Firewalls

apoole15

Hello everyone - I am looking to purchase a new firewall for our organization and we have identified 4 products we are interested in. I was hoping the community here could provide insight (pros/cons) of the following:

Palo Alto
Fortinet
Sonicwall
Barracuda

I have demo products of each in place in sniffer mode but was hoping to get some opinions from those who have hands-on experience with any of them.

Look forward to hearing your opinions.

Thanks in advance!

docrice

Haven't tried the last two as I generally don't hear many good things about them, but my lack of experience with them is more related to chance than anything else. Have used the other two. Fortinet I like a lot and it's a great bang for the buck. Palo Alto Networks is fine, but over-hyped and I think way over-priced. I hate the commit times, lack of hit counts in the policy UI, no real-time logging (refresh every x seconds is not real-time to me). I like the reporting look-and-feel and PAN better, but Fortinet I like as a product better in other ways, although I'd couple it with a FortiAnalyzer. The PAN UI, while nice, is a bit slow at times (I expect immediate-instant response when I click on something).

When I evaluated Fortinet some time ago, their demo appliance had a hardware problem. Not a good impression. When I used PAN at one company, I had two RMAs with a relatively small overall number of devices purchased, which didn't inspire confidence. Every vendor makes lemons though.

Haven't tried Fortinet's support, but PAN's is hit or miss.

There's an older thread going over this where I posted my experiences with firewalls which you can search for and I think I mentioned my experiences with the above two more in-depth.

it_consultant

apoole15 wrote: »

Hello everyone - I am looking to purchase a new firewall for our organization and we have identified 4 products we are interested in. I was hoping the community here could provide insight (pros/cons) of the following:

Palo Alto
Fortinet
Sonicwall
Barracuda

I have demo products of each in place in sniffer mode but was hoping to get some opinions from those who have hands-on experience with any of them.

Look forward to hearing your opinions.

Thanks in advance!

You have three low end firewalls and one high end firewall. A proper bake-off would have been:

Fortinet
Sonicwall (now dell)
Watchguard
Barracuda

AND OR

Palo Alto
Checkpoint
Juniper
Cisco

f0rgiv3n

Palo Alto - Super bleeding edge, lots of capabilities, super expensive.
Fortinet - Lower end, basics, could work
Sonicwall - NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
Barracuda - Old company, heavily relied upon in the past but they've taken a backseat it seems lately.

My goal of this post is to deter you from SonicWall firewalls. I managed them at one of my previous positions and they are horrible and buggy and horrible, and buggy. And they're just horrible firewalls.

Juniper -> Excellent firewalls, expensive. They require a specific skillset because programming them is unlike any other.
-> the coolest thing about Juniper's is that the configuration changes you make are separate than what is running live on the device. So you basically are changing a separate configuration file and it won't take effect until you "commit" the changes. This will then replace the current running config, with the one that you just created/changed. This is awesome if you are needing to make LOTS of connection changes, remotely. YOu can also tell it to commit and rollback in 5 minutes if you lose connectivity. Superb. Yet, they are complex.
Cisco ASA -> Excellent firewalls, my favorite. Robust, expensive, reliable, expensive. Be sure you get the proper licensing, which is expensive.
-> great benefit is if you end up wanting SSL VPN in the future Cisco AnyConnect is the best SSL VPN on the market (my opinion).

Checkpoint -> Can't speak too much on these except that they are usually 100% GUI based. If you want a GUI like "sonicwall" but an actually good, reliable firewall, checkpoint might be worth a look.

Sonicwall - NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO

netsysllc

Not sure why everyone is hating on SonicWalls, maybe because they don't like Dell. SonicWalls are very capable and simple to administer. My only gripe is they have an artificially low connection limit but that is not a problem for most businesses. I have dozens of clients with them including some large and complicated networks and they work well.

Barracuda makes great products and has even better support

Fortinet products are good, the little experience I have had with them they are more difficult to administer and support sucked (3.5 years ago)

Palo Alto - overpriced from what I have seen

If you want high end go juniper or Cisco. but keep in mind the Cisco ASA is a firewall and not a router and is missing some functionality found in almost all other devices.

SteveO86

Fortinets, decent little boxes with a good feature set. As stated a little low-end. I probably would not have one of these sitting on a core edge. Always deployed them at small remote sites.

SonicWall, Hopefully I never have to work on any of these again. Deployed quite a few of these with various feature sets and boy were they buggy.. Although they probably did fix some of those bugs by now.. Even let my SonicWall certification expire not too long ago.

Palo Alto, these are real nice boxes albeit very expensive. Demo'ed them for a while, very GUI based.

Barracuda, No idea... never used these.

CheckPoint, got a few of these cluster running in production solid boxes I have to say. Very intuitive GUI and pretty much 100% GUI based. My only gripe with them is the fact you need SmartDashboard and 'blade' for every feature.

ASA, can't go wrong with an ASA.. although I am CLI kind of person, just let me type what I need and take it from there. They aren't number one in the firewall/security market (but I don't think they ever were) but they are great for VPN and filtering. The CX-Modules are pretty cool but not as good as Palo Alto's application inspection.

docrice

Here's an older thread which might be helpful:

http://www.techexams.net/forums/off-topic/84843-what-kind-business-class-firewalls-do-you-guys-prefer.html

GAngel

My order would bebased on configuration and ease of maintenance:

asa - rock solid, medium setup
checkpoint - rock solid, hard setup
sonicwall - medium, low setup
fortinet - low - low setup

Never configured PAN's before.

If you've got a lower budget sonicwall's do everyhing. If it's big boy league asa or checkpoint are king

the_Grinch

Sonicwalls are the worst! Use to hate dealing with them when I was with the MSP.

PurpleIT

I'm an ASA guy myself, but when doing a job search several months ago there was a lot of Juniper and Fortinet shops I talked to in the Denver area. Blue Coat, while not exactly a firewall, was quite popular too.

The Palo Alto places were rather intense and almost cult-like. I do think that if you are a PAN expert you can make some bucks right now, but I have no idea where that platform is going to be in 5 years.

apoole15

Thanks for all the advice guys. The PAN is pretty slick but might be a budget-buster. My boss wants me to mainly focus on the Sonicwall and the Barracuda. We are a fairly small shop - around 350 ee's and I am projecting us to hit around 500 within the next 3-5 years. If we were a big shop with a bigger budget I would probably try to talk him into the PAN but I don't know if I can justify the cost for our environment.

RouteMyPacket

ASA would be my preference then again you haven't explained what you need out of the firewall?

What kind of throughput are you expecting? Do you want high availability?

All these questions must be answered, then you can select the brand and model of the firewall that will meet your needs and leave room for growth.

networker050184

I really like the Palo Altos. I did some data center roll outs with them about two years ago now and they are quite nice. Unfortunately they are a newer company so we had to put them through a lot of testing and the vendor had to put a few special code fixes in for us. They were all over it though. I'd assume the code is a bit more mature at this point though.

it_consultant

I would take a serious look at the Cisco Meraki MX series with the advanced security license. It isn't cheap, but it is a hell of a UTM/Next Gen firewall which is considerably easier to configure than all the other firewalls mentioned. Plus, you get the Cisco level of support, which is normally world class.

NightShade1

It depends on what you are interested

If you are interested in UTM defenitly pick Fortinet


If you are interested in Enterprise Firewall, and you dont really care the UTM then pick paloo alto


The bugded does play a role here... Fortinet is cheaper!

Cheers
Carlos

it_consultant

Firewalls are interesting because you can do almost the exact same thing with FOSS software for the cost of hardware. In fact, please realize that most UTMs are simply hardened Red Hat distros with FOSS software bolted onto it. What you are really PAYING for is the support and the interface. Want a nice GUI? You will pay for it, which is OK but keep in mind that pfSense has a great GUI and it is free. The support is where you should focus, if the support is not very good then you might as well save money and install pfSense and pay the $250 a case or whatever the pfSense pro support is per case.

I hate Cisco, but I recommend their firewalls (Meraki included) because it is hard to find an organization that sells firewalls that has the level of support that Cisco provides.

Fulcrum45

My shop uses and sells Fortinet almost exclusively. Every now and then I run into single-sign-on issues or VPN tunnels collapsing but I associate that more with the users environment than I do the device. Once you get them configured and running they are solid. Just keep an eye on the firmware and the AV Signature subscriptions and you're good.

Support is so-so with follow up to trouble tickets typically being within 6-12 business hours.

SephStorm

I really want to get into Sonicwall because of the training and free devices offered by the GK courses...

Network Security Basic Administration Training at Global Knowledge
SonicWALL Network Security Advanced Administration at Global Knowledge

EV42TMAN

Avoid Sonicwall like the plague. I use to work for a Sonicwall partner and have done the Sonicwall training. Their OS is buggy and they rely on new marketing terms to make it seem like they invented new features when in reality they haven't. I agree with everyone else recommending ASA's if you need a more budget friendly option I'd recommend Watchguard.

Cyberhooligan

it amuses me when sonicwall gets a NOOOOOO remark..

NightShade03

Fortinet has a good reputation within the SMB market (which it sounds like you are in). Their support is getting better, and they just released a ton of new features targeted at small businesses.

PAN / Check Point - will kill you on pricing. They are good products, but you can get a fully loaded firewall from Fortinet for the same price at the entry level stuff from these two.

Barracuda / Sonicwall - junk...don't waste your time.

pfSense - Open source, but highly recommended. They support all the standard features you'd normally require in a firewall. They also have a really small footprint for install and you can buy support for them. Definitely bake them off against Fortinet before you spend a ton of money.

NightShade1

Im agree barracuda an sonicwall are piece of junk...

Let see if sonicwall improve now that dell bough it though...

As for barracuda i got a client that got it, and they want to change it already...

mbarra

Does anyone know anything about the Cyberoam line? I have been asked to look into these

gorebrush

I love ASA's but Checkpoints are nice.

Chivalry1

Fortinet gets the #1 vote from me, they have outstanding support. They have been around for sometime now and have a good niche marketshare. I have heard good things about Palo Alto. They have not been around long. And there is currently a patent-dispute lawsuit by Juniper against Palo Alto networks so I would be conscious of that fact. [Google]. I know that in some companies, once a vendor assessment is performed and they have a current lawsuit pending that would immediately eliminate them as a choice. Juniper however I heard has a good platform and many of the ISP's are adopting there firewall technology. I have managed the Juniper SSL/VPN and was very impressed.

I came from the Cisco PIX/ASA world and they can become a little complicated within certain networks. I worked with CheckPoint and found that they are a solid Firewall platform. With Cisco or Checkpoint you will find they have the majority of the Firewall markets these days. Each have great technical support but are costly. I would completely pull SonicWall and Barracuda off the list; don't waste your time. So here is my overall list:

Fortinet
Cisco ASA
Checkpoint
Juniper