Cisco SA 520 firewall disappoints

The Cisco SA 520 network security appliance offers a solid array of features but it has almost no relation to the rest of Cisco's security solutions.

There are two ways to look at the [[xref:]] network security appliance. On one hand, it offers a solid array of features: 65Mbps IPSec VPN throughput, 100Mbps overall throughput, integrated firewall (limited to 100 rules), built-in filtering for common services like IM and P2P networking, SSL VPN, IPS, DDNS, and multi-WAN support. On the other hand, it has nearly no relation to the rest of Cisco's security solutions.

The Cisco SA 520 is physically similar to the old Cisco PIX 501, and it offers similar basic functionality. However, that's where the similarities stop: Whereas the PIX 501 ran PIXOS, the SA 520 runs a Linux-based operating system. Where the PIX 501 was as easy to manage as its bigger brothers, the SA 520 runs a completely different OS, has no console port, and no CLI. It's administered via a somewhat cranky Web-based UI.

From the perspective of a small business looking for a firewall that offers some relatively advanced features, the Cisco SA 520 is suitable. For a network professional looking for a small-site VPN endpoint device, the SA 520 is a mixed bag. It fits the bill in terms of capacity, features, and throughput, but from a management perspective, it promises headaches. Given that scenario, I'm going to address both viewpoints.

Cisco SA 520: Good for small business

The Cisco SA 520 ($419 street) provides a wealth of options as a small-business security appliance. There's a little of everything here, from basic firewalling tasks through SSL VPN features, including SSL VPN portal pages. On the back end, it will integrate with Active Directory or standard LDAP authentication services to allow users to to log into the VPN with their domain credentials.

However, the stock model is outfitted with only two SSL VPN licenses, expandable to 25 by purchasing more. Two might not be the loneliest number, but it certainly seems tiny in this case. Oddly, the SA 520 allows for 50 IPSec tunnels out of the box. It's hard to see anyone in the small-business space needing 50 IPSec tunnels but only two client-based SSL VPN tunnels.

There's also support for multiple WAN interfaces and load balancing, so you can leverage multiple Internet connections within a single device. Further, you can create rules that apply to total traffic passed through each Internet connection to ensure you don't go over ISP-imposed limits, if any should exist.

Test Center Scorecard








Cisco SA 520 Security Appliance









Coupled with that are basic QoS rules that allow traffic classification based on TCP or UDP port, source addresses, VLAN, or even a physical port. This traffic can be prioritized into high, medium, or low priorities. The SA 520 also supports 802.1p traffic prioritization that adds much more granularity, though you'll need to classify traffic with 802.1p internally for this to function.

You can also use some higher-end features, including URL filtering, traffic allowance based on approved client lists, and malware and spam filtering through licensed Trend Micro technology. Another separately licensed option is the IPS (Intrusion Prevention System) that offers another layer of protection for the internal network by filtering traffic based on signatures downloaded from external resources.

With the built-in four-port switch and support for a single DMZ, I can see the SA 520 fitting in well in a small-business infrastructure.

Cisco SA 520: Bad for the remote officeI don't feel the same way about the use of the Cisco SA 520 for remote office connectivity. While the stats on the SA 520 clearly position it as a viable candidate to link a small remote office back to headquarters via a VPN tunnel, the lack of reasonable remote-management capabilities makes it a hard sell.

For one thing, there's no console port, so there's no way to use a serial terminal server to access the device during a failure. There's also no CLI, so all management must be conducted via the Web GUI, which can be very annoying. While there is the ability to download a configuration file for backup, it's not really viable to modify the file offline, as you can for nearly all other Cisco network devices.

Remote administration is possible but can be granted to only a single source IP address, not a subnet or selection of addresses. Also, the SNMP MIB (management information base) situation with the SA 520 is somewhat perplexing. Certain aspects of the device respond to Cisco's MIBs, while others respond to standard UCD-SNMP MIBs. Even more confusing, the MIB support has changed between firmware releases. The upshot is that you may be able to enumerate interfaces with a UCD MIB, but you won't get any traffic data unless you're using the Cisco MIB, or vice versa. It's a bit of a jumble.

Also disturbing is that the SA 520 appears to have problems retaining its configuration across certain firmware updates. I updated the firmware, only to find the device return to factory settings. Should that happen with an SA 520 at a remote site with no other connectivity and no serial console that could ostensibly be connected to a modem, it would remain offline until someone can reconfigure it from the LAN through a Web browser. That's definitely not a good situation for a remote office firewall.

However, the SA 520 supports up to 50 IPSec 3DES-to-AES256 tunnels, though working with the VPN tunnel management interface and wizard can be frustrating for experienced admins who are used to the ease and simplicity of CLI-based configuration. The IPSec VPNs did function properly with all encryption algorithms, and once I wrapped my head around how the VPN tunnel construction interface was designed, I was able to bring up tunnels to Cisco PIX and ASA firewalls without issue.

In short, the SA 520 can run an AES256 IPSec VPN up to 65Mbps, but it'll make you work harder than you think you should to implement it and maintain proper operation.

A Cisco in name onlyThe Cisco SA 520 lives up to its Small Business billing, but doesn't meet the requirements for the Pro designation, lacking adequate tools for managing a remote office endpoint for larger infrastructures. Given the specs for the device, that's a shame, because it definitely performs like a higher-end unit, offering advanced features, including 802.1p, CDP (Cisco Discovery Protocol) RADIUS, and syslog support.

If all you're looking for is a small-business firewall, you can get one cheaper than the SA 520, albeit without some of the extended features. If you're looking to terminate a VPN at a remote office, you might find that paying more for another device that has the necessary management capabilities makes sense in the end.

If you're in the middle, needing a small-business firewall with content filtering and dual-WAN capabilities, the SA 520 might be just the ticket, but I'm not sure how many of those businesses exist these days.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags firewallsCisco Systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Venezia

Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?