The second purpose is segmentation. We have different zones depending upon the criticality of applications. We have a DMZ, an internal DMZ, and other zones. The primary task is to ensure that whenever there is a difference in the trust level from one zone to another, we have a firewall in between. These firewalls provide next-generation advanced threat prevention, firewall rules, stateful firewall rules, and we use Snort 3 for IPS/IDS detections. We are using all the features that Cisco Secure Firewall has to offer.
Cisco Secure Firewall ASA Virtual - PAYG
Cisco Systems, Inc.
External reviews
External reviews are not included in the AWS star rating for the product.
Improved perimeter security and segmentation have reduced threats but identity integration still needs work
What is our primary use case?
What is most valuable?
Cisco Secure Firewall is a next-generation firewall, and you must leverage all that can be leveraged for preventing lateral movement attacks and all these things that traditional security rules and firewall rules cannot address. Snort 3 and adaptive security bring behavioral and anomaly-based detections. Again, this is not as elaborate as NDR, but it is designed as a firewall and does the job effectively.
Cisco Secure Firewall provides deep packet inspection, so I get deep visibility into every single packet. If attackers or insiders are smart enough to change the protocol behavior or tunnel the traffic through DNS tunneling or similar methods, the firewall can easily detect them. Deep packet visibility and deep packet inspection are crucial, as that is where it all starts. Additional features include DNS security and advanced IPS (NGIPS), which perform signature-based scanning. These feeds are updated in real time by Cisco Talos and integrated across all firewalls. While I would not say this protects against zero-day attacks, it is very close. It helps with lateral movement-based attacks because of the segmentation these firewalls enforce. It definitely cannot help with TLS 1.3, as no firewall can. There are many nuances involved. The key valuable features are deep packet visibility and inspection, the ability to enforce at all layers of the server model, and the ease of applying signature-based scanning along with behavioral-based detection, though not extensive.
What needs improvement?
Based on my experience with Palo Alto and a couple of its competitors, there is room for improvement with the integrations with identity providers. The number of options and integration partners available with Palo Alto is more extensive compared to Cisco Secure Firewall. This is not because Cisco lacks these capabilities, but rather because other vendors are doing better things in this area. However, this is on Cisco's roadmap. I had contact with their sales teams and alliance teams, and they have these improvements carved out in their roadmap.
For how long have I used the solution?
What do I think about the stability of the solution?
It was really problematic back then. Lately, we have not had significant service outages. The firewall is stable now. There are multiple firewall clusters that we have not rebooted in more than a year, which speaks volumes about stability. We receive regular feature releases and upgrades, and we get security advisories. Cisco has definitely done an excellent job in the last two to three years. Before that, it was not a very good product, and many places were moving away from Cisco Firewalls to Palo Alto or Fortinet due to stability issues. Currently, if I were purchasing Cisco Secure Firewall because I already have a Cisco footprint, I would not hesitate based upon stability alone.
What do I think about the scalability of the solution?
How are customer service and support?
Which solution did I use previously and why did I switch?
Which other solutions did I evaluate?
What other advice do I have?
The time we need to spend to triage any incidents or potential events is significantly reduced. Before events become incidents, we already have complete insights into who or which IP or source was attempting to reach what, whether it was crypto mining, and we receive all details about the category of URLs or endpoints on the internet the user was trying to access, including whether they were suspicious or potentially benign. The ability to classify these is crucial, and nothing can be done without Talos. However, you must size your firewall properly, because you are ingesting all these feeds from Cisco Talos, and if your firewall is a small model or not sized perfectly, performance can become unstable. You must perform capacity planning well. All third-party threat intelligence feeds vary in quality, but Cisco Talos is definitely one of the most mature threat intelligence feeds that has been around for quite some time and has a decent reputation.
Based on quotes I have seen in the last couple of months, Cisco Secure Firewall is fairly priced. I sometimes find Palo Alto is more expensive than Cisco. Of course, the money you pay is for the capabilities you get. If it is an apples-to-apples comparison, Cisco Secure Firewall is fairly priced. I have no concerns about the pricing. My overall rating for Cisco Secure Firewall is 7.5 out of 10.
Firewall rules and clear GUI have strengthened corporate web protection and secure remote access
What is our primary use case?
My main use case for Cisco Secure Firewall is to protect corporate internet access from malicious people.
I can provide a specific example of how I use Cisco Secure Firewall to protect my corporate internet system from malicious activity: I block malicious sites and create rules to detect them.
I also use it to provide remote access for vendors and IT support people.
What is most valuable?
The best features Cisco Secure Firewall offers in my experience are its GUI, clear definition, and process to create rules.
The GUI is clear and I am able to follow the description of processes such as backup, creation of rules, and other management processes.
This has helped my team feel more confident that we are protected from malicious intruders, and I have noticed specific positive outcomes and changes since using Cisco Secure Firewall.
What needs improvement?
I believe Cisco Secure Firewall can be improved, particularly regarding the specifications such as the memory that is used on entry-level firewalls, because sometimes when doing an upgrade or changing configuration, issues arise.
On the performance side, I notice that the upgrade to a different version is slow, so hopefully improved CPU and RAM will help performance.
For how long have I used the solution?
I have been using Cisco Secure Firewall for three years.
What do I think about the stability of the solution?
Cisco Secure Firewall is stable in my experience.
The hardware is working and we have not encountered the firewall failing because of a firmware upgrade.
What do I think about the scalability of the solution?
We have not needed the scalability feature of Cisco Secure Firewall as of now.
How are customer service and support?
I have not needed to reach out to Cisco support for any issues.
Which solution did I use previously and why did I switch?
I have not switched from another vendor or used another firewall vendor prior to Cisco.
Which other solutions did I evaluate?
Before choosing Cisco Secure Firewall, we did not evaluate other options.
What other advice do I have?
I would advise others looking into using Cisco Secure Firewall that it is easy to use and manage, easy to create rules, and upgrade the firmware, and it is reliable; I have not encountered any failure on my Cisco firewall so far. I rate this product an 8 out of 10.
Rebuilt complex global security has exposed licensing hurdles yet still delivers solid protection
What is our primary use case?
I have mainly worked with Cisco Firewall, specifically FTD and FMC, controlling the Firewall Threat Defenses from FMC, using Talos and Cisco ISE for approximately two and a half to three years. I completed a comprehensive re-architecture and added different vendors for a company called Gaming Laboratories International, where I extensively used their products.
For a span of two years, I extensively used Cisco products, ranging from switching and routers to firewall solutions for Gaming Laboratories International. For the last year, I have mainly worked with Palo Alto and Cato products, transitioning toward SD-WAN and SASE solutions.
At Gaming Laboratories International, I inherited a poorly designed network architecture and completely re-architected the network using Cisco Secure Firewall FTD and FMC across 45 different offices around the globe, spanning 435 jurisdictions at that time. My team and I used Cisco Secure Firewall as our internal firewall, securing the internal perimeter and protecting our DMZ from the inside. On the outside, we implemented Palo Alto because Cisco Secure Firewall could not handle the capabilities we required, such as application identification, which Palo Alto truly excels at.
What is most valuable?
Cisco Secure Firewall is quite scalable, and I have found it relatively easy to set up high availability. I have truly enjoyed the flexibility, without the need to use StackWise cables but simple Ethernet cables.
The benefit of Cisco Secure Firewall lies in keeping it to the basics through hardware, which costs a bit more, but the real problem emerges when integrating other platforms and their licensing, which is quite expensive. When calculating the total costs, including ISE, DNA Center, and hardware maintenance, it becomes exorbitant for medium-sized enterprises. It may work for large enterprises already entrenched in Cisco products.
What needs improvement?
The biggest inefficiency with Cisco Secure Firewall, to be honest, is the licensing—too many licenses for too many different products. There is not a single platform, which is essential nowadays. Cisco Secure Firewall is a bit of a colossus where they add weight on top of it, and I believe it amounts to simply placing products next to each other, which is not a very good solution from the perspective of a network security engineer.
There are many features I would personally remove, amend, or create differently from an engineering perspective. The Frankenstein architecture needs to stop and focus on AI. Nowadays, with different products, it is essential to have a single platform for better data and line application control. Everything about AI is to control application usage and how users interact with your systems.
The process with FMC is quite a hurdle, and attempting to integrate it with DNA Center or ISE turns into a nightmare. There is a stark contrast with Palo Alto and Prisma—everything just flows.
When setting up Cisco Secure Firewall, I encounter significant challenges, especially with on-premise Next-Generation Firewalls. There is a lack of clarity in the documentation, particularly when changing internet service providers or external IP addresses. This lack of guidance often leads to being locked out or corrupting files within the Next-Generation Firewall, resulting in wasted time troubleshooting.
For how long have I used the solution?
I worked with Cisco Secure Firewall more than a year ago, exactly eleven months, to be precise.
What do I think about the stability of the solution?
I am really happy with the performance and capabilities of Cisco Secure Firewall to manage heavy workloads. Although it performs well, integrating the software with existing systems often creates complications.
What do I think about the scalability of the solution?
Cisco Secure Firewall is quite scalable, and I have found it relatively easy to set up high availability.
How are customer service and support?
Cisco's customer service and technical support respond in a timely manner, which is good. However, they do not always come up with effective solutions. Many times, I need to dig deep to find solutions due to the complexity of the environments where I work, especially in game development.
I would rate Cisco technical support as a seven. They deserve a six or seven for their efforts, but I feel sympathy for them given the challenging circumstances they work under.
Which solution did I use previously and why did I switch?
At the moment, I do not use Cisco Secure Firewall at all. For the last eleven months, I have been working solely with Palo Alto Next-Generation Firewall, Prisma Access, and Cato. I am primarily integrating Cato for companies, and I have witnessed its rise over Cisco Secure Firewall because of its simplicity, ease of management, and deployment cost and time efficiency.
How was the initial setup?
When setting up Cisco Secure Firewall, I encounter significant challenges, especially with on-premise Next-Generation Firewalls. There is a lack of clarity in the documentation, particularly when changing internet service providers or external IP addresses.
What other advice do I have?
For high traffic rates and heavy CPU consumption, Cisco Secure Firewall could fit well. However, security can lead to lock-out situations, so those considering Cisco Secure Firewall should thoroughly assess their needs. SASE solutions are dominating the market; I primarily work with Cato, which finds traction in eight out of ten meetings I have with customers, with Palo Alto depending on the desired security posture.
I suggested in the design, and that was approved to be moved internally because Palo Alto had better capabilities to handle security concerns. Cisco Secure Firewall overly relies on administrators to do the heavy lifting to connect those platforms with open-source or third-party solutions. Licensing is a recurring issue—it would be much easier if there were a package, but that is not the case.
When we do not talk about money, time has become the critical factor where Cato massively outperforms Cisco Secure Firewall. I would rate this review a five point five overall.
Strong intrusion prevention has secured our data center and supports flexible firewall deployment
What is our primary use case?
We have two deployment models for the use case: one is a perimeter firewall and one is a data center firewall. If you have a perimeter, you will position Cisco Secure Firewall as a perimeter firewall; it fits more as a data center firewall because in a data center firewall, you are inspecting incoming traffic and you need a very good IPS, so Cisco Secure Firewall is very effective as a data center firewall.
What is most valuable?
The best feature in Cisco Secure Firewall is the stability; we have a stable product with no lagging or crashing, unlike others. Additionally, the IPS is the next-generation IPS from Cisco, which has many features and many signatures with updated signatures for my IPS.
I switched to Cisco Secure Firewall to get very good IPS signatures and next-generation IPS; that is a market leader from Cisco.
The stability is very good. I do not experience any downtime, crashes, or performance issues; that is the best feature from Cisco Secure Firewall.
What needs improvement?
Most of the time, Cisco provides features on some versions and the updated versions will move them; for example, we can do firewall policies based on users, which is from Active Directory. It should be from Cisco ISE, so it is a very bad drawback from Cisco Secure Firewall. Not all customers have Cisco ISE, and we need to integrate to make a policy on users, not just by IP, but with users also. We had integration before with LDAP and Active Directory, but on some versions, Cisco requires us to do it through Cisco ISE.
For how long have I used the solution?
I have five years of experience with Cisco Secure Firewall overall.
What do I think about the stability of the solution?
The stability is very good. I do not experience any downtime, crashes, or performance issues; that is the best feature from Cisco Secure Firewall.
What do I think about the scalability of the solution?
Cisco Secure Firewall is providing scalability. I rate the scalability as a number 10.
How are customer service and support?
I rate the technical support a number 10.
Which solution did I use previously and why did I switch?
Compared to Fortinet, we have a complex configuration, but we still have a stable product rather than Fortinet's product.
How was the initial setup?
Cisco Secure Firewall requires maintenance. Maintaining it is slightly complex; it is not easy or very easy.
What about the implementation team?
I am a customer. It was purchased through a partner. I was satisfied with my experience with the partner.
What was our ROI?
I have seen a return on investment of 50.
What's my experience with pricing, setup cost, and licensing?
The pricing for Cisco Secure Firewall is very good, and we got many discounts from them.
What other advice do I have?
Cisco Secure Firewall is deployed on-premises. We have a team of four users using the solution. I rate this review a 10.
Secure access has improved and firewall management provides stronger protection
What is our primary use case?
I use Cisco Secure Firewall essentially as a firewall and for a secure access VPN solution. I need Cisco Secure Firewall to fulfill that role; I need it for secure access, and it performs the firewalling I need it to do in the network segment where it is located.
What is most valuable?
I have seen a return on investment with Cisco Secure Firewall. Generally, where it sits in my network, there are other vendors as well, but Cisco Secure Firewall is a better product and easier to manage than those alternatives. It does more of the features that I want it to do to be more secure, and I will move the other vendors into Cisco Secure Firewall.
What needs improvement?
The biggest challenge I have with Cisco Secure Firewall is that I often need to look in a few places to find what I want to do or I find myself searching for where a particular feature is located. I know what I want to accomplish, but I cannot always find it easily; it takes some time looking around. Because I do not use Cisco Secure Firewall as heavily as other vendors, I find it a little harder to navigate, though I would caveat that with the possibility that with more use, it would become easier for me to navigate and accomplish what I want to do. I am not sure how I would specifically improve that aspect, but it is probably the biggest day-to-day challenge I have with it.
For how long have I used the solution?
I have been using Cisco Secure Firewall for about a year, maybe just over.
What do I think about the stability of the solution?
Stability of Cisco Secure Firewall is generally very good.
What do I think about the scalability of the solution?
In terms of scalability, because it is there for the secure access solution as well, it was right-sized when it was put in, so I have not had any scalability challenges for what I do. My organization is fairly static in terms of scale, so users and that type of thing do not scale up and down quickly; it is more slow-moving in that regard.
How are customer service and support?
I have not done a whole lot of customer support with Cisco Secure Firewall.
Which solution did I use previously and why did I switch?
Before Cisco Secure Firewall, I used Juniper as a vendor; I have used them with other vendors as well, but where I am using Cisco Secure Firewall, they are sort of a direct competitor with Juniper.
How was the initial setup?
It took a couple of months to deploy Cisco Secure Firewall; that was the same for secure access, as it was all part of the same rollout. What took those months to deploy was probably more internal change controls; it is just slower moving, as I have done a lot of testing deployments in lab environments, so it is less of a technology issue and more of the constraints of where I work that slow it down.
What about the implementation team?
I did not implement Cisco Secure Firewall personally, but I was there for the implementation.
What was our ROI?
I have seen a return on investment with Cisco Secure Firewall. Generally, where it sits in my network, there are other vendors as well, but Cisco Secure Firewall is a better product and easier to manage than those alternatives. It does more of the features that I want it to do to be more secure, and I will move the other vendors into Cisco Secure Firewall.
What other advice do I have?
Integration with other systems is fairly slow-moving and static in that way. I would rate this review an 8.
Centralized security management has protected global branches and simplified daily operations
What is our primary use case?
In terms of security, Cisco Secure Firewall is very reliable, especially when clients are up to date and run their security updates regularly. It is one of the greatest solutions for security in terms of networking. It is very easy to use, aside from being somewhat costly compared to other firewalling solutions. Cisco has been in existence for a while compared to other firewalling devices, which makes it more expensive. It is very easy to use, especially when you have hands-on experience with any of Cisco's devices before. You do not even need to probably take higher professional courses before you can manage it, especially if you can learn easily. For me, I learn quickly and I approach anything with the understanding that nothing is impossible, though it might take some time.
Because we have a centralized solution that manages all of our Cisco Secure Firewall and Cisco devices within the network, and IHS spreads across more than 10 countries, all of which communicate together using the same devices, we can push policies centrally from the central management system to all the Cisco Secure Firewall devices and the policies take effect immediately.
What is most valuable?
We have been using Cisco Secure Firewall since 2015, which is when I joined IHS. Currently, I cannot remember the exact name because it has been a while since I logged into that environment, and I have already resigned from IHS to work as a consultant. We are using Cisco AnyConnect for our VPN, to be precise. We majorly use the VPN because all of our clients are on VPN, so whenever they want to connect to any of the resources from outside the network, they connect through the VPN.
The major improvement so far is that everything has moved from a black screen interface to a GUI that you can easily use. It is not necessary to do everything on a black screen. Aside from the price constraint, I do not really see much in terms of the disadvantages of this product. Although everything has advantages and disadvantages, the major disadvantage is the cost, which is why many people in the industry are moving to products like Check Point or Sophos because they are cheaper compared to Cisco Secure Firewall.
What needs improvement?
The major improvement needed is the GUI interface. Most of the new generation firewalls actually come with a GUI where you can do whatever you want to do without running a command, and they give that privilege. I believe Cisco Secure Firewall has already probably introduced that, as from the Cisco centralized application, you can manage many things, push many configurations, and do many things. However, they need to do more so that it is not necessary to give access to the black screen as in the core device to your users before they can do certain things. From the GUI interface, they should be able to do certain things. It creates a kind of restriction, and it is only when it is necessary that you probably launch the GUI or SSH to that device that users do whatever they need to do.
For how long have I used the solution?
I have been using Cisco Secure Firewall since 2015, which is when I joined IHS.
What do I think about the stability of the solution?
Reliability is superb because we usually have monthly maintenance on all of our devices. Because all of our devices are on HA, we test the high availability and run any patches that need to be run. So far so good, it is reliable because there has never been a time when we have had a failover test that we ran into a problem.
What do I think about the scalability of the solution?
Cisco Secure Firewall is scalable.
How are customer service and support?
Technically, Cisco covers a lot.
Which solution did I use previously and why did I switch?
Currently, I do not use any other firewalling solutions. I think the other HP product I probably worked with is not used anymore.
How was the initial setup?
I might not say because I cannot compare my own experience with other people's experiences. For people like me and probably the majority of my team, we do not find it difficult to implement or deploy. However, for some new generation people that are just coming to the industry, they might find other firewalls very easy and straightforward in terms of deployment because they cannot be compared to Cisco Secure Firewall devices. For me, probably based on my years of experience, I do not find any challenges in terms of deployment.
What about the implementation team?
The implementation team was effective.
What was our ROI?
Of course, what we are getting from Cisco Secure Firewall is worth it. There is always a return on investment because you find you invest heavily, but your environment is secure and then you are at rest; you do not need to panic. Even if attackers are coming, you know you will be rest assured that you are covered. Although other firewalls are okay, they cannot be compared to Cisco Secure Firewall.
What's my experience with pricing, setup cost, and licensing?
The setup cost is somewhat high compared to other firewalling solutions.
Which other solutions did I evaluate?
I have a different job title now as I am doing more consulting work.
What other advice do I have?
For instance, we have some resources on Azure, and when it comes to security posture on Azure, I take about more than 50% of it because I am in charge. When it comes to cloud security, we do not really have full control 100%, unlike when you have your firewall on-premises where you are the alpha and omega of the solution and these devices. You can do whatever you want to do. However, cloud security gives a kind of platform whereby you have some limitations because you do not have physical intervention to that device.
Aside from that, it is very easy to use, especially when you have hands-on experience with any of Cisco's devices before. You do not even need to take higher professional courses before you can manage it, especially if you can learn easily. For me, I learn quickly and I approach anything with the understanding that nothing is impossible, though it might take some time. My overall rating for Cisco Secure Firewall is 9 out of 10.
Unified policies have strengthened zero-trust demos and automate rapid threat containment
What is our primary use case?
Assessment of Cisco Secure Firewall – Policy Unification & Zero-Trust Enablement
I assess the policy unification and operational flexibility of Cisco Secure Firewall very positively, based on our hands-on deployment in the COE (Center of Excellence) lab environment where we conduct regular customer demonstrations.
1. Dynamic Policy Management in a Live Demo Environment
In our COE setup, firewall policies are frequently modified based on customer use cases.
- We regularly update existing rules or create new ones.
- Sometimes changes are required weekly.
- In certain scenarios, rule updates are needed multiple times in a single day.
- The environment is continuously adjusted to reflect customer-specific requirements.
Cisco Secure Firewall enables us to make these changes quickly and efficiently, demonstrating its operational flexibility and centralized policy control.
2. OT Network Segmentation & IDS/IPS Flexibility
Within our lab, we have a dedicated OT segment with multiple security zones configured.
To simulate real-world scenarios:
- We include attacker zones that generate controlled attack traffic.
- For some use cases, we enable IDS (detection-only) to showcase logging and monitoring.
- For other scenarios, we enable IPS signatures to demonstrate active prevention.
The ability to seamlessly switch policies from IDS-only mode to full intrusion prevention allows us to demonstrate multiple use cases using the same infrastructure without complexity.
This flexibility is particularly valuable in OT security environments where detection and prevention requirements may vary depending on operational needs.
3. Zero-Trust Architecture Demonstration
Cisco Secure Firewall plays a critical role in demonstrating Zero-Trust architecture in our lab.
Our integrated setup includes:
- Cisco Secure Firewall
- SDA fabric / trusted network switches
- Cisco Identity Services Engine (Cisco ISE)
Using Cisco ISE:
- Users are securely onboarded onto the network.
- Authentication and authorization policies are enforced.
- Role-based segmentation is applied.
If a connected user attempts unauthorized actions—such as accessing malicious destinations or generating abnormal traffic—the system responds automatically.
4. Automated Threat Containment – Practical Demonstration
For example:
- We restrict excessive ICMP traffic between segments.
- If a user continuously generates abnormal ICMP traffic,
- The firewall detects the behavior using IPS signatures.
- The firewall notifies Cisco ISE about the abnormal activity.
- Cisco ISE automatically quarantines the client into a restricted VLAN.
This process occurs without any manual intervention.
Even though our lab does not generate fully malicious real-world attacks, customers can clearly see how:
- The firewall detects suspicious activity.
- The integrated ecosystem communicates automatically.
- The endpoint is isolated in real time.
- The threat area is segmented from the rest of the network.
This provides a complete, practical Zero-Trust story:
- Secure onboarding
- Least-privilege access
- Continuous monitoring
- Automated threat response
- Dynamic segmentation
5. Unified Security Story for Customers
What makes this powerful is not just the firewall capability alone, but the integrated ecosystem:
- Identity-driven access control
- Behavioral detection
- Automated containment
- Dynamic VLAN reassignment
- Segmentation of threat zones
Cisco Secure Firewall allows us to demonstrate how a fully integrated security architecture can automatically identify, isolate, and contain threats—helping organizations minimize risk and maintain operational continuity.
What is most valuable?
One of the most valuable aspects of Cisco Secure Firewall is its deep and seamless integration within the Cisco security ecosystem.
While most next-generation firewall capabilities are broadly comparable across OEMs, the true differentiator lies in Cisco’s ecosystem-driven architecture and automation capabilities.
1. Ecosystem-Driven Security Automation (Unique Differentiator)
We have deployed Cisco Identity Services Engine (Cisco ISE) as our NAC solution and integrated it directly with Cisco Secure Firewall.
This integration enables Rapid Threat Containment (RTC):
- If the firewall detects malware activity (e.g., malicious download attempts or suspicious behavior),
- It automatically notifies Cisco ISE,
- Cisco ISE dynamically quarantines the endpoint or moves the user into a restricted security segment,
- All without manual intervention.
This closed-loop automation between detection and enforcement is a powerful advantage. It significantly reduces response time, limits lateral movement, and strengthens overall security posture.
This level of orchestration across network and security components is a major reason we prefer Cisco over other OEMs.
2. Advanced Visibility & Log Analytics
Another strong capability is the rich dashboard visibility within Cisco Secure Firewall.
- Detailed traffic analysis
- Granular log inspection
- Application-level visibility
- Improved troubleshooting capabilities
The dashboard enables faster root cause analysis and better operational decision-making.
3. AI-Driven Optimization with Cisco Secure Cloud Control
Recently, Cisco introduced Cisco Secure Cloud Control (SCC), a cloud-based unified security management platform.
With SCC, we gain access to AI-driven operations (AIOps), which provides:
- Rule optimization recommendations
- Identification of overlapping firewall rules
- Policy cleanup insights
- Performance optimization guidance
This AI-assisted intelligence improves firewall efficiency and reduces configuration complexity over time.
4. Flexible Hybrid Security Management
One of the strongest advantages of Cisco is deployment flexibility.
For customers who:
- Prefer a fully cloud-managed model → SCC provides centralized management.
- Require on-premise control due to compliance or data sovereignty → we can deploy Cisco Firepower Management Center (FMC).
- Want both on-prem control and cloud-based AI benefits → we can integrate on-prem FMC with SCC.
This hybrid capability allows organizations to:
- Maintain data control,
- Leverage AI-driven analytics,
- Manage multiple security products under a single umbrella.
This flexibility is a strong differentiator in environments with regulatory or operational constraints.
5. Improved User Experience & Modernized UI
From a configuration standpoint:
- The latest software releases have significantly enhanced the UI.
- Navigation is more intuitive.
- Policy configuration is more streamlined.
- Overall usability has improved compared to earlier versions.
This reflects Cisco’s continuous investment in platform modernization.
What needs improvement?
Feedback and Improvement Areas – Cisco Secure Firewall (Customer Perspective)
From a customer point of view, there are a few improvement areas observed while positioning Cisco Secure Firewall in competitive scenarios.
1. Dashboard & Visibility Enhancements
Customers often compare firewall dashboards across different OEMs during evaluation.
- Competing vendors typically provide more feature-rich and visually detailed dashboards.
- There is a perception that Cisco dashboards still require enhancement in terms of visualization, consolidated reporting, and built-in analytics.
- Some OEMs advertise additional security capabilities clearly within their publicly available data sheets, making competitive positioning easier.
In comparison, Cisco sometimes references separate documentation or explains how certain capabilities (such as anti-spam or antivirus functionality) can be achieved through integration or ecosystem components rather than native, built-in features. This creates a perception gap during customer discussions.
Improvement Opportunity:
- Enhance dashboard capabilities.
- Clearly articulate feature availability in public documentation and data sheets.
- Reduce dependency on cross-referenced documentation for commonly compared features.
2. Virtual Firewall / Multi-Instance Capabilities in Lower Models
Another competitive challenge relates to virtual firewall capabilities.
- Several OEMs provide virtual firewall (VDOM-like) functionality in lower-end models.
- In Cisco’s portfolio, multi-instance capability typically starts from higher-end platforms such as the 3K series or higher.
- Customers looking for smaller deployments with logical segmentation are often forced to consider higher models, resulting in a price jump.
Competitors also offer:
- Compact hardware models
- Dongle-based firewall appliances
- Smaller entry-level products with virtual segmentation
In Cisco’s case:
- To achieve similar multi-instance functionality, customers must opt for higher-tier models.
- This creates a significant pricing gap in entry-level or SMB deployments.
This pricing difference becomes a key factor when customers compare solutions. If competitors offer a lower-cost model with virtual segmentation, and Cisco requires a higher platform investment, customers may lean toward alternative OEMs.
3. Documentation Gaps – OT Protocol Visibility
In our lab environment, we have deployed Cisco Secure Firewall and are using Application Visibility and Control (AVC) for OT network monitoring.
Observations:
- OT protocols are clearly visible within application visibility.
- The firewall successfully identifies and classifies OT traffic.
However:
- This capability is not clearly mentioned in publicly available documentation.
- When a feature is available and functional, it should be explicitly documented in data sheets and feature guides.
The need for third-party integration depends on what we are looking for. Here I am saying that the integration with Cisco NAC can be done because RTC functionality is only available with Cisco ISE and the firewall integration. For other ecosystems, if we use a NAC solution that is not Cisco, we can still integrate it for user authentication, such as with VPN user authentication. But in that case, we don't achieve the same functionality, such as RTC with other NAC solutions. This is one aspect.
Another part is that if we are using it, it always happens with some NAC solutions because we have Cisco NAC and Cisco firewall; we want consistent policy across the network, whether the user is on-prem or using VPN services. If this is a unified OEM solution, in that case, we require an agent, such as the Cisco Secure Client. That allows us to easily check the posture status of the remote user and connect to the network effortlessly. But if we are using a third-party solution, we can't achieve that.
From a SIEM perspective, certain prerequisites must be fulfilled before integration with Cisco Secure Firewall can be completed. The feasibility of integration depends on the capabilities of the SIEM platform. If the SIEM solution supports the required APIs and event handling mechanisms, similar functionality can be achieved. Therefore, integration itself is generally not the challenge; the key consideration is the desired security outcome within the overall ecosystem.
If the customer does not have a SIEM solution and intends to automate quarantine actions or enforce restricted access for users, a Network Access Control (NAC) solution becomes mandatory. In this scenario, the recommended NAC solution is Cisco Identity Services Engine (Cisco ISE). Automated quarantine and dynamic access control workflows are dependent on NAC capabilities.
From a feature enhancement perspective for Cisco Secure Firewall, deeper NAC-driven integration adds significant value.
1. TrustSec / Tag-Based Policy Enforcement
Cisco ISE supports Cisco TrustSec, which enables Security Group Tag (SGT)-based segmentation.
- In traditional (legacy) networks, firewall policies are created based on IP addresses.
- With TrustSec, policies are defined based on user identity, group membership, and security tags instead of IP subnets.
- When users authenticate to the network, Cisco ISE assigns Security Group Tags (SGTs).
- These tags are shared with Cisco Secure Firewall.
- The firewall then enforces policies based on SGT-to-SGT rules rather than IP-to-IP rules.
Benefits:
- Significant reduction in the number of firewall rules
- Simplified policy management
- Improved scalability
- Easier implementation of role-based access control
This integration enhances operational efficiency and security posture.
2. Rapid Threat Containment (RTC)
Another key capability is Rapid Threat Containment (RTC).
If Cisco Secure Firewall detects malicious activity—such as malware download attempts identified via signature-based or advanced threat detection—it can notify Cisco ISE about the compromised endpoint.
Based on this input:
- Cisco ISE can automatically quarantine the user
- The endpoint can be moved to a restricted VLAN
- Access can be dynamically limited without manual intervention
This automated workflow ensures faster response time and reduces the risk of lateral movement within the network.
3. VPN and Posture Assessment
This functionality is not limited to wired or LAN users.
For VPN users:
- Authentication can be integrated with third-party NAC solutions.
- However, if posture assessment (device compliance checking) is required in addition to authentication, Cisco ISE integration with Cisco Secure Firewall becomes essential.
Cisco ISE enables:
- Endpoint posture validation
- Dynamic policy assignment
- Automated remediation workflows
For how long have I used the solution?
I have been working with Cisco Secure Firewall for around four to five years.
How are customer service and support?
For Cisco's technical support, I always rate it a ten. It's excellent.
How was the initial setup?
Implementation Approach – Cisco Secure Firewall
The implementation of Cisco Secure Firewall primarily depends on customer requirements and the selected management approach. Broadly, there are two deployment models:
- Cloud-based management
- On-premises management
Functionally, both approaches provide similar capabilities. The difference lies mainly in deployment workflow and management architecture.
1. Cloud-Based Deployment – Simplified Onboarding
When using cloud-based management through Cisco Secure Cloud Control, onboarding a new firewall is straightforward and efficient.
Key advantages:
- Plug-and-play provisioning
- No initial CLI configuration required
- Automatic onboarding to the management platform
- Centralized visibility from the cloud console
The typical process includes:
- Activating the tenant in the cloud management portal
- Completing basic prerequisites
- Connecting the firewall to the network
- Ensuring the device receives an IP address via DHCP
- Confirming internet connectivity for cloud registration
Once connected, the device automatically appears in the management portal and can be claimed without complex manual steps. This significantly simplifies large-scale or remote deployments.
2. On-Premises Deployment – Structured Preparation
For on-premises management using Cisco Firepower Management Center (FMC), the process is similarly straightforward but requires some initial preparation.
Before onboarding the firewall:
- FMC must be installed and fully configured.
- Network reachability between FMC and the firewall must be ensured.
- Registration keys and management connectivity must be prepared.
Once these prerequisites are completed, the firewall can be onboarded and managed centrally.
3. Deployment Timeline & Practical Experience
From our practical experience:
- Basic reachability and initial configuration can typically be completed within 30 minutes to a couple of hours.
- Plug-and-play onboarding significantly reduces deployment effort.
- Advanced configurations—such as production IPS signature tuning, policy optimization, and security rule validation—may require additional time depending on the environment.
Overall, the initial onboarding process is simple and efficient. The time investment primarily depends on the complexity of the security policies and production-level tuning requirements.
Overall Assessment
Cisco Secure Firewall offers:
- Flexible deployment models (cloud or on-prem)
- Simplified plug-and-play onboarding
- Minimal CLI dependency for initial setup
- Scalable management architecture
- Efficient initial configuration timeline
What other advice do I have?
Regarding the impact of the cloud-delivered firewall on my customer's security posture, considering the firewall's deployment in production is crucial. When someone deploys the firewall, they will apply some intelligence and follow best practices to deploy the solutions. But afterward, the person managing the firewall sometimes adds rules based on urgency, allowing certain rules that might permit any-any traffic. To mitigate some issues, they forget to disable this rule later. This rule shouldn't remain active in the firewall. This is one aspect they can encounter.
Another issue we face with customers is that they continue with the same configuration without updating new patches. They only update the setup when something happens. This is what sometimes occurs; users don't renew their license subscriptions. If they lack an updated subscription, they won't receive updates for the latest signatures. This will create problems in the live environment. Overall, I would rate this solution an eight out of ten.
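The rule-hygiene problem described in the review above, an urgent any-any permit that is never disabled, can be checked for mechanically. The following is an added example, not part of any review and not Cisco tooling: a Python audit over ASA-style `access-list` lines, where the ACL names, addresses and remarks in the sample are constructed.

```python
# Constructed sample in ASA "access-list ... extended" syntax (not taken from the review).
SAMPLE = """\
access-list OUTSIDE_IN remark web front end
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list INSIDE_OUT remark TEMP for outage troubleshooting, remove after fix
access-list INSIDE_OUT extended permit ip any any
access-list INSIDE_OUT extended permit tcp any any eq 443
access-list DMZ_IN extended permit ip any4 any4 inactive
access-list DMZ_IN extended deny ip any any
access-list OT_IN extended permit udp object-group PLCS any
"""

ANY = {"any", "any4", "any6"}
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> argument count
BROAD_PROTOCOLS = {"ip", "tcp", "udp"}  # service object-groups are not expanded here


def _addr(tok, i):
    """Consume one address spec at tok[i]; return (text, next index)."""
    if tok[i] in ANY or "/" in tok[i]:          # any* keyword or IPv6 prefix
        return tok[i], i + 1
    return " ".join(tok[i:i + 2]), i + 2        # host X | object X | network mask


def _ports(tok, i):
    """Consume an optional port operator at tok[i]; return (text or None, next index)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = 1 + PORT_OPS[tok[i]]
        return " ".join(tok[i:i + n]), i + n
    return None, i


def audit_acl(config_text):
    """Return permit rules with source any, destination any and no destination port."""
    findings, remarks = [], {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "access-list":
            continue
        name = tok[1]
        if tok[2] == "remark":
            remarks[name] = " ".join(tok[3:])   # remember it for the next rule
            continue
        if tok[2] != "extended":
            continue
        remark = remarks.pop(name, None)        # a remark documents the next rule only
        try:
            action, proto = tok[3], tok[4]
            if action != "permit" or proto not in BROAD_PROTOCOLS:
                continue
            src, i = _addr(tok, 5)
            _, i = _ports(tok, i)               # optional source port, ignored
            dst, i = _addr(tok, i)
            dport, i = _ports(tok, i)
        except IndexError:
            continue                            # truncated line, nothing to judge
        if src in ANY and dst in ANY and dport is None:
            findings.append({
                "line": lineno,
                "acl": name,
                "rule": raw.strip(),
                "active": "inactive" not in tok[i:],
                "remark": remark,               # why the rule was added, if recorded
            })
    return findings


if __name__ == "__main__":
    for f in audit_acl(SAMPLE):
        state = "ACTIVE" if f["active"] else "inactive"
        print(f"line {f['line']} [{state}] {f['rule']}  remark: {f['remark']}")
```

Active findings are the ones to review first; an inactive any-any rule is still worth deleting so it cannot be re-enabled by mistake.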
Comprehensive security has unified policy control and supports zero trust across clouds
What is our primary use case?
Cisco Secure Firewall can be used for perimeter security, IDS, IPS, and VPN purposes. When discussing secure access via Cisco Secure Firewall, it helps any roaming user, whether working from home, an airport, or in the office, to securely access any workload that could be located on a private cloud, public cloud, data center, or at the edge. It bypasses the on-premise firewall, but they offer firewall as a service, which is on the cloud and enables Secure Service Edge. Perimeter security is necessary and is part of their Secure Access offering, which is Firewall as a Service coming out of the cloud.
What is most valuable?
From Cisco Secure Firewall's security offering perspective, Cisco has a very comprehensive offering. Whether it is perimeter security in the form of firewall, user security for remote users for SASE, AI security, endpoint security, network security, or workload security, this fits very well into an overall security architecture proposed by Cisco, which is called a Security Reference Architecture. They have a very comprehensive range of products that integrate very well with their firewall. I do not view Cisco security offerings only from a firewall perspective, but from an overall offering perspective.
Cisco Secure Firewall includes something called Secure Cloud Control, which provides single management for consolidating policy across multiple pieces of equipment, whether it is a SASE policy, firewall policy, or otherwise. Centralized policy management is possible within that firewall, and if you want to orchestrate the same policy across multiple security products, you can use Cisco Secure Cloud Control.
What needs improvement?
Different models exist for Cisco Secure Firewall. Every on-premise model has a limit to the throughput it can support, and up to that limit, it scales fine. After reaching that limit, you are supposed to replace the model. For on-premise solutions, this is the case. However, Firewall as a Service can scale to a very large extent because it is a cloud-based offering that can scale up to a very large number, which is not a problem.
For how long have I used the solution?
Cisco Secure Firewall has been used and sold for at least three to four years.
What do I think about the stability of the solution?
Cisco Secure Firewall is quite stable. If I had to rate stability from zero to ten points for Cisco Secure Firewall, I would give it an eight.
What do I think about the scalability of the solution?
Cloud-delivered firewall provides much better flexibility for an organization via Cisco Secure Firewall. First, you can ensure that any users coming from outside securely access any workload that the organization may be running either in a private cloud or public cloud on a hyperscaler. Second, it provides what is called local internet breakout, where any services not supposed to go through the firewall can do a local internet breakout. With Firewall as a Service, you can consume capacity as you grow, rather than trying to put one firewall for your peak load. This gives tremendous flexibility similar to the flexibility that exists in cloud consumption.
How are customer service and support?
If I had to give points for technical support from Cisco, I would give it an eight. It is pretty good, and we do not face a challenge. The reason is that our own team is pretty capable technically, so we do not go back to Cisco for much support. Whenever we have requested support, they have been pretty responsive.
What other advice do I have?
I do not view Cisco security offerings only from a firewall perspective, but from an overall offering perspective. Cisco Secure Firewall helps with the Zero Trust Security Model. ZTNA is a concept that has to be implemented at every tier, including the firewall. You cannot implement zero trust without a firewall also supporting it. It is an important piece in building a zero trust architecture. The review rating for this product is an eight out of ten.
Unified security has protected mixed IT-OT environments and simplifies remote industrial access
What is our primary use case?
Cisco Secure Firewall provides intelligent devices that can manage security issues between IT and OT environments. IT is an information technology environment consisting of servers and data centers, while the OT environment is operational technology related to PLC cabinets and machines. When integrating both to work in business processes, security issues between IT and OT must be managed, and Cisco provides excellent devices for managing this challenge.
I primarily use Cisco Secure Firewall in manufacturing fields rather than applications. In a small area, I integrated Cisco with RADIUS for authentication purposes and TACACS, applying security rules to external access for suppliers from Europe and the USA to our environments.
I use cloud-delivered firewall in parts of our business because we have multiple locations distributed across Egypt and Germany. I needed to use a firewall in the cloud to publish security policies remotely and manage separate locations with the same vendor like Cisco.
What is most valuable?
The biggest benefit of Cisco Secure Firewall and the features that stand out to me are its excellent integration with PLC and manufacturing devices. This option cannot be found on other devices such as Sophos or FortiGate.
The unification of policies is very important to me because without unified communication between devices with the same rule and security policy, managing everything with separate technology and separate vendors would be very difficult. Cisco excels at this.
The deployment of Cisco Secure Firewall was completed in-house.
What needs improvement?
Regarding implementing a zero-trust security model, I did not pursue this option because zero-trust is new technology with significant human impact on business operations. I use multi-factor authentication instead, with devices such as YubiKey, which is a USB device for trusting device authentication with hardware, but I have not implemented zero-trust at this time.
I do see some drawbacks with the authentication portions of Cisco, which are very legacy and have not been improved for a long time, such as using 802.1X switches. These aspects must be improved.
For how long have I used the solution?
I have been using Cisco Secure Firewall for ten years.
Which solution did I use previously and why did I switch?
For some period of time, we were a partner with Cisco, and after that, we began working as a customer.
What was our ROI?
I see some ROI through savings, including time and money savings. When evaluating Cisco over a longer period, I save money because the service renewal costs are substantial compared to alternatives. If I consider FortiGate, each module costs money and each renewal costs money. When comparing Cisco with other vendors, I believe Cisco's licensing is better.
Which other solutions did I evaluate?
Some differences from a technical standpoint are that Cisco is more professional in creating and applying rules on devices and integrating with other infrastructure, particularly routers. If I wanted to integrate access points and switches with Sophos or FortiGate, I would have to purchase the same brand name from those vendors and not integrate with others. This is a significant limitation. With Cisco, I do not have to purchase everything from a single partner and can mix between providers to take advantage of each product's benefits.
What other advice do I have?
We are currently using Cisco Secure Firewall ASA and are planning to use Cisco Vision. Cisco provides many tools to have visibility of packets moving on the network and enables capturing certain packets for analysis, which others cannot do.
Cisco Secure Firewall is very fair according to the benefits it provides. When comparing Sophos, FortiGate, and Cisco in terms of benefits and stability, Cisco is excellent.
Cisco Secure Firewall has a degree of complexity, but I believe it is more professional in deployment because it operates at the data link layer and network layer rather than only at the application and web levels. I rate this review as a nine out of ten.
Unified industrial security has improved integration and supports fast rule migration and tuning
What is our primary use case?
I benefit from using Cisco Secure Firewall mainly because at least 99% of my customers have a Cisco environment, including switching and routing, making it easier to integrate with other Cisco components than with other vendors.
The impact of a cloud-delivered firewall on my organization's security posture depends on the environments I manage, which are primarily disconnected and focused more on industrial security rather than the cloud. While traditional IT recognizes that the delivery of cloud services is beneficial, comparing it to Azure Firewall, Google Firewall, or AWS Firewall shows that they are not true firewalls but rather sets of rules that do not work perfectly. From my perspective, it is better to add Cisco Secure Firewall for proper coverage.
What is most valuable?
The deployment for Cisco Secure Firewall takes no more than six to eight hours, but the fine-tuning of the solution typically takes four or five days.
Using Cisco Secure Firewall is financially beneficial as it provides clear settings for all members managing the solution, making it easy to teach the engineering team how it works and how to configure it, ultimately reducing the time needed to apply policies or make changes in the infrastructure.
What needs improvement?
I would assess Cisco Secure Firewall's ability to unify policies across environments as complex, since different customers have varying situations. Some wish to consolidate rules in the same place, while others prefer different rule sets in different locations.
For how long have I used the solution?
How are customer service and support?
I would rate Cisco's technical support a nine out of ten.
What about the implementation team?
What other advice do I have?
I am working with both on-premises and cloud deployment models.
I have not used any new features or functionalities recently in Cisco Secure Firewall, as it usually functions as a Layer 4 firewall without applying any filtering or inspection.
My experience with the licensing model indicates that for a long time, I believed the price was reasonable, but currently, I am uncertain as all services I purchase are directly from the customer while I act as a consultant, not purchasing any components myself.
I would rate this product a nine out of ten overall.