Firewall Recommendation Time

Our support contract for our Cyberoam firewalls is due in June. I know it is only 5 months away, but potentially changing firewalls can be time consuming.

We currently have an active/passive pair of Cyberoam CR1500ia, which is one of their top tier products, as we used to host our eCommerce platform internally; this has since been moved to Rackspace.

As such we probably do not need such large firewalls, so we are looking at alternatives. Now the obvious choice would be to move over to Cisco ASAs, but we have also been looking at the Dell SonicWall firewalls.

We have approx. 20 site-to-site VPNs; end-user VPNs are done by another appliance.

Most traffic outbound will be standard office web traffic and email, along with video feeds out to our content delivery partners. Traffic to Rackspace is handled by a dedicated link, so it does not come near the firewall.

We currently have DMZ, LAN, WAN and Wireless sections on our firewall, mapped to network ports on the actual firewall and then cabled to the DMZ switches or to the wireless controllers, so this is something we will need to bear in mind.

We are waiting on pricing to renew our support, but in the meantime we are interested to hear from others about what they would recommend, suggestions etc.

Thanks

Kimbie
 
Sonicwalls are by far the worst firewalls I have the displeasure of managing. I couldn't recommend one even with a gun to my head.

To recommend one we need to know what features you need, rough budget and expected traffic (throughput/connections).

- GP
 
Check out Fortigate:
lots of features, support very good.

Also they chuck in FortiClient (endpoint protection), which includes a virus checker (can be disabled if you have an existing virus checker).
 
We use vFortigates for our cloud, I'd compare them to the likes of a Watchguard really, however I've been less than impressed by their TAC.

- GP
 
Budget wise, until we get the renewal quote through the budget will be hard to pin down.

In terms of throughput, we have a 1Gb fibre line out to the internet, currently throttled to 200Mb, so in theory we will need to handle the full 1Gb if we open it up.

We currently have zones. For the wifi zone, the network cable goes from a port on the firewall to the wireless switch, and we have access rules so the guest network can access the internet but not our LAN, and the office one can access the LAN but not the internet, as internet access is handled through our proxy server.

We will need at a minimum 20 site-to-site VPNs, which are capable of having multiple subnets on both the source and destination.

Client VPNs are handled by a SonicWall VPN endpoint, so the firewall just forwards the traffic straight to that device and so does not handle client VPN traffic, so to speak.

Will have a look at Fortigate as I'm not really familiar with their kit; we are also looking at Watchguard and Barracuda.

One thing we have liked when looking at the SonicWalls and a few others is that they are less like traditional firewalls and more dynamic in how they handle things.

Kimbie
 
That's primarily because Sonicwalls are basically UTMs. If you start comparing them to other UTMs like CheckPoint, Watchguard, Fortinet products etc. then you'll find them more similar. ASAs are basically just firewall and VPN endpoints. Yes they do things like botnet filtering, IPS etc. but not very well.

If you just want basic features then a cluster of 5515-X units would suffice; if you want something fancier then maybe CheckPoint 4400/4600 appliances.

Who would be supporting the units too, yourselves or a 3rd party?

- GP
 
In terms of support, we would be doing the day-to-day running of the firewall, so rule setup, VPNs etc., and then any issues, be it hardware or software, would be referred back to the 3rd party.
 
Do you have any experience in any particular firewall brands, or have a training budget? It's sounding like an ASA or SSG would do you well for a basic firewall, or a Watchguard/Fortigate if you wanted UTM features. I'm a CheckPoint fanboy but they aren't cheap...

- GP
 
Having used SonicWall firewalls for a number of years, I have to say that Stonesoft firewalls are by far the easiest to work on in my experience, and are rock solid!

Probably WAY out of budget and overkill for your needs though.
 
If it helps sway you, SonicWall have just transferred my current device to someone else, and to get it back I need a picture of the actual unit, which is 45 miles away...

NOT impressed.
 
> Having used SonicWall firewalls for a number of years, I have to say that Stonesoft firewalls are by far the easiest to work on in my experience, and are rock solid!
>
> Probably WAY out of budget and overkill for your needs though.

... Which are now part of McAfee ;)
 
I don't get the Sonicwall hate. The UI is no more quirky than any other product competing in the same space, the feature set is decent, support is fine for what it costs, and they're stable. The only real complaint I have is that they aren't intimidating enough to scare people away from dicking around with them, with predictable results.

Having said that, I would be looking at the Sophos appliances, but I'd want a demo unit first. How likely are you to upgrade your 200Mbps line to 1Gig? That's a lot of extra cash to spend for capacity you might not need, when you could get something now to handle the connection you have and then trade it in when you upgrade your line.

Decide if you want the features of a UTM and work from there.
 
For pure firewalling, I like our Cisco ASA 5555. ASDM is great, and Cisco support has always been good when I've needed to contact them. Not a cheap solution, but good if you've got lots of rules and make lots of changes, because they're very easy to manage.

We've got several WatchGuards which are good for UTM, but they are a bit clunky to administer if you've got a lot of rules and they're set up by someone who's not familiar with their quirks. Things like setting up a rule with multiple ports/services is more of a faff than it needs to be, because you have to create a group for the ports first. For example, if you've got a rule that allows port 80 configured, and you find you need 443, you can't just add the additional port to the rule. If I was doing ours again I'd create a port group for each rule, even where I was only allowing a single port, because it makes the job of adding additional ports much easier in future. WatchGuard Server Center and System Manager are good if you've got multiple devices and want to manage them from a single location; the logging server is pretty good too. The management server is worth deploying for the config management feature alone: it'll store your configs after each change, with one-click instant restore of any previous configuration.

I've just bought a Fortigate 100D. Not done too much with that one yet; I'm using it for web filtering on our guest Wi-Fi at the moment, which it seems to do very well. Very good value for money, lots of ports that can be configured pretty much any way you want, and the VDOM virtual firewalls feature is good if you want a single device servicing different zones of your network. I've also yet to come across any Fortigate users who are not happy with the kit. Our network consultants generally push Cisco and Juniper kit, but they really recommend the Fortigate kit for firewall or UTM.
 
We have a pair of Cisco ASA 5525-X in failover mode in our data center. Pretty much perfect for our needs, and the ability to create contexts for specific clients is very useful.

Not a fan of ASDM though; the CLI gives a far better overview, I feel, of the configuration. In our case it is purely acting as a firewall, and we have an ASA 5515-X acting as a VPN server.
 
> I don't get the Sonicwall hate. The UI is no more quirky than any other product competing in the same space, the feature set is decent, support is fine for what it costs, and they're stable. The only real complaint I have is that they aren't intimidating enough to scare people away from dicking around with them, with predictable results.

In my experience the QA for their firmware updates is ****. We had a ton of tickets from mid-May last year when SonicWall decided to move YouTube's security priority up from Low to Medium for no apparent reason. There are problems with the DPI engine and the HA aspects of the firewalls. I don't even mention them when it comes to choosing firewalls; they don't excel at anything. 'Average at best' isn't much of a reason to buy one. Their support is extremely variable. Sometimes excellent, sometimes totally worthless. Not much in between.

The Sophos appliances are pretty popular at the moment and not too expensive up-front. Their subscription costs are not small though.
 
I have installed a client with a Sophos UTM recently (SG210) for a 40 person office over a 100Mbps line. They have the entire subscription package. I don't have much experience with other brands, but I'm impressed with the unit. SSL VPN is a cinch, and if you buy their wifi access points the integration is seamless (isolated guest wifi etc.).

You can muck around with the interface if you want to by installing either the free home or "essential" firewalls; they offer an ISO and a VM appliance. Not everything is enabled (as it requires a licence) but you can get the idea... http://www.sophos.com/en-us/products/free-tools.aspx
 