Overview
Experience Cisco's industry-leading Layer 3 and Layer 4 firewall in a virtualized form factor to protect your cloud environment. You can now take advantage of:
High performance security:
- Dynamically scale resilient remote access to meet demand with AWS Route 53
- Leverage site-to-site VPN, clientless remote access, and remote access VPN
- Integrate with AWS Transit Gateway for scalable inter-VPC traffic
Protection for your dynamic environments:
- Ingress and egress traffic protection across your cloud environments
- Advanced inspection, including voice and video protocols
- Micro-segmentation capabilities for east-west traffic
Cloud-delivered management:
- Consistently manage policies with our cloud-delivered management solution, Cisco Defense Orchestrator (CDO)
- Increase efficiency with low-touch provisioning for faster firewall deployments
- Use the REST API, an HTTP-based interface for appliance management, security policies, and status monitoring that enables multiple cloud management solutions
For supported AWS instances, please see the data sheet.
Highlights
- Deploy remote access in as little as 20 minutes with the Cisco ASAv RA-VPN on AWS Quick Start guide.
- Ideal for remote worker and multi-tenant environments that require secure, scalable, and resilient remote access options.
- Consistent policy management in the cloud with Cisco Defense Orchestrator.
Pricing
Free trial
| Dimension | Cost/hour |
|---|---|
| c5.xlarge (Recommended) | $0.92 |
| c5n.large | $0.35 |
| m5zn.large | $0.35 |
| m5.xlarge | $0.92 |
| m4.xlarge | $0.92 |
| m5n.xlarge | $0.92 |
| m5n.2xlarge | $1.93 |
| m4.2xlarge | $1.93 |
| m5.2xlarge | $1.93 |
| m5n.4xlarge | $3.12 |
Vendor refund policy
The Cisco ASAv instance can be terminated at any time to stop incurring charges.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Support
Vendor support
For all support queries, only Community Support is available for this product listing. Please visit the Cisco Security - Firewalling community using the link above and include "ASA-AWS" in the title of your community discussion for the fastest response. https://supportforums.cisco.com/community/firewalling
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Secure connectivity and custom threat detection have protected hybrid environments and user activity
What is our primary use case?
I have two different perspectives about my use cases for Cisco Secure Firewall. The first one is the device frontier, creating all the connections between on-premise, cloud, on-premise to on-premise, VPNs, NAT and also rules for secure endpoints or user endpoints for downloading malicious files or visiting different websites.
The other use case was threat intelligence, which I mostly used Snort rules or created Snort rules on the firewall to understand or catch early attackers before they started the attack.
What is most valuable?
Snort is one of the features of Cisco Secure Firewall that I know is an open-source rule, but it is really cool that the firewall allows you to create your own rules using this protocol for threat intelligence.
The flow of Cisco Secure Firewall is something that I have a lot of experience creating policies with, but the way the policies work is unusual. For example, they are using every single policy that cascades between each other, and other vendors do not use that kind of flow. Other vendors allow you to create one rule for a specific thing without needing to iterate something from another policy. That is something I do not dislike, but it is hard to work with that kind of flow.
What needs improvement?
As I mentioned, Cisco Secure Firewall's flow is easier with Palo Alto to create things and configure things, also with the policies. But this vendor does not have the possibility for Snort, so I need to work with what the vendor gives to me and it is not really free to use. On the basic configurations and day-to-day tasks that we are having using this tool, it is much easier to use Palo Alto than Cisco Secure Firewall. Cisco has the feature that is Snort, but it is easier to use Palo Alto in general.
Compared to the license of Cisco Secure Firewall, it was expensive. Right now compared with Palo Alto, Cisco Secure Firewall is kind of expensive. Basically, the license for the VPNs is for all the interfaces, and that is the thing that is really expensive compared with Palo Alto.
For how long have I used the solution?
I am not using Cisco Secure Firewall too much now because I left my previous company, but in previous companies I worked with Cisco Secure Firewall for four to five years.
What do I think about the stability of the solution?
There was basically one downtime with Cisco Secure Firewall that was for a DDoS attack. I think that it was due to a bad configuration from our side. Without those configurations, there were no issues. I would say that the product is pretty much stable and the issue was our fault.
What do I think about the scalability of the solution?
Cisco Secure Firewall is scalable, but if you have the money for the license, then it is scalable.
How are customer service and support?
I have had to contact Cisco technical support two times. One time was to integrate the firewall with the WLC, Wireless LAN controller, for wireless issues, and the other time was for the license that was not activated due to something that happened with the payments.
The first case on the WLC for Cisco Secure Firewall was not very good because it took more than one week with the first call and emails back and forth to resolve the issue. The answers from the technical assistance center gave me the sense that they did not really know what we needed to do or what we needed for escalations. On the other hand, for the payment issues for the license, that team was really clear and resolved the issue in less than 12 hours.
With my experience with those two support cases, I would rate Cisco technical support a seven on a scale from one to ten.
Which solution did I use previously and why did I switch?
I have experience with Cisco in two parts. I worked with Cisco as the SM for one of the companies in Colombia, and I have also worked with other customers that use Cisco. I have been on both sides.
How was the initial setup?
There are two ways for the initial deployment of Cisco Secure Firewall. We have the on-premise device, when I was working in that company, and we also deployed one of the solutions for Threat Defense on Azure. I think that it is easier for on-premise because you have direct connections, and if something happens troubleshooting all the initial IPs is better that way. It is pretty smooth to update it or create that firewall on Azure. On AWS, it is easy. They have some troubles with the Linux instance, but on Azure, it is pretty smooth.
What about the implementation team?
Cisco Secure Firewall is all about taking care for Cisco right now. Previously it was not, but right now it is.
What's my experience with pricing, setup cost, and licensing?
Compared to the license of Cisco Secure Firewall, it was expensive. Right now compared with Palo Alto, Cisco Secure Firewall is kind of expensive. Basically, the license for the VPNs is for all the interfaces, and that is the thing that is really expensive compared with Palo Alto.
Which other solutions did I evaluate?
I have used Fortinet and Palo Alto as alternatives to Cisco Secure Firewall.
It is hard to say, but right now I have been working with Palo Alto. That is currently my best option and I learned a lot from this vendor compared to Cisco Secure Firewall.
What other advice do I have?
I have experience with Cisco in two parts. I worked with Cisco as the SM for one of the companies in Colombia, and I have also worked with other customers that use Cisco. I have been on both sides.
The last time with Cisco I was a partner.
My overall review rating for Cisco Secure Firewall is nine out of ten.
Centralized firewall has simplified network defense and has improved VPN troubleshooting
What is our primary use case?
Cisco Secure Firewall serves as our primary line of defense when receiving traffic for the customers that we serve, and from there, it is distributed across our network. It is the main firewall for the division of service that we manage the network for.
What is most valuable?
Cisco Secure Firewall performs very well in that the web interface is manageable when deploying configurations because it is very easy to set up. I don't have to write all those lines of configuration codes directly on the devices, but I can do it on a visual interface where I can double-check before pushing any configuration through, and that is very useful. When setting VPN connections, the filtering during troubleshooting is particularly helpful, as the Cisco IOS CLI has never been very capable when filtering during troubleshooting of a deep issue, and the interface is very helpful when it comes to that.
What needs improvement?
There are quite a lot of bugs when opening sub-windows, as sometimes I cannot extend the size to read more information, and when writing a long line of text, it can be annoying.
For how long have I used the solution?
I have been using Cisco Secure Firewall for approximately three or four years now.
What do I think about the stability of the solution?
I have seen some instability regarding Cisco Secure Firewall. This may have been on us because we had a provisioning capacity issue and had to make an upgrade to serve the needs of our network. We experienced the issue due to a memory issue with one of our firewall pairs. Despite that issue, the devices are very reliable and stable under normal functioning.
What do I think about the scalability of the solution?
Cisco Secure Firewall is very scalable. It is almost transparent from both customer and service technician perspectives, and I would give Cisco a 10 for scalability. This has been one of its strengths in their history.
How are customer service and support?
I have contacted the technical support or customer support of Cisco regarding this solution. The speed of the support was appropriate. The quality was challenging to assess because when given a problem to resolve, there are so many details to recover and so much context of the company's usage to understand that it is not as simple as saying the official support of Cisco must have a magic wand to resolve the issue. At the end of the day, they were not able to provide the proper insight that we needed to resolve the issue we were facing at the time.
It is worth mentioning that our head of network is one of the toughest professionals I have come across when it comes to networking, and this may have made it more difficult for them because every person who came on the line was way ahead of them. When trying to get to a solution and having to repeat myself, I can come into a call not knowing everything, and recovery scripts must be run to gather information, analyze it, and then come back with a solution. In the end, it did not work, and we had to use another workaround developed by us. I would not say the support was bad; it was efficient in communication, but the final solution was not satisfactory.
Which solution did I use previously and why did I switch?
I have never used any direct alternative to Cisco Secure Firewall, although there were discussions about switching to another vendor. After a lot of discussion, we remained with Cisco for its capabilities and some other details. It came into consideration to switch to another vendor for administrative decisions because Cisco solutions are quite expensive, and other vendors might do the job for a considerably lower amount, but Cisco remained. We never managed to use an alternative.
How was the initial setup?
The initial deployment was most difficult because there were some compatibility issues. At the time I came to the team, we were transitioning from Cisco ASA to the new Firepower solution, and the tools for migrating the configuration about the objects were not working properly. I did not have the time to work out why since I was not the main architect of the network and was in a lesser role, but this was one of the main challenges I worked on. We had to do a lot of scripting and manual work to migrate the objects and configure the new solution because Cisco ASA was not very capable of extracting the information to push to a newer generation of firewalls.
What about the implementation team?
We handle maintenance on Cisco Secure Firewall ourselves. We require maintenance and upgrades, and we do it ourselves.
What other advice do I have?
I would rate this product an 8 out of 10 overall.
Improved perimeter security and segmentation have reduced threats but identity integration still needs work
What is our primary use case?
The second purpose is segmentation. We have different zones depending upon the criticality of applications. We have a DMZ, an internal DMZ, and other zones. The primary task is to ensure that whenever there is a difference in the trust level from one zone to another, we have a firewall in between. These firewalls provide next-generation advanced threat prevention, firewall rules, stateful firewall rules, and we use Snort 3 for IPS/IDS detections. We are using all the features that Cisco Secure Firewall has to offer.
What is most valuable?
Cisco Secure Firewall is a next-generation firewall, and you must leverage all that can be leveraged for preventing lateral movement attacks and all these things that traditional security rules and firewall rules cannot address. Snort 3 and adaptive security bring behavioral and anomaly-based detections. Again, this is not as elaborate as NDR, but it is designed as a firewall and does the job effectively.
Cisco Secure Firewall provides deep packet inspection, so I get deep visibility into every single packet. If attackers or insiders are smart enough to change the protocol behavior or tunnel the traffic through DNS tunneling or similar methods, the firewall can easily detect them. Deep packet visibility and deep packet inspection are crucial, as that is where it all starts. Additional features include DNS security and advanced IPS (NGIPS), which perform signature-based scanning. These feeds are updated in real time by Cisco Talos and integrated across all firewalls. While I would not say this protects against zero-day attacks, it is very close. It helps with lateral movement-based attacks because of the segmentation these firewalls enforce. It definitely cannot help with TLS 1.3, as no firewall can. There are many nuances involved. The key valuable features are deep packet visibility and inspection, the ability to enforce at all layers of the server model, and the ease of applying signature-based scanning along with behavioral-based detection, though not extensive.
What needs improvement?
Based on my experience with Palo Alto and a couple of its competitors, there is room for improvement with the integrations with identity providers. The number of options and integration partners available with Palo Alto is more extensive compared to Cisco Secure Firewall. This is not because Cisco lacks these capabilities, but rather because other vendors are doing better things in this area. However, this is on Cisco's roadmap. I had contact with their sales teams and alliance teams, and they have these improvements carved out in their roadmap.
For how long have I used the solution?
What do I think about the stability of the solution?
It was really problematic back then. Lately, we have not had significant service outages. The firewall is stable now. There are multiple firewall clusters that we have not rebooted in more than a year, which speaks volumes about stability. We receive regular feature releases and upgrades, and we get security advisories. Cisco has definitely done an excellent job in the last two to three years. Before that, it was not a very good product, and many places were moving away from Cisco Firewalls to Palo Alto or Fortinet due to stability issues. Currently, if I were purchasing Cisco Secure Firewall because I already have a Cisco footprint, I would not hesitate based upon stability alone.
What do I think about the scalability of the solution?
How are customer service and support?
Which solution did I use previously and why did I switch?
Which other solutions did I evaluate?
What other advice do I have?
The time we need to spend to triage any incidents or potential events is significantly reduced. Before events become incidents, we already have complete insights into who or which IP or source was attempting to reach what, whether it was crypto mining, and we receive all details about the category of URLs or endpoints on the internet the user was trying to access, including whether they were suspicious or potentially benign. The ability to classify these is crucial, and nothing can be done without Talos. However, you must size your firewall properly, because you are ingesting all these feeds from Cisco Talos, and if your firewall is a small model or not sized perfectly, performance can become unstable. You must perform capacity planning well. All third-party threat intelligence feeds vary in quality, but Cisco Talos is definitely one of the most mature threat intelligence feeds that has been around for quite some time and has a decent reputation.
Based on quotes I have seen in the last couple of months, Cisco Secure Firewall is fairly priced. I sometimes find Palo Alto is more expensive than Cisco. Of course, the money you pay is for the capabilities you get. If it is an apple-to-apple comparison, Cisco Secure Firewall is fairly priced. I have no concerns about the pricing. My overall rating for Cisco Secure Firewall is 7.5 out of 10.
Firewall rules and clear GUI have strengthened corporate web protection and secure remote access
What is our primary use case?
My main use case for Cisco Secure Firewall is to protect corporate internet access from malicious people.
I can provide a specific example of how I use Cisco Secure Firewall to protect my corporate internet system from malicious activity: I block malicious sites and create rules to detect them.
I also use it to provide remote access for vendors and IT support people.
What is most valuable?
The best features Cisco Secure Firewall offers in my experience are its GUI, clear definition, and process to create rules.
The GUI is clear and I am able to follow the description of processes such as backup, creation of rules, and other management processes.
This has helped my team feel more confident that we are protected from malicious intruders, and I have noticed specific positive outcomes and changes since using Cisco Secure Firewall.
What needs improvement?
I believe Cisco Secure Firewall can be improved, particularly regarding the specifications such as the memory that is used on entry-level firewalls, because sometimes when doing an upgrade or changing configuration, issues arise.
On the performance side, I notice that the upgrade to a different version is slow, so hopefully improved CPU and RAM will help performance.
For how long have I used the solution?
I have been using Cisco Secure Firewall for three years.
What do I think about the stability of the solution?
Cisco Secure Firewall is stable in my experience.
The hardware is working and we have not encountered the firewall failing because of a firmware upgrade.
What do I think about the scalability of the solution?
We have not needed the scalability feature of Cisco Secure Firewall as of now.
How are customer service and support?
I have not needed to reach out to Cisco support for any issues.
Which solution did I use previously and why did I switch?
I have not switched from another vendor or used another firewall vendor prior to Cisco.
Which other solutions did I evaluate?
Before choosing Cisco Secure Firewall, we did not evaluate other options.
What other advice do I have?
I would advise others looking into using Cisco Secure Firewall that it is easy to use and manage, easy to create rules, and upgrade the firmware, and it is reliable; I have not encountered any failure on my Cisco firewall so far. I rate this product an 8 out of 10.
Rebuilt complex global security has exposed licensing hurdles yet still delivers solid protection
What is our primary use case?
I have mainly worked with Cisco Firewall, specifically FTD and FMC, controlling the Firewall Threat Defenses from FMC, using Talos and Cisco ISE for approximately two and a half to three years. I completed a comprehensive re-architecture and added different vendors for a company called Gaming Laboratories International, where I extensively used their products.
For a span of two years, I extensively used Cisco products, ranging from switching and routers to firewall solutions for Gaming Laboratories International. For the last year, I have mainly worked with Palo Alto and Cato products, transitioning toward SD-WAN and SASE solutions.
At Gaming Laboratories International, I inherited a poorly designed network architecture and completely re-architected the network using Cisco Secure Firewall FTD and FMC across 45 different offices around the globe, spanning 435 jurisdictions at that time. My team and I used Cisco Secure Firewall as our internal firewall, securing the internal perimeter and protecting our DMZ from the inside. On the outside, we implemented Palo Alto because Cisco Secure Firewall could not handle the capabilities we required, such as application identification, which Palo Alto truly excels at.
What is most valuable?
Cisco Secure Firewall is quite scalable, and I have found it relatively easy to set up high availability. I have truly enjoyed the flexibility, without the need to use StackWise cables but simple Ethernet cables.
The benefit of Cisco Secure Firewall lies in keeping it to the basics through hardware, which costs a bit more, but the real problem emerges when integrating other platforms and their licensing, which is quite expensive. When calculating the total costs, including ISE, DNA Center, and hardware maintenance, it becomes exorbitant for medium-sized enterprises. It may work for large enterprises already entrenched in Cisco products.
What needs improvement?
The biggest inefficiency with Cisco Secure Firewall, to be honest, is the licensing—too many licenses for too many different products. There is not a single platform, which is essential nowadays. Cisco Secure Firewall is a bit of a colossus where they add weight on top of it, and I believe it amounts to simply placing products next to each other, which is not a very good solution from the perspective of a network security engineer.
There are many features I would personally remove, amend, or create differently from an engineering perspective. The Frankenstein architecture needs to stop and focus on AI. Nowadays, with different products, it is essential to have a single platform for better data and line application control. Everything about AI is to control application usage and how users interact with your systems.
The process with FMC is quite a hurdle, and attempting to integrate it with DNA Center or ISE turns into a nightmare. There is a stark contrast with Palo Alto and Prisma—everything just flows.
When setting up Cisco Secure Firewall, I encounter significant challenges, especially with on-premise Next-Generation Firewalls. There is a lack of clarity in documentation, particularly when changing internet service providers or external IP addresses. This lack of guidance often leads to being locked out or corrupting files within the Next-Generation Firewall, resulting in wasted time troubleshooting.
For how long have I used the solution?
I worked with Cisco Secure Firewall more than a year ago, exactly eleven months, to be precise.
What do I think about the stability of the solution?
I am really happy with the performance and capabilities of Cisco Secure Firewall to manage heavy workloads. Although it performs well, integrating the software with existing systems often creates complications.
What do I think about the scalability of the solution?
Cisco Secure Firewall is quite scalable, and I have found it relatively easy to set up high availability.
How are customer service and support?
Cisco's customer service and technical support respond in a timely manner, which is good. However, they do not always come up with effective solutions. Many times, I need to dig deep to find solutions due to the complexity of the environments where I work, especially in game development.
I would rate Cisco technical support as a seven. They deserve a six or seven for their efforts, but I feel sympathy for them given the challenging circumstances they work under.
Which solution did I use previously and why did I switch?
At the moment, I do not use Cisco Secure Firewall at all. For the last eleven months, I have been working solely with Palo Alto Next-Generation Firewall, Prisma Access, and Cato. I am primarily integrating Cato for companies, and I have witnessed its rise over Cisco Secure Firewall because of its simplicity, ease of management, and deployment cost and time efficiency.
How was the initial setup?
When setting up Cisco Secure Firewall, I encounter significant challenges, especially with on-premise Next-Generation Firewalls. There is a lack of clarity in documentation, particularly when changing internet service providers or external IP addresses.
What other advice do I have?
For high traffic rates and heavy CPU consumption, Cisco Secure Firewall could fit well. However, security can lead to lock-out situations, so those considering Cisco Secure Firewall should thoroughly assess their needs. SASE solutions are dominating the market; I primarily work with Cato, which finds traction in eight out of ten meetings I have with customers, with Palo Alto depending on the desired security posture.
I suggested in the design, and that was approved to be moved internally because Palo Alto had better capabilities to handle security concerns. Cisco Secure Firewall overly relies on administrators to do the heavy lifting to connect those platforms with open-source or third-party solutions. Licensing is a recurring issue—it would be much easier if there were a package, but that is not the case.
When we do not talk about money, time has become the critical factor where Cato massively outperforms Cisco Secure Firewall. I would rate this review a five point five overall.