What kind of business class firewalls do you guys prefer?

brad-

I am looking at replacing an old ISA firewall as well as some little small office routers. The small office routers will be at branch offices, and a couple more at the main office that do some port forwarding for some hosted websites. The ISA at the main office serves about 100 people, while the branches serve about 20 each.

I have looked at the Cisco ASA's and while i am familar with cisco switches and routers, setup and maintenance, i do not feel comfortable or confident with the ASA and they are the most costly.

I was looking at the Sonicwall and Barracuda firewalls primarily. Barracuda costs a little more overall but sonicwall nickel and dimes you so hard they prices are comprable. I like both interfaces and would be comfortable with either.

Before i get into getting quotes do you guys have any recommendations or experience with the sonicwalls or barracudas?

SteveO86

Never used barracuda so I can't comment on those. I did a bunch of SonicWall deployments, and I am not impressed I found them to be buggy and requiring a reboot to get some features working for reason.

Fortinet's are cool, but I'll prefer a Cisco ASA

shodown

sonic wall for ease of use. Cisco ASA for support. When it breaks or acting funny they have some of the best support.

f0rgiv3n

1. Cisco ASA
2. Juniper SRX
3.
4.
5.
...
15. SonicWall

My last job I was in charge of the network which included multiple Sonicwall clusters. Very buggy from my experience. Yeah it was easy to use but any of the more complex features (SonicPoint wireless, actual failover in clusters, dynamic routing protocols, etc...) seemed to have issues constantly. Then again, that was only my experience. It seems that they are still popular.

No experience with Barracuda firewalls except for their spam firewall which did the job for a very long time at a previous job of mine. Personally, if I had to choose between Sonicwall or Barracuda I'd take my chances with Barracuda mainly because of my experience with Sonicwall.

it_consultant

brad- wrote: »

I am looking at replacing an old ISA firewall as well as some little small office routers. The small office routers will be at branch offices, and a couple more at the main office that do some port forwarding for some hosted websites. The ISA at the main office serves about 100 people, while the branches serve about 20 each.

I have looked at the Cisco ASA's and while i am familar with cisco switches and routers, setup and maintenance, i do not feel comfortable or confident with the ASA and they are the most costly.

I was looking at the Sonicwall and Barracuda firewalls primarily. Barracuda costs a little more overall but sonicwall nickel and dimes you so hard they prices are comprable. I like both interfaces and would be comfortable with either.

Before i get into getting quotes do you guys have any recommendations or experience with the sonicwalls or barracudas?

Then don't get a Cisco! With the number of users you have, price and support should be your primary concern. Do up a matrix of all the products you are considering (You should have Cisco, Watchguard, Sonicwall, Juniper, and Fortinet) and compare prices and support. Specifically, on support, when you call do you get a noob who opens a ticket or someone immediately ready to work on your case. Post that matrix up here and lets take a look.

netsysllc

Sonicwall
Cisco ASA
and hopefully soon the EdgeMAX | Ubiquiti Networks, Inc. if they test well after release, based on Vyatta which is a big competitor to Cisco

undomiel

We have SonicWalls everywhere and it would definitely be what I would recommend for less complex scenarios. When you're having techs working on them that aren't particularly networking savvy; the GUI will hold their hand the entire way. Haven't had too much of a problem with bugs on them in the past year, except for a vlan bug that they patched recently. A few years earlier they were having to be rebooted constantly though. We're looking at the Barracudas as well. I've liked other Barracuda products I've worked with (archiver, filter and load balancer) so I'm curious if I'll like their firewalls.

it_consultant

I should add Meraki to my earlier list. Cisco hasn't killed their security appliances yet, managing all your firewalls will be a snap since most of the management is run through the meraki website.

Meraki Cloud Managed Security Appliances

brad-

undomiel wrote: »

We're looking at the Barracudas as well. I've liked other Barracuda products I've worked with (archiver, filter and load balancer) so I'm curious if I'll like their firewalls.

I have a Barracuda spam filter and i love it...so i went looking for documentation and youtube/other videos on their NG firewalls - there is nothing out there. Not a thing, videowise. I wanted to get a warm fuzzy about the interface and all so i had to do a webex with one of their guys to see it in action. Sonicwall on the other hand has lots of videos out.

Ill look into fortinet and watchguard.

Someone here HAS to have seen an barracuda NG firewall?

EV42TMAN

I've used Sonicwall and Cisco ASA the only downside to Cisco is there is a huge price jump from the ASA 5505 and ASA 5510. So if the needs are some where in between that space, then sonicwall has options but over all i prefer Cisco

netsysllc

Fortinet is difficult for many techs, so be aware of that. I have a love hate relationship with Watchguard, great management tools but the routers have to be rebooted very often. I have seen this from the little SOHO all the way up to the larger expensive units.

crrussell3

We use Watchguard firewalls. Currently we have 2x XTM510 with one of them being a "warm spare" (can't get the boss to pay for the Firecluster license). They do the job for SMB setups. We have 7x locations in a hub/spoke mpls setup with 350 users.

The WSM (Watchguard System Manager) software is decent, not really a fan of their web gui.

SteveO86

I called SonicWall support twice, and both times were absolutely horrible.

Slowhand

If you're looking at Cisco or Juniper, you'll be in good shape either way. Palo Alto Networks also makes a good firewall - as they should, the company's primarily comprised of former Cisco PIX and ASA engineers - and Barracuda made a strong showing at RSA last year. And, while they were clunky and buggy when I worked with them, I have to say that SonicWalls latest generation of firewall products are very nice. They've come a long way from the bad ol' days of "Netgear on steroids", and they've really added some features and capabilities that puts their newer products on enterprise and even service provider levels.

Long story short: do some research, perhaps contact some different vendors and see if they're willing to demo a product for you, then narrow down your search to two or three choices so you can ask some more focused questions about them to folks like our security-obsessed TE members.

NightShade1

I would say you should got Fortinet. They are not costly, also they got UTM so you will get good webfileter app control, Perimeter AV, data leak prevention and other good things... you just need to renew one license and thats it... its not like other vendors that you need license for that another lincense for that or another appliance for like webfilter....

If you see the gardner quadrant they are leaders over everyone...

Everyone

Like SlowHand said, the Palo Alto's are pretty nice. I like pfSense. I used to administer a lot of Sidewinder back in the day... I think McAfee owns them these days.

Geek1969

+1 for Palo Alto

deth1k

Juniper SSG is what you want, they are so easy to use even if you are novice at configuring firewalls. It's all GUI driven and only time you need to use CLI is for debugs. Nothing comes close to them from ease of use perspective. SonicWall menu look nice but configuring them is a pain, feature wise they are good considering their price scheme. ASA's are just cr@p, just looking at ASDM screen brings you back to 80's. Firewalls were meant to be configured using GUI not bashing 1000s of lines using CLI.

Chard26

Checkpoint or Juniper.

docrice

I have either worked with or evaluated various firewall vendors including Cisco, Check Point, Juniper, NetScreen, Palo Alto Networks, Fortinet, Microsoft, and Sourcefire ... as well as the open source stuff like straight iptables, pf, and their derivatives like pfSense, OpenWall, Untangle, and m0n0wall.

Everything sucks. Everything also has their strong points. I'd recommend different solutions depending on an organization's staff, their expertise / comfort levels, management resources, budget, and specific business requirements. I will say that although Cisco isn't a security company (they just happen to make "security products"), their wide deployment in some ways makes them appealing because if you're stuck with an issue, more than likely other people are as well and there's a large support / public forum where they're discussed. A Google search can yield answers relatively quickly. They have a lot of documentation online as well.

For Juniper, I was pretty impressed with Junos (although I don't use their firewalls). Everyone who I've talked to who have worked with Junos always raves about it. After seeing it in action myself, I understand why. There's a lot of, "If only Cisco IOS had this feature..." But I couldn't stand their web management interface though. There's still a lot of reminiscent NetScreen in there (naturally), but in a convoluted way in my opinion. Even Junos space was immature when I looked at them last, although they may have significantly improved it since then. That said, the SSG hardware is really nice with a lot of potential port-density and flexibility on their chassis-based solutions. It can get really, really expensive though.

I disagree with the statement that firewalls should be managed by GUIs. In many cases I would recommend the reverse depending on where on the network they're deployed and the specific function they're serving. UIs are convenient, but there are times when I'd much rather manage ACLs at the CLI as it's much faster and cleaner to read, depending on the product in question. That said, as firewall devices become more function-rich (access-lists, VPNs, multi-level threat management, built-in IPS, URL filtering, etc.) there are some things which are more intuitive through a visual interface. Some products are designed more with the UI in mind for management.

Vyatta was bought by Brocade recently. I presume that'll be a good thing. I don't hear much about them but I know Brocade is really hungry in the market and they seem to have pretty impressive routing / switching technology, and probably at a substantial price difference from Cisco. I hear their CLI is very similar to Cisco IOS. Time will tell how Vyatta benefits.

I've heard good things about Astaro which was picked up by Sophos. Sidewinder is now McAfee Firewall Enterprise and I've heard nothing but very good things about Sidewinder in general. I have no idea how they are now though as I've personally never touched one nor know anyone who has.

I've never used SonicWall or Barracuda. I've heard mixed things about the former. I personally don't know anyone who has worked with either. It might just mean that they cater to a different market segment than where I've worked in.

Cisco certainly has a high price tag but that's because many shops are invested into them for routing / switching and using ASAs is a natural extension for the existing staff. The ASA-X series is now out and will slowly replace the older generation. That said, you take another relative newcomer like Palo Alto Networks and see how much they cost - a very pretty penny indeed. I'd almost argue over-priced as they have a lot of marketing gloss behind them. I think their solutions are nice overall and I can see why they can make sales, but I feel there's quite a bit of hype as well that folks need to scrutinize carefully when evaluating their products. If price is a big concern, I'd definitely say check out Fortinet. I was pleasantly surprised by their offering in conjunction with their FortiAnalyzer product. Their documentation is pretty well done also.

I'm not a big fan of following Gartner and similar folks. When a vendor comes into the room for their show-and-tell, I lay down several rules up-front before the meeting begins: 1) I don't care about Gartner reports, 2) what NSS Labs says, and 3) who their existing customers are. It helps the vendor skip slides in their presentation. With my limited time, it's my way of asking them to remove the fluff so I can get to the technical nitty-gritty and get the most value out of the hour or two.

Another aspect to consider is the quality of support you'll receive in the event you have issues. I've had some disappointing service in the past (including one particular vendor whose support advice caused my firewall to get to a point where I had to rebuild it) and while every vendor isn't going to be perfect, some were more problematic for me than others. There's always turnover in product tech support groups, but over the long run some vendors end up building a reputation that isn't always in their favor.

I'll just throw this out as a retroactive rant: Check Point's pricing scheme is really annoying and is only equalled by their sales staff trying to push me on it (or not replying to me at all until after significant escalations). I've heard I'm not alone in this.

This is probably more advice than you were seeking, but I hope it provides some perspective. It doesn't sound like you're the large-enterprise target market so going ASA for the firewall may / may not be the ideal move. You have to ultimately be comfortable with managing the solution that you select. As I mentioned previously, take a look at Fortinet as well. I've heard their support is okay, but I know one reseller who's also provides security consulting and they have good staff who are certified in their products for the support part of the picture.

Edited to add the link to Fortinet's documentation on their FortiGate appliances: http://docs.fortinet.com/fgt.html

demonfurbie

SteveO86 wrote: »

I called SonicWall support twice, and both times were absolutely horrible.

see ive had the exact opposite response, but that was after dell bought sonicwall.

for small to small-med i tend to use sonicwall for the ease of use and price. but i also get all dell workstations/servers/wireless/laptops so everything has a single point of contact on warranty and service and if ya get a good rep you can get discounts on some of the stuff.

it_consultant

I will reiterate, for a network like OP described the most important thing is price and support. I recommend the SSG series because they are fairly easy to deploy and there is a deep knowledge base on those products such that a JOAT [like the OP] can configure without too much difficulty. My secondary recommendation is Meraki since their web config stuff is the easiest I have ever seen and their tech support is first rate. They are not cheap though. Thirdly I recommend WG because their stuff is reasonably inexpensive and their good support package puts you on with someone who can work on your case right away. A lot of people bash WG but their appliances are really just CentOS with IPTABLES and various open source bolt-ons and they work pretty darn good.

deth1k

don't forget to deploy layered security i.e different vendor perimeter firewalls

undomiel

Multiple firewalls? For a branch office? Seriously? Not that I've ever put much stuck in the multi-vendor layered firewall setups anyhow. I can't agree on the GUI part either. If everything had to be configured through the GUI then I would end up wasting a lot of time in repetitive tasks that could have just as easily been scripted. I believe in a GUI being there to make it easier for the junior admins to help out in a pinch. Otherwise more often than not it just gets in the way.

Lizano

Im surprised how few times Fortinet is mentioned normally on these topics. I look at Sonicwall everytime I quote a Fortigate, and I haven´t been able to get a Sonicwall quote to beat a single Fortinet quote.

I used to hate Fortinet, after working on a few Watchguards, Sonicwalls, and a Barracuda, I have no problem recommending a Fortigate. I do beleive its not so much about what firewall you buy anymore, they are all so similar (and different at the same time) that its almost like everybody does everything, only thing that changes is how they do it. I think the BIG DEAL is who you buy it from. Is the partner that you are buying this product prepared to give you decent support, advice, installation help, etc.

docrice

deth1k wrote: »

don't forget to deploy layered security i.e different vendor perimeter firewalls

While I'm a fan of this approach, I can only recommend it for organizations with sufficient staff / training to handle it. Having two firewalls by different vendors introduces complexity in the network design and additional management required to stay on top of bugs, syntax, interface usage, etc. and increases troubleshooting turnaround. With firewalls getting more complicated to manage with each passing year as the feature set increases, I think it's also more prone to configuration errors.

But if the organization can handle it, more power to them. Every firewall has things that they're better at and when you get two complementing technologies, it can be a good thing. A lot of these all-in-one type devices (Fortinet, PAN, etc.) are usually strong in one or two areas but fairly average for the rest. That trade-off is where the decision-making rests on.

wes allen

What would you all recommend that compares to a Sonicwall NS220 with integrated wireless and an additional Sonicpoint AP? Ease of use and cost are the two prime considerations. I have always used/recommended sonicwall, but always open for a better solution.

it_consultant

You know...I really hate running an AP on my firewall.

wes allen

Fair enough. What would be your solution? Need a firewall + 2 APs with integrated management under $1500ish.

it_consultant

I would go with Meraki firewall plus 2 merki access points.

Meraki MR12 Cloud Managed Wireless AP

Meraki MX60 Cloud Managed Security Appliance
OR
Meraki MX60W Cloud Managed Security Appliance

wes allen

They sometimes hit 150-200 users, so think they would need one of the beefier Meraki's, and that would put them out of reach pricewise.