We just raised a $30M Series A: Read our story

Cisco Firepower NGFW Firewall OverviewUNIXBusinessApplication

Cisco Firepower NGFW Firewall is #4 ranked solution in best firewalls. IT Central Station users give Cisco Firepower NGFW Firewall an average rating of 8 out of 10. Cisco Firepower NGFW Firewall is most commonly compared to Fortinet FortiGate:Cisco Firepower NGFW Firewall vs Fortinet FortiGate. Cisco Firepower NGFW Firewall is popular among the large enterprise segment, accounting for 66% of users researching this solution on IT Central Station. The top industry researching this solution are professionals from a comms service provider, accounting for 32% of all views.
What is Cisco Firepower NGFW Firewall?

Cisco NGFW firewalls deliver advanced threat defense capabilities to meet diverse needs, from
small/branch offices to high performance data centers and service providers. Available in a wide
range of models, Cisco NGFW can be deployed as a physical or virtual appliance. Advanced threat
defense capabilities include Next-generation IPS (NGIPS), Security Intelligence (SI), Advanced
Malware Protection (AMP), URL filtering, Application Visibility and Control (AVC), and flexible VPN
features. Inspect encrypted traffic and enjoy automated risk ranking and impact flags to reduce event
volume so you can quickly prioritize threats. Cisco NGFW firewalls are also available with clustering
for increased performance, high availability configurations, and more.
Cisco Firepower NGFWv is the virtualized version of Cisco's Firepower NGFW firewall. Widely
deployed in leading private and public clouds, Cisco NGFWv automatically scales up/down to meet
the needs of dynamic cloud environments and high availability provides resilience. Also, Cisco NGFWv
can deliver micro-segmentation to protect east-west network traffic.
Cisco firewalls provide consistent security policies, enforcement, and protection across all your
environments. Unified management for Cisco ASA and FTD/NGFW physical and virtual firewalls is
delivered by Cisco Defense Orchestrator (CDO), with cloud logging also available. And with Cisco
SecureX included with every Cisco firewall, you gain a cloud-native platform experience that enables
greater simplicity, visibility, and efficiency.
Learn more about Cisco’s firewall solutions, including virtual appliances for public and private cloud.

Cisco Firepower NGFW Firewall is also known as Cisco Firepower NGFW, Cisco Firepower Next-Generation Firewall, FirePOWER, Cisco NGFWv.

Cisco Firepower NGFW Firewall Buyer's Guide

Download the Cisco Firepower NGFW Firewall Buyer's Guide including reviews and more. Updated: November 2021

Cisco Firepower NGFW Firewall Customers

Rackspace, The French Laundry, Downer Group, Lewisville School District, Shawnee Mission School District, Lower Austria Firefighters Administration, Oxford Hospital, SugarCreek, Westfield

Cisco Firepower NGFW Firewall Video

Archived Cisco Firepower NGFW Firewall Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
TG
Lead Network Administrator at a financial services firm with 201-500 employees
Real User
Enables analysis, diagnosis, and deployment of fixes quickly, but the system missed a SIP attack

Pros and Cons

  • "With the FMC and the FirePOWERs, the ability to quickly replace a piece of hardware without having to have a network outage is useful. Also, the ability to replace a piece of equipment and deploy the config that the previous piece of equipment had is pretty useful."
  • "We had an event recently where we had inbound traffic for SIP and we experienced an attack against our SIP endpoint, such that they were able to successfully make calls out... Both CTR, which is gathering data from multiple solutions that the vendor provides, as well as the FMC events connection, did not show any of those connections because there was not a NAT inbound which said either allow it or deny it."

What is our primary use case?

These are our primary edge firewalls at two data centers.

How has it helped my organization?

Today I was able to quickly identify that SSH was being blocked from one server to another, and that was impacting our ability to back up that particular server, because it uses SFTP to back up. I saw that it was blocking rule 22, and one of the things I was able to do very quickly was to take an existing application rule that says 22, or SSH, is allowed. I copied that rule, pasted it into the ruleset and edited it so that it applied to the new IPs — the new to and from. I was able to analyze, diagnose, and deploy the fix in about five minutes.

That illustrates the ability to utilize the product as a single pane of glass. I did the troubleshooting, the figuring out why it was a problem, and the fix, all from the same console. In the past, that would have been a combination of changes that I would have had to make both on the ASDM side of things, using ASDM to manage the ASA rules, as well as having to allow them in the FMC and to the FirePOWER.

Overall, as a result of the solution, our company's security posture is a lot better now.

What is most valuable?

With the FMC and the FirePOWERs, the ability to quickly replace a piece of hardware without having to have a network outage is useful. Also, the ability to replace a piece of equipment and deploy the config that the previous piece of equipment had is pretty useful. 

The administration is a little easier on the FirePOWER appliances because we're not using two separate products. For example, in the ASAs with FirePOWER Services, we were using the FMC to manage the FirePOWER Services, but we were still using ASDM for the traditional Layer 2 and Layer 3 rulesets. That is all combined in FMC for the FirePOWER devices.

Our particular version includes application visibility and control. Most next-gen firewalls do. The product is maturing with what they call FirePOWER Threat Defense, which is the code that runs on the firewalls themselves. The FirePOWER Threat Defense software has matured somewhat. There were some issues with some older versions where they didn't handle things in a predictable manner. Applications that we didn't have a specific rule for may have been allowed through until it could identify them as a threat. We reorganized our rules, because of that "feature," in a different way so that those extra packets weren't getting through and we weren't having to wait so long for the assessment of whether they should be allowed or not. We took a different approach for those unknowns and basically created a whitelist/blacklist model where applications on the list were allowed through.

Then, as you progressed into the ruleset, some of those features became more relevant and we stopped this. We looked at it as "leaky" because it was allowing some packets in that we didn't want in, while it made the determination of whether or not those applications were dangerous. Our mindset was to assume they're dangerous before letting them in so we had to adjust our ruleset for that. As the product matures, they've come out with better best practices related to it. Initially, there wasn't a lot of best-practice information for these. We may have been a little early in deploying the FirePOWER appliances versus continuing on with the adaptive security appliances, the old PIX/ASA model of firewalls. Cisco proposed this newer model and our VAR agreed it would be a benefit to us.

There was a bit of a transition. The way they handle the processing of applications is different between the ASAs and the FirePOWERs. There were growing pains for us with that. But ultimately, the ability to have this configured to the point where I could choose a specific user and create a rule which says this user can use this application, and they'll be able to do it from whatever system they want to, has been advantageous for our functionality and our ability to deliver services more quickly.

There haven't been a lot of specific use cases for that, other than troubleshooting things for myself. But having the knowledge that that functionality is there, is helpful. Certainly, we do have quite a few rules now which are based on "this application is allowed, this whole set of applications is blocked." It does make that easier because, in the past, you generally did that by saying, "This port is allowed, this port is blocked." Now we can say, not the ports; we're doing it by the services, or instead of by the services we're doing it by the applications. It makes it a little bit easier. And Cisco has taken the step of categorizing applications as well, so we can block an entire group of applications that fall under a particular category.

For the most part, it's very good for giving us visibility into the network, in conjunction with other products that give us visibility into users as well as remote items. It's really good at tracking internal things, really good at tracking people, and really good at giving us visibility as to what's hitting us, in most situations.

In general, Cisco is doing a pretty good job. Since we started the deploy process, they've increased the number of best-practice and configuration-guidance webinars they do. Once a month they'll have one where they show how we can fix certain things and a better way to run certain things. 

The product continues to improve as well. Some of the features that were missing from the product line when it was first deployed — I was using it when it was 6.2 — are in 6.4. We had some of them in ASDM and they were helpful for troubleshooting, but they did not exist on the FirePOWER side of things. They've slowly been adding some of those features. They have also been improving the integration with ISE and some of the other products that utilize those resources. It's getting better.

What needs improvement?

Regarding the solution's ability to provide visibility into threats, I'm not as positive about that one. We had an event recently where we had inbound traffic for SIP and we experienced an attack against our SIP endpoint, such that they were able to successfully make calls out. There is no NAT for that. So we opened a case with the vendor asking how this was possible? They had to get several people on the line to explain to us that there was an invisible, hidden NAT and that is how that traffic was getting in, and that this was by design. That was rather frustrating because as far as the troubleshooting goes, I saw no traffic.

Both CTR, which is gathering data from multiple solutions that the vendor provides, as well as the FMC events connection, did not show any of those connections because there wasn't a NAT inbound which said either allow it or deny it. There just wasn't a rule that said traffic outside on SIP should be allowed into this system. They explained to us that, because we had an outbound PAT rule for SIP, it creates a NAT inbound for us. I've yet to find it documented anywhere. So I was blamed for an inbound event that was caused because a NAT that was not described anywhere in the configuration was being used to allow that traffic in. That relates to the behavior differences between the ASAs and the FirePOWERs and the maturity. That was one of those situations where I was a little disappointed. 

Most of the time it's very good for giving me visibility into the network. But in that particular scenario, it was not reporting the traffic at all. I had multiple systems that were saying, "Yeah, this is not a problem, because I see no traffic. I don't know what you're talking about." When I would ask, "Why are we having these outbound calls that shouldn't be happening?" there was nothing. Eventually, Cisco found another rule in our code and they said, "Oh, it's because you have this rule, that inbound NAT was able to be taken advantage of." Once again I said, "But we don't have an inbound NAT. You just decided to create one and didn't tell us."

We had some costs associated with those outbound SIP calls that were considered to be an incident.

For the most part, my impression of Cisco Talos is good. But again, I searched Cisco Talos for these people who were making these SIP calls and they were identified as legitimate networks. They had been flagged as utilized for viral campaigns in the past, but they weren't flagged at the time as being SIP attackers or SIP hijackers, and that was wrong. Obviously Talos didn't have the correct information in that scenario. When I requested that they update it based on the fact that we had experienced SIP attacks for those networks, Talos declined. They said no, these networks are fine. They should not be considered bad actors. It seemed that Talos didn't care that those particular addresses were used to attack us.

It would have protected other people if they'd adjusted those to be people who are actively carrying out SIP attacks against us currently. Generally speaking, they're top-of-the-game as far as security intelligence goes, but in this one scenario, the whole process seemed to fail us from end to end. Their basic contention was that it was my fault, not theirs. That didn't help me as a customer and, as an employee of the credit union, it certainly hurt me.

For how long have I used the solution?

We've been using the FMC for about five years. We've only been using the FTD or FirePOWER appliances for about a year.

What do I think about the stability of the solution?

The stability is pretty good. We went through several code revisions from being on the ASAs on 6.2, all the way through the new FirePOWERs, moving them to 6.4.

Unfortunately, we had the misfortune of using a particular set of code that later was identified as a problem and we had a bit of an upgrade issue. We were trying to get off of 6.3.0 on to 6.3.0.3. The whole system fell apart and I had to rebuild it. I had to break HA. We ended up having to RMA one of our two FMCs. I'm only now, a couple of months later, getting that resolved.

That said, I've had six or seven upgrades that went smoothly with no issues.

What do I think about the scalability of the solution?

The scalability is awesome. That's one of those features that this product adds. Not only does it scale so that we can add more firewalls and have more areas of deployment and get more functionality done, but we have the ability that we could replace a small-to-medium, enterprise firewall with a large enterprise firewall, with very little pain and effort. That's because that code is re-appliable across multiple FirePOWER solutions. So should a need for more bandwidth arise, we could easily replace the products and deploy the same rulesets. The protections we have in place would carry forward.

We hairpin all of our internet traffic through the data centers. Our branch offices have Cisco's Meraki product and use the firewall for things that we allow outbound at that location. Most of that is member WiFi traffic which goes out through the local connections and out through those firewalls. We don't really want all of the member Facebook traffic coming through our main firewalls. I don't foresee that changing. I don't see us moving to a scenario where we're not hairpinning all of our business-relevant internet traffic through the data centers. 

I don't foresee us adding another data center in the near future, but that is always an option. I do foresee us increasing our bandwidth requirements and, potentially, requiring an additional device or an increase in the device size. We have FirePOWER 2100s and we might have to go to something bigger to support our bandwidth requirements.

Which solution did I use previously and why did I switch?

The previous usage was with an ASA that had FirePOWER services installed.

How was the initial setup?

The transition from the ASA platform to the FirePOWER platform was a little difficult. It took some effort and there were some road bumps along the way. After the fact, they were certainly running all over themselves to assist us. But during the actual events, all they were trying to do was point out how it wasn't their fault, which wasn't very helpful. I wasn't interested in who was to blame, I was interested in how we could fix this. They wanted to spend all their time figuring out how they could blame somebody else. That was rather frustrating for me while going through the process. It wasn't as smooth as it should have been. It could have been a much easier process with better support from the vendor.

It took about a month per site. We have two data centers and we tackled them one at a time.

We set up the appliances and got them configured on the network and connected to the FirePOWER Management console. At that point we had the ability to deploy to the units, and they had the ability to get their code updates. At that point we utilized the Firewall Migration Tool that allowed us to migrate the code from an ASA to a FirePOWER. It was well supported. I had a couple of tickets I had to open and they had very good support for it. We were able to transition the code from the ASAs to the FirePOWERs.

It deployed very well, but again, some of these things that were being protected on the ASA side were allowed on the FirePOWER side; specifically, that SIP traffic. We didn't have any special rules in the ASA about SIP and that got copied over. The lack of a specific rule saying only allow from these sites and block from these countries, is what we had to do to fix the problem. We had to say, "This country and that country and that country are not allowed to SIP-traffic us." That fixed the problem. There is a certain amount missing in that migration, but it was fairly easy to use the toolkit to migrate the code.

Then, it was just that lack of knowledge about an invisible NAT and the lack of documentation regarding that kind of thing. As time has gone by, they've increased the documentation. The leaky packets I mentioned have since been added as, "This is the behavior of the product." Now you can Google that and it will show you that a few packets getting through is expected behavior until the engine makes a determination, and then it'll react retroactively, to say that that traffic should be blocked.

Certainly, it's expected behavior that a few packets get through. If we'd known that, we might have reacted differently. Not knowing that we should have expected that traffic made for a little bit of concern, especially from the security team. They had third-party products reporting this as a problem, but when I'd go into the console, it would say that traffic was blocked. But it wasn't blocked at first, it was only blocked now, because that decision had been made. All I saw is that it was blocked. From their point of view, they were able to see, "Oh, well initially it was allowed and then it got blocked." We were a little concerned that it wasn't functioning correctly. When you have two products reporting two different things, it becomes a bit of a concern.

What was our ROI?

We have probably not seen ROI yet. These are licensed under Cisco ONE and you usually don't see a return on investment until the second set of hardware. We're still on our first set of hardware under this licensing.

That said, our ASAs were ready to go end-of-life. The return on investment there is that we don't have end-of-life hardware in our data center. That return was pretty immediate.

What other advice do I have?

The biggest lesson I have learned from using this solution is that you can't always trust that console. In the particular case of the traffic which I was used to seeing identified in CTR, not seeing that traffic but knowing that it was actually occurring was a little bit of a concern. It wasn't until we actually put rules in that said "block that traffic" that I started to see the traffic in the console and in the CTR. Overall, my confidence in Cisco as a whole was shaken by that series of events. I have a little bit less trust in the brand, but so far I've been happy with the results. Ultimately we got what we wanted out of it. We expected certain capabilities and we received those capabilities. We may have been early adopters — maybe a little bit too early. If we had waited a little bit, we might've seen more about these SIP issues that weren't just happening to us. They've happened other people as well.

The maturity of our company's security implementation is beyond the nascent stage but we're not what I would call fully matured. We're somewhere in the middle. "Fully matured" would be having a lot more automation and response capabilities. At this point, to a large extent, the information security team doesn't even have a grasp on what devices are connected to the network, let alone the ability to stop a new device from being added or quarantined in an automated fashion. From my point of view, posture control from our ISE system, where it would pass the SGTs to the FirePOWER system so that we could do user-based access and also automated quarantining, would go a long way towards our maturity. In the NISK model, we're still at the beginning stages, about a year into the process.

Most of our tools have some security element to them. From the Cisco product line, I can think of about ten that are currently deployed. We have a few extras that are not Cisco branded, three or four other items that are vulnerability-scanning or SIEM or machine-learning and automation of threat detection.

The stuff that we have licensed includes the AMP for Networks, URL filtering, ITS updates and automation to the rule updates, as well as vulnerability updates that the product provides. Additionally, we have other services that are part of Cisco's threat-centric defense, including Umbrella and AMP for Endpoints. We use Cisco Threat Response, or CTR, to get a big-picture view from all these different services. There's a certain amount of StealthWatch included in the product, as well as some of the other advantages of having the Cisco Talos security intelligence.

The integration among these products is definitely better than among the non-Cisco products. It's much better than trying to integrate it with non-Cisco functionality. That is probably by design, by Cisco. Because they can work on both ends of, for example, integrating our AMP for Endpoints into our FirePOWER Management Console, they can troubleshoot from both ends. That probably makes for a better integration whereas, when we're trying to troubleshoot the integration with, say, Microsoft Intune, it's very hard to get Cisco to work together with Microsoft to figure out where the problem is. When you have the same people working on both sides of the equation, it makes it a little easier. 

Additionally, as our service needs have progressed and the number of products we have from Cisco has increased, they've put us onto a managed security product-support model. When I call in, they don't only know how to work on the product I'm calling in on. Take FMC, for example. They also know how to work on some of those other products that they know we have, such as the Cisco Voice system or Jabber or the WebEx Teams configurations, and some of those integrations as well. So, their troubleshooting doesn't end with the firewall and then they pass us off to another support functionality. On that first call, they usually have in-house resources who are knowledgeable about all those different aspects of the Threat Centric defenses, as well as about routine routing and switching stuff, and some of the hardware knowledge as well. We're a heavy Cisco shop and it helps in troubleshooting things when the person I'm talking to doesn't know only about firewalls. That's been beneficial. It's a newer model that they've been deploying because they do have so many customers with multiple products which they want to work together.

In most cases, this number of tools improves our security operations, but recent events indicate that, to a large extent, the tools and their utilization, beyond the people who deployed them, weren't very helpful in identifying and isolating a particular issue that we had recently. Ultimately, it ended up taking Cisco and a TAC case to identify the problems. Even though the security team has all these other tools that they utilize, apparently they don't know how to use them because they weren't able to utilize them to do more than provide info that we already had.

We have other vendors' products as well. To a large extent, they're monitoring solutions and they're not really designed to integrate. The functionality which some of these other products provide is usually a replication of a functionality that's already within the Cisco product, but it may or may not be to the extent or capacity that the information security team prefers. My functionality is largely the security hardware and Cisco-related products, and their functionality is more on the monitoring side and providing the policies. From their point of view, they wanted specific products that they prefer for their monitoring. So it wasn't surprising that they found the Cisco products deficient, because they didn't want the Cisco products in the first place. And that's not saying they didn't desire the Cisco benefits. It's just they have their preference. They'd rather see Rapid7's vulnerability scan than ISE's. They'd rather see the connection events from Darktrace rather than relying on the FMC. And I agree, it's a good idea to have two viewpoints into this kind of stuff, especially if there's a disagreement between the two products. It never hurts to have two products doing the same thing if you can afford it. The best thing that can happen is when the two products disagree. You can utilize both products to figure out where the deficiency lies. That's another advantage.

For deployment, upgrades, and maintenance, it's just me.

We were PIX customers when they were software-based, so we've been using that product line for some time, other than the Meraki MXs that we're using for the branch offices. The Merakis are pretty good firewalls as well.

We also have access here at our primary data centers, but they're configured differently and do different things. The MXs we have at our data centers are more about the LAN functionality and the ability to fail from site to site and to take the VPN connections from the branch offices. For remote access VPN, we primarily used the firewalls. For our site-to-site VPNs, we primarily use these firewalls. For our public-facing traffic, or what is traditionally referred to as DMZ traffic, we're primarily relying on these firewalls. So, they have a lot of functionality here at the credit union. Almost all of our internet bound traffic travels through those in some way, unless we're talking about our members' WiFi traffic.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SA
Senior Network Engineer at a consultancy with 1,001-5,000 employees
Real User
Notably reduced our time to root cause and MTTR

Pros and Cons

  • "We can easily track unauthorized users and see where traffic is going."
  • "We would like to see improvement in recovery. If there is an issue that forces us to do recovery, we have to restart or reboot. In addition, sometimes we have downtime during the maintenance windows. If Cisco could enhance this, so that upgrades would not necessarily require downtime, that would be helpful."

What is our primary use case?

The primary use case of for Cisco firewalls is to segment our network. We're using them on the perimeter network for traffic filtering. Since deploying them, we have seen a maturing of the security in our organization. 

We're using both the FTD 2100 and 4100. We have about 40 sites that are using our approximately 80 FTDs. We have about 2,000 users.

How has it helped my organization?

It has helped us to solve some problems regarding auditor recommendations. We used to have some audit recommendations that we were not able to comply with. With FTD deployed we have been able to be in compliance around our 36 remote sites.

Before deploying them we had a lot of incidents of internet slowness and issues with site access, as well as computers that had vulnerabilities. But as soon as we deployed them we were able to track these things. It has helped the user-experience regarding connectivity and security. 

In addition, it is giving us a better view regarding the traffic profile and traffic path. And we can categorize applications by utilization, by users, etc.

The solution has, overall, made us twice as productive and, in terms of response time for resolving issues or to identify root causes, we are three times more effective and efficient.

What is most valuable?

We can easily track unauthorized users and see where traffic is going. It is very useful.

FTD is also fully integrated with Talos. We are in the process of acquiring it and we will integrate it. That way we will have everything from Talos to do correlations.

What needs improvement?

We would like to see improvement in recovery. If there is an issue that forces us to do recovery, we have to restart or reboot. In addition, sometimes we have downtime during the maintenance windows. If Cisco could enhance this, so that upgrades would not necessarily require downtime, that would be helpful.

We would also like to have a solution on the cloud, where we could manage the configuration. CDO is in the ASA mode. If Cisco could do it in full FTD — the configuration, the administration, and everything — it would be very good, and easy.

What do I think about the stability of the solution?

The solution is stable. Last year, we deployed it in more 32 countries and it has been stable since the deployment. We haven't had any issues with the firewall. If we have any issues, it is usually due to the power. The solution itself is stable.

What do I think about the scalability of the solution?

It's scalable.

How are customer service and technical support?

Tech support is able to resolve 70 percent of the issues. In case of an emergency, we can open a case because we have a contract for Smart Net support on the devices. In case of an issue, we open a case and we get assistance.

Which solution did I use previously and why did I switch?

Before FirePOWER we were using the ASA.

How was the initial setup?

At the beginning, it was complex, but we were able to develop a step-by-step implementation. Now, we can deploy one in about two hours, including integration testing, physical testing, configuration, and applying the rules.

What about the implementation team?

We have in-house engineers for the deployment. We haven't used external, third-parties. We are a big institution, based in 36 countries. The team that is focused on this deployment is a team of five. The person who is handling the implementation will be in contact with a local engineer at the remote site, and will assist him, remotely, to do the testing and follow the steps to deploy.

What's my experience with pricing, setup cost, and licensing?

The one-time cost is affordable, but the maintenance cost and the Smart Net costs need to be reduced. They're too high. A company like ours, that has about 80 firewalls, has to multiple the maintenance cost per device by 80. Cisco should find a way to provide some kind of enterprise support. We don't want to buy support per unit of equipment. It would be easier for everybody.

What other advice do I have?

We are using about ten different security tools, including analytics, monitoring, threat management, and email security. What we have integrated is the ISE and FTD but the third-party solutions are not fully integrated.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Learn what your peers think about Cisco Firepower NGFW Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
552,136 professionals have used our research since 2012.
EV
IT Infrastructure Specialist at RANDON S.A
Real User
Shows the top-consuming applications to help determine if there is a deviation or if we need to increase bandwidth

Pros and Cons

  • "The protection and security features, like URL filtering, the inspection, and the IPS feature, are also very valuable for us. We don't have IT staff at most of the sites so for us it's important to have a robust firewall at those sites"
  • "The user interface for the Firepower management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For Firepower, the user interface is not very user-friendly. It's a little bit confusing sometimes."

What is our primary use case?

Currently, we have 16 remote sites. Some of them are sales offices and some of them are industrial plants. And we have a centralized IT department here in Brazil. The business asked me to support those remote sites. We started using the Firepower Threat Defense, which is one of the versions of next-gen firewalls from Cisco, at some of the sites. We have them operating at five sites, and we are deploying at a sixth site, in Mexico, with the same architecture. That architecture has the firewall running on the site's router, and we manage them all from here in Brazil.

How has it helped my organization?

Overall, I would summarize Firepower NGFW's effect on our company's security position by saying that, until now, we haven't had any major security incidents. The investment we made, and the investment we are still making in that platform, have worked because they are protecting us from any risks we are exposed to, having all these remote sites and using the internet as the way to connect those sites. They are doing what they promised and they are doing what we paid for.

What is most valuable?

For us, the main feature is due to the fact that we have internet connections for all these sites, and we use the internet to communicate with our data center using VPN. So the VPN support in these boxes is one of the most valuable features.

Also, with the firewall itself, the protection and security features, like URL filtering, the inspection, and the IPS feature, are also very valuable for us. We don't have IT staff at most of the sites so for us it's important to have a robust firewall at those sites, to support the business and give us peace of mind. If we do have an incident, since we don't have any IT personnel there for support, we need to do everything remotely.

It provides us with application visibility and control. We can see, on the dashboard, all the applications that are most used and which are under some sort of risk or vulnerability. From my perspective, which is more related to the network itself and the infrastructure, not the security aspect, it helps a lot when we need to check some situation or issue that could be related to any attack or any violation. We can see that there are one or two or three applications that are the top-consuming applications. We can use this information to analyze if there is a deviation or if it's something that we need to consider as normal behavior and increase the bandwidth on the site. It's very important to have this analytic view of what's happening. That's especially true for us, since we have information on all these remote sites but we don't have IT resources on-premises. Having this view of all the sites in the same pane of glass is very important.

It's not just the visibility of things, but the management of application behavior is very important. If I see that, for example, Facebook is consuming too much bandwidth, I can make a policy on the console here and deploy it to our remote offices. So the application visibility feature is one of the key parts of the solution.

NGFW's ability to provide visibility into threats is also one of the important features. Although we have several applications that are based on-premises — we have databases and file servers that only exist inside the company or inside those remote sites — we see more traffic going to and coming from the internet every day. It's not optional anymore to have visibility into all this traffic. More and more, we are moving things to Office 365 or other SaaS platforms which are hosted on the internet. We need to see this traffic crossing our network. It's a top priority for us.

When it comes to Talos, I recognized the importance of it before they were even calling it Cisco Talos. As a user of the URL filtering product, the IronPort appliances, for six or seven years, perhaps or more, I was introduced, at that time, to a community that was called SenderBase.org, which was like the father of the Cisco Talos. Knowing them from that time, and now, the work they do is very important. It provides knowledge of what is happening in the security space. The information they can collect from all the hardware and software they have deployed with their customers is great. But the intelligence they also have to analyze and provide fixes for things like Zero-day attacks, for example, is crucial. They are able to map and categorize risks. They're unbeatable, currently. Although we know that other vendors have tried to replicate this service or feature, the history they have and the way they do their work, make it unbeatable currently.

What needs improvement?

Some products supersede others within Cisco. I have three platforms and some of the features are the same in two products. It's not clear for us, as a  customer, if Cisco intends to have just one platform for security in the future or if they will offer one product for a particular segment, such as one product for the big companies, one product for the financial segment, another product for enterprise, and another product for small business.

Sometimes, Cisco itself has two products which are doing the same things in some areas. That is something they could make clearer for customers: the position of each product or the roadmap for having just one product. 

For example, I have a management console for the next-gen firewalls we are deploying. But the SD-WAN also has some security features and I would have to use another management console. I don't have integration between the products. Having this integration or a roadmap would help. I don't know if there will be one product only in the future, but at least having better integration between their own products is one area for improvement.

Also, the user interface for the Firepower management console is a little bit different from traditional Cisco management tools. If you look at products we already use, like Cisco Prime or other products that are cloud-based, they have a more modern user interface for managing the products. For Firepower, the user interface is not very user-friendly. It's a little bit confusing sometimes. This is another area where they could improve.

For how long have I used the solution?

We have been using Cisco NGFWs for about for two years.

What do I think about the stability of the solution?

The stability is okay. It's robust enough to support the business we have. We haven't had any major issues with the product itself. Of course, we don't touch them frequently because it's a security deployment so it's not the type of thing where we make changes every day. Once we deploy them, and deploy the policies, we don't touch them frequently.

We have one issue at one of the sites, at times. There is a power outage at the site and the virtual machine itself crashes. We have to recover from the crash and reinstall the backup. It's something that is not related to the product itself. It's more that our infrastructure has a problem with power which led to a firewall problem, but the product itself is not the root cause.

What do I think about the scalability of the solution?

It is scalable in our scenario. It is scalable the way we deploy it. It's the same template or architecture, and that was our intention, for all our remote sites. From this point of view, the scalability is okay. But if one of those remote sites increases in demand, in the number of users or in traffic, we don't have too much space to increase the firewall itself inside that deployment. We would probably need to replace or buy a new, more robust appliance. So the scalability for the architecture is fine. It's one of the major requirements for our distributed architecture. But scalability for the appliance itself, for the platform itself, could be a problem if we grow too much in a short period of time.

I don't know how to measure how extensively we use it, but it's very important because without it, we can't have VPN and we can't communicate with our headquarters. We have SAP as our ERP software and it's located in our data center here at our headquarters. If we can't communicate with the data center, we lose the ability to communicate with SAP. So if we don't have the firewall running on those remote sites, it is a major problem for us. We must have it running. Otherwise, our operations at these remote sites will be compromised. In terms of volume, 40 percent of our sites are deployed and we still have plans to deploy the other 60 percent, this year and next year.

Regarding future demands, if we create new business, like we are doing now in Mexico, our basic template has this next-gen firewall as part of it. So any other new, remote sites we deploy in the future, would use the same architecture and the same next-gen firewall.

Which solution did I use previously and why did I switch?

For our remote sites we didn't use a specific security platform. We had the Cisco router itself and the protection that the Cisco router offers. But of course you can't compare that with a next-gen firewall. But here in our headquarters, we currently use Palo Alto for our main firewall solution. And before Palo Alto, we used Check Point.

The decision to use Cisco was because Cisco could offer us an integrated platform. We could have only one router at our remote sites which could support switch routing with acceleration, for IP telephony and for security. In the future we also intend to use SD-WAN in the same Cisco box. So the main advantage of using Cisco, aside from the fact that Cisco is, course, well-positioned between the most important players in this segment, is that Cisco could offer this solution in a single box. For us, not having IT resources at those remote sites, it was important to have a simple solution, meaning we don't have several boxes at the site. Once we can converge to a single box to support several features, including security, it's better for us.

The main aspect here is that if we had Fortinet or Check Point or Palo Alto, we would need another appliance just to manage security, and it wouldn't be integrated with what we have. Things like that would make the remote site more complex.

We don't currently have a big Cisco firewall to compare to our Palo Alto. But one thing that is totally different is the fact that Cisco can coexist with the router we have.

How was the initial setup?

I participated in the first deployment. I know it's not hard to do, but it's also not easy. It requires some knowledge, the way we deploy it. We use next-gen firewalls inside the Cisco router. It's virtualized inside the Cisco router. So you need to set settings on the router itself to allow the traffic that comes to the router to go to the firewall and return to the router to. So it's not an easy setup but it's not very complex. It requires some knowledge, not only of security, but also of routing and related things. It's in the middle between complex and simple.

Once you have the templates for it, it's easier. It can take a day or two to deploy, or about 20 hours for the whole configuration.

What about the implementation team?

The name of the local partner we use here in Brazil is InfraTI.

For the first deployment we had to understand how to do it because of the constraints. We have the router and we have the next-gen firewalls running inside the router. Until we decided how to deploy, it took a little while. But now we have the knowledge to do that more easily. They are able to deploy it satisfactorily. We are happy with them.

For deployment and maintenance of the solution, it requires two people and our partner. On our side there is an engineer to discuss the details, and then there is the person who does the deployment itself.

What other advice do I have?

You must know exactly what features are important for you, and how you can manage all this infrastructure in the future. Sometimes you can have a product that is superior but it might demand an increase in manpower to manage all the software or platforms. Another point to consider is how good the integration is between products? You should check what features you need, what features you can have, and the integration with other products.

In terms of the maturity of our security implementation, we have had security appliances, software or hardware, for more than 15 years. So we have a long history of using security products. We started using Cisco competitors in the past and we still use them for our headquarters, where I am. Our main firewall is not currently Cisco, although we are in the process of evaluation and we will replace this firewall soon. Cisco is one of the brands being evaluated for that.

In the past, while it's not a next-gen firewall, we also used a Cisco product for URL filtering, up until this year.

We are moving to the cloud. We are starting to use Office 365, so we are moving email, for example, from on-premises to the cloud. But until June of this year, we mainly used security from Cisco. But we also have antivirus for endpoint protection. We also had Cisco IPS in the past, which was a dedicated appliance for that, but that was discontinued about two years ago. Those are the major products we use currently. In addition — although it's not specifically a security product — we use Cisco ISE here to support our guest network for authentication. We plan, in the near future, to increase the use of Cisco Identity Services Engine. When we start to use that to manage policies and the like, we will probably increase the integration. I know that both products can be integrated and that will be useful for us.

There's one other product which we use along with Cisco next-gen which is a SIEM from Splunk. Currently, that is the only integration we have with Cisco. We send logs from next-gen firewalls to the Splunk machine to be analyzed and correlated. 

Although I'm not involved on a daily basis in operations, I helped in the process of integrating it. It was very easy to integrate and it's a very valuable integration, because we can analyze and correlate all the events from the next-gens from Cisco, along with all the other logs we are collecting in our infrastructure. For example, we also collect logs from the Windows machine that we use to authenticate users. Having those logs correlated on the Splunk box is very valuable. The integration is very easy. I don't know who built what, but there's a kind of add-on on the Splunk that is made for connection to firewalls, or vice versa. The integration is very simple. You just point to the name of the server and a user name to integrate both.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
ITCS user
Security Architect
Real User
Gives us valuable insights about encrypted traffic on the web, with statistics up to Layer 7

Pros and Cons

  • "The IPS, as well as the malware features, are the two things that we use the most and they're very valuable."
  • "For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending what we activate. If we activate too many intrusion policies, it affects the CPU."

What is our primary use case?

Our primary use cases for FTD are IPS, intrusion detection, and to get visibility into the network and the traffic that is going on in some sites. We always have them in-line, meaning that they're between two networking connections, and we analyze the traffic for the purposes of internal detection.

In production, from the FTD line, we mostly have 2110s and 2130s because we have a lot of small sites, and we are starting to put in some 4110s. We only have FirePOWER here, but we don't use them most of the time as next-gen firewalls but more as an IPS.

Everything is on-premises. We don't use public clouds for security reasons.

How has it helped my organization?

When you put FTD between your internet and network units, you can get valuable insights about your encrypted traffic on the web, DNS traffic, and the like. It gives us statistics up to Layer 7.

Although I can't go into the details, the way the solution has helped our organization is more on the root-cause side when there is an incident, because we get very detailed information.

FTD's ability to provide visibility into threats is very good, if the traffic is clear. Like most companies, we have the issue that there is more and more encrypted traffic. That's why we use Stealthwatch instead, because we can get more information about encrypted traffic. But FTD is pretty good. It gives us a lot of details.

We put them in in-line and in blocking mode and they have stopped some weird things automatically. They help save time every day. We have 150,000 people all over the world, and there are times when computers get infected. It helps save time because those infections don't propagate over the network.

The fact that we can centrally manage clients for our IPS, and that we can reuse what we type for one IPS or one firewall, makes it easy to expand that to multiple sites and multiple devices. Overall, it has been a great improvement.

What is most valuable?

The IPS, as well as the malware features, are the two things that we use the most and they're very valuable.

Cisco Talos is also very good. I had the chance to meet them at Cisco Live and during the Talos Threat Research Summit. I don't know if they are the leader in the threat intelligence field but they are very competent. They are also very good at explaining complicated things easily. We use all of their blacklist, threat intelligence, and malware stuff on our FTDs. We also use the website from Talos where you can get web reputation and IP reputation.

What needs improvement?

For the new line of FTDs, the performance could be improved. We sometimes have issues with the 41 series, depending on what we activate. If we activate too many intrusion policies, it affects the CPU. We have great hopes for the next version. We have integrated Snort 3.0, the new Snort, because it includes multi-threading. I hope we will get better performance with that.

What do I think about the stability of the solution?

The stability depends on the version. The latest versions are pretty good. Most of the time, we wait for one or two minor version updates before using the new major version because the major versions go through a lot of changes and are still a bit unstable. For example, if you take 6.3, it started to be pretty stable with 6.3.03 or 6.3.04.

What do I think about the scalability of the solution?

Scalability depends on the site. At some sites we have ten people while at others we have a data center with a full 10 Gig for all the group. We have had one issue. When there are a lot of small packets — for example, when our IPS is in front of a log server or the SNMP servers — sometimes we have issues, but only when we get a peak of small packets.

How are customer service and technical support?

We've got a little history with tech support. We have very good knowledge within our team about the product now. We have a lab here in Montreal where we test and assess all the new versions and the devices. Sometimes we try to bypass level-one tech support because they are not of help. Now, we've have someone dedicated to work with us on complex issues. We use them a lot for RMAs to return defective products.

Which solution did I use previously and why did I switch?

In our company, we have used another firewall which we developed based on FreeBSD.

I, personally, used to work with Juniper, Check Point, and Fortinet. I used Fortinet a lot in the past. If you use the device only for pure firewall, up to Layer 4, not as an application or next-gen firewall, Fortinet is a good and cheaper option. But when it comes to a UTM or next-gen, Cisco is better, in my opinion. FortiGate can do everything, but I'm not sure they do any one thing well. At least with Cisco, when you use the IPS feature, it's very good.

How was the initial setup?

Setting up an FTD is a bit more complex with the new FTD line. They integrated the FXOS, but the OS is still not fully integrated. If you want to be able to fully manage the device, you still need to use two IP addresses: One for FXOS and one for the software. It's complicating things for the 4110 to have to, on the one hand manage the chassis and the hardware on one, and on the other hand to manage the logical device and the software from another one.

But overall, if you take them separately, it's pretty easy to set up and to manage.

The time it takes to deploy one really depends. I had to deploy one in Singapore and access the console remotely. But most of the time, once I get my hands on it, it can be very quick because we have central management with FMC. Setting up the basic configuration is quick. After that, you have to push the configuration that you use for your group IPS and that's it. My experience is a bit different because I lose time trying to get my hands on it since I'm on the other side of the world. But when I get access to it, it's pretty easy to deploy. We have about 62 of them in production, so we have a standard for how we implement them and how we manage them.

We have Professional Services and consultants who work with us on projects, but not for the deployment. We have our own data centers and our own engineers who are trained to do it. We give them the instructions so we don't need Cisco help for deployment. We have help from Cisco only for complex projects. In our case, it requires two people for deployment, one who will do the configuration of the device, and one who is physically in the data center to set up the cables into the device. But that type of setup is particular to our situation because we have data centers all around the world.

For maintenance, we have a team of a dozen people, which is based in India. They work in shifts, but they don't only work on the FTDs. They work on all the security devices. FTD is only a part of their responsibilities. Potentially we can be protecting 140,000 people, meaning all the employees who work on the internal network. But mostly, we work for international internal people, which would be roughly 12,000 people. But there are only three people on my team who are operators.

What was our ROI?

ROI is a difficult question. We have never done the calculations, but I would say we see ROI because of some security concerns we stopped.

What's my experience with pricing, setup cost, and licensing?

Cisco changed its price model with the new FTD line, where the appliances are a bit cheaper but the licensing is a bit more expensive. But that's not only Cisco, a lot of suppliers are doing that. I don't remember a lot of the licensing for Fortinet and Check Point, but Cisco's pricing is high, at times, for what they provide.

What other advice do I have?

FTD is pretty good. You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license. It's pretty good to have the Cisco and Talos teams working closely. I know Palo Alto has an similar arrangement, but not a lot of suppliers get that chance.

Our organization's security implementation is pretty mature because we try to avoid the false positives and we try to do remediation. We try to put threat intelligence over a link to our IPS next-gen firewalls.

Overall, we have too many tools for security in our organization — around a dozen. It's very complicated to integrate all of them. What we have done is to try to use the Elastic Assist Pack over all of them, as a main point of centralization of log information. The number of tools also affects training of teams. There are issues because one tool can't communicate with the another one. It can be very hard, in terms of technical issues and training time, to have everybody using all these processes.

We also use Cisco Stealthwatch, although not directly with the FTD, but we hope to make them work together. There is not enough integration between the two products.

Overall, FTD is one part of our security strategy. I wouldn't rely only on it because we've got more and more issues coming from the endpoints. It lets you decipher everything but sometimes it is very complicated. We try to use a mix and not rely only on the FTDs. But for sure it's great when you've got a large network, to give you some visibility into your traffic.

I rate it at eight out of ten because it's pretty good technology and pretty good at stopping threats, but it still needs some improvement in the management of the new FTD line and in performance.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
JT
Network Administration Lead at Forest County Potawatomi Community
Real User
Highlights and helps us catch Zero-day vulnerabilities traveling across our network

Pros and Cons

  • "The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through their IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network."
  • "The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it."

What is our primary use case?

We use them in multiple places on our network. We use them on the edge of our network, in more of the traditional sense for inbound and outbound filtering. We also use them as a center of our network between all of our users and servers, so that all user traffic going through our servers is IPS and IDS as well.

We have multiple Cisco 5000 Series firewalls and we also have a 4110 Series firewall, all running the FireSIGHT threat detection image. We keep that up to date within three months. If a new release comes out within three months, we're updating. The software deployment is on-prem.

How has it helped my organization?

We definitely feel that we're more secure now than we have been in the past. That goes back to those Zero-day vulnerabilities. An example would be some of the vulnerabilities with Adobe TIF files that were recognized. We run a document management system that wrote the extra, tailing zeros onto all the TIF files, and that was highly exploitable. The Cisco firewalls were able to catch that on the files traveling across our network and highlight it. Those are issues that, without the firewalls actually seeing the north-south traffic in our network, we just didn't have visibility into before. We were running blind and didn't even realize that we were vulnerable in those ways.

Cisco NGFW has excellent visibility through the constructs it has. New vulnerabilities come out and we have hit those multiple times thanks to their solution. We come in on a Monday and, all of a sudden, an application that was working on Friday isn't working. That's because a major vulnerability came out over the weekend. The firewalls, and being able to use the dashboards through FireSIGHT management, provide very good visibility into what's actually going on and why different items on the network are happening. Overall, I would say the visibility is very good.

In addition, among our multiple vendors for firewalls, etc., Cisco Talos really distinguishes Cisco from the Palo Altos and the Barracudas of the world. The work that they do to identify Zero-days and new threats out there, and then document all of that, is invaluable to our organization. I can't say enough about Cisco Talos.

What is most valuable?

The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through the IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network. Those items are capable being exploited although they were not actually being exploited. Being able to see what those exploits are, the potential for vulnerabilities and exploits, is critical for us.

What needs improvement?

Cisco firewalls provide us with some application visibility and control but that's one of those things that are involved in the continuous evolution of the next-generation firewalls. We have pretty good visibility into our applications. The issue that we run into is when it comes to some of the custom apps and unusual apps that we have. It doesn't give us quite the visibility that we're looking for, but we have other products then that fill that gap.

There would also be a little bit room for improvement on Cisco's automated policy application and enforcement. The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it. That's part of the reason that we don't do some of the policies, because management of it can be a little bit funky at times. There are other products that are a little cleaner when it comes to that.

For how long have I used the solution?

I've been using Cisco next-gen for at least four years.

What do I think about the stability of the solution?

Stability-wise, we haven't had too many issues. Before the next-generation firewalls, we used ASAs. In the 15-plus years that I've been using them I've only had one fail on me. Software-wise, we really haven't run into too many major bugs that we couldn't can get workarounds for by working with TAC. Overall the stability is excellent.

What do I think about the scalability of the solution?

Scalability is also excellent. I don't have any complaints about it. As long as you're willing to put the money forward, they are very scalable, but it's going to cost you.

Their ability to future-proof our security strategy is also very good. They continuously improve on and add items, functionalities, and features to their software.

User-wise, the government side of our organization doesn't have that many. There are maybe 1200 altogether. We had to upgrade our 5555s to 4110s and our 4110s are just about maxed out. We're pushing the max of the capabilities of all the equipment that we have. The 4110s average about eight gigabits a second all day long, for about 12 hours a day, through each of the devices. There are terabytes of traffic that go through those things a day.

We're always increasing the usage of these devices. They are the core of our network. We use them as our core routers and all traffic goes through them. They are the integral part, the center of our network. They're everything for us.

We have three people on our network team who maintain the entire network, including those devices. 

How are customer service and technical support?

Cisco's technical support is very good, overall. I've only run into one or two instances in the last 20 years where I came away with a negative experience. Those were generally unknown bugs but I didn't appreciate the way they handled some of those situations. But overall, Cisco's technical support is better than most companies'.

How was the initial setup?

We used the Cisco partner for implementation, but overall it seemed pretty straightforward. The deployment has been an ongoing thing. I'd say that we're never done with deploying our firewalls because of that constant state of change of the network. But the original deployment took four to five weeks.

For the ongoing deployment, the amount of time somethings takes depends on what we're doing. We had some 5555 firewalls and all of a sudden they were no longer capable of handling the traffic that we send through. We had to operate those with 4110s. It all depends on what's going through them and what the scope of the project is. But most deployments take less than a week.

There is also the fact that when you upgrade FireSIGHT to the next version and there are new features, you have to go through all the firewalls and make sure that they're utilizing all those features. That's one of the reasons it's always ongoing. It depends on what's released, what's new, what's old, and keeping up on that.

What about the implementation team?

The partner that we utilized was Heartland Business Solutions, in Wisconsin.

Our experience with them, overall, has been pretty good. When it comes to the Cisco world, our organization's mix of experience comes in. There are items that we can do outside of the partner because we have some very talented individuals that work for us, some Cisco Certified individuals.

One issue is that, in their business, Heartland is always trying to upsell. They are an intermediary, they play that middle guy all the time, but there are items that we're capable of doing that they push. They don't really allow us to just run with it because they want to get the engineer time and the tech time. They want to make revenue off of some items that we're capable of doing. That would be one issue with them.

Another item that is frustrating has to do with the way they manage our Cisco licenses and Smart Nets for us. I'll give an example. We have Cisco firewalls across our entire network. Every year we have to buy the subscriptions for malware, and URL filtering, etc., to get full utilization out of them. All of our firewalls are subscribed to the max when it comes to IPS, IDS, and file inspection. To get the licenses, they have to know how many firewalls etc. we have. We have an issue where one of our firewalls went down — it's in an HA so we're still up and functional — but it's still in a down state and we're working through it right now. We contacted them because all of a sudden we found out, hey, we don't have Smart Net. We pay them to manage our Smart Net contracts because it can be quite a hassle.

The question is, how can we not have Smart Net on a product that we know that we own. To get the subscription they know that we have X number of firewalls. When they renewed Smart Net they should know that there are that X number of firewalls in there, but there weren't. We run into a lot of that. We buy subscriptions for this, or there are yearly costs associated with that, but then when we match it up to Smart Net, we find out we don't have Smart Net on it or vice-versa. They have the numbers for subscriptions so they should be able to take those numbers and make sure that the Smart Net numbers match up with them. Or, they have the numbers for Smart Net and should be able to make sure we have the proper subscriptions lined up with it as well. That's been a frustrating point for us.

Other than those couple items, we had really good luck with them and they've been really good to us.

What was our ROI?

We have absolutely seen return on our investment. For example, before Cisco started doing the AMP for Endpoints, just as an example of Cisco security overall, we had Norton Antivirus on all of our workstations and we ran McAfee across all our servers. Our helpdesk and support staff were cleaning up anywhere from six to 13 malware-infested PCs a week. It was a full-time job for two individuals going around and continuously cleaning these, even though we had McAfee and Norton, which are supposedly some of the better ones out there.

After deploying AMP, we might have one incident every three months that our helpdesk or support has to deal with. We freed up two full-time individuals. AMP definitely has a cost, but then you look at the cost to end-users of not being able to use their PCs, or of the payroll department not being able to run their reports for payroll because the PC is too slow because it's infected with malware. 

So not only was there the cost of the two IT resources we gained, but other departments also gained hours back by not losing their PCs and devices.

What's my experience with pricing, setup cost, and licensing?

Our subscription costs, just for the firewalls, is between $400,000 and $500,000 a year. In addition, there is Smart Net, but the subscription base is the most substantial. 

In an environment like ours where you're only looking at a little over 1,000 users, when you start figuring out it all, it's basically $400 a user per year to license our Cisco firewalls. Cisco is very good. From everything I've seen, I truly believe that they lead the industry in all of this, but you do pay for it.

Which other solutions did I evaluate?

There have been evaluations of other products over the years. We do layer some of them to filter things through multiple product vendors, so if there ever is a vulnerability with Cisco, hopefully one of these other ones would catch it, or vice-versa.

But we have never evaluated others with a view to potentially replacing Cisco in our network. That's because of Cisco's being the largest network company in the world. When you have Cisco, it's hard to go away from them for any reason.

When it comes with the firewall side, one of the major differences does have to do with Talos. I've been involved in networks where Palo Altos have been broken and owned by hackers. I've been brought in to work on networks that way. The solution in those cases has been to replace with Cisco, to get control of what's going on. A lot of that has to do with Talos and their frequency of updates and how well they do with all of the security items. That's probably one of the main reasons that we don't ever look at a replacement for Cisco. We'll use other products in conjunction with it, but never to replace it.

What other advice do I have?

My advice would be: Don't let the price scare you.

I would describe the maturity of our company's security implementation as "working on it." It is an evolving process. When it comes to the Cisco product line, we try to keep it as up to date as possible when they release new products. An example would be their DNA Center which we're looking at installing in the next year. From a product standpoint, we're pretty well off. From a policy and procedure standpoint, that is where we're somewhat lacking in our organization.

In terms of the number of security tools our organization uses, we have a lot of them. From a software standpoint, we use tools from eight to 12 vendors, but there is more than one tool from each. We have anywhere from 30 to 40 security suites that we run across our environment. When it comes to hardware manufacturers, Cisco isn't the only one that we use. We use products from three different hardware manufacturers and layer our security that way. The way this number of tools affects our security operations is that there's a lot of overlap. But there are different groups that look at and use each set of tools. It works because that way there are always the checks and balances of one group checking another group's work. Overall it works pretty well.

In terms of other products and services we use from Cisco, we're a Cisco shop. We have all of their routing and switching products, AMP for Endpoints for security, Cisco Prime Infrastructure. We also have their voice and whole collab system, their Contact Center. We have their CUCM as well as Unity Connection. A lot of our servers are Cisco UCSs, the Blade Servers are in our environment. We have Fabric Interconnects, fibre switches. Pretty well anything network related is Cisco, in our environment.

We do layer it. We do have some F5 firewalls deployed in front of the Ciscos. We have had Barracuda firewalls in line as well, along with spam filters, so that we get that layered security.

Cisco's cross-platform integration and data sharing between their products are very key. Cisco is really good at that. It's nice to be able to see the same data through multiple product sets and be able to view that data in different ways. Cisco-to-Cisco is really good. 

Cisco integration with other products depends on the product and what you're trying to get out of it. Most of it we have to send through different SIEMs to actually get usable data between the two product lines. It depends on what we're doing. Every scenario's a little different.

As for automated policy application and enforcement, we actually bought a couple of other tools to do that for us instead. We're getting into Tufin software to do automations, because it seems like they have a little bit better interface, once they pull the Cisco information in.

Overall — and I don't want to get too full of Cisco because everyone's vulnerable in a way— we've had very few issues, even when a lot of these Zero-days are attacking cities and organizations, and there are ransomware attacks as well. We've seen items like that hit our network, but not have any effect on it, due to a lot of the Cisco security that's in place. It has been very strong in helping us detect and prevent all of that. Overall, it's given us a certain comfort level, which is both good and bad. It's good because we haven't run into the issues, but it's bad in the sense that our organization, a lot of times, takes it for granted because we haven't run into issues. They tend to overlook security at times.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Dave Cooper
Network Engineer at CoVantage Credit Union
Real User
For any internet-related event, it's saving us hours of time

Pros and Cons

  • "Once you add Firepower onto to it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering."
  • "In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth."

How has it helped my organization?

It's hard to judge how much time it saves our organization because it's doing things you don't realize. For example, when it's blocking web advertisements, when it's blocking phishing, when it's blocking geolocation, the time it saves is because of the things you might have had to deal with that, now, you don't. Any time we have some kind of internet-related event, it's definitely going to take us hours worth of time. We have to do an investigation, we have to report on it, we have to write something up. By protecting our environment it probably saves our security analysts a fair number of hours during the week.

What is most valuable?

It's the brick wall that keeps us from the bad guys. It does a lot of things. In the beginning when you just have a firewall, of course, it's your NAT and it's your Access Control List. It's the thing that allows traffic in and out. There is some routing involved in that too. But once you add Firepower onto to it and you start enabling some of its features, you get some IDS/IPS involved with it and you can even do web filtering.

We used to do some web filtering on the Firepower but we moved into Umbrella once we started. We do use Firepower for one piece of web filtering because Umbrella has yet to provide it: advertisement blocking. We don't allow our end-users to go into advertisements. If they're going to go to a site, they have to know what the site is, not just try to hit some kind of Google ad to get to it because those can be dangerous.

What needs improvement?

In Firepower, there is an ability to search and dig into a search, which is nice. However, I'm not a super fan of the way it scrolls. If you want to look at something live, it's a lot different. You're almost waiting. With the ASDM, where it just flows, you can really see it. The second someone clicks something or does something, you'll see it. The refresh rate on the events in Firepower is not as smooth. It's definitely usable, though. You can get a lot of good information out of it.

It's hard to stay on the bleeding edge on firewalls because you have to be careful with how they integrate with Firepower. If you update one you have to update the other. They definitely have some documentation that says if you're at this version you can go to this version of Firepower, but you need to be careful with that.

For how long have I used the solution?

We've been using Firepower for two to three years.

What do I think about the stability of the solution?

It's pretty stable. There are times where I'll get an email saying a process has stopped. But a few seconds later, they'll say it restarted it on its own. It's hardy enough that if it is having problems, it's bringing things back up. For the most part, it's been very reliable.

It's been really good. And even so, if I've had to reboot the actual appliance, I'll bring it back up and it's good to go.

What do I think about the scalability of the solution?

We haven't hit that issue of scalability. We have increased the amount of traffic through it and it's handled it, but I think that's also a product of the ASA as well. If the ASA is going to choke, Firepower is going to choke as well.

We're going to be bringing in two new firewalls, as early as the fourth quarter or first quarter of 2020, and those are going to be pure FTD appliances. We'll probably be using those a little bit more extensively. I don't think we're going to be using the SSL portion, but we'll probably have the IDS/IPS, and we'll probably have the AMP turned on. That's because with the endpoints, we're not sure if we're going to be able to install an antivirus, so we can at least watch that. We'll probably use most of the suite on it.

How are customer service and support?

I've always liked Cisco support. We're a pretty big Cisco shop, so you're not going to hear a lot of complaints from me about support. And not only that, but if I do have a problem with Cisco support, we get ahold of somebody - our customer-success people and the salespeople from Cisco who are focused on our organization - and we get help. It's very good.

Sometimes, I'll have to contact the first tier of tech support. I'll still open up a case. But in case that, for whatever reason, is not going to our satisfaction, at least we have a chain of command we can go through and talk to some different people. We might get it escalated if we're just not getting something fixed on time. But Cisco has very top-notch support.

Which solution did I use previously and why did I switch?

We've been with Cisco and haven't had anything else yet. We haven't had a desire to move in a different direction. We've stayed with it because of how good it is.

We were initially introduced to Firepower by a consultant. At that time, it was for the web filtering because the web filtering we had was awful. We were using Sophos. Without getting too derogatory, it was just awful. There was no alerting and it was very hard to manage, whereas this is really easy to manage. With Cisco, it was very easy to set up content groups, to allow some users to get to some stuff and other users to not get to it. That's where it really started. There weren't any pros to Sophos that weren't in Firepower. We got rid of Sophos.

How was the initial setup?

Our organization is a big believer in training, So I attended a five-day class on this. From that, I was able to set it up pretty easily.

We have a virtual appliance. Once it actually installs and we set IPs and got some of the base set up, it was done within about a day. But the time it takes will depend. We're not an organization that has 10,000 users. We're probably a medium enterprise, of about 400+ users, rather than a large enterprise, so our ruleset is comparatively small. As a result, it didn't take me as long as it might for some, a total of two or three days, and that's even with fine-tuning. But because we're still using the ASA and the ASDM, we still have those rules in the firewall. We're not really at the FTD point where all the rules are in there. If we were, to migrate it would probably take some time.

For me, it was relatively simple because of the valuable training I had. There are some good resources online, don't get me wrong. It was just nice to be able to do something hands-on at a place, in training, and then come back and be able to do it.

The neat thing is that the gentleman who taught us, instead of just teaching us the material from a book or even, "This is how you can pass the Firepower test," taught us how he would go into a Fortune 100 and set up an organization. I had almost a step-by-step lesson on how to keep going through the configurations to get to a finished product.

With a firewall, you're always coming back to it to tweak it a little bit. You might find, "Oh, I'm not getting the logging a lot," or, "Oh boy, this rule is doing this, but maybe I want to tighten it down a little bit more." But to get the base configuration, to get the objects in, it takes about a couple of days. At that point, you can at least have traffic going through it. You may not be blocking anything, but you can be monitoring things.

What about the implementation team?

It was just me.

What was our ROI?

The return on investment would be the fact that I'm just not spending a lot of time either searching for things or trying to stop what's coming in and out of our network. The return on investment is the time I would have to spend during the day looking at things versus it proactively doing its job.

What's my experience with pricing, setup cost, and licensing?

We're going to get to a point, not this year and not the coming year, probably going into 2021, where we're going to want to replace the ASA appliances with either virtuals or actual physicals. But the Firepower series of appliances is not cheap.

I just got a quote recently for six firewalls that was in the range of over half-a-million dollars. That's what could push us to look to other vendors, if the price tag is just so up there. I'm using these words "fictitiously," but if it's going to be outlandish, as a customer, we would have to do our due diligence and look at other solutions at that point.

In addition to that cost, there are licensing fees for some of the individual things like AMP, the IPS/IDS piece. It depends on what you want to use, such as the SSL piece and the VPN piece, which we don't use.

Which other solutions did I evaluate?

We haven't evaluated any other options. The only thing that may ever force us in that direction would be cost. Only if the cost of the solution got so large would we have to look at something comparable.

What other advice do I have?

The neat part about this is how Cisco continues to evolve its product line and help us stay secure, while still doing our day-to-day business.

My advice would depend on how you want to use it. What are you looking for Firepower to do?

Firepower added features that, until we introduced into our environment, we could not have done. We probably could have added a third-party product but we would hate to keep doing all that. It's nice to be able to have our products from the same organization because then, if something's really wrong, we can talk to the same organization as we're trying to troubleshoot something through our environment. We use Cisco switches, Cisco routers, we use ISE, and Umbrella. We have a lot of products through Cisco.

We use the ACLs. We use the intrusion side, just to watch traffic. We have used the malware and have actually caught stuff in there. We do have a DNS policy so that at least we can check to make sure someone's not going to a bogus site; things can get blocked for that, but Umbrella is really good at what it does. We also have it connected to our Active Directory so I can see which users are going where, and that is valuable. But I can also see that in Umbrella, so there's some overlap.

For managing the solution it's me and at least one other person. I'm the primary resource on it.

We used to use AMP for endpoints through the Firepower but we decided to discontinue that. We have AMP on all our endpoints but with all the other things we have, such as Umbrella, we were satisfied enough with the security we have. We didn't want two different things possibly stopping files instead of having one console area to be able to see those kinds of things.

Overall, I would rate Firepower at eight out of ten. Every product can improve. But for what we're looking to do, it does a very good job.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
ON
Managing Director at Fasp
Real User
User-friendly, easily managed, and scalable

Pros and Cons

  • "The most valuable feature of the Firepower solution is FireSIGHT, which can be easily managed and is user-friendly."
  • "I would like to see the inclusion of more advanced antivirus features in the next release of this solution."

What is our primary use case?

We are a reseller and system integrator, and this is one of the solutions that we provide for our end users. We have experience with many firewall products from different vendors.

The specific use case depends on the customer and their environment. They design the firewalls, and we supply the appropriate equipment.

The majority of deployments are on private networks.

What is most valuable?

The most valuable feature of the Firepower solution is FireSIGHT, which can be easily managed and is user-friendly.

What needs improvement?

The performance and the level of throughput need to be improved. This would make things easier for us.

I would like to see the inclusion of more advanced antivirus features in the next release of this solution.

Adding internet accounting features would also be a good improvement.

What do I think about the stability of the solution?

This solution is completely stable, and we have not had any issues.

What do I think about the scalability of the solution?

Scalability of this solution is ok. They have the IPS (Intrusion Prevention System), online updates, and signature updates.

One customer might have, for example, two hundred and fifty users, whereas another might have one hundred users. There are different models for different numbers of end-users.

How are customer service and technical support?

Technical support is ok, and we have had no problem with them.

How was the initial setup?

The initial setup of this solution is straightforward.

What's my experience with pricing, setup cost, and licensing?

The price of this solution is not good or bad. It is ok.

What other advice do I have?

This is a solution that I recommend.

The biggest lesson that I have learned from working with this solution is to always update the firewall. If you do not have the latest updates then it will not function well, so always keep it up to date.

I would rate this solution an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
YS
Senior Network Support & Presales Engineer at a tech services company with 51-200 employees
Real User
Offers an easy way to manage the devices centrally but not all of its features are supported

Pros and Cons

  • "I like the way Firepower presents the data. It gives you two classifications for the evidence, something based on the priority of the evidence and another classification based on the impact of the evidence in your environment. This makes it very easy to spot the evidence that is most impactful to my environment. Instead of having to go through all the evidence based on that priority, I can focus on the evidence that has the most impact on my environment."
  • "Also, they have a Firepower source file that I can work on the ASA device and on Firepower devices. A problem here lies in the way that you manage these devices. Some devices do not support the FMC, and some devices have to be managed through ASDM, and others have to be managed through FMC."

How has it helped my organization?

A lot of companies have a lot of vulnerabilities and lots of exploitations that are going inside their network that the IT staff are not aware of. You actually need a security device like a next-generation firewall to protect your network.

Once we installed the Firepower system, we started looking at the evidence, and we found a lot of exploitations and a lot of bad things that are in the network. These things were invisible to IT, they were unaware of any of them.

What is most valuable?

The Firepower Management Center is an easy way to manage the devices centrally. I guess this is something that all vendors provide so it's nothing special. I like the way Firepower presents the data. It gives you two classifications for the evidence, something based on the priority of the evidence and another classification based on the impact of the evidence in your environment. This makes it very easy to spot the evidence that is most impactful to my environment. Instead of having to go through all the evidence based on that priority, I can focus on the evidence that has the most impact on my environment.

Sometimes you might have a high priority event but it has nothing to do with your environment. You have a vulnerability. You don't have to treat a vulnerability as an attack. Since you're not vulnerable, it's not impactful to your environment so you don't have to focus on it. This is something that other products don't provide. 

It is very flexible. You can have the next generation firewall work as a physical connection or as a Layer 2 device. You can have a combination of Layer 2 and Layer 3, which is really good. 

What needs improvement?

There are quite a few things that can be improved. Firepower is an acquisition from another company, Cisco's trying to put it together. Their previous ASA code with the source file code that they have acquired a few years ago still has some features that are not fully supported.

Also, they have a Firepower source file that I can work on the ASA device and on Firepower devices. A problem here lies in the way that you manage these devices. Some devices do not support the FMC, and some devices have to be managed through ASDM, and others have to be managed through FMC.

Most of the high-end devices do not support Onboard management. The Onboard management is only supported on the 2100 IP at the 1050 Firepower and on select ASA devices that bear the Firepower image.

It would be very nice if the Onboard management integrated with all the devices. Log key loading for the evidence at the logs, because clearly you only have loading on the remote on the FMP, you cannot store the logs located on the device.

For how long have I used the solution?

I have been using this solution for around two years.

What do I think about the scalability of the solution?

We have several thousand employees at the company.

How are customer service and technical support?

Their technical support is good. 

How was the initial setup?

The initial setup was straightforward. 

What's my experience with pricing, setup cost, and licensing?

The pricing is overrated. Prices for Cisco equipment are always a little bit higher than other vendors. Customers are always complaining about the high prices of Cisco equipment, so it would be very good if these prices can be lowered down, but that's how it is. Cisco equipment usually has higher prices than its competitors.

What other advice do I have?

I would recommend this solution to someone considering it. I would recommend to study and know what the requirements are exactly. One of the things that might be a problem, or might be a complex thing to do is to go through Cisco Firepower, because Firepower is a software that's complex to explain to somebody. There is the previous ASA code that Cisco had and there is the source file that they acquired. Cisco started to send it as ASA Firepower services. Then they combined the two codes together and they started to send a new code called the Firepower Threat Defense, FTD.

Any customer who wants to buy it needs to understand all of these options and what the limitations of each option are, the pros and cons. Any customer who wants to deploy Firepower needs to understand what Cisco has to offer so he can choose correctly.

I would rate it a seven out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Al Faruq Ibna Nazim
Head of Technology at BDPEER Ltd.
Real User
Enables us to monitor and confirm all of the traffic coming in or going out of our network

Pros and Cons

  • "Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching."
  • "One feature lacking is superior anti-virus protection, which must be added."

What is our primary use case?

Cisco has a new general firewall: the Firepower NGFW. If you take a look at the Cisco Firepower product line, they have three models available:

  1. A low-scale model: the 2000 series
  2. A high-end model: the 4000 series
  3. The carrier-grade model: the 9000 series

We have already used the 4000 and 2000 series over here. We've been using this solution in Bangladesh for some customers over the last eight months. 

We've been using FPR 2110, 2120, 2130, & 2140. We also employ the FPR 4130 and 4140. We have been using this equipment on our last few projects. We used it as a transfer and for firewalling. The most recent one we are using for firewall support as well.

How has it helped my organization?

I have a two-part business. First, we provide solution services as a vendor for multiple customers working as a consulting firm. I'm providing multiple customers with support on-premises for Cisco products right now.

We are not able to use these products internally in our company. The second part of the business is my status or core business which is basically operating as a software solution provider.

I have personally engineered these Cisco firewall solutions for clients. When we implemented it, it was easy. We have to maintain high-end abilities in order to ensure the availability of high-end support for the clients. I generally have to look at everything. Later on, we were able to upgrade the Cisco Firepower NGFW easily. We were able to connect from the beginning to implement the complete number of files in the system. 

What is most valuable?

Cisco Firepower NGFW is really easy to use right now to determine when my file requires a shift from primary to secondary status, and it can be done with automation. Earlier we used to do this with patching.

I would say the Cisco Firepower NGFW actually gives superior intelligent behavior to transfer its active/passive infrastructure. Overall, Cisco Firepower NGFW has been a good power element in our systems due to its central location.

What needs improvement?

I would say when Cisco is selling something called a firewall, they put a lot of services together to make a single box solution. When a company develops a firewall, they need to develop certain features like intrusion control and offer it pre-loaded in the product. 

On the mix of projects that I am responsible for, I feel comfortable using the Cisco firewall for management. One feature lacking is superior anti-virus protection, which must be added.

I have to say I am very proud of the Cisco Firepower 41400 as it can give you multiple layers of four-degree connectivity in operations. 

We do not use the Cisco 9000, but even the lower level firewalls are pretty expensive, considering the features and software included.

In summary, we would like Cisco to provide more features inside regarding network trafficking forecasting. Ideally, the belief is that this would add an immediate resolution.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

So far we haven't encountered any stability problems. You should have a lot of patches to apply to update the firmware. You can understand the firewall in less than a week.

We had some fraud introduced with our last box when Cisco produced an upgrade. The updated policy agreement was based on the wrong purchase date information. 

The faster integration that is available in our region is pretty smooth for the Cisco firewall right now. I haven't found that much of a limitation to any service. 

I used to have a lot of issues with firewall support. Now, I keep a good state of mind with Cisco. I can expect my capabilities going out of range eventually if we don't upgrade. 

Cisco has its own cloud platform. I am able to see a single dashboard with all of my firewall activities and network performance under diagnostics, which is really helping us out.

What do I think about the scalability of the solution?

I would put the Cisco Firepower NGFW firewall into Transport mode, as you can do with most firewall systems for scalability. We used to have about 60% of our users on hold during six-week events. We still have certain problems without a firewall, but these days with the Cisco Firepower, we have over 80% of the load working.

As the customer integrator for enterprise contracts, we've been able to introduce Cisco Firepower to around 10 of our new customers in Bangladesh. At least 50 of the previous Cisco customers are still using the firewall solution right now under our support.

These are enterprise customers who require Cisco firewall support. We used to have a specialty in that which is really like the holy grail in rocket science. It used to be like that but now with Cisco's enterprise user base, we offer operational system support to reduce complexity a lot. It's really easy. It's not like you have to be a specialist.

How are customer service and technical support?

In Bangladesh, we had a little issue with Cisco technical support. We run our own sidebar operations, so I am not so satisfied with Cisco customer support. 

Cisco Firepower devices have created a lot of differences with due dates over our service contract. Consequently, we don't really bother anymore with Cisco technical support. Bangladesh has a really good tech scene. That is the reason we are not that concerned about Cisco product support anymore. It's okay. We handle it our own.

Which solution did I use previously and why did I switch?

We previously used Cisco ASA as a firewall.

How was the initial setup?

The setup with the Cisco Firepower NGFW is very easy. I have used other networking and firewall equipment previously, including Juniper. I've implemented other solutions and those were really tricky compared to Cisco.

The Cisco firewall system has eliminated all our network setup problems. Earlier when we used other products for firewalls, it was very complex to set up. Cisco firewalls from the beginning have eliminated all of the difficult parts of the initial deployment. 

All you have to do is pull your management together and communicate to your team to follow the documentation provided by Cisco. Altogether, it is easy for our team to install the Cisco firewall products.

What about the implementation team?

I did the installation myself and it took 48-50 hours, approximately, in the Transfer mode. We had a further two-hour window of augmenting and transforming the data. We were able to do that successfully. Eventually, we were able to transform the entire network setup.

What's my experience with pricing, setup cost, and licensing?

The license in my country is available to subscribe for three years or one year. We wanted to go with the solutions for embedding a two-year subscription, but this was not possible.

The Cisco licensing agreement in Bangladesh is different than the one in India and in Dubai. It is not a problem, but if you want to subscribe to the yearly subscription, the original cost is really high. Also, if you go for an anti-virus, you pay for an additional yearly subscription. 

When we push customers to implement Cisco solutions, they can manage the subscription cost of Cisco internally to access these important solutions long term. Our clients have been able to secure surprisingly efficient service with the Cisco Firepower NGFW firewall solution.

Which other solutions did I evaluate?

This fall, we evaluated firewall equipment from Juniper Networks. This is a limitation for Cisco, as their pricing is too high. The fact is when I need to install and manage an enterprise network, Cisco has the capability of having support for the IC Treadway standards. Furthermore, I can actually manage my entire enterprise network in one dashboard. 

If I bring in tech from the outside, like Palo Alto Networks equipment, that won't be able to integrate with my regular Cisco environment. 

With Cisco devices, it was easier for me to grab the assets required on the network for installation. With other solutions providers, good luck managing that with any ease.

What other advice do I have?

In my opinion, I would rather ask everyone to have a simple network. If you need multiple networking lines, like for the Cisco ASA or the Firepower NGFW, make sure you have ample tech support. 

There are many issues with connectivity in firewall systems, but Cisco quality is good. The connectivity of your network can really reduce your complexity over firewalls. 

I would suggest if you want to configure a complicated network scenario, go for a next-generation firewall. I would also suggest making your firewall options go to Cisco as they have some influential products right now. 

Once you are pushing the Cisco firewall, you'll be able to actually monitor and confirm each and every traffic coming in or going out of your network. 

Palo Alto Networks or Juniper Networks firewalls are ideal, slightly better than Cisco. They are not as easy as Cisco to use right now, but considering the cost and everything else, Juniper Networks equipment is really good. 

The fact is you need to consider just what you're achieving when you put in Cisco firewalls and implement Cisco routers.  For those on the verge of a new purchase, I would say that going for an expired model of firewall is definitely a good buy.

I would rate the Cisco Firepower NGFW with an eight out of ten points.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
OC
Network Engineer at IT Security
Real User
Supports a secure environment and has easy administration

Pros and Cons

  • "An eight because it's a good security solution. It's more mature than its competitors."
  • "The security features in the URL category need more improvement."

What is our primary use case?

Our primary use case is to support a security environment. It has performed well.

How has it helped my organization?

I am a security business of consultant. I deploy this solution for our customers. 

What is most valuable?

I like the easy administration.

What needs improvement?

It could use more of a system interface.

The security features in the URL category need more improvement. 

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It performs very well. 

What do I think about the scalability of the solution?

Scalability is good. 

How are customer service and technical support?

Cisco has the best technical support. 

Which solution did I use previously and why did I switch?

I worked with Check Point, but Cisco Firepower is better. It was an easy transfer to this solution. We chose Cisco because of its trustworthy reputation. They're a big, recognized brand.  

The most important criteria that we consider when evaluating a solution are performance, administration, and price.

How was the initial setup?

The initial setup was easy and simple. 

What other advice do I have?

I would rate this solution an eight out of ten. An eight because it's a good security solution. It's more mature than its competitors. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PR
Information Systems Manager at a non-profit with 1-10 employees
Real User
Top 5
Traffic comes into the house and gets filtered in and out the Firepower interface

Pros and Cons

  • "Because of the deeper inspection it provides we have better security and sections that allow users broader access."
  • "Cisco should redo their website so it's actually usable in a faster way."

What is our primary use case?

Our primary use case is for handling office traffic VPN tunnels and filtering the traffic. All the traffic comes into the house and gets filtered in and out the Firepower interface. It's performed well.

How has it helped my organization?

Because of the deeper inspection it provides we have better security and sections that allow users broader access.

What is most valuable?

With this solution, you can have an inspection of each package and see what the threat level it's at. It has made the work more dynamic. We don't have to block as much like we had to in the old days.

What needs improvement?

They should develop a web interface that is actually useful. Currently, we still have an issue where you have to go in and do manual configuring by the command line if you want certain functions in it. This means that we need to find people at a higher technical level to be able to do changes in those things. It would be much easier if you had a more friendly user interface basis where you don't have to go in and do the command line off.

They should be a little bit faster sometimes in updating their threat protection. Cisco should redo their website so it's actually usable in a faster way.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

Stability is fantastic. 

What do I think about the scalability of the solution?

We are a rather small firm so we don't have much growth leads but there is a wide range of firewalls that I can expand onto. We can also set up cluster solutions. It's rather indefinite in its expandable possibilities.

How are customer service and technical support?

I've only had to use their technical support once. Otherwise, I haven't had to use them.

Which solution did I use previously and why did I switch?

We were using SonicWall before.

How was the initial setup?

The initial setup is very complex but once it's done, it's fantastic. 

What other advice do I have?

I would rate it a nine out of ten. Not a ten because of the horrible initial setup and because you can't handle all operations from one interface. You have to go back into the command line to even be able to type program language, even though you have a graphic user interface for it but it doesn't work properly.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
GZ
Data Center Architect at Fronius International
Real User
Has the full package that we're looking for but the features aren't stable enough for us to use

Pros and Cons

  • "We chose Cisco because it had the full package that we were looking for."
  • "The stability and the product features have to really be worked on."

What is our primary use case?

Our primary use case of this solution is for firewalling. 

How has it helped my organization?

We have been using Cisco for a long time, and we use Firepower to replace other systems. It hasn't really been an improvement, but there are many features we want to use in the future. We haven't seen much improvement because we only installed it a short while ago. 

What is most valuable?

It has many features but not all of them work. The features aren't stable enough for us to use them. The most valuable features are the firewalling and the deep inspection. 

What needs improvement?

The stability and the product features have to really be worked on.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability is getting better but we had some firmware issues. 

What do I think about the scalability of the solution?

The scalability is good. We have scaled it but at a normal gross so it's not very high. We have designed it for our use case and we have the option to scale but we don't use it at the moment.

Which solution did I use previously and why did I switch?

We chose Cisco because it had the full package that we were looking for. 

How was the initial setup?

The initial setup was of normal complexity. It's not straightforward, and because we started so early, the migration tools were not so good at the beginning.

What about the implementation team?

We implemented through our partner and had a good experience with them. 

What other advice do I have?

Customers should take note that the migrations steps are not easy. The tools cannot solve all configurations and handle all configurations directly so you will have to do some coding by yourself. The solution is not complete at the moment but it will get better.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ali Abdo
Technical Manager at a comms service provider with 1,001-5,000 employees
Real User
Gives more visibility into what's going on when traffic comes in and goes out from the company

Pros and Cons

  • "Stability is perfect. I haven't had any problems."
  • "I would like for them to develop better integration with other security platforms."

What is our primary use case?

My primary use case for this solution is for Internet access for the enterprise or for users, publishing, email, and to protect our network.

How has it helped my organization?

Before Firepower, we didn't have any visibility about what attack was happening or what's going on from the inside to outside or the outside to inside. After Firepower and the reporting that Firepower generates, I can see what's going on: which user visits the malicious website, or which user uploaded or downloaded malicious code, and what the name of the code is and from which country. This is very useful and helpful for me to detect what's going on. It enables me to solve any problem.

What is most valuable?

They give me more visibility of what's going on when traffic comes in and goes out from the company or comes in from the outside. I can see what's going on with this traffic, which is a nice feature. I also like the malware inspection and management of the dashboard features. The management of the dashboard is different from the old Cisco Firewall. This management brings everything together into one management platform. 

What needs improvement?

I would like for them to develop better integration with other security platforms. I would also like for them to make the Cloud configuration easier. 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Stability is perfect. I haven't had any problems. 

What do I think about the scalability of the solution?

Scalability is great. We have around 1,500 users. 

How are customer service and technical support?

Their technical support is good. I opened a ticket when we did the installation. We didn't have any issues with them.

Which solution did I use previously and why did I switch?

We were previously using Cisco ASA without Firepower. We switched to Cisco Firepower because Firepower has more features, like malware inspection, and more possibilities with identity management.

How was the initial setup?

The initial setup was a little complex. We required three staff members for deployment and maintenance.

What about the implementation team?

We implemented ourselves. Deployment took around six months. 

What's my experience with pricing, setup cost, and licensing?

It's more expensive than Fortinet and Juniper. The price is high compared to other vendors. In general, for the license, it's not that expensive.

Which other solutions did I evaluate?

We also evaluated Fortinet and Juniper.

What other advice do I have?

I would advise someone considering this solution to subscribe to the URL filtering and to use malware inspection.

I would rate this solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
EE
Senior Data Scientist & Analytics at a tech services company with 11-50 employees
Real User
Supports application visibility and control, and it has great deep packet inspection

Pros and Cons

  • "The architecture of FTD is great because it has an in-depth coverage and because it uses the AVC, (Application, Visibility, and Control) and also rate limits. Also, the architecture of fast paths is great."
  • "The license system is also good but it's not very impressive. It's a very regular licensing system. They call it a smart license which means that your device will connect to the internet. This is a little bit of a headache for some customers. It doesn't make the customer happy because most of the customers prefer not to connect their firewall or system to the internet."

What is our primary use case?

We are currently using version 6.3. Our primary use case of this solution is to put Firepower inside of the data center and at the Edge network.

How has it helped my organization?

This solution has improved my organization. I'm a solution provider and so I deploy in many different companies that are my customers right now. Before Firepower, we had some problems with the architecture of the firewall. Firepower can support two types of intelligence identity: it can support the application visibility and control, and it has a great deep inspection in the packet. Before this solution, we had some problems with malware detection. Right now, we can easily detect and filter all the applications. Before this solution, we never had any file trajectory, but right now we do, according to the file trajectory of Firepower that we have after attack solutions. 

We never had any solution or any workaround for after an attack. We never had any clue what the source of an attack was or how the attack could affect the company. Right now, because of the file trajectory and the great monitoring that FMC does, we know what's happened so we can analyze it after an attack.

What is most valuable?

The architecture of FTD is great because it has an in-depth coverage and because it uses the AVC, (Application, Visibility, and Control) and also rate limits. Also, the architecture of fast paths is great.

What needs improvement?

I would like to see real-time log systems because it's very helpful when you want to troubleshoot.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

Stability really depends on the software that you use. If you use the suggested software that Cisco suggests, you will see a highly robust and highly stable system. A crash or block will never happen to you. It really depends on the version that you are using. Definitely check the release notes before installation.

What do I think about the scalability of the solution?

I've worked with the 2000 series, the 4000, and the 9000. The 9000 series is really impressive because it's absolutely scalable for large deployments.

How are customer service and technical support?

I haven't had to contact their technical support. 

Which solution did I use previously and why did I switch?

We previously used ASA, which is a regular firewall. We switched to Firepower because it has a lot of features. It is one of the best firewalls in the world so we shifted to Firepower.

What about the implementation team?

The time it takes to implement depends on the policy of the customer. Practically speaking, it takes around three to four hours to deploy, but it can depend because the Firepower solutions have two parts. One part is the hardware, it is an actual firewall and actual device but the monitoring system and the control system is a software called FMC. Most of the customers deploy it over VMware. The time of deployment really depends on your resources, but on average will take three to four hours.

At least two to three people with professional knowledge, around three years of experience, are needed for the deployment and maintenance, not only for Firepower but in every security solution. The device is doing something, but the most important part is analyzing it. The device can give you logs, but the engineer should analyze the log and do something.

Deployment without inspection can require only one person but if you want to analyze the IPS, at least two people will be needed.

What's my experience with pricing, setup cost, and licensing?

Based on the services that you will get, especially the AMP license, the price is very reasonable. The license system is also good but it's not very impressive. It's a very regular licensing system. They call it a smart license which means that your device will connect to the internet. This is a little bit of a headache for some customers. It doesn't make the customer happy because most of the customers prefer not to connect their firewall or system to the internet.

What other advice do I have?

I would advise someone considering this solution to just read the release notes before doing anything. You should know what the exact architecture is and what the exact details of the software are before trying to deploy it.

I would rate this solution a ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IY
Assistant Manager (Infrastructure) at SISTIC
User
It has improved the security posture and visibility of our traffic, but it could use more predefined security templates

What is our primary use case?

E-commerce environment, Enterprise data center.

How has it helped my organization?

It has improved the security posture and visibility of our traffic. It has been proven very reliable on the hardware finishing and network portion. Since Cisco have been very experience in networking.                                                                                                                                                                                   

What is most valuable?

  • Snort IPS with recommendation template
  • Extendable hardware module
  • Straightforward licensing
  • Cisco product integration

What needs improvement?

  • I would like to see more improvements made to the dashboard and UI, as well as to the reporting, the reporting is quite limited and not user friendly. 
  • I would like them to consider offering more predefined security templates.
  • Technical support product knowledge, licensing portal, activation process will need to be improved. 
  • The configuration is not straightforward, Cisco will need to improve this so the user can easily pick up the product.
  • Bugs are more than other firewall competitors, some bugs are quite serious. 



    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    Yes, we found some firmware bugs and Cisco took some time to fix them. We needed to escalate the issue to the account manager to expedite the escalation process.

    What do I think about the scalability of the solution?

    No.

    How are customer service and technical support?

    A five out of 10.

    Which solution did I use previously and why did I switch?

    How was the initial setup?

    Complex in configuration and understanding. It would be very challenging for a non-Cisco trained engineer.

    What about the implementation team?

    We implemented ourselves with some assistance from the vendor. Some vendor are not expertise in this deployment, possible because of the complexity of the product.

    What's my experience with pricing, setup cost, and licensing?

    Base hardware cost are average. Additional hardware modules are priced higher than the base module. They also offer very clear licensing and pricing.

    Which other solutions did I evaluate?

    Check Point, FortiGate, Palo Alto, SonicWall, Huawei, and Sophos.

    What other advice do I have?

    Cisco is still a very good hardware manufacture, but they need to catch up on the software portion. We used the Cisco product because we know they tried very hard to get back into the market and we were willing to give them a chance since we are still using a lot of Cisco product. For those who are non-Cisco trained, it would be very hard to pick up.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    NC
    Technology Associate at a financial services firm with 1-10 employees
    Real User
    The most valuable features are the IPsec VPN and web filtering. It seems very clunky and slow.

    Pros and Cons

    • "The most valuable features are the IPsec VPN and web filtering."
    • "It seems very clunky and slow. I would like to be able to tune it to be a more efficient product."
    • "I would like the ability to pick and choose different features of it to run in a packaged infrastructure or modules, therefore I would like to have more customizability over it."
    • "The use of it has really bogged down our response time for certain problems, given we have to go through AT&T for everything."

    What is our primary use case?

    Our primary use case is as a firewall and using it for web filtering. We use IPsec VPN services on it, as well as the router.

    I have been using the product for only a few months, but the company has been using it for a couple of years.

    How has it helped my organization?

    The use of it has really bogged down our response time for certain problems, given we have to go through AT&T for everything. I don't think really highly of it, though.

    What is most valuable?

    The IPsec VPN and web filtering.

    What needs improvement?

    I would like the ability to pick and choose different features of it to run in a packaged infrastructure or modules, therefore I would like to have more customizability over it. 

    It seems very clunky and slow. I would like to be able to tune it to be a more efficient product.

    For how long have I used the solution?

    Less than one year.

    What do I think about the stability of the solution?

    It has generally been okay in terms of stability. We haven't had it go down, but we do have some interruptions. I don't know if it is the ISP or the firewall. We have more frequent network disruptions, and other branches call in telling us that they are unable to use their services to do their job. Unfortunately, we can't really do anything about it. It just clears up in about five or six minutes. In terms of stability, I would give it a seven and a half out of 10.

    What do I think about the scalability of the solution?

    I don't see it being very scalable. I don't have access to the actual interface on it. However, it is an older product, so it probably doesn't have high availability features. So, it's scalability is probably limited. I know that we kind of put it through the ringer with our fewer than a hundred connections into it.

    How is customer service and technical support?

    AT&T handles our technical support, since it's leased through them.

    How was the initial setup?

    I was not involved with the initial setup.

    What's my experience with pricing, setup cost, and licensing?

    We pay a lot of money for it.

    For big organizations who are used to throwing around a lot of money for absolutely surety, this would probably be a good fit for them. For the average SME, this particular firewall system, as well as Cisco in general, this product would not be a good fit for them.

    Which other solutions did I evaluate?

    We are currently looking at WatchGuard, pfSense, and Fortinet FortiGate. Netgate would provide the hardware.

    We have still got nine months left on our contract with AT&T before we can actually do anything. We are just trying to do as much research and ask as many questions as we can before we get to that point.

    What other advice do I have?

    We just don't have a lot of the control or customizability that we would like to have over the system. A lot of this has to do with how AT&T is handling the access to it. Also, the hardware is outdated. We would like to go with a product in which everything is very transparent, clear, organized, all in the same place, and we can monitor clearly. The reason that we are looking to change is price: We pay a lot for it. If we had more control over it, we would be better able to control the quality and performance of the network and services, as well as the budget.

    The most important criteria when selecting a vendor:

    • IPsec VPN
    • Good stable connection
    • Failover support: We need to have dual-WAN, so we can get two WAN connections in there and have failover. 
    • Load balancing would be good, especially for those rough patches. 
    • Internal web filtering and blocking: We need to be able to control what our end users are looking at.
    • Monitoring: As much monitoring as we can get.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PT
    Support Engineer at a tech services company with 51-200 employees
    Reseller
    We can shift traffic, block certain content, or redirect policies

    Pros and Cons

    • "We can shift traffic, block certain content, or redirect policies."
    • "We would like to see MS Word BPM as a feature."

    What is our primary use case?

    It's primarily for managing our employees. So far, it has been working great. We don't have many problems.

    How has it helped my organization?

    It gives us all the features that we need.

    What is most valuable?

    We can shift traffic, block certain content, or redirect policies.

    What needs improvement?

    We would like to see MS Word BPM as a feature. 

    For how long have I used the solution?

    Three to five years.

    How are customer service and technical support?

    We don't use the technical support too much. It is not good, especially for Latin America. Therefore, we employ people who have skills or certifications, using them for technical support.

    Which solution did I use previously and why did I switch?

    We started with Cisco Firepower.

    How was the initial setup?

    It was a bit complex to set up. However, after some practice, it was not too difficult.

    What's my experience with pricing, setup cost, and licensing?

    It is a great solution for medium or big enterprises, not so much for small businesses, mainly due to the financial costs. Cisco Firepower is a great solution, but it is expensive compared to others that can provide similar benefits for much less.

    What other advice do I have?

    Most important criteria when selecting a vendor:

    • Quality of the product
    • Cost.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    asstmana149958
    Asst.Manager IT at a manufacturing company with 501-1,000 employees
    Real User
    Blocks threats from the application layer

    Pros and Cons

    • "The GUI is among the most valuable features,"
    • "It could use a web-based portal for VPN. Earlier they had it in the ASA model, but currently they don't have it."

    What is our primary use case?

    The primary use is to block incoming threats from the internet, at the edge of the network.

    It's performing well. We check the report of blocked pages, blocked attacks, etc.

    How has it helped my organization?

    Previously, we only had a normal firewall, it was not next generation. It was not blocking many of the threats from Layer 7, the application layer. Now, this solution has IP, an intrusion prevention system, and because of the URL filtering, it can block other malware. It seems with the cloud database and the signatures, it compares the receiving files, then it blocks the URLs, making us more secure.

    What is most valuable?

    All the features are good. The GUI is among the most valuable.

    What needs improvement?

    It is on multiple boxes so ISP load balancing, multiple network load balancing would be helpful.

    Also a web-based portal for VPN. Earlier they had it in the ASA model, but currently, they don't have it. The user needs to just click on the link so he can work.

    What do I think about the stability of the solution?

    It is quite stable, it is able to detect. But the malware part should probably be upgraded. Performance-wise it is good and it has a long life.

    What do I think about the scalability of the solution?

    It has limits. If your network is going beyond it, then you'll have to replace it with higher model.

    How are customer service and technical support?

    Technical support is good.

    Which solution did I use previously and why did I switch?

    We have been using Cisco for a long time, various models. We had PIX, then ASA. We were quite comfortable with the performance, it never failed. But our old solution was coming to end-of-life. Also, this is able to more block more threats from the application layer, etc.

    The most important criteria when selecting a vendor are 

    • reputation
    • technology
    • features
    • cost.

    How was the initial setup?

    The initial setup was a bit complex.

    What other advice do I have?

    My advice would depend on what your comfort level is. If you have already used Cisco, I would recommend this, to evaluate it at least. Evaluate it and learn how useful it is.

    It gives good performance, the technology is quite good, sufficient for our objectives, protecting our network, etc. The missing two points are because they have to do make more improvements.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user886188
    Presales Engineer
    Real User
    Monitoring via the dashboard enables customers to see what is happening in the system

    Pros and Cons

      • "It's lacking one feature: VPN. Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good."

      What is our primary use case?

      The use case has been for the banking sector, for one of our banking customers. According to them, it's working perfectly.

      What is most valuable?

      Monitoring, of course - the dashboard. It enables you to see what is happening.

      What needs improvement?

      It's lacking one feature: VPN. That is a feature we're looking for. Otherwise, the new devices have very good support, and the performance is quite good.

      Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      So far, since we installed it, there have been no issues.

      What do I think about the scalability of the solution?

      In terms of scalability, it is really expensive. It is scalable, but when it comes to pricing, the upgrading is a bit high.

      How was the initial setup?

      It's not straightforward. You need to know what you're doing, you need to be trained. I don't know for other vendors whether it's the same issue, but for Cisco you have to be trained on the system.

      Which other solutions did I evaluate?

      Check Point and Fortigate. Generally, our customers choose Firepower because they've seen the system work somewhere before, and they see it is stable and working perfectly. Those are the reasons they opt for Firepower.

      What other advice do I have?

      There are other solutions, like Fortigate, which are very good solutions, and cheaper for the customer. Even the support via subscription is favorable, in terms of pricing. I would really advise the customer to do some research first and come up with the best solution for their needs

      I rate Firepower as an eight out of 10. It is a good solution but it is expensive compared to other products, like Fortigate. Still, some of our customers do prefer Firepower over the others.

      Disclosure: My company has a business relationship with this vendor other than being a customer: Solutions provider/integrator.
      DH
      ‎Senior Vice President at a transportation company with 51-200 employees
      Real User
      Enables securing of various network segments based on use, but there are integration issues

      What is our primary use case?

      We use it as a firewall and it has performed adequately.

      How has it helped my organization?

      It allows the securing of various network segments, based on use.

      What is most valuable?

      DMZ segmentation, and IDS and IPS.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      It is fairly stable. However, Cisco suffers from some integration issues with other products, but this product, as a standalone, is fine. There is a problem with the Cisco Catalyst Switches in terms of assembling bursts and having them interact properly with the Cisco Firepower.

      What do I think about the scalability of the solution?

      The scalability is good.

      How are customer service and technical support?

      Tech…

      What is our primary use case?

      We use it as a firewall and it has performed adequately.

      How has it helped my organization?

      It allows the securing of various network segments, based on use.

      What is most valuable?

      DMZ segmentation, and IDS and IPS.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      It is fairly stable. However, Cisco suffers from some integration issues with other products, but this product, as a standalone, is fine. There is a problem with the Cisco Catalyst Switches in terms of assembling bursts and having them interact properly with the Cisco Firepower.

      What do I think about the scalability of the solution?

      The scalability is good.

      How are customer service and technical support?

      Tech support has been good.

      Which solution did I use previously and why did I switch?

      We've been using Cisco. Prior to this it was Cisco ASA. This was the next evolution.

      When selecting a vendor it is important that they have positive industry feedback, that they are a visionary leader.

      How was the initial setup?

      I was involved in the initial set up and it was complex.

      What other advice do I have?

      I give this solution a seven out of 10. Some of the tools are still a little bit difficult to use.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Yasir Al-Musawi
      Network Security Specialist at a financial services firm with 501-1,000 employees
      Real User
      It is easy to create interfaces and routing, but the product needs real-time logs

      What is our primary use case?

      Currently used for at our disaster recovery site as our internal firewall, not a lot of services are running through it. We are still going around learning how to use it.

      How has it helped my organization?

      Since we have used Firepower firewall, we are facing issues of getting real-time logs, as they are not available with the latest version.

      What is most valuable?

      It is easy to create interfaces and routing, which all can be done at the GUI level. For now, we are still going around the services and will add more in the future.

      What needs improvement?

      The product needs real-time logs to be able to monitor our services, so we can know if any our services have been blocked via the firewall or on the application side.

      For how long have I used the

      What is our primary use case?

      Currently used for at our disaster recovery site as our internal firewall, not a lot of services are running through it. We are still going around learning how to use it.

      How has it helped my organization?

      Since we have used Firepower firewall, we are facing issues of getting real-time logs, as they are not available with the latest version.

      What is most valuable?

      It is easy to create interfaces and routing, which all can be done at the GUI level. For now, we are still going around the services and will add more in the future.

      What needs improvement?

      The product needs real-time logs to be able to monitor our services, so we can know if any our services have been blocked via the firewall or on the application side.

      For how long have I used the solution?

      Less than one year.
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user697185
      Consultant
      Consultant
      Management Console and user profiling to define activities are key features

      Pros and Cons

      • "Management Console and user profiling to define activities."
      • "As it’s a GenX firewall, expertise for both implementation and troubleshooting the pain points can be a challenge. This could be a concern when companies are thinking about buying this product."

      How has it helped my organization?

      It’s too early to say anything about this, as it’s still under implementation.

      What is most valuable?

      Management Console and user profiling to define activities.

      What needs improvement?

      As it’s a GenX firewall, expertise for both implementation and troubleshooting the pain points can be a challenge. This could be a concern when companies are thinking about buying this product.

      For how long have I used the solution?

      Still implementing.

      What do I think about the stability of the solution?

      Yes, unexpected failure and no RCA provided by the OEM.

      What do I think about the scalability of the solution?

      Still working on this.

      How are customer service and technical support?

      Technical support from OEM is a six out 10, as RCA report has still not been shared to date.

      Which solution did I use previously and why did I switch?

      Check Point. We moved to Firepower as an internal firewall to manage internal access and other network load.

      How was the initial setup?

      Straightforward, two-tire setup.

      What's my experience with pricing, setup cost, and licensing?

      All our requirements which we need performed by the firewall (e.g. VPN, URL white-listing, or IP based white-listing, etc.) have separate licenses and costs.

      Which other solutions did I evaluate?

      Yes, a couple of other of OEMs: Fortinet, Barracuda, etc.

      What other advice do I have?

      I rate it an eight out of 10, as it’s a new platform. Compared to Cisco ASA, it’s far better, per my usage to date.

      Make sure you have an expert resource or subscribe to OEM technical support.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Network Engineer at a tech vendor with 10,001+ employees
      Vendor
      Some of the valuable features are detecting malware and blocking blacklisted URLs.

      What is most valuable?

      Some of the valuable features are detecting malware and blocking blacklisted URLs.

      How has it helped my organization?

      It has enhanced the security in every network over time.

      What needs improvement?

      As of now, I can't find any flaws with the device or any improvement that I can suggest.

      For how long have I used the solution?

      I have been working with the device for the past two years.

      What was my experience with deployment of the solution?

      The upgrade is a bit of a pain in the neck.

      What do I think about the stability of the solution?

      There were no issues with the stability

      What do I think about the scalability of the solution?

      Scalability has been all-star perfect.

      How are customer service and technical support?

      Customer Service: I…

      What is most valuable?

      Some of the valuable features are detecting malware and blocking blacklisted URLs.

      How has it helped my organization?

      It has enhanced the security in every network over time.

      What needs improvement?

      As of now, I can't find any flaws with the device or any improvement that I can suggest.

      For how long have I used the solution?

      I have been working with the device for the past two years.

      What was my experience with deployment of the solution?

      The upgrade is a bit of a pain in the neck.

      What do I think about the stability of the solution?

      There were no issues with the stability

      What do I think about the scalability of the solution?

      Scalability has been all-star perfect.

      How are customer service and technical support?

      Customer Service:

      I would give customer service a rating of 10/10.

      Technical Support:

      I would give technical support a rating of 10/10.

      Which solution did I use previously and why did I switch?

      We have only used Cisco security devices.

      How was the initial setup?

      The setup was smooth and simple.

      What about the implementation team?

      We implemented it by ourselves and with some support from the Cisco TAC.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      AM
      IT Operation Manager
      Real User
      ​NGFW features software stability, quick software updates for known bugs/vulnerabilities.

      What is most valuable?

      NGFW features software stability, quick software updates for known bugs/vulnerabilities. Why no hardware reliability (see Clock Signal Component Issue -Cisco)? Because without NGFW features it is basically like a home router.

      How has it helped my organization?

      It is small, nobody knows where it is, nobody knows what it is, it works silently. So, as there is no issue, it is good for business and organization.

      What needs improvement?

      License politics, license price, precise vendor roadmap for this product.

      For how long have I used the solution?

      Two years.

      What do I think about the stability of the solution?

      Yes, FirePower is not stable, because every new software version comes with many features that cause problems. Cisco has to do it because other vendors have already added these features.

      What do I think about the scalability of the solution?

      No.

      How are customer service and technical support?

      High.

      Which solution did I use previously and why did I switch?

      3Com TippingPoint as IPS, Zyxel ZyWALL ZyXEL ZyWALLas VPN server. Cisco has good documentation and it is easy for Cisco certificated engineers.

      How was the initial setup?

      Complex, because of non-ready Firepower service software setup.

      What's my experience with pricing, setup cost, and licensing?

      The last years' experience showed that there is no full security, so why pay more. Any security vendor with a user-friendly interface, with good support, on-time updates for known vulnerabilities and reliable hardware, is acceptable for an organization.

      Which other solutions did I evaluate?

      No.

      What other advice do I have?

      Cisco's ASA product line will be replaced by Cisco FTD. And Cisco FTD software is not ready for production (lack of many basic NGFW features). So, maybe only high-performance Firepower 41xx/21xx/90xx Series is good as IPS.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Product Categories
      Firewalls
      Buyer's Guide
      Download our free Cisco Firepower NGFW Firewall Report and get advice and tips from experienced pros sharing their opinions.