Firewalls

apoole15apoole15 Member Posts: 64 ■■■□□□□□□□
Hello everyone - I am looking to purchase a new firewall for our organization and we have identified 4 products we are interested in. I was hoping the community here could provide insight (pros/cons) of the following:

Palo Alto
Fortinet
Sonicwall
Barracuda

I have demo products of each in place in sniffer mode but was hoping to get some opinions from those who have hands-on experience with any of them.

Look forward to hearing your opinions.

Thanks in advance!

Comments

  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Haven't tried the last two as I generally don't hear many good things about them, but my lack of experience with them is more related to chance than anything else. Have used the other two. Fortinet I like a lot and it's a great bang for the buck. Palo Alto Networks is fine, but over-hyped and I think way over-priced. I hate the commit times, lack of hit counts in the policy UI, no real-time logging (refresh every x seconds is not real-time to me). I like the reporting look-and-feel and PAN better, but Fortinet I like as a product better in other ways, although I'd couple it with a FortiAnalyzer. The PAN UI, while nice, is a bit slow at times (I expect immediate-instant response when I click on something).

    When I evaluated Fortinet some time ago, their demo appliance had a hardware problem. Not a good impression. When I used PAN at one company, I had two RMAs with a relatively small overall number of devices purchased, which didn't inspire confidence. Every vendor makes lemons though.

    Haven't tried Fortinet's support, but PAN's is hit or miss.

    There's an older thread going over this where I posted my experiences with firewalls which you can search for and I think I mentioned my experiences with the above two more in-depth.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • it_consultantit_consultant Member Posts: 1,903
    apoole15 wrote: »
    Hello everyone - I am looking to purchase a new firewall for our organization and we have identified 4 products we are interested in. I was hoping the community here could provide insight (pros/cons) of the following:

    Palo Alto
    Fortinet
    Sonicwall
    Barracuda

    I have demo products of each in place in sniffer mode but was hoping to get some opinions from those who have hands-on experience with any of them.

    Look forward to hearing your opinions.

    Thanks in advance!

    You have three low end firewalls and one high end firewall. A proper bake-off would have been:

    Fortinet
    Sonicwall (now dell)
    Watchguard
    Barracuda

    AND OR

    Palo Alto
    Checkpoint
    Juniper
    Cisco
  • f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    Palo Alto - Super bleeding edge, lots of capabilities, super expensive.
    Fortinet - Lower end, basics, could work
    Sonicwall - NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
    Barracuda - Old company, heavily relied upon in the past but they've taken a backseat it seems lately.

    My goal of this post is to deter you from SonicWall firewalls. I managed them at one of my previous positions and they are horrible and buggy and horrible, and buggy. And they're just horrible firewalls.

    Juniper -> Excellent firewalls, expensive. They require a specific skillset because programming them is unlike any other.
    -> the coolest thing about Juniper's is that the configuration changes you make are separate than what is running live on the device. So you basically are changing a separate configuration file and it won't take effect until you "commit" the changes. This will then replace the current running config, with the one that you just created/changed. This is awesome if you are needing to make LOTS of connection changes, remotely. YOu can also tell it to commit and rollback in 5 minutes if you lose connectivity. Superb. Yet, they are complex.
    Cisco ASA -> Excellent firewalls, my favorite. Robust, expensive, reliable, expensive. Be sure you get the proper licensing, which is expensive.
    -> great benefit is if you end up wanting SSL VPN in the future Cisco AnyConnect is the best SSL VPN on the market (my opinion).

    Checkpoint -> Can't speak too much on these except that they are usually 100% GUI based. If you want a GUI like "sonicwall" but an actually good, reliable firewall, checkpoint might be worth a look.

    Sonicwall - NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
  • netsysllcnetsysllc Member Posts: 479 ■■■■□□□□□□
    Not sure why everyone is hating on SonicWalls, maybe because they don't like Dell. SonicWalls are very capable and simple to administer. My only gripe is they have an artificially low connection limit but that is not a problem for most businesses. I have dozens of clients with them including some large and complicated networks and they work well.

    Barracuda makes great products and has even better support

    Fortinet products are good, the little experience I have had with them they are more difficult to administer and support sucked (3.5 years ago)

    Palo Alto - overpriced from what I have seen

    If you want high end go juniper or Cisco. but keep in mind the Cisco ASA is a firewall and not a router and is missing some functionality found in almost all other devices.
  • SteveO86SteveO86 Member Posts: 1,423
    Fortinets, decent little boxes with a good feature set. As stated a little low-end. I probably would not have one of these sitting on a core edge. Always deployed them at small remote sites.

    SonicWall, Hopefully I never have to work on any of these again. Deployed quite a few of these with various feature sets and boy were they buggy.. Although they probably did fix some of those bugs by now.. Even let my SonicWall certification expire not too long ago.

    Palo Alto, these are real nice boxes albeit very expensive. Demo'ed them for a while, very GUI based.

    Barracuda, No idea... never used these.

    CheckPoint, got a few of these cluster running in production solid boxes I have to say. Very intuitive GUI and pretty much 100% GUI based. My only gripe with them is the fact you need SmartDashboard and 'blade' for every feature.

    ASA, can't go wrong with an ASA.. although I am CLI kind of person, just let me type what I need and take it from there. They aren't number one in the firewall/security market (but I don't think they ever were) but they are great for VPN and filtering. The CX-Modules are pretty cool but not as good as Palo Alto's application inspection.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
  • GAngelGAngel Member Posts: 708 ■■■■□□□□□□
    My order would bebased on configuration and ease of maintenance:

    asa - rock solid, medium setup
    checkpoint - rock solid, hard setup
    sonicwall - medium, low setup
    fortinet - low - low setup

    Never configured PAN's before.

    If you've got a lower budget sonicwall's do everyhing. If it's big boy league asa or checkpoint are king
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Sonicwalls are the worst! Use to hate dealing with them when I was with the MSP.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • PurpleITPurpleIT Member Posts: 327
    I'm an ASA guy myself, but when doing a job search several months ago there was a lot of Juniper and Fortinet shops I talked to in the Denver area. Blue Coat, while not exactly a firewall, was quite popular too.

    The Palo Alto places were rather intense and almost cult-like. I do think that if you are a PAN expert you can make some bucks right now, but I have no idea where that platform is going to be in 5 years.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
  • apoole15apoole15 Member Posts: 64 ■■■□□□□□□□
    Thanks for all the advice guys. The PAN is pretty slick but might be a budget-buster. My boss wants me to mainly focus on the Sonicwall and the Barracuda. We are a fairly small shop - around 350 ee's and I am projecting us to hit around 500 within the next 3-5 years. If we were a big shop with a bigger budget I would probably try to talk him into the PAN but I don't know if I can justify the cost for our environment.
  • RouteMyPacketRouteMyPacket Member Posts: 1,104
    ASA would be my preference then again you haven't explained what you need out of the firewall?

    What kind of throughput are you expecting? Do you want high availability?

    All these questions must be answered, then you can select the brand and model of the firewall that will meet your needs and leave room for growth.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • networker050184networker050184 Mod Posts: 11,962 Mod
    I really like the Palo Altos. I did some data center roll outs with them about two years ago now and they are quite nice. Unfortunately they are a newer company so we had to put them through a lot of testing and the vendor had to put a few special code fixes in for us. They were all over it though. I'd assume the code is a bit more mature at this point though.
    An expert is a man who has made all the mistakes which can be made.
  • it_consultantit_consultant Member Posts: 1,903
    I would take a serious look at the Cisco Meraki MX series with the advanced security license. It isn't cheap, but it is a hell of a UTM/Next Gen firewall which is considerably easier to configure than all the other firewalls mentioned. Plus, you get the Cisco level of support, which is normally world class.
  • NightShade1NightShade1 Member Posts: 433 ■■■□□□□□□□
    It depends on what you are interested

    If you are interested in UTM defenitly pick Fortinet
    Gartner-UTM-MQ-2013.jpg

    If you are interested in Enterprise Firewall, and you dont really care the UTM then pick paloo alto
    %7Bb3cd89ce-0c55-45da-89b5-f0147f121455%7D_Gartner_MQ_Image_2013.png

    The bugded does play a role here... Fortinet is cheaper!

    Cheers
    Carlos
  • it_consultantit_consultant Member Posts: 1,903
    Firewalls are interesting because you can do almost the exact same thing with FOSS software for the cost of hardware. In fact, please realize that most UTMs are simply hardened Red Hat distros with FOSS software bolted onto it. What you are really PAYING for is the support and the interface. Want a nice GUI? You will pay for it, which is OK but keep in mind that pfSense has a great GUI and it is free. The support is where you should focus, if the support is not very good then you might as well save money and install pfSense and pay the $250 a case or whatever the pfSense pro support is per case.

    I hate Cisco, but I recommend their firewalls (Meraki included) because it is hard to find an organization that sells firewalls that has the level of support that Cisco provides.
  • Fulcrum45Fulcrum45 Member Posts: 621 ■■■■■□□□□□
    My shop uses and sells Fortinet almost exclusively. Every now and then I run into single-sign-on issues or VPN tunnels collapsing but I associate that more with the users environment than I do the device. Once you get them configured and running they are solid. Just keep an eye on the firmware and the AV Signature subscriptions and you're good.

    Support is so-so with follow up to trouble tickets typically being within 6-12 business hours.
  • EV42TMANEV42TMAN Member Posts: 256
    Avoid Sonicwall like the plague. I use to work for a Sonicwall partner and have done the Sonicwall training. Their OS is buggy and they rely on new marketing terms to make it seem like they invented new features when in reality they haven't. I agree with everyone else recommending ASA's if you need a more budget friendly option I'd recommend Watchguard.
    Current Certification Exam: ???
    Future Certifications: CCNP Route Switch, CCNA Datacenter, random vendor training.
  • CyberhooliganCyberhooligan Registered Users Posts: 10 ■□□□□□□□□□
    it amuses me when sonicwall gets a NOOOOOO remark..
  • NightShade03NightShade03 Member Posts: 1,383 ■■■■■■■□□□
    Fortinet has a good reputation within the SMB market (which it sounds like you are in). Their support is getting better, and they just released a ton of new features targeted at small businesses.

    PAN / Check Point - will kill you on pricing. They are good products, but you can get a fully loaded firewall from Fortinet for the same price at the entry level stuff from these two.

    Barracuda / Sonicwall - junk...don't waste your time.

    pfSense - Open source, but highly recommended. They support all the standard features you'd normally require in a firewall. They also have a really small footprint for install and you can buy support for them. Definitely bake them off against Fortinet before you spend a ton of money.
  • NightShade1NightShade1 Member Posts: 433 ■■■□□□□□□□
    Im agree barracuda an sonicwall are piece of junk...

    Let see if sonicwall improve now that dell bough it though...

    As for barracuda i got a client that got it, and they want to change it already...
  • mbarrambarra Member Posts: 44 ■■■□□□□□□□
    Does anyone know anything about the Cyberoam line? I have been asked to look into these
  • gorebrushgorebrush Member Posts: 2,743 ■■■■■■■□□□
    I love ASA's but Checkpoints are nice.
  • Chivalry1Chivalry1 Member Posts: 569
    Fortinet gets the #1 vote from me, they have outstanding support. They have been around for sometime now and have a good niche marketshare. I have heard good things about Palo Alto. They have not been around long. And there is currently a patent-dispute lawsuit by Juniper against Palo Alto networks so I would be conscious of that fact. [Google]. I know that in some companies, once a vendor assessment is performed and they have a current lawsuit pending that would immediately eliminate them as a choice. Juniper however I heard has a good platform and many of the ISP's are adopting there firewall technology. I have managed the Juniper SSL/VPN and was very impressed.

    I came from the Cisco PIX/ASA world and they can become a little complicated within certain networks. I worked with CheckPoint and found that they are a solid Firewall platform. With Cisco or Checkpoint you will find they have the majority of the Firewall markets these days. Each have great technical support but are costly. I would completely pull SonicWall and Barracuda off the list; don't waste your time. So here is my overall list:

    Fortinet
    Cisco ASA
    Checkpoint
    Juniper
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
Sign In or Register to comment.