We just raised a $30M Series A: Read our story
2019-03-28T08:19:00Z

What advice do you have for others considering Cisco Firepower NGFW Firewall?

20

If you were talking to someone whose organization is considering Cisco Firepower NGFW Firewall, what would you say?

How would you rate it and why? Any other tips or advice?

ITCS user
Guest
4242 Answers

author avatar
Top 5Real User

My advice: DON'T.


We have FTDs running in HA and an FMCv (FirePOWER Management Center Virtual) managing them for the past 3.5 years. It runs well for our light load, and is stable if you don't change anything. 


But it is buggy and when you want to change the config or troubleshoot something, you'll need 5-7 minutes to "Deploy" the config. 


This makes troubleshooting a slow process: to test something - wait for 5 min. to deploy. Then, if it doesn't work change to something else.


There are other products that are better. I haven't tested them myself, but some friends who tested both, say that Fortinet is much better, more stable and much easier to work with than FirePOWER.

2021-11-04T05:43:26Z
author avatar
Top 20Reseller

My advice is that you need to know your flows. If you're upgrading to Firepower, you should know what traffic matters and what traffic doesn't matter. If you really want to be successful, you should know all the flows of traffic, how they function, what they do. That way, when you get the box up and running, you know exactly how it should operate. You can split Firepower users into two buckets: help desk and admin. Help desk will usually be read-only and admin will be read-write. If there's one engineer at a customer, he might have admin rights. If there's a help desk and one senior firewall guy, he might have admin rights where his help desk has read-only. It varies by the size of the customer. Most midsize organizations have one or two firewall guys. When you get into the big enterprises, the number goes up. Regarding Firepower's Snort 3 IPS allowing you to maintain performance while running more rules, the "book answer" is yes, it's supposed to. We're not really running Snort 3 a ton on those yet because of some of the risk and because some of those customers haven't upgraded to 7.0 yet. Those that are on Snort 3 are just not running policy sets that are large enough that to notice any major or even minor improvements. I have seen an uptick in performance improvements with Snort 3, even on firewalls that are not 100,000-rule firewalls. We are seeing improvements with Snort 3. It's just that Snort 2 performance hasn't really affected the box overall, it just runs a little hotter. When I mentioned the risk for Snort 3 for our larger clients, what I meant is that with new things come new risks. Snort 3 is one of those new things and we have to evaluate, when we upgrade a customer to it, whether the risk of the upgrade warrants doing it for the customer. In some cases, the answer is no, because of burn-in time. With some of our riskier locations or locations that require 24/7, it makes more sense to run Snort 2, which has been out there since forever on the Firepower platform. It's a lot more stable on Snort 2 and the problems are known problems, from a design perspective. We've mitigated those and worked around them. With Snort 3, there could be new bugs or problems, and in some environments, we want to mitigate that risk. My expectation is that by 7.1 or 7.2 we will upgrade more generally to Snort 3. It's not that it's far away. It's just that with 7.0 being the first release of Snort 3, and 7.0 only having one or two patches under its belt, we thought it better to remove some risk and just use Snort 2. Cisco Secure Firewall helps to reduce firewall operational costs, depending on the firewall vendor it's replacing. In some cases, customers are coming from old platforms where the security wasn't nearly at the same level as a next-gen firewall, so the advantage of moving to a next-gen firewall is the increase in security. But that comes with an operational burden no matter the firewall type. There is a lot more visibility and capability out of the NGFW platform, but it comes at a cost. There's more data to work through and more things to configure. Still, in most cases, Cisco Secure Firewall is going to decrease operational usage with the caveat that it has to be an "apples-to-apples" situation, which is very hard to come across these days.

2021-09-14T14:27:00Z
author avatar
Top 20Real User

Definitely do your research, e.g., how you want to set it up and how deep you want to go in with it. This will actually help you more. When we say Cisco Secure Firewall, is it Next-Generation, running ASA, or running Firepower? Or, does Meraki actually fit in there? So, there are different scales based on what you are trying to look for and how deep security-wise you want to go into it. SecureX is a nice feature, but it has to be for the right environment. It is nice that we get it, but most people don't take advantage of it. The dynamic policy capabilities can enable tight integration with Secure Workload at the application workload level, but I am not using much with Secure Workload at this point. I would rate Cisco Secure Firewall as nine out of 10. I would not give it a 10 because of bugs.

2021-08-25T17:02:00Z
author avatar
Top 5Real User

Our client didn't implement dynamic policies for dynamic environments because they were a small company, and they didn't need that kind of segmentation. I am not sure if it reduced their firewall operational costs because they were a small company, and the traffic was not so high. I would rate Cisco Firepower NGFW Firewall an eight out of 10.

2021-08-24T04:48:00Z
author avatar
Real User

My advice is "buy it." A lot of people prefer a specific brand and it's fairly hard to convince them that something else, like Cisco, is not bad, as well. They are so convinced about their existing firewall that they want to keep that brand because they are familiar with it and they won't need to learn a new firewall. It's hard for a customer to learn how a firewall works in the first place. But my advice is that people should read about how Cisco security, in general, is set up and how it is trying to protect them with Talos. They need to understand that Cisco security is very good at what it does. They shouldn't blindly believe in what they have at the moment. I always hear, "My firewalls are good enough. I don't need Cisco. I will just buy the same ones, but new." Cisco Firepower is superior to other firewalls and people should not be afraid to dive in. By educating themselves about the firewall, they will be fine in managing it. Practically speaking, Cisco firewalls are easier to manage than the firewalls they have at the moment, but they need to make the leap and try something else. That is the hardest part. When I do show them what they are capable of, and how you can configure all kinds of different things, they start to understand. We don't have many customers that use other vendors' security products together with Firepower. We convince nine out of 10 customers to go over to Cisco fully. We do have customers who don't do that, and then we try to find a way to get the solutions to work together. For example, we try to integrate other brands' switches or firewalls with Cisco security products, but most of the time that is pretty hard. It's not the fault of Cisco. It requires that the other brands speak a protocol language that will support integration, but in the end, it's not perfect and the integration does not work very well. The majority of the time, we are not able to integrate into other security products. Cisco is using standard protocols, but the other vendor is abusing some sort of protocol and then it doesn't work well. I don't prefer using applications in firewall rules, but our customers do use the application visibility and control, and it works perfectly. Firepower is very good at recognizing the application and is very good at showing you the kind of application that has been recognized. Customers use that in their access control policy rules, and I have never heard bad things about it. Cisco Firepower works very well in recognizing applications. I get questions from customers because they do not understand threat messages generated by Firepower. Sometimes, it's hard to read what exactly the message is saying. In my opinion, that is not something that is specific to Cisco security or Firepower, rather it is an issue with security in general. Most networking people get these fancy firewalls and they get fancy security events. It's hard for some of them to understand what is meant, and what the severity level is of the message. It's more that a networking guy is trying to read security events. Firepower is doing a good job, but customers sometimes have problems understanding it and then they stop looking at it because they don't understand it. They assume that Firepower is taking the correct actions for them. Firepower is not a fire-and-forget box. It is something you actually do have to take a look at. What I tell customers is, "Please enable Impact-One and Impact-Two messages in your mailbox, and if it's really something that you cannot understand, just forward it to me and I will take a look for you. Most of the time they are not very high-impact messages. There are only one or two high-impact messages per month. There are customers who say, "We want you to review the messages in Firepower once a week." I have a look at them when I have time. We try to help the customer check security events once a week or so. That's not great, but it's always a question of finding a good balance between the money a customer can spend and the security aspects. When we do monitor all the events, 24/7, for a customer, you can imagine that it is quite expensive. I configure every customer's automatic tweaking of IPS policies so that the IPS policy is enabled for the devices seen by Firepower, for recognition of what kinds of clients and hosts are in the network. Other than that, we do not do a lot of automation within Firepower. Since 7.0, I don't have a lot of things to complain about. If I do have suggestions for improvements, I will give them during the beta programs. The speed of the FMC is very good. The deployment time is much better. They added the policy deployment rollback. That was something I really missed, because if I destroyed something I was able to undo that. Now, for me, it's actually almost perfect.

2021-07-05T14:06:00Z
author avatar
Top 20Real User

I would recommend a Next-Generation firewall. FortiGate has a Next-Generation firewall but I have never used it. However, it would be similar to the Cisco Next-Generation FirePOWER, which has most of the capabilities, such as running all the BDP sessions and having security intelligence in one system. I would recommend everyone to use this solution. I rate Cisco Firepower NGFW Firewall a six out of ten.

2021-06-27T09:39:30Z
author avatar
Top 20Real User

We are very satisfied with the service and the product. I don't think that any product would be better than Cisco when it comes to next-generation firewalls.

2021-04-13T13:39:00Z
author avatar
Top 5Real User

I would probably ask, "How long do you want to keep the connection and intrusion events for?" You need to remember that Firepower Management Center can only keep a certain amount of events. I think you need to have that in mind as one criteria to make your decision against. You need to look at what hardware platform you are going to be deploying. We have a lot of customers who are running ASAs, but they are running the Firepower Threat Defense image on their ASA. For all intents and purposes, those ASAs act as FTDs. Now, try to remember those ASAs were never designed originally to run the FTD code. Now, they can run the FTD code, but some of the dedicated Firepower appliances have a split architecture. So, they have separate physical resources, CPU, and memory for running the traditional firewalling capabilities versus the next-generation firewall capabilities, like IPS, AMP for Networks, and AVC. Maybe, have a think about the hardware platform, because you need to try to assess what throughput you are trying to put through the firewall and how that will impact the performance of the box. There is definitely some advantage moving to the dedicated Firepower appliances rather than putting the Firepower code on an ASA. Although, it does allow you to leverage an existing investment if you put the FTD code onto the ASA, but you need to be mindful of the limitations that it has. Also, if you are looking to do SSL decryption, then you need a much bigger firewall than you think you need because this puts a lot of overhead on the appliance. However, this would be the same for any vendor's firewall. It is not Cisco specific. If 10 is the most secure, then our customers are typically in the middle, like a five, in terms of maturity of their organization’s security implementation. This will be because they won't necessarily have things like Network Access Control, such as Cisco ISE. They also won't necessarily have security analytics for anomaly detection, like Stealthwatch or Darktrace. For some of these more sophisticated security technologies, you need to be a large enterprise to be able to afford or invest in them. While Firepower provides application visibility and control, we don't use it much simply because we use Cisco Umbrella. Firepower gives you application visibility control on a location-by-location basis. So, if we have a firewall at the head office or a firewall at the branch, then we get application visibility control by firewall. However, because we use Cisco Umbrella, that gives us very similar application and visibility control but on a global level. So, we tend to do application visibility and control more within Cisco Umbrella because we can apply it globally rather than on a site-by-site basis. Sometimes, it is useful to have that granular control for an individual site, but it is not something that we use all the time. I would rate the solution as a nine out of 10.

2021-02-22T20:01:00Z
author avatar
Top 5Real User

On the IT infrastructure side, we are using Cisco hardware for the network. Then, as a security team, we are looking at adding Cisco's incident response solution, but we have not done it yet. Firepower provides us with application visibility and control. We don't utilize it to the fullest extent. We rely on some additional tools like DNS, to identify applications being used across our endpoints. However, the Firepower deployment primarily protects the servers. So, on the servers, it is a controlled environment. Therefore, we do know the applications and services being used and deployed out of the servers. Applying something like this to protect yourself from the Internet, which is where most of the threats come from, besides email. It guarantees that you are able to refocus your energy on internal processes: endpoints, people, etc. Intrusion Prevention is effective because it helps security teams refocus their efforts to build out other components, such as security pillars of the organization. The solution is effective. My initial exposure to Cisco started through Firepower, since then I have understood that Cisco is moving towards an ecosystem approach. Basically, Firepower represents what I think Cisco stands for. I would rate the solution as a nine (out of 10). It does what it needs to do and does it great with a good sense of confidence, allowing the team and me to focus on other things. If needed, we can always leverage that data to derive different values from it.

2021-02-09T01:25:00Z
author avatar
Top 5Real User

It is a very powerful device. Firepower Management Center is a great tool, but it is a bit slow. We don't have Cisco Umbrella integrated with Firepower. We tested Firepower's integration with Meraki Umbrella, but we don't use it because you need better firmware. I would rate this solution as an eight (out of 10).

2021-02-02T22:07:00Z
author avatar
Real User

Have a plan. Find out how much bandwidth and throughput you need before you implement it because if you don't scale it well from the start, it can slow down your environment. Keep in mind that it adds so much security that the total data throughput can take a hit. We have many customers, but in general, many of our customers are using all the tools they can to secure their infrastructure, such as AMP, Umbrella, and Firepower. Many companies are doing what they can to secure their network and their infrastructure. But there are also customers that only have a firewall. In today's world that's not enough to secure the network at all, but that's a decision the customer has to live with. We have tried to push them in the right direction. But the majority of our customers have a secure infrastructure. The other Cisco products or services our customers are using in conjunction with their firewall include AMP, AnyConnect, cloud mail Email Security Appliances, Cisco ISE, and Web Security Appliances. We are only a Cisco partner. We don't do HP or Check Point or Palo Alto, so our customers do have a lot of Cisco features. For regular use, the integration among these Cisco products is pretty easy, but I have also worked with these products a lot. But it's easy to implement a firewall solution on Firepower and you can tweak it as much as you like. ASA is also easy to set up and configure, in my opinion, but I'm a security professional. For a regular user, both products can be pretty cumbersome.

2021-02-01T19:29:00Z
author avatar
Top 20Real User

If configured, Firepower provides us with application visibility and control. The ability to futureproof our security strategy is definitely there. There are a lot of functions that we don't yet use. When I say we don't use a function, I mean that the functionality or the ability is not turned on yet simply because we have not gotten around to it. The ability is there, the capability is there. That also goes into the reasoning behind why we chose it. Do your research, know your skillset, be comfortable with your skillset, and don't be afraid to challenge yourself. Overall, on a scale from one to ten, I would give this solution a rating of eight.

2021-02-01T15:40:00Z
author avatar
Top 20MSP

I am working for a Cisco seller in Mexico, and we have a relationship with Cisco. We are a gold partner. We ensure that the development is of the proper sizing for our clients. I would rate the solution at a nine out of ten. We've had a very good experience so far. The only downside is that it's not as advanced as, for example, Palo Alto. That said, if you have the right skills to manipulate the configuration capabilities, Cisco is quite good.

2021-01-31T06:58:30Z
author avatar
Top 20MSP

I do not hear anything bad about the competition. I am difficult to change my ways and learn a new product. Unless somebody comes and makes a SWOT analysis and shows me the evidence of how the alternative is better, I am fine with Cisco. I would recommend this solution to others. I rate Cisco Firepower NGFW Firewall an eight out of ten.

2021-01-30T11:43:23Z
author avatar
Real User

Everything has room for improvement. I would rate this solution a five out of ten.

2021-01-29T23:27:27Z
author avatar
Top 5LeaderboardReal User

We are just at the beginning of the deployment of Arctic Wolf for managed detection and response. We don't have a lot of information yet, as we are onboarding it now. We wanted to have someone watching and we couldn't set up the SOC by ourselves because we need six security dedicated people to man it at all times. With a staff of 80, it was too much. We engaged Arctic Wolf to be our 24/7 eyes on the potential risks that are happening. They can alert us and we can deal with it. We like to use the integrator just to make sure that the firewall is set up correctly. If you don't have people dedicated to the firewall, then you can't do it in-house. I would rate the Cisco firepower NGFW Firewall a nine out of ten.

2021-01-29T19:23:57Z
author avatar
Top 5LeaderboardReseller

This is a very stable platform, and you can adjust the engine for malware protection. It is one of the best and a very reliable solution. I would rate this solution a 10 out of 10.

2021-01-25T20:39:42Z
author avatar
Top 5LeaderboardReal User

This is a good product and I recommend it. I would rate this solution an eight out of ten.

2021-01-14T15:25:12Z
author avatar
Real User

Currently, I would give this solution high marks because I have not had a problem. However, keeping in mind, my evaluation period has been short. I would not give the solution a ten, nothing is perfect. I rate Cisco Firepower NGFW Firewall a nine out of ten.

2021-01-07T20:30:30Z
author avatar
Top 10Real User

I would recommend this solution to other users.

2020-12-27T09:06:00Z
author avatar
Top 5LeaderboardReal User

I would recommend Cisco Firepower NGFW Firewall to potential customers. On a scale from one to ten, I would give Cisco Firepower NGFW Firewall a ten.

2020-12-19T23:58:40Z
author avatar
Top 20Real User

We're just customers. We don't have a business relationship with Cisco. It's a solid, reliable product, however, if it's right for a company depends on the use case and the size of the organization. For a startup, this might not be a suitable option. Overall, I'd rate this solution nine out of ten. As a comparison, if I was rating Palo Alto, I would give it a ten out of ten.

2020-11-27T17:49:41Z
author avatar
Top 10MSP

I would rate this solution an eight out of ten.

2020-11-25T18:49:00Z
author avatar
Consultant

This is a product that I can recommend for an internal firewall. It's good enough. I would rate this solution a seven out of ten.

2020-11-20T12:21:55Z
author avatar
Top 20Consultant

We're a partner. We aren't an end-user. We are a managed security provider, and therefore we use this solution for our customers. We always provide the latest version of the solution to our clients. Typically, we use both cloud and on-premises deployment models. I'd recommend the solution to others. It's quite good. On a scale from one to ten, I would rate it at an eight.

2020-11-18T18:04:57Z
author avatar
Top 5LeaderboardReal User

In summary, this is a good product and I recommend it. I would rate this solution a ten out of ten.

2020-11-12T17:12:29Z
author avatar
Top 20Real User

I would recommend this solution. I would rate Cisco Firepower a nine out of ten.

2020-11-12T15:44:25Z
author avatar
Top 5Real User

Cisco is a large, good and reliable firewall. They are working on advanced features and catching up with the leaders in the market. I believe that's a score for them. A yearly subscription is cheaper than Palo Alto and Fortinet offer. They provide good support and once it's loaded, it doesn't give a lot of problems, that's very important. I would rate this solution an eight out of 10.

2020-11-10T15:08:05Z
author avatar
Top 20Real User

I believe that Cisco Firepower NGFW is the future leader in NGFW, with only maybe Palo Alto being the main competitor. This is very good, as we all know that having a rival is good for us, the users :)

2020-10-09T08:56:00Z
author avatar
Top 20Real User

I would advise using Firepower and not other products because other products do not have all the features available in Firepower. We are looking to integrate with Cisco Umbrella next year and we will integrate our switches and Cisco Firepower with it. It has been a good investment for my organization and I'm happy to be using it. All its features are good. It's a great firewall for a small business. But you really need to know what you are doing to get the most benefit from it. Overall, I don't think anybody can replace Firepower or Cisco.

2020-05-18T07:50:00Z
author avatar
Top 5Real User

We are using Cisco at a global level. We have internally integrated this solution with Cisco Unified Communications Manager in a master and slave type of environment that we built. It uses a country code for each extension. Also, there is Jabber, which our laptop users utilize when connecting from home. They call through Jabber to connect with customers. Another tool that we use is Cisco Meraki. This is our all time favorite product for the office WiFi environment. However, we are not currently integrating our entire stack because then we would have to change everything. We may integrate the Cisco stack in the future. It should not be difficult to integrate since everything is a Cisco product. The only issue may be compliance since we have offices in the US and Europe. We are now using a NGFW which helps us deep dive versus using a normal firewall. Overall, I would rate Cisco Firepower as an eight (out of 10).

2020-05-17T07:17:00Z
author avatar
Top 5Real User

Get your homework done. Get to know in-depth what Cisco can do and compare it with Palo Alto. If you're happy with Cisco, go for it but Palo Alto is the safer choice. I would rate it an eight out of ten.

2020-03-23T06:14:00Z
author avatar
Real User

The biggest lesson I have learned from using this solution is that you can't always trust that console. In the particular case of the traffic which I was used to seeing identified in CTR, not seeing that traffic but knowing that it was actually occurring was a little bit of a concern. It wasn't until we actually put rules in that said "block that traffic" that I started to see the traffic in the console and in the CTR. Overall, my confidence in Cisco as a whole was shaken by that series of events. I have a little bit less trust in the brand, but so far I've been happy with the results. Ultimately we got what we wanted out of it. We expected certain capabilities and we received those capabilities. We may have been early adopters — maybe a little bit too early. If we had waited a little bit, we might've seen more about these SIP issues that weren't just happening to us. They've happened other people as well. The maturity of our company's security implementation is beyond the nascent stage but we're not what I would call fully matured. We're somewhere in the middle. "Fully matured" would be having a lot more automation and response capabilities. At this point, to a large extent, the information security team doesn't even have a grasp on what devices are connected to the network, let alone the ability to stop a new device from being added or quarantined in an automated fashion. From my point of view, posture control from our ISE system, where it would pass the SGTs to the FirePOWER system so that we could do user-based access and also automated quarantining, would go a long way towards our maturity. In the NISK model, we're still at the beginning stages, about a year into the process. Most of our tools have some security element to them. From the Cisco product line, I can think of about ten that are currently deployed. We have a few extras that are not Cisco branded, three or four other items that are vulnerability-scanning or SIEM or machine-learning and automation of threat detection. The stuff that we have licensed includes the AMP for Networks, URL filtering, ITS updates and automation to the rule updates, as well as vulnerability updates that the product provides. Additionally, we have other services that are part of Cisco's threat-centric defense, including Umbrella and AMP for Endpoints. We use Cisco Threat Response, or CTR, to get a big-picture view from all these different services. There's a certain amount of StealthWatch included in the product, as well as some of the other advantages of having the Cisco Talos security intelligence. The integration among these products is definitely better than among the non-Cisco products. It's much better than trying to integrate it with non-Cisco functionality. That is probably by design, by Cisco. Because they can work on both ends of, for example, integrating our AMP for Endpoints into our FirePOWER Management Console, they can troubleshoot from both ends. That probably makes for a better integration whereas, when we're trying to troubleshoot the integration with, say, Microsoft Intune, it's very hard to get Cisco to work together with Microsoft to figure out where the problem is. When you have the same people working on both sides of the equation, it makes it a little easier. Additionally, as our service needs have progressed and the number of products we have from Cisco has increased, they've put us onto a managed security product-support model. When I call in, they don't only know how to work on the product I'm calling in on. Take FMC, for example. They also know how to work on some of those other products that they know we have, such as the Cisco Voice system or Jabber or the WebEx Teams configurations, and some of those integrations as well. So, their troubleshooting doesn't end with the firewall and then they pass us off to another support functionality. On that first call, they usually have in-house resources who are knowledgeable about all those different aspects of the Threat Centric defenses, as well as about routine routing and switching stuff, and some of the hardware knowledge as well. We're a heavy Cisco shop and it helps in troubleshooting things when the person I'm talking to doesn't know only about firewalls. That's been beneficial. It's a newer model that they've been deploying because they do have so many customers with multiple products which they want to work together. In most cases, this number of tools improves our security operations, but recent events indicate that, to a large extent, the tools and their utilization, beyond the people who deployed them, weren't very helpful in identifying and isolating a particular issue that we had recently. Ultimately, it ended up taking Cisco and a TAC case to identify the problems. Even though the security team has all these other tools that they utilize, apparently they don't know how to use them because they weren't able to utilize them to do more than provide info that we already had. We have other vendors' products as well. To a large extent, they're monitoring solutions and they're not really designed to integrate. The functionality which some of these other products provide is usually a replication of a functionality that's already within the Cisco product, but it may or may not be to the extent or capacity that the information security team prefers. My functionality is largely the security hardware and Cisco-related products, and their functionality is more on the monitoring side and providing the policies. From their point of view, they wanted specific products that they prefer for their monitoring. So it wasn't surprising that they found the Cisco products deficient, because they didn't want the Cisco products in the first place. And that's not saying they didn't desire the Cisco benefits. It's just they have their preference. They'd rather see Rapid7's vulnerability scan than ISE's. They'd rather see the connection events from Darktrace rather than relying on the FMC. And I agree, it's a good idea to have two viewpoints into this kind of stuff, especially if there's a disagreement between the two products. It never hurts to have two products doing the same thing if you can afford it. The best thing that can happen is when the two products disagree. You can utilize both products to figure out where the deficiency lies. That's another advantage. For deployment, upgrades, and maintenance, it's just me. We were PIX customers when they were software-based, so we've been using that product line for some time, other than the Meraki MXs that we're using for the branch offices. The Merakis are pretty good firewalls as well. We also have access here at our primary data centers, but they're configured differently and do different things. The MXs we have at our data centers are more about the LAN functionality and the ability to fail from site to site and to take the VPN connections from the branch offices. For remote access VPN, we primarily used the firewalls. For our site-to-site VPNs, we primarily use these firewalls. For our public-facing traffic, or what is traditionally referred to as DMZ traffic, we're primarily relying on these firewalls. So, they have a lot of functionality here at the credit union. Almost all of our internet bound traffic travels through those in some way, unless we're talking about our members' WiFi traffic.

2019-10-28T06:34:00Z
author avatar
Real User

You must know exactly what features are important for you, and how you can manage all this infrastructure in the future. Sometimes you can have a product that is superior but it might demand an increase in manpower to manage all the software or platforms. Another point to consider is how good the integration is between products? You should check what features you need, what features you can have, and the integration with other products. In terms of the maturity of our security implementation, we have had security appliances, software or hardware, for more than 15 years. So we have a long history of using security products. We started using Cisco competitors in the past and we still use them for our headquarters, where I am. Our main firewall is not currently Cisco, although we are in the process of evaluation and we will replace this firewall soon. Cisco is one of the brands being evaluated for that. In the past, while it's not a next-gen firewall, we also used a Cisco product for URL filtering, up until this year. We are moving to the cloud. We are starting to use Office 365, so we are moving email, for example, from on-premises to the cloud. But until June of this year, we mainly used security from Cisco. But we also have antivirus for endpoint protection. We also had Cisco IPS in the past, which was a dedicated appliance for that, but that was discontinued about two years ago. Those are the major products we use currently. In addition — although it's not specifically a security product — we use Cisco ISE here to support our guest network for authentication. We plan, in the near future, to increase the use of Cisco Identity Services Engine. When we start to use that to manage policies and the like, we will probably increase the integration. I know that both products can be integrated and that will be useful for us. There's one other product which we use along with Cisco next-gen which is a SIEM from Splunk. Currently, that is the only integration we have with Cisco. We send logs from next-gen firewalls to the Splunk machine to be analyzed and correlated. Although I'm not involved on a daily basis in operations, I helped in the process of integrating it. It was very easy to integrate and it's a very valuable integration, because we can analyze and correlate all the events from the next-gens from Cisco, along with all the other logs we are collecting in our infrastructure. For example, we also collect logs from the Windows machine that we use to authenticate users. Having those logs correlated on the Splunk box is very valuable. The integration is very easy. I don't know who built what, but there's a kind of add-on on the Splunk that is made for connection to firewalls, or vice versa. The integration is very simple. You just point to the name of the server and a user name to integrate both.

2019-10-24T04:52:00Z
author avatar
Real User

We are using about ten different security tools, including analytics, monitoring, threat management, and email security. What we have integrated is the ISE and FTD but the third-party solutions are not fully integrated.

2019-10-15T05:02:00Z
author avatar
Real User

FTD is pretty good. You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license. It's pretty good to have the Cisco and Talos teams working closely. I know Palo Alto has an similar arrangement, but not a lot of suppliers get that chance. Our organization's security implementation is pretty mature because we try to avoid the false positives and we try to do remediation. We try to put threat intelligence over a link to our IPS next-gen firewalls. Overall, we have too many tools for security in our organization — around a dozen. It's very complicated to integrate all of them. What we have done is to try to use the Elastic Assist Pack over all of them, as a main point of centralization of log information. The number of tools also affects training of teams. There are issues because one tool can't communicate with the another one. It can be very hard, in terms of technical issues and training time, to have everybody using all these processes. We also use Cisco Stealthwatch, although not directly with the FTD, but we hope to make them work together. There is not enough integration between the two products. Overall, FTD is one part of our security strategy. I wouldn't rely only on it because we've got more and more issues coming from the endpoints. It lets you decipher everything but sometimes it is very complicated. We try to use a mix and not rely only on the FTDs. But for sure it's great when you've got a large network, to give you some visibility into your traffic. I rate it at eight out of ten because it's pretty good technology and pretty good at stopping threats, but it still needs some improvement in the management of the new FTD line and in performance.

2019-10-15T05:02:00Z
author avatar
Real User

My advice would be: Don't let the price scare you. I would describe the maturity of our company's security implementation as "working on it." It is an evolving process. When it comes to the Cisco product line, we try to keep it as up to date as possible when they release new products. An example would be their DNA Center which we're looking at installing in the next year. From a product standpoint, we're pretty well off. From a policy and procedure standpoint, that is where we're somewhat lacking in our organization. In terms of the number of security tools our organization uses, we have a lot of them. From a software standpoint, we use tools from eight to 12 vendors, but there is more than one tool from each. We have anywhere from 30 to 40 security suites that we run across our environment. When it comes to hardware manufacturers, Cisco isn't the only one that we use. We use products from three different hardware manufacturers and layer our security that way. The way this number of tools affects our security operations is that there's a lot of overlap. But there are different groups that look at and use each set of tools. It works because that way there are always the checks and balances of one group checking another group's work. Overall it works pretty well. In terms of other products and services we use from Cisco, we're a Cisco shop. We have all of their routing and switching products, AMP for Endpoints for security, Cisco Prime Infrastructure. We also have their voice and whole collab system, their Contact Center. We have their CUCM as well as Unity Connection. A lot of our servers are Cisco UCSs, the Blade Servers are in our environment. We have Fabric Interconnects, fibre switches. Pretty well anything network related is Cisco, in our environment. We do layer it. We do have some F5 firewalls deployed in front of the Ciscos. We have had Barracuda firewalls in line as well, along with spam filters, so that we get that layered security. Cisco's cross-platform integration and data sharing between their products are very key. Cisco is really good at that. It's nice to be able to see the same data through multiple product sets and be able to view that data in different ways. Cisco-to-Cisco is really good. Cisco integration with other products depends on the product and what you're trying to get out of it. Most of it we have to send through different SIEMs to actually get usable data between the two product lines. It depends on what we're doing. Every scenario's a little different. As for automated policy application and enforcement, we actually bought a couple of other tools to do that for us instead. We're getting into Tufin software to do automations, because it seems like they have a little bit better interface, once they pull the Cisco information in. Overall — and I don't want to get too full of Cisco because everyone's vulnerable in a way— we've had very few issues, even when a lot of these Zero-days are attacking cities and organizations, and there are ransomware attacks as well. We've seen items like that hit our network, but not have any effect on it, due to a lot of the Cisco security that's in place. It has been very strong in helping us detect and prevent all of that. Overall, it's given us a certain comfort level, which is both good and bad. It's good because we haven't run into the issues, but it's bad in the sense that our organization, a lot of times, takes it for granted because we haven't run into issues. They tend to overlook security at times.

2019-09-27T04:38:00Z
author avatar
Real User

The neat part about this is how Cisco continues to evolve its product line and help us stay secure, while still doing our day-to-day business. My advice would depend on how you want to use it. What are you looking for Firepower to do? Firepower added features that, until we introduced into our environment, we could not have done. We probably could have added a third-party product but we would hate to keep doing all that. It's nice to be able to have our products from the same organization because then, if something's really wrong, we can talk to the same organization as we're trying to troubleshoot something through our environment. We use Cisco switches, Cisco routers, we use ISE, and Umbrella. We have a lot of products through Cisco. We use the ACLs. We use the intrusion side, just to watch traffic. We have used the malware and have actually caught stuff in there. We do have a DNS policy so that at least we can check to make sure someone's not going to a bogus site; things can get blocked for that, but Umbrella is really good at what it does. We also have it connected to our Active Directory so I can see which users are going where, and that is valuable. But I can also see that in Umbrella, so there's some overlap. For managing the solution it's me and at least one other person. I'm the primary resource on it. We used to use AMP for endpoints through the Firepower but we decided to discontinue that. We have AMP on all our endpoints but with all the other things we have, such as Umbrella, we were satisfied enough with the security we have. We didn't want two different things possibly stopping files instead of having one console area to be able to see those kinds of things. Overall, I would rate Firepower at eight out of ten. Every product can improve. But for what we're looking to do, it does a very good job.

2019-09-12T09:06:00Z
author avatar
Real User

This is a solution that I recommend. The biggest lesson that I have learned from working with this solution is to always update the firewall. If you do not have the latest updates then it will not function well, so always keep it up to date. I would rate this solution an eight out of ten.

2019-08-28T09:52:00Z
author avatar
Real User

I would recommend this solution to someone considering it. I would recommend to study and know what the requirements are exactly. One of the things that might be a problem, or might be a complex thing to do is to go through Cisco Firepower, because Firepower is a software that's complex to explain to somebody. There is the previous ASA code that Cisco had and there is the source file that they acquired. Cisco started to send it as ASA Firepower services. Then they combined the two codes together and they started to send a new code called the Firepower Threat Defense, FTD. Any customer who wants to buy it needs to understand all of these options and what the limitations of each option are, the pros and cons. Any customer who wants to deploy Firepower needs to understand what Cisco has to offer so he can choose correctly. I would rate it a seven out of ten.

2019-08-25T05:17:00Z
author avatar
Top 5LeaderboardReal User

If you're really looking into Cisco Firepower, they have a good product, but I would say study hard and look around. If you want an easier product, you can always use Palo Alto. If you are a Cisco guy and you want to be with Cisco, you'll need to get an integration service engineer from the Cisco side. That will actually help you out a lot. Alternatively, maybe you can go for Palo Alto. That would be the best thing to do. If you are not worried about the technical integration part and learning how it works and how well it can go with the environment, I would recommend you go ahead and take an integration engineer with you. Doing a POC could be troublesome for you. We have professional services. You can leverage that. If you do not want to invest much money on all that stuff you can go ahead and hire someone who's already aware. Or if not, you can use any other vendor like Palo Alto.

2019-05-13T08:56:00Z
author avatar
Real User

In my opinion, I would rather ask everyone to have a simple network. If you need multiple networking lines, like for the Cisco ASA or the Firepower NGFW, make sure you have ample tech support. There are many issues with connectivity in firewall systems, but Cisco quality is good. The connectivity of your network can really reduce your complexity over firewalls. I would suggest if you want to configure a complicated network scenario, go for a next-generation firewall. I would also suggest making your firewall options go to Cisco as they have some influential products right now. Once you are pushing the Cisco firewall, you'll be able to actually monitor and confirm each and every traffic coming in or going out of your network. Palo Alto Networks or Juniper Networks firewalls are ideal, slightly better than Cisco. They are not as easy as Cisco to use right now, but considering the cost and everything else, Juniper Networks equipment is really good. The fact is you need to consider just what you're achieving when you put in Cisco firewalls and implement Cisco routers. For those on the verge of a new purchase, I would say that going for an expired model of firewall is definitely a good buy. I would rate the Cisco Firepower NGFW with an eight out of ten points.

2019-03-28T08:19:00Z
Learn what your peers think about Cisco Firepower NGFW Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
552,407 professionals have used our research since 2012.