UTMs

Associate
Joined
23 May 2004
Posts
578
Location
UK
Hi Everyone,

Thought this was better suited for this forum rather than the Network forum since this is much more of an enterprise question! We're currently going through a process of getting a 1Gbps bearer and 100Mbps backup put in place.

Initially we're likely to have 300-500Mbps activated, but its quite possible within the next couple of years that we'll be growing beyond that and so we're looking at new UTM options.

Currently we use a Juniper SRX240 with IPS and AV scanning subscriptions, but I'm not sure if the SRX650 is the best option to go to as it's AV scanning speeds (according to the datasheet) cap out at around 350Mbps.

I've spoken to a few sales people and we've currently been suggested Palo Alto, FortiNet and Astaro. The Astaro would be running on HP servers, while the other two are appliances (PA-4020 or a FortiGate-1000C).

I was just wondering if anyone had any hands on experience with them, how they compared to the Juniper SRX range and if there's anything else anyone would recommend is worth looking at?
 
Not a fan of PA/FortiNet - Astaro can't comment on.

Were upgrading our old Nokia CheckPoint to one of their new 2012 models, I'd recommend looking at them (They don't have the bad problems some of the UTM-1s had, they are better like the older Nokias). The ONLY caveat is that you have to cluster them (you don't but I wouldn't run them without it) - we had some problems with some clients that would have taken them out of action for a while but the clustering worked so well and it makes them much easier to work with on a day-to-day basis

- GP
 
Last edited:
Currently running a PA2020 and two PA500s. I've also got a Fortinet 40C about to go into a branch site. Palo Altos have been great, especially PANOS v4 has had a few nice tweaks such as the addition of native kerberos real-time authentication for AD.
The Fortinet interface is less user friendly imo, but the boxes themselves are very good. They also offer a few features not on the PAs, like web caching which might be useful if you're on 95th Percentile billing :)
 
Not a fan of PA/FortiNet - Astaro can't comment on.

Were upgrading our old Nokia CheckPoint to one of their new 2012 models, I'd recommend looking at them (They don't have the bad problems some of the UTM-1s had, they are better like the older Nokias). The ONLY caveat is that you have to cluster them (you don't but I wouldn't run them without it) - we had some problems with some clients that would have taken them out of action for a while but the clustering worked so well and it makes them much easier to work with on a day-to-day basis

- GP
Have to say Checkpoint wasn't someone I'd considered. We use them for our laptop encryption so will have to have a look at their appliances. How easy to use do you find them? Any suggestions for a good reseller?

Currently running a PA2020 and two PA500s. I've also got a Fortinet 40C about to go into a branch site. Palo Altos have been great, especially PANOS v4 has had a few nice tweaks such as the addition of native kerberos real-time authentication for AD.
The Fortinet interface is less user friendly imo, but the boxes themselves are very good. They also offer a few features not on the PAs, like web caching which might be useful if you're on 95th Percentile billing :)

How'd you rate the PA's vs the Fortigates? How hard are the two CLIs/GUIs to master? Any particular gotchas with either unit?
 
Not really any gotchas I've come across.
The PA webGUI is nice and simple, the CLI is quite odd in it's syntax compared to the routers and switches I'm used to configuring. But I never use it because the GUI is good enough to do it all :)
Fortigate it becomes irrelevant about GUI and CLI because you can get at the CLI from the GUI :) which is nice, but again, not the most logical syntax format.
The only beef I have with the PA is you can't tag multiple VLANs on a single interface. Which is unusual to do on a firewall anyway.
FortiOS is also good, though I'm not as fond of the way the rules are setup on that where you have to define address objects for everything first before you create the rule. PANOS lets you just type IPs in if you want to OR create new address objects on the fly.

Both are perfectly decent though.
 
Our UK reseller is Azlan - service is excellent. As for the appliance, in my mind they are top of the game. The only caveat is that they run on tops of SPLAT (Linux derivative) on the appliances so you need a little bit of Linux experience

- GP
 
Back
Top Bottom