Overall Satisfaction with Cisco ASA
I use Cisco ASA in three modes. One is as a VPN concentrator and remote access VPN. The second is as an access control firewall for business-to-business partnerships. The last is as an internal network segmentation security device. Cisco ASA is well suited for two of these functions and not as granular as we'd like in the third. The VPN service is bulletproof and highly reliable. Overall, the Cisco ASA platform is extremely reliable in terms of uptime and high availability.
- VPN, particularly site-to-site, is solid on the Cisco ASA platform and works well with other vendors' offerings.
- Reliability. The high availability feature works flawlessly and failover events go virtually unnoticed.
- Upgrades are easy and reliable.
- Via simple CLI commands and the ASDM monitor, it is very easy to diagnose connection issues. TCP connection flags are extremely useful in pinpointing the nature and direction of the problem.
- ASDM, the GUI-based admin tool, is poor. It is so far inferior to other firewall vendors' GUIs that many Cisco ASA techs simply don't use it. Fortunately, the CLI is straightforward and you can do most things with it.
- Certificate management is cumbersome.
- NAT and no-NAT configurations are not intuitive. Lacks policy-based routing in the versions we manage.
- Build time and integration time are low for Cisco ASA, which can lead to quick turnaround times for projects.
- Adding licensing and feature functionality almost never requires rebooting, thus no disruption to the business.
- Bulletproof reliability and robustness allow the technician to sleep well at night. In the event of a hardware failure, the RMA process is quick, and the system Cisco has built is mature and competent.
Palo Alto Firewalls has the best GUI out there and is a pleasure to use. The monitor feature is as good as ASDM's, but everything else about ASA's ASDM pales in comparison. I've found the performance and reliability of Palo Alto to be on par with ASA. Where ASA excels over Palo Alto is the system Cisco has built to support it and the mile-deep documentation around it. Palo Alto, being young, has a dearth of good user and official documents. Fortinet has a decent product and decent GUI, but the units I've tested do not perform as well as the smaller ASAs. As functionality is added, Fortinet begins to bog. McAfee Enterprise Firewall also has a dynamite GUI and is a pleasure to use. They protect themselves from compromise better than any other firewall on the market. Where McAfee stumbles is hardware reliability (I recommend always using HA pairs). The HA function works well, but ASA failover is seamless.
For most VPN scenarios, the Cisco ASA platform is excellent. For basic firewalling, the robustness and reliability of Cisco ASA is highly recommended. Used in an interior capacity for segmenting databases and protected assets, there are superior firewalls that integrate out of the box so much better than Cisco ASA that I would recommend not using Cisco ASA for anything but rudimentary network segmentation.