Without a separate management server, PRSM presents a risk to the firewall by running hosting reporting, log storage, and management all on the same CPU that is handling packets. On-box PRSM makes for a fast demo of PRSM capabilities, but we prefer to ship logs to a separate server so that any analysis and debugging won't risk slowing down a production device.
The ASA CX is only managed by PRSM, which creates a disconnect between the next-generation firewall rules and the rest of the ASA management. However strange this interface is, it's a bit unfair to grade the ASA down because of it — Cisco told us that migration of firewall configuration to PRSM (from ASDM) is their No.1 priority for 2013 for the ASA line.
So, yes, today, network managers need to go through contortions to manage a firewall, but we are looking at a product in transition. Even though PRSM's visibility capabilities are excellent, network managers will find PRSM's configuration capabilities to be clumsy and disappointing compared to ASDM. Firewall rules are spread sparsely across a web page without critical information, making policy analysis and editing difficult; policy objects are named with the least helpful terms possible, and redundant and inconsistent terminology pervades the interface. We hope that this poor configuration interface is cleaned up as part of the migration of ASDM functionality into PRSM.
How We Tested
We used the methodology from our 2012 Next Generation firewall test so that readers could evaluate the Cisco ASA CX against competition from Barracuda, Check Point, Fortinet, Palo Alto Networks, and SonicWALL.
Because the Cisco ASA CX does not support anti-malware and traditional IPS, we did not repeat those tests.
We also changed our application identification testing slightly to include a wider range of clients, including smart phone and tablet devices. We highlighted the performance of those clients so that readers can more fairly compare coverage and accuracy of the ASA CX against competitive products.
Sign up for CIO Asia eNewsletters.