistant control list, it's fine. It's a little difficult compared to other firewalls.
The deployment took us about three days because we did some testing and we also did certain attacks and checked some hackers which is why it took some time. We wanted to make sure that it was at least 99.99% protected.
We implemented through a UK company called Rackspace.
Licensing is expensive compared to other solutions. Especially in other regions because people are very careful when it comes to spending on IT infrastructure. My suggestion is, first test it, once you see how good it is you will definitely want to renew it.
I would advise someone considering this solution to just go for it. It's expensive but it's a robust solution. The only thing is that you have to convince your finance guy to go for it.
I would rate it a nine out of ten.
It helps the firewall in our network and the VPN (Virtual Private Network). It creates a secure tunnel for our network.
The IPS (In-plane switching) is the most valuable feature. This enables visibility to our networks and to outside attacks. It is a solution to maintain the visibility.
At times the product is sluggish and slow. Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is.
It is a very stable solution.
It is a scalable product. We have a lot of demand. But, it supports any additional network that we add. It expands easily.
Normally the Cisco tech support team are good. But, we have had some problems with tech support with this product. Some of the tech support team are really not familiar with how the IPS works. And, there is some disconnect between the tech support. Maybe they're not trained well. They're helpful, but not knowledgeable.
We use it on several layers of our network like in the border, internet edge, DMZ, some extranet parts of our network, and in the data center.
It's a reliable solution and a stable firewall. It helps us to manage the security policies in different areas of our network.
We use ASA as a simple, scalable firewall. Its main advantages are the stability. We use it as an active standby and as a failover solution. We depend on this solution, we've used it for several years.
It's quite stable. In the past though, colleagues have had issues during the upgrade process. The failover didn't work and production was down.
It's not so scalable.
I haven't had any major problems so I haven't had to open a ticket with technical support.
The initial setup was not so complex. Most of it was straightforward. We just needed to discuss different scenarios that we had to consider regarding the deployment scenario, what could go wrong and what could happen in the future.
We used Telekom Romania for the deployment. We did most of the job internally but they helped us to clarify some aspects regarding the architecture design.
We also considered Check Point. We chose Cisco because of its capabilities. We didn't need something so complex for this solution, just a straightforward firewall. It met our requirements.
I would rate it a nine out of ten.
Our primary use case is for security. We are a bank in India and the data is very important for us. We use ASA for our security and protection.
Data protection is a big benefit we see from this solution. It protects our customers, our customer's accounts, and money, as we are one of the biggest banks in Egypt and the Middle East.
Its ability to discover attacks is a valuable feature. All of the other features that have to do with security are good.
Some of the features, like the stability, need to be improved.
The scalability is good.
Their support is good and helpful but sometimes it takes them a while to respond. We have been stuck in critical situations so we opened a critical ticket but it took them a while to respond.
The initial setup is easy. If we have an issue we contact their support.
We implemented ourselves.
I would rate it a seven out of ten. I would recommend this solution to a colleague. No product will give you 100% of what you're looking for but this solution is close.
We mainly use this solution for our firewall and it's one layer of our security. From the time that we've used it, the organization as a whole got a sense of security because Cisco is a known product. When we do need support locally or online, we get it instantaneously. We use this solution for a couple of things: for security, for their technical support, and in terms of the knowledge and skills of the team here that gave us a good grip and confidence in the use of the product.
It gives the organization a higher vote of confidence. When I joined the organization more than six years ago, we were using the old Cisco, and some of the products had already reached their end of life. Some of the products were not in their latest state, in terms of security or license. We've learned a very good lesson there. Since then, when we upgraded we made sure that all the licenses and all the security facets are in place. It gives the organization a higher vote of confidence. There may have been one or two incidences of malicious threats, but it did not really bring down the organization to a level that we would all be sorry for. The greatest benefit for the organization is the confidence that we are secured.
Cisco is known as a popular and trusted product. Because of its constant R&D, we're assured that all updates, all patches, all fixes are done instantaneously. As far as the feature is concerned, it gives us a certain layer of protection. As a CIO, my vote of confidence is in the product itself. After making sure that we always have all the updates on the licenses we're assured that we're getting all the necessary security protection.
I would rate this solution a nine out of ten. Not a ten because I'm reserving the one point for whatever new surprises they are going to provide.
Its security is the most valuable feature.
The phishing emails could be improved.
It is stable.
The scalability is good. I'm happy with the service. We are around twenty users. Some are in finance, some are in mid-user roles, and some are in other official roles.
We did not previously use a different solution.
The initial setup was straightforward. Implementation took two days. We needed two people for the deployment.
Pricing is high, but it is corporate's decision.
We didn't look at any other solutions. All of our campuses use Cisco products. This is why we chose this solution.
This solution has good security and it's a good product. You can trust Cisco, and there's support as well, which is really good.
I would rate this solution an eight out of ten.
I have deployed Cisco ASA as a terminator firewall. Normally, I would have preferred to have a sandwich configuration for firewalls: One possible firewall that would make an internal firewall and another for an external firewall.
Cisco ASA is best suited for our external firewall protection.
In terms of next-generation capabilities, Cisco is a little behind. It is way behind leaders like Palo Alto, Check Point and Fortinet. While Cisco is headed in the right direction, it will take several years for it to get there.
When I need support, Cisco has provided quality support. I like working with them because of their support system.
The setup was straightforward. I was happy with the configuration and deployment of the solution, as it was quick.
Whatever you have that’s potentially public-facing, you need to protect it. As our technology moves to the cloud, so our need for security transfers from physical appliances to virtual ones. This is the classic Cisco ASA device, virtualised.
Ease of spinning one up: The hourly charge has made demos and testing better because it’s a truer representation of a real-life situation.
It has allowed us to reduce costs and to make sure we provide rounded, secure products to customers.
We didn’t find any huge issues. Obviously, there are always vulnerabilities that come up and there was one in early 2018 but this was patched with software updates.
Admin rights need to be given out carefully as they give overarching control to all devices - but that’s the same for everything.
We went with this solution via the AWS Marketplace because it’s been made so easy to use an ASAv on AWS with simple drop downs to set it up. Our demo machines were also in AWS so we wanted a one-stop shop where we could spin them up or down as needed and configure the ASAv before it was launched.
Almost all IT staff have used, or can easily learn how to use, the Cisco ASA appliance because it’s been around for years and is so popular (with good reason). For us, we stuck with what we know. It was an easy sell to get it signed off by higher-ups as they’d also heard of the ASA device from their time in IT.
This solution gets an eight out of ten because it is easy, has the features we need, keeps costs low, and provides granular control using appliances that are already familiar to the team.
It is our firewall solution. We connect to other locations, as well as use programs in-house.
The most valuable feature is the security that it provides our company and users.
Furthermore, our company uses it for making rules for the bank to connect to our server in the DMZ, which is a security challenge.
It needs improvement as a "Next-Generation" firewall solution. In addition, it needs to be more user-friendly.
There is no downtime, and it is working great.
It is scalable. We have had no issues.
The initial setup was complex. But, after that, to maintain and keep creating rules it was easy.
We evaluated Cisco ASA vs Fortinet FortiGate VM.
Our primary use case is security.
From a security perspective, we are getting assurance with respect to the infrastructure which is getting built or the threats which are emanating from the Internet. With these, we can obtain the visibility that we need to know where we need to improve.
The transparency of the single UI to ensure security. A product has to be simple so that an administrator can use it.
The artificial intelligence and machine learning (behavioral based threat detection), which I can this will be coming out in another year, these are what we need now.
The stability is alright.
Scalability is not an issue.
Its technical support is the main reason why we selected the product.
The integration and configuration are transparent and easy.
We are partners with Cisco. They are always one call away, which is good. They know how to keep their customers happy.
We evaluated VMware Virtual Networking and Check Point.
We chose Cisco because of the support and their roadmap for the changing technology landscape is good. Therefore, it is always better to be partnered with them.
When you are going to select a product, don't look at the cost, but at the functionality. Also, look at the stability. These days, the startups will show a new function or functionality, but when looking for a partner, make sure the company is sustainable for the next four years. Do they have the funding?
We have a large ecosystem: Symantec, McAfee, Splunk, Check Point firewalls, Cisco firewalls and IPS/IDS from Cisco. They integrate and work well together. Cisco has been a security leader for the last 20 years, so the products are quite stable working in sync.
We are using every version of the product: On-premise, Azure, and AWS, which is a new offering.
It's our firewall for our AWS VPC on the internal side that connects our VPC to headquarters.
I have been using the product for two years, but it has been installed in my company for four years.
Even on a smaller scale, people are finding you need HA pairs, and there's no way that the ASA can do that, at least in the virtual version. We needed the ability to failover to one of the others to do maintenance, and this is a glaring issue. However, it is one of their cheaper products, so it's understandable. It is just that we would hope by now, because it has been in use in a lot of different environments, for even moderately sized companies, the ability to have HA pairs would be extremely useful.
It has been relatively stable, in the sense that it stays up. It doesn't die on us.
Scalability has been a pain point for us.
It's great for what it does. Just make sure you know whatever environment you are using it in is not going to have to scale. Just use it for sandbox. As long as they stay competitive, use the ASA, but make sure you have a plan to grow out of it.
We have definitely made some calls to Cisco regarding issues. While it is time consuming, they are thorough. Sometimes depending on the urgency, if there is a real P1 problem going on, it would be more helpful to go straight to the chase than to have to go through troubleshooting steps that are mandated. A lot of times, it is understandable why they're there, but I wish they had a different, expedited process, especially when they're dealing with our senior network engineer who has already ruled out some things. Cisco tends to make you go through the steps, which is part of any normal troubleshooting. However, when you're dealing with an outage, it can be very frustrating.
The integration and configuration were pretty straightforward.
The AWS Marketplace has been great, but it could be a bit more user-friendly from an aesthetic perspective. It is fully functional and easy to figure out once you are in it. However, the layout of the AMIs has a lot missing, e.g., you have to side click to find the area for community AMIs. It would be awesome if AWS Marketplace would put up a wider range of AMIs.
With the Cisco ASA, you do get what you pay for. What would really be awesome is to see Cisco blow out a real cheap version where you can use the sandbox, but leave it step-wise and go to another product relatively easily, like getting you hooked on candy. The problem is that we already paid for the ASAs, and we grew quickly. Now, we have found ourselves in a situation where we have to wait for next year's budget and everyone is using it. We've gone from a sandbox model to full production. If Cisco was a bit more on the ball with this type of thing, such as pay a smaller lump sum, then scale as a pay by use or have an option to switch models. This would be good because then we could actually leverage this type of model.
Right now, we want to go to the rocket stuff, and our people who make the decisions financially will just have a heart attack. They will choke on it. However, if we can roll it into our AWS bill, and slowly creep it in, it is usually more palatable. As crazy as that sounds, even if it's more expensive to do it this way.
Our network guy looked at alternatives and settled on Cisco ASA. It was the cheapest available option, virtualized, and he was familiar with Cisco, like many people are because it's a great company. It made the most sense at the time, because our VPC was a sandbox at first. Now, it has grown, which is where the pain point is: the scalability of the ASA. We have sort of wedged ourselves into a corner.
We are now looking into Cisco Meraki, the CSR stuff, and the SD-WAN technology.
For the AWS version, Cisco is our primary use. We have our own appliances and products, which are indicated as Cisco ASA. So, we test these products against Cisco ASA using different types of rules for new cases. During the test process, we make sure the integration works.
We have been using the solution for two years.
Right now, it serves a purpose and has everything that we need. Performance-wise, it is top-notch.
It is a comprehensive suite and complete package. We have the following with the product:
We find that virtual instances are helpful because they are easy to use on AWS Marketplace, as they are On Demand. We have a lot of traffic on AWS. Therefore, to monitor the traffic rather than using on-premise, we use virtual instances of Cisco ASA. This is pretty easy to use and we receive value off of it.
Cisco ASA should be easier to use. It is a bit tough to navigate and see what is going on. While I like the UI and dashboards of Cisco ASA, if you compare them to Palo Alto or Fortinet, they have much richer UIs. An analyst (or anyone) can see them, and say, "I have got all these important pointers on my dashboard." However, with Cisco ASA, we need to dig into many things and go to many views to see what is actually there.
It is stable. We put a good amount of stress on it.
Especially for the AWS version, we can spin up multiple instances and do load-balancing.
We have 15 to 20 Cisco ASA switches with a couple of physical appliances and twelve machines. Our team is using four to five machines.
It is all self-guided, and we were already using the physical appliances. Therefore, we knew how to use the product.
Our individual release cycle has been quicker because the entire development and testing environment has been automated because of these virtual instances. It has aligned our development workflow. This is where we have seen the ROI increase.
For example, if you are working with a physical appliance, then you need to have a dedicated lab administrator to work with it, even to test a simple use case. This takes time because we would need to frequently reset that appliance and load all the data. It is no longer like that.
Purchasing from the AWS Marketplace was easy. It was just point and click.
It is pay-as-you-go, so it is much cheaper than buying in the plants.
We also checked Fortinet and Palo Alto, their AWS versions.
When we compared products, Cisco ASA is easy on AWS. We received a trial version. It is easy to set up and evaluate.
We also already had Cisco products. This provided a tighter integration with what we already had. Since most of our traffic stays in AWS, it made sense to use AWS Cisco ASAv.
Once you deploy a virtual database or virtual machine for any product, like Cisco, the first thing to do with your data is test it. So, you need to be prepared with the test that you want to test before you deploy the instances. Because after deploying instances, you wait and see what the data come back with, how to configure it, and review what doesn't work. Therefore, you need to do some background homework before starting, such as what type of data you need to put into it, how to test it, and will the system process it.
We have used both the on-premise and AWS version. We started using AWS in the past six to seven months. Prior to that, we used the on-premise version. The AWS version is better as it is quick to spin up and configure. Also, with AWS, everything is preset, and it is more flexible.
We have it integrated with many other products, like threat intelligence and analytics. For example, all our logs go into Splunk, then we receive our analytics from there. We also have Splunk on AWS. Thus, all the data stays on the cloud, so there is no latency, etc.
I have been using this product for over ten years. Most of the features fulfill my requirements. It protects our network.
The most valuable feature is the section payover. But, I think that kind of function may also come from similar products. In addition, they have the integrated IDS/IPS source powered modules. This is a new screen for us, and it is also very useful.
More than five years.
The stability of the product is good.
The scalability of the solution is OK for me. It basically fulfills my requirement.
I would rate the technical support a rating of seven out of ten.
I always consider the stability and scalability of a product when choosing a vendor.
The cost is a bit high compared to other solutions in the market.
We have looked at Juniper, Palo Alto and other brands.
We like that Cisco has a lot of experience on the market trends.
It is primarily used as a firewall. I think that all firewalls basically work the same, but some have different configurations of the switches. Cisco ASA is very strong.
I think that there should be better security of other firewall appliances. Migration is another main issue. If you migrate from the ASA to the new Firepower Threat Defense appliance, it is not an easy migration. You have to do some of the migration manually, and if you are replacing those firewalls it will take a long time. It should be a smoother migration process. Some of the new engineers are still not familiar with it, and I think that Cisco should rehire some of the engineers coming from Sourcefire to do so.
There is not much to say about the stability of the product. Migration is the painful aspect of the solution.
During the mitigation process, I used tech support. But, I still have not had a completely clean migration process.
I do not like to have too many vendors; it becomes difficult to diagnose and deal with. If all the switches also ran the same, I would be OK. But, this does not usually happen. Often there are many configurations of switches and we end up switching on the switches.
Cisco has recently become very expensive. Other solutions on the market are cheaper than this solution.
We have also evaluated Fortinet and Sophos UTM as possible solutions.
Our primary use case is to use it as a firewall.
I find that the product is a very good and secure firewall. The benefit of this product is that it is a strong firewall solution.
It is a secure product. But, it is not very easy to configure. You need to be knowledgeable to be able to manage it.
In addition, due to changes in management, we found Cisco slightly behind some of the competitors in the market. Furthermore, the internet protection system seems to be lacking, in comparison to some of the competitors. This is why we are currently looking at other possible solutions.
It is a stable solution.
The scalability is a bit limiting, to be honest. In terms of when you look to changing landscape in terms of threats, I think to me, my personal it's a bit limiting.
I have not used the technical support for Cisco ASA.
It was a bit complex to set up this solution. When we used the command line, it was not easy to implement. We needed Cisco technical knowledge to be able to manage the implementation.
The cost is a bit higher than other competitive solutions on the market.
Yes, it's a good provider when it comes to firewall solution, but maybe limiting when you are looking at the wall UTM management. It's delayed behind some of the competitors.
We primarily use this product for networking. We are a Cisco shop, as far as networking goes.
I think the room for improvement of this solution is that there is a need for more of an application awareness capability. I just don't think it has the application awareness. It obviously looks at ports and what not, but it is not necessarily able to identify applications by their action, and what they're doing.
We have not encountered issues with stability of the solution.
The scalability is fine. We have no problems with the solution. We have two of them in a standby configuration.
If I were to rank the tech support, I would give it an eight or a nine. They have not been able to resolve all of my problems. I had to find my solutions on the web myself. I found other users with similar issues to what I had experienced. Then, I resolved the issues by myself.
I would consider this solution on the "high end" of the pricing spectrum.
I have considered Check Point and Juniper in the past.
Generally, it has highly productive platforms and it has good capabilities.
It just works like an internal firewall. It's an ordinary role of this platform, nothing special.
At this point, we find that this product has high productivity and high availability and there is no need for improvement.
If there is old hardware, or old appliances, it does not necessarily work with the new Cisco generation firewalls.
It is a highly stable product. We rarely receive any serious outdates, so it works quite well.
Yes, we use the technical support maybe twice a year. We received a very fast response time.
It was very straightforward. It was not complex at all.
When evaluating a possible solution, I always consider:
It was used for a remote office deployment connect back via VPN to the corporate office and services.
Cisco ASA works out-of-the-box. With the setup wizard, it was easy to get it deployed quickly, even by novice IT users.
The ability to have a protected home network on the unit and a separate secured office network linked back to corporate.
More intuitive support for SIP services is needed. This took a long time to configure properly for the user.
The primary use is that it manages all of our incoming and outgoing VOIP transmissions as well as data transmissions between our branches and our third-party bank processor. It has performed well.
The ASAs are very stable firewalls, and they've been very good at protecting our assets here at the bank. They have done exactly what they were purchased for. They have done a great job.
I've always looked at Cisco products as being the industry standard. They're wonderful at being able to lockdown and manage that.
The only con that I have really seen with it is the reporting structure. FirePOWER is good. It has been a great help because, before that, it was not good at all.
Three to five years.
The scalability is very good. We use the 5600 models and the lower 5000s. We were able to upgrade as needed. We added a ton of VPN tunnels to them and they handled all that traffic quite well.
Support has been very good, very professional, got right to the point. My third-party administrator got stuck on setting up some tunnels. We called ASA support and they walked him right through how to do it. That was good.
The third-party did all of the setup. I told him what I wanted and he set everything up and got the tunnels for us as well.
The cost of keeping the licensing up on the ASA is very expensive. It has a lot of positives, but the cost of going with it is really starting to be a major negative right now.
Talk to your peers in the industry, find out what they use and why, and then look at exactly what you're using it for. We changed a great deal of our infrastructure, adding a lot of extra tunnels, so that made a complicated product even harder to manage. Look at what you're comfortable in managing with their interface.
We start looking at upgrade cost, our constant licensing cost. I look at other products that rank very high in industry ratings. Now I'm looking at similar products that are a little bit easier to manage. That is another fault of the ASA. They're very complicated to manage, but that’s because they have so many features. It's a very feature-rich product.
When selecting a vendor the most important factors are
In terms of security, right now is a really tough time for us because, even as a smaller community bank, we’re targeted. We have huge targets on us right now from hackers. I have to have a product that is stable, that will hold up, from a reputable company. I'm looking at companies that are top-tier.
I would rate the ASA equipment itself a nine out of 10. The software and manageability would rate a seven and the reason for that is the complexity of it. It is extremely complicated, even for our Cisco-certified person who manages it for us.
IT landscape is dynamic, requiring security policy, controls, and visibility to be better than ever.
This applies to all ASA-related Management/to-the-box traffic, like SNMP, SSH, etc., with Firepower services combined with our proven network firewall along with the industry’s most effective next-generation IPS and advanced malware protection. Therefore, you can get more visibility, be more flexible, save more, and protect better.
Historic events related to security incidents. My organization must have a unified strategy for event logging and correlation.
The Cisco ASA device needs overall improvement, as configurations alone do not completely secure my network. The operational procedures in use on the network contribute as much to security as the configuration on devices.
There is 24/7 support anytime, anywhere.
Before, I did not manage my private network well (or professionally). For this reason, I have been updating products.
Commercial leasing is the best option.
We needed a way to monitor threat protection and not cause latency.
It allowed us to consolidate multiple security devices into a single appliance. It consolidated and helped us eliminate firmware upgrade issues across multiple devices. The "Keep It Simple" method.
We are looking for software taxi capabilities.
Going forward, we are evaluating Anomali. The founder of ArcSight founded Anomali. The product has the ability to be a consumer of threat intelligence, and be a contributor showing the maturity in threat protection posture.
Firewall and VPN.
I can't really say how it has improved our organization, but the benefits are that we have a necessary firewall with which we can create VPNs.
Pro user-based firewall rules.
The solution that we have right now doesn't do what I want it to do. We don't have a ratified solution for all the things that I wanted to right across our business. We're doing similar functions using different technology and I want ratification. I want to be able to do more than what we are currently able to do with the existing service, all under the umbrella of improving security.
The product crashes. We have a cluster of firewalls and we regularly get failovers.
I have used technical support once, and they were superb.
When selecting a vendor, the most important criteria include:
I was involved in the initial setup. It was complex.
Do your research, know what you want to achieve.
Cisco ASA needs to be more reliable. Because of the nature of the product, it has to be rock solid and, unfortunately, it's not.
This solution is involved in the protection of the network perimeter and the VPN gateway.
It allows you to fine-tune and create flexible circuits, as well as unites a large number of different types of connections.
We offer publishing services. It depends on our business, but we use this solution for security.
ASA 5505 and ASA 5506 are very powerful tools to use in a business environment, and provide a lot of security.
Intrusion prevention, we currently need to apply deep bracket inspection manually to use web filtering.
Some branches are joint through Cisco ASA 5500-X VPNs. Executives or employees are connected via AnyConnect.
It joins all branches and permits employees to work outside their offices, but everything is based on high security standards (PCI compliance).
Multiple WAN connections: Even though you can implement more than one interface to outside connections, it is lacking on load balances, etc.
These firewalls are used in enterprise level environments, which require granular control and customization to meet security and compliance guidelines for an organization. Once configured to suit your needs, they are rock solid appliances.
These firewalls are not for beginners.
My confidence continues to build upon using Cisco firewalls. I prefer to use Cisco firewalls to any others.
Antivirus features must be integrated for end user security. They must be increased in the next version along with audit and restriction for the incoming user. Security must be increased when a new user connects over the LAN and an alarm must be generated.
We use it for our university department firewall. It replaced our 12-year-old Cisco ASA 5520, which used to protect web servers, mail servers, SVN repositories, office computers, research computers, and computer labs. It was used for blocking the internet for exams. It was not used for IPS, so we did not buy the new threat protection or malware license. We connected it to a Layer 3 switch for faster Inter-VLAN routing.
It works better through specs than our old ASA 5520. It seems to perform the same functionality unless you buy the additional threat protection licenses, so this is a disappointment. I found a bug where the ASDM could not be used with Windows 2016, but it did work with Windows 10.
ASA pricing seems high compared to other firewalls, such as the Sophos XG models.
The licensing features are getting more complicated. These should be simplified.
I am using Cisco ASA as the firewall for my business to guard the boundary of my business. It has been very helpful in my sector of media with my clients, essentially focusing on how secure their data is, especially when we are working on a few projects which involve multiple citations across Europe.
Our content, which is the main asset for our firm, is pretty elusive behind the firewall of Cisco ASA.
It has improved my client's trust.
VPN load balancing: This has been particularly essential for my connections to integrate via multiple time zones.
I needed to be well-versed with all the command lines for Cisco ASA in order to fully utilize it. I missed this info and wasted some operational costs. I would like to advise others to please be wary from the start.
It was initially heavy on my pocket, but it soon actualised its worth.
Remote network access: We primarily use ASA for VPN, NAT, PAT routing, SLA, and multiple ISP providers.
Ease of configuration: It has gotten a lot easier to configure compared to the original Cisco Pix.
ASDM provides GUI for configurations. ASDM has made configuring ASA easy. No need to memorize CLI commands.
Edge security and Sourcefire have been nice. Sourcefire was a major improvement over the legacy IDS that it previously had.
Sourcefire has been a great addition. The visibility and control have been nice.
I also like the active/standby HA.
The solution has two separate GUIs and at least three different CLIs (ASA CLI, Sourcefire CLI, and Firepower Management Center CLI). In addition, ASDM plus Firepower Management Center GUIs. If Cisco could stop rebranding, combine all the CLIs/GUIs, and give a consistent experience, this would be great.
Also, AnyConnect is very difficult to manage and use.
The gateway firewall is where we use it the most.
The firewall and policy side are easy to use.
Make the IPS baked-in. It is a good firewall, though not NextGen.
We use it to protect the perimeter of the network.
It is reliable, and does the job that it is supposed to be doing.
It is not very user-friendly for the administration.
The Cisco solution that we have now is very stable. That is why we are interested in continuing with the Cisco solution and upgrading to the next generation.
It can be used by multiple users.
We use the technical support of Cisco through a partner, so I do not have direct access to the Cisco IT technical support.
We just shortlisted Cisco and Fortinet.
We needed a Cisco technician to do the initial setup. We had to outsource the implementation.
We need to upgrade our security requirements due to the new security requirement applicable in Europe (from GDPR) and the cyber security guidelines for our vessel (we are a US shipping company).
Most important criteria when selecting a vendor: familiarity, reliability, and price.
I have been using the 5510 a lot, and have been working with it for many years. I have also used the 5505 and other firewalls.
It is much better than most of the other firewalls that I have worked with.
It needs more tunneling capabilities.
It is worth every penny that we have invested in it.
We provide managed services based on the Cisco ASA product. The brand is reassuring to customers when procuring our services.
These features allow us to deliver services to meet client needs across various industry verticals.
MSSP oriented interface: I would like a single console which would allow me to manage settings creating consistency across all customers.
We use it as a perimeter firewall and do VPNs and filtering.
As a reseller, because Cisco includes different companies like Sourcefire, Meraki, and Talos, I think Cisco has a good portfolio for the security business, with their own devices too. For example, we have our firewall, we have a Web security appliance, things like OpenDNS with Umbrella. I think Cisco can cover with all the platforms.
All the visibility the device gives us as well as management and administration facilities.
It needs better documentation for when we present solutions to non-technical people. They need to bring together all the information, across the various firewalls, so that we can more clearly explain them.
Also, pricing could be better.
It's very stable.
When we implement a firewall we need to be aware of whether it is growing over a short time period or a long time period. I think the scalability, from our implementation, is good because you can use the same configuration for another platform. If you implement on a small platform, it is easy to implement the same configuration to another, bigger device.
I think tech support is a large part of Cisco. It's good, it provides support around the clock, answers problems. I would rate it nine out of 10.
For some things it is very easy, but configuring other things is a little complex. It depends on the use case.
Cisco may be a little expensive but it has everything, and they support very well.
I think Cisco has all the solutions: switching, routing, security, they have wireless. You can cover all the devices with Cisco. They have all the network and engineered tools to help resolve the issues that we have. They are really very good devices.
In terms of advice, I would say Cisco is the best company. They're very stable, there aren't too many issues. And when there is an issue they have many engineers who can solve the problem.
We use it for security of branch offices and data centers.
It works like a firewall for security reasons.
Filtering is the best feature, as I have gotten used to using it.
The IPS and GUI are outdated. It is finally getting IPS inside, which will be a big improvement. The GUI is outdated, and they are slowly improving it. We will see if they go in the correct direction. Unfortunately, they usually just follow other vendors.
It is slowly not supported and other vendors are a few years ahead of Cisco in development.
Configuration on Firepower is currently madness as you have to redeploy it again with all its configurations if you use it as a module.
Business use. It has performed well.
Its ability to work with the traffic.
I would like it to be easier to work with and have a better user interface. It is not straightforward. You need to know the Cisco command-line interface.
Stability has been fine.
It is good.
I have not used technical support.
We have always been with Cisco.
Initial setup was fairly complex. Just having to know the command prompt rather than having a better user interface.
We are looking for a possible new solution because of the licensing and VPN.
We evaluated Cisco and Meraki.
Look through what your needs are.
Solid datacenter firewall, but the ASA software is old with no application recognition. If only a Layer 4 FW is needed, this is a good solution.
Do not use it in cluster mode. It is not worth it. These firewalls can do 10G, so just design the rest of the network around this.
Do not do cluster to add more bandwidth.
Nothing fancy about ASA capabilities, it does its job and does it well as long as you only care about filtering ports and protocols.
The needed features are already being done on Firepower, but this software is still in flux.
It is very stable.
Setting it up is not as intuitive as other more modern NGFWs.
Service Provider Operations manipulating thousands of firewall rules deploying Network Access Translations (NAT) for various multiservice networks.
Clustering architecture which offers zero downtime upgrades, keeping uptime close to 99.999%. This creates less stress on operations and network stability throughout the various maintenance tasks.
ASDM needs to be able to customize applets.
REST API stability needs improvement in order for customizing resource allocation available to the user rather than just being there transparently. This way users can customize REST API and tailor it to their needs.
HTTPS inspection and higher throughput/spec would be good. Now, it has been replaced by Firepower, which is a lot faster.
ASA5585-SSP-60 was deployed after a migration from Juniper SRX5600. The solution is used for the protection of the mobile data network. It is protecting 3G/4G Internet customers and the Private APN.
So far, we are not satisfied by the move. The precedent solution is much more adapted to the Telco environment, although Cisco recommended this platform. Cisco ASA also brought our network down several times due to a memory leakage bug, which is still not resolved.
All features provided by the platform are quite the same for all other platforms. We rather missed some features we were used to, such as virtual routers
Yes, a memory leakage issue which literally freezes the nodes (we have an HA environment). The issue is still not solved and the only recommendation from Cisco is to reboot the node.
Yes, the throughput highlighted on the datasheet (10Gbps) should be reviewed. This throughput is only for a UDP running environment, which you will never find in the real world. Rather consider a multiprotocol throughput.
Experience with technical support was mitigated.
Technically, they denied any issues on the node and called the memory leak issue "a cosmetic issue." They were stating that memory disappearance reported by SNMP was an error and will have no impact on the traffic. They have reviewed this since we have recorded several blackouts during the year.
We were using Juniper SRX5600. The switch was more a strategic decision than a technical one.
We have also been using a 5520 for seven years in our datacenter and we are satisfied by this version.
The initial setup was very complex. Migration from Juniper (with wide usage of VR) to Cisco is complex and you should make sure to master all the flows on the node. Also, Juniper is more permissive on asymmetric traffic, which Cisco will deny by default.
Implementation was performed by a Cisco recommended local partner.
We were not satisfied at all (from the pre to post implementation). Their level of expertise was zero.
I do not know.
Nothing to highlight at this level.
We did an evaluation with Check Point.
It is definitely not for Telco.
Starting in version 9.7 you could track a login history for audit purposes and, in 9.8, you are able to do active/backup HA with ASAv (Adaptive Security Virtual Appliance) deployed on MS Azure.
There is always room for improvement in virtually anything. However, the relatively new Firepower Threat Defense image (mix of ASA and Sourcefire network security) fills a lot of gaps and features that were missing on ASA. Moreover, with FMC (Firepower Management Console) you can complement it with even more admin and reporting capabilities for the entire platform.
No stability issues.
No scalability issues.
New version comes with initial setup tutorial, with very nice security policies baseline, set up by default.
Be sure of what features you are going to utilize to add/remove some from new bundles.
Best value will always be delivered by adding FMC (Firepower Management Console); at least their virtual edition.
It helps us to identify key, persistent threats so we can set policies accordingly.
In-depth monitoring and analysis. It helps us to make better decisions and policies.
Initially there were some stability issues, but in the long-run no.
It requires additional licensing to enable 10G ports.
Technical support is very good.
It is complex. We have to set up ASA, SFR module, and FMC separately, which sometimes requires extensive troubleshooting, even for smaller issues.
We evaluated Huawei, briefly.
It is a good datacenter firewall, as they have now overcome integration issues with latest versions.
Malicious URLs are being blocked.
Advanced malware protection, it blocks malicious attacks.
Yes, there were stability issues due to memory issues in the cluster environment and Firepower misbehaved due to a non-responding service/process.
No scalability issues.
We switched from our previous solution because of scalability issues.
It was straightforward, even though we migrated from a third-party to Cisco.
Price should be judged based on the above answers, among the most capable vendors.
We are using ASA5585-X with Firepower SSP-20 (ASA version 9.6(1)3, Firepower version 220.127.116.11).
When looking at different solutions, take a deep look at the features.
Secured our network from outside and inside intruders.
License capacity needs to be extended and the vendor needs to work on the pricing.
No stability issues.
No scalability issues.
10 out of 10.
No, Cisco was part of our solution from the start.
Value for your money, but a bit costly.
Good product, give it a chance.
This is our perimeter router. We used it purposely for NAT and to port forward traffic. Other essential features of a firewall are handled separately by a UTM.
The ASA needs to incorporate the different modules you have to integrate to achieve UTM functions, especially for small businesses.
No stability issues at all, the most stable firewall I’ve ever worked with.
No scalability issues.
We’ve always used ASA from the get go. We added the UTM to complement it.
Pricing is why we had to go for a UTM. For us to achieve what we needed, if we had gone with the ASA, the cost would have been high compared to getting one box (UTM).
Juniper, Check Point, Astaro
Go for it. I really like how, once you get the ASA set up properly, it can run for a whole year without any major issues, apart from the normal daily administration.
We have been using this model for three years, to place a firewall between ISPs and our corporate network. As of now, we have configured some SSL VPNs on our end for our convenience.
Three years ago we encountered malicious attacks from the internet, most of which were Chinese attackers, so we deployed Cisco ASA to strengthen our network. Since the deployment, we haven't seen the risk we encountered before.
Manageability of Cisco ASA. It has a GUI interface, unlike most of Cisco IOS. For beginners they can "sneak in" and apply the command and see the actual commands that the GUI launches. In addition, Cisco has the reputation regarding security.
There are more powerful firewalls, other than the Cisco NGFW, like Fortinet, Palo Alto and so on. I can't say Cisco is the leading firewall brand as of now, as the technology innovates.
No stability issues yet.
No scalability issues yet.
I rate it an eight out of 10.
I am only handling or supporting the ASA 5520 model in our company.
If you compare it with other products, other firewall products in the market, at this moment, it doesn't have that many features, no impressive feature in it, in fact.
The one thing I like about the product is the logging features, the way it logs, the way it forwards the logs in Syslog. It generates the particular Syslog. Compared to other products, that is the only feature, I feel, that is good. I have worked with other firewall products, so I know it very well. The logs are pretty good. Then it forwards. When it forwards the logs to a third-party syslog server, it then writes the Syslog very well. That is the only feature I like about it.
It doesn't have a proper GUI to do troubleshooting, so most people have to rely on the command line.
It's a sort of legacy product nowadays. The firewalls which are the next generation have loads of features added to them, and they are all in one box.
It should have packets, deep level inspections and controls, like the features which other IPS solutions have. It just doesn't have any. It's just a box which does firewalling.
Threat management features also should be added into it.
So, the first thing is that the GUI has to be improved. The second thing is that the UTM features have to be added to it in a much broader way; not by relating to other third-party solutions which is how it is done right now. It should have built-in UTM features like other firewalls have now. Plus it should have the ability to analyze any packets which have malicious behaviors. Currently it doesn't have anything like that. It's just a layer-3 firewall.
Regarding the GUI, it's a very childish sort of attempt. It hasn't been improved since I started working with it. Yes, it shows the logs as they are but it doesn't have any option to do proper reporting.
Stability is really good, actually.
Scalability is not that good, I think. Other firewalls, upgrading is a very easy task; from the graphical user interface, you just need to import the firmware versions into it and install it. In this firewall, you need to have a third-party solution in both. It's a process. It's a procedure, a hard procedure, actually, so there is no straightforward procedure for upgrading.
I have never called the tech support, apart from a hardware issue, but that is done through the vendor, a third-party support team.
I was actually using ASA and I switched to another one.
I actually have lots of experience working on multiple firewalls and technical solutions, so for me I don't have any problem doing things by the command line. But for others, for a person who has two years of experience or one year of experience in general, they will definitely face issues working in the command line. You have to remember all of the commands, to search for the commands. If you're in a graphical user interface, you can go search somewhere and find some options. So I would say in that way it is complex.
If I were to advise others who are looking into implementing this product I would say I don't think they will like it. They would be able to meet business requirements better with other products, other vendors' firewalls. That's what I think, that's what I know from my own experience, from dealing with customers.
If those features, which I mentioned above in the first few questions, if they can add those features into the firewall as a standalone box, it can definitely become a player on the stage. They already have a good platform, even if it's a legacy product, it has that bit of maturity. So if, on top of that very good platform, they can add those features - security, threat intelligence features - they can get back into the market.
Firewall only - no advanced services.
In the early days, before UTM and NGFW, this product was awesome. Cisco tried to add Firepower, but it requires a different management interface and is still too expensive.
Price point is too high for features and throughput available.
Overall, this is a legacy product.
Cisco ASA has better application granularity, a more flexible means of policy creation, and easier to use controls and more powerful reports than its predecessors. We tested the ASA-5525-X in January 2013 and found a much improved user interface and lots of content-aware features.
Cisco ASA was born as a hardware firewall. The use case is security checks on the company's external connections (Internet and VPN access).
Most recent versions include antivirus and intrusion prevention to add security layers (including the above scenarios and the internal network).
Cisco ASA has been the main security device for many years, slowly replaced with Check Point on the main datacentre.
ASA is stable and with a low level of work required on the maintenance side. It is a dedicated firewall, so you do not have to manage additional topics like spam, web sites filtering and so on. The routing part is high level as usual with Cisco products.
You have to know the ASA command line very well because not all operations are available in the graphical interface (or let's say that sometimes it is better to operate with the ASA CLI). If you are searching for an "all in one product" it is not for you.
No, stability is a really strong point with ASA.
No, an assessment about the workload is important to select the right device.
Over many years, the only kind of support we needed directly from Cisco was (really seldom) for parts replacement.
The previous solution was based on software firewalls that were not able to perform as the Cisco ASA.
Setup of a firewall, on a medium / large deployment is always a complex work.
Cisco ASA (more than other vendors' solutions) requires a lot of know-how and real world expertise to be configured properly.
More than one external team (Cisco partners) has been involved over time.
All of them were outstanding in their work.
Positive. The devices serve thousands of users for many years, outliving other vendors' solutions.
Cisco devices are for sure costly and budget could be an important constraint on selecting them as our security solution.
When the choice was made, some comparison was made with other market leaders but integration with the existing Cisco network was a really important positive side in the final decision.
ASA is one of the state-of-the-art firewall devices for security.
It is affordable and not too complicated to use if you are doing standard operations (modifying ACLs, natting and so on) on an existing deployment.
The user interface of the Prime Security Manager is, well, prime and one of the best pieces of software I have seen from them, and the features are on par if not better than what their competitors offer.
Cisco has done a nice job of integrating global IP reputation management into the firewall with its Security Intelligence and Operations module for insights and malware collection.
Prime manager is just for the CX line for now. CX features also add about a 30% overhead on throughput.
I enjoy the interface of Cisco products, especially the CLI version. I think the IPS feature in the product is best compared to products of other vendors. All the IPS features can be accessed from a separate interface, e.g., Cisco IDM.
We are an educational institute, and we are required to block many websites that are not suitable for students and teachers. Most of the sites, like YouTube, use an HTTPS version, thus blocking with IP address was becoming problematic. Moreover, certificate domains for Gmail and YouTube are the same. But the IPS feature in this product helps us to overcome this limitation.
Pricing of this product needs improvement.
I have used this solution for two years.
I did not encounter any issues with stability.
I did not encounter any issues with scalability.
I would give technical support a rating of a nine out of 10.
I worked with Cyberoam and Fortinet UTM at my previous job. When I joined my present company, they were already using the Cisco ASA solution. But my present company may switch to other vendors, especially Fortinet, because of the license renewal price.
As I enjoy working on CLI, I would say that the initial setup was not complex.
License and appliance costs are more expensive as compared to other vendors on the market.
If your company is small or mid-range, it is better to go with other vendors, because of the pricing.
The ASA 55-x range is a solid and reliable firewall. It secures the traffic for normal purposes.
If you ask how a firewall can improve our business: It can’t. It is securing our business IT network.
But if you want to know what the ASA5520 can do to secure our network:
Not much more than any firewall. It is a solid port firewall, nothing more, nothing less.
The Cisco ASDM management tool was helpful.
Firewalls, in general, were not really designed for normal IT personnel, but for firewall and network experts. Therefore, they missed a lot of options and did not provide any good reporting or improvement options.
For example, to update or add a feature, you end up buying new support and licenses. The process is complex and changes so rapidly that you won't find a salesperson who will offer you the right products.
New generation firewalls are cloud managed or provide a good interface. They integrate into the environment. They are application aware and come with security features that are especially designed for the purpose.
There were no stability issues.
You need to buy a new product if you want to scale. I once tried to put in another network card and ended up in a support nightmare. I had to buy more support, licenses, and it was more expensive than buying a new one.
Customer service is non-existent. You need to go through a very complex and annoying approval system before you can get any help. The support then gets asked a question and you get one word answers. It takes you hours to find out what version of an update you need to install, and then another day to find out how to install it.
I would give technical support a rating of zero out of 10. It is clear that Cisco is not for the end-customer, but rather for resellers and providers. They might have better contracts and get more technical support.
I usually have to take what is there. If I had a choice, I would now take something newer.
You can start very easy and set up the network cards, but it also has many traps to find out the right setting for your environment.
For example, you need fixed network settings on your switch to connect with full duplex 100Mb/s. There is no autonegotiation nor other settings. This is the same problem with the WAN connection. You need to know exactly what to configure to match the WAN, or it will not work.
I once had support from a reseller and once from a provider. Both depended on the level of the person you speak with. Most have some knowledge.
Once installed, they last a long time. I would recommend replacing them after some years to get better security features.
If you look for user internet access, many new products can help with filtering and rules or procedures, like Meraki. This replaces the purpose of proxy servers.
If you have to secure web servers from the internet, you need a decent firewall with web features to process the requests and redirect traffic to web servers.
Cisco is no longer the only vendor offering these features. With Microsoft TMG out of the race, others have to push in. But firewalls are also no longer the first frontier of security. Cloud services are in there as well.
I had no choice.
Get someone to help you plan and set up the firewall concept, as well as the initial setup and testing. Waiting for later is not the time to test or change anything without an outage.
Classic ASA features such as NAT, Stateful Firewall, and VPN are basic functions for average organizations, but next generation features such as the granular control of port hopping applications, IPs, and malware protection are mandatory, considering current advanced security threats.
One of the most valuable features is the correlation of events, including the path that a file takes in the network and its integration with the endpoint protection. This gives you the chance to take some actions in the case a breach happens.
Visibility in the network traffic.
Management console – Firesight Management Center.
When deploying Cisco FMC versions 6.0 and 6.1, some issues may appear when trying to register ASA sensors. The problem needs Cisco TAC involvement, adding more effort and time. I guess this will be fixed in version 6.2.
I've used this solution for three to five years.
Some clustering functions are not available in the unified image.
Old ASA 5500. Natural upgrade to next generation functions.
Initial setup is pretty straightforward.
We also work with Palo Alto Networks, Fortinet, FireEye, and some other vendors.
Take a look at the features included in the unified image. Some classic ASA functionality has not been integrated yet, go for non-unified image if the deployment requires something that is not available – classic ASA iOS plus Sourcefire code.
Cisco ASAs are great network firewalls and they can work for years after being configured. The best features are NAT, transport-layer inspections, and VPN.
With ASAs, we can keep operational expenses as low as possible. Disaster risks should be observed as usual, but this is definitely not the weak point.
I would like to see new SW versions being more stable and HW performance increase. However, the new 2000 series has high performance, but it is not shipped widely so far.
I started using Cisco firewalls when old PIX models were produced. I then observed all model changes. This makes about 10 years of continuous experience.
There are no real stability issues, if upgrades are done carefully.
I believe scalability issues are caused by poor design.
Cisco technical support makes a good impression most of the time.
The initial setup should not be left to the customer. The best way to do this is to make a basic setup and integration along with cabling and power-up, then verifying requirements and adjusting the configuration.
Basic features and IPs can work without subscriptions. All next-generation features require per-year payments. Enterprise customers usually agree with price and license fees, so I don't see any painful issues with pricing and licensing.
I compared Cisco with Fortinet, Checkpoint, and DIY solutions.
All you need to succeed is careful design, professional setup, and a support contract.
VPN (site to site VPN and remote access ), NAT policies, modular policy framework, detailed troubleshooting methods.
The throughput and reliability of the product improve the network stability of our organization.
Area: URL filtering and content filtering.
When Cisco ASA is presented as an enterprise firewall, it should be capable of doing IPS/IDS, firewalling, VPN concentrator, application filtering, URL filtering and content filtering.
Of course, the last three technologies can be done by a proxy. But nowadays, all next generation firewalls like Fortinet, Check Point, and Palo Alto are each bundling the UTM features into a single box with multiple separate content processors (hardware) to do these jobs.
This would enable a single pane of glass for management. No need to look at different devices for change management and troubleshooting.
I would say Cisco ASA is the best except for its URL and content filtering module. And these modules in ASA are not straightforward, rather complex in managing the device.
I've been using this solution since 2007.
All product-based firewalls will encounter scalability issues. The firewall sizing is important during the sizing.
I used to work with most of the hardware firewalls, Cisco ASA is reliable and few technologies are good enough to compete for the market (VPN, Modular policy framework, NAT, etc.).
Straightforward -- console or via the interface.
Expensive when compared to other products.
If you are looking into implementing VPN or advanced features, I recommend using this product. URL or content filtering is not as good as the NGFWs are.
I have 15 years’ experience with Cisco products and I've had very, very few problems with them. Also, for resolving issues that appeared, Cisco was a good partner.
Crescendo (www.crescendo.ro) is an IT&C integrator and this product (based on Cisco Partnership) helped us to grow our business, and Cisco ASA was one of the most sold products in our solutions portfolio.
Stability, high availability of services, and very high MTBU were the most valuable features for me -- because in my work as network and security consultant, it is very important to guarantee to my customer the security of his business.
The ability to integrate (as options) all-in-one features -- like anti-spam, anti-virus, etc.
With Cisco ASA firewall, no.
No. Based on their recent acquisition of Firepower, Cisco added "multi 10Gbps" NGFW performance in their solutions portfolio, which can be used by us, as a Gold Partner with Advance Security Architecture Specialization, in our network architecture proposals.
I haven't used another solution.
Initial setup was very straightforward because the training and certification provided by the vendor helped us to solve rapidly any configuration issues.
To discuss with Cisco Systems or their partners to gain the optimal price and to not consider, without verifying, the false information that Cisco ASA is very expensive.
To test the product in their network and to evaluate other products. I am sure that the Cisco ASA Firewall will be the winner.
Our complete relationship is based on the following partner competencies:
• Gold Certified Partner
• Advanced Collaboration Architecture Specialization
• Advanced Data Center Architecture Specialization
• Advanced Enterprise Networks Architecture Specialization
• Advanced Security Architecture Specialization
• Storage: EMC
• Virtualization: VMware
• Cloud Management: VMware
• Cloud Professional Services
• SaaS Simple Resale
• Registered Partner
• Cisco Certified Refurbished Equipment
• Cisco Developer Network Cisco Products Marketplace
• Cisco Meeting Server formerly Acano
• PSPP Defense
• Smart Care Registered Partner
• ATP - Unified Contact Center Enterprise
• More than 10 years
The context aware module gave us good visibility and control over the ingress and egress communications. Allowing us to filter unnecessary communications like streaming video, allowing us to control bandwidth utilization.
IPSec Tunnel and AnyConnect (of course), the context awareness was a good feature, but clumsy at the beginning. I think it's better now.
Also, the IP access list counter is a good feature while troubleshooting.
ASDM can be improved.
Also, a rollback option to a previous config in time will be a great option. Logging can be improved to a vast extent, I think Palo Alto has a pretty good logging structure.
Yep, more than once, but only on one box out of the three we purchased. Suppose we got a lemon, because once replaced, everything was fine.
We never had an infrastructure that required scalability.
An eight out of 10. TAC was very good but some engineers were quite slow and I ended up figuring out the issue myself.
Quite straightforward for the most part, since I had TAC on call while setting it up.
Everything with Cisco is expensive. My advice is that there are a lot better options out in the market now.
Palo Alto is pretty decent for example, but support is the best with Cisco, hands down. All other TACs do not come close, except Arista, but they do not make firewalls.
None. My old company was a complete Cisco shop.
Do look at Palo Alto for comparison, SonicWall is also on the market. But before anything, you need to know your infrastructure really well.
For example, we brought a PAN firewall for east-west traffic control so we could implement a zero trust network. But our business traffic is a bidding traffic which has extremely small packet size and huge connection size per seconds happening, which sent the PAN firewall into a tailspin. Since we bought the device without a POC, we had to eat the cost. So make sure to do a PoC with all the vendor equipment before you purchase it.
The AnyConnect remote access VPN gives us an easy way to deploy remote working for our users.
It all depends on the deployment scenario, as I have used ASA for specific purposes. In general, the stateful firewall feature, site to site VPN, and AnyConnect remote access VPN are always useful.
It's not perfect, and does have room for improvement with certain features.
The SSL VPN is, and always has been, painful to configure and the Java plugin does not guarantee a uniform deployment.
Certain documentation on the newer models of ASA (specifically, ASA 5500-X with FirePower services) is a little out of date and in some cases incorrect, although this may have been corrected since my last deployment.
I've never seen a firewall that didn't need an RMA at some point! And that is true of the ASA, however, the failure rate (in my experience) has always been very low with ASAs (and Cisco equipment in general).
With Cisco TAC, you can always get an answer to technical issues, and with the thriving Cisco support forum, you can always get answers to questions even if you don't have TAC.
Not in my current organization.
I would say it's only complex if you're not familiar with either the CLI or ASDM.
So for me, it was easy, for those without Cisco CLI (or ASDM) experience, deployment can be a little daunting.
That being said, there are plenty of configuration documents available on the Cisco website that will "hold your hand" through any deployment.
Hardware and licensing can be expensive, and licensing can be a complicated affair. I would strongly recommend you speak with your distributor to ensure you choose the right license for your needs, and read the hardware comparison guide to make sure you spec the correct hardware for your specific needs.
It's great buying the latest and greatest equipment, but not so great if your engineers don't know how to operate it!
From experience, hardware purchasing is normally dependent on the technical expertise of engineers, so if all your engineers are Cisco trained, it makes no sense to buy another vendor firewall.
Spec the right hardware model and choose the right license for your needs.
There are a lot of features which are good and can be implemented, especially in the latest IOS version of the product.
They saved me a lot of time thinking how to solve different scenarios with other solutions.
Cisco AnyConnect for remote access is one of them. It is supported on most of the platforms, which business users use. They can gain access to the network, via functions like PBR, Security groups, contexts, and DNS doctoring. This gives a lot of flexibility to the product.
It gave us a more secure environment and a lot of flexibility to the business.
The next-generation part of these products needs a better approach. A lot of vendors are definitely a step or two in front of them.
I have worked with these types of firewalls for more than 10 years.
I can say that this product is one of the most stable products I have ever worked with.
In terms of scalability, this always depends on how the product was chosen and what purpose it will work for. I haven't experienced any issues with the scalability of the product.
In terms of technical support, it depends on the different cases. I would surely give Cisco technical support a rating of 9/10.
I used to work with open source solutions, but the support and complication behind them was definitely not OK. If you want to have flexibility and stability, you have to move on to something that receives more development in that specific area.
The initial setup was straightforward and there was a lot of documentation that can help out with specific cases.
This is definitely not a cheap solution, but I think it is worth the investment.
We evaluated other solutions like Juniper, but we chose Cisco, since our network was becoming more and more Cisco oriented.
I would recommend that you understand the needs of the business case before choosing the product and start implementing it. It is very important to choose the right licenses from the beginning.
Cisco next-generation firewalls are mainly used either for data center protection - north-south traffic - or internet traffic.
The application and user-visibility and control, along with very powerful IPS and malware protection, enables our clients to secure their data centers and internet perimeter in a much better way. It provides them with traffic visibility and reporting as well.
The main advantage is when you put it between users and servers internally or between different VLANs in the network. You have full visibility over the traffic, over all the internal applications. Usually, there's a lot of traffic that is not very clear and no one knows what is on their network. So, once you deploy it internally, you have full visibility over the internal traffic, who's accessing what, which protocol. It can directly detect all kinds of malicious traffic, traffic that abuses bandwidth.
It makes different kinds of internal behavior that is useful to a network admin. And for security of course: Any kind of file infection, any kind of internal scanning, internal attacks; it gives you full visibility.
Finally, you have communication of VLANs, internally, in the network, of course. So you have a granular access control based on user and application, instead of IP and port as you would have with a traditional firewall.
During the first phase of use, it was an extra module on standard Cisco ASA firewalls. It then became a standalone solution known as FTD, Firepower Threat Defense.
The Firepower IPS, based on Snort technology, has an amazing detection engine and historical analysis capability of files that eases threat investigations a lot.
I value the integration with other products (Cisco ISE, Cisco Endpoint AMP) which increases the protection intelligence within the enterprise by sharing security info between different products, which function on different layers. It furnishes fully connected security.
It also provides detection of the client operating system, which gives very good reporting and correlation with the signatures. It can relay the signature IP to the client operating system, to give a better correlation decision.
Some ASA known features are still missing, but are being added bit by bit in each new version release, such as:
I would like to see more integration with third-party devices in general. There is great integration with Cisco devices, but there's not much integration with third-party devices.
We did not encounter any issues with stability. Cisco Firepower FW is very stable in all of the deployments we have made.
The scalability is very good. They have a clustering mechanism, so you can start with an appliance and then cluster, adding more bandwidth and nodes into your cluster. If you don't have a big budget you can start with a medium appliance and then cluster appliances. Or if you want to buy it all in one shot, there is a big range.
Although it allows scaling by adding multiple firewalls together (clustering), we have never used that, as all new hardware supports high-performance throughput and connections at a reasonable price.
Technical support is perfect. Cisco is always known for its good technical support. We have never had any issues with them.
As a Cisco Gold Partner, we always proposed Cisco firewalls for our clients.
The setup was straightforward. A new Cisco FTD can be set up and running in a couple of hours. If you're used to firewalls you can quickly get along with it. There is nothing complicated.
The time to deploy is short. But the time to tune and create the policies involves a learning phase. Traffic changes over time, so tuning the firewall rules to be as granular as possible takes a bit of time. But deploying and going live is fast.
The strategy is to start with high-level security policies and then monitor the traffic and the applications affected. Then on the detection logs, create more granular rules.
It has a great performance-to-price value, compared to competitive solutions. Subscriptions are annual. The licensing fee and standard support are the only costs we pay for.
We did not evaluate any alternative solutions.
Make sure you tune your rules very well, as some clients just leave the firewall as it is and don't maintain the access rules or tighten them to be more granular and efficient.
In terms of maintenance, you need one person for security analysis and one to create rules and for daily support.
The security features are valuable because it is easy to use and it has an important role as a firewall.
It has improved our access control.
It would be useful to gather all security features in one box. For example, certain features like URL filtering and application control licenses need to be purchased separately and it depends on the hardware spec, as not all models are supporting these two features. This causes the user to be highly dependent on the pre-sales person.
We have been using the solution for six years.
We did not encounter any issues with stability.
We had a scalability issue, as each feature is based on license or hardware support.
I would rate the technical support at 8/10.
We did not use a previous solution.
The setup was straightforward with two layers of firewall.
It is too pricey if you want to activate more features in a box, which necessitates you to purchase a license.
Know what features are needed, and then purchase the necessary hardware and license.
The simple access rule, Internet NAT and routing are valuable features. It is very simple and the most reliable perimeter firewall.
We were using Cisco Security Manager (CSM) to control and configure all of our Cisco products. ASA worked very well on the CSM.
The next-generation firewall could improve. Still, they have NGFW 5525 but I haven’t tried it yet.
We have been using this solution for seven years.
We have never faced any stability issues.
Sometimes we faced throughput and CPU counter issues, maybe because we started to use it a long time ago.
Technical support is great. They are very responsible, know the bugs and workarounds.
We have used it from the beginning.
The initial setup is not simple and straightforward, because it is Cisco and you need to configure it by CLI.
Obviously, Cisco products are not cheap.
If you are looking for a stable run and it is easy to find someone to configure the service, then better go for Cisco; their support is very professional.
The solution's reliability, performance, and security are most valuable.
The price and compatibility with other vendors' products can be improved.
I have used this solution for three years.
I have not encountered any issue with stability.
I have not encountered any issues with scalability.
I would give technical support a rating of 9/10.
I used Juniper Networks and I switched due to the lack of technical and sales support in Romania.
The initial setup was complex because of its outdoor position. We had to solve this problem with outdoor protection.
Negotiate the quote.
Before choosing, I evaluated Juniper Networks SRX.
Be careful with temperature control in the rack area, since Cisco ASA 5585-X with SSP-10 heats up a lot.
These are very important in an enterprise environment.
It is small. Nobody knows where it is or what it is. It works silently. As there are no issues, it is good for businesses and organizations.
I have used Cisco ASA for five years.
We have not had stability issues.
I would give them a high rating.
We were using TippingPoint as an IPS and ZyXEL ZyWALL as a VPN server.
Cisco has good documentation and it is easy for Cisco certified engineers.
The initial setup was straightforward.
Our experience last year showed us that there is no full security, so why should we pay more? Any security vendor with a user-friendly interface, with good support, on-time updates for known vulnerabilities, and reliable hardware, is acceptable for an organization.
We did not evaluate any alternatives.
The Cisco ASA product line will be replaced by Cisco FTD. Cisco FTD software is not ready for production, due to a lack of many basic NGFW features. Maybe only the high-performance Firepower 41xx/21xx/90xx Series is good as an IPS, because it is using a stable Sourcefire engine.
The feature sets are great when there are no software bugs. With FirePOWER, you can enhance security, have effective management, and a good reporting engine.
It provides detection of zero day infections through FirePOWER AMP.
Well tested software releases. We have had a number of bugs on the FirePOWER software across several clients which have been very inconsistent and have affected our ability to deliver.
I have used the ASA portion for over eight years and the FirePOWER portion for about three years.
We did have stability issues with the FirePOWER software.
We did not have scalability issues with the high end devices.
I give technical support a rating of 5/10.
We are part of the integrator space. When we changed products, it was to displace a product that no longer met the client’s requirements.
The setup was reasonably straightforward.
Get a clear understanding of what the licensing entails before committing.
We checked out Check Point and FortiGate.
Plan very well in order to have a seamless project implementation and transition.
Cisco doesn't have many features but only basic firewalls.
No improvement. My clients have been using this product and moving to other products.
This product should have moved towards making UTMs.
Technical support and documentation is great.
No, I worked with this product by working for a client.
It is easy to set up and implement.
Never worked on pricing and licensing.
I would always prefer to evaluate other products when I have been asked for advice on firewall solutions.
Evaluate other products before using this product.
Firewall, VPN and Single Sign On.
Remote Access and SSO Authentication.
Watchguard Firewall. Switched due to license cost.
A bit complex compared to Watchguard Firewall.
Pricing is competitive but licensing cost is on the higher side for non-profit organizations.
If so, which ones? Yes, Checkpoint, Juniper, Cyberoam.
Cisco is good. Look at your requirements and create a matrix to figure out the best option.
Connectivity with client Telcos works perfectly and administration is simple.
I think it's the perfect Firewall for SME.
10 out of 10.
Version 5515 is better than 5510 or 5505.
If you know how to use Cisco IOS, it's easy. Otherwise, you will find no way of configuring it with ease.
Go for the complete bundle, it's a one time investment only. Otherwise, in the future you will have to buy other tools as licenses for some add-on services.
I would go for bundle licenses and hire a Cisco engineer for implementation.
We could connect data securely from outside the company.
I need application user-IP blocking, Intrusion Prevention, QoS; I can't do these with Cisco and have to change it.
I have never needed support from Cisco.
I couldn’t meet all my needs with the Cisco 5505 so I changed it with a next-generation firewall.
Actually it was simple, making port based policies more simple than PA.
Cisco price-performance is very successful.
I evaluated Sophos UTM, Checkpoint, Cisco and PA. PA is the best fit for my company because Sophos acquired Cyberoam and their software wasn’t successful for domain user restrictions. Checkpoint was very slow for me and too many licences and it was complicated. Cisco acquired Sourcefire and they need to improve next-gen features. So I chose PA.
I know that Cisco acquired Sourcefire and they re-introduced next-generation firewall features and I think they’ll improve NX features.
Security, Routing and NAT.
Gives flexibility and several deployment options.
Some default inspection rules need better tuning. Focus development on CLI version.
Yes, before Clustering was introduced.
Nine out of 10.
Yes. We changed for no special reason, just to mix things up.
Yes, but you need to read and understand how the device functions before deployment.
Like with all vendors, know what options you require and request the proper license accordingly. Prices are on the same level as competitors.
Not really, as all firewalls do most of what enterprises look for. What matters most is the after sales support.
Read, read, read and understand your requirements beforehand.
I love its CLI mode of working, it gives plenty of information with a single line of command.
This feature allows its administrator to perform advanced level tasks with much ease.
These products provide much stability which, in return, any organization demands to run its functions properly and smoothly.
This product lacks in GUI format; that needs to be more mature and composed.
10 years +
Rarely, due to software issues.
As of now, no.
Excellent but if non-Indian engineer is assigned.
We have almost 99% Cisco based infrastructure.
Usually yes. We did like Huawei and Juniper.
Cisco has done a great job in introducing new features in their security product by acquiring specialized companies in the past. However, they still need to improve their unique feature products as they are in a challenger position, but not on top, at various product review portals.
It helped us and our customers implement more granular and flexible connections to and from our/their environments, building a trust relation between all of us, having the confidence that our exchanged information is occurring in a highly secure manner.
The most valuable features of this product are the comprehensive VPN solutions it offers and its tools for troubleshooting and debugging. You can provide a complex and flexible way to securely access private environments. And its troubleshooting and debugging tools allow you to identify, in the fastest time possible, where some potential issues could have occurred.
It should have an additional “operating mode”, like a “candidate configuration mode”, where you would have the possibility to test the changes you are going to implement and also the possibility to validate these changes.
In addition, a "testing" feature should be performed to let you know what would be the consequences of applying these new changes. Only after you would see the tests’ results (if they do not create any unwanted effect) would you go and commit them.
There were some issues with stability prior to code version 9.2.x, more related to Clientless SSL and Client RA VPN solutions. Some bugs affected the integrity of these types of features.
There were no problems in terms of scaling an existing solution, though very expensive.
I would give a rating of eight out of 10, compared to other vendors. The technical support is much better than most vendors, but let's say not as good as F5 Networks technical support.
I've only worked for integrator or ISP organizations. Over the years I’ve worked with multiple solutions offered by different vendors due to my customers’ budgets or preferences. What makes it the best of all the solutions I’ve worked on is the stability and its hardware.
The initial setup configurations differ from customer to customer, from very simple to highly complex solutions. Depends on the customer’s needs.
I have to admit that the price is high. But I think it's worth it if the stability of your solution counts for you.
Choose it if you aim to have a stable environment.
The front page of device manager is the most valuable feature because it makes it easy to know the system status.
It’s hard to say because our equipment was EoS.
I have used Cisco ASA for three years.
We suffered an attack and the firewall was down repeatedly.
We have to buy more licenses to get more VPN connections.
I rate support 7/10.
We didn’t have a previous solution. I actually searched after another solution.
Setup was complex because we had not taken a course previously.
Sincerely, I prefer other products with no limit on licensing of VPNs, for example.
You have to find more confidentiality, integrity and availability.
Centralized policy creation for URL, application, IPS, etc. It simplifies matters more than previously.
It provides centralized management. I would also add that URL, Malware and IPS built-in has been a great help as well. Where we used to need several products for all these features, we now only need the ASAs with the additional licensing. So now, it is more a matter of license management over hardware and licensing management.
More centralization and simplification of product lines would help most engineers, but I think licensing is the key here. Most organizations won’t pay the money to have ELA licensing, so all the individual licenses for these products can be overwhelming. Plus, they never really synch for expiration time.
This is mainly due to reliance on other Cisco products and licensing. For example, Palo Alto includes several features in one whereas Cisco requires multiples. However, I still think Cisco offers great products but to get a "10" they might consolidate devices or simplify licensing.
I have used this for two years, but the company has used Cisco solutions for many years.
We did somewhat have stability problems. Upgrading the ASA, ASDM, and SFR can be a pain if you have as many firewalls as we do (21). Once you can get them to fall under FPMC management it can be a little easier, but it is a battle to get to that point.
There have been no scalability issues from my point of view. I was handed the solution, so some of the initial work was done.
I rate support 10/10. TAC has always done a great job with answering my questions and providing remote support when needed.
Previously, I used ASAs without FirePower; I am unsure what my company used prior to that.
For me, setup was half-and-half. In one update run I missed the step that discusses how the ASA and ASDM need to be on a specific patch prior to upgrading the SFR. FPMC attempted to push the new update to the devices regardless of this mismatch, which caused FPMC to lose communication. I had to downgrade the SFR all the way back to v5.4.1 before I could install the latest version. You also have to step through several updates before you are done, so that can be tedious as well.
Read everything and track all your licenses. Research all options and maybe pick a few to PoC. It doesn’t hurt to trial others. Maybe they are a better fit for your environment.
We are moving forward with ELA 5.0 for all Cisco security devices. Prior to that decision, we did a PoC with Palo Alto 3020 and 220 firewalls and Panorama. Those are some great products, but we are so Cisco centric that the cost of ELA isn’t much more than we are spending now.
Do research. FPMC is great for us but it requires a lot of time and attention.
Its security features are the most valuable aspect. It has the ability to detect and prevent intrusions.
The product has helped organizations secure their infrastructure and data. Most organizations are happy to adopt the technology.
The equipment is too expensive compared with other firewall products.
I have used ASA for about three months. I just bought and configured it for a client.
Since I installed and configured it, the client has never called with complaints.
I have not had scalability issues at all. Maybe it is because I have not used it quite extensively.
I haven't had a chance to interact with the support team.
The previous product was limited in throughput and security.
The initial setup was quite complex.
As much as there is value for money, there is a need to make it affordable.
I tried Sophos.
It is a very good device to use for those who value their network security.
Class-based policing is the most important part of the ASA, and was its differentiator.
It gave us more organized DMZs and logical segments.
I’m not a fan of the new modular licensing model. Cisco moved from a base license to an a la carte SaaS model a couple of years back, wherein the customer is required to pay for feature sets on a case-by-case basis. This makes it difficult for people who want to study and trial new technologies and features.
I’ve been using ASA technology since it was PIX, so since 1999.
We have not had stability issues.
We have not had scalability issues.
Support with Cisco TAC, or with VARs like WWT and Trace3 is usually pretty good.
I have used both ASA and PAN. Different strokes for different folks.
Initial setup is straightforward. You can get as granular and complex as you want, but out of the box, ASAs provide a secure FW solution.
We evaluate all other options.
ASAs are a solid solution. Cisco provides more training and learning materials than any other vendor, which is critical if an organization wants to take true ownership of a technological solution. Documentation and use cases alone tend to make me a fan of Cisco's way of engineering, and they have come a long way over the last few years when it comes to integrating their solutions into comprehensive security communications platforms using tools like PRIME and ISE. FirePOWER and AMP make Cisco an even better overall contender for top FW status.
It is good for firewalls, management with the adaptive security device manager (ASDM), and tools such as packet tracers for troubleshooting.
It’s a really good firewall which is easy to manage, but it is not a Next Gen firewall.
Firewall functionality is the main issue when buying this product. We use it to segment our DMZs, it is stateful firewalling, is highly reliable with zero outages, and impeccable failovers during upgrades.
The ASDM is the management tool to administer the ASAs via the GUI. It has an easy to use interface with very nice troubleshooting tools, such as Packet Tracer. This tool lets you simulate a traffic flow so you can see why flows don’t work.
It is a very reliable border firewall which makes it easy for us to organize and secure our DMZs.
We have been using the solution for almost five years.
We didn't encounter any issues with stability.
Scalability is limited depending on the chosen model.
I would give technical support a rating of 9/10. Cisco is one of the best, if not the best, in support.
We chose FortiGate from Fortinet as our Next Gen Firewall solution because of the higher value for our money.
The setup was easy with lots of documentation and configuration examples provided.
You have to negotiate well.
We did not evaluate any alternative options for stateful firewalling.
You will want to have Next Generation functionality, so choose FortiGate or Cisco Firepower.
It is very robust, trustworthy and highly customizable.
Solutions using NAT, VPNs, internet and MPLS, are more customizable than other solutions.
It could have more functions for load balance on the internet.
We have been using the solution for two years.
We never had any stability issues. It is the most stable platform that I have used, and I have used several including Fortinet, Sophos, Hillstone, Cisco and D-Link.
We did not encounter any issues with scalability.
I would rate the technical support at 10/10. It is the best.
I implement solutions on several clients, Redneet is a technology integration company and I prefer Cisco ASA for my security solutions.
The setup is a little more complex than other solutions.
It is a bit more expensive than other solutions, but offers more customization and security than other solutions.
We evaluated Fortinet, Sophos, Palo Alto.
Use the best practice guides and online documentation. Cisco has more information online free than any other brand, so use it!!!
The Advanced Malware Protection and Security Group Tag (SGT) are valuable features. You are able to integrate all the networks by using SGT with the pxGrid service. This is built-in technology in Cisco devices and services.
You can extend your visibility in network infrastructure for monitoring. You can absolutely give your users a better experience. When you use .1X for user authentication:
After Firepower V6.1, Cisco added bandwidth shaping on the FTD product. This feature is a little bit weak. You cannot have customized shaping in different projects.
I have used this product, as well as Cisco Firepower Threat Defense, for about two years.
I have heard about some bugs, but I have never encountered any.
This product is very scalable in our experience.
It is easy to initialize. For advanced configurations, it is sometimes complicated.
The base license is delivered with the device. This license includes IPS and user authentication. You should buy a license for an IPS update. You should also buy another license for AMP and URL filtering.
These are the important licenses: BASE, IPS, AMP, and URL filtering. Apart from the base license, the other licenses are subscription based for one, three, or five years.
I evaluated many products, such as CheckPoint, Palo Alto, Fortinet Firewall, Sophos, and Cyberoam Firewall.
This product is very usable when you need integrity in your network. This product is very functional when you use a Cisco Identity Services engine.
It's a standard rule based firewall for us. The AnyConnect VPN has solved a lot of remote access problems. High availability is good. It will fall back to the other ASA without any disruptions.
It has secured our DMZ.
I would like to see the following made easier:
Sometimes we suffer from older versions, such as objects, object groups, and aliases (name).
We have been using the solution for nine years.
We did not encounter any stability issues.
We did not encounter any scalability issues.
The technical support is good.
We used Cisco PIX.
I can't really remember the setup. It was too long ago.
We bought the solution, so there were no real recurring costs at that time.
We didn't evaluate any alternative products.
Cisco ASA is a stateful firewall which means they are the fastest and more secure, because they maintain state tables. Cisco ASA is very efficient not only in Firewalling but in VPNs, IPS and content filtering. It also has the option of failover and redundancy.
It allows us to filter incoming traffic to our network and provide a secure access to office network from outside through remote access VPN. We also connected our branch office through IPSEC site-to-site VPN tunnel which is very secure and reliable.
Some improvements required on GUI interface called ASDM. It should include health check parameters like temperature, memory used.
I have been using it for more than five years.
No issues, very easy to deploy.
Migration to new version is very easy, therefore no issue.
Cisco ASA firewall is most reliable to protect the network, therefore I switched.
Yes, straightforward and simple.
I am also a vendor.
Price is a bit high compared to other vendors, but Cisco ASA has a reputation and is the most reliable product. Always go with a minimum of the Security Plus license.
Yes, Fortinet and Palo Alto.
Provides advanced malware capabilities.
Simplified the complexity of our security architecture.
Integration of advanced malware services with the firewall through Firepower services.
We have been using this solution for six months.
There were no issues with deployment.
There were no issues with stability.
There were no issues with scalability.
I would give customer service a rating of 10/10.
Technical Support:
I would give technical support a rating of 10/10.
We were looking to upgrade to a comprehensive firewall solution that integrated Next Generation Prevention System (NGIPS).
There were no issues with setup.
We implemented in-house.
We calculated for the entire year, but the ROI seemed very decent from the first six months.
Licensing: Buy the advanced Malware Protection license subscription for one year. It is worth the investment.
We evaluated Juniper, Fortinet, and Huawei.
It makes it very easy to have delineated roles and responsibilities between network engineering and network security.
I find the overall capability of the higher end firewall products to handle most network tasks without any issues. In addition, it is easy to train lower level help desk personnel on the GUI management.
People tend to think of firewalls as firewalls and routers as routers. Going by the book, I had to create a number of static routes in the firewall so it could reach the various subnets in my client's internal network. I decided to turn on OSPF routing to simplify my deployment. This resolved a lot of issues with remote VPN and site-to-site VPN tunnels.
In my experience, a number of engineers get tunnel vision with devices. This is exacerbated by vendors fostering a silo mentality in disciplines.
I cannot name the organization, but a large national non-profit in the medical field had too many network configuration problems because of the silo mentality.
Large Cisco ASA units have the capability to act as routers. This particular non-profit would not enable routing on the ASA until I explained that it would resolve a number of issues that they were experiencing and resolving by static routes, a second Cisco ASA, and a proxy server.
Stability issues did not occur in my experience, as long as we stayed with the correct image builds.
There were no scalability issues.
Generally, we do not need customer support, so it is hard to rate.
Generally we do not need technical support, so it is hard to rate.
The initial setup at many clients' sites was straightforward. Very complicated networks take a lot of planning.
We implemented the solution in-house.
We cannot determine ROI just yet.
Always plan ahead for three years. In other words, do not buy a firewall on what your needs are today, but try to predict where you will be three years from now in terms of bandwidth, security requirements, and changes in organizational design. This applies to any vendor, not just this product. I find that I always need to buy a higher level product than the specifications request in order to be safe.
In locations where I have used Cisco ASA firewalls, I have compared FortiGate and SonicWall.
I utilize different brands of firewalls depending on the needs of a client, i.e., in-house IT versus outsourced. I am vendor agnostic as much as possible.
Outstanding NGFW capabilities, Site to site VPNs and High Availability. Also the integration of FirePOWER services (Web Filtering/IPS/Malware Protection) are a huge step forwards for an already great platform.
We purchased a pair of ASAs to handle all perimeter traffic in and out of our network. These devices enabled us to secure all our perimeter traffic, WAN connections, Internet connectivity and Internet facing services. FirePOWER services enabled better control and visibility over the traffic traversing our perimeter. High Availability helped us greatly improve the availability of the services by reducing downtime caused by both Incidents and planned maintenance operations.
Only problem in my opinion is ease of use. You really need to know your way around the CLI and complex feature set to get things working. The ASDM GUI is good for some things but for the most part you'll need to stick to the CLI which is a bit difficult especially if you don't have a lot of experience around Cisco equipment.
We've operated these firewalls for around 2 years now.
ASAs are as complex as they are powerful. Configuration and administration are not as straightforward as other solutions and will take some time and studying to get used to them.
In my experience with various Firewall solutions, the stability and reliability of Cisco ASAs is unparalleled.
Cisco offers great customer service.
Technical Support:
The best I have worked with.
We used to have a SonicWall and an older ASA 5510 platform. Both were replaced by a Cisco ASA cluster using a pair of 5525x.
ASAs are expensive. The initial cost is high compared to other similar solutions, and chances are the personnel that will operate them will require some training. But if you're aiming for stability and reliability, this is the best solution you will find.
We evaluated Fortinet and SonicWall, both great UTM vendors. Although those platforms are cheaper, we decided to go with Cisco because stability and reliability were major concerns for us, also the support is much better in my experience.
I especially value Change Management and Compliance. They are most valuable because we are required to comply with regulations regarding credit card processing (PCI) and protecting patient data (HIPAA).
This product has made visible some areas that were previously hidden.
There are many areas for improvement despite the fact that we love the product, but because it is a newer version we’ve been working out lots of issues. Some of those issues are based on our environment.
I have used the product for 1.5 years with nearly a year for this version.
We did not have any problem with the previous (v7) version but when we upgraded to (v8) the new version, we were well aware that there would be some bugs and issues that would require resolution.
We have had no scalability issues.
Tech Support is awesome. I never get someone who has no clue what they are doing. These guys are well trained and know their stuff.
We did not use a previous solution. FireMon was implemented as part of a security mandate and we chose this product over its competitors.
Setup was pretty simple, because we implemented the single server model.
We purchased licenses for our High Availability (HA) devices as well but they were not really needed.
I was not the researcher and decision maker. I inherited the tool.
To make sure they have the cooperation of the networking team that supports the firewalls. It has been difficult for us to get the tool working to its full potential because our network team is resistant to some of the things we want to monitor.
Cisco ASA has a well-written command-line interface. Cisco’s AnyConnect SSL VPN is by far the best client VPN technology I’ve ever had to deploy and manage. Upgrades are a breeze. Failovers between units are flawless. FirePower add-ons deepen security with intrusion prevention (IPS), anti-malware protection (AMP), and URL filtering. These particular services can run as a hardware or software module within the ASA. Unlike ASA with CSM, these modules are managed by FireSight, a single pane for all of your FirePower nodes. It’s intuitive and easy to use, but still lacks some automation capabilities (e.g., bulk edits, etc.).
Cisco is a huge name in the networking world. Having a solution that includes their firewall technology adds value from an operability and support perspective. Cisco, although sometimes considered to be "behind the times" with firewall technology, continues to prove it has momentum in the industry through acquisitions such as Sourcefire and OpenDNS, with rapid integration into their systems. Additionally, ASA is synergistic with other security offerings from Cisco, such as ISE, remote tele-office workers, etc.
When running multiple firewalls in your network, you need someone to manage them from a central point. Cisco’s answer is Cisco Security Manager (CSM). Unfortunately, this is a suite of applications that is in much need of an overhaul. It is riddled with bugs and lacks the intuitive experience found in competing vendor offerings. The counter-intuitive interface makes configuration management cumbersome and prone to mistakes. There are software defects within certain modules of the application, resulting in a frustrating experience. Reporting is almost useless. The best part about it is the logging component, but it still is lacking, compared to what you get from other competing vendors.
Aside from management, I think Cisco needs to become more application-focused, something that a few of their competitors shine in.
I've deployed and managed Cisco ASA's for over a decade. I've used the X-series models for about three years now.
I have not encountered any stability issues; this is a solid firewall platform. Stability is where it shines.
The newer clustering capabilities have introduced some solid scalability design options. From a cost perspective, scalability is quite intimidating.
Cisco's TAC engineers are competent, responsive and typically resolve issues in a timely fashion. Do not use them for "best practice"; this is what channel partners are for.
I previously used Check Point. Check Point relied on a thick, Windows-based client and, at the time, did not support transparent contexts. However, Check Point has a solid management platform, which is something Cisco should take some pointers from.
Initial setup is complex for a new user, straightforward for a seasoned user. Tons of documentation is available, but you can easily get lost for days if you've never touched one. Cisco offers ASDM, a GUI wizard that can help set up the firewalls. This is nice for newer folks.
Work very closely with your channel partners to verify you have all the licensing you need (VPN, Firepower, etc.). Pricing is always a challenge. Buy closer to Cisco's EOY and you might save a few bucks.
Before choosing this product, I also evaluated Palo Alto. I really liked their firewall platform, their Panorama management platform, and wildfire technology. Their SSL VPN was seriously lacking. This is a decent option to consider as well.
Read the Cisco Validated Designs (CVDs) regarding ASAs. Find some decent blogs, discuss topologies and scenarios with a seasoned engineer, and get your final design validated by Cisco. Your Cisco SE should be able to assist with this. If you need assistance implementing, work with your channel partner.
No idea -- I learn a lot from them
From 2000 until 2014
Learning at the beginning
Nope -- If well planned you should be alright
Not reliable for long term -- seem inferior quality
Depends on the product and the knowledge. Cisco firewalls can be difficult at first but once learned it's fine.
Me, I implemented the firewalls, Cisco switches and routers.
100% in some installations it exceeded the time predicted to keep up with the work load.
Netscreen, Netgear, Checkpoint, others..
Plan well the hardware requirements for future growth and heavy usage.
Firewalling is the most valuable feature. We wanted a back-end/internal firewall solution, and the Cisco ASA 5525 was great.
It has taken the pressure off of the IS engineer.
We've used it for two years.
There was an issue, but it was rectified promptly after troubleshooting the device's configuration.
There were no issues with the scalability.
We've not had any issues scaling yet.
I think it is great but did not use them for this deployment.
Technical Support:
I've not had to use them yet for this deployment.
There was no other solution in place.
It was straightforward.
I did the implementation with my colleagues.
It's not really quantified, but we have not experienced downtime due to attacks.
There were no other solutions looked at.
We're able to implement best security practices to secure our company data.
We've used it for over seven years.
We had some issues during deployment.
No issues encountered.
No issues encountered.
Customer service is excellent.
Technical Support:
Technical support is excellent.
It was a little complex, but not so much that we couldn't figure it out.
I was the implementor for a client.
Depends on the customer's budget, but we evaluate all vendors that meet the them. It's a mission-critical product.
I give it a thumbs up.
It gives us the ability to do lan-to-lan VPN.
So far it has proven to be rock solid and relatively easy to maintain.
I've used ASA for four years.
No issues encountered.
No issues encountered.
No issues encountered.
We moved our VPN termination from a Cisco ASR to an ASA. We switched because the ASR was not scalable and we realized it was a bad idea to use the same device for routing and VPN termination.
The most complex part was figuring out the failover and what NAT mode to implement.
We did it in-house.
Licenses and prices are pretty high. I understand the validity of the product, so I can't complain much.
No options were evaluated. We heavily rely on Cisco hardware for our infrastructure
I'd say it would be very beneficial to possess a certification such as CCNP Security, at least, to get the most out of it. It's a complex product which requires good knowledge of procedures and best practices. Being a CCIE R&S I know the value of those certifications, and I wish I had a CCNP Security to better handle the task.
Cisco ASA's CLI is very effective and fast for configuring the firewall and making changes, but monitoring logs and connections by reading all the line outputs can be hard on the eyes. ASDM, however, has improved the overall ASA configuration from a GUI standpoint. I really enjoy the log monitor, where I can see live logs in a more user-friendly interface. The downside of ASDM is that it is built with Java, and that means a lot of vulnerabilities, and it does not always work with the latest Java version and/or patches.
The packet tracer function, which I use the most, has provided me a packet flow through the firewall and lets me see which rule or policy can cause a drop. Also, I can see if my NAT statement is working properly. This has allowed me to quickly troubleshoot potential firewall-related issues for my organization.
An L7 firewall is key for the ASA to be competitive in the current and future marketplace. Integrating SourceFire, now called FirePower, on the ASA has helped it get into the next-generation firewall segment.
It blocks all outside to inside traffic and only permits the specific internet traffic from the outside. VPN functionality is very useful, we can create remote access and tunnel VPN in the simplest way.
It blocked all kinds of internet attacks from outside like DOS or DDOS and avoided any down time. We created a remote tunnel from head office to data center network for easy access of servers that make working fast and they are easily manageable.
It would be great if they would add web filtering functionality to this product.
It is a little difficult in newer IOS versions where the use of the NAT command is different. Otherwise it's straightforward to configure.
I deployed it in-house with my team.
This solution reduces any downtime therefore business continuity is not disturbed - that is ultimately ROI.
It is one time cost of about $10,000 and there is no day to day cost.
Yes, I evaluated Fortigate, SonicWall and Juniper but found Cisco ASA to be the best solution for us above all of the others.
Cisco ASA is a reliable product and it benefits you a lot in your network.
It's a great solution that amalgamates a firewall and VPN into one device. It also has a well organized GUI- ASDM.
The ASDM is incompatible with different versions of Java.
I've used it for six years.
I have issues with some versions of Java and ASDM.
It's high.
I used a Cisco 881 router as a firewall and VPN solution. ASA allows conformity and various amounts of functionality in work.
It can be complex, since a lot of CLI commands are different with respect to the CLI of IOS routers.
We implemented ASA without vendor support. For first time implementation, it is good to have someone with ASA experience involved.
Prices could be a little bit lower to make the product more accessible.
NGFW: VPN (IPSec, SSL), NAT (provides great flexibility)
NGIPS: Application visibility, file policies (store files), network discovery, correlation features
SSL decryption for modules. Although I think it is better to separate SSL decryption as a service from the software module since it requires additional hardware, but I think it would be great if there is an option to use the ASA (not the software module) to decrypt the SSL.
Ex: Add a license to decrypt SSL traffic on the ASA itself. The ASA already supports SSL VPN. So if SSL decryption can be integrated that would be nice.
Basic setup is easy, but if you need to do some advanced stuff, it can be intuitive, but some things require some kind of tutorial to understand how it can be done. Good thing is that this device is becoming popular and there are many 3rd party free tutorials and guides that can help.
I heard about defects that were encountered by my colleagues, but not something that cannot be fixed using an upgrade.
Clustering is available for ASA with firepower services.
Also for firepower appliances, there is stacking available for some models.
Great support. The engineers know what they are doing.
Well, it is straight forward as long as you understand the components available.
ASA can be configured using the CLI or ASDM.
For the Firepower you will need to use a FireSIGHT as a management solution.
Since you will be using two GUIs, I wouldn't call it straight forward.
The fact that it's a full inspection firewall.
In fact there is no relevant improvement, but this is the kind of device that every company must have.
I've used it for five years.
It was mainly issues regarding the management and VPN setup.
No issues encountered.
No issues encountered.
We previously used IPtables, and switched because there was a lack of technical support, RMA, etc.
It was an easy initial set-up.
We did it in-house.
No other options were looked at.
Cisco Context gave us the feature of creating a virtual firewall, which is good. It provides us with maximum network isolation. Also impressive is the ISP redundancy.
WCCP and URLs in the Cisco ASA Context both need work. When changing from single mode to multiple mode or back, the commands must be done from the command line (CLI) and cannot be done via the ASDM GUI interface. ASA context should be able to support site-to-site VPN, but the current Cisco Context does not support VPN.
I've used them for six years.
During the deployment of WCCP, we noted some loopholes, like it only supports ports 80 & 443. An application which runs on multiple ports doesn't work with WCCP, and to make it work we need to allow the respective traffic outside the firewall.
Sometimes there is an issue with the site-to-site VPN.
In certain cases, like an any access-list, if we add a URL the Cisco ASA access-list does not resolve that URL while this can be done in Juniper, and Fortinet.
I have migrated some set-ups from Cisco to Juniper, but not from Juniper to Cisco.
We have multiple ASA firewalls for different clients; now we have migrated to Cisco Context.
It was done in-house.
If it is for a banking domain, your organisation should use Cisco which can assure better security than any other vendors' products. Also, they have the best documentation, reliability and support.
The versatility of the product has allowed us to solve a number of perimeter requirements without having to seek out different products or companies for solutions. It has allowed for a single management mechanism, and by having a single platform solution, it has allowed for simpler training.
The configuration/management interface is complex and can be confusing. Technical documentation is often sparse and can be incomplete when covering specific implementations.
I've used Cisco PIX and ASA firewalls since 2003.
Not with the ASAs, with some early version PIX products.
Not with the ASAs, with some early version PIX products.
The ASAs offer several different technologies for HA and we have used all of them successfully.
It's excellent.
Technical Support:
Excellent, we have always been able to get the specific expertise needed to solve our challenges with the products.
Checkpoint Firewalls - the primary reason we switched was cost and limited support options.
It's pretty straightforward. I came at these products already having considerable firewall experience.
It was all in-house, as we all had 10 years plus experience when we moved to PIX firewalls and then a few years later we brought in the ASAs.
The product line offers tremendous capability. Please look into all of the solutions it can provide for you to maximize your investment.
I can tell that when we started using Cisco AnyConnect for remote access to business apps, it made the work for remote staff much simpler. It's also easier to provide remote IT support. Aside from this, the security officers can sleep better now.
The ASA is an almost perfect device.
I've used it for two years.
I have had no problems deploying it.
Occasionally, the packet rate falls unexpectedly.
I currently do not need to scale on my network.
9/10 - the regional online support could be better.
We use MySQL and Nagios devices alongside the ASA as our network infrastructure needs expanding and required more serious hardware solutions.
When Cisco was installed, it did not go as expected.
It is not simple to calculate for IT hardware. To calculate the ROI for using the ASA, I would need to have a lot of statistics on the quality of services, both before and after.
Cisco ASA 5512-X was bought for $3,000, and a further $1,000 was needed for installation and pre-configuration.
As a rule, any device upon delivery is obsolete. Pick up the solution for your business, based on your specific needs.
With the new FirePOWER services, Cisco has given the ASA new valuable features like URL filtering and a more simple and efficient IPS. With FirePOWER services, we have been able to have more insight of our network, something that we never had before, now we can see all the applications that our users are using the most and we can see if there is malware on our network.
The FirePOWER defense system has no integration with the firewall management of the ASA; I mean you can’t create ACLs, rules, VPNs, NAT, and so on. All of this has to be done with the ASDM, which, from my point of view, is very complex if you are not used to it. You should be able to manage the entire solution from one central software like the defense system, but right now you can’t. This is one of the biggest problems I see right now.
I've used it for two years.
The FirePOWER deployment has to be done from the management port of the ASA. This port has to be dedicated because all the communication from the defense system to the appliance goes by that port, so you need to have different networks (inside and management port) to be able to implement this feature. It would be nice again if you can just configure this from one single point and not two (defense system and ASDM).
No, I have never had any problems with Cisco equipment regarding stability.
No issues encountered.
6/10 - I mean you need luck when you open a case with Cisco to have someone with expertise on the product. I’ve had great TAC experiences and the worst ones too. If you have a loss of service they put you with people that know what they are doing, but if you want to configure something extra and you just ask the TAC how to do it, sometimes you get someone that appears to be learning the solution. Many times, I’ve been able to solve it by myself sooner than the TAC.
We previously used Microsoft ISA and switched because it's no longer supported.
In our case straightforward, because we do not have many rules on our firewall, but I’ve seen cases where the migration from one firewall to another can be very tedious.
We did it in-house.
If you are using Cisco, then you will be very familiar with the product, and maybe you won't encounter any problems at all. However, if Cisco is a new solution, you should ask for a demo to see the interface of the ASDM and the defense system in action, and then decide if this is the kind of insight you need of your network.
VPN - Both site to site (IPsec) and remote access (IPsec and SSL).
Through the use of VPNs, we were able to connect our branches together through the internet without any additional cost.
Since 2008, so seven years, and I have been a heavy/daily user, and all of my jobs were related to network security.
No issues encountered.
Sometimes, due to software bugs, but in the long run the ASA is a very stable product when compared to other vendors' firewall solutions.
One of the major disadvantages with the ASAs is the throughput; while the network evolves, the ASA was usually causing the bottleneck.
It's very good when compared to other vendors.
Technical Support:
It's very good when compared to other vendors.
Mainly switching from the old Cisco PIX to a new Cisco ASA. The reason for switching is to get a higher throughput, and due to the fact that the Cisco PIX went EoL.
It requires training, but after that it is straight forward.
I work for a vendor, and we implement the solution for multiple customers.
Yes, and we chose Cisco ASA mainly due to the fact that they have a very good, reliable and very responsive technical customer support.
I have worked on the best firewalls in the market, and Cisco ASA is one of the best.
The below screenshots are taken from a demo of ASDM.
With the ASA there are multiple products depending on your needs based on the two generations of the ASA. Roughly split-up there are 4 products.
In general, I like both the SSL VPN and SourceFIRE. Firstly, for the VPN, both the client and client-less versions are very scalable, flexible, and dynamic in configuration and probably the best SSL VPN solution available in the market. Secondly, SourceFIRE has improved the IPS functionality and stability of the ASA to a point where you can begin to enjoy the fruits of your solution and root out the bad seed in your network.
For many of my customers, the SourceFIRE solution has been an eye opener of exactly what their users are generating of traffic. Some customers, after reviewing the traffic application usage reports are astounded by the amount of traffic used, for example by Facebook and YouTube. My customers like the visibility into their network usage, and not necessarily wanting to block it, but just to know that they can control the network traffic and utilization if needed.
Definitely the throughput could use an upgrade when running the SourceFIRE/AMP with the ASA. Also, it could use better troubleshooting capabilities. You are, most of the time, bound to have access to TAC for troubleshooting advanced problems.
Customers where I have deployed these solutions have had them for three-plus years, and most of them at the present moment have first-generation solutions or are planning an upgrade to the second-generation ones (NGFW or NGIPS).
There are always issues when implementing key equipment like firewalls, especially if you are converting from an unfamiliar platform, activating SourceFIRE, or doing a general maintenance rule clear-up. If you don’t follow best practice, you can seriously impact network performance or unintentionally shut-down services.
In general the ASA has a great software stability reputation, and even though SourceFIRE for ASA is still young, the stability seems to be rather good. Of course you can’t avoid all issues, and you might have to reinstall the SourceFIRE software on the modules. If you're upgrading the ASA from pre code 8.3, you will need to redo the NAT and access rules of the ASA.
License scalability for SourceFIRE is really not good if you have an ASA in HA, as you need two licenses of everything, which is really bad as you won't get double SourceFIRE. Other than that, you need to remember to buy your ASA based on the SourceFIRE's throughput and not the inspection throughput.
If you have a service contract with Cisco you can have TAC assistance, software upgrades and next-business-day RMA (or faster); otherwise you are left to yourself or your Cisco partner. Basically, without a Cisco service contract, you can't get any help or software from Cisco.
Technical Support:
Should you have a Cisco service contract, you get access to TAC that will provide you technical assistance towards solving your issue. The TAC experience can vary a lot. In general I would rate it as very good, 4/5.
Mainly customers switch from other vendor because of VPN features, ease-of-management, and good consultant/partner relationship.
The initial setup is fairly easy and there are wizards for almost all the basic needs, including the initial setup and all types of VPN technologies that the ASA supports.
I am the vendor, and I am an expert with ASA.
Make sure you get the right product/license to do the job you need done. If you are in doubt ask a consultant or a Cisco Partner. I have seen cases where a firewall wasn't the right hardware for the job and you can't just switch off the firewall/inspector for some interfaces or networks.
It provided more secure access to the resources of my organization and created a more stable environment for the business activities between us and our partners.
Security through integrated cloud and software based services.
I've used it for two years.
There were a few problems with the interaction between the ASDM client and ASA device.
No issues encountered.
No issues encountered.
I previously used a Fortinet solution. I switched to Cisco because Fortinet lacked stability and robust troubleshooting features.
It was complex because I had to put the ASA directly into the production environment.
I implemented the solution in-house.
I also evaluated Juniper and CheckPoint solutions.
You should try it without restraints, and it is worth every penny.