Spec me a firewall

iaind · 22 Sep 2010 at 08:22

I thought I had come back to say, but obviously not!

I probably decided against it at the risk of BRS's fury

I ended up with a watchguard x550 with the 3 year UTM bundle - so AV, spam etc.

I've left the job I was in (hence not being around here as much - the checkpoint firewalls at my new job block the site

) but I implemented it about 3 weeks before leaving.

I've always loved the watchguards from an admin side, they make a lot of sense IMO. Performance was brilliant, the VPN tunnels off it became much more reliable and the UTM stuff seemed to do a good job. Would recommend, mainly for the paint job and the "armed" light

Seems as good a place as any - what are peoples views on checkpoint? We've got a redundant pair of r70s running on HP DL360s at my new job. They're managed by a third party though so i have no involvement in them - would just be curious to see what people think.

ethos · 22 Sep 2010 at 08:56

iaind said:
I've always loved the watchguards from an admin side, they make a lot of sense IMO. Performance was brilliant, the VPN tunnels off it became much more reliable and the UTM stuff seemed to do a good job. Would recommend, mainly for the paint job and the "armed" light

I agree, I'm running the X550e here with the pro feature key. It round robins 3 ADSL lines with great success. When I was first testing failover it constantly dropped 1 ping before failing over, which is pretty impressive.

Performance and stability are excellent, but let's not forget the most important factor.... It's RED and looks AWESOME!!!!!!1 Which to be honest is the main thing when buying hardware.... isn't it? :cool:

bigredshark · 22 Sep 2010 at 14:50

Checkpoint are awesome *if* you have lots of them and the management products to go with them, a headache for small installs they are massively powerful and popular with people like BA for that reason.

iaind · 23 Sep 2010 at 08:21

I'm not sure about the management side of things, but the company managing them are rather massive so I guess they know what they're doing. We've got 3, strictly, 2 in some sort of HA setup and one on a VM collecting logs.

Had a look at the report for the rules the other day - looks very complicated so I can see how they'd be a headache for small installs.

Was mulling over whether it was worth keeping the management agreement up, it's a bit odd not having access to your own firewalls, but from what I've seen it's probably for the best

Little_Crow · 23 Sep 2010 at 11:04

We did use borderware firewalls, but recently moved to checkpoints.
I highly recommend them, they are extremely intuitive, and the reporting module is excellent.

They might be a bit overkill for a small install, but if you have the budget for them I highly recommend them.

Lithium · 27 Sep 2010 at 23:32

Watchguard are sooooo bad.

Cisco ASA all the way. They even come with a nice GUI to help you along.

ethos · 27 Sep 2010 at 23:39

Lithium said:
Watchguard are sooooo bad.

Any particular reason?

bigredshark · 28 Sep 2010 at 09:30

Lithium said:
Watchguard are sooooo bad.

Cisco ASA all the way. They even come with a nice GUI to help you along.

Actually the entire configuration of ASAs is fairly illogical to the extreme, it only makes sense if it's the only thing you've ever worked with. They work alright when setup correctly but for ease of administration virtually else anything is better (as evidenced by some of the ridiculous configurations I've seen people come up with because it's not clear the correct or easy way to do something).

s0ck · 29 Sep 2010 at 11:46

bigredshark said:
Actually the entire configuration of ASAs is fairly illogical to the extreme, it only makes sense if it's the only thing you've ever worked with. They work alright when setup correctly but for ease of administration virtually else anything is better (as evidenced by some of the ridiculous configurations I've seen people come up with because it's not clear the correct or easy way to do something).

Got an example m8? Just anything off the top of your head. No worries if not though

bigredshark · 29 Sep 2010 at 12:14

s0ck said:
Got an example m8? Just anything off the top of your head. No worries if not though

VPN formation is my biggest issue - I don't want you to magically generate phase 2 proposals, I can do it myself, I particularly don't want you to do it when you do it in a way which is extremely annoying to get working with other vendors.

Or even the policy formation, access list style CLI config was never a good way of doing this for any kind of length of rule set...