Thursday, January 2, 2020

Thanks /r/networking: 1 year ago I asked you for feedback/your opinion on FTD/Firepower

In October 2018 I created this post to gather some feedback on using Firepower/FTD in production.

We did try it ourselves in production, though, so we could form our own opinion; overall it really was as bad as described in the texts you see on the internet.

Usually you don't expect everything to be really good; sometimes the documentation is not really that good, or maybe the interface is not performing fast enough so you use the CLI, which you don't really mind... but for FTD it is really the overall experience, where almost every single part was horrible from the beginning and you could not reasonably argue for such a product at all. From initial deployment, software upgrades, daily operation and troubleshooting... just everything.

Negative aspects:

  • Overall Software quality: We did 2 minor software upgrades, one of them caused an outage, the other one took a couple of hours and did mess up a few things afterwards
  • Documentation: is either non-existent or even just wrong (for example NAT64 configuration, confirmed by TAC)
  • Central Management: Cisco representatives told us directly that everything below the largest FMC hardware appliance is not usable and we won't be happy with it (to be fair this specific hw generation is now end-of-sale)
  • Hardware Performance: They showed us an internal performance calculator which provided ridiculous numbers, we sized really carefully as we all know datasheet numbers are "a little bit off" most of the times, but for FTD this was really just unbearable
  • Development: "Everything will get better in the next release" should be printed on t-shirts; they just kept promising and promising. Keep in mind that we already looked at FTD in 2018 and were aware of what progress had been made up to this point

Positive aspects:

  • Price: they made an absurdly cheap offer to stay in the game
  • Integration: as we have a lot of Cisco products in place, integration would obviously be native into those if needed (e.g. Cisco ISE, Wireless controllers etc.)
  • Cisco seems to be aware and they know they have to do something about it

They had to compete against Palo Alto and it really was straightforward. I was very impressed by how Palo does things, especially the central management, which provides quite a few features for which you normally have to use a 3rd party tool like Algosec or Tufin.

There was a lot of politics involved as we have been an all Cisco shop so far and a few people really did not like to move away from it, but the evidence was more than enough against them and stability was the key argument.

In the end we migrated most of our productive clusters within 2019 and are very happy Palo Alto customers. But honestly I think almost every other major Firewall vendor would be better than what we saw with Firepower.

Something I noticed when comparing them is that Cisco is still putting out fires and doesn't seem to have the time or resources for appropriate development of the product (they still rush half-finished features into the field).

We still bought a few Firepower hardware appliances and run ASA software on them if we don't have the need for NGFW features (e.g. dedicated ClientVPN Firewall) and even on those we face major issues with the delivered performance.

In 5 years everything might be different but for now: stay away from Firepower/FTD if you can.

Happy new year
