Cisco Secure Firewall (formerly Cisco Firepower NGFW) is a firewall product that integrates with other Cisco security offerings. It provides Advanced Malware protection, including sandboxing environments and DDoS mitigation. Cisco also offers a Next Generation Intrusion Prevention System, which provides security across cloud environments using techniques like internal network segmentation. The firewall can be managed locally, remotely, and via the cloud. The product is scalable to the scope of…
N/A
Palo Alto Networks Next-Generation Firewalls - PA Series
Score 9.4 out of 10
N/A
Palo Alto next-generation firewalls classify all traffic, including encrypted and internal traffic, based on application, application function, user and content. Users can create security policies to enable only authorized users to run sanctioned applications.
N/A
Pricing
Cisco Secure Firewall
Palo Alto Networks Next-Generation Firewalls - PA Series
Editions & Modules
No answers on this topic
No answers on this topic
Offerings
Pricing Offerings
Cisco Secure Firewall
Palo Alto Networks Next-Generation Firewalls - PA Series
Palo Alto Networks Next-Generation Firewalls - PA Series
Considered Both Products
Cisco Secure Firewall
Verified User
Engineer
Chose Cisco Secure Firewall
We use both vendors in our environment, I believe it's positive to go with multi vendor approach. As previously mentioned, the PA has the global find option, which is a big asset when troubleshooting. On the other hand, I feel the FTD's CLI is more intuitive and can help you …
Manager Enterprise Systems & Networks Infrastructure
Chose Cisco Secure Firewall
I believe Cisco firewalls are definitely on par with Palo Alto but the latest AI feature releasing in 2024 will certainly surpass all expectations. Fortinet is going to struggle after this and I can say that with certainty given we have removed all our FortiGate firewalls.
Cisco offers a great troubleshooting UI this makes things easier to fix an issue, you can capture traffic from CLI as you did with ASA and through the GUI and read the captures. Easy to deploy and integrate in any architecture.
URL filtering is very rich, you can find multiple …
We found that Cisco compares very favorably to the Palo Alto firewalls, especially with their latest release in the Secure Firewall line. The performance has been phenomenal compared to the earlier Firepower models, which was one of the few advantages I felt Palo Alto still …
Palo Alto has better architecture with their multi cpu concept that increases throughoutput. Cisco has better features and mostly better integrations outside of their eco system. Overall the products and features of cisco are slightly better but if cisco would implement the …
Cisco Firepower NGFW is much more user friendly than its competitors and their customer service is top notch. It was a no brainer in choosing a company that has the backing to help provide a great product and service to its customers. Cisco Firepower NGFW is easy to use, easy …
Palo Alto Networks Next-Generation Firewalls - PA Series
Verified User
Engineer
Chose Palo Alto Networks Next-Generation Firewalls - PA Series
Palo Alto beats all other current UTM/NGFW at this point in time. Palo Alto has a complete vision and is less buggy/requires less management overhead than other NGFW/UTMs on the market. They are currently developing a lot of products and I can see in the next 5 years, other …
Palo Alto Networks Next-Generation Firewalls - PA Series
Likelihood to Recommend
Cisco
Well, I mean it is really meant for the edge. I think maybe some of the smaller models you could maybe use at your, if you have remote workers where you wanted to protect their environment more than in their home network or whatever, but for us, we've always use the enterprise versions.
Palo Alto firewall only affords by Large level infrastructure having a budget for Security Prospect. I will recommend it for the Card information industry & Confidential data solutions. Because it provides a bucket of security features that are not easily vulnerable.
It's been a big change for us because like I said, we've been using it about a year, I think. And we went from ASAs to this, so it was a big changeover from being able to do everything in CLI honestly, it's a bit clunky and more time consuming to have to configure things through the Gooey, which has been a pain point for us. But we've tried to automate as much as we can. What it does well is the analysis. The event, not event viewer, but unified event, that's what it is. Handy tool. Also the tunnel troubleshooting the site to site tunnel monitoring or troubleshooting, I can't remember what it's called. It's pretty good too. It's nice how it has some predefined commands in there. I'd say those are probably the things we like about it the most.
The PA handles VPN connectivity without missing a beat. We have multiple VPN tunnels in use for redundancy to cloud-based services.
The PA has great functionality in supporting failover internet connections, again with the ability to have multiple paths out to our cloud-based services.
The PA is updated on the regular with various security updates, we are not concerned with the firewall's ability to see what packets are really flowing across the network. Being able to see beyond just IP and port requests lets you know things are locked down better than traditional firewalls.
It is a great overall kit, with URL filtering and other services that fill in the gaps between other solutions without breaking the bank.
Sometimes it's the limitation of the throughput or limitation of the firewall. One DDoS attack they have the bandwidth capacity is very little. And then once there is DDoS attack. Many not only the firewall can protect that they need to take action further at the Upstreaming Provider, that side with the bigger pipe bandwidth for protecting the attack. Not only the firewall can prevent,. Yes. So sometimes firewalls still have the limitation and then need to do any additional monitoring or something. But we can do that with the ideas and IPS, but required to have the bigger pipe to protect DDos Attack, for example the bandwidth from the upstream network as well. I mean when many DDos Attack comes with big bandwidth, not only firewall can protect, but also the blackholing the traffic from upstream providers who has bigger bandwidth DDos mitigation services.
It works really well. We can do most anything we want or need to with it, and you don’t have to have a doctorate or multiple certs to necessarily figure it out. The thing that would probably have to happen to make us switch would be if we just got priced out - Cisco’s more powerful and higher bandwidth models cost a pretty penny.
The PA5220s have far exceeded what we have expected out of them. It was a bit of a learning curve coming from another vendor, but everything falls into place now with ease. The capabilities of the solution still surprise us, allowing us to remove other costly hardware and providing a single point of management needed
Solution is highly effective, offers a lot of features with constant improvements and additions of new features over time. It's relatively easy to get familiar with the system, especially if transitioning from adaptive security appliances. If this is not the case, as for learnability there's a learning curve but once learned it is relatively easy to remember the details about the system even after a period of non-use
In my opinion, the Palo Alto Firewall is the simplest firewall in terms of management interfaces; though it has more advanced options that apply to more advanced use cases. Configuring basic features on the firewall is nearly self-explanatory; configuring more advanced features can be met with very thorough vendor documentation.
We have had really good success with Cisco Secure Firewall when it comes to availability. Even when we’ve had temporary issues with one appliance or the other, or with the Firewall Management Center, it has stayed up and defended our network diligently. We even had an issue where the licensing got disabled for multiple days, and it kept spinning like a top
Cisco support is not at all suitable for this product, at least. It takes a long for them to help us with our server issues. A lot of the time, the customer support person keeps on redirecting calls to another person. They need to be well versed with the terminologies of the product they are supporting us with. Support needs a lot of improvement. Cisco Fire Linux OS, the operating system behind Cisco Firepower NGFW (formerly Sourcefire), also doesn't receive regular patches. In short, average customer service.
We've run into a couple undocumented bugs, but that seems to happen with every brand and technology. Any time we've had to engage Palo Alto support they've always been professional, knowledgeable and prompt. In almost all cases we've been able to resolve our issues without having to escalate our tickets.
In the beginning transition from Adaptive Security Appliance to Cisco Secure Firewall did not look like the best choice. Solution was new, there were a lot of bugs and unsupported features and the actual execution in the form of configuration via Firepower Management Center was extremely slow. Compare configuring a feature via CLI on ASA in a manner of seconds (copy/paste) to deployment via FMC to Secure Firewall which took approx. 10 mins (no exaggeration). Today, situation is a bit different, overall solution looks much more stable and faster then it was but there's still room for improvement.
We use the FMC as a virtual machine, it combines administration, monitoring and can be used perfectly for error analysis. There are restrictions due to administration without the FMC, so we decided on the FMC as the central administration.
No one can say any other companies in this time is better than Palo Alto Networks Next-Generatoin Firewalls. Palo Alto offers very advanced features which protect you[r] organization. Advanced malware protection, anti spam, lots of other threats.
I hope this answers the question, but we have the conversation about costs on equipment and lead times have been getting better with firewalls, but those two were the main things that have affected ROI, I think for us. That makes them go to other distributors or even other vendors because they need the products quickly. If it's too costly or the lead times too high, then they'll just go elsewhere.
Overall, even though the device is very expensive (both hardware and licensing), the product does produce a decent ROI, given that one (or HA pair) of devices can do so many things, such as anti-virus, anti-malware, URL filtering, SSL decryption, SSL VPN, routing, etc.
There will definitely be sticker shock when you're renewal comes up annually (or after 3 years), so be sure to look very carefully at the recurring costs of this product, with respect to licensing and hardware/software maintenance.