Need help speccing a firewall

Hello chaps,

Looking at firewall spec sheets I feel a bit out of my depth. I'm specifically looking at Fortinet FortiGate appliances (because it's what we're using at the moment, albeit in a hosted solution), but I've no idea what model fits my network. What's the best way to determine this?

Criteria:
Heavy internet use with a peak user count of about 350-400 users.
100/100 internet line.
Inbound access is relatively small usage; internally hosted sites for external access get maybe 50 concurrent users max.
No VPN use (yet), but even if we do use that it'll be remote access only and small usage.
Filtering done by a separate service.

I'm thinking the 100D? but I don't really understand how to interpret the specs.
 
Caveat to anything I say is I'm not a networking/Firewall person (I know IPS and that's about it!), but generally initial things I'd want to know are what's the peak throughput that'll likely be hitting the appliance and how many interfaces of what type do you need.

That's the stuff I'd likely use as a starting point to work out what appliance to choose.
 
What is your budget?

Well, tough to answer really. There isn't one as such; it's a case of the cheaper the better, but finding the right balance of feature set and performance vs price means we'd spend a bit more if needed. I'd say that given alternative options I wouldn't really want to spend over £1,500 if I can help it (ex VAT).

At the moment our firewall is a hosted solution which is shared with lots of other customers on a FortiGate 3450C device. I have a few issues with it being hosted (for starters there is no logging, at all; it's turned off because of a bug and hasn't been fixed in over a year by our ISP :|), which is why I want a smaller equivalent internally for whatever size is right for my network.

Caveat to anything I say is I'm not a networking/Firewall person (I know IPS and that's about it!), but generally initial things I'd want to know are what's the peak throughput that'll likely be hitting the appliance and how many interfaces of what type do you need.

That's the stuff I'd likely use as a starting point to work out what appliance to choose.

How do I determine the peak throughput it'll be hitting? Unfortunately I'm a "jack of all trades" where I work, so I have large gaps in my knowledge: fine with internal networking, but as soon as it attempts to exit past my router I'm a bit lost :p. As for interfaces we only need 1GbE, no SFP or 10Gb required.
 
Get whoever manages the current firewall to pull off some stats that show throughput if possible, get an idea of what it's currently doing now. Ideally you want some sort of average peak figure over a decent time period to allow for any 'seasonal' spikes.

Or, as it's hosted, can you get a figure off whatever it feeds into that's within your network?

Again, the caveat here is that firewalls aren't normally my thing, and there are people on here who are far more knowledgeable than me on this stuff who can comment on whether I'm talking rubbish or not!
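The "pull some stats off the current firewall" suggestion above boils down to sampling interface byte counters at a fixed interval and turning the deltas into bit rates. The script below is an added example, not something posted in the thread: it takes periodic samples of cumulative in/out octet counters (the kind you get from SNMP ifHCInOctets/ifHCOutOctets on the router the hosted firewall feeds into, or from its interface counters), handles a counter rollover, and reports the peak and 95th-percentile combined rate in Mbps. The sample data, the 5-minute poll interval and the 2x headroom factor are assumptions chosen for illustration.

```python
"""Peak-throughput estimate from periodic interface byte counters.

Added example for sizing a firewall: feed it cumulative (timestamp,
in_octets, out_octets) samples from the interface carrying your internet
traffic and compare the peak figure against the vendor's throughput spec.
All sample data here is constructed, not measured.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNTER_32 = 2 ** 32   # ifInOctets is a 32-bit counter and wraps often on busy links
COUNTER_64 = 2 ** 64   # ifHCInOctets is 64-bit; prefer it where the device offers it
POLL_SECONDS = 300     # assumed 5-minute poll, a common NMS default


@dataclass
class Sample:
    ts: float         # seconds since epoch
    in_octets: int    # cumulative bytes received on the interface
    out_octets: int   # cumulative bytes sent on the interface


def _delta(prev: int, cur: int, width: int) -> int:
    """Difference between two cumulative counters, allowing for one rollover."""
    if cur >= prev:
        return cur - prev
    return cur + width - prev   # counter wrapped between the two polls


def rates_mbps(samples: List[Sample], width: int = COUNTER_64) -> List[Tuple[float, float, float]]:
    """Per-interval (timestamp, in_mbps, out_mbps) from consecutive samples."""
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        secs = cur.ts - prev.ts
        if secs <= 0:
            raise ValueError("samples must be strictly increasing in time")
        in_bps = _delta(prev.in_octets, cur.in_octets, width) * 8 / secs
        out_bps = _delta(prev.out_octets, cur.out_octets, width) * 8 / secs
        rates.append((cur.ts, in_bps / 1e6, out_bps / 1e6))
    return rates


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile (the same '95th percentile' ISPs bill on)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(samples: List[Sample], width: int = COUNTER_64) -> Dict[str, float]:
    """Peak in/out/combined rate plus the p95 of the combined rate, in Mbps."""
    r = rates_mbps(samples, width)
    totals = [i + o for _, i, o in r]
    return {
        "peak_in_mbps": max(i for _, i, o in r),
        "peak_out_mbps": max(o for _, i, o in r),
        "peak_total_mbps": max(totals),
        "p95_total_mbps": percentile(totals, 95),
    }


def required_throughput(summary: Dict[str, float], headroom: float = 2.0) -> float:
    """Spec figure to shop for: peak combined rate with an assumed growth headroom."""
    return summary["peak_total_mbps"] * headroom


def _constructed_samples(in_mbps, out_mbps, interval=POLL_SECONDS, start=1_000_000):
    """Build cumulative counters from per-interval average rates (constructed test data)."""
    samples = [Sample(0.0, start, start)]
    in_c, out_c = start, start
    for k, (i, o) in enumerate(zip(in_mbps, out_mbps), start=1):
        in_c += int(i * 1e6 * interval / 8)
        out_c += int(o * 1e6 * interval / 8)
        samples.append(Sample(k * interval, in_c, out_c))
    return samples


# Eight constructed 5-minute intervals; a real run would cover a few weeks of polls.
CONSTRUCTED = _constructed_samples(
    in_mbps=[20, 60, 85, 40, 30, 55, 70, 25],
    out_mbps=[5, 15, 30, 10, 8, 20, 25, 6],
)

if __name__ == "__main__":
    s = summarize(CONSTRUCTED)
    for name, value in s.items():
        print(f"{name:>16}: {value:7.1f}")
    print(f"shop for >= {required_throughput(s):.0f} Mbps with 2x headroom")
```

Poll over a period long enough to catch the seasonal spikes mentioned above; the p95 figure tells you what the link does most of the time, the peak is what the appliance must not choke on. When comparing against a spec sheet, use the vendor's figure for the feature set you will actually turn on (IPS, AV, SSL inspection), which is far lower than the headline "firewall throughput" number.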
 
A 100D will easily cope with what you've outlined above.

I had one running 2 VDOMs, each with 100mbps synchronous connections, doing web and email filtering, gateway AV and VPNs, and it appeared to have plenty of headroom left. I know of organisations running 100Ds on gig internet connections with no problems.

You'd get away with a 30D for your current requirements but SSL VPN on those is only 25mbps.

Fortigate's paper specs are properly achievable, unlike some other vendors.

The 100D interfaces give you a massive amount of flexibility as well.
 
Speak with Barracuda; those are designed to be easy. Cisco/Juniper are both excellent but not the easiest, and if you're feeling a little out of your depth the Barracuda devices might be a very good option. Their support is excellent; we had their web filter at my old company.

Nox
 
If you're used to a Fortigate then buy another Fortigate. Engage with a VAR to size one appropriately.

Don't buy a Sonicwall.
 
The problem with asking for firewall advice is that everyone will give you their personal preference :)

The only firewall I've used and didn't really like the UI was a Juniper.

As they say, 'no one ever got fired for buying a Cisco' but for a 5512x you're looking at about 3k with a Smart Net. If you're comfortable with CLI you can't really go wrong here.

Check Point has the best logging (Tracker) hands down but they're not cheap.

SonicWall was always relatively user friendly and pretty reasonably priced. Although they're owned by Dell...
 
Meraki MX100?

Interesting that you should point that out... we're currently gathering details and creating a proposal for a new wireless network, and we've pretty much narrowed our ideas down to two vendors, those being Meraki and Ruckus. So if we happened to lean more towards Meraki (pending further investigation) we could possibly get a good price if we added a firewall in too (again pending investigation; no knowledge of their firewalls up until you posted that! :p). EDIT: looks a fair bit more expensive than a FortiGate option though, but then again I guess we get special pricing through a vendor... I've just checked web pricing, which I guess isn't accurate.

A bit off topic, but I've heard good things about Meraki switches too; any thoughts on those? We use 95% HP ProCurves at the moment.
 
Meraki Wi-Fi makes sense. Their switches also make sense if you're providing management services for customers, or you really need the reporting they offer for some reason.

If it's your own office then stick to Catalysts / ProCurve / whatever, they're a fair bit cheaper and you don't really lose out. None of the Meraki switches stack, it's all virtual stack management and traffic between switches is limited to 10Gbps as opposed to the 40Gbps stacking offered by genuine stackable switches. I think you also lose the ability to do etherchannel across stack members, so it might not even suit your topology.

I don't like their security appliances. The reporting is nice, but the UI for configuring firewall rules is archaic and no better than the port forwarding screen on a cheap home router. Why there is no concept of service groups I do not know.
 
Cisco ASA, there are a few different models. Can be set up using CLI or ASDM.

It's not that difficult, if you know how to configure firewalls.
 