Cisco Adaptive Security Appliance (ASA) Software vs. Stonesoft Firewall (Discontinued)

Cisco ASA's are great for internal network connected access between a firewall and the central management server. And, for complex networks where high security requirements with overly strict compliance are necessary. For networks with limited connectivity to the core or for poor network connectivity these are not the best solution. There are other more stand-alone firewall's that do this better. These firewall's are a little more complex to set up to start with so significant knowledge of these devices is required to set them up and ensure they are best practice installed.

Incentivized

Any scenario where a dedicated firewall administrator is on staff and a secure firewall solution that requires high availability is needed will be a good solution for the McAfee Firewall Enterprise product. The McAfee Firewall Enterprise however comes with some of its own parlance that is different from other vendors and does require some comfort on the administrators side when it comes to working in the command line. Added knowledge of protocols and how they interact is a must for any firewall admin but particularly for the McAfee Firewall Enterprise product due to its flexible nature. If the environment is to be mostly hands off where a very limited rule set is to be configured and not likely to change often, I would defer to a different product

Incentivized

• ASA is our VPN concentrator. The client and server are very stable and very easy to use
• ASA also offers Intrusion Prevention, to an extent. This is also very useful for an improved security posture for a small company
• ASA allowed us to scale very quickly. We could onboard clients, partners, and consultants and give them a great onboarding experience as well
• Administrative costs with ASA are low. It's very easy to administer.

Incentivized

• Based on the SecureComputing Sidewinder firewalls, the McAfee Firewall Enterprise does similar backend containerization of each service which provides for added security in the unlikely event of failures or breeches.
• Tie in reporting services (if used by the admin) provide very granular details on rules accessed and the firewalls response to the requests.
• Configurable options are plentiful. Unbound DNS can be configured on each "burb" (SecureComputing/McAfee parlance for interface), similar options for sendmail while rulesets can be configured at the application level down to simple IP-filter making options for enhancing security as well as troubleshooting equally as useful.
• Full control over shell for scripting and/or scheduling (cron) purposes.
• Solid HA and patching architecture.
• Support was always helpful, knowledgeable and insightful (especially the staff that migrated from SecureComputing).

Incentivized

• The ASDM software is at times a nightmare to install because of different java versions[.]
• [The firewall] could do with a power button, just to be able to do a hard reboot when needed[.]
• It would be nice to manage the firewall via the web on port 443[.]

Incentivized

• For an application-layer firewall the applications supported (at the time I managed them) were too few and would need to be expanded and the application ruleset needed to be expanded as well.
• The remote access VPN client configuration was overly complex for the average user and would need to be supplemented with a configuration file that had already been generated. Other solutions from CheckPoint or Cisco ASA are not as complex for end user remote access.
• Enhancing the GUI with a builtin "packet capture" feature would be useful for administrators not familiar with tcpdump.

Incentivized

To be honest there has been now great products out in the market compared to Cisco ASA. I beleieve Cisco has to do a lot of improvement in this area. The other defeiniete factors is the cost when it comes to renewals which is always a premium on Cisco products

Incentivized

I generally have not noticed the outages, however since it's a machine it can malfunction, we need to implement the firewall infrastructure in such a way that it is highly available with device failure, region failure etc. Else any solution will be having the issues if they are not build with resiliency.

Incentivized

The support is usually very good and gets back to you very quickly. However I had some instances of when two engineers will give me wildly different answers to what I thought was a simple question. Overall however I do rate the support highly and they are generally always very good.

Incentivized

It was quite a good one, how ever requires an expertise to deploy hence the SMB segment would be finding it difficult to implement this product. The one good reason is that there are lot of ASA certified engineers in compared to the other certified engineers. Hence this resembles positively on the deployment as you have quite a lot of experienced engineer on your deployment

Incentivized

We were using [pfSense] before in our environment but we regularly facing difficulties over it due to software bugs & downtime. After implementing Cisco ASA, it resolved our availability issue & provides us a reliable solution with the best security features & easy to understand GUI.

Incentivized

Compared to other firewalls I've managed (Palo Alto, Cisco ASA & CheckPoint) I would say that McAfee Firewall Enterprise was probably at the time not the leader in its field however it is a product that proved its reliability and flexibility over the other vendors. The addition of many new features usually comes as a detriment to some other area (restricted CLI, decreased logging etc.). In my experience this product gave the flexibility and options that the organization needed.

Incentivized

• Most network engineers have worked with ASA, so there is no need for re-training when adding or turning over staff
• Current configs from older devices plug in easily, and are operational on larger devices if an upgrade is required
• Many support options available

Incentivized

• In its highly available configuration the impact on any business objective has been positive given the fact that any downtime of the firewall would negatively impact all business objectives.

Incentivized