FirePower services -- specifically the effectiveness of the IPS and Web Content Filtering
Dependency on ASA and SF modules, thus if you want to upgrade one, you may have to upgrade both which increases operational risk for downtime.
- Content filtering works quite well, but has a few quirks with rules (i.e., blocking a domain with a word that is the subset of another domain will result in an unintentional block
- IPS works great, alerting not so much, not very customizable
- Access to snort rules is nice
- Failover works quite well
- Most upgrades are time consuming, but simple
- Integration with AMP is nice, but would be better if AMP for endpoints was represented here as well (it exists as a separate portal)
We utilize many of the NGFW features, one of the main benefits that we received was combining multiple disparate products into a single platform. Instead of having an IPS and Web Content Gateway that are separate, they now work in a single pane of glass so to speak.