Firewalls Forum

Ariel Lindenfeld
Sr. Director of Community
IT Central Station
Jan 16 2019
Stuart Berman: The state of the firewall has moved from IP and port filtering to combining these elements:
1) Application awareness (want to block Tor or BitTorrent?)
2) User identity awareness (policies based on identity, not just source IPs)
3) Policies based on device attributes (allow smartphones to access email without login)
Forward-thinking enterprises are looking at Unified Threat Management devices (or NGFW) to combine these functions along with IPS/IDS, malware filtering, AV gateway and other features.
Peter Limbuhan: A firewall should be:
- equipped with NGFW features
- capable of inspecting encrypted traffic without breaking or compromising the security of the traffic
- scalable
- easy to manage and configure
- backed by excellent vendor support
Rhea Rapps
Content Specialist
IT Central Station
Is it required in your company to conduct a security review before purchasing a firewall? What are the common materials you use in the review? Do you have any tips or advice for the community? Any pitfalls to watch out for?
Chris Loehr: If you are a small shop, you need to trust your MSP, VAR or another reseller when purchasing a firewall. Don't just go online and buy direct. Resellers have trained people. Most mainstream vendors even have devices that can be deployed ahead of time to get a good idea of your firewall needs. In today's firewall world, it comes down to the software package that you license on your firewall. If you get a firewall without the security software, you are not getting an effective firewall. If you are a midmarket or large company, there are tools such as ThreatCare that can help you test the effectiveness of the firewalls you are putting through proof-of-concept testing. They will test how well the capabilities are working, especially the ones that are in place to ensure confidential information does not go out of your network without authorization.
Dan Stolts: Yes, I recommend doing a security review regularly. Not necessarily before a firewall purchase, unless you have not done one lately. Having the results of the review will help you understand what capabilities you need in a firewall. As an example, if you get a ton of login attempts from outside your country of origin but have no customers or partners outside the country, you will want to have "country blocking" capabilities. There are a number of tools that can be used for evaluations. We currently use RMM and security tools from SolarWinds. We have other tools as well. To perform a security review you have to have tools do the work. It simply is not possible for an individual to perform a thorough check without significant automation. We offer this as a service as well.
Pros: SolarWinds has a free version of some of the useful tools, such as their Security Information and Event Management (SIEM) tool. You can rent some tools by going through a partner (such as us).
Cons: Tools to purchase are a bit expensive. The performance checks that RMM uses are not accurate on large, busy machines. Support leaves much to be desired.
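The "login attempts from outside your country of origin" check above is the kind of thing that is easy to automate. The script below is an added example (not Dan's tooling and not a SolarWinds feature): it counts failed SSH password attempts per source country from sample auth-log lines and lists the countries that would be candidates for country blocking. The log lines are constructed for the example, and the prefix-to-country table is a stand-in for a real GeoIP database (MaxMind GeoLite2 or similar); the prefixes and the country codes XA/XB are invented and carry no real-world meaning.

```python
"""Failed-login analysis by source country (added example, not from the forum post).

Assumptions (not in the original post):
- Log lines follow the OpenSSH "Failed password" syslog format.
- GEOIP_TABLE is a constructed stand-in for a real GeoIP lookup; the
  prefixes and the country codes XA/XB are invented for this example.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample auth-log lines (not real traffic).
SAMPLE_LOG = """\
Jan 16 03:12:01 bastion sshd[1201]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jan 16 03:12:03 bastion sshd[1201]: Failed password for root from 198.51.100.23 port 40130 ssh2
Jan 16 03:12:05 bastion sshd[1203]: Failed password for invalid user admin from 203.0.113.77 port 51000 ssh2
Jan 16 03:12:09 bastion sshd[1204]: Failed password for invalid user admin from 203.0.113.78 port 51004 ssh2
Jan 16 03:13:40 bastion sshd[1210]: Accepted publickey for ops from 192.0.2.10 port 60000 ssh2
Jan 16 03:14:02 bastion sshd[1211]: Failed password for ops from 192.0.2.11 port 60010 ssh2
Jan 16 03:15:55 bastion sshd[1212]: Failed password for root from 203.0.113.90 port 51020 ssh2
Jan 16 03:16:00 bastion sshd[1213]: Failed password for root from 198.51.100.44 port 40200 ssh2
"""

# Constructed stand-in for a GeoIP database: prefix -> ISO-style country code.
GEOIP_TABLE = {
    "192.0.2.0/24": "US",
    "198.51.100.0/24": "XA",
    "203.0.113.0/24": "XB",
}
GEOIP_NETWORKS = [(ipaddress.ip_network(p), c) for p, c in GEOIP_TABLE.items()]

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..."; successful logins are ignored.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")


def country_of(ip: str) -> str:
    """Longest-prefix-style lookup against the constructed table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_NETWORKS:
        if addr in net:
            return country
    return "??"


def failed_logins_by_country(log_text: str) -> Counter:
    """Count failed password attempts per source country."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[country_of(m.group(1))] += 1
    return counts


def recommend_country_blocks(counts: Counter, allowed: set, min_failures: int = 2) -> list:
    """Countries to consider blocking: not on the allow-list and at least
    min_failures attempts. Sorted noisiest first, then by code for stable output."""
    candidates = [(c, n) for c, n in counts.items() if c not in allowed and n >= min_failures]
    candidates.sort(key=lambda cn: (-cn[1], cn[0]))
    return [c for c, _ in candidates]


if __name__ == "__main__":
    counts = failed_logins_by_country(SAMPLE_LOG)
    for country, n in counts.most_common():
        print(f"{country}: {n} failed logins")
    # Business operates only in "US" here, so everything else is a block candidate.
    print("block candidates:", recommend_country_blocks(counts, allowed={"US"}))
```

The allow-list is the important knob: country blocking only makes sense when you can state which countries legitimately reach the service, and a single failure from an allowed country (the "ops" user here) should not put that country on the list.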
Michael Majeski, MBA, PMP, CSM:
Is it required in your company to conduct a security review before purchasing a firewall? Firewall reviews are usually done annually and equipment is purchased to protect each network data point.
What are the common materials you use in the review? To verify the open ports, services, and applications of what is allowed and disallowed. Most companies are moving towards software like Tufin to help continually perform these rule deployments and changes globally.
Do you have any tips or advice for the community? Adopt a common service platform to connect to the service desk, deployments and regular review to reduce errors and service time to deploy firewall changes.
Any pitfalls to watch out for? Not being able to survey current firewall rules and settings automatically could leave the company vulnerable to intrusion or failed services for internal stakeholders.
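Two of the checks a rule-base survey like the one Michael describes should run are "is there an allow-any rule?" and "is any rule unreachable because an earlier rule already matches everything it would?" (shadowing). The code below is an added example of those checks, not the poster's tooling and not an implementation of Tufin or any vendor product. It assumes first-match rule evaluation and a constructed, simplified five-tuple rule form; a real audit would first parse the appliance's own export (FortiGate, pfSense, iptables-save, ...) into this shape, which is not shown here.

```python
"""Firewall rule-base audit: allow-any and shadowed/redundant rules.

Added example, not from the forum post. Assumptions (not in the original):
first-match semantics, IPv4 only, and a constructed simplified rule format.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    proto: str       # "tcp", "udp" or "any"
    dport: tuple     # (low, high) inclusive; (0, 65535) means any port


ANY_PORTS = (0, 65535)


def _net(cidr: str):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`.
    Each field of `inner` must be a subset of the corresponding field of `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = _net(inner.src).subnet_of(_net(outer.src))
    dst_ok = _net(inner.dst).subnet_of(_net(outer.dst))
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return proto_ok and src_ok and dst_ok and port_ok


def is_allow_any(r: Rule) -> bool:
    return (r.action == "allow" and _net(r.src) == _net("any") and _net(r.dst) == _net("any")
            and r.proto == "any" and r.dport == ANY_PORTS)


def audit(rules: list) -> dict:
    """Return the findings for an ordered, first-match rule list:
    - permissive: allow-any rules
    - shadowed:   (rule, earlier rule) where the earlier rule covers it with a different action
    - redundant:  (rule, earlier rule) where the earlier rule covers it with the same action
    Only the first covering rule is reported for each rule."""
    findings = {"permissive": [], "shadowed": [], "redundant": []}
    for i, r in enumerate(rules):
        if is_allow_any(r):
            findings["permissive"].append(r.name)
        for earlier in rules[:i]:
            if covers(earlier, r):
                key = "redundant" if earlier.action == r.action else "shadowed"
                findings[key].append((r.name, earlier.name))
                break
    return findings


# Constructed sample rule base (not a real export). Evaluated top to bottom.
SAMPLE_RULES = [
    Rule("block-known-bad", "deny", "203.0.113.0/24", "any", "any", ANY_PORTS),
    Rule("allow-web", "allow", "any", "10.0.1.0/24", "tcp", (443, 443)),
    Rule("allow-mgmt", "allow", "10.0.9.0/24", "10.0.1.0/24", "tcp", (22, 22)),
    Rule("allow-all-temp", "allow", "any", "any", "any", ANY_PORTS),        # "temporary" allow-any
    Rule("deny-ssh-internet", "deny", "any", "10.0.1.0/24", "tcp", (22, 22)),  # never reached
    Rule("allow-web-dup", "allow", "192.0.2.0/24", "10.0.1.0/24", "tcp", (443, 443)),
    Rule("deny-bad-ssh", "deny", "203.0.113.0/24", "10.0.1.0/24", "tcp", (22, 22)),
]


def audit_sample() -> dict:
    return audit(SAMPLE_RULES)


if __name__ == "__main__":
    for category, items in audit_sample().items():
        print(f"{category}: {items}")
```

The shadowed finding is the one that bites in practice: the "temporary" allow-any rule silently turns the later deny into dead configuration, and nothing in the GUI's rule count tells you that. Reporting redundant rules too keeps the base small enough that the next reviewer can still read it.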
Terry Stokes
Information Technology Manager at a healthcare company with 51-200 employees
I have a web-based firewall solution from our telecom vendor which is not user friendly, nor does it show you the traffic on the firewall. I have six geographically dispersed locations. What do you recommend for a corporate firewall implementation?
sgelband: pfSense will easily let you interconnect all 6 locations. It has a terrific GUI and fantastic tools for OpenVPN. The support guys are the best I have ever worked with. And once you master it, it is entirely free.
Irvin Gaerlan: I would recommend Sophos UTM9. We've been using it for more than 2 years and it's stable. Although Sophos is already recommending their newest XG line, the UTM9 version is very stable and still has large community support. The UI is intuitive and the features are up to par for your most demanding policy enforcement. Like all the posts before, you have to determine appropriately the scale and expected throughput for your traffic so that your organization can decide the appropriate device model for the task. Sophos also has a unified management UI for managing all your firewalls in one place, called Sophos Firewall Manager. Whether you like to deploy a full-blown firewall appliance per site or RED devices, Sophos Firewall would most probably be one of your organization's top choices.
Cristian Menghi: Hi, I'm a big fan of open-source solutions; right now I'm very satisfied with pfSense (you can use your own hardware or buy an appliance from (the sponsor of pfSense)). Other paid solutions can be MikroTik (which is Linux-based), Ubiquiti or Fortinet.
Rhea Rapps
Content Specialist
IT Central Station
One of the most popular comparisons on IT Central Station is Fortinet FortiGate vs Sophos UTM. One of the users on our site says about Fortinet FortiGate, "A strong point of FortiGate is that the graphical interface is complete and easy to use, especially if we think there is a list of operations that we are able to perform inside." Another user says about Sophos UTM, "Brings greater visibility into the network traffic coming inside and passing away from the company." In your opinion, which is better and why? Thanks!
Maher Abdelshkour: Sophos and FortiGate are both good solutions, but you need to know the advantages and disadvantages of each. Sophos is great as a visionary company, keeping up with IT managers' requests for features within their products (especially the Sophos SG appliances and XG NGFWs). Their hardware addresses a constant situation where many competitors fail: they are scalable and tough (SSD hard drives and Intel's latest-generation processors, that is about it). Sophos offers HIGH AVAILABILITY with just one license. While other vendors try to squeeze companies for every penny, Sophos addresses that issue and is honest about it: they deliver high availability in active/passive mode, with two identical hardware units, with just one license.
((Pros))
1. Scalability: if you need HA in active/passive mode but need more throughput during certain periods when the parameters change (i.e. number of users, or Internet bandwidth growth), you can always license the second unit and it will behave as a cluster in active/active mode in just 2 minutes, with no downtime.
2. Delivers great WebGUI management, which is easily understandable by every IT professional.
3. Worldwide RMA, gosh! If you have any kind of issue with your hardware, Sophos will deliver a replacement to your business door at no cost, with a return label for you to ship the damaged or faulty device back. No questions asked.
4. Constant visionary technology, with out-of-this-world new features.
((Cons))
1. Standard support could be better; it used to be great, now not so much (for paying customers that only acquired the hardware).
2. The wireless solution could be better; there is always room for that, now that everybody needs robust Wi-Fi, even at home!
3. Faster and more robust wireless access points, or other-vendor compatibility.
Fortinet FortiGate needs very low maintenance and is easy to upgrade, and its rich feature set and robust monitoring have made this product almost fun to use.
((Pros))
1. The VPN client is easy to use and can be customized for your organization.
2. All features are enabled on the firewall with little to no impact on performance.
3. Easy-to-configure interface on the firewall, but also has a command line available for high-level admins.
4. Excellent technical support department; very quick response time.
5. Pricing was amazing compared to peers.
((Cons))
1. Prepare for terrible support: hour-long hold times for Level 1, and next-day call backs for Level 2.
2. The sales team is lacking information (type of licensing, hardware model, etc.). Make sure you ask lots of questions.
Now you have better information about both solutions and you decide which one is better for your needs.
reviewer175356: I would like to strongly recommend Fortinet products for the following reasons.
1. If you go to the Gartner Magic Quadrant for comparing security firewalls, you can easily see that Fortinet is among the leaders for maintaining network security features. Sophos does not come into the picture.
2. There are multiple flavours of Fortinet products available in the market.
3. Fortinet TAC support is good and has experienced TAC engineers to resolve issues.
4. Fortinet firewalls come with next-gen firewall features which can amplify your security posture.
5. Security updates received from Fortinet are much better, and they release them as soon as any outbreak is noticed.
Jeff Stutzman: I have no real experience with Sophos, but can comment on FortiGate. I'm a huge fan of both Meraki and FortiGate. Meraki is used for more hands-off approaches, while FortiGate is used for those times when I need greater granularity in control. The boxes are priced out about the same, but while both machines are packed with features, the FortiGates offer more control.
Sunil Soni
Can I please get feedback on which of these three firewall products is the best? Is there another product you would recommend?
reviewer230721: It looks like WatchGuard is doing a really bad job in its marketing, as it is in many aspects superior to other firewall vendors, when you are really into security and not just looking to have a box that you will set up and forget. The biggest mistake in firewalling and security is that everyone just looks to have things as simple as possible, sets them up and then never looks back at them. Firewalls are not L2 switches! Still, many would like to handle them as such. Big mistake. But there is no 'best' firewall. All good ones have advantages and disadvantages. It's pretty much like there is no 'best car'. You just have more and less popular ones, and some that spend tons of money on marketing to give you a fake sense of how good they are. Today it's easy to get demo/eval appliances. Instead of asking what others like, everyone should evaluate the different products out there and find out what HE likes. Others don't have the same environment as you have, nor do they have the same requirements, skills and experience. All this is critical for choosing the right firewall solution for your needs. There is a Gartner MQ released every year and there is the NSS Labs report. It should not be too difficult to find out what solutions are worth evaluating. But please don't let others decide for you what firewall you should be using!
Eric Burke: I've utilized both SonicWALL and Fortinet in many implementations over the years. Fortinet does a better job in large, multi-tenant deployments and has excellent stateful packet inspection throughput. If you're planning to do SSL decryption and inspection, SonicWALL is the way to go (and currently, the product we lead with). I've found SonicWALL to be easier to manage, and have also found that if you're a GUI-oriented user, all of the features are there in the UI. On the FortiGate you'll often have to dig into the CLI to enable some features.
reviewer215406: Out of these three firewalls I would, and have, chosen Fortinet. Check out NSS Labs for real-world comparisons. I have been using FortiGates for 2 years now in HA configurations and have only once had to use the CLI. Also, updates and firmware upgrades never bring the network or internet down. These firewalls get new features added at no extra cost and the throughput is amazing. Buying the UTM bundles gets you all of the features you need and more. I heard about support issues, but every time I call I get routed to someone who knows how the features work and actually helps. We added a FortiAnalyzer and now we can see logs from all of the firewalls in one console and hold them for a year. Fortinet doesn't just manage their antivirus products, they are the developers. These firewalls decrypt data on the fly and scan for viruses before it gets to your email, desktops or servers. Within the first week it caught ransomware within a Yahoo email before it could infect our systems. We replaced our Websense URL filtering with the URL filtering within the FortiGates and never looked back. I could go on and on, but the real tilt in Fortinet's favor was that it was near half the cost of similar features and functions PA had quoted. Write down what you want and then ask if the vendors have these included in their firewalls or if they have separate appliances that can do them. Every appliance has a latency cost associated with it. You might find that all three can do what you want; then it will come down to the management of the firewalls and cost. Good luck.
Amitava Ganguly
Admin - IT Infrastructure, Networking ,Communications & Security at a manufacturing company with 501-1,000 employees
We are planning to procure a UTM along with an endpoint solution. Primarily we have selected the following brands and models by going through different reviews: Sophos XG 210 HW and Sophos XG 135 HW; FortiGate FG 100E and FortiGate FG 60E. Ours is a medium-size organization with 100 desktops and 10 Windows servers. We are using Exchange 2010 as our mail solution. Our major objective is to protect against external and internal threats, including RANSOMWARE, which may come through e-mail, the Internet, pen drives or external hard disks. From the cost perspective, Sophos is cheaper. Please help us to decide about the UTM.
Justin Twiss: Hi guys, I'm not familiar with the Sophos units but definitely am with the FortiGates. For that size environment (100 users) I'd recommend the 100E over the 60E, especially if you're looking at using the NGFW functionality (i.e. UTM, web filtering, IPS and the like). Additional headroom in CPU and memory may not be important at the moment, but it will be when the unit is approaching end-of-life. We've found 60Es are good for up to about 70 medium-to-heavy users; 100Ds (and now the 100Es) are good for 100-200 users. Like all NGFW solutions, the total cost isn't "the appliance" itself. Always look at the overall cost over the lifetime of the unit (3-5 years at most), inclusive of maintenance, bundling and the like. Specifically, units like the Palo Altos have a cheap upfront price, but when your annual renewal is >50% of the cost of a replacement unit, it very quickly adds up over the lifetime of the unit (especially if you need to bundle individual components separately, like web filtering and IPS; I'm looking at you, Cisco!). Hope that helps, -JT
ramesh1923: Here I would suggest you go with FortiGate. The choice between the 60E and 100E is based on your throughput: the 100E is capable of handling 100 Mbps of real-time UTM traffic and the 60E is capable of handling 40 Mbps of UTM traffic.
Milenko Jakovljevic: Can't tell about Sophos, but we have a Fortinet firewall, and we are very pleased with the service and efficiency. I think that it is worth the money we spent to put this in place. We tried a Cisco firewall first, but the service was just awful; the Cisco partner could not even install the device and could not make it work with our network (it took less than 2 hrs for Fortinet to install and configure everything we needed). With Fortinet you have great tech support and a LOT of "how to" videos, so I can say that I am very happy with Fortinet.
Rhea Rapps
Content Specialist
IT Central Station
On a scale from 1-10, how would you rate Palo Alto Networks VM-Series and why?
Rhea Rapps
Content Specialist
IT Central Station
On a scale from 1-10, how would you rate Barracuda Networks NG Firewall and why?
Nick Staicu: I have not used Barracuda NG. I would stick with a Fortinet or, depending on the budget and what quotes you get, with a WatchGuard or Sophos (it may also depend on previous experience). I started my comparison from the Gartner Magic Quadrant for Unified Threat Management and reduced my list to Fortinet, Check Point, Sophos, Cisco and SonicWALL. I selected the models based on needs (current and in the next 2-3 years), also with help from technical representatives of the respective manufacturers. Then, based on cost (actual lowest offers), I eliminated Check Point and Cisco (with 3 years of support the Check Point was 4 times more expensive than Fortinet!). My final 3 were Fortinet, a new model of SonicWALL and Sophos. Reading actual reviews, support forums (check for memory leaks!), and even from pricing, my choice was a new Fortinet (from the newer E series), with the UTM bundle and 3 years of support and updates, with Sophos XG as runner-up. For SonicWALL I got quotes from partners and from Dell; there is a part number for a competitive upgrade which gives 2 years of support instead of 1 (but still, with 2 years of support, it was more expensive than the Fortinet or Sophos with 3 years of support). Pay attention to real-life performance [so with site-to-site SSL, SSL VPN, full Deep Packet Inspection (DPI) and IPS activated at the same time; see in the test results the lowest throughput for that model, some data was hard to find], to support, to initial cost with 3 years of support/updates, and to support renewal costs. In my case Fortinet was the best (and it even had the lowest max power consumption). Fortinet has extra reporting add-ons if needed (like FortiCloud, FortiAnalyzer and, for more enterprise reporting, FortiSIEM, all nicely integrated). I am just an IT manager using the products; I don't work for any manufacturer/supplier.
