Firewalls Forum

Charudatta Kulkarni
Head - UICT and Associate Professor at MIT Pune
Jun 30 2020
I work in a small organization in the educational sector.  We would like to extend firewall licenses, So we need to evaluate vendors. On what criteria/basis should we compare vendors and devices?
Jim Bachaud: A firewall is only one brick in your cyber-security wall, if you will, but an important one. Considerations: you have endpoints (laptops) that may travel in and out of the network, connecting to the internet while not on your local network. They have the potential to bring problems with them when they come back into the network, especially if they have been infected with a cryptolocker virus and have shared network drives when they reconnect. A firewall, no matter how good it is, won't protect you from this. Are you willing and budgeting to pay for license renewals every year? How much cybersecurity are you going to put on your firewall vs. offload to other systems? Spam management for email is a good example of this. What other security solutions are you also using, such as Barracuda Email Essentials, OpenDNS (Umbrella), file- and image-level backups at the endpoint, enterprise-grade AV, etc.? Are you protecting application servers? Do you have compliance requirements such as HIPAA or PCI you have to manage? You've asked a very generic question, so the answers you get as to the criteria required to evaluate an appropriate solution will be just as generic. In the world of security, Sophos and Fortinet are very good solutions if you want the best of the best, and those aren't always the best solution for the application: if there are no servers, the endpoints (desktops and laptops) are hardened, everything is backed up, and there's no critical data floating around, then a reasonable firewall with great throughput like a Ubiquiti UDM Pro could be a great solution that doesn't ransom you for an annual license fee. In other words, without being more specific about your application, you're not going to get a lot of really useful responses here.
Nawaaz Toonah: In the educational sector, the main challenge is to have control over all content that students or educators will be accessing. Many vendors offer this service; a few examples are Fortigate, SonicWall, Cisco, and Sophos. Now it will depend on what aspect of the firewall you want to focus on; if you want content filtering, I would recommend going for Sophos. With Sophos, everything has been made simple to manage, and you don't really need to be an expert to maintain this nice piece of technology.
Frank Theilen: You should decide based on what purpose you want to use the firewall for and who is supporting it. That means: if you want to use a firewall to protect the computer users when accessing the internet, you should look for integration with your other security aspects like AV, IPS, email protection, classification service catalog, integration in cloud-based management or SIEM, live protection with isolation or network disruption, reporting to fulfill certification audits like SOX, remote management and location awareness, SSL VPN clients, access security with a second factor, Active Directory-integrated security groups, other security products from the same vendor to extend the portfolio but keep management in one tool, VPN to other branches, multi-vendor VPNs, throughput with all FW features in place, how many physical network ports you can configure internal/external, multi-internet-provider network ports to get redundant provider setups (failover or both at the same time), and traffic management features to limit the traffic according to the application or service using it (VoIP, Netflix, ...). Also, you should think about what part this firewall takes in your other chain of security. Does it fit with them? Do you want to change them in the future as well? Last but not least is the amount of knowledge and support/maintenance the firewall solution would need. Do you want to keep/have an expert just for that? Is it going to be integrated into other management services (AV/Data Gov./Compliance)? Can you provide compliance access to the reports without compromising internal security? Can you restrict access to browsing or user history but grant access to security alarms and actions? If you have a security concept it should be easy to find the right FW. If not, start with that.
IT Central Station
Jun 30 2020
There seems to be some controversy around whether or not SSL Inspection should be used by businesses. What is your opinion - should they be used, and if so when? Conversely, what are reasons for not using SSL inspection?
Bruce Bennett: I am a proponent of SSL inspection, as long as you have another function/service that is evaluating that traffic, like URL filtering or DLP. The biggest reason I have seen is that all sites are going to HTTPS, so there is no granularity for URL filtering unless you are doing SSL inspection. Most URL filtering can categorize based on the full URI, but without SSL inspection you will only see the base. Example: without SSL inspection your services will only see "" going to this page. With SSL inspection you will see the full URL, "", giving the URL filtering service more information to categorize. Another good example is blog sites. Without SSL inspection, all the blogs look the same; with inspection, the ones that you want to block can be identified. Where not to use SSL inspection: personal destinations like health, banking and sites that fall into similar HIPAA and PII categories. One thing you will run into with SSL inspection is that some sites, especially security-related sites, will have issues with the "man in the middle" generally used for SSL inspection, so you will run into issues where you have to bypass sites like this as well.
David Storey: SSL inspection is great for corporate/organizational security as it allows you visibility into the traffic going across the network. It can also break access to some sites as it is technically a man-in-the-middle (anything requiring certificate authentication). If you're going to do it, you really need a login banner for your systems that advises users that their activities are being monitored. You'll also need to install certificates on people's PCs. This won't work for guest users. I wouldn't store decrypted content, though, as you will have to safeguard that data, as it will contain sensitive information. (Is it really worth the risk?)
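The two answers above make the same point from different sides: a URL filter behind TLS inspection sees the full path, while without decryption it only sees the server name, and some destinations (banking, health, sites that authenticate with client certificates) must be bypassed rather than decrypted. The following Python script, added here as an illustration and not code from the thread or from any of the products named, models that decision. The category table, the bypass categories, the client-certificate host list and the path-level block rules are all constructed assumptions; a real appliance takes them from a vendor feed and the administrator's policy.

```python
"""Model of what a URL filter sees with and without TLS inspection,
plus a bypass list for destinations that must not be decrypted.
Added example; all tables below are constructed, not vendor data."""
from urllib.parse import urlsplit

# Constructed host -> category table (a real product uses a vendor categorization feed).
HOST_CATEGORIES = {
    "www.example-bank.test": "banking",
    "portal.example-health.test": "health",
    "blogs.example.test": "blogs",
    "www.example-news.test": "news",
}

# Categories the thread advises never to decrypt (PII / HIPAA-type destinations).
NO_DECRYPT_CATEGORIES = {"banking", "health"}

# Sites that authenticate the client with a certificate break behind a MITM proxy,
# so they go on a bypass list too (constructed host name).
CLIENT_CERT_HOSTS = {"mtls.example-partner.test"}

# Path-level block rules: only enforceable when the full URL is visible (constructed).
BLOCKED_PATH_PREFIXES = {
    "blogs.example.test": ["/gambling-tips", "/warez"],
}


def visible_url(url, decrypted):
    """What the filter can see: host only (from SNI/certificate) or the full URL."""
    parts = urlsplit(url)
    if parts.scheme == "https" and not decrypted:
        return f"https://{parts.hostname}/"
    return url


def decide(url, inspection_enabled):
    """Return the inspection decision and the filtering action for one request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    category = HOST_CATEGORIES.get(host, "uncategorized")

    if parts.scheme != "https":
        decrypted, reason = False, "plaintext: full URL visible without inspection"
    elif not inspection_enabled:
        decrypted, reason = False, "not decrypted: inspection disabled"
    elif category in NO_DECRYPT_CATEGORIES:
        decrypted, reason = False, f"bypass: sensitive category '{category}'"
    elif host in CLIENT_CERT_HOSTS:
        decrypted, reason = False, "bypass: site requires client-certificate authentication"
    else:
        decrypted, reason = True, "decrypted: full URL visible to the filter"

    seen = visible_url(url, decrypted)
    full_path_visible = parts.scheme != "https" or decrypted

    # Path-level rules can only fire when the path is actually visible.
    action = "allow"
    if full_path_visible:
        for prefix in BLOCKED_PATH_PREFIXES.get(host, []):
            if parts.path.startswith(prefix):
                action = "block"
                break

    return {
        "host": host,
        "category": category,
        "decrypted": decrypted,
        "reason": reason,
        "seen": seen,
        "action": action,
    }


if __name__ == "__main__":
    for u in ("https://blogs.example.test/warez/tool.zip",
              "https://www.example-bank.test/login",
              "https://mtls.example-partner.test/api"):
        for enabled in (False, True):
            print(enabled, decide(u, enabled))
```

Running it shows the granularity argument directly: the same blog URL is blocked when decrypted and allowed when not, because without decryption the filter only ever sees `https://blogs.example.test/`; the bank and the client-certificate site are never decrypted regardless of the global setting.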
B Putnam
Owner at a retailer with 1-10 employees
Jun 29 2020
I am the owner of a retailer company with 1-10 employees.  We host websites on Windows 2008 R2 servers and Norton Business Protection. We are looking for recommendations for the best network firewall. Thanks! I appreciate the help.
Stuart Berman: Good commercial firewalls take a degree of expertise that small businesses rarely possess; for that reason, I would look for a managed security services provider that specializes in the SMB retail market. They should be able to do it affordably and with solid expertise. They should support Fortinet or Palo Alto Networks firewalls, which are the current gold standard for next-generation firewalls. You should also look at upgrading your Windows 2008 servers, as they are end of life and tough to protect today.
Brad Nawrocki: I like WatchGuard Fireboxes for my firewall. We started out with fewer than 50 users and have grown to 80, and the firewall is easy to manage. The one negative is that it is expensive to keep the subscriptions updated. Worth it to us, as we've been virus- and malware-free for years.
Gabriel Sicouret Villalobos: You should be looking at Juniper's SRX300, which is a bundle of switching, security and routing. You'll have embedded PoE+ functionality with its 6 Gigabit Ethernet ports and 2 uplinks running at 10 Gbps, an industry-best, high-performance IPsec VPN solution with 2 FREE SSL VPN licenses, and the ability to purchase up to 48 more licenses for a total of 50 remote collaborators. Check this out for more information:
Ariel Lindenfeld
Sr. Director of Community
IT Central Station
Jun 29 2020
it_user339975: Awesome answers all around! The most important aspect to look for is relative to one question: How informed are you with the actual needs of your network? Overall I think there are too many specific details to choose any one primary aspect when selecting a security appliance and/or firewall device based on functionality alone. Any company that is online and running with proven technology has offered a solution that meets the minimum standard for most situations and customers. However, some do perform better than others in certain environments, and this depends on the needs of the network and resources. Firewalls fulfill one general role in the network: the protection of key resources. This can be expanded upon in a number of ways, but the idea is the same all the time: the protection of key resources and the inspection of traffic in and out of these resources. That being the case, it would require in-depth research based on specific needs to see how that relates to the network in question when selecting a device. The one aspect that will always matter regardless of the device capability is integration and administration. Although customer support from the vendor is extremely important, the first line of response will always be the in-house technical resource. - How easily can I roll this out? - Am I replacing a pre-existing device or adding this in tandem? - Do I have people who can manage this device currently, and if not, can they be trained easily? - If I have a single admin/engineer who manages this device and they leave the company, how easy is it to find another qualified person? I think these aspects and questions matter a great deal. Regardless of specific strengths for a single device, if that device cannot be installed easily or managed easily, that equals more confusion and downtime, which usually means a loss of money.
When considering a new firewall device or security appliance, I encourage my clients to review their short- and long-term goals before allowing too much time in debate over which device is better.
Girish Vyas: There are already some good answers about it, but this is what I understand for a firewall. It is a luxury when compared within the networking domain. So basics first: it would need to suit your networking requirements. For this you need to settle on the vendor from whom you need to buy this firewall. From an organization level, try to get the best deal. Now from a networking perspective, take that spec sheet out, look for the models they offer and see which one fits your network. I mean, check the throughput of the firewall. Can it handle the load you are going to push through it? OK, so you've got your vendor and the model, but wait, let's see that spec sheet again. Why? The features. Yes, the features are also important, as everyone has already pointed out. You need to compare the features and see if they meet your organization's policy. Most firewalls have all that is required for an organization. This includes, but is not limited to, deployment mode, high availability, application visibility, custom application definition, central management (required if you have more than one firewall, to standardize your policy), throughput after going through IPS/URLF, SSL VPN capability (I don't want to spend more to get this new extra feature, right?), IPsec VPN, and others. The core of deploying the firewall is the throughput. I don't know how to emphasize that more. Once you get this checklist complete, I believe you are good to purchase a firewall for your organization. I would request people to try these firewalls on a VM instance for a demo and see how they function. Check with your vendor for a demo. This is to ensure that your IT engineer is comfortable with the look and feel, as he is the one who is going to handle your firewall, right? All the best on getting a new firewall!
Simon Coombs: Comprehensive protection, reliability, straightforward administration, total cost of ownership over three to five years.
Sameer Mogale
Owner (Senior Systems Engineer) at 3Kay Solutions
Jun 18 2020
Has anyone tested or is actively using the Seqrite range of UTM devices in production? I just wanted an honest opinion about their performance and reliability.
ChiragPanchal: Seqrite is a new entrant in perimeter security. Hence I do not have much to say on it, but yes, Seqrite is doing well in EPP.
reviewer1232628: Without knowing much about Seqrite, I can offer this advice: 1. Request (2) loaners for you to test out. Any sales team worth their salt will agree to this simple request, especially if it's going to be 30 days or less. 2. Use a penetration and vulnerability tool so you can determine if bad operators can easily break in. Keep this in mind for now and forever: if you sell a security service and your customer suffers from a number of attacks, any number at all, which leads to any kind of loss in productivity or intellectual property, they would consider it your fault, and you don't want that.
Ahmed Khattab Khattab: Never heard of them. I'm not into UTMs anyway, except for small companies with a small number of users and low outbound/inbound traffic.
Sr. Network Engineer at Medha
Jun 09 2020
We need a hardware firewall for 750-1000 users to provide restricted Internet access, business email access, and remote access for 300 users. Please suggest suitable models.
Aleksandar Jovanovic: Palo Alto PA-820 with URL filtering, threat prevention and WildFire subscriptions; an HA pair or spare device is optional. If remote workers use Linux or Android, you'll need a GlobalProtect licence also.
Syed Khalid Ali: There are a variety of product options such as Cisco, Fortinet, Sophos, Sangfor or Palo Alto. And you may also need to consider other factors, including: 1- Total available bandwidth (Internet + WAN + any other) 2- What other inspection engines you will use other than basic firewalling, for example IPS, AV (or anti-malware), URL, sandbox, SSL, etc. 3- New sessions per second 4- Total/concurrent sessions. As a baseline, you can begin with: 1- Fortinet 300E 2- Cisco FPR2110 3- Sangfor M5200/5250 4- Sophos XG210/230. Consider an all-in-one subscription license, as it will cost less compared to individual subscriptions.
Stuart Berman: At a minimum I would recommend a Fortinet FG-100F. The "F" series is their latest ASIC and it outperforms the E series by x4 or better. I like to oversize the firewalls to get more life out of them, although we usually use virtual appliances (FG-VM02v or greater). If I had to choose an older model I would go with FG-600E or higher, depending upon discount. The next higher F model is FG-1800F, which is a beast and overkill.
IT Central Station
May 21 2020
Why or why not? If so, which are the best providers for this configuration?
PrideChieza: That is a very good question. For SIP we highly recommend using SIP security on the firewall; this prevents issues with SIP attacks resulting in unknown phone calls being made from your PBX, causing a high phone bill that you didn't generate. However, in some cases when working with the Fortigate firewall and older versions of PBX you may need to disable this function; it's called SIP ALG (Application Layer Gateway) and this usually causes problems with SIP VoIP phone registration and call processing. But you need to make sure you only allow the PBX to communicate with the specific VoIP server, for security. Regarding NAT traversal, it is mostly used when you have devices that are not SIP-aware, and the firewall is then used to NAT the actual IP address of the SIP phone when communicating with the external IPs or VoIP servers. With the use of a security policy this can ensure that the VoIP traffic is also secured by the firewall.
Nawaaz Toonah: NAT: an ISP normally provides one public IP to subscribers, and for many devices to connect to the internet this single public IP address is shared among them. The traversal technique is to do UDP encapsulation to allow traffic to reach the destination device which does not have a public address. SIP traversal is mainly used when we have SIP phones which are registered to a remote IP PBX; to keep the connection live and keep the signaling link between the phones and the SIP registrar, SIP traversal comes into play. I have mainly used this SIP traversal option on Cyberoam / Sophos firewalls, and believe me, it works like a charm.
Rupsan Shrestha: SIP is a protocol used for session management in VoIP or video communication. On the other hand, NAT traversal is a technique used to maintain connectivity over networks where NAT is used. You are probably looking to implement VoIP in your network, if I'm not mistaken. There is no choice here because some VoIP devices require the implicit use of the SIP protocol; that is what they use to initiate, manage, and terminate sessions. While there are some vendors that use their own proprietary protocol, a SIP-like protocol is necessary regardless. And about NAT traversal: if you have a NAT device or a firewall that implements NAT in between or as a gateway, NAT traversal must be used to make sure your communication works, because in VoIP communication the client also acts as a server, meaning the communication has to be both ways. When there is a NAT in between, NAT masquerades the original IP, so there is a probability that the communication may fail. However, some VoIP solutions have their own mechanism to bypass NAT and maintain communication, while some require NAT traversal to be configured on the firewall.
Mario Blanco
Jefe de telecomunicaciones at a financial services firm with 10,001+ employees
May 18 2020
I work as the head of telecommunications for a large bank. We are currently researching next-generation firewalls. Which is the best solution available? Which would you recommend? Thanks! I appreciate your help. 
Menachem D Pritzker
Director of Growth
IT Central Station
May 14 2020
Which are the best providers for either configuration?
MayurJadhav: Firewalls are basically security devices that help you stop intrusion into your network. They can be deployed either on the host or in the network. The ones that are deployed on a host are generally software firewalls; the ones deployed in the network are hardware firewalls. Hardware firewalls are always superior to software firewalls. On the other hand, NAT traversal is basically a function that can be provided by a router or firewall. Some of the best vendors for hardware firewalls are Palo Alto, Check Point & FortiGate. Some of the best vendors for routers include Cisco & Juniper.
Philippe Panardie: A firewall is a security device on which you can apply rules to defend your professional network. The best suppliers are Palo Alto, Check Point and Fortinet. Juniper is reserved for heavy configurations. Palo Alto is the leader. The accuracy of its reporting and the possibility of virtualizing the functionality are very interesting. Fortinet has a wide offering and uses very fast components. Check Point is a historic player and has very keen equipment, especially for technical teams. An NG firewall embarks a lot of additional capabilities (antivirus, IPS, IDS) which make them attractive. Sometimes you'd rather buy this equipment separately, so as not to overload your firewall. An important functionality is to buy a failover, if your activity is 24/24, in order to avoid failure of the first member of your infrastructure. NAT only masks the real internet address of your network. This equipment has fewer functionalities and is of less interest except for specific needs.
José Luis García Morillo: NAT traversal is a network communication technique, one of many, and a firewall is a perimeter security element. They are not comparable.
Sr. Manager - IT at Vehant Technologies Pvt Ltd
May 08 2020
I work as a senior IT manager for a small software R&D company. We need an opensource Linux-based firewall for our organization that is easy to manage. Which is the best option? Which would you recommend?  Thanks! I appreciate the help. 
May 05 2020
How has Ransomware been attacked(Source) and how it can be controlled? Give me the best solution.
David Balaban: I have recently written an article on removing ransomware from Mac -
Shermay Tan
Project Engineer with 201-500 employees
May 05 2020
I work as a project engineer at a company with 201- 500 employees. I am looking for recommendations for the best way to prevent DoppelPaymer Ransomware. Is there an action plan or solution you would recommend? Thanks! I appreciate your help.   
SSL: If you want absolute security for any malware, not just the DoppelPaymer ransomware, I suggest you have a look at ThreatLocker. I do not work for them, but we started implementing this internally and will soon push this out to clients. It is a superb product that goes about security in a different way: rather than layering antivirus (signature-based or next-gen) on top of regular updates (Windows and 3rd party), it implements application whitelisting and ring-fencing. I suggest you have a look at their videos and reach out to them. No firewall can protect you completely, even if it is a UTM. Even if you close all ports (please do so for RDP or similar). These will help with filtering URLs and websites, and in some cases using AV signatures or ATP for attachments, but we noticed this is not very effective (especially with SonicWall). Having a next-gen A/V like Carbon Black, CrowdStrike, Cylance or SentinelOne will help as well. You also need a solid anti-spam solution that does sandboxing and URL rewriting. Fortinet can certainly provide a solution there for you.
Tarek Menshawy: You need an APT solution integrated with your endpoint solution, firewall, and email security gateways. I recommend Wedge Networks and FireEye.
Viral Hariyani: I will suggest the below solution for preventing DoppelPaymer ransomware. I would suggest an end-to-end protection layer with central management and visibility. SonicWall UTM model NSA 4650: for gateway protection. SonicWall Hosted Email Security: to protect your mail. SonicWall Capture Client (next-generation anti-malware): to protect your endpoint layer. SonicWall Capture Security Center: central management and visibility.
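The first answer above contrasts signature-based antivirus with application whitelisting and ring-fencing, where only known-good executables may run and an approved application is further confined in what it may launch or reach. The Python script below, added here as an illustration of that default-deny model and not code from the thread or from ThreatLocker or any other product named, evaluates a few constructed process events against a hash-keyed allowlist and a small fence policy. The "binaries", their hashes, the fence rules and the events are all constructed.

```python
"""Default-deny application control: hash allowlist plus ring-fence rules.
Added example; binaries, hashes, policy and events below are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents (a real policy hashes files on disk).
FAKE_BINARIES = {
    "winword.exe": b"constructed word processor bytes",
    "outlook.exe": b"constructed mail client bytes",
    "powershell.exe": b"constructed shell bytes",
    "cryptor.exe": b"constructed unknown payload bytes",
}

# The allowlist is keyed by hash, not file name, so renaming a payload does not approve it.
ALLOWLIST = {
    sha256_hex(FAKE_BINARIES[n]): n
    for n in ("winword.exe", "outlook.exe", "powershell.exe")
}

# Ring-fence policy (constructed): what each approved application may launch or reach.
FENCE = {
    "winword.exe": {"children": set(), "network": False},
    "outlook.exe": {"children": {"winword.exe"}, "network": True},
    "powershell.exe": {"children": set(), "network": False},
}


def evaluate(event):
    """Return 'allow' or 'deny: <reason>' for one process event.

    event keys: image (file name as seen on disk), sha256 (hash of that file),
    parent (approved name of the launching app, or None), action ('execute' or 'network').
    """
    approved = ALLOWLIST.get(event["sha256"])
    if approved is None:
        # Unknown code never runs, whatever it is called: this is the whitelisting step.
        return f"deny: {event['image']} is not on the allowlist"

    if event["action"] == "execute":
        parent = event.get("parent")
        if parent is not None and approved not in FENCE[parent]["children"]:
            # Approved code launched from an unexpected parent: this is the ring-fence step.
            return f"deny: ring-fence forbids {parent} launching {approved}"
        return "allow"

    if event["action"] == "network":
        if FENCE[approved]["network"]:
            return "allow"
        return f"deny: ring-fence forbids network access for {approved}"

    return f"deny: unknown action {event['action']}"


def sample_events():
    """Constructed event stream: a normal mail-to-document chain, a document
    spawning a shell, a renamed unknown payload, and a shell reaching the network."""
    h = {n: sha256_hex(b) for n, b in FAKE_BINARIES.items()}
    return [
        {"image": "outlook.exe", "sha256": h["outlook.exe"], "parent": None, "action": "execute"},
        {"image": "winword.exe", "sha256": h["winword.exe"], "parent": "outlook.exe", "action": "execute"},
        {"image": "powershell.exe", "sha256": h["powershell.exe"], "parent": "winword.exe", "action": "execute"},
        {"image": "winword.exe", "sha256": h["cryptor.exe"], "parent": "outlook.exe", "action": "execute"},
        {"image": "powershell.exe", "sha256": h["powershell.exe"], "parent": None, "action": "network"},
    ]


def run_sample():
    return [evaluate(e) for e in sample_events()]


if __name__ == "__main__":
    for e, verdict in zip(sample_events(), run_sample()):
        print(f"{e['action']:8} {e['image']:15} parent={e['parent']!s:13} -> {verdict}")
```

The fourth event is the one signature-based tools struggle with: a payload never seen before, renamed to look like an approved program, is refused purely because its hash is not on the list. The third and fifth show the fence doing work a plain allowlist cannot: an approved document editor spawning an approved shell is still denied, and the shell is kept off the network.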
Ron Zelt
Mar 10 2020
If you could go back in time, would you change your decision to buy that firewall and why? What do you think?
Girish Vyas: This answer depends on the provider one has. These days people in the enterprise are moving away from big names to Fortinet and WatchGuard. I would recommend they stick to secure architecture rather than just names. Check the frequency at which their threat database is updated. Ask them about their threat intelligence provider: is it in-house vs. third-party? Check if they have an integrated suite rather than just a one-off product. See how long they have been in the market and where they are positioned in the Gartner report. Now coming to the original question, do I want to change my vendor for my security services? My answer is no.
Werner Schonborn: If I could go back and buy a different firewall, I would do so immediately. The main reason is that when layer 7 capabilities are implemented, everything changes in terms of: * Performance * Functionalities * Routing * Reliability. I would buy a much stronger firewall i.t.o. CPU power, with more Ethernet ports. Salespersons always try to sell you what they think will be best, but the technical person should have the final say in the decision-making process.
AsgharHamidi: If it is about saving money, the answer is no. Saving money is not always the case. Some products have an easier way of maintaining than others.