Firewall Recommendations

nel
Hey Guys,

Just looking for folk to put forward their recommendations for a dedicated firewall solution that supports up to 1Gb in their product line. I'm looking to deploy these to offices that fall into a 10, 100 and 1Gb scenario.

Currently we use a mix of ASAs and SRXs but are looking at the wider picture and re-evaluating our current deployments as few are of a standard! Any pros and cons of the products recommended would be appreciated too.

Thanks
Xbox Live: Bring It On

Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking

Comments

  • Chivalry1
    Fortinet Fortigate offers the best firewall solution plus the cost is very reasonable. I can't say I know many cons with owning this firewall. Also, I have been hearing good things about Palo Alto.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • nel
    Thanks for the suggestions, I'll take a look into them.

    What's the manageability like on these products? Do they come with a decent management console?
  • RTmarc
    The FortiGates have been some of the best I've worked with as far as manageability is concerned. I'm always quick to suggest the FortiGate platform but I hear good things about the Palo Alto and new CheckPoint boxes.
  • kal#4
    Had a WebEx session with Palo Alto yesterday, it looks fantastic! I have a Palo Alto 2020 box coming next week and am putting it inline with my Check Point firewall and in TAP mode. So let's see what this Palo Alto box can do...
  • nel
    Thanks guys.

    Kal, it would be great to hear some feedback from yourself when you get one of these boxes, if that's OK?
  • cisco_trooper
    nel wrote: »
    Hey Guys,

    Just looking for folk to put forward their recommendations for a dedicated firewall solution that supports up to 1Gb in their product line. I'm looking to deploy these to offices that fall into a 10, 100 and 1Gb scenario.

    Make sure you are considering the throughput for encrypted traffic if you are using these for VPN Solutions.
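The point about encrypted throughput is worth putting numbers on. A datasheet's "VPN throughput" is usually measured with large packets, while office traffic is a mix, and for small packets the fixed per-packet ESP overhead (outer IP header, SPI and sequence number, IV, padding, trailer, ICV) takes a large share of the link. The following is an added example, not code from this thread or from any vendor; the cipher parameter sets follow RFC 4303 (ESP), RFC 3602 (AES-CBC), RFC 2404 (HMAC-SHA1-96) and RFC 4106 (AES-GCM), and the packet-size mix used at the bottom is a constructed assumption, not measured traffic.

```python
"""Size an IPsec tunnel against the office link, accounting for ESP tunnel-mode overhead.

Added example; cipher parameters per RFC 4303/3602/2404/4106, traffic mix is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class EspCipher:
    name: str
    iv_len: int     # explicit IV bytes carried after the ESP header
    icv_len: int    # integrity check value at the end of the packet
    pad_align: int  # (payload + pad + 2-byte trailer) must be a multiple of this


AES_CBC_SHA1 = EspCipher("AES-128-CBC + HMAC-SHA1-96", iv_len=16, icv_len=12, pad_align=16)
AES_GCM_128 = EspCipher("AES-128-GCM", iv_len=8, icv_len=16, pad_align=4)

OUTER_IPV4 = 20  # outer IPv4 header added in tunnel mode (no options)
ESP_HEADER = 8   # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)
NAT_T_UDP = 8    # UDP/4500 header when NAT traversal is in use


def esp_padding(inner_len: int, cipher: EspCipher) -> int:
    """Pad bytes so that payload + pad + trailer is aligned to the cipher's block."""
    return (-(inner_len + ESP_TRAILER)) % cipher.pad_align


def esp_wire_len(inner_len: int, cipher: EspCipher, nat_t: bool = False) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes (tunnel mode)."""
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + cipher.iv_len
            + inner_len + esp_padding(inner_len, cipher) + ESP_TRAILER + cipher.icv_len)


def goodput_mbps(wire_rate_mbps: float, inner_len: int, cipher: EspCipher,
                 nat_t: bool = False) -> float:
    """Plaintext rate delivered when the link carries wire_rate_mbps of ESP at this packet size."""
    return wire_rate_mbps * inner_len / esp_wire_len(inner_len, cipher, nat_t)


def max_inner_len(mtu: int, cipher: EspCipher, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulation still fits in mtu without fragmenting.

    Clamp TCP MSS on the tunnel interface to this minus 40 (IPv4 + TCP headers).
    """
    n = mtu
    while esp_wire_len(n, cipher, nat_t) > mtu:
        n -= 1
    return n


def mixed_goodput_mbps(wire_rate_mbps: float, mix: List[Tuple[int, float]],
                       cipher: EspCipher, nat_t: bool = False) -> float:
    """Goodput for a mix given as [(inner_len, fraction_of_wire_bytes), ...]."""
    total = sum(f for _, f in mix)
    return sum(goodput_mbps(wire_rate_mbps, n, cipher, nat_t) * f / total for n, f in mix)


if __name__ == "__main__":
    # Constructed office mix: 40% of wire bytes in 64-byte packets (VoIP, ACKs),
    # 60% in full-size packets. Compare against the vendor's rated IPsec figure.
    for link in (10, 100, 1000):
        for c in (AES_CBC_SHA1, AES_GCM_128):
            big = max_inner_len(1500, c)
            mix = [(64, 0.4), (big, 0.6)]
            print(f"{link:5d} Mb/s link, {c.name}: max inner {big} B, "
                  f"goodput {mixed_goodput_mbps(link, mix, c):.1f} Mb/s")
```

With AES-CBC + HMAC-SHA1, a 64-byte inner packet becomes 136 bytes on the wire, so small-packet traffic gets under half the link as plaintext; full-size packets lose only about 4%. The number to hold a vendor to is their IPsec rate at a realistic packet mix, not the large-packet headline figure, and the box also needs to terminate that rate on the WAN side with NAT-T overhead included if the remote end sits behind NAT.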
  • Lizano
    RTmarc wrote: »
    The FortiGates have been some of the best I've worked with as far as manageability is concerned. I'm always quick to suggest the FortiGate platform but I hear good things about the Palo Alto and new CheckPoint boxes.

    Just curious, what models of Fortigates have you worked with?
  • RTmarc
    Lizano wrote: »
    Just curious, what models of Fortigates have you worked with?

    I've used the 50s, 60s, 100s, and 500s. Multiple versions of each. I actually have a 60B at the house that I was using as a firewall for my house for a while.
  • Chivalry1
    I worked with the 200 and 60 series. The 60 I deployed at the remote site locations. They also provided me 60 series for the house.
  • TLeTourneau
    I'm a fan of Watchguard XTMs. Check out the XTM 5 series, great price and a lot of features for the money.
    Thanks, Tom

    M.S. - Cybersecurity and Information Assurance
    B.S: IT - Network Design & Management
  • docrice
    I've started looking at Palo Alto Networks (PAN) and their presentation is certainly impressive. So far, I feel that their selling point is their firewall with application awareness. They like to tout their IPS capabilities as well, and it probably would be fine for a lot of shops, but I get the feeling that if you're the type to dive deep into packet headers, IDS / IPS signatures, custom payload tuning, etc., you're going to be left wanting more. The web content filtering is based on BrightCloud and you can QoS based on user and application (for example, surfing Facebook is fine, but Facebook games gets throttled down significantly ... except for the CEO who gets a free pass). If you want to tail a log file, seems like the better place to do it would be at the CLI, not the GUI. Their centralized management system for multiple firewalls across sites is a VM, although I haven't looked at it yet.

    The double-edged sword (in my opinion) is the User-ID feature. You install a PAN agent on a Windows machine which then actively queries AD auditing and security logs. You can then create policies based on specific users or LDAP groups. Very sweet, until you consider that if someone breaks into your firewall, they also have user information as well.

    I like the management console interface. Very polished looking, and if you're familiar with Check Point, it's a very easy transition to manage policies.

    In general, I've heard mostly good things about PAN. I already see some limitations with the capabilities on our eval unit which I might be able to live with, but any vendor solution has its shortcomings. Weigh accordingly.

    PAN competes directly with Fortinet in the "nextgen" space. I'd like to look at Fortinet too. I hear more about PAN though, not sure why. HP TippingPoint and Sourcefire are also planning a nextgen firewall offering, and while I certainly respect their IPS solutions, they're also not traditionally firewall vendors and I feel they're probably playing catch-up.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
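The two mechanisms docrice describes, an agent that turns AD logon events into an IP-to-user table and a rulebase that matches on users or LDAP groups (the "Facebook games are throttled except for the CEO" case), fit in one short sketch. This is an added example and not Palo Alto's code. The event lines are a constructed, simplified pipe-delimited rendering of a few Security log fields (event 4624 is a successful logon), not the real EVTX/XML layout; the group membership, rule table and 45-minute mapping lifetime are likewise constructed assumptions.

```python
"""IP-to-user mapping from Windows logon events and a user/group-aware rulebase.

Added example (not vendor code). Event format, groups, rules and TTL are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Constructed sample: timestamp|EventID|TargetDomainName|TargetUserName|LogonType|IpAddress
SAMPLE_EVENTS = """\
2011-06-14T08:01:12Z|4624|CORP|jsmith|3|10.1.5.23
2011-06-14T08:01:40Z|4624|CORP|WKS-0231$|3|10.1.5.40
2011-06-14T08:02:05Z|4624|CORP|ceo|2|10.1.9.10
2011-06-14T08:03:00Z|4624|NT AUTHORITY|ANONYMOUS LOGON|3|10.1.5.23
2011-06-14T08:04:00Z|4624|CORP|svc_backup|5|-
2011-06-14T08:05:00Z|4672|CORP|jsmith|-|10.1.5.23
2011-06-14T09:15:00Z|4624|CORP|mlee|2|10.1.5.23
"""

MAPPING_TTL = timedelta(minutes=45)  # assumed: how long one logon vouches for an address

UserMap = Dict[str, Tuple[str, datetime]]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_user_map(events: str) -> UserMap:
    """ip -> (domain\\user, logon time). The latest logon from an address wins, which is
    also the weak spot: a terminal server or NAT address ends up mapped to one person."""
    mapping: UserMap = {}
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, event_id, domain, user, _logon_type, ip = line.split("|")
        if event_id != "4624":          # only successful logons carry a usable address
            continue
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue                    # machine accounts and null sessions are not people
        if ip in ("-", "127.0.0.1", "::1"):
            continue                    # service/local logons have no remote address to map
        mapping[ip] = (f"{domain}\\{user}".lower(), parse_ts(ts))
    return mapping


def lookup_user(mapping: UserMap, ip: str, now: datetime) -> Optional[str]:
    entry = mapping.get(ip)
    if entry is None:
        return None
    user, seen = entry
    if now - seen > MAPPING_TTL:        # stale: the person may no longer be at that host
        return None
    return user


# Constructed directory data (what an agent would pull as LDAP group membership).
GROUPS: Dict[str, Set[str]] = {
    "corp\\ceo": {"executives"},
    "corp\\jsmith": {"marketing"},
    "corp\\mlee": {"engineering"},
}

# (who, application, action). "who" is a group, a domain\\user, "known-user" or "any".
# First match wins, like a firewall rulebase, so the CEO exemption sits above the throttle.
RULES = [
    ("executives", "facebook-games", "allow"),
    ("any", "facebook-games", "throttle"),
    ("any", "facebook-base", "allow"),
    ("known-user", "web-browsing", "allow"),  # unmapped addresses never match this one
]
DEFAULT_ACTION = "deny"


def evaluate(mapping: UserMap, src_ip: str, app: str, now: datetime) -> str:
    """Resolve the source address to a user, then walk the rulebase."""
    user = lookup_user(mapping, src_ip, now)
    groups = GROUPS.get(user, set()) if user else set()
    for who, rule_app, action in RULES:
        if rule_app != app:
            continue
        if who == "any" or who == user or who in groups or (who == "known-user" and user):
            return action
    return DEFAULT_ACTION


if __name__ == "__main__":
    table = build_user_map(SAMPLE_EVENTS)
    now = parse_ts("2011-06-14T09:20:00Z")
    for ip, app in (("10.1.9.10", "facebook-games"), ("10.1.5.23", "facebook-games"),
                    ("10.1.5.40", "web-browsing")):
        print(ip, lookup_user(table, ip, now), app, "->", evaluate(table, ip, app, now))
```

Two things to notice. First, `build_user_map` plus `GROUPS` is exactly the user inventory docrice warns about: whoever reads the firewall's state gets a current who-is-where list, so the agent's service account should be read-only on the event logs and the mapping should not be exported anywhere it is not needed. Second, the "latest logon wins" and TTL choices decide how wrong the mapping can be; a shared host or a stale entry silently puts someone else's policy on a flow, and the CEO's exemption at 08:02 has expired by 09:20 in the sample.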
  • Lizano
    I've worked with Fortigate 50s, 60c, and 80s. I have to say, while I love some stuff about the Fortigates, there's other stuff that just ticks me off. They change the way stuff works too much between one firmware revision and the next, for one. I have to grant them that most of the boxes I have out there stay up solid most of the time, but I've run into a few buggy behavior scenarios that have affected my confidence in the units. I keep thinking maybe it's because I'm dealing with the SOHO units, maybe life gets better at the 110 models and up?

    While I'm not ready to push the boss on dropping Fortinet, I am highly interested in at least looking at the competition. I keep reading good stuff about Palo Alto Networks, but from what I'm seeing, they are in a little bit of a higher price range aren't they? Is there anything else in the Fortinet price range?
  • docrice
    The attitude I get from PAN to justify their price tag is, "Our one box will replace at least your existing firewall, IPS, web filter, and more, so you're really saving money in the long run." I don't personally buy this up-front, but it may be a legitimate argument for some organizations.
  • Lizano
    docrice wrote: »
    The attitude I get from PAN to justify their price tag is, "Our one box will replace at least your existing firewall, IPS, web filter, and more, so you're really saving money in the long run." I don't personally buy this up-front, but it may be a legitimate argument for some organizations.

    Hehe yeah, except I don't have all of that, I have a Fortinet that does all that... and to be fair, for the most part it works flawlessly. I know with any vendor, when you start turning on all their features and pushing more traffic with those features turned on, you get less performance. That I get, and I understand. It's the other oddball stuff that ticks me off.
  • RTmarc
    Lizano wrote: »
    I've worked with Fortigate 50s, 60c, and 80s. I have to say, while I love some stuff about the Fortigates, there's other stuff that just ticks me off. They change the way stuff works too much between one firmware revision and the next, for one. I have to grant them that most of the boxes I have out there stay up solid most of the time, but I've run into a few buggy behavior scenarios that have affected my confidence in the units. I keep thinking maybe it's because I'm dealing with the SOHO units, maybe life gets better at the 110 models and up?

    While I'm not ready to push the boss on dropping Fortinet, I am highly interested in at least looking at the competition. I keep reading good stuff about Palo Alto Networks, but from what I'm seeing, they are in a little bit of a higher price range aren't they? Is there anything else in the Fortinet price range?
    It's been a little while since I've worked on any FortiGates, but the biggest problem I had with the SOHO models is that they seemed to be lacking on the memory side. Even at my house, running some of the newer firmware images and just home traffic would use the majority of the memory, sometimes even peg it. At work, on the other hand, I had no issues. We ran a 500A cluster and those things were rock solid.

    They do make a lot of changes between versions but most of the time they are for the better.
  • nel
    That's some good feedback guys. Really appreciate it. Keep it comin' :).

    For those of you who have used ASAs, what are the PAN/Fortinet products like compared to the Cisco box?
  • demonfurbie
    I guess I'm the only person that likes SonicWall.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • RTmarc
    nel wrote: »
    For those of you who have used ASAs, what are the PAN/Fortinet products like compared to the Cisco box?

    Superior in almost every way.
  • crrussell3
    TLeTourneau wrote: »
    I'm a fan of Watchguard XTMs. Check out the XTM 5 series, great price and a lot of features for the money.

    We use Watchguard, and are considering upgrading to the new XTM 3 series that will be out next month.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • it_consultant
    crrussell3 wrote: »
    We use Watchguard, and are considering upgrading to the new XTM 3 series that will be out next month.

    We use Watchguards as well. Not my choice but I have to give them credit, their XTM and XCS appliances work pretty well. Once you get used to the management interface it is a whiz to manage and make changes to. I manage XTM 23s, XTM 505 and 510, the XCS 170, and the QMS appliance. My preference, because of how good the VPN client is, has always been Juniper.
  • unclerico
    nel wrote: »
    That's some good feedback guys. Really appreciate it. Keep it comin' :).

    For those of you who have used ASAs, what are the PAN/Fortinet products like compared to the Cisco box?
    I agree 100% with rtmarc, the capabilities and visibility that PAN gives to you is something that I cannot imagine living without. Traditional firewalls just don't cut it anymore. We had a well known/respected security firm in over this week to do penetration testing and other enterprise assessments and the security consultants were gushing about PAN. They tried to tunnel, proxy, impersonate, etc. and their efforts were thwarted every time.
    Preparing for CCIE Written