Yeah I saw the Cisco ASA-X stuff, and while it's a massive step in the right direction it still seems like it's behind CP, PA, and Fortinet. Once this gets rolling more I'm sure I'll add the ASA-X stuff in, and in the mean time I'll take a look at WatchGuard.
I use exclusively Sonicwalls for a company of about 300 employees across ~8 states. They're pretty easy to configure, obviously the price is right, and the higher-end models (NSA devices, in my case) have been very stable. The lower-end models have given me trouble with the management interface becoming unstable (requiring a reboot) and the support leaves much to be desired. I think the SSLVPN is among the best I've used though. The interface is pretty consistent across all devices, and hasn't changed too greatly in a long time, so you'll find that most documentation is still relevant no matter what firmwares you're running. Probably one of the best features is the ability to restore configuration settings across a range of devices: I recently upgraded our main firewall, and was able to do it in 15 minutes flat simply by restoring the configuration from the old device.
I check for the Cisco Logo...
Besides ASA's pay extremely well...
Joking sort of. But standardization versus best of breed is my mantra for better or worse.
Ya, we get it. You are crisco certified and push their products.
All of the Cisco guys I know are ridiculously well-paid.
But you couldn't pay me enough to do that full-time for a job, I'd go bald in a week :awe:
Yeah, but he's not saying that without cause. Their stuff is extremely reliable in general.
This is a funny resurrection thread. Since 2013 I have changed positions and now have ASA in our network. The most unreliable devices in the network are the ASAs in two distinct sites. And it isn't even close. Such junk that costs so much more than the rest. Good thing is we are moving to SD-WAN. And our centralized FW will not be Cisco. I am thinking Palo Alto. But we will see.
I have to say I dislike ASAs the more I use them. The small differences in the CLI from IOS are an annoyance, but the ASDM is utter garbage and they don't do DMVPN, so we end up with a 290x at sites anyways. We have been trying to implement ISE for 802.1X authenticated DACLs and that has been a nightmare. Typical dealings with support have been getting an email at 7pm asking how things are going, meanwhile cases go on for weeks with them, some resulting in hotfixes. The Sophos XG is the opposite: the CLI makes no sense, but the web GUI is laid out logically and does not require JRE. No licensing to worry about for VPN clients (as it uses OpenVPN, for better or worse). I have a love-hate relationship with SonicWall: the licensing is bad but not as bad as Cisco, the GUI is laborious, but the few times I dove into the CLI it made more sense than IOS, and you can do anything the web GUI can, which is just awesome. What I have trouble accepting with SonicWalls is the subpar performance of the SOHO unit once you enable the good stuff (the whole point of retrofitting a plain router). The XG 85 is such a better deal, and every equivalent model of XG at the price point of SonicWalls is better performing. I had inherited a WatchGuard from a client and really do not care for it or its exuberant licensing.
We had TAC on the phone last week. Some bug caused the primary of an HA pair to have issues. It didn't fail over automatically like every other manufacturer out there. It required a manual failover. Then, to reboot the troubled device, this is what TAC told us:
1. Reboot via pulling the power plugs. Apparently this bug caused it so the troubled device would not reboot via CLI.
2. Make sure it is the right device. If it is not, this will corrupt the failover device as well.
3. Good luck
So much confidence in this platform after that interaction.
I mean, obviously automatic failover is a capability of the platform, but a bug prevented that from functioning correctly. That sort of thing exists in a ton of enterprise products. I couldn't keep track of how many times an ESXi Host went dead in a way that all I/O stopped, but it was just alive enough to keep vSphere from activating HA and booting the VMs on other hosts.
That's not exactly a fair comparison though, as Cisco controls all aspects of the product. ESXi runs on 3rd-party hardware. With that in mind, our dozen ASA-Xs have issues far more frequently than our 3,000 hosts. We've experienced multiple different failover-related bugs, both of the ASA itself and the IPS modules. We've had two different ones lose all the IPs in ACLs in multiple contexts.
That would be slightly less annoying if network people didn't immediately respond with "it's not the network" when you tell them there's a problem.
Why is Cisco not investing in improving the Firepower technology by adding network and content processors like FortiGate? It seems like they are happy just slapping FW software on a general-purpose CPU and then slapping Snort on top of the same CPU.
Even the small FortiGate 60E has dedicated silicon for network and content processing. Cisco needs to slow down on stock buybacks and start investing in R&D.
You can substitute ESXi for Nutanix (they have their own hardware), or even go back to the same hardware group and talk Palo Alto. We just had one of a pair of 3260s fail during an upgrade. Palo Alto support couldn't figure out what was wrong, had us completely blow away the config and restore it to get it running again. My point is, that's not default behavior. That's a bug, and bugs cause weird things to happen. Saying things like "It didn't fail over automatically like every other manufacturer out there" is hardly appropriate because it makes it sound like no other firewall vendor has that problem, which isn't the case at all. You're just lucky you ain't found another problem yet.
That would actually be a reversal of Cisco's previous reversal. They're becoming more software defined to keep up and be "Cloud Ready" like all the upstarts and other vendors are doing. Look how much Cisco's stock quaked at just the muttering that Amazon might be making more network gear. Cisco has said repeatedly that hardware is losing business and that software defined is the future.
It's simply a different methodology. A FortiGate 60E uses a comparatively ancient ARMv7 CPU to match with its dedicated processing hardware. That's not unlike what Cisco used to do with the Firewall Services Module, which combined dedicated packet-processing hardware with a pair of 1 GHz Pentium 3 CPUs for everything else. As long as the throughput numbers match, I personally wouldn't care about what they used to get there, but x86 is certainly more cloud-ready than dedicated hardware for now.
The problem is a general-purpose CPU is not great at everything. Things like pattern matching are better done via an ASIC that can churn through the data quickly, no different than a GPU for dumb math done in parallel many times.
Have you used a FortiGate? It does a lot more than the 5506-X, and the UI is so much nicer compared to the ancient ASDM. Not until recently, the firewall and the IPS were two different instances, and you even had to plug in an additional management connection (3 in total: in/out/mgmt) just to be able to configure the Firepower instance. Then after that you had no way to view the events etc., since there was no management console to see it. The performance numbers are impressive on the 60E compared to a 5506-X thanks to the purpose-built SOC 3.
Also, for SMB it is quite elegant to have a FortiGate, the switches and APs managed by one box acting as WiFi controller etc. Pretty slick; Cisco is falling behind. It's so cool to see all this from one screen and be able to modify policy, see events etc.
Cisco needs to step up its game.
This thread at the Cisco support forums says it all. Pretty sad. Cisco needs to really fix things.
https://supportforums.cisco.com/t5/...re-half-baked-implementation-url/td-p/2981850