Item: Cisco ASA 5500-X with FirePOWER Services
Rating: 10
Author: Verified User

Use Cases and Deployment Scope

We use several Cisco ASA's with FirePOWER [Services] throughout our organization. They serve as edge firewalls that touch the internet as well as internal networks that need to be walled off from the outside. The added security of the firepower services within the ASA bring the ASA up to speed as far as next generation firewall are concerned. I use a range of sizes of ASA-5500-X models from the smaller 5506-X to the 55250-X. Depending on the type and amount of traffic that will be going through will determine which one was used. In general I would say the performance of these units is on par with the industry as long as they were sized correctly. I feel they have a done a good job at securing the networks they protect.

Pros and Cons

Intrusion Detection
Intrusion Prevention
Integration with AMP
Network Address Translations
Securing multiple networks

Performance when using FirePower services make the unit slow
Capacity of what the FirePower services need
The interface is better than ASDM but these still need ASDM and that can be a challenge to get the correct Java version loaded
Certain 5500-X models are different than previous versions with no switchport options

Return on Investment

Providing secure internet access for business needs
Constant uptime when in HA mode for business connectivity
Reducing risk
Securing data center boarders for data protetion
VPN access for remote workers

Systems Integrated With

Cisco AMP End point protection
Stealthwatch
Microsoft Active Directory
Secure X
Cisco Anyconnect

The Cisco ASA [5500-X with FirePOWER Services] can integrate into many different systems. Some of the best ones would be adding it to Cisco Secure X for better visibility of the networks secured boarders. When you add that with AMP then you can see and understand how threats are coming into your clients. Any connect is a good VPN that is built into the ASA. You can really secure how the VPN can connect and what the clients can do once it is installed. This can take some time to setup all the way but once it is setup it works really well. I would say any connect, when connected to an ASA provides a better than average VPN experience. You can use LDAP for controller who accesses the firewall and have it tie to any connect so the user can use the same credentials to login. When you do these things you can see where the client is connecting from (IP), what their end points are doing and if any risks like malware or viruses are attempting to run.

Performance

[Cisco ASA 5500-X with FirePOWER Services] is really powerful at looking at attacks from multiple points. The updates come from the Talos group which is constantly adding new threat updates to the devices. This does give me some peace of mind that we are being protected from the newest viruses. The users who sit behind the firewall have no had any issues with the ASA's performance for general connectivity. If an outside device tries to get in they are blocked without much of an issue. The internal users who sit behind the firewall have no noted any performance issues over the years. I think if you heavily use the firepower services on the box you can tax it pretty hard and that will affect performance. When using the interfaces of the firepower you can watch it struggle sometimes. ASDM doesn't seem to be affected by it as much but when using IDS/IPS you can see performance go down a bit. It's still usable but you can tell it was not designed to handle the most modern engines.

Support Rating

Every time I have ever needed support for these devices I have had a good experience. The TAC team Cisco has in place to help with their security appliances has been excellent. The TAC engineers are normally pretty quick about getting on a support call with you to dig in with you to figure out the issue. If you have the right smartnet plans in place you can get a bad device swapped out pretty quick without too much hassle. The support updates and patches that come to the device are not bad to install and keep it up and supported isn't too taxing on my day to day workload.

Alternatives Considered

Fortinet FortiGate, Cisco Meraki MX and Cisco Firepower 1000 Series

The [Cisco ASA 5500-X with FirePOWER Services] does compete okay when compared to other devices. This model is begging to age and does not perform as well as the newer models but that is to be expected. I think their interface is okay but again I think ASDM is aging more compared to other web only based interfaces. Cisco has replaced these models with the Firepower 1000 and 2000 series and I think if you were to purchase a direct replacement that would be it. I think they still work in todays security world and will for a few more years, so if you have one you don't need to run out and replace them this year.

Likelihood to Recommend

If you were looking for a internet edge firewall and wanted to add the modern day "next gen" features than I would say the [Cisco ASA 5500-X with FirePOWER Services] would do the job. The packages Cisco offers with the hardware is pretty easy to understand and you can add the right feature sets to it. If you don't need next gen functions for basic NAT/PAT then it still would be a good firewall. If you wanted it for a data center to inspect traffic going from the LAN to the Data Center it would be a good fit. If you do not size these correctly you might quickly run out of performance or capacity when using the FirePOWER Services. The smaller 5506-X with Firepower really seems to struggle when adding FirePower with it. I would say you would be less likely to use it if your organization has more than 100 devices. You would need to move up to a 5508-X, 5512-X or larger units.

Cisco ASA 5500-X with Firepower adds next generation features to the classic Cisco Firewall

Overall Satisfaction with Cisco ASA 5500-X with FirePOWER Services