Spec me a firewall

Oh, and remove the competitor name, or do you not care for the rules?

Competitor name removed, thanks :)

Also, this solution isn't going into an Enterprise environment, it's for 10 users, so your whole argument that SonicWalls aren't suited for Enterprise environments is invalid anyway.
 
The Junipers look good and a nice price too - what is the support like?

I'm also a bit concerned about learning to use something new when my timescales for reimplementation are fairly tight - is a Juniper firewall something someone with common sense could figure out or is it complicated?

Am happy with any web-based interface, plus IOS and WSM, so this sort of thing isn't new to me, but Juniper is :)

Support - excellent in general, I've never got frustrated with them which is unusual for a vendor and even first line seem to keep up with me (and I have a JNCIP so that's unusual).

Learning - Well it depends, the SSG is intuitive in the web interface (I think it's the best firewall GUI by a distance) and the CLI is fairly straightforward once you get the 'get'/'set' syntax.

The SRX is a slightly different story. JUNOS is all-powerful (it's the same OS running on the TN Matrix platform at the end of the day, which says a lot) but it's very different to IOS and just about anything else. Intuitive, powerful and just easy to use when you know and understand it, but it is a steep learning curve for a beginner.

The GUI on the SRX is J-web rather than the old SSG GUI (but it draws heavily from it). It's fairly intuitive (far more so than say, pfsense or similar which is all over the place) but it took me a little while coming from the SSG GUI and I know JUNOS CLI inside out so I still prefer that.

I think it's fairly possible to pick it up if you have a clue but it does depend where you're coming from. I have a CCIE and I've spent a half day this week swearing at the illogical mess which is pfsense on a box I need to rip out of one of our latest acquisitions - I'm sure somebody will defend pfsense but it's certainly not obvious when I can't work it out instantly. Even fortigate (which I don't much like GUI or CLI wise) I understood quicker...
 
The NetScreen devices by Juniper are fantastic bits of kit, I work with them almost exclusively. Really want to get my hands dirty on a JUNOS device soon though. Having to learn the competition at the moment though, due to a lack of demand for NetScreen skills around this area and the fact that I'm getting a bit bored in my current role :(

Anyway, I digress...

Functionality is really good, and you are supplied with a very comprehensive 'concepts and examples' guide for ScreenOS with the product you buy. You can either use CLI, or a web UI, or NSM to manage the devices. The online knowledgebase is excellent, with really good setup and troubleshooting guides. I've not got a bad thing to say about JTAC support either, they have always been very very good with me. You would be daft to buy a unit without it!

I too, personally, would not touch a SonicWall. I've inherited an Aventail SSL-VPN platform. Aventail were bought out by SonicWall a few years back. Granted it's not 'their' product, and credit where credit is due, some of the new functionality they have added is nice, but their support is absolutely diabolical. That's pretty much the only reason I have no interest in any other SonicWall product at this time.

The only thing that is a bummer about the Juniper firewall range is that it doesn't include SSL-VPN, and whilst that was on your list of requirements I guess that might be a deal breaker for you? That said, if it were me, I would want my firewall to be my firewall, and my SSL-VPN to be my SSL-VPN. I live in the real world though, and understand that with budget constraints you might not have that luxury.

An SSG20 would do you proud, that's all I'll say! :)

Edit: sorry, I thought you had 10 users, just seen that it's 10 IPsec tunnels and 100 users. Might want to go for the SSG140 instead then! ;)
 
> Even fortigate (which I don't much like GUI or CLI wise) I understood quicker...

Thanks for the good info. Incidentally it's a Fortigate that it's replacing...

> The only thing that is a bummer about the Juniper firewall range is that it doesn't include SSL-VPN, and whilst that was on your list of requirements I guess that might be a deal breaker for you? That said, if it were me, I would want my firewall to be my firewall, and my SSL-VPN to be my SSL-VPN. I live in the real world though, and understand that with budget constraints you might not have that luxury.
>
> An SSG20 would do you proud, that's all I'll say! :)
>
> Edit: sorry, I thought you had 10 users, just seen that it's 10 IPsec tunnels and 100 users. Might want to go for the SSG140 instead then! ;)

It's not a deal breaker, but I did want to include it. We have a few support contracts and other bits and bobs where we want other people to connect without hardware or proprietary clients - for this we currently use PPTP, but a recent audit picked up the fact that it's not very secure (and I agree) so I wanted to go down the SSL VPN route.

I also wouldn't spend 2k on a firewall for 10 people!
 
> Thanks for the good info. Incidentally it's a Fortigate that it's replacing...

No problem. Any reason for not continuing with Fortigate in particular? They are good value for money, feature packed and excellent firewalls in their newer models.

They're also terrible routers of course, but in a few years they'll likely be either excellent products or have been bought...
 
bigredshark... how long did you spend getting your JNCIP and how much prior experience did you have before doing it?

I only ask because I'm really getting my teeth into them at the moment after configuring a few within the last couple of weeks, and I wonder if it's worth doing the JNCIP. Also, is it IOS or JUNOS specific, as I'm only involved with IOS at the moment until we start shifting the SRX series.
 
> No problem. Any reason for not continuing with Fortigate in particular? They are good value for money, feature packed and excellent firewalls in their newer models.
>
> They're also terrible routers of course, but in a few years they'll likely be either excellent products or have been bought...

I'm not a big fan of the administration on the unit we've got so may as well get something better. Of course buying another Fortigate would make the migration easier....

Any thoughts on Watchguard? I've always really liked them and know my way around them
 
> I'm not a big fan of the administration on the unit we've got so may as well get something better. Of course buying another Fortigate would make the migration easier....
>
> Any thoughts on Watchguard? I've always really liked them and know my way around them

I do know what you mean about the interface, it's a little heavy on looking nice and light on functionality.

Personally I regard watchguard as another sonicwall, nothing terrible (and better than a server running pfsense or whatever) but not a serious competitor for the big boys and showing no signs of becoming so.

If you know Fortigate it may make a transition to Juniper easier...

-a brief history of firewalls-

...many moons ago there was a nice firewall company called NetScreen, who were bought by Juniper. All the original NetScreen engineers who weren't so keen on this jumped ship. They got bored and started a new company making firewalls and they called it Fortinet. But meanwhile Juniper took the NetScreen product, got rid of the bad bits and improved it until they got round to changing the name and called the boxes SSGs (and they took the core security bits and put them in JUNOS, then shipped that in a product called the SRX).

Short version: there's obvious commonality between Fortigates and Junipers, though the Juniper product is superior technically (except for one little area, which is that virtually every Fortigate supports VDOMs - which Juniper call vsys and only support on the high-end boxes - it's essentially a virtual firewall, and even the low-end 50B and 80C support 10 VDOMs per box).
 
You have to admit though, the Watchguards do look the part, and that's important :D

I do like the way the Watchguards work with the configuration - being able to configure everything from a nice rich GUI, working with local files and uploading them to the box etc, all seems to make sense to me.

That's interesting about the history of them, how long ago was that? It's funny, I always thought Fortigates were rare/nice etc - nobody I speak to has ever heard of them!

I do worry about our Fortigate, every few weeks it just locks up - all the VPNs drop and outbound traffic stops and the only solution is a reboot.

Wonder if I can get hold of a loan unit to see how I get on with the Juniper
 
> You have to admit though, the Watchguards do look the part, and that's important :D

:D I think they try too hard to look the part, maybe contributing to my 'toy firewall' view of them ;)

> That's interesting about the history of them, how long ago was that? It's funny, I always thought Fortigates were rare/nice etc - nobody I speak to has ever heard of them!

Umm, I think Juniper acquired them in 2004 when they were on v3 of the ScreenOS software; v4 and v5 under Juniper management were very obvious improvements.

Which makes Fortinet founded in 2005 or so I guess. Certainly they're small and as a result can be quite responsive to anybody placing any sort of order volume. They are terrible routers, OSPF routinely just doesn't work properly, and I think I've actually found a bug recently where they don't understand the concept of most-specific route (yes, they're *that* terrible as routers).

> I do worry about our Fortigate, every few weeks it just locks up - all the VPNs drop and outbound traffic stops and the only solution is a reboot.

That I haven't seen though, there was a high CPU bug which plagued boxes on v4 firmware that I know of, v5 seems to be a bit more solid.

> Wonder if I can get hold of a loan unit to see how I get on with the Juniper

Good luck, you'll need to find a sympathetic reseller (or convince them you may be about to give them lots of money). We fare alright for eval units as we do a lot of business with Juniper (to the tune of about £8m last year), but I do hear, and it's been my experience in the past, that eval units are in demand and thin on the ground.
 
Jeez, our Fortigate must be one of the first ones, it was purchased in 2005! You're right about the routing functionality - when I've tried to do anything more than basic NAT with ours, it just doesn't do what you expect!

Ours is on 3.something - we can't actually upgrade it to anything more up to date than the latest v3 firmware :(

I'd probably go to one of my usual suppliers and do it on a sale or return basis, rather than direct to juniper.

What model specifically would you suggest for our size?

Cheers again :)
 
For the old SSG series it's a toss-up between the SSG20 and the SSG140. Most people tended to go for the SSG140, though it was arguably over the top and the SSG20 would have done.

SRX wise, I can't see a reason to go beyond the SRX210, and the SRX100 might well be powerful enough. Whichever you choose, I'd recommend the high memory versions (I believe it'll be required for full AV/IDP functionality anyway).

Given the 750 Mbps firewall throughput, the 2 GigE interfaces (in addition to 6 FE) on the SRX210 may be worth the premium for the future if you intend to route between multiple security zones internally (the SRX100 is really targeted at branch offices and home workers, with FE interfaces only - but how much can you ask for when it costs £350!).
 
Actually the chances of it being used internally are quite high - we share our building with 2 of our partners, which are running on completely isolated networks ATM but we do want to integrate IT systems to an extent

Which would you go for - SRX or SSG?
 
> Actually the chances of it being used internally are quite high - we share our building with 2 of our partners, which are running on completely isolated networks ATM but we do want to integrate IT systems to an extent
>
> Which would you go for - SRX or SSG?

SRX is the future and is more powerful at a given price point (better throughput etc.) but slightly harder to learn from scratch. Difficult for me to answer helpfully as I know both inside out, but I'd be reticent about buying an SSG these days...
 
Sorry to dig up an old thread.

I would be interested to see which firewall you went for Ian and how you are finding it?

At the time of this thread I would have recommended a sonicwall too. However, in the last few months I've had nothing but problems. :(
 