Firewalls Configuration Reviews

Showing reviews of the top ranking products in Firewalls, containing the term Configuration
Juniper SRX: Configuration
Srengineer98987 says in a Juniper SRX review
Sr. Engineer at a comms service provider with 51-200 employees

The setup depends on the deployment, on what we have to configure. But from one firewall to another firewall, it's about the same. They're not really complex. We have experience using the command line and the user interface. If you ask me which one is easier to configure, I will answer that configuring through the user interface is easier.

The amount of time the deployment takes depends on the complexity of the solution. If the firewall is used as an L3 firewall or L4 firewall, for blocking by IP address and, it's going to be faster to deploy than deploying the firewall using Unified Threat Management. In that case, we need to carefully tune the VPN configuration.

View full review »
Bunyamin Bunyamin says in a Juniper SRX review
Senior Network Security Engineer at Aplikas

Improvements can be made to the GUI. The GUI can be improved by creating policies to handle IPS requirements. The configuration should be a one-step process. This would make it easier to complete the setup to register the time of operation.

View full review »
Darcy Hiebert says in a Juniper SRX review
Network Architect - Contractor at TEML

It allows us to do remote configuration changes, and if there is a problem, not losing connectivity to the device.

View full review »
Shashidhara B N says in a Juniper SRX review
Director - Technology Solutions & Services at Connectivity IT Services Private Limited

I consider the setup for the product to be very easy. A basic technical person can do it. But, a person would need to know the capability of a robust box like SRX to make full use of the capabilities and the right choice of the product.  

You install the box, configure the hostname, a password, and set your IP address. By default, Juniper handles the basic configurations automatically. The control frame architecture is very nice. The whole platform architecture is very good. When you work with that box, you just divide the box into two layers: the top layer and the bottom layer. The top layer is exclusively made for the SRX box. The bottom layer is nothing but throughput where the packets get in and get out. We call it a packet forwarding engine, PFE.  

Initiating the routing packets actually go in the mapping connection between the top and the bottom, which is managed as with Oracle in an internal zone. The box is already secured when an attack happens. Nothing is 100% in the world. So, there is the possibility of an attack but at least the control center protects your network.  

The entire installation is just a couple of hours. It depends on the Oracle sizing. Let's say that you want to work on the agility of SRX, something you really need to understand is where you are deploying this product. It is different if you are comparing an SRX box or the cloud. When you are using an SRX box will it be deployed for a small enterprise, a mid-size enterprise, and a data center. You can have SRX boxes for a large data center. That is a difference in the agility of Juniper SRX compared to Cisco. For example, when I work with the cloud, I have an SRX virtual firewall, which is a high-performance network security in the virtual cloud. It is especially good for rapid deployments. It hardly takes hours to deploy on the cloud.  

When you have a container with a firewall, it is known as cSRX. Which is again, a highly available container firewall. These are used especially for microservices. When you start with a small enterprise you start with either the SRX 300 series or a 500 series, which is a next-generation firewall. It is comparable to the Cisco ASA. Probably the next good product to compare is Check Point. But the SRX product is easier to manage and deploy when compared to Check Point or Cisco.  

For the mid-size enterprise organization, we have the SRX 1400 Series or you can consider the 4000 Series. It is just an appliance. You just plug it in, switch it on, configure the network IP address, and then start configuring the protocols. You enable the licenses there, malware prevention, and all the other features you want by just adding on to the licenses.  

So it is just a matter of choosing the right appliance and from there it is practically plug-and-play. The challenge is not the initial setup and deployment, it is what you make use of.  

View full review »
Check Point UTM-1 [EOL]: Configuration
GoumouFerdinand says in a Check Point UTM-1 [EOL] review
Security Engineer at Socitech SA

The solution should be more user-friendly. I know we can do a lot of the configuration using GUI or CLI. But they have to work more on their GUI. If they work more in the GUI I think many people will come to the solution.

View full review »
Check Point Virtual Systems: Configuration
Assistant Manager IT Projects at Mustafa Sultan

The knowledge base that is available is limited and it is on a closed network where only a customer or certified engineer will know about it. A beginner who wants to learn about the product actually has to enroll in training or get certified and have a valid license or certification to access information. That is something I find strange as most users would like to know about it. The new users would like to be able to see those areas and what type of concerns or any configuration issues they may have before deciding to work with the product. To me, that is a simple open-mindedness. In terms of the availability of the system and functionality of the product, there's no concern. But the problem is that efficient VSX (Virtual System Extension) deployment is complicated. Most of our customers are afraid to deploy any configuration changes because they are afraid something will happen.

It's not the same situation as with other products. I guess the reason behind it is the kind of architecture which they are using. There are more possibilities to crash than other products. That is the feedback I normally get from end-users, but even so, for us, I would say it's one of the best product.

View full review »
reviewer897588 says in a Check Point Virtual Systems review
Network Security Engineer at a government

If you compare the GUI with the Palo Alto and Cisco, they're very easy. Check Point, due to its design, is a little bit complex. They should make the GUI easy to use so that anyone can understand it, like Fortinet's GUI. Many companies end up using Fortinet because the GUI is very easy, and there's no need for training. They just deploy the box and do the configuration.

Also, we have to inform customers that with Check Point there's no need to purchase any routing device. Check Point can do that routing as well as the Firewall and the IPS. The marketing should be stronger, to show that customers only need one box to handle all the features. It will be cost-effective and enhance the performance and value, but because of their poor marketing, customers don't realize this.

In the future, a color string would be powerful. Sandboxing should also be offered. Many people want the Trend Sandbox but not on the cloud. In the Middle East, there is a policy for Sandboxing that states it should be on Trend as per the government law. They have Sandboxing solutions on the cloud, but they have to bring the solution onto Trend also. Palo Alto has Wildfire, Cisco has Talos, and Forcepoint has one available as well.

In the future, routing protocols should be more supported like OSPF and BGP. There needs to be integration with the SDN. I don't know if SDN is there or not in Check Point, but SDN is one of the major requirements nowadays.

View full review »
Senior Network/Security Engineer at Skywind Group

As an administrator, I can say that among all of the Check Point products I have been working with so far, the Virtual Systems solution is one of the most difficult. You need to understand a lot of the underlying concepts to configure it, like the virtual switches and routers it uses underneath. That leads to additional time needed for the initial configuration if you don't have previous experience.

In addition, there is a list of limitations connected specifically with the virtual systems, like the inability to work with the VTI interfaces in a VPN blade, or an unsupported DLP software blade.

View full review »
Cisco ASA Firewall: Configuration
Net823Eng2 says in a Cisco ASA Firewall review
Network Engineer at a media company with 51-200 employees

At times the product is sluggish and slow.  Sometimes when deploying a new configuration or role, it is painstakingly slow. It should be a little faster than it is. 

View full review »
InfSec4893 says in a Cisco ASA Firewall review
Information Security Officer at a non-tech company with 10,001+ employees

The scalability is fine. We have no problems with the solution. We have two of them in a standby configuration.

View full review »
it_user588258 says in a Cisco ASA Firewall review
Network Administrator at a healthcare company with 501-1,000 employees

It is primarily used as a firewall. I think that all firewalls basically work the same, but some have different configurations of the switches. Cisco ASA is very strong. 

View full review »
Ryan Partington says in a Cisco ASA Firewall review
Systems Administrator at Universal Audio

The integration and configuration were pretty straightforward.

View full review »
Munish Gupta says in a Cisco ASA Firewall review
Partner - Consulting & Advisory at Wipro Technologies

The integration and configuration are transparent and easy.

View full review »
Fadil Kadrat says in a Cisco ASA Firewall review
Network Engineer at Banque des Mascareignes

I have deployed Cisco ASA as a terminator firewall. Normally, I would have preferred to have a sandwich configuration for firewalls: One possible firewall that would make an internal firewall and another for an external firewall. 

View full review »
Nadika Perera says in a Cisco ASA Firewall review
CEO at Synergy IT

We can create a profile and we can give them access depending on the access level they need to be on. All the way from level one to level 16. I just create the user and from the dropdown, I select what access level they need to be on and that's it. I don't need to go individually to each and every account and do the configuration.

View full review »
reviewer818484 says in a Cisco ASA Firewall review
Information Security Officer at a government with 501-1,000 employees

Palo Alto Networks NGFW Firewall was compared in-house using the same configuration and testing, and it won hands-down.

View full review »
Michael Collin says in a Cisco ASA Firewall review
Senior System Engineer at a tech services company with 11-50 employees

The web interface was easy for me. The configuration is logical, so it's easy to use and easy to understand how to protect, how to open a port, how to manage and how to route a device. That's why I prefer Cisco. It's robust and I never have issues with the hardware. That's why I choose Cisco and not another vendor.

View full review »
reviewer1084986 says in a Cisco ASA Firewall review
Network Engineer at a comms service provider with 1,001-5,000 employees

I think it is not the simplest solution to set up because it is sophisticated equipment. For engineers to work with vendors and incorporate totally different solutions, it could be difficult. It is also different from the other Cisco devices like Cisco Router IOS. It differs in a strange way, I would say, because the syntax or CRI differs. If you are used to other OSs, it is not easy to switch to ASA because you have to learn the syntax differences. 

It's common for there to be differences in syntax between vendors. But, I would say that this is more complex. The learning curve for start-up and configuration of ASA is at mid-level when it comes to the difficulty of implementation.

View full review »
NGFW677 says in a Cisco ASA Firewall review
IT Specialist at a government with 1,001-5,000 employees

There was an error in the configuration, related to our uplink switches, that caused us to contact technical support, and it took a very long time to resolve the issue.

Some of the features should be baked-in by default.

View full review »
Mantechni677 says in a Cisco ASA Firewall review
Technical Manager at a comms service provider with 501-1,000 employees

The setup is always different. If you have a small company, the setup is quite easy, but if you have a bigger company the setups are quite complex. Cisco is pretty good in routing. So in bigger situations, configuring the ASAv file is pretty straightforward.

The deployment also depends on the customer's site. So, the time changes because most of the time we have to do a migration. For example, some customers have an old firewall, and you have to migrate things to a new one. And sometimes, it's just copy/paste, but in some situations, we cannot migrate all firewall configurations to a new one.

In terms of how many people you need for deployment and maintenance, again, it's dependent on the company strategy around the help desk. You should have a maintenance engineer who should be part of a team. The deployment will be done in a team. You can have one person to do the deployment but usually, you always have a backup, so it would be two. And then, for the maintenance, it can be one person or two. The maintenance can be done on the site desk, operating after office hours, so it depends.

View full review »
Jonathan LELOU says in a Cisco ASA Firewall review
Ingénieur technico-commercial at Inter-Continental Business Machines (ICBM)

If people want to build a solid security solution for their company, I think this solution is the best but it would depend on the configuration of your company. For a good company to have a good solution for security, you can choose the Cisco firewall for that and be confident. 

I think I can give that product an eight out of ten. It comes down to the user interface. It needs to be easier so that more people can quickly develop the skills to manage the product. It would be better for us right now for more people to have certification or to just develop the skills to use the product. But if Cisco made it easier and took away the need for certification, it would be easier for us to use company-wide and have more people involved.

View full review »
Ntwrksec457 says in a Cisco ASA Firewall review
Network Security/Network Management at a K-12 educational company or school with 201-500 employees

In the future, I would like to see friendlier configuration and only one license because everything needs a license. You need a URL license, security license, everything is based on a license. I would like to have one license that covers everything. But I am really impressed by the program and my rating is nine out of ten.

View full review »
SherifNour says in a Cisco ASA Firewall review
IT Manager, Infrastructure, Solution Architecture at ADCI Group

The Cisco security rules are very strict and very strong.

I like the Cisco ASDM (Adaptive Security Device Manager), which is the configuration interface for the Cisco firewall.

View full review »
Heritier Daya says in a Cisco ASA Firewall review
Network Administrator at a financial services firm with 1,001-5,000 employees

The initial setup of this solution was a bit complex because it was a new technology for us. We did find documentation on the vendor's website, and it also helped that we found some videos on how to do the configuration.

Our initial deployment took approximately three months because we were learning from scratch. We still had some service requests open because we could not fine-tune the solution, and ultimately it took a full year to fully deploy.

This solution is managed by the qualified people in our network engineering team. 

View full review »
Tracey Jackson says in a Cisco ASA Firewall review
Senior Network Engineer at Johnson & Wales University

The VDB updates run on schedule, so less hands-on configuration is needed.

View full review »
reviewer1357989 says in a Cisco ASA Firewall review
Cisco Security Specialist at a tech services company with 10,001+ employees

My concern in the 21st century, with ASA, is the front-end. I think Cisco missed the mark with all the configuration steps. They are a pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But the front-end configuration is very tough. They probably still make a good profit even with the front-end being difficult, but it's not easy. It's not user-friendly. All the configuration procedures are not user-friendly.

Also, they launched the 1000 series for SMBs. They have all the same features as the enterprise solutions, but the throughput is less and, obviously, the price is less as well. It's a very nice appliance. However, imagine you buy one, take it out of the box to connect it and the device needs one hour or two hours to start up. That is a pain and that is not appropriate for the 21st century. They should solve that issue.

Another issue is that when you integrate different Cisco solutions with each other, there is an overlap of features and you need to turn some of them off, and that is not very good.  If you don't, and you have overlap, you will have problems. Disabling the overlap can be done manually or the solution can identify that there is already a process running, and will tell you to please disable that function.

For today's threats, for today's reality, you need to add solutions to the ASA, either from Cisco or from other vendors, to have a full security solution in an enterprise company.

View full review »
Ashraf-Sadek says in a Cisco ASA Firewall review
CSD Manager at BTC

The traffic inspection and the Firepower engine are the most valuable features. It gives you full details, application details, traffic monitoring, and the threats. It gives you all the containers the user is using, especially at the application level. The solution also provides application visibility and control.

The integration between the ASA and Cisco ISE is very easy because they are from the same vendor. We don't face any integration problems. This is one of the valuable points of Cisco firewalls. They can be easily integrated with different Cisco security products.

Our clients also use other products with Cisco ASA, such as Aruba ClearPass and different NAC solutions. The integration of these other products is also easy with Cisco. 

It integrates with email security and Firepower. For example, if you have an attached file infected or you have attacks through email, the traffic will be forwarded to the email security and it will be blocked by the firewall. It gives you a clear view of the file and it can be blocked at every stage, protecting your network from this threat.

One of the best parts is the traffic management and the inspection of the traffic packets. The Device Manager is easy to use to supervise things, and the Firepower application gives you clear threat detection and blocking of all threats. Cisco also provides a better analysis of the traffic.

In addition, Talos is an enhancement to Cisco firewalls, and provides a better view.

The device management options, such as Firepower Device Manager (FDM), Cisco Firepower Management Center (FMC), or Cisco Defense Orchestrator (CDO) add a lot of enhancements in the initial deployment and configuration. In migrating, they can help to create the migration configuration and they help in managing encryption and automation. They add a lot enhancements to the device. They make things easier. In the past, you had to use the CLI and you could not control all this. Now you have a GUI which provides visibility and you can easily integrate and make changes.

View full review »
Lwazi Xashimba says in a Cisco ASA Firewall review
Network Specialist at a financial services firm with 501-1,000 employees

It's very good to get partner support if you're not very familiar with how Cisco works. Cisco Certified Partner support is a priority.

For application visibility and control we're using a WAN optimizer called Silver Peak.

To replace the firewalls within our data center we're planning to put in FMCs and FTDs. With the new FMCs what I like is that you don't need to log in to the firewalls directly. Whatever changes you do are done on your FMCs. That is a much needed improvement over the old ASAs. You can log in to the management center to make any configuration changes. 

There are two of us managing the ASAs in our company, myself and a colleague, and we are both network specialists. We plan to increase usage. We're a company of 650 employees and we also have consultants who are coming from outside to gain access to certain services on our network. We need to make provisions on the firewall for them.

View full review »
reviewer1010625 says in a Cisco ASA Firewall review
Tier 2 Network Engineer at a comms service provider with 1,001-5,000 employees

One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes.

If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.

View full review »
Olivier Ntumba says in a Cisco ASA Firewall review
Network & Systems Administrator at T-Systems

It's an almost perfect solution.

The configuration is very easy.

The management aspect of the product is very straightforward.

The solution offers very good protection. 

The user interface itself is very nice and quite intuitive.

View full review »
McAfee Firewall Enterprise MFE [EOL]: Configuration
Computer Technician at a leisure / travel company with 1,001-5,000 employees

They should let the users configure more of the options, like with the blacklists and the whitelisting configuration. We didn't have that much control over what we could whitelist and blacklist, and it was complicated and hard to implement in their solution.

Customer support and AV are both lacking and are really hard to come to you when the product is installed. Those are the two major points that they need to work on.

View full review »
Fortinet FortiGate: Configuration
Chingiz Abdukarimov says in a Fortinet FortiGate review
Director at a integrator with 11-50 employees

Good VPN, both IPSEC and SSL (web-mode, tunnel-mode). An engineer/network administrator has tools to debug VPN issues that can occur during tunnel setup with other vendors' equipment.

SD-WAN feature at no cost. This is really great feature for remote locations (branch offices) and HQ, application steering between many ISP links becomes a simple task. Steering can be done dynamically by measuring link quality (latency, jitter, packet loss, available bandwidth).

Wi-Fi and Switch controller at no cost. FortiSwitch and FortiAP can become a kind of port extender of the firewall, all its ports can be referenced in firewall policies. When you have such management plane consolidation it gives you a simpler way to operate.

Security Fabric Framework is helping in analyzing sudden and rapid changes in whole infrastructure, and gives the ability to simplify daily operations (e.g. address objects synchronization between all firewalls in Fabric, estimating overall security rating, single-sign-on for admin access and many more)

Single Sign On support with deep LDAP integration (several variants for environments with different scales), RADIUS authentication.

Can work as transparent and explicit web-proxy, the last option supports Kerberos authentication which requires no agents installed on any windows server.

Human readable firewall policies with editable security policies and
addresses in single page. This is very useful and time saving feature.

Firmware upgrade process is very simple, even for cluster configurations it is fully automated by default.

Straightforward SNAT and DNAT; you may work in two ways: with Central NAT rules configuration and by applying translation directly inside firewall policies.

Bulk CLI commands are uploaded via gui in script file (portions of config file).

VDOMs are very useful when you need to grant admin role to clients separately. VDOMs in FortiGate can be represented in FortiAnalyzer's ADOMs (administrative domain), which can have different log storage policies, event handling and alerting configurations. You can create one VDOM working in NAT/Route mode, and another VDOM working in Transparent mode.

If you don't want to create and use second VDOM you can still transparently inspect traffic at layer 2 level while having only one VDOM in NAT/Route mode. This is achived by configuring Virtual Wire Pair ports that work like a separate bridge.

Ability to capture packets going through any interface of device (and VM too). You can set number of packets, filter out packets by IP and port number for particular troubleshooting purposes, then download a .pcap file from web gui and analyze it in your favorite programm.

Advanced routing (RIP, OSPF, BGP, PBR). It gives you a seamless and simple integration into a large network.

IPS, AV, Web Filter, AppControl profiles are working very well.

SSL Inspection and CASI (Cloud Access Security Inspection) profiles.

Rich logging options allow you troubleshoot most problems.

Straightforward HA with different redundancy schemas.

IPv6 support.

View full review »
Ahmed Konsowa says in a Fortinet FortiGate review
Senior Pre-Sales Engineer (Commercial Sector) at SEE "Systems Engineering of Egypt"

It has very easy management and an amazing ETM configuration.

View full review »
Mohamed Abdullah says in a Fortinet FortiGate review
Senior Security Engineer at crystal networks

The configuration was very easy. I didn't have any problems with it.

 It depends on the project, but I don't need a lot of resources to maintain it. One or two staff are enough to deploy and maintain it.

View full review »
Vineeth Babu P says in a Fortinet FortiGate review
IT System Administrator at emirates hospital

The most important features with FortiGate are the web filter and application controls. We can control our internet usage and use the web filter for application purposes. All branch FortiGate devices are integrated with FortiAnalyzer and easy to download and monitor the logs from all other locations. It's easy to change the configurations using CMD-SSH. FSSO is also another good feature. 

View full review »
Barracuda CloudGen Firewall: Configuration
Director854e says in a Barracuda CloudGen Firewall review
Director of IT at Superfeet Worldwide Inc.

The AWS integration and configuration was easy to use and set up.

View full review »
Hilary Tullier says in a Barracuda CloudGen Firewall review
Business Systems Manager at ACT Pipe And Supply, Inc

The technical manuals, at times, have images that don't match the actual screens and are not always as clear as they could be on the configuration. This requires a call to their very good support department.

View full review »
Mohd Fauzan Rahim says in a Barracuda CloudGen Firewall review
Senior Network Engineer at a tech vendor with 11-50 employees

The interface should be more user-friendly and it should be easier to configure. Its configuration are divided per module/service. You will have Firewall service, VPN module and others service. Each services are under 1 server tree. You have to configure at different tabs to make it functions which I found easy to get confused. There are no wizard for guided configuration. You have to depend on their manual at barrcuda campus. Fortunately the manual is quite comprehensive.

The inclusion of a load-balancing capability in the future would be helpful.

View full review »
pfSense: Configuration
reviewer963351 says in a pfSense review
IT Manager & Sr. Application Programmer with 11-50 employees

There are so many packages you can install which extends pfSense's capabilities including consuming from lists such as FireHOL, Pi-Hole, etc. Here are a few packages we use:

  • IPSec: pfSense allows for both v1 and v2 IPSec configurations to secure your connections.
  • IPS: You can use Snort or Suricata along with Snort packages, even subscribe to commercial packages if you wish. This alone starts making pfSense on par with Cisco.
  • Proxy/content filtering: You can install Squid and SquidGuard to act as a proxy and content filter. Yes, it does filter HTTPS, and there's a number of ways you can do it out of the box.

pfSense also reformatted their logs so that they're compliant and standardized. We have our logs shipped to our SIEM and Logstash servers.

View full review »
Ray Ost says in a pfSense review
CEO at Private

I'm still experimenting with some new features. I want to do a high availability configuration. I haven't done that yet, but I'm using OpenVPN, it's very handy. 

View full review »
reviewer1356246 says in a pfSense review
Solutions Architect at a tech services company with 51-200 employees

The scalability is very good, where you can do an HA configuration and then bring in another box, if necessary. We have ten users in the organization.

We get very little usage and have no plans to increase it.

View full review »
VinodGupta says in a pfSense review
CEO and Founder at Indicrypt Systems

This solution is absolutely stable. With some systems there's a necessity to regularly redo the configurations inside the system. With Pfsense that's not the case. I have no issues with it at all. 

View full review »
SonicWall TZ: Configuration
John Sturman says in a SonicWall TZ review
Technologist at Digifabshop (Hudson, NY)

I find that the user interface for the product configuration needs improvement. It is not intuitive when you are trying to figure out how to get something done.

An additional feature that I would like to see is reporting that includes metrics to give me more information about the number of viruses that it has actually detected and interrupted.

View full review »
Rias Majeed says in a SonicWall TZ review
CIO IT Security - Connectivity at Exceed NetSec LLC

The initial setup was complex. It is not so straight forward. It's not tough like others, but still, they can improve on it.

Deployment takes, depending upon the concentration, anywhere from half a day to two days, depending upon the password you need to deal with for all the configuration. If everything is not the same, like you have UTM features and all those things, it may go up to one day, depending upon the configuration. If the training is also added into it, two, three days including training and assistance.

View full review »
Umut Erol says in a SonicWall TZ review
Partner at 0ve1

We would like to improve the rules configuration in SonicWall TZ. Sometimes the rules don't work. We cannot prove that the rules don't work. Maybe they can improve that. 

Sometimes you write a rule in SonicWall and users are not able to use YouTube, Facebook, or Instagram. Users can see YouTube or Instagram for a while, but five minutes later, they cannot visit the sites.

The additional feature I would like to see included in the next release of this solution are analyzers. They can put it in the software, i.e which users are in which sites.

We need to see which users are on which sites simultaneously. In this edition, it's hard to see. You can just see the IP address. FortiGate has 40 analyzers. Maybe SonicWall can put it in the license for at least three.

View full review »
Bob-Thomas says in a SonicWall TZ review
Virtual CIO/ CISO at Kyber Security

Once you get past all the configuration issues, If you are on a rock-solid GA (Generally Available firmware), I don't know if I want to say it's bulletproof, however, the stability is really, really good. I don't sit and worry, thinking, "Oh, God. We know another one's going to fail today." We never think that way about that type of stuff. It's the odd time where we might get hardware failures or random reboots. We've had a couple of SMA units go sideways. Even SonicWall couldn't solve the problem. However, that said, it's rare.

View full review »
SonicWall NSA: Configuration
Marcio Vieira says in a SonicWall NSA review
Solutions Specialist with 201-500 employees

Initially, we had to review our security policy and this was the stage that involved the highest level of complexity.

With the policy defined according to our needs, the initial configuration of the solution was simple, but obviously, because it is an advanced-level security solution, it must be implemented by a specialized professional.

View full review »
reviewer1120704 says in a SonicWall NSA review
Manager with 51-200 employees

While there are a lot of options on the market, we only use SonicWall at this time. We have used Sophos in the past previously. We found that Sophos Firewall had more flexibility compared to SonicWall, especially in the configuration capabilities.

View full review »
Flavio Soares says in a SonicWall NSA review
Senior Systems Administrator at Prodomax

At this office, the firewall was already configured when I started working here, so I only needed to make some adjustments. We have another office that we acquired recently, and I implemented the firewall there. The configuration was pretty straightforward. The graphical interface is very intuitive and that helps. 

View full review »
reviewer1126683 says in a SonicWall NSA review
IT Security Analyst at a outsourcing company with 51-200 employees

I used to work on SonicWall regularly. Now, I am working as an IT analyst and my job is to check the SonicWall configuration and test it. For example, I have to check the policy and then audit which ports are open.

View full review »
Balaraju K says in a SonicWall NSA review
Technical Lead at 64Network Security

The initial setup is definitely user-friendly, it's easy.

It only takes an hour to deploy, which includes the configuration.

View full review »
reviewer1314267 says in a SonicWall NSA review
Director of IT at a consultancy with 11-50 employees

The initial setup isn't too complex. My understanding is that it's straightforward. I didn't set it up myself, however, it's got configuration wizards to walk a user through. This no doubt is quite helpful and makes it pretty simple in terms of implementation.

View full review »
Sophos XG: Configuration
Olufemi Adalemo says in a Sophos XG review
Chief Technology Officer at Leystel Nigeria Limited

We evaluated Cisco ASA as well as the FortiGate before ultimately choosing Sophos.

I chose Sophos over FortiGate because I'd already had experience with Cyberoam and it was a fairly similar migration in terms of configuration from the UTM over. But in terms of features and capabilities, I think FortiGate is pretty similar to the Sophos. Cisco ASA I choose not to go with because it's much harder to configure. I also needed to be able to have someone other than myself manage it and not need to have someone with CCNP sitting down just to add VPN users etc. I felt that the Sophos solution was a better option because it gave me all the functionality of the ASA, but it's much easier to manage.

View full review »
Kamran SAJJAD says in a Sophos XG review
Manager IT at a retailer with 201-500 employees

The initial setup and configuration are not difficult for somebody with firewall experience. However, for somebody who has not worked on one in the past, it will be complicated.

View full review »
Kerio Control: Configuration
Matt Gerken says in a Kerio Control review
VP Engineering & Admin at E3 Systems

The interface control manager where we can allocate LAN connections to certain VLANs is the most valuable feature. The other feature that's important for us is because everything is remote with MyKerio, as long as the boat has an internet connection, we can log onto the Kerio and get statistics, as well as provide support.

It's important because unlike a company where a company has an IT person on-site because these are yachts, they have a boat crew that is not necessarily "IT," so they rely upon us to provide them with their IT services. This is a platform that allows us to control and troubleshoot as necessary.

I would say about 95% to 97% of all of our support is managed remotely because of the nature of superyachts, where they're located, and the importance of the people that own them.

I have not run into any issues or complaints with regard to the firewall and intrusion detection features. I find that in this industry, the fact that those are services that are included is important. But I can't speak to the operability of it.

Because I interface the most with the boats and the crews, I've never run into an issue with the comprehensiveness of the security features.

In terms of the ease of use, if you took 15 different network professionals and told them to configure a Kerio Control, you would get 15 different configurations. Having said that, within our specific business segment, we have learned the configuration that works best for us and works best for our customers. The way that we have set it up is to not put the onus on the boat to make any changes, but if they need to make any changes they allow us to go in there and make changes. 

From my experience, I don't necessarily do the configuration on them, but I do manage them. If there's a boat that has a problem, I'm the first phone call. Most of the time I can figure it out, but what we provide as a service is that we refer to it as a virtual ETO which is an electronics and technology officer. That would be an actual IT person, but for the most part, we just encourage our customers to defer their technical queries to us and allow us to manage it for them.

It has saved time for the members of our team who manage security based on how they're using it. It has saved time in the sense that they have an integrated security solution. I think the maritime industry is moving towards a standardized security initiative because the problem is that everything within the maritime industry is based on international, not national standards. So where and how the Kerio Control will fit into that is undetermined because the IMO, International Maritime Organization, has not yet determined what those standards are going to be. It's still a work in process.

It has a VPN back to our data center but I don't think it has increased the number of VPN clients extended to those outside our environment

View full review »
Frank Raasveld says in a Kerio Control review
Owner at Fr@nkonnections

I use it as a service for my customers. My primary target is to help my customers in the best way to protect them from the dangerous things from the Internet. As a solution, it's easy to maintain. The product is a good solver that also depends on good support and its availability of engineers.

I am using the latest version of Kerio Control. It is an old type of configuration with VPN connections. I still like the product very much.

It is mostly installed on the Linux software appliance. That's what I mostly use for my customers.

View full review »
reviewer1378203 says in a Kerio Control review
Freelance IT Specialist at a computer software company with 501-1,000 employees

I am self-employed, so I work with other companies that usually do the installation of the hardware and I come in at the end to just make sure everything's all configured correctly and set up properly for Kerio configuration.

View full review »
Andy Dibble says in a Kerio Control review
IT Manager at Flare Technologies

The setup is straight out-of-the-box. Take it out of the box, run through the wizard, configure it with the settings that you should already know, and then it works and you get in online. That's the basic setup, because the Traffic Rules, by default, allow everything out and stop everything coming in. That's enough to just get online.

You then go to start defining your networks and your traffic rules. Putting multiple VLANs in there is easy. Even as it gets to be a more complex configuration, it's easy to do.

Sometimes it's time-consuming if it's a large configuration, but that's just what it is. It takes time to click boxes if it's a large network with lots of different scenarios, and to type in all the IP addresses.

But it's easy out-of-the-box for a basic configuration and still fairly easy if you've got that knowledge of the Kerio and networking. Just a little time-consuming. If there were some kind of import or bulk add, that would be nice, but that's on a wish list. It's really not that necessary.

If a customer just wants something out-of-the-box, we plug it in, make it work, and it probably takes a couple of hours, at the most. If it's a bit more complex, it might take a day. It might take longer if you don't know what you're doing.

I've always told customers that there is no fixed configuration. This thing will work and do what you want it to do. As time progresses, it evolves with the changing requirements. So we can give them a solution. They can give us some key config points telling us "Okay, we want this many networks and we want these users, and these particular rules," etc. We configure all that  in a day and test it the next day. After that, it's ongoing. They might decide, "Oh, we actually want to change the bandwidth allocation," or "We've got a new internet interface," or we want to block Facebook at a specific time. It's ongoing.

View full review »
Greg Regester says in a Kerio Control review
ICT Consultant at D-R Consulting Pty Ltd

It's a combination of authentication, internal network DNS, filtering, and antivirus. It is a standalone product which has a lot of the features that a Windows domain might have. However, I don't need to have a whole lot of Windows or Mac infrastructure, as I can do all my network management from Kerio.

One very good thing about the Kerio device is its authentication. I don't have a Windows domain for authentication. Instead, I use the Kerio product because it can separate users by Mac addresses and give them IP addresses based on their usernames, automatically logging them in. This makes for a very simple authentication system.

The solution’s firewall and intrusion detection features are pretty good. I have, at different times, connected directly to the Internet in bridge modes with the modem, and the noise in the logs is phenomenal. So, it does a good job. I can see that the intrusion prevention catches everything that is coming at it. I tend to not use it in that mode. I have it connect to a port on my modem router, so I let the modem router take all the initial intrusion noise, then not much gets through to Kerio. That just gives me a lot of confidence that I have a secure network.

For the content filter, I am pretty much running their default. I haven't added any rules to that myself. The default does a pretty good job at picking up things. I might have whitelisted one or two things that I use which it tends to pick up, but I know they are okay.

Kerio Control gives us everything we need in one product. 

The feature that I'm relying on: If the appliance died and I had to get another one, Kerio has a configuration backup. Therefore, it's pretty easy to restore to a new appliance.

View full review »
Freddie Lewis says in a Kerio Control review
Solutions Architect at Clockwork Solutions

Its primary job is to protect us and give us a degree of comfort. We're putting a lot of effort into creating a financial trading system. We want some comfort that it's secure behind the quality firewall and that's really what beckoned its purchase. The fact that we've not had any issue indicates that it must be doing that job reasonably well, and the fact that we don't get any of those attempted attacks from the block in China, because of geo-blocking, is probably the strongest feature for us. I wouldn't say it improves what we do because it doesn't affect what we do. It's really just security.  It's a tool to improve our security profile for what we do.

We don't expose our remote desktop connected servers to the internet anymore. But when we did have that, because the security log is a really easy thing to set up, it would show you all the attempted, brute force attacks. That's now down to zero. We don't get any brute force attacks, but at the same time, we don't expose the Port 3389 out to the internet. We could achieve the same result with a domestic firewall in a domestic router. However, this gives us a degree of comfort that we can actually analyze any traffic that looks a bit suspicious, inbound, or outbound. That's a definite step change compared to what we'd have in an out-of-the-box type of router.

Security is there to slow things down and make things a bit tricky. That's its bottom line. If security is easy, it's probably being done wrong.

Certainly in the first few months of using it, it was quite time-consuming to get a configuration working that was reliable. Because I work from home, I originally had it protecting everything coming in and out of the home which didn't work well at all. It's protecting the home office and the server environment. Everything else just goes straight out of the domestic router out to the internet because we've got IPTV, with kids on devices. They don't need such a high level of protection. It would be nice to give them that because if you've got this perimeter that's protected by a really good quality product, you want to protect everything.  But when we tried that, it seemed to struggle with the high volume of traffic that was being generated by the IP cameras, the IPTV service, and the myriad of devices and iPads that we have in the house. So we stopped using it for that purpose.

View full review »
Liam Bartlett says in a Kerio Control review
IT & Installations Manager at Odyssey Gaming

We turned on two-factor authentication just after the shutdown when we knew we were going to get more users using it. That was the only feature that I've used recently that was different and it worked fine. You only have to authenticate once every 30 days, once you've fully authenticated. It was easy. Technically, it's not a full implementation. It's two-factor on every login, but it's certainly more secure than it was.

In terms of the comprehensiveness of the security features, I know that we haven't had any breaches before. We've had security issues before but it hasn't been with the data center implementation. We have a technology partner that we use to consult for configuration and Kerio was their number one recommendation at the time. We've never had an issue since implementing that. While it works, it's not an issue for me. Best to our knowledge, we haven't had any data breaches.

We do a lot of audits in terms of data security. I don't know if that's ever been an issue here because a lot of our production stuff is actually walled off from our corporate network so it's of lesser risk factor. We were regulatory. We're a licensed regulatory body as well. We monitor gaming machines throughout the state. A lot of our security and the production network is a lot higher than our corporate. Not that corporate's not high, but there are a lot more freedoms for the user under the corporate network umbrella anyway. But it does what it needs to do. We haven't had an issue with it. The most we've had to do when we've had an issue is upgrade the VPN Client's software.

Before using Kerio, with another software, we did experience security breaches. Not so much with a firewalling product. We've had issues with breaches of user breaches. So phishing attempts and so forth. Just the general user stuff, but not through the corporate firewall. And honestly, we didn't handle all of that previously. We only took that on board about six or seven years ago when we changed ownership. So a lot of our services are in the cloud these days as well. Office 365 and so forth.

In a roundabout way, its security features played a role in our decision to go with it. We rely on the advice of our consultant and the consultant recommended this configuration, this software, and this appliance. So, it was more about the appliance. It was more about the flexibility than what we needed to do in a data center environment as well, to be able to manage it remotely and securely. It's been very easy to manage. 

The consultant was TechPath. TechPath is very good. I have full faith in TechPath. They're an MSP and we've just used them as a consultant when we initially set up our wide area networks and the security around it. They have good guys there. We don't have a lot of network engineers in what we do. That's their job. That's why we use another consultant.

Because it's all ID integrated, it's very easy for a user to get online step by step. And in terms of the actual configuration of the firewall itself, it's an intuitive interface if you know what you're doing, in terms of logging traffic, spanning, and the rest of it. The logging is fine. 

Remote work has been increased by 100%. We would have had around 25 - 30 remote users. That's probably increased to 60 over the shutdown, including contact center staff. That'll scale back a little bit as people come back into the office, but overall, people don't stay connected during office hours, it's more of an as-needed basis. We still only have 10 to 15 concurrent users, but in terms of licensing, we have under five concurrent users at any one time before that. There was an increase, but it was not a resource-hungry increase. We said to make sure the licenses were sourced in advance.

View full review »
Arie De Kruijf says in a Kerio Control review
EMP Specialist at Global EPM BV

GFI's technical support is way too slow in terms of response times. Their knowledge is okay. They should know their products. Even though they bought Kerio, they were able to update the software with their developers and build some new routines in it.

But regarding the support, if I send out a solution or a request today, it's taking too long to get a proper answer. You should have an answer the same day, at least, and if possible a quick response via email. That would be preferable in our cases. I know that is not always possible. And that's for software issues. 

But if you have a hardware issue it's even worse because we are not able to get hardware maintenance on the firewalls. Ideally, within two hours of going down, a mechanic would come with a new firewall to replace it and to restore your saved configuration from the cloud. They don't have that. If a hardware issue arises with a firewall, then it takes at least a week, maybe a week-and-a-half, to get a new firewall sent by GFI. That's really not acceptable. If we have a hardware issue and we order something from some companies here in The Netherlands, we have it the next day. That would be acceptable.

We deal with that by having a spare NG500 lying around that we can use. We've never used it, so it's already three years old, doing nothing. But it's there.

View full review »
Chris Bristow says in a Kerio Control review
Account Manager (Technical) at Redfortress Ltd

We hired a guy to do the initial set up for us. I think he was a Kerio reseller and we used him for consultancy before it started and then he actually did the work on the Kerio as well, and the network in general.

Our experience with him was excellent. We've used him a couple of times since. He's brilliant. His knowledge of everything is incredible. We tried to do it all ourselves at first, but he came in and knew exactly what the problems were. Something that had taken us about four days, he did in five minutes. He's just incredibly knowledgeable about everything to do with networks: Cisco, Kerio, everything.

I've set up another one since, for the same company. I just copied the configuration file of the one and put it straight onto the other. They're in separate buildings, but they wanted them exactly the same so it was really easy.

That deployment took an hour, but it was because we already had one set up.

As for deployment and maintenance of these solutions we generally need just one person: me.

View full review »
A10 Networks Thunder CFW: Configuration
Techofficechief67 says in an A10 Networks Thunder CFW review
Chief Technical Officer at a tech services company with 1-10 employees

The technical support is excellent. It's 24/7 and you'll have direct access to the engineers. It's not like support where they will ask you to just restart the box and see what happens. They will get the file from you, and they will replicate the configuration, and they will come back very quickly with answers.

View full review »
Cisco Firepower NGFW Firewall: Configuration
Technical Manager at a comms service provider with 1,001-5,000 employees

I would like for them to develop better integration with other security platforms. I would also like for them to make the Cloud configuration easier. 

View full review »
Gerald Zauner says in a Cisco Firepower NGFW Firewall review
Data Center Architect at Fronius International

Customers should take note that the migrations steps are not easy. The tools cannot solve all configurations and handle all configurations directly so you will have to do some coding by yourself. The solution is not complete at the moment but it will get better.

View full review »
Network Engineer at CoVantage Credit Union

Our organization is a big believer in training, So I attended a five-day class on this. From that, I was able to set it up pretty easily.

We have a virtual appliance. Once it actually installs and we set IPs and got some of the base set up, it was done within about a day. But the time it takes will depend. We're not an organization that has 10,000 users. We're probably a medium enterprise, of about 400+ users, rather than a large enterprise, so our ruleset is comparatively small. As a result, it didn't take me as long as it might for some, a total of two or three days, and that's even with fine-tuning. But because we're still using the ASA and the ASDM, we still have those rules in the firewall. We're not really at the FTD point where all the rules are in there. If we were, to migrate it would probably take some time.

For me, it was relatively simple because of the valuable training I had. There are some good resources online, don't get me wrong. It was just nice to be able to do something hands-on at a place, in training, and then come back and be able to do it.

The neat thing is that the gentleman who taught us, instead of just teaching us the material from a book or even, "This is how you can pass the Firepower test," taught us how he would go into a Fortune 100 and set up an organization. I had almost a step-by-step lesson on how to keep going through the configurations to get to a finished product.

With a firewall, you're always coming back to it to tweak it a little bit. You might find, "Oh, I'm not getting the logging a lot," or, "Oh boy, this rule is doing this, but maybe I want to tighten it down a little bit more." But to get the base configuration, to get the objects in, it takes about a couple of days. At that point, you can at least have traffic going through it. You may not be blocking anything, but you can be monitoring things.

View full review »
Security Architect

Setting up an FTD is a bit more complex with the new FTD line. They integrated the FXOS, but the OS is still not fully integrated. If you want to be able to fully manage the device, you still need to use two IP addresses: One for FXOS and one for the software. It's complicating things for the 4110 to have to, on the one hand manage the chassis and the hardware on one, and on the other hand to manage the logical device and the software from another one.

But overall, if you take them separately, it's pretty easy to set up and to manage.

The time it takes to deploy one really depends. I had to deploy one in Singapore and access the console remotely. But most of the time, once I get my hands on it, it can be very quick because we have central management with FMC. Setting up the basic configuration is quick. After that, you have to push the configuration that you use for your group IPS and that's it. My experience is a bit different because I lose time trying to get my hands on it since I'm on the other side of the world. But when I get access to it, it's pretty easy to deploy. We have about 62 of them in production, so we have a standard for how we implement them and how we manage them.

We have Professional Services and consultants who work with us on projects, but not for the deployment. We have our own data centers and our own engineers who are trained to do it. We give them the instructions so we don't need Cisco help for deployment. We have help from Cisco only for complex projects. In our case, it requires two people for deployment, one who will do the configuration of the device, and one who is physically in the data center to set up the cables into the device. But that type of setup is particular to our situation because we have data centers all around the world.

For maintenance, we have a team of a dozen people, which is based in India. They work in shifts, but they don't only work on the FTDs. They work on all the security devices. FTD is only a part of their responsibilities. Potentially we can be protecting 140,000 people, meaning all the employees who work on the internal network. But mostly, we work for international internal people, which would be roughly 12,000 people. But there are only three people on my team who are operators.

View full review »
reviewer1208142 says in a Cisco Firepower NGFW Firewall review
IT Specialist at a consultancy with 1,001-5,000 employees

We would like to see improvement in recovery. If there is an issue that forces us to do recovery, we have to restart or reboot. In addition, sometimes we have downtime during the maintenance windows. If Cisco could enhance this, so that upgrades would not necessarily require downtime, that would be helpful.

We would also like to have a solution on the cloud, where we could manage the configuration. CDO is in the ASA mode. If Cisco could do it in full FTD — the configuration, the administration, and everything — it would be very good, and easy.

View full review »
IT Infrastructure Specialist at RANDON S.A

I participated in the first deployment. I know it's not hard to do, but it's also not easy. It requires some knowledge, the way we deploy it. We use next-gen firewalls inside the Cisco router. It's virtualized inside the Cisco router. So you need to set settings on the router itself to allow the traffic that comes to the router to go to the firewall and return to the router to. So it's not an easy setup but it's not very complex. It requires some knowledge, not only of security, but also of routing and related things. It's in the middle between complex and simple.

Once you have the templates for it, it's easier. It can take a day or two to deploy, or about 20 hours for the whole configuration.

View full review »
reviewer1217634 says in a Cisco Firepower NGFW Firewall review
Lead Network Administrator at a financial services firm with 201-500 employees

With the FMC and the FirePOWERs, the ability to quickly replace a piece of hardware without having to have a network outage is useful. Also, the ability to replace a piece of equipment and deploy the config that the previous piece of equipment had is pretty useful. 

The administration is a little easier on the FirePOWER appliances because we're not using two separate products. For example, in the ASAs with FirePOWER Services, we were using the FMC to manage the FirePOWER Services, but we were still using ASDM for the traditional Layer 2 and Layer 3 rulesets. That is all combined in FMC for the FirePOWER devices.

Our particular version includes application visibility and control. Most next-gen firewalls do. The product is maturing with what they call FirePOWER Threat Defense, which is the code that runs on the firewalls themselves. The FirePOWER Threat Defense software has matured somewhat. There were some issues with some older versions where they didn't handle things in a predictable manner. Applications that we didn't have a specific rule for may have been allowed through until it could identify them as a threat. We reorganized our rules, because of that "feature," in a different way so that those extra packets weren't getting through and we weren't having to wait so long for the assessment of whether they should be allowed or not. We took a different approach for those unknowns and basically created a whitelist/blacklist model where applications on the list were allowed through.

Then, as you progressed into the ruleset, some of those features became more relevant and we stopped this. We looked at it as "leaky" because it was allowing some packets in that we didn't want in, while it made the determination of whether or not those applications were dangerous. Our mindset was to assume they're dangerous before letting them in so we had to adjust our ruleset for that. As the product matures, they've come out with better best practices related to it. Initially, there wasn't a lot of best-practice information for these. We may have been a little early in deploying the FirePOWER appliances versus continuing on with the adaptive security appliances, the old PIX/ASA model of firewalls. Cisco proposed this newer model and our VAR agreed it would be a benefit to us.

There was a bit of a transition. The way they handle the processing of applications is different between the ASAs and the FirePOWERs. There were growing pains for us with that. But ultimately, the ability to have this configured to the point where I could choose a specific user and create a rule which says this user can use this application, and they'll be able to do it from whatever system they want to, has been advantageous for our functionality and our ability to deliver services more quickly.

There haven't been a lot of specific use cases for that, other than troubleshooting things for myself. But having the knowledge that that functionality is there, is helpful. Certainly, we do have quite a few rules now which are based on "this application is allowed, this whole set of applications is blocked." It does make that easier because, in the past, you generally did that by saying, "This port is allowed, this port is blocked." Now we can say, not the ports; we're doing it by the services, or instead of by the services we're doing it by the applications. It makes it a little bit easier. And Cisco has taken the step of categorizing applications as well, so we can block an entire group of applications that fall under a particular category.

For the most part, it's very good for giving us visibility into the network, in conjunction with other products that give us visibility into users as well as remote items. It's really good at tracking internal things, really good at tracking people, and really good at giving us visibility as to what's hitting us, in most situations.

In general, Cisco is doing a pretty good job. Since we started the deploy process, they've increased the number of best-practice and configuration-guidance webinars they do. Once a month they'll have one where they show how we can fix certain things and a better way to run certain things. 

The product continues to improve as well. Some of the features that were missing from the product line when it was first deployed — I was using it when it was 6.2 — are in 6.4. We had some of them in ASDM and they were helpful for troubleshooting, but they did not exist on the FirePOWER side of things. They've slowly been adding some of those features. They have also been improving the integration with ISE and some of the other products that utilize those resources. It's getting better.

View full review »
Technical Consulting Manager at a consultancy with 10,001+ employees

Compared to many years ago, the configuration is much more simplified. It is still not one button to get it all done. It's not easy enough. It hasn't reached the level where a junior staff member can get the job done. 

For my enterprise environment, the deployment goes wave by wave. It can take six to eight weeks. We do a rolling upgrade. It's not something that can be done in one action because the network is so huge and complex. 

We have a uniform implementation strategy. We have a standard upgrading proceeding. We do testing and verify and then we put it into production.  

View full review »
Associate Vice President - IT Infrastructure at Navitas Life Sciences

The initial setup was complex. We engaged NTT Dimension Data as there were a couple things that needed to be done for our requirements and validation. This took time to get signed off on by quality team. However, the configuration/implementation of the system did not take much time. It was a vanilla implementation.

We did face performance issues with the console during implementation. The console was hacked and we needed to reinstall the console in the virtual environment. 

View full review »
Zhulien Keremedchiev says in a Cisco Firepower NGFW Firewall review
Cisco Network Engineer at IBM

My primary use case with Cisco Firepower NGFW is implementing, configuring, maintaining, and troubleshooting lab and customer devices in both lab and production environments.

Using best practices for configuration, as well as fine-tuning intrusion policies and utilizing as many of the features that the firewall has to offer, which are feasible in said environment.

Overall, I am confident to say that I have worked with every flavor of Cisco Firepower NGFW, be it their older IPS-only sensors, ASA with Firepower services, as well as the FTD sensor itself.

View full review »
Untangle NG Firewall: Configuration
Simbarashe Mazorodze says in an Untangle NG Firewall review
ICT Infrastructure and Security Services Manager at NATIONAL SOCIAL SECURITY AUTHORITY - NSSA ZIMBABWE

The initial setup is very straightforward. It's very simple. You just plugin and then you use the web interface and it's quite straightforward for a tech guy. In terms of deployment, because we are deploying two firewalls, it only takes about two days to do the configuration.

View full review »
Sameer Mogale says in an Untangle NG Firewall review
Owner (Senior Systems Engineer) at 3Kay Solutions

At this stage, I think the SSL decryption option can be streamlined.

I think decryption transparency could be improved because you basically click a button and then you set up one rule-set and that's about it. I've noticed there's a problem on some sites where it doesn't do the proper decryption. I actually had to go through the application control module, and logs to see what was happening, and why some sites could not function, before I could decipher that it was the SSL decryption that was blocking the sites. I would like to see more hands-on configuration in that respect.

View full review »
Palo Alto Networks VM-Series: Configuration
Dan Rabinowitz says in a Palo Alto Networks VM-Series review
Director of Infrastructure at Arcadia

We're still learning about the scalability. We have run into some issues with scaling and limitations associated with some of the configurations. However, it is a solution that we have been happy with overall.

View full review »
System Administrator at DeepMap

The integration and configuration on our AWS environment was pretty simple. We did not have to ask any questions about anything on it, so it was good.

View full review »
Pavan Tipirneni says in a Palo Alto Networks VM-Series review
Solution Architect at JM Family Enterprises

We have been happy with the configuration and implementation on the AWS environment.

View full review »
Director of Cloud Security at a tech services company with 10,001+ employees

Identify a use case first of all. If the use case is a match, then use the product.

We use it in the cloud for both AWS and non-AWS versions. The AWS version is far better. It works seamlessly and integrates very well with some other services. 

We have integrated it with Splunk for the security aspects and with identity and access management for configuration purposes. 

View full review »
VishalGilatar says in a Palo Alto Networks VM-Series review
IT Security Head with 1,001-5,000 employees

The initial setup is straightforward and easy. 

The deployment will take a couple of hours at the max and will depend on the configuration that you are looking for. Palo Alto will give you a report that recommends policies that are based on industry standards. For example, if you have approved Telnet access then you will be warned because it is not recommended and you should be using SSH instead. They will give you lots of recommendations to warn that the configuration does not follow the standard practice and if allowed to remain then it will explain what vulnerabilities you might face in the future. This kind of report is really valuable.

View full review »
reviewer1415211 says in a Palo Alto Networks VM-Series review
Senior Manager Network Engineering at a manufacturing company with 10,001+ employees

With any organization, if you want to change the firewalls that are being used in production then it's a hectic task. You have some rules and engines that can be used, but it's a step-by-step process.

Migrating from an existing solution to Palo Alto needs to be done in phases. Phase one would be installing the devices. Phase two is testing a lab setup and diverting traffic, then analyzing it. Finally, the third phase is to enable other features like threat protection, malware detection, and other advanced options.

Depending on the size of the organization, if a migration is well planned then it will take three to four months to complete.

The configuration is different between our branch offices in order to meet our requirements. Some use the hardware appliance, whereas others use the software version.

View full review »
reviewer1267734 says in a Palo Alto Networks VM-Series review
Executive Cyber Security Consultant at a tech services company with 11-50 employees

I have clients whose architecture is configured in a lot of different ways and combinations. I use a lot of different products and make recommendations based on specific situations. For example:  

  • I have one client that actually uses multiple VM-series and then at each one of their physical sites that have the K2-series — or the physical counterpart of the VM-series.  
  • I have other clients that use Fortinet AlarmNet. As a matter of fact, almost all my healthcare providers use Fortinet products.  
  • I have another customer that used to be on F5s and they had had some issues so switched to Fortinet.  
  • I have a couple of holdouts out there that are still using the old Cisco firewalls who refuse to change.  
  • I have a new client that is using a Nokia firewall which is a somewhat unique choice.  

I have a customer that used to be on F5s and they had had some issues. The result of the issue was that they came to me and we did an evaluation of what they really needed. They came in and they said, "We need you to do an evaluation and when you are done with the evaluation, you need to tell us that we need Palo Alto firewalls." I said that was great and I sat down and got to work building the side-by-side comparison of the four firewalls that they wanted to look at. When I was done, just like they wanted the Palo Alto firewall was right there as the first one on the list. They selected the Fortinet firewall instead.  

Nokia is specifically designed to address the LTE (Long Term Evolution, wireless data transmission) threats with faster networks and such. So it is probably not considered to be a mainstream firewall. The client who uses Nokia is a service provider using it on a cellular network. They are a utility and they are using Nokia on a cellular network to protect all their cellular systems and their automated cellular operations. The old Nokia firewalls — the one on frames — was called NetGuard. This client originally had the Palo Alto K-series and they switched over to the Nokia solution. That is my brand new Nokia account. They were not happy with the K-series and I am not sure why.  

The thing about Cisco is nobody is ever going to fire you for buying a Cisco product. It is like the old IBM adage. They just say that it is a Cisco product and that automatically makes it good. What they do not seem to acknowledge is that just because their solution is a Cisco product does not necessarily make it the right solution for them. It is really difficult to tell a customer that they are wrong. I do not want to say that it is difficult to tell them in a polite way — because I am always polite with my customers and I am always pretty straightforward with them. But I have to tell them in a way that is convincing. Sometimes it can be hard to change their mind or it might just be impossible.  

When I refer to Cisco, I mean real Cisco firewalls, not Meraki. Meraki is the biggest problem I think that I deal with. I do not have the network folks manage the Meraki firewalls differently than they manage their physical firewalls. I do not want there to be a difference, or there should be as little difference as possible in how the firewalls are handled. They do have some inherent differences. I try not to let them do stuff on the virtual firewalls that they can not do in the physical firewalls. The reason for that is because in defense-related installations it matters. Anytime you are dealing with defense, the closer I can get to maintaining one configuration, the better off I am. Unless something unique pops up in Panorama, I will not differentiate the setups.  

I say that there are differences because there is a little bit of configuration that inherently has to be different when you are talking about physical and virtual firewalls, but not much. I can sanitize the virtual machine and show the cloud provider that since I was going into a .gov environment or a .gov cloud, that it met all the requirements as stated in the Defense Federal Acquisition Regulation Supplement. That is huge for our situation. Of course with a cloud provider, you are not going to have a physical firewall. Had we had a physical firewall, that becomes a bit of a chore because you have got to download the configuration file, then you have got to sanitize the configuration. Things like that become a bit of a burden. Having a VM-Series for that purpose makes it much easier.  

I did not mention Sophos in the list. Sophos does a semi-decent job with that too, by the way. The only problem with Sophos is that they are not enterprise-ready, no matter what they say. I have deployed Sophos in enterprises before, and the old Sophos models did very well. The new ones do very poorly. The SG-Series — Sierra Golf — they are rock solid. As long as we keep going with them, our customers love it. It works. I have one client with 15,000 seats. They are running 11 or 12 of them and they have nothing but great things to say about the product. The second you go to the X-Series, they are not up to the task.  

View full review »
Fortinet FortiGate-VM: Configuration
reviewer1245921 says in a Fortinet FortiGate-VM review
Manager, Infrastructure Support at a construction company with 10,001+ employees

The initial setup was not complex. The implementation proved to be straightforward.

The project took about one week in total, including deployment and configuration.

There was only a single person needed to handle the deployment process.

View full review »
Eric Xiao says in a Fortinet FortiGate-VM review
Director at Treasure Technology

For myself, the UI is pretty much perfect. It's much easier to work with than Cisco's FirePOWER, for example. I prefer the way it is designed above everything else, even though Cisco may be better for a different reason. Fortigate is just hands down more intuitive and therefore users need less training. While a non-tech person may need a bit of training in terms of configuration, it's still easier than Cisco.

In terms of general features, I find Fortigate and Cisco very comparable. They technically do the same things. Both can drill down by IP or region, so, application-wise, they're very much the same. 

View full review »
OPNsense: Configuration
Michal Konecny says in an OPNsense review
Consultant at INCONSYS GmbH

Something that needs to improve is the translation. This comes into play when you have a remote and a local site and you have to work with two different transfer networks for each direction. What I'm missing is user portal for downloading the configurations for SSL VPN clients. It's still not implemented so it seems that this product is still in a developing process. 

Sometimes it's a little difficult to find some examples for special scenarios. But we have to keep trying and I believe it is possible. It's quite a suitable possibility to use it for VPN connections.

The monitoring is a little complicated and I have tried to use a plug-in, but it's quite complicated to configure. I had to write my own script.

With the VPN solutions, it is possible  to cover up all the scenarios which we have. For instance, if you have a customer and your local network is already in use, you have to work with source nat. It is possible and it works. Another issue that customers sometimes have Networks, which are already in use on out local site. It means you have to work with a destination nat but it is possible to create. 

I would, therefore, like to see the monitoring of the firewall being easier to configure, or to have more templates for this so that you can download the configurations for each scenario and get more detailed descriptions like how all the available plug-ins are performing.

View full review »
reviewer1140060 says in an OPNsense review
Owner at a construction company

The solution is easy to use and is accessible. I can also use it without paying. The configuration is very easy, and the website makes it easy to find help if you need it.

View full review »
YaserAljohani says in an OPNsense review
OT/ICS Information Security Specialist at SANS

I have some issues with OPNsense. I have created a virtual machine that I've lost connection at times and I am not able to connect to the gateway or ping the internet. When I started with OPNsense, it worked right away. It may be an issue with the virtual machine itself. I am currently setting up the protection on all of the virtual machines so they will connect to OPNsense and the internet, or anywhere they need to access.

I have tried to download some malicious files or a virus and it should dump the files and prevent the download, but I don't seem to get any notification or warnings.

It may be an issue with the configuration but I am not sure.

I would like to see improvements made to connectivity and alerting.

I wanted to deploy this solution in our organization and some of the workstations from remote sites but it's not reliable enough to do that yet.

In the next release, I would like to see real traffic monitoring and more visibility. Also, for the antivirus, I would like to see the files protected by ClamAV. 

I would like to see intelligence in OPNsense and have the option to apply it or not.

They need a threat intelligence tool similar to the one they would find with Cisco. It will show you the file hashes, all of the IFCs, the niches, the address information, and more.  With all of this information, you can be proactive and block the malicious file hashes, all of the malicious IP addresses, and the public IP addresses. It should help you be proactive.

It would be helpful to have OPNsense be one of the plugins, and they should include traffic capturing. With Palo Alto, you can monitor and specify which interface you want to monitor, the source IP, or you can specify the network and see the traffic that is coming from the VLAN, the destination, and any files being transferred over the network.

If you apply security profiles you can see the signatures.

View full review »
Chirosca Alecsandru says in an OPNsense review
Owner and business consultant at a tech services company with 1-10 employees

We plan to continue using this solution. Right now, we are settling our networks. We plan to expand its usage, but I don't think it will happen until 2022.

It has a good user interface. Its configuration is simple but requires a little planning. It is much simpler than the Cisco ASA configuration.

I would recommend this solution. I would rate OPNsense a nine out of ten. I am happy with it.

View full review »
Check Point NGFW: Configuration
LuisDavila says in a Check Point NGFW review
Network and IT Security Admin at DP World Callao

The most valuable feature of Check Point is the management console. Another feature that is most valuable for me is that the configuration is easier than other firewalls.

View full review »
Manegnet677 says in a Check Point NGFW review
Network Manager at a retailer with 10,001+ employees

All the advanced features of automation, especially the first installation of tunnels, need improvement. Also, in terms of configuration, in terms of tuning, and fine-tuning the system, I think they do make it a bit hard for users. Right now, we need to teach admins, the network and security admins about system fine-tuning in terms of load balancing between CPUs, assignment of processes. I don't think a network admin or a system admin should deal with it in terms of when we are speaking about the firewall or networking device. It should be automatic.

View full review »
reviewer1281831 says in a Check Point NGFW review
Security and Network Engineer at a tech services company with 501-1,000 employees

The Check Point NGFW is the best product that I have ever used. It has pluses and minuses, as do others, but the usability, simplicity, and the configuration abilities are very user-friendly. After a while, other vendors just don’t come close to it.

The second thing is that is just works and it does it with ease. The upgrades and bug fixes are frequent and well documented. Also, the patches just work ;-)

There are some negatives but as I already said, they aren’t many and from my point of view, we can see past them.

View full review »
Ricardo-Fernandes says in a Check Point NGFW review
Manager for Operations, Security and Management at REN - Rede Energeticas Nacionais, S.A.

The initial setup is pretty simple. The amount of time required for deployment depends on the number of rules that need to be configured. The initial setup can be done in one day, and the post-setup configuration depends on the rules to be applied.

View full review »
Amit Kuhar says in a Check Point NGFW review
Network Security Consultant at Atos Syntel

We are an IBM OEM company who received installation support from that vendor. They provided all the network connectivity.

For our implementation, we:

  1. Started with an initial diagram of the configurations and what we want to see after the installation.
  2. Segregated the SonicWall and Check Point tools for the migration since we used automation.
  3. Checked the mode of installation. We went with transparent mode.
  4. Collected the IPs for the firewall. It required multiple IPs because with we have cluster nodes.
  5. Assessed the feasibility of Check Point in our environment.

For our strategy, we looked at:

  • How many users are in all our offices? For example, is it a small office, mid-size office, or data center?
  • Using high-end versus lower-end devices, e.g., lower-end devices means a smaller price tag.

A smaller office of less than 500 people would get a 4000 Series. Whereas, a larger office would get a 5600 or 7000 Series. We have to be focused on the natural topology.

View full review »
Oleg P. says in a Check Point NGFW review
Senior Network and Security Engineer at a computer software company with 201-500 employees

We have had several support cases opened. Some of the were resolved by installing the latest recommended JumoHotfix, some required additional configuration on OS kernel level (e.g. TCP MSS clamping). The longest issue took about one month to be resolved, which we consider too long.

View full review »
Swapnil T says in a Check Point NGFW review
Technology Consultant at a tech services company with 201-500 employees

Check Point needs to improve their 3 tier architecture. Firstly, gateways cannot be managed without the Management server, which sometimes creates a problem. There is no way to extract policies or other configurations from gateways in case a management server goes down. That is something other companies provide.

Another major issue is the Smart console application is very heavy and cannot install anything other than the Windows operating system. Every time I open Smart console it becomes unresponsive for some time.

Lastly, the stability of R80 is an issue. Regularly we get some issues or bugs that are resolved by custom or new hotfixes. Sometimes it is a tedious task as this has a production impact.  

View full review »
DmitryPavlukhin says in a Check Point NGFW review
Security Analyst at HOST

I hope for product simplification. It would be better to use one security console, instead of many of them (for licensing and monitoring). The solution is hard for newcomers and takes much time to deep in. Also, I want a historical graph for throughput and system resources usage. Maybe it will be great to make easy step-by-step installation and configuration cookbooks as Fortinet did, and integrate the documentation within the solution. In most cases, the solution works great and I recommend it for our customers.

View full review »
reviewer1402668 says in a Check Point NGFW review
Security and Platforms Engineer at a K-12 educational company or school with 201-500 employees

The initial setup is really easy. You can do it in 30 minutes. Setting up an environment for a firewall and its management with a licensed demo took me an hour last week, and that includes the time for configuring the rules. The whole installation is 30 minutes and the configuration is another 30 minutes.

If you are implementing from another vendor, Check Point has a program called SmartMove. Then, all you need is the configuration of the previous firewall. Once you do some optimization, then you are ready for the integration. This might take a month overall.

View full review »
reviewer1404666 says in a Check Point NGFW review
Security Team Leader at a aerospace/defense firm with 10,001+ employees

Their management features are the best, from one point of view, but they are too heavy. For example, if you are looking at a configuration file, you can't just browse through it and see all the configurations like you can with other vendors, like Cisco and Fortigate. With those solutions you can just go over the configuration file and read all the objects and the policies, etc. 

Because of the Check Point architecture, the data file itself is huge if you're comparing it to the data files of other vendors. The difference is something like 3 Mb to 1 Gb. It's not so straightforward. 

The data process is also not so simple. You don't just load a text file which has all the configuration. It's a more complex process to restore it from a backup, when it comes to Check Point.

View full review »
Nikhil Dhawan says in a Check Point NGFW review
Associate Consultant at a tech services company with 10,001+ employees

It gives us centralized management for multiple firewalls. For example, if I want to push the same configuration to 10 firewalls, I can push it all at once with the help of the centralized management system.

It is easy to use because it supports Linux language in the CLI. This is a good for someone who already knows Linux language.

View full review »
reviewer1412340 says in a Check Point NGFW review
IT Specialist at a tech services company with 10,001+ employees

In advance, we get security vulnerabilities. So, we can configure new security policies, update our antivirus, or check the configuration to protect the environment.

View full review »
Matt Millen says in a Check Point NGFW review
Network & Systems Administrator I at DMH

I have set up replacements and it's very straightforward. It's very easy. It's much easier than some of the other network equipment that I've had to deal with. Check Point provides a wizard that walks you through the process and that streamlines the entire process. They also provide instructions on how to go about getting to the wizard and the process that we needed to take to complete that configuration. It was relatively painless.

The replacement was configured in one day and deployed the next, with no issues.

There are five of us in our company who have management access. I'm the network administrator, and I've got four IT technicians who work under me and assist in the firewall configuration and deployment.

View full review »
SamirShah says in a Check Point NGFW review
Network Security Consultant at a energy/utilities company with 5,001-10,000 employees

For the infrastructure in question, we have always used Check Point firewalls.

I have worked with Cisco ASA. Cisco is more CLI oriented, whereas Check Point is more GUI oriented. With the GUI, it's easier to manage and administrate it. If the configuration becomes bigger and bigger, it is really easy to see things in the GUI versus a CLI.

The advantage of the CLI is that you can create scripts and execute them. But the disadvantage is that they become so lengthy that it becomes very difficult to manage.

View full review »
Sunil Redekar says in a Check Point NGFW review
Security Engineer at Hitachi Systems

I have done four to five initial setups and configurations of firewalls, which have been completely fine and proper. There are no improvements needed.

For one firewall, it will take around two and a half hours to configure the interface and everything else. For the deployment of one firewall, it will take around two and a half hours. If you want to make any clusters, then it is around five to six hours. 

View full review »
Ifeanyi Onyiaodike says in a Check Point NGFW review
Network Administrator at a financial services firm with 5,001-10,000 employees

The VPN part was actually one of the most complex parts for us. It was not easy for us to switch from Cisco, because of one particular part of the integration: connecting the Check Point device to an Entrust server. Entrust is a solution that provides two-factor authentication. We got around it by using another server, a solution called RADIUS.

It was very difficult to integrate the VPN. Until now, we still don't know why it didn't work. With our previous environment, Cisco, it worked seamlessly. We could connect an Active Directory server to a two-factor authentication server, and that to the firewall. But when we came onboard with Check Point, the point-of-sale said it's possible for you to use what you have on your old infrastructure. We tried with the same configurations, and we even invited the vendor that provided the stuff for us, but we were not able to go about it. At the end of day they had to use a different two-FA solution. I don't if Check Point has a limitation in connecting with other two-FAs. Maybe it only connects with Microsoft two-FA or Google two-FA or some proprietary two-FA. They could work on this issue to make it easier.

Apart from that, we are coming from something that was not so good to something that is much better.

View full review »
reviewer1986 says in a Check Point NGFW review
Network Security Architect at a financial services firm with 1,001-5,000 employees

Upgrades and debugging of the operating system, as well as the backups and restores of configuration, need improvement. 

Debugging is very complex when compared to Fortinet, for example. That's the worst thing about Check Point. The deployment of the solution is harder than it is with the competitors. But after you've deployed it, the operation is easy.

View full review »
reviewer1420545 says in a Check Point NGFW review
IT-Infrastruktur at Synthesa Chemie Ges.m.b.H

Check Point has improved our organization in the following ways:

  • Provides for central management over all of the Check Point gateways
  • Maintains a changelog that shows which users have made changes
  • Version control allows us to roll back a ruleset after, for example, a misconfiguration
  • Offers very granular application control
  • Allows for various internet permissions for various users
  • Gives us very good logging, which is nice for troubleshooting because you can instantly which rule is affected for each action
  • The cloud gateway (Check Point Capsule Cloud) ensures that users are getting the same internet permissions as they would if inside the company, no matter which internet connection they are using
View full review »
AshishRawat says in a Check Point NGFW review
Firewall Administrator at a tech services company with 1,001-5,000 employees

Per my experience, it is very easy to scale these firewalls, because they are combined with the central management point. It is very easy to push the same configuration to different firewalls at the same time. It does not take much time to extend usage.

We use them throughout our organization. Currently we have used them for around 50 percent of our needs and there is definitely a room to grow. In the future we will definitely try to increase usage, if it is required.

View full review »
Palo Alto Networks NG Firewalls: Configuration
Network Engineer at Acliv Technologies Pvt Ltd

Deployment time depends on your requirements. If you talk about the system requirements, it hardly takes up to 15 or 20 minutes for the configuration.

That said, it totally depends on your requirements: What kind of policy you require that supports what kind of block, etc.

The deployment time would change based on these requirements, but the system configuration: accessing the internet and creating policies hardly takes 20 minutes.

Deployment is configured by administrators, so if we have any kind of issue in policies or any confusion, we get tech support.

View full review »
Sales Engineer at a wholesaler/distributor with 51-200 employees

I find the configuration the most valuable.

View full review »
IS&S Europe and Global Infrastructure Manager at a manufacturing company with 10,001+ employees

I think they need to have a proper hardware version for a smaller enterprise. We had to go to a very high-end version which is very expensive. If we chose the lower-end version, it would not meet our goals. A middle-end is missing in its portfolio.

For example, there's the PA820 and the PA220, but there's nothing between. So they are really missing some kind of small-size or medium-size usage. Right now, you have to choose either a big one or you have a very small one, which is not really good.

In the next release, it would be helpful if there was some kind of a visualized feature that showed the traffic flow, or something like that, to be able to simulate. When we define something if we could see a simulation of how the flow will be treated that would be great. Because today everything is done by experts by checking logs, but it's very time-consuming. If there's also a simulator to use when you apply some configuration, you can also apply on the simulator, to copy the configuration. So, you can see maybe to generate some traffic and to see how it will be treated. That will be very good.

View full review »
Senior Technical Consultant at Exclusive GRP

The initial setup was basic. It was very simple. The basic configuration will only take 15 minutes. Anyone can set it up. If a person has worked with a firewall before, they can do it themselves. You only need one person for deployment.

View full review »
Jean Maurice Prosper says in a Palo Alto Networks NG Firewalls review
Chief Executive Officer at a tech services company with 11-50 employees

Mostly it's improved the security side. There was no security before, and we were looking for a solution that could give us the exact capacity to do all the configurations that we need, while also providing a high level of security. 

View full review »
reviewer1132443 says in a Palo Alto Networks NG Firewalls review
User

The initial configuration is complicated to set up. You really have to know what you're doing. I attribute that to all of the features and functions that are built into the product. Luckily, Palo Alto has a great support site and you can find contractors who are knowledgeable in the technology.

View full review »
Sales Solutions Engineer at a tech services company with 501-1,000 employees

The manufacturer can improve the product by improving the configuration. Some of the menus are difficult to navigate when trying to find particular features. It is not entirely intuitive or convenient. You might need to configure a feature in one menu and next you need to go to another tab and configure another part of the feature in another tab. It's not very user-friendly in that way. On the other hand, it's still more user-friendly than using the console. But this is certainly one feature they can improve.

View full review »
Vice President & Head Technology Transition at a tech services company with 10,001+ employees

The support could be improved.

The next release could use more configuration monitoring on this one, and additional features on auditing.

View full review »
reviewer1232628 says in a Palo Alto Networks NG Firewalls review
Solutions Architect at a comms service provider with 501-1,000 employees

As a solutions architect group, we are what you would call "vendor-agnostic." We evaluate any solution that seems like it may be viable to provide clients with some advantages. I will never go to a customer and say that these are the only products that we are going to support. However, if there is something that a client wants to use which I feel would be detrimental to their business or that doesn't fit their needs, I will encourage them to look at other solutions and explain why the choice they were leaning towards may not be the best. When a solution they want to use means that no matter what we do they are going to get broken into, I'll let them know. It isn't good for their business or ours.

That said, some of the most requested or considered firewall solutions by clients beside Palo Alto are Fortinet, Firepower, and Meraki. Looking at each provides a background into how we look at solutions and how we evaluate options for clients. You have to look at the benefits and disadvantages.

Cisco Firepower NGFW (Next-Generation Firewall)

I think that Firepower can be simplified and can be made into a more viable product in the Cisco line. I think that Cisco has the ability to get into the Firepower management platform and trim it, doing so by breaking down all of the different areas of concern and configuration and categorizing them into overviews, implementation across the board, and steady-state management. If they were to do that, then users could start at the top layer and drill down more as they see fit to customize to their needs. I believe that Cisco can do that with Firepower and make it a much better security tool.

Firepower is not just a firewall, it is an SD-WAN. It is an application that Cisco sells that gets loaded onto an ASA 5500 series appliance (the appliance has to be the X platform). It is not a bad solution. I can use it to get into your network and protect a lot of your customers who will be running traffic through it. But a problem that you are going to get into as a result of using Firepower is that it is extremely difficult to configure. Security engineers that I have handed the setup after a sale came back from the service and asked me never to sell it again because it was very difficult for them to set up. However, it is also very secure. The difficulty is in using the GUI, which is the console that you would log into to set up your rules and applications. It can take about 10 times as long as Meraki to set up, and that is no exaggeration. Palo Alto is easier to set up than Firepower, but not as easy to set up as Meraki. But, the security in Palo Alto is phenomenal compared to Meraki. Firepower is pretty secure. If it was a little easier to operate, I'd be recommending it up one side and down the next, but ease-of-use also comes into play when it comes to recommending products.

I'll support what Firepower has to offer considering the quality of the security. But I can't take anyone seriously who is proud of themselves just because they think their firewall is next generation. It might have that capability but it might not be 'next generation' if it is set up wrong. Some vendors who sell firewall solutions that I've spoken to admit to dancing their customers around the 'next generation' promise and they make amazing claims about what it can do. Things like "This firewall will protect the heck out of your network," or "This firewall has built-in SD-WAN and can save you lots of money." These things are true, perhaps, depending on the clients' needs and the likelihood that they will be able to properly manage the product. 

Firepower is a capable solution but it is difficult to set up and manage.

Cisco Meraki NGFW (Next-Generation Firewall)

Meraki was a horrible acquisition by Cisco and it is harming their name. All of us who are familiar enough with the firewall know how bad that firewall is and we know that Cisco needs to make changes. The acquisition is almost funny. The logic seemed to be something like "Let's buy an inferior security solution and put our name on it." That is a textbook case on how not to run a company.

If Cisco wanted to improve Meraki, the first thing they need to do is simply activate the ability to block an unknown application. Start with that and then also improve utility by blocking every threat by default like other products so that users can open up traffic only to what they need to. That saves innumerable threats right there.

There are situations where Meraki works very well as is. One example is at a coffee shop. What the coffee shop needed for their firewall solution was to have a firewall at every location for guests. The guests go there to eat their donuts, drink their coffee, and surf the internet. The company's need was simply to blockade a VLAN for guest access to the internet while maintaining a VLAN for corporate access. They need corporate access because they need to process their transactions and communications. All corporate devices can only communicate through a VPN to headquarters or through a VPN to the bank. For example, they need to process transactions when somebody uses their debit card at a POS station. It works great at the coffee shop. 

It works great at department stores as well. All employees have a little device on their hip that enables them to find what aisle a product is in when a customer asks them. If the store doesn't have the product on hand, the employee can do a search for another store that does have it in stock right on the device. They can do that right on the spot and use that service for that device. For that reason, they are not going across the internet to find the information they are searching for. They are forced into a secure tunnel for a specific purpose. That is something you can do with Meraki. If you don't let employees surf the web on the device, then Meraki will work.

I can actually give you the methodologies in which hackers are able to completely hack into a Cisco customer's network and steal extremely valuable information. Meraki is the most simple of all firewalls to infiltrate in the industry. It is an extremely dangerous piece of hardware. What comes into play is that Meraki, by default, does the opposite of what all of the other firewalls do. Every firewall not called Meraki will block every means of attack until you start saying to permit things. The Meraki solution is the opposite. Meraki, by default, blocks nothing, and then you have to go in and custom key everything that you want to block. This is dangerous because most people don't know everything in the world that they need to block. With Meraki, you have to get hacked in order to be able to find out. Now, tell me who really wants that.

An example of this is that Meraki cannot block an application it doesn't know about, which means that all unknown applications are forever allowed in by Meraki. If I am a hacker and I know that you are using a Meraki firewall, I can write an application to use for an attack. When I do, it is unknown because I just wrote it today. If I load it up on a website, anybody that goes to that website using a Meraki firewall has this application loaded onto their computer. Meraki can't block it. That application I wrote is designed to copy everything from that person's computer and everything across the network that he or she has access to, up to a server offshore in a non-extradition country. I will have your data. Now I can sell it or I can hold you for ransom on it.

Customers love it because it is simple to configure. I don't even need to be a security architect to sit down at a Meraki console and configure every device across my network. It is an extremely simple device and it's extremely cheap. But you get what you pay for. You are generally going to suffer because of the simplicity. You are going to suffer because of the low cost and "savings."

All I can say about Meraki is that it is cheap and easy to use and fits well in niche situations. If you need broader security capabilities, spend a few bucks on your network and get a better security solution.


Fortinet FortiGate
 NGFW (Next-Generation Firewall)

I'm supportive of Fortinet because it is a decent next-generation firewall solution. While not as secure as Palo Alto, it is a cost-effective and reasonably reliable product. I have customers choose it over Palo Alto. But if they decide to use this solution, I want to charge them to manage it for them. The reason for that is, if anything goes wrong in the network and they get hacked, my client will likely get fired and replaced. If anything goes wrong in the network and I am paid to manage their firewall, I am the one in trouble if they get hacked — not the client. I apply my services to the network, make sure everything is working as it should and give them my business card. I tell them that they can give the business card to their boss if anything goes wrong because the guy on the card is the one to blame. That way I remain sure that nothing will go wrong because of poor administration, and my client contact sleeps better at night.

Fortinet is sort of middle-of-the-road as a solution. It has a relative simplicity in setup and management, it has a lower price and provides capable security. Fortinet FortiGate still gets some of my respect as a viable alternative to Palo Alto.
     

Comparing the Complexity of Setup

Firepower is the most complex to set up. The second most complex is Palo Alto. The third is Fortinet. The fourth is Meraki as the simplest.

Rating the Products

On a scale from one to ten with ten being the best, I would rate each of these products like this:

  • Meraki is a one out of ten (if I could give it a zero or negative number I would).
  • Fortinet is seven out of ten because it is simple but not so secure.
  • Firepower is seven out of ten because it is more secure, but not so simple.
  • Palo Alto is a ten out of ten because the security side of it is fantastic, and the gui is not a nightmare.

An Aside About Cisco Products 

It is interesting to note that the two offerings by Cisco are on completely opposite ends of the spectrum when it comes to the learning curve. Firepower is on one end of the spectrum as the most difficult to configure and having the worst learning curve, and Meraki is on the other as the easiest to configure and learn. Both are owned by Cisco but Cisco did not actually develop either of product. They got them both by acquisition.

View full review »
Information Security Specialist at UAEU

We are basically using a double protection layer in which we take care of all our DMV, VPN, tunnels, and internal network. We are basically using it for application based configuration  controlling our traffic on applications with layers four to seven. We are customers of Palo Alto and I'm an information security specialist. 

View full review »
reviewer1153383 says in a Palo Alto Networks NG Firewalls review
Sr. Solution Architect at a tech vendor with 501-1,000 employees

While we mainly deal with on-premises deployment models, occasionally we also do hybrid deployments.

We're not a customer. We're a systems integrator. We're a reseller. We sell solutions to our clients.

Palo Alto is very good at policymaking. It's like they have a single policy that you can use. Other solutions don't have single policy use, which means you have to configure everything. There may be many consoles or many tasks that you'll have to worry about other solutions. Multiple task configuration should not be there, and yet, for many companies, it is. This isn't the case with Palo Alto. Palo Alto is easy compared to Fortinet. 

It's overall a very solid solution. I would rate it nine out of ten.

View full review »
Assistant Manager at Net One Systems

Our primary use case was to configure our PSAs for our customized configuration

View full review »
Antonio El Khoury says in a Palo Alto Networks NG Firewalls review
System Engineer at IRIS

This is a stable firewall and you don't have a lot of surprises. The performance, throughput, and decryption are all good. It is important to remember that at the end of the day, it depends on the configuration.

For special functionality, you are going to have some exceptions. However, for the well-known functionality, it is stable.

View full review »
Fortinet FortiOS: Configuration
Directhost465 says in a Fortinet FortiOS review
Director Of Hosting Services at a tech services company with 51-200 employees

Excluding the login performance — which we would have issues with in the past that made us have to turn off the feature in order to examine the infrastructure — every other feature and functionality has proven to be stable. We have also experienced some issues with performance with filtering traffic but it was on the appliance and because it was just a basic setup.  The real problem was the configuration and had we been more familiar at the time, we would have done a better job with it. So it was not the product that was unstable, it was our application of it.

View full review »
MohamedTalbi says in a Fortinet FortiOS review
Network and Security Engineer at VERMEG for Banking & Insurance Software

It's important to have 24/7 support because the documentation is poor and you will need the support. It's important to have a support team and a support contract. 

I would rate it a nine out of ten. Not a ten because of the troubleshooting. Other solutions have a mechanism to find your IP network. Cisco has something called Packet Tracer which is very advanced that helps you test your configuration. It really helps the engineers to test without affecting the product environment.   

View full review »
Khaled Barakat says in a Fortinet FortiOS review
Technical Consultant at ezz elarab

Fortinet is very easy to use. I like its configuration and the various functions it offers. 

I think the most common use for a firewall system is web filtering and application filtering. The program has other features too, like anti-virus and other security features, but I think that some of the usage is there to control and connect web filtering and application filtering and to control what comes in and what goes out.

View full review »
SoheylNorozi says in a Fortinet FortiOS review
IT Consultant at a tech services company with 51-200 employees

I go about initial setup by just implementing the configuration using CLI (Command Line Interface) to propagate the components. I think the initial setup is straightforward.

View full review »
technica379896 says in a Fortinet FortiOS review
Technical Head at a tech services company with 51-200 employees

The VDOM (Virtual DOM) is a virtualized firewall that has some opportunities for flexibility that are an advantage in certain configurations. The other valuable part is that this flexibility makes it easy to integrate with Cisco products.  

View full review »
Comodo Dome Firewall [EOL]: Configuration
Walter Shelver says in a Comodo Dome Firewall [EOL] review
Owner at CableWeb

The setup, the configuration, and the security are the most valuable features.

This solution is user-friendly.

View full review »
Huawei NGFW: Configuration
MuhammadAdnan says in a Huawei NGFW review
Security Engineer at Multinet Pakistan Pvt.

Normally, the initial setup is straightforward. The length of time for deployment depends on the client, their environment, and the requirements. For a basic configuration, we can normally deploy within three to five working days. Sometimes, it will take longer because of the requirements, but the basic configuration should not be any longer.

View full review »
reviewer1388931 says in a Huawei NGFW review
Section Head Project Planning and Management. /Lead Network and Security Engineer at a government with 1,001-5,000 employees

The support could be improved. As we've gone along, we've realized the support is not effective due to the contracts we have. They need to offer more support upfront, no matter what contract you have.

The solution requires a more interactive dashboard. That would make it easier than playing with configurations the way we have to now.

It would be better if upgrading the solution was easier.

The solution needs four-way deployments and dashboard confirmation.

The product should be able to integrate with products like Ansible.

View full review »
Forcepoint Next Generation Firewall: Configuration
Information Security Consultant at a tech services company with 51-200 employees

We are an integrator that helps with the installation.

The initial installation needs a high level of knowledge because it's not like other firewalls where you have one single appliance. You need to have a separate machine to manage the firewall. The firewall is just a dummy device and all the configurations are done on a Windows machine. Sometimes, in the case of the unavailability of a Windows machine, you cannot do much with the firewall.

View full review »
Security Pre-Sales Manager at a tech services company with 51-200 employees

They just need to make sure that their environment is ready for implementing the firewall. They have to prepare for about two hours of downtime because we need some downtime to do the initial configuration. They need to be prepared for the deployment plan. That's all.

The biggest lesson I learned is that you cannot provide everything in one box. You can provide everything in one box, but you cannot provide everything deeply with the same quality all in one box. You need to give up on something to gain another. I'm always telling the customer, what's your biggest issue? Is it security or performance? Is it task optimization? What is your biggest concern? Based on their answer, I recommend one of the vendors that we work with.

If he said that he does not have any problems with anything, he just wants to get everything, then I provide them with Forcepoint and tell them that they will have some issues in a certain area. If he is okay with that, we go with the product. If he isn't okay and cannot accept that risk or that point, then we go with another vendor.

What I learned from them is that you can provide everything in one box, but you cannot provide everything with the same quality in that box.

They have really good capabilities if you want to use it. So I do recommend them in some cases, when the customer needs some optimization, along with performance and security. If they want everything in one package, I recommend Forcepoint because they have everything. That's why I recommend Forcepoint in that situation.

I would rate the solution as eight out of ten. If they solve the problem of optimization and added those IPS rules, I believe that they would deserve nine of ten. Nothing is perfect, though.

View full review »
Head of Infrastructure & Cloud Section at a computer software company with 1,001-5,000 employees

I might have contacted them for some questions related to managing instances. We sometimes had problems with registering or activating licenses on the manufacturer portal. I haven't opened any ticket personally. My colleagues have contacted them for technical support, that is, for problems that go beyond the basics of the Forcepoint configuration, such as for replacing some faulty components. Their experience was good in general.

View full review »
ShieldX: Configuration
CIO0ee7 says in a ShieldX review
CIO at a comms service provider with 1,001-5,000 employees

ShieldX has been designed from the very beginning to work well in cloud environments. It understands autoscaling, automation, and auto-configuration. These are the things which are important in today's operating environment.

We have already added it to the enterprise environment. We are in the process now of putting it into production. We are somewhere around 15 to 20 percent done. Our goal is to get up as high as 100 percent within the next six to nine months.

View full review »
Zscaler Cloud Firewall: Configuration
Carlos Snel says in a Zscaler Cloud Firewall review
Director at Aquila ICT Solutions

The solution has great features like configuration. It would be difficult to improve or simplify what Zscaler does. Once you have Zscaler running you have access to configure it however you want.

View full review »
Palo Alto Networks K2-Series: Configuration
Network Security & Virtualization at a financial services firm with 1,001-5,000 employees

We are talking about a firewall and we are not talking about a simple machine. We are talking about a machine that is not something you can just make simple. We are not talking about a general machine, so it does not really have general features. It does have multiple features. It does have processing engines — the parallel processing of Palo Alto — which is great. The stability will depend on the configuration and use. You really only have two options. You can either go for Palo Alto, or with Fortinet. These are the leaders of network security right now, so I guess those are stable or they would not be popular.  

View full review »
reviewer1271676 says in a Palo Alto Networks K2-Series review
IT Specialist at a transportation company with 10,001+ employees

The stability of the solution is rather excellent. It is really stable unless somebody messes up a configuration. We didn't face any bugs or crashes or have any issues with glitches.

View full review »
reviewer1270158 says in a Palo Alto Networks K2-Series review
System Engineer at a tech services company with 501-1,000 employees

Palo Alto has an approach that makes the configuration easier not only for the customers but also for the IT help for the customers. 

View full review »
CSD Manager at BTC

The ease of management and configuration should be improved.

The price of the K2 series could be lower.

View full review »
Juniper vSRX: Configuration
Aaron Venson says in a Juniper vSRX review
CTO at SEV Technologies LLC

The integration and configuration with AWS was excellent.

View full review »
reviewer1011693 says in a Juniper vSRX review
Expert - architect of ICT systems at a tech services company with 501-1,000 employees

The solution as a whole is good, but it requires knowledge to use it properly. We know this solution well; we know all of its configurations and little secrets that inexperienced users may not be aware of. It's a very powerful solution and the firewalls function with high performance. The configuration is also great.

View full review »