    Cisco Secure Firewall Threat Defense Virtual - PAYG

    Deployed on AWS
    Free Trial
    Protect your dynamic cloud environments with consistent security, superior visibility, and advanced threat defense such as application visibility and control, deep packet inspection, IPS, malware defense, and URL filtering - powered by Cisco Talos® Threat Intelligence. Achieve deeper visibility into QUIC and TLS 1.3 traffic without breaking Layer 7 policies.
    4.2

    Overview

    Cisco Secure Firewall Threat Defense Virtual delivers consistent security, deep visibility, and advanced threat defense options to help you maintain business continuity amidst unpredictable threats and change. Take advantage of capabilities such as application visibility and control, Snort 3 IPS, malware defense, URL filtering, and Cisco Talos® Threat Intelligence to protect against known and unknown threats across your environments. Maintain Layer 7 policies on encrypted QUIC and TLS 1.3 traffic with our Encrypted Visibility Engine.

    Realize a payback period of 10 months over a three-year investment*.

    Secure your dynamic environments consistently: Gain consistent security policy enforcement, deep packet inspection, and ingress and egress traffic protection across your cloud environments.

    • Deeper visibility into QUIC and TLS 1.3 encrypted traffic without breaking Layer 7 policies
    • Dynamic attribute support for AWS tags for situations where static IP addresses are not available
    • Firewall clustering for highly available threat defense

    Achieve greater efficiency with unified firewall management: Cisco Secure Firewall Management Center gives you the freedom and choice to administer firewalls, correlate and prioritize threats, as well as quickly act on them in a single pane of glass.

    • Reduce up to 95%* of network operation work streams by managing your firewall stack with Secure Firewall Management Center
    • Management offered in cloud-delivered, virtual, and on-premises form factors
    • Supports REST API - an HTTP-based interface for management, policies, and monitoring

    Accelerate response with Cisco SecureX: Every Secure Firewall includes entitlement for Cisco SecureX to accelerate threat detection and remediation.

    • Speed up incident response with the new SecureX ribbon in Firewall Management Center, enabling SecOps to instantly pivot to the SecureX open platform
    • Configure AWS VPCs manually or automatically from SecureX in response to events from Cisco Secure products
    • Monitor your AWS accounts and workloads for malicious activity by integrating with Amazon GuardDuty

    Introduce AWS services for added benefits:

    • Combine with Amazon Gateway Load Balancer to dynamically insert scalable security into your AWS environment and reduce complexity
    • Leverage Amazon Route 53 for remote access VPN
    • Integrate with AWS Transit Gateway for scalable inter-VPC traffic

    For supported AWS instances, please see the data sheet. To get started, see our Getting Started Guide.

    *Forrester Total Economic Impact of Cisco Secure Firewall, 2022. <www.cisco.com/go/firewallTEI>

    Highlights

    • An AWS Security Competency approved solution providing real-time, unified, network security to protect your most critical infrastructure and data across dynamic environments.
    • Delivers the most advanced threat defense options with Snort 3 IPS, visibility into encrypted QUIC and TLS 1.3 traffic, malware defense, URL filtering, deep packet inspection, and application visibility and control.
    • Cisco Talos® Threat Intelligence is included, protecting against known and unknown threats from one of the world's largest commercial threat intelligence teams.

    Details

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    OtherLinux 10.0.0-140

    Features and programs

    Buyer guide

    Gain valuable insights from real users who purchased this product, powered by PeerSpot.

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

    Pricing

    Free trial

    Try this product free for 30 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.

    Cisco Secure Firewall Threat Defense Virtual - PAYG

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (31)

    Dimension                   Cost/hour
    c5.xlarge (Recommended)     $1.00
    c4.xlarge                   $1.00
    c6in.4xlarge                $3.50
    c3.xlarge                   $1.00
    c5a.xlarge                  $1.00
    c5n.2xlarge                 $1.80
    c6a.xlarge                  $1.00
    m5zn.2xlarge                $1.80
    c5n.4xlarge                 $3.50
    m5n.xlarge                  $1.00

    Vendor refund policy

    The Cisco NGFWv instance can be terminated at any time to stop incurring charges.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Support

    Vendor support

    For Community Support, please visit the Cisco Security Firepower community using the link below and include NGFWv-AWS in the title of your discussion for the fastest response. The partners listed below can also sell support contracts.

    • https://supportforums.cisco.com/community/12249536/firepower-firesight-system
    • http://WWW.TRACE3.COM
    • http://WWW.SHI.COM
    • http://WWW.SYCOMP.COM
    • http://WWW.COMPUTACENTER.COM (EMEAR)
    • http://WWW.VELOCIS.IN (APJ)

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Updated weekly

    Accolades

    • Top 25 in Network Infrastructure
    • Top 10 in Migration
    • Top 10 in Device Connectivity

    Customer reviews

    Sentiment is AI generated from actual customer reviews on AWS and G2.
    Categories: Reviews, Functionality, Ease of use, Customer service, Cost effectiveness.
    Legend: Positive reviews, Mixed reviews, Negative reviews.

    Overview

    AI generated from product descriptions

    • Intrusion Prevention System: Snort 3 IPS engine for detecting and preventing network-based attacks and intrusions
    • Encrypted Traffic Visibility: Encrypted Visibility Engine providing Layer 7 policy enforcement and deep visibility into QUIC and TLS 1.3 encrypted traffic without decryption
    • Threat Intelligence Integration: Cisco Talos Threat Intelligence integration for protection against known and unknown threats
    • Deep Packet Inspection: Deep packet inspection capability combined with application visibility and control for comprehensive traffic analysis
    • Firewall Clustering: Firewall clustering support for high availability and distributed threat defense across cloud environments
    • Intrusion Detection and Prevention: Intrusion detection and prevention (IPS) capabilities for threat detection and mitigation
    • Application Security and Visibility: Application visibility and control through AppSecure with L4-L7 security services
    • VPN and Secure Connectivity: IPsec and full mesh VPN termination services for secure connectivity across on-premises data centers, campuses, branches, and geographically dispersed VPCs
    • Cloud-Native Integration: Integration with AWS services including Elastic Load Balancer, Auto-Scaling Groups, CloudWatch, Security Hub, Key Management Service, and Gateway Load Balancer (GWLB) with L3 gateway and L4 load balancer capabilities
    • Advanced Routing and Network Services: Cloud-grade routing capabilities with NAT, firewall, and network address translation services
    • Software-Defined WAN (SD-WAN) Engine: Built-in SD-WAN engine combining multiple remote access and WAN optimization technologies for secure access to cloud resources across office and mobile users.
    • Intrusion Prevention System (IPS): Integrated IPS engine providing real-time network protection against a broad range of network threats.
    • Application-Based Traffic Control: Enterprise-grade firewalling with application-aware segmentation and traffic control based on application identity, ports, and user identity.
    • Network Access Control: Network access control enforcement capabilities for enforcing security policies across dispersed network environments.
    • VPN and Secure Connectivity: VPN technologies enabling secure remote access, secure office-to-cloud connectivity, and cloud network segmentation with support for branch office direct internet schemes.

    Contract

    Standard contract: No, No, No

    Customer reviews

    Ratings and reviews

    4.2 (167 ratings)

    • 5 star: 47%
    • 4 star: 44%
    • 3 star: 8%
    • 2 star: 1%
    • 1 star: 0%

    14 AWS reviews | 153 external reviews
    External reviews are from G2 and PeerSpot.

    reviewer2847990

    Security intelligence has protected sensitive workloads and reduced endpoint incident impact

    Reviewed on Jun 01, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use cases for Cisco Secure Firewall vary between branch office, remote connectivity for site-to-site tunnels, partner organizations that we want to connect and share information with, and also protecting internal sensitive workloads and providing secure access to the internet.

    What is most valuable?

    The features that I appreciate most about Cisco Secure Firewall include the security intelligence that is incorporated into it. Not only can I rely on information coming directly from Cisco from everything they see across all their customers, but I am also able to use many of the same underpinnings they have built out to incorporate information from other sources.

    These features have benefited my organization significantly. For example, they certainly reduce the risk impacting endpoints because if something arises where we have a device reaching out to something that presents a risk, that intelligence helps with assessing and blocking that communication. This way, we do not have as high of an impact for a potential incident that we need to clean up.

    What needs improvement?

    I assess the operational efficiency of Cisco in my IT environment as needing some optimization, but at least some of the tools are incorporating AI to help with finding opportunities for optimization to make the product perform better.

    My impression of the end-to-end visibility offered by Cisco is that there are certainly many different options available, and not everyone can afford to have everything in the Cisco portfolio to incorporate all of that to get full visibility. However, from the portfolio suite, there is certainly a lot there to enable customers to have visibility.

    My experience with deploying Cisco Secure Firewall has had the biggest challenges in relation to device clustering. Having edge deployment scenarios where you have high connection counts, high user counts, and a need for high availability and load balancing across that has been very complicated to set up correctly. Even when it is set up correctly, there are still times when I have a firewall cluster experiencing issues that require opening a TAC case. This is frustrating considering the solution has been in place for years and suddenly starts to have issues, even when everything looks completely healthy in the health dashboards.

    If I could give Cisco Secure Firewall a 12, I would. I rate it as an eight. It still has some growing pains, especially trying to combine two different product lines with Snort and Cisco ASA. Not having feature parity across the entire gamut yet is still a pain. On the software side, you still have to understand the engineering behind it, particularly how the product works at the different layers, because it is not necessarily one cohesive product base yet. It is still multiple components stacked on each other.

    For how long have I used the solution?

    I have been serving the same customer for 26 years using Cisco Secure Firewall with my latest company.

    What do I think about the stability of the solution?

    I assess the stability and reliability of Cisco Secure Firewall as having been fairly reliable. When there are issues, it is easy enough for us to engage with TAC and replace hardware quickly.

    What do I think about the scalability of the solution?

    From my perspective, many of the issues that presented a challenge have already been addressed or will be addressed soon with Cisco Secure Firewall, such as decrypting certain types of traffic like QUIC, which has traditionally been a challenge. With no solution there previously, you were having to outright block that traffic, which does cause an impact. Cisco is taking the right steps to help make those issues less impactful when they do arise. I do not have anything that comes to mind that I would say needs to be addressed urgently.

    How are customer service and support?

    I evaluate customer support and tech support as excellent, and I would rate it as a very high number on a scale of one to ten. There were a few years, especially following COVID, where it was very challenging even for severity three incidents that we had open where it would take up to a month to have some initial contact, which was very disheartening. However, now with that same level of severity, you are getting a callback within 30 minutes. My most recent case that I had to engage on, the engineer went way above and beyond what I had asked for, and I was very happy with the support that they have given us.

    Which solution did I use previously and why did I switch?

    Prior to adopting Cisco Secure Firewall, I have always had Cisco firewalls in the environment across my entire tenure. It has never been a complete rip and replace. We did have a point in time where at the edge we had Check Point firewalls. They worked well, but when it came time for replacement, we put Check Point against Cisco and Cisco won out, which I was happy about because I prefer Cisco.

    How was the initial setup?

    My experience with pricing, setup, and cost licensing is that cost is always an issue for everyone. I think it has gotten easier, especially when it comes to larger customers with enterprise agreements. For example, my organization, while we have 5,000 users and around 18,000 endpoints, there was a time when we were considered not big enough to take advantage of an enterprise agreement. Considering the amount of product that we buy, that was a bit disheartening. But now, with more flexible options for purchasing and enterprise agreements, it has made it easier for us to not only purchase product but also have a clear idea of what we are allowed for growth and have something that is predictable for the cost of that management piece. Cisco has done a really good job with that.

    What other advice do I have?

    I really do not face any specific challenges with hybrid and distributed enterprise networks that Cisco addresses at the moment, so it does not really apply to us. I rate Cisco Secure Firewall as an eight out of ten.

    reviewer2847924

    Firewall has improved internal VM performance and simplified hybrid infrastructure management

    Reviewed on Jun 01, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use for Cisco Secure Firewall is primarily for our internal VMs and similar infrastructure.

    What is most valuable?

    What I like the most about Cisco Secure Firewall is that it performs better than our previous product. We had a lot of latency issues and general problems with our previous solution, but this firewall functions much better.

    Cisco optimizes the experience by providing a single pane of glass for our GUI and firewall management, which is probably the best feature.

    I assess the operational efficiency of Cisco in my IT environment as very strong, as it integrates well with most of our existing infrastructure since we are already a Cisco shop.

    Cisco does optimize the experience in a hybrid or distributed enterprise setup.

    What needs improvement?

    I evaluate customer service and technical support as quite good. The documentation could use some improvement overall, as there are some errors in it. However, when we interact with support personnel and the AI agent, the experience is usually very good.

    For how long have I used the solution?

    I have been using Cisco Secure Firewall for about six months, having received our firewalls during that time.

    What do I think about the stability of the solution?

    I have not experienced any downtime or crashes.

    What do I think about the scalability of the solution?

    Cisco Secure Firewall scales well with the growing needs of my organization and certainly scales beyond what we needed.

    How are customer service and support?

    I evaluate customer service and technical support as quite good. The documentation could use some improvement overall, as there are some errors in it. However, when we interact with support personnel and the AI agent, the experience is usually very good.

    Which solution did I use previously and why did I switch?

    Prior to Cisco, we were using a few different options, but much of our infrastructure was Grandpea and Upsense.

    How was the initial setup?

    Deploying Cisco Secure Firewall was as painless as swapping an internal firewall can be.

    What was our ROI?

    I have seen ROI mainly because our firewall runs our internal infrastructure, and we offer some services behind it, so overall, I would say the ROI is positive.

    What's my experience with pricing, setup cost, and licensing?

    My experience with price, setup costs, licensing, and related factors was beyond my direct involvement, but I know it came down to a deal that included other products. Overall, we were very happy with the arrangement.

    Which other solutions did I evaluate?

    What stood out to me during the evaluation process was that choosing Cisco made sense primarily because we are already a Cisco shop and are familiar with their sales representatives, products, and dashboards.

    What other advice do I have?

    I give Cisco Secure Firewall an overall rating of eight out of ten.

    Julian Paez

    Secure connectivity and custom threat detection have protected hybrid environments and user activity

    Reviewed on May 26, 2026
    Review from a verified AWS customer

    What is our primary use case?

    I have two different perspectives about my use cases for Cisco Secure Firewall. The first one is the device frontier, creating all the connections between on-premise, cloud, on-premise to on-premise, VPNs, NAT and also rules for secure endpoints or user endpoints for downloading malicious files or visiting different websites.

    The other use case was threat intelligence, which I mostly used Snort rules or created Snort rules on the firewall to understand or catch early attackers before they started the attack.

    What is most valuable?

    Snort is one of the features of Cisco Secure Firewall that I know is an open-source rule, but it is really cool that the firewall allows you to create your own rules using this protocol for threat intelligence.

    The flow of Cisco Secure Firewall is something that I have a lot of experience creating policies with, but the way the policies work is unusual. For example, they are using every single policy that cascades between each other, and other vendors do not use that kind of flow. Other vendors allow you to create one rule for a specific thing without needing to iterate something from another policy. That is something I do not dislike, but it is hard to work with that kind of flow.

    What needs improvement?

    As I mentioned, Cisco Secure Firewall's flow is easier with Palo Alto to create things and configure things, also with the policies. But this vendor does not have the possibility for Snort, so I need to work with what the vendor gives to me and it is not really free to use. On the basic configurations and day-to-day tasks that we are having using this tool, it is much easier to use Palo Alto than Cisco Secure Firewall. Cisco has the feature that is Snort, but it is easier to use Palo Alto in general.

    Compared to the license of Cisco Secure Firewall, it was expensive. Right now compared with Palo Alto, Cisco Secure Firewall is kind of expensive. Basically, the license for the VPNs is for all the interfaces, and that is the thing that is really expensive compared with Palo Alto.

    For how long have I used the solution?

    I am not using Cisco Secure Firewall too much now because I left my previous company, but in previous companies I worked with Cisco Secure Firewall for four to five years.

    What do I think about the stability of the solution?

    There was basically one downtime with Cisco Secure Firewall that was for a DDoS attack. I think that it was due to a bad configuration from our side. Without those configurations, there were no issues. I would say that the product is pretty much stable and the issue was our fault.

    What do I think about the scalability of the solution?

    Cisco Secure Firewall is scalable, but if you have the money for the license, then it is scalable.

    How are customer service and support?

    I have had to contact Cisco technical support two times. One time was to integrate the firewall with the WLC, Wireless LAN controller, for wireless issues, and the other time was for the license that was not activated due to something that happened with the payments.

    The first case on the WLC for Cisco Secure Firewall was not very good because it took more than one week with the first call and emails back and forth to resolve the issue. The answers from the technical assistance center gave me the sense that they did not really know what we needed to do or what we needed for escalations. On the other hand, for the payment issues for the license, that team was really clear and resolved the issue in less than 12 hours.

    With my experience with those two support cases, I would rate Cisco technical support a seven on a scale from one to ten.

    Which solution did I use previously and why did I switch?

    I have experience with Cisco in two parts. I worked with Cisco as the SM for one of the companies in Colombia, and I have also worked with other customers that use Cisco. I have been on both sides.

    How was the initial setup?

    There are two ways for the initial deployment of Cisco Secure Firewall. We have the on-premise device, when I was working in that company, and we also deployed one of the solutions for Threat Defense on Azure. I think that it is easier for on-premise because you have direct connections, and if something happens troubleshooting all the initial IPs is better that way. It is pretty smooth to update it or create that firewall on Azure. On AWS, it is easy. They have some troubles with the Linux instance, but on Azure, it is pretty smooth.

    What about the implementation team?

    Cisco Secure Firewall is all about taking care for Cisco right now. Previously it was not, but right now it is.

    What's my experience with pricing, setup cost, and licensing?

    Compared to the license of Cisco Secure Firewall, it was expensive. Right now compared with Palo Alto, Cisco Secure Firewall is kind of expensive. Basically, the license for the VPNs is for all the interfaces, and that is the thing that is really expensive compared with Palo Alto.

    Which other solutions did I evaluate?

    I have used Fortinet and Palo Alto as alternatives to Cisco Secure Firewall.

    It is hard to say, but right now I have been working with Palo Alto. That is currently my best option and I learned a lot from this vendor compared to Cisco Secure Firewall.

    What other advice do I have?

    I have experience with Cisco in two parts. I worked with Cisco as the SM for one of the companies in Colombia, and I have also worked with other customers that use Cisco. I have been on both sides.

    The last time with Cisco I was a partner.

    My overall review rating for Cisco Secure Firewall is nine out of ten.

    Francisco Galva

    Centralized firewall has simplified network defense and has improved VPN troubleshooting

    Reviewed on May 22, 2026
    Review provided by PeerSpot

    What is our primary use case?

    Cisco Secure Firewall serves as our primary line of defense when receiving traffic for the customers that we serve, and from there, it is distributed across our network. It is the main firewall for the division of service that we manage the network for.

    What is most valuable?

    Cisco Secure Firewall performs very well in that the web interface is manageable when deploying configurations because it is very easy to set up. I don't have to write all those lines of configuration codes directly on the devices, but I can do it on a visual interface where I can double-check before pushing any configuration through, and that is very useful. When setting VPN connections, the filtering during troubleshooting is particularly helpful, as the Cisco IOS CLI has never been very capable when filtering during troubleshooting of a deep issue, and the interface is very helpful when it comes to that.

    What needs improvement?

    There are quite a lot of bugs when opening sub-windows, as sometimes I cannot extend the size to read more information, and when writing a long line of text, it can be annoying.

    For how long have I used the solution?

    I have been using Cisco Secure Firewall for approximately three or four years now.

    What do I think about the stability of the solution?

    I have seen some instability regarding Cisco Secure Firewall. This may have been on us because we had a provisioning capacity issue and had to make an upgrade to serve the needs of our network. We experienced the issue due to a memory issue with one of our firewall pairs. Despite that issue, the devices are very reliable and stable under normal functioning.

    What do I think about the scalability of the solution?

    Cisco Secure Firewall is very scalable. It is almost transparent from both customer and service technician perspectives, and I would give Cisco a 10 for scalability. This has been one of its strengths in their history.

    How are customer service and support?

    I have contacted the technical support or customer support of Cisco regarding this solution. The speed of the support was appropriate. The quality was challenging to assess because when given a problem to resolve, there are so many details to recover and so much context of the company's usage to understand that it is not as simple as saying the official support of Cisco must have a magic wand to resolve the issue. At the end of the day, they were not able to provide the proper insight that we needed to resolve the issue we were facing at the time.

    It is worth mentioning that our head of network is one of the toughest professionals I have come across when it comes to networking, and this may have made it more difficult for them because every person who came on the line was way ahead of them. When trying to get to a solution and having to repeat myself, I can come into a call not knowing everything, and recovery scripts must be run to gather information, analyze it, and then come back with a solution. In the end, it did not work, and we had to use another workaround developed by us. I would not say the support was bad; it was efficient in communication, but the final solution was not satisfactory.

    Which solution did I use previously and why did I switch?

    I have never used any direct alternative to Cisco Secure Firewall, although there were discussions about switching to another vendor. After a lot of discussion, we remained with Cisco for its capabilities and some other details. It came into consideration to switch to another vendor for administrative decisions because Cisco solutions are quite expensive, and other vendors might do the job for a considerably lower amount, but Cisco remained. We never managed to use an alternative.

    How was the initial setup?

    The initial deployment was most difficult because there were some compatibility issues. At the time I came to the team, we were transitioning from Cisco ASA to the new Firepower solution, and the tools for migrating the configuration about the objects were not working properly. I did not have the time to work out why since I was not the main architect of the network and was in a lesser role, but this was one of the main challenges I worked on. We had to do a lot of scripting and manual work to migrate the objects and configure the new solution because Cisco ASA was not very capable of extracting the information to push to a newer generation of firewalls.

    What about the implementation team?

    We handle maintenance on Cisco Secure Firewall ourselves. We require maintenance and upgrades, and we do it ourselves.

    What other advice do I have?

    I would rate this product an 8 out of 10 overall.

    reviewer2764818

    Improved perimeter security and segmentation have reduced threats but identity integration still needs work

    Reviewed on May 04, 2026
    Review from a verified AWS customer

    What is our primary use case?

    I primarily use Cisco Secure Firewall for two main purposes. The first is perimeter security, particularly for all locations, especially data centers where we determined that SASE would be overkill. I secure all traffic from the firewalls for servers hosted in data centers, with a small group of users working and having their internet egress out of data centers. Perimeter security for secure internet access is the predominant use case.

    The second purpose is segmentation. We have different zones depending upon the criticality of applications. We have a DMZ, an internal DMZ, and other zones. The primary task is to ensure that whenever there is a difference in the trust level from one zone to another, we have a firewall in between. These firewalls provide next-generation advanced threat prevention, firewall rules, stateful firewall rules, and we use Snort 3 for IPS/IDS detections. We are using all the features that Cisco Secure Firewall has to offer.

    What is most valuable?

    For all inline traffic, Cisco Secure Firewall definitely delivers. The IPS engine is based upon a Snort 3 license and uses signature-based scanning. Behavioral detection exists to an extent, but it is not an ideal replacement for a traditional NDR (Network Detect and Response). It does not do AI-based modeling at the same level as traditional NDRs, but it is definitely decent. All signature scanning looks at the traffic, and if decryption is applied, post-decryption scanning examines the payload and matches signatures. If a signature is found, an alert is generated. It is a good solution, though not Suricata, but Snort 3 works differently and gets the job done.

    Cisco Secure Firewall is a next-generation firewall, and you must leverage all that can be leveraged for preventing lateral movement attacks and all these things that traditional security rules and firewall rules cannot address. Snort 3 and adaptive security bring behavioral and anomaly-based detections. Again, this is not as elaborate as NDR, but it is designed as a firewall and does the job effectively.

    Cisco Secure Firewall provides deep packet inspection, so I get deep visibility into every single packet. If attackers or insiders are smart enough to change the protocol behavior or tunnel the traffic through DNS tunneling or similar methods, the firewall can easily detect them. Deep packet visibility and deep packet inspection are crucial, as that is where it all starts. Additional features include DNS security and advanced IPS (NGIPS), which perform signature-based scanning. These feeds are updated in real time by Cisco Talos and integrated across all firewalls. While I would not say this protects against zero-day attacks, it is very close. It helps with lateral movement-based attacks because of the segmentation these firewalls enforce. It definitely cannot help with TLS 1.3, as no firewall can. There are many nuances involved. The key valuable features are deep packet visibility and inspection, the ability to enforce at all layers of the server model, and the ease of applying signature-based scanning along with behavioral-based detection, though not extensive.

    What needs improvement?

    Regarding integration options with user IDs, with the emergence of zero-trust network access and new paradigms, you must configure policies based upon who the user is and not IP addresses. Cisco Secure Firewall does support this and can integrate with Active Directory and Entra ID. However, based on my comparisons with Palo Alto next-generation firewalls, which I work with extensively, the number of options available with Palo Alto is quite extensive. You can integrate with any identity provider, but with Palo Alto it is not just traditional LDAP server and user ID and IP mapping constructs. There is room for improvement in this area.

    Based on my experience with Palo Alto and a couple of its competitors, there is room for improvement with the integrations with identity providers. The number of options and integration partners available with Palo Alto is more extensive compared to Cisco Secure Firewall. This is not because Cisco lacks these capabilities, but rather because other vendors are doing better things in this area. However, this is on Cisco's roadmap. I had contact with their sales teams and alliance teams, and they have these improvements carved out in their roadmap.

    For how long have I used the solution?

    Cisco Secure Firewall evolved from Cisco ASA, and then Cisco purchased Sourcefire. They integrated ASA with Sourcefire, and now they have Firepower. The current form of Cisco Secure Firewall represents this evolution. I have worked with Cisco Firewalls since 2013 or 2014.

    What do I think about the stability of the solution?

    When Cisco acquired Sourcefire and turned it into Firepower, it was a very problematic device. We had challenges every single day, with connectivity issues between the firewall and FMC (the management plane). The connection used to break, and we had to perform upgrades. Feature releases used to cause issues. Lately, this has not been the case.

    It was really problematic back then. Lately, we have not had significant service outages. The firewall is stable now. There are multiple firewall clusters that we have not rebooted in more than a year, which speaks volumes about stability. We receive regular feature releases and upgrades, and we get security advisories. Cisco has definitely done an excellent job in the last two to three years. Before that, it was not a very good product, and many places were moving away from Cisco Firewalls to Palo Alto or Fortinet due to stability issues. Currently, if I were purchasing Cisco Secure Firewall because I already have a Cisco footprint, I would not hesitate based upon stability alone.

    What do I think about the scalability of the solution?

    Given the business we run, I do not think we have hit the bottleneck yet. Every time we detect a potential issue, we proactively monitor performance and have thresholds clearly demarcated. If traffic crosses a particular threshold, we provision a new instance. Until now, we have not hit those hard limits where we are helpless and unable to scale out. It still works for us. However, if we were handling several hundred gigabits of outbound or east-west traffic, I would think harder and look for better designs and a more distributed approach rather than using a single cluster and forcing it to scale out indefinitely. That is more of a design consideration. In our current context, we have not hit those thresholds. There are a couple of on-premise locations where we did hit limits, but that was because we sent out more traffic than we planned for, and we simply had to replace those devices. That is not a product problem.

    How are customer service and support?

    Cisco Secure Firewall offers many deployment options depending on the architecture and functionality required. If it is a cloud deployment, you can achieve native load balancing with active-standby, active-active, and active-active configurations with cloud-native load balancers such as AWS Gateway Load Balancer or Network Load Balancer. The same deployment options apply to Azure and GCP. Cisco offers cloud firewall functions where they provide templates and onboarding options to spin up firewalls and scale them out as part of auto-scaling instances. These capabilities are on par with what competitors are offering. On-premise deployments, of course, are hardware-based, and you can achieve active-active and active-standby configurations. This depends on latency requirements, security requirements, and the capabilities you want to leverage. Proper sizing is essential. Cisco Secure Firewall is highly scalable in cloud environments. On-premise deployments are bound by the restrictions inherent to all hardware firewalls, but with proper sizing, they perform fairly.

    Which solution did I use previously and why did I switch?

    One of my clients did deploy cloud firewalls on AWS, and I believe they did the same for Azure Marketplace. I am not certain about the specific pricing, but it is clearly outlined. You can choose between BYOL (bring your own license) or pay-as-you-go models. During unit testing and the initial PoC, we selected pay-as-you-go. Later, the client teams purchased from AWS Marketplace and leveraged committed spend with AWS to acquire the cloud firewall clusters. This option is available.

    Which other solutions did I evaluate?

    Based on my experience with Palo Alto and a couple of its competitors, there is room for improvement with the integrations with identity providers. The number of options and integration partners available with Palo Alto is more extensive compared to Cisco Secure Firewall. This is not because Cisco Secure Firewall lacks these capabilities, but rather because other vendors are doing better things in this area. However, this is on Cisco's roadmap.

    What other advice do I have?

    I manage a few dozen firewalls, close to 100 in total. You cannot manage each firewall manually, especially if you have local IT teams scattered across locations. It would be too much work. Centralized management attempts to align with what Gartner describes as a hybrid mesh. You hook the firewalls to the centralized management and integrate them with the device management platform. All you have to do is manage your security policies, rules, IPS signatures, and configurations from that central console. You can also take backups, restore them, and if you want to replace a device, you do it from this same console. This definitely reduces administrative overhead, costs, and the number of people you must employ to manage your firewall infrastructure.

    The time we need to spend to triage any incidents or potential events is significantly reduced. Before events become incidents, we already have complete insights into who or which IP or source was attempting to reach what, whether it was crypto mining, and we receive all details about the category of URLs or endpoints on the internet the user was trying to access, including whether they were suspicious or potentially benign. The ability to classify these is crucial, and nothing can be done without Talos. However, you must size your firewall properly, because you are ingesting all these feeds from Cisco Talos, and if your firewall is a small model or not sized perfectly, performance can become unstable. You must perform capacity planning well. All third-party threat intelligence feeds vary in quality, but Cisco Talos is definitely one of the most mature threat intelligence feeds that has been around for quite some time and has a decent reputation.

    Based on quotes I have seen in the last couple of months, Cisco Secure Firewall is fairly priced. I sometimes find Palo Alto is more expensive than Cisco. Of course, the money you pay is for the capabilities you get. If it is an apple-to-apple comparison, Cisco Secure Firewall is fairly priced. I have no concerns about the pricing. My overall rating for Cisco Secure Firewall is 7.5 out of 10.
