We just raised a $30M Series A: Read our story

Cisco ASA Firewall Competitors and Alternatives

Get our free report covering Fortinet, Cisco, Palo Alto Networks, and other competitors of Cisco ASA Firewall. Updated: October 2021.
540,884 professionals have used our research since 2012.

Read reviews of Cisco ASA Firewall competitors and alternatives

Andy Dibble
IT Manager at Flare Technologies
Real User
Top 5
With VPN, any of our guys can log in to the system and effectively be on board; helps with our customers all over the world

Pros and Cons

  • "One thing we use quite a lot, as well, is the DHCP Server, because we do a lot of work where all our devices need to have static IP addresses. Rather than going around and configuring every box, we do it all through DHCP reservations. It's easier. We've got a record of it. We can manipulate it if we need to change something or change some hardware. It's all easy. Even guys who are not used to using it can pick it up quite quickly."
  • "There's also room for improvement in the Traffic Rules. We define networks to use a specific outgoing interface, say VSAT, shore, or marine WiFi, which is okay. But then all we have is a checkbox that says "Use other internet interfaces if this one is unavailable." What we would prefer would be to have a priority list. So if VSAT is unavailable, try to use 4G, etc. We haven't really found a reliable way of doing that in the current release."

What is our primary use case?

Our main customer base is superyachts, and they have the Kerio for traffic rules and bandwidth management of the various networks on board. They can optimize traffic for crew versus owners and guests, the VIPs that might be on board. They also use it for bandwidth sharing. They usually have a mixture of the VSAT satellite internet and 4G internet access. Sometimes they have WiFi, for example if they connect to a WiFi hotspot in a marina, as well as shoreline or fixed DSL. They use it to manipulate the internet traffic, so they can say the crew uses the slower VSAT and the guest gets the fast 4G or shoreline.

They also use it to see what's going on. If the boss complains that the internet's slow, they can quickly see if someone is downloading a load of updates or streaming Netflix and they can block them. They just want to have control, as the product name suggests, over the internet traffic.

In-house, we use the NG300, but because we are a partner, we use various hardware platforms. At the moment it's nearly all the NG series, the 100, 200, and 500. The most common that we use is the NG500. I'm interested in using the next-generation, which is due out in the next couple of months, but I've also used the virtual Kerio platform on a VMware hypervisor.

There's a virtual appliance, but also software installed on a Windows PC. We build our own virtual "guest" on a host, we've done a couple of those, and then attached it to a switch with VLANs, so we've covered all platforms.

We have these Kerios on anything from a 30-meter Sunseeker, with five or six crew members, four guest cabins, and a couple of master cabins, or a master and a VIP. They might have 20 guests so there would be a total of about 30 users and some 50 devices for those users. There is also all the AV equipment. And we've gone right up to a 120-meter superyacht, with 50 to 100 crew and space for about 200 guests. We've also got a couple of ski chalets, and a private island in Ibiza. A few hundred users is its top end, but as far as network-connected endpoints go, it could be in the few thousands of devices.

How has it helped my organization?

The way it improves the way our company functions is through the VPN, because we offer support services. Normally, we would have to rely on TeamViewer to a computer on board, or to get on the phone and tell somebody to take pictures or press buttons, where we can't see what's going on. 

In the last year or two, after setting up the VPN, any of our guys can log straight in to the system and they are effectively on board. That is a big help because our customers are all over the world. They could be in Ibiza one day, but then they're heading to the South of France and then they're going off to Greece or crossing the Atlantic. Sometimes it's difficult to send somebody out to them quickly. They might not want to pay for somebody to come out. It could be two or three days of round-trip travel for a half-hour job. The VPN makes it more efficient. We can jump in and see what's going on. We can mimic our engineer's being on board the vessel via the VPN. That's the biggest benefit. And it's instant. Someone rings me up and I've got a single VPN connection and I can get to their networks.

What is most valuable?

The most common feature is the Traffic Rules, so the users can define which network or which users access which internet interface. But bandwidth management and content filtering are also commonly used.

With the Traffic Rules we define all the different sources, such as various user groups or network interfaces for the crew. And we show them that if they want the guests to access 4G internet, this is how they do it. They're defining who gets what, in the Traffic Rules. 

If they've only got a single connection, and everyone's sharing it, then they would jump into bandwidth management and prioritize the boss, but also allow the crew a little bit of internet, just to get by, for WhatsApp messages and emails. 

Content filtering is to stop malicious content. They don't want people accessing the various categories in the filter. The default is usually pretty good for them, things like BitTorrent, downloads, and sharing, but also the more "adult" parts of the internet.

It gives our customers pretty much everything they need in one product, in terms of security features. It's a firewall, but generally for what they want, it works.

What our customers like about it is that it has a nice interface. It's been around in the yacht sector for a long time. I was introduced to Kerio by the yacht customers. They were saying they want this firewall and I hadn't really heard of it. They're usually comfortable with it because it's a familiar interface.

By default, the firewall stops everything coming in but allows everything going out. For everything we've needed, it's done the job. If we've needed to open something up or block something we've managed to do it.

We also use the VPN quite a lot. We have an NG500 in our data center and we actually create a VPN tunnel between and our data center and each of our current customers who have a Kerio. Technically, it's one-way because they don't talk to each other via VPN. All the customers are separate, but as a support company, we can VPN from our laptops to our data center and from there we can access all our customers' networks. That is handy for us because we can log on to their IT switches or their AV equipment to offer support. We also use it for delivering email for some customers, whereby because they don't always have a guaranteed fixed IP address, we give them one, in a sense. We have a pool of IPs in our data center. All the mail hits their assigned IP address and is sent over the VPN to their email servers on board.

We also have some third-party subcontractors and we can give them access to specific customers. We can give them an account on our firewall and through our own traffic rules we can allow them or deny them access to specific customers and specific parts of that customer's network. Because they're hitting the central point, we don't necessarily want them to access all our customers. The customers themselves don't often have a big, remote-work environment because the crew is either on board or off. But we have seen a small increase in customers wanting to use VPN to access files on board, and during the COVID outbreak some of the ETOs (electronic technical officers) and the technical guys have not actually been able to get to the yacht, physically. So we've set them up with VPN so they can actually continue to do certain work. When we first started using Kerio we never really used VPN. Now, pretty much every Kerio we supply gets on the VPN.

The ease of use of Kerio is very good. Everything's there, once you know where to go or how to find things. One thing we use quite a lot, as well, is the DHCP Server, because we do a lot of work where all our devices need to have static IP addresses. Rather than going around and configuring every box, we do it all through DHCP reservations. It's easier. We've got a record of it. We can manipulate it if we need to change something or change some hardware. It's all easy. Even guys who are not used to using it can pick it up quite quickly.

The learning curve is pretty quick. It helps if someone has a general IT understanding of networking, for certain aspects. What we don't always have on a customer's site is somebody who is familiar with all aspects of the Kerio, such as interfaces, VLANs, and IP subnetting. They don't always understand DHCP, what it is and how it works. They pick it up pretty quickly, but it usually helps if someone has at least some knowledge of IT and networking. Normally, though, we find it's quite a decent balance because they will do what they want to do after a little bit of training. Anything else they'll leave to us or they'll ask us the question, and then we can either do it or go and figure it out and then come back and do it.

What needs improvement?

Sometimes it might not be detailed enough, or it might have more details but the customers just don't know where to look. The issue is usually when it comes to specific packets. Sometimes they find it slightly difficult to see exactly what's going on.

For example, we had a customer who was using the content filter. They tried to block Facebook using the web filter categories, and in combination with that they wanted to always require that a user was authenticated before accessing web pages. What would happen was that even though they had the content filter enabled to block social networking — Facebook may even be a category — it still allowed them to get in through mobile apps. If they went to the website, it would prompt them for login and then it would deny it, but they would get into the app and they weren't even logged in. That might have been an HTTPS issue and the way that the app was talking, rather than an actual website or what page. We always managed to find a way around. They'll come to us with a question and then we'll figure it out and usually they're happy enough with that.

There's also room for improvement in the Traffic Rules. We define networks to use a specific outgoing interface, say VSAT, shore, or marine WiFi, which is okay. But then all we have is a checkbox that says "Use other internet interfaces if this one is unavailable." What we would prefer would be to have a priority list. So if VSAT is unavailable, try to use 4G, etc. We haven't really found a reliable way of doing that in the current release.

Finally, the customers sometimes want to use the VPN link for outbound traffic. But at the moment, it appears that there is an all-or-nothing solution, so either everything uses the VPN and breaks out at the remote site or nothing does. The simple example is for the email system we've put in. We can direct traffic in over the VPN, but we'd also like to send that same email traffic out of their server over the VPN to break out on a specific IP address in our data center. We would like to see a little bit of functionality in prioritizing of internet interfaces.

For how long have I used the solution?

I have been using Kerio Control for about 10 years. 

What do I think about the stability of the solution?

The stability is good. 

There have only been a couple of occasions where we've had high RAM usage of the Kerio, where it may be a more complex network. What we found is that over the course of a week or 10 days, the RAM utilization would slowly increase to a point where it would be 100 percent usage and then you couldn't do anything with the box. You would have to physically power it off. 

We do have cases open for Kerio with GFI and they're looking into it. Apparently there is going to be quite a big software update coming soon, which will change the backend workings. That's hopefully going to make a big difference, but the problem has only happened in one or two cases. Other than that, it's generally pretty solid.

What do I think about the scalability of the solution?

If you've got a hardware appliance, then you are generally limited to its own specifications, in terms of throughput and power. That's what you've got. If you start hitting that, then it's time for a new box, or you need to look for something else.

On the NG500 you can increase the RAM slightly and you can also increase the storage space.

But there is no way of changing processing power. So you have to specify the right box. You can increase physical network interfaces if you want to. You attach a switch to it and scale it that way if you need more physical interfaces. We haven't needed to do that. Or if you wanted to have fibre connections; you would have to attach it to something else. 

It would be nice to see SFP slots in new hardware, which I think is coming in one of the models. 

Overall, you'll hit a point with the box where you can't really scale any higher. But if you've got a virtual appliance, if you want to give it more processing power you can. If you want to give it loads of memory or storage, I would find it quite easy to really scale it up in terms of hardware resources.

How are customer service and technical support?

Technical support is pretty good. They're quick to respond. You get an answer straight away, although it might not be the final answer. 

I have learned a few things from contacting support, things that I probably wouldn't have ever found out just researching online or playing with it myself. 

At the moment, the particular questions we have are a bit more complicated than just, "How do I configure this traffic rule to do this job?" We've got a problem with RAM being utilized and we don't know why, and I had to send them system logs. I've had to do full system resets, complete erase and recovery. It's a bit tricky. It's more development-type work rather than user support. I think they're holding back from really getting involved with that because they are developing the new system. At the moment, our workaround is just to reboot the box every two weeks, which is inconvenient, but if they're going to solve this, then we just have to wait.

How was the initial setup?

The setup is straight out-of-the-box. Take it out of the box, run through the wizard, configure it with the settings that you should already know, and then it works and you get in online. That's the basic setup, because the Traffic Rules, by default, allow everything out and stop everything coming in. That's enough to just get online.

You then go to start defining your networks and your traffic rules. Putting multiple VLANs in there is easy. Even as it gets to be a more complex configuration, it's easy to do.

Sometimes it's time-consuming if it's a large configuration, but that's just what it is. It takes time to click boxes if it's a large network with lots of different scenarios, and to type in all the IP addresses.

But it's easy out-of-the-box for a basic configuration and still fairly easy if you've got that knowledge of the Kerio and networking. Just a little time-consuming. If there were some kind of import or bulk add, that would be nice, but that's on a wish list. It's really not that necessary.

If a customer just wants something out-of-the-box, we plug it in, make it work, and it probably takes a couple of hours, at the most. If it's a bit more complex, it might take a day. It might take longer if you don't know what you're doing.

I've always told customers that there is no fixed configuration. This thing will work and do what you want it to do. As time progresses, it evolves with the changing requirements. So we can give them a solution. They can give us some key config points telling us "Okay, we want this many networks and we want these users, and these particular rules," etc. We configure all that  in a day and test it the next day. After that, it's ongoing. They might decide, "Oh, we actually want to change the bandwidth allocation," or "We've got a new internet interface," or we want to block Facebook at a specific time. It's ongoing.

What was our ROI?

We have definitely seen return on investment with Kerio Control because it would take us a lot longer to fix something in a lot of support calls we get. We might be stuck on the phone for four hours just to try and talk someone through something that we could fix in 20 minutes, because they're not looking in the right place or they don't see something that is relevant. Whereas, we've been able to use the VPN through Kerio, so we can sometimes fix a problem before they've even finished describing it. It has definitely helped us a lot.

Kerio's VPN has easily saved us 50 percent, maybe more, in terms of time spent on support. We're connected in seconds. We can see things quickly. We can be connected to five different customers at once through a single connection.

What's my experience with pricing, setup cost, and licensing?

Pricing depends on the requirements. The more powerful boxes, like the NG500, are more expensive on licensing terms, depending on how you license them. At the moment, the NG500 doesn't have an unlimited user option. I believe they took it away, although I might be wrong. 

Figure out how many users you're going to need because there's no point in configuring or licensing it for 200 users "just in case," when you might only need 50. It's obviously going to cost you four times as much. 

There is an option to have GFI Unlimited, which is their all-in-one licensing model, which includes Kerio Control. It works for hardware boxes as well the software virtual appliances. Depending on the number of users, it might be more beneficial to go for GFI Unlimited. It can work out cheaper.

Which other solutions did I evaluate?

The other real experience I've had is with Cisco ASA, Palo Alto, and WatchGuard. 

The Cisco was more complicated and people didn't really like it because it was a more complicated interface or it seemed more complicated for them.

The WatchGuard and, from what I saw, the Palo Alto are good firewalls; some would say better as firewalls than Kerio. But they don't have all the other features and they didn't seem as easy. They may have more specific options you could set in the actual firewall rules; you could drill it down a bit further. But my experience has been pretty limited, so it might have just been that they looked like they did more, but in fact they just looked more complicated and only gave the impression they would do more. But these devices didn't have all the features of Kerio like the users, the groups, domain logins, bandwidth management, and content filters. They were just firewalls.

Generally, our customers are all small to medium, if you were to compare them with a typical business. They're not "enterprise" technically, even though they do run a lot of enterprise hardware, like full Cisco networks, etc. They just don't really have the same configuration. They've got the budget, but they just don't always want to spend it. I think Kerio could work in an enterprise. A lot of the time, it depends on who is running the security and what they prefer and what is approved by any governing bodies.

Kerio seems to have a reputation, for some people, not to be a true firewall. It's just a feeling that people get, but that's biased towards what they prefer to work with.

On the same price point, you can't compare them. If you're looking at a Kerio box that might be £3,000 a box plus a year's license every year, versus our £100,000 security system, you can't really compare them. But for devices and hardware/software in the same price range, I wouldn't knock it back for something else.

What other advice do I have?

Regardless of whether you get a box or virtual, the interface is nearly always the same. There are very few changes between versions. Research what you think you're going to need. Don't just buy the biggest box or the most expensive box because you think it's going to be better.

The biggest lesson I have learned from using this solution is that you don't always have to be onsite to fix something.

The malware and antivirus features are pretty good. We generally have other malware and antivirus protection as well. A lot of the time, things come in via email so we do have services from Symantec, which filters that out beforehand. Very occasionally I have seen a false positive, where it's blocking something that's actually allowed, but then I can usually figure it out and just allow it. When I've seen something has been blocked or someone has reported they're trying to do something and they can't access or download a file, I can quickly see in the logs that something has been blocked because of the antivirus detection. And I've managed to go from there, allow the file.

One feature we haven't used yet is the solution's high availability failover protection. It's something that I've not even tested myself. I was interested in it when it was first announced, but I was reading about it and a few people said that some of the early implementations were a little bit buggy. I have a feeling it's gotten better now. But I've not used it and no one has asked for it either.

Disclosure: My company has a business relationship with this vendor other than being a customer: Silver Partner with GFI
JL
Executive Cyber Security Consultant at a tech services company with 11-50 employees
Consultant
Top 20
An excellent solution for the right situations and businesses

Pros and Cons

  • "The Palo Alto VM-Series is nice because I can move the firewalls easily."
  • "It has excellent scalability."
  • "The product needs improvement in their Secure Access Service Edge."
  • "They made only a halfhearted attempt to put in DLP (Data Loss Prevention)."
  • "Palo Alto is that it is really bad when it comes to technical support."

What is our primary use case?

Palo Alto VM-Series is something we recommend as a firewall solution in certain situations for clients with particular requirements who have the budget leeway.  

What is most valuable?

The Palo Alto VM-Series is nice because I can move the firewalls easily. For instance, we once went from one cloud provider to another. The nice thing about that situation was that I could just move the VMs almost with a click of a button. It was really convenient and easy and an option that every firewall will not give you.  

What needs improvement?

We would really like to see Palo Alto put an effort into making a real Secure Access Service Edge (SASE). Especially right now where we are seeing companies where everybody is working from home, that becomes an important feature. Before COVID, employees were all sitting in the office at the location and the requirements for firewalls were a different thing.  

$180 billion a year is made on defense contracts. Defense contracts did not stop because of COVID. They just kept going. It is a situation where it seems that no one cared that there was COVID they just had to fulfill the contracts. When people claimed they had to work from home because it was safer for them, they ended up having to prove that they could work from home safely. That became a very interesting situation. Especially when you lack a key element, like the Secure Access Services.  

Palo Alto implemented SASE with Prisma. In my opinion, they made a halfhearted attempt to put in DLP (Data Loss Prevention), those things need to be fixed.  

For how long have I used the solution?

I have been using Palo Alto VM-Series for probably around two to three years.  

What do I think about the stability of the solution?

I think the stability of Palo Alto is good — leaning towards very good.  

What do I think about the scalability of the solution?

Palo Alto does a good job on the scalability. In my opinion, it has excellent scalability.  

How are customer service and technical support?

My experience with Palo Alto is that it is really bad when it comes to technical support. When we have a situation where we have to call them, we should be able to call them up, say, "I have a problem," and they should ask a series of questions to determine the severity and the nature of the problem. If you start with the question "Is the network down?" you are at least approaching prioritizing the call. If it is not down, they should be asking questions to determine how important the issue is. They need to know if it is high, medium, or low priority. Then we can get a callback from the appropriate technician.  

Do you want to know who does the vetting of priority really, well? Cisco. Cisco wins hands down when it comes to support. I do not understand that, for whatever reason, Palo Alto feels that they do not have a need to answer questions, or they just do not want to.  

It is not only that the support does not seem dedicated to resolving issues efficiently. I am a consultant, so I have a lot of clients. When I call up and talk to Palo Alto and ask something  like, "What is the client's password?" That is a general question. Or it might be something even less sensitive like "Can you send me instructions on how to configure [XYZ — whatever that XYZ is]?"  Their response will be something like, "Well, we need your customer number." They could just look it up because they know who I am. Then if I do not know my client's number, I have got to go back to the client and ask them. It is just terribly inefficient. Then depending on the customer number, I might get redirected to talk to Danny over there because I can not talk to Lisa or Ed over here.  

The tedium in the steps to get a simple answer just make it too complicated. When the question is as easy as: "Is the sky sunny in San Diego today?" they should not be worried about your customer representative, your customer number, or a whole bunch of information that they really do not use anyway. They know me, who I am, and the companies I deal with. I have been representing them for seven or eight years. I have a firewall right here, a PA-500. I got it about 11 years ago. They could easily be a lot more efficient.  

Which solution did I use previously and why did I switch?

I have clients whose architecture is configured in a lot of different ways and combinations. I use a lot of different products and make recommendations based on specific situations. For example:  

  • I have one client that actually uses multiple VM-series and then at each one of their physical sites that have the K2-series — or the physical counterpart of the VM-series.  
  • I have other clients that use Fortinet AlarmNet. As a matter of fact, almost all my healthcare providers use Fortinet products.  
  • I have another customer that used to be on F5s and they had had some issues so switched to Fortinet.  
  • I have a couple of holdouts out there that are still using the old Cisco firewalls who refuse to change.  
  • I have a new client that is using a Nokia firewall which is a somewhat unique choice.  

I have a customer that used to be on F5s and they had had some issues. The result of the issue was that they came to me and we did an evaluation of what they really needed. They came in and they said, "We need you to do an evaluation and when you are done with the evaluation, you need to tell us that we need Palo Alto firewalls." I said that was great and I sat down and got to work building the side-by-side comparison of the four firewalls that they wanted to look at. When I was done, just like they wanted the Palo Alto firewall was right there as the first one on the list. They selected the Fortinet firewall instead.  

Nokia is specifically designed to address the LTE (Long Term Evolution, wireless data transmission) threats with faster networks and such. So it is probably not considered to be a mainstream firewall. The client who uses Nokia is a service provider using it on a cellular network. They are a utility and they are using Nokia on a cellular network to protect all their cellular systems and their automated cellular operations. The old Nokia firewalls — the one on frames — was called NetGuard. This client originally had the Palo Alto K-series and they switched over to the Nokia solution. That is my brand new Nokia account. They were not happy with the K-series and I am not sure why.  

The thing about Cisco is nobody is ever going to fire you for buying a Cisco product. It is like the old IBM adage. They just say that it is a Cisco product and that automatically makes it good. What they do not seem to acknowledge is that just because their solution is a Cisco product does not necessarily make it the right solution for them. It is really difficult to tell a customer that they are wrong. I do not want to say that it is difficult to tell them in a polite way — because I am always polite with my customers and I am always pretty straightforward with them. But I have to tell them in a way that is convincing. Sometimes it can be hard to change their mind or it might just be impossible.  

When I refer to Cisco, I mean real Cisco firewalls, not Meraki. Meraki is the biggest problem I think that I deal with. I do not have the network folks manage the Meraki firewalls differently than they manage their physical firewalls. I do not want there to be a difference, or there should be as little difference as possible in how the firewalls are handled. They do have some inherent differences. I try not to let them do stuff on the virtual firewalls that they can not do in the physical firewalls. The reason for that is because in defense-related installations it matters. Anytime you are dealing with defense, the closer I can get to maintaining one configuration, the better off I am. Unless something unique pops up in Panorama, I will not differentiate the setups.  

I say that there are differences because there is a little bit of configuration that inherently has to be different when you are talking about physical and virtual firewalls, but not much. I can sanitize the virtual machine and show the cloud provider that since I was going into a .gov environment or a .gov cloud, that it met all the requirements as stated in the Defense Federal Acquisition Regulation Supplement. That is huge for our situation. Of course with a cloud provider, you are not going to have a physical firewall. Had we had a physical firewall, that becomes a bit of a chore because you have got to download the configuration file, then you have got to sanitize the configuration. Things like that become a bit of a burden. Having a VM-Series for that purpose makes it much easier.  

I did not mention Sophos in the list. Sophos does a semi-decent job with that too, by the way. The only problem with Sophos is that they are not enterprise-ready, no matter what they say. I have deployed Sophos in enterprises before, and the old Sophos models did very well. The new ones do very poorly. The SG-Series — Sierra Golf — they are rock solid. As long as we keep going with them, our customers love it. It works. I have one client with 15,000 seats. They are running 11 or 12 of them and they have nothing but great things to say about the product. The second you go to the X-Series, they are not up to the task.  

How was the initial setup?

Setting up Palo Alto is relatively quick. But I also have an absolute rockstar on our team for when it comes to Palo Alto installations. When he is setting it up, he knows what he is doing. The only thing he had to really learn was the difference between the VM-Series and the PA-Series.  

I lay out the architecture and I tell people doing the installations exactly what has to be there. I sit down and create the rule sets. Early on, the person actually doing the fingers-on-the-keyboard complained a little saying that the setup was a little bit more complicated than it should have been. I agree, generally speaking. I generally feel that Palo Alto is more complicated than it needs to be and they could make an effort to make the installations easier.  

But, installing Palo Alto is not as bad as installing Cisco. Cisco is either a language that you speak or a language that you do not. I mean, I can sit down and plot the firewall and get the firewall together about 45 minutes with a good set of rules and everything. But that is me and it is because I have experience doing it. Somebody who is not very well-versed in Cisco will take two or three days to do the same thing. It is just absolutely horrid. It is like speaking English. It is a horrid language.  

What's my experience with pricing, setup cost, and licensing?

I do not have to do budgets and I am thankful for that. I am just the guy in the chain who tells you what license you are going to need if you choose to go with Palo Alto VM-Series. How they negotiate the license and such is not my department. That is because I do not resell.  

I know what the costs might be and I know it is expensive in comparison to other solutions. I get my licenses from Palo Alto for free because they like me. I have proven to be good to them and good for them. When they have customers that are going to kick them out, I can go in and save the account.  

I will tell you, they do practice something close to price gouging with their pricing model, just like Cisco does. When I can go out and I can get an F5 for less than half of what I pay for Palo Alto, that is a pretty big price jump. An F5 is really a well-regarded firewall. When I can get a firewall that does twice what a Palo Alto does for less than half, that tells me something.  

Sophos decided that they were going to play with the big boys. So what they did is they went in and jacked up all their prices and all their customers are going to start running away now. The model is such that it is actually cheaper to buy a new firewall with a three-year license than it is to renew the Sophos license of the same size firewall for an older product. It sorta does not make sense.  

Which other solutions did I evaluate?

I make recommendations for clients so I have to be familiar with the firewalls that I work with. In essence, I evaluate them all the time.  

I work from home and I have two Cisco firewalls. I have a Fortinet. I have the Palo Alto 500 and I have a Palo Alto 5201. I have a Sophos. My F5 is out on loan. I usually have about eight or nine firewalls on hand. I never go to a client without firing up a firewall that I am going to recommend, testing it, and getting my fingers dirty again to make sure I have it fresh in my mind. I know my firewalls.  

The VM-Series are nice because you can push them into the cloud. The other nice thing is whether you are running a VM-Series or the PA-Series, we can manage it with one console. Not without hiccups, but it works really well. Not only that, we can push other systems out there. For instance, for VMware, we are pushing Prisma out to them. VMware and the Palo Alto VM-Series do really well with Prisma. The issue I have with it is — and this is where Palo Alto and I are going to disagree — they are not as good at SASE (Secure Access Service Edge). I do not care what Palo Alto says. They do a poor job of it and other products do it better.  

Palo Alto claims it is SASE capable, but even Gartner says that it is not. Gartner usually has the opinion that favors those who pay the most, and Palo Alto pays them well. So when Gartner even questions their Secure Access Service Edge, it is an issue. That is one of those places where you want the leader in the field.  

From my hands-on experience, Fortinet's secure access service edge just takes SASE hands down.  

What other advice do I have?

My first lesson when it comes to advice is a rule that I follow. When a new version comes out, we wait a month. If in that month we are not seeing any major complaints or issues with the Palo Alto firewall customer base, then we consider it safe. The client base is usually a pretty good barometer for announcing to the world that Palo Alto upgrades are not ready. When that happens, making the upgrade goes off our list until we hear better news. If we do not see any of those bad experiences, then we do the upgrade. That is the way we treat major revisions. It usually takes about a month, or a month-and-a-half before we commit. Minor revisions, we apply within two weeks.  

I am of the opinion right now that there are some features missing on Palo Alto that may or may not be important to particular organizations. What they have is what you have to look at. Sit down and be sure it is the right solution for what you need to do. I mean, if the organization is a PCI (Payment Card Industry) type service — in other words, they need to follow PCI regulations — Palo Alto works great. It is solid, and you do not have remote users. If you are a Department of Defense type organization, then there are some really strong arguments to look elsewhere. That is one of the few times where Cisco is kind of strong choice and I could make an argument for using them as a solution. That is really bad for me to say because I do not like Cisco firewalls.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the Palo Alto Networks VM-series as an eight-out-of-ten.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PS
Principal Network and Security Consultant at a comms service provider with 10,001+ employees
Real User
Top 5
Central architecture means we can see an end-to-end picture of attacks

Pros and Cons

  • "Check Point definitely has a great architecture, where you can just enable the software blades and deploy a secure service. Overall, it provides ease of deployment and ease of use."
  • "The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay... where it needs improvement is where [SandBlast is] an appliance-based solution rather than a software or cloud-based solution."

What is our primary use case?

I support multiple clients within the UK, the EMEA region, the US, and now in Asia Pacific as well. I specialize in Check Point firewalls. I design and secure their data centers, their on-premises solutions, or their businesses security.

The firewalls are mostly on-premise because most of our clients are financial organizations and they have strict compliance requirements. They feel more secure and have more control when things are on-premise in the data center. However, there are use cases where I have helped them to deploy Check Point solutions in the cloud: AWS, Azure, and in Google as well. But cloud deployments are very much in the early stages for these clients, on a development or testing basis. Most of the production workloads are still on-premise in data centers.

Most of my customers are still using R77.30, and they are on track to upgrade from that to R80, which is the current proposed version by Check Point.

How has it helped my organization?

One of our customers has just recently been attacked by malware and internal DoS attacks, and they have a multi-vendor, multi-layer firewall approach. The internal firewalls are Check Point. The great thing about Check Point is that because of its central architecture, you can very quickly pinpoint where the attacks are coming from. It gives you comprehensive reporting when the attacks start and when they've stopped, so you can see the complete, end-to-end picture: where the point of attack is, at what time, and what host. They can track all of that.

However, in parallel, that customer is using other firewalls which have no visibility. One of the main advantages of having Check Point firewall is definitely that it gives you absolute in-depth visibility.

What is most valuable?

Among the valuable features are antivirus, URL inspection, and anti-malware protection. These are all advanced features.

One of the great advantages of having Check Point as a firewall is that all of these are software blades, so you can buy a license or subscription and enable them and get the security up and running. With other firewalls, it's a completely different agenda, meaning some of them require hardware modules, and some of them have a complex way of adding the licensing, etc. Check Point definitely has a great architecture, where you can just enable the software blades and deploy a secure service. Overall, it provides ease of deployment and ease of use.

What needs improvement?

The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay. That's one of the main complaints for most of our customers. Or if it is quick, then it's very complex. For example, if they have received a file which is "unknown" or has Zero-day attack malware, sometimes it doesn't get analyzed properly or it's locked into the cloud. So there are various small issues with the product that need possible improvement.

The SandBlast product on its own is a very good concept, and it works absolutely brilliantly. However, when you integrate it with existing firewalls, it just doesn't play very well.

The cloud solution is quite straightforward because it seems the SandBlast solution was designed, initially, for cloud deployments, where you've got multiple clouds or multiple vendors, and you are receiving files from different points. And on the cloud edge, for example in AWS, if you have Check Point sitting there, it works very well if you're running a virtual firewall. However, if it's on-premise and it's a dedicated appliance, then the performance is slightly different and the way it works is very different. So where it needs improvement is where it's an appliance-based solution rather than a software or cloud-based solution.

If I am using SandBlast on a virtual appliance — for example, I've got Check Point virtual appliances in AWS, and Azure as well, for a customer — those virtual appliances work absolutely fine as a service, as does SandBlast as a service. However, if it's an appliance, if it's a dedicated firewall on-premise in a data center and you add SandBlast as a software service, the integration is not that straightforward, so the experience is very different. 

It seems like they were possibly built by different teams, independent of each other.

For how long have I used the solution?

I've been using Check Point firewalls for about 16 years. I am the main network or security lead and I have four other engineers who report to me. They also do design and deployment.

I work with approximately 40 companies that utilize Check Point.

What do I think about the stability of the solution?

Check Point firewalls are very stable. One good thing about Check Point is that they do rigorous testing internally before releasing updates, which is something I have not found with any other firewall products. With most of the other firewall products, when they release something, it's like the customer becomes the guinea pig for that particular version, whether a minor or a major update. However, with Check Point, you can see all the white papers and what ways they have tested a minor or major upgrade of the software version, and what the performance was like. What are their known issues and is somebody working on them or not?

So the software releases are very stable and you have visibility into how they operate and what the known issues are, so you know whether you should go ahead with them or not. And in case there is a problem, the support is excellent. You can reach out to Check Point and say, "Look, I've done the software upgrade and I'm experiencing these problems. How can I deal with them?" They are there to help you out.

There are times when we have problems in terms of software or hardware defects. We have sustained downtime, but most of the architecture I design is resilient, so if one device is down, the other one is working fine. Then in the background, I or my support team will deal with Check Point directly, to get a replacement. They're definitely quick to respond and very efficient. 

In the past, we had a lot of problems with licensing, specifically, but Check Point has redone the whole way they do licensing. It's very quick now, and very efficient.

What do I think about the scalability of the solution?

Check Point firewalls are extremely scalable. Recently, I deployed Check Point in an AWS cloud solution for one of my clients, and it's been absolutely excellent in handling growth. They've grown from 10,000 users to a million users. The way Check Point has advertised the product, it is supposed to be highly scalable, which means it grows as your demand grows, and that has been the case. 

Recently we have set up a test case where we are moving over management servers from on-premise to a Check Point-provided Infinity cloud solution. We are still at the testing phase but, overall, it's been a great experience so far.

How are customer service and technical support?

The teams we deal with within Check Point are extremely knowledgeable. They know how to understand the background of the problem, and they're very good about articulating how we deal with the issue, whether it's a minor software upgrade issue or it's a major failure of the hardware itself. They know where to look for the right stuff. The key point is they're very knowledgeable and very technical. And if somebody doesn't have the technical capability, they will definitely help you out to make sure you get to the bottom of the problem.

Which solution did I use previously and why did I switch?

In the past, most of the customers I've worked with have used different firewall vendors, such as Cisco, Palo Alto, and Juniper.

I've recently seen deployments where customers have tried to move from Cisco ASA to Cisco Firepower and the deployment has gone horribly wrong because the product has not been tested by Cisco very well and is not a mature product. I've gone in and reviewed their business requirements and technical requirements and, based on that, I've recommended Check Point and done the design and deployment. They've absolutely been happy with the solution, how secure and how capable it is.

We use Check Point across multiple types of customers, such as financials, retail, and various other public and private sector organizations. I review their security architecture, which is firewall specific and, based on that, I have recommended Check Point. In most cases, I've managed to convince them to go ahead with Check Point firewalls as a preferred secure firewall solution.

The main reason is that Check Point is far ahead in the game. They're definitely the market leader. They are visionaries when it comes to security. Another reason is that a lot of firewall architecture starts from the firewall itself, which is the local firewall. It can easily be hacked and manipulated. However, the Check Point architecture, out-of-the-box, is very secure. They have a central Management Server and all of the firewalls are managed through that one central point. So in case somebody breaks into your firewall, the firewall is encrypted; they will delete the database. The architecture is secure by default. The good thing is that other firewall vendors have realized this and they've started to copy the same system that Check Point has used for the past 20 years now.

How was the initial setup?

When working with the Check Point team on deployment, they're really helpful and very talented people. When you speak to other firewall vendors, they just think about the firewall from their point of view. The good thing about Check Point engineers, or technical staff, or even management staff, is that they understand what the requirements of business are and how they can improve or align the proposed solution. Overall, Check Point staff are very knowledgeable, they understand different industries, and they understand the product very well. That's definitely a competitive edge compared to other firewalls.

Once the design is done, for something simple the deployment can take half a day, whereas for a complex deployment in a data center it can take about five days.

Our implementation plan is divided into different phases. Phase One might be the physical cabling of the firewall device itself. Phase Two would be the logical setup, which means defining the interfaces and the virtual setup of the firewall itself. The final phase would be to bring it online in parallel with production, in a non-prod service, and test it to ensure it works as per the design.

What was our ROI?

A customer I'm working with right now was running with Check Point and they wanted to move to Fortinet firewalls. However, when I worked with them on the design to upgrade the existing Check Point firewalls, what we worked out was that even though the Fortinet might have seemed like a cheaper option, it didn't have the security capabilities that Check Point is offering. On that basis, the customer signed off on a project for upgrading their existing firewalls, on-premise and cloud, from R77.30 to R80.10.

What's my experience with pricing, setup cost, and licensing?

It can be expensive, but it's value for money. What you pay for is what you get. You can go down in price and buy some cheap firewalls, but you're not going to get great support and you're not going to get the level of protection you need. With Check Point you get all of that.

Which other solutions did I evaluate?

With Juniper, one of the biggest downsides is support. The support portal is slow and I won't say the staff is competent in terms of understanding. They're very disconnected internally. What I mean is that the team working on the software development of the firewall has no interface with the support teams that are handling day-to-day TAC cases. They definitely struggle when it comes to understanding challenges, problems, and incidents with the firewalls.

In the past, Juniper firewalls were good, but recently the security offering has just not been there. They don't have anything like SandBlast from Check Point. They don't have up-to-date Zero-day attacks control. They're still running a very old architecture. They can do things like antivirus and URL proxy, but those are very simple features. They have none of the advanced feature set that Check Point has.

Palo Alto is very competitive with Check Point when it comes to security. However, one of the challenges with Palo Alto is that, overall, the solution can be extremely complex and expensive. That is one thing I've heard from customers again and again. Either they have existing Palo Altos or they plan to go to Palo Alto, but when they do a comparison with Check Point, what they find is that the overall value with Check Point is much greater than with Palo Alto firewalls.

What other advice do I have?

If you're looking to implement Check Point as a security solution, definitely do your homework. Do some research, not just in terms of firewalls, but overall security architecture. Which ones are the leaders in the field? Which ones are there to deliver what they promise? And overall, how does the architecture work? Is it secure or not? And does it come from a team that understands how to support the solution itself? Are they consistent? Look at their track record for the past 10 or 15 years, or are they a new player? If they are, you don't know whether they're going to stay in the game or not. A good thing about Check Point is that its core product is security. They've been doing it day in and day out. You know they're there to stay in the game. You can trust them.

Check Point is a proven solution. A lot of customers and clients already rely on it. And for the Next Generation Firewalls, they're coming up with new features as security threats become known.

If somebody wants a secure and stable environment, Check Point is definitely the leader to go to; definitely the number-one choice. It's not only what it says on the box. In reality, I've worked with hundreds of banks and they're happy with the product because it works; in practice, it works. That's the main thing.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Shashidhara B N
Director - Technology Solutions & Services at Connectivity IT Services Private Limited
Real User
Top 20
This best in class Next-Gen firewall is elegant in its ease-of-use and architecture

Pros and Cons

  • "Juniper is one of the most powerful network security solutions while remaining simple to use, set up, and scale."
  • "It could have features that other products support like blade options and stand-alone endpoint security."

What is our primary use case?

For different customers, we use the product in different ways. In some cases, it is going to be an on-premises solution. In some cases, it is going to be a cloud-integrated solution. That is one of the best things about Juniper. We can use a single box and have the same unified policy structure if it is off the cloud or it is on-premises.  

Our primary use case is basically to use it like you would any other firewall. I do not call this a firewall anymore because it has functionality beyond what we traditionally think of as a firewall. Those days are gone where a firewall does just one thing. Today most of the firewall products are station firewalls. You have various options in each firewall station. In terms of comparison, you can compare Juniper with Cisco, with Fortinet, with Palo Alto and other leading products. It depends on what exactly you are planning to have it do.  

What is most valuable?

The most valuable feature for me over-all is that Juniper is simplified and can still do everything that is necessary to be effective. 

On the SRX box, it has what I call a one model concept for security. I work especially with hybrid environments. With an SRX we have a single management dashboard. We can manage the internal framework easily with the centralized management component. You can work with the threat prevention, you can work with the integration, you can work with traffic management. Another good part about SRX is that you have opportunities for automation. Another thing that is very good is that all the operating systems for all Juniper boxes are the same. You do not work on different operating systems using different boxes. 

It does user validation automatically and has automated threat detection and defense. It does threat analytics, which is integrated. So as a single box, it does not just address security, it does not just handle switching, it does not just work as a firewall. It addresses everything.  

What needs improvement?

I have not given a lot of thought as to what needs to be improved because so much of technology and capabilities are expanding.  

Probably Juniper could come up with their own dedicated endpoint security. Today they have an integration with Sophos. If you really look at what SRX has as far as antivirus capability, it is really only the integration with Sophos. Sophos is good, I am not saying Sophos is a bad solution. But Juniper having their own antivirus solution may be a batter idea to make it a stand-alone product.  

If you look at Check Point. They have a lot of experience in the area of security which is integrated with their product. In comparison, Juniper could start developing its own strong capabilities with antivirus and have its own security which may even surpass relying on Sophos. Sophos could improve more but it is definitely a wonderful architecture.  

For how long have I used the solution?

I have around 22 years of experience with various similar products. My experience for the last 10 years has been on Juniper. I have worked on Cisco, on Foundry, and on Xstream. And you can make comparisons with products like Fortinet and Palo Alto next-generation firewalls.  

What do I think about the stability of the solution?

I would rate stability on a scale of one to ten. If ten is best, I would rate a nine-point-five. I would not rate anything a ten in this industry in any case because nothing is perfect and there is always room for improvement. It is very robust. Because the product is robust and very agile that carries over well into the potential for reliability.  

What do I think about the scalability of the solution?

When it comes to scalability, basically Juniper is modular. The SRX architecture is very important. Say I am a small-time customer with 50 people in my company and I deploy on the SRX 300 Series. If my business grows exponentially and I now have 500 people in the company. My traffic has boosted significantly — say about ten times what it was. I do not have to really worry. Within one hour, I can just switch and get a new SRX box in place. Let's say I go with the 500 Series or the 4000 Series. This is my new capacity.

The change over is so simple, because the architecture is common. Whether you talk about SRX 300 or you talk about the service provider architecture, it is the same thing except for the capability to expand and handle the volume. That is very important from a technical perspective, which normally you only need one tech person to deploy.  

For mid-sized companies or even large-sized companies, you have a lot of clients from SRX 300 to SRX 5000 Series and the product line covers all the options. This is from a very basic server-level SRX box to the Next-Generation Firewall and advanced threat mitigation.  

But one thing that scalability should really take into account is that Juniper is an enterprise product. If you are really only talking about using the Sophos UTM or only want to use the product like a firewall, then you should consider a UTM box. If you then want to add an SD-WAN as an additional part of the architecture, the UTM is not the right choice. You just take an SRX box and you have SD-WAN on that. You can have a firewall on that. You can have a UTM on that. You can integrate with the cloud. You can integrate with Linux infrastructure. You can have network security.  

Today when we talk about Check Point, we talk about Next-Generation Firewalls. That includes the Palo Alto Next-Generation Firewall and Cisco Next-Generation. But no one talks about what the definition of Next-Gen is. The only difference about Next-Generation is that it has a staple firewall, by definition.  

If you are a small company and you only have five in your office, obviously you want a secure network. To do this you will buy a simple firewall. When you think of the most simple firewall, people buy a router. Then people buy a switch. Then people buy a firewall. Three devices. I would say, do not buy anything. Just buy one SRX box, which does all the three.  

Now I can also expand the same SRX 300 with a branch location. Let's say, I'm a bank customer. I have branches. Simple, I can now have the simplest of SRX 300 at all my branches or SRX 500. I just connect to my main SRX, let's say a 1500 Series with an SD-WAN topology. The project is done. Simple. I secure my network. I handle my routing. I handle my security. And I have an option for just enabling the license to get the latest threat mitigation.  

For comparison, let's take a very big enterprise network. Maybe I was the head of Informatica at APAC. I am in a situation where I have 6000 R&D developers in the organization. We monitor our total performance. Latency on the firewall should be as low as possible. This is especially critical with the current environment where people work from home. Everyone who is working from home now because of COVID has all their data still in the office and people come onto the network to get connected from home to the office.  

Imagine the load on my firewall in that situation. All the people from inside my organization are sitting outside of the office now accessing the data in the internal network through the firewall. Imagine all the data tracking is coming from all over like an external traffic base. You need to have the proper solution to handle the change in traffic and scalability is the most important factor in this case for successfully running a demanding environment.  

How are customer service and technical support?

Juniper support is very good. But more than the technical support, their documentation is awesome. You can just Google a solution right now by stating your problem. You get into the juniper.net and there is wonderful documentation. As a technical person, I have never seen any technical documentation that is as good. I would say it is awesome. Any person who has an interest to learn, who has the interest to scale his capability with the product, just has to go to the Juniper site and they will get all the information on every one of their products. I think that it is written well enough for a non-technical person to become technical.  

They have different levels of training available. They make it very easy and available for anybody to explore the solution. There are knowledgeable people available in the technical community. It is a very good solution overall.  

How was the initial setup?

I consider the setup for the product to be very easy. A basic technical person can do it. But, a person would need to know the capability of a robust box like SRX to make full use of the capabilities and the right choice of the product.  

You install the box, configure the hostname, a password, and set your IP address. By default, Juniper handles the basic configurations automatically. The control frame architecture is very nice. The whole platform architecture is very good. When you work with that box, you just divide the box into two layers: the top layer and the bottom layer. The top layer is exclusively made for the SRX box. The bottom layer is nothing but throughput where the packets get in and get out. We call it a packet forwarding engine, PFE.  

Initiating the routing packets actually go in the mapping connection between the top and the bottom, which is managed as with Oracle in an internal zone. The box is already secured when an attack happens. Nothing is 100% in the world. So, there is the possibility of an attack but at least the control center protects your network.  

The entire installation is just a couple of hours. It depends on the Oracle sizing. Let's say that you want to work on the agility of SRX, something you really need to understand is where you are deploying this product. It is different if you are comparing an SRX box or the cloud. When you are using an SRX box will it be deployed for a small enterprise, a mid-size enterprise, and a data center. You can have SRX boxes for a large data center. That is a difference in the agility of Juniper SRX compared to Cisco. For example, when I work with the cloud, I have an SRX virtual firewall, which is a high-performance network security in the virtual cloud. It is especially good for rapid deployments. It hardly takes hours to deploy on the cloud.  

When you have a container with a firewall, it is known as cSRX. Which is again, a highly available container firewall. These are used especially for microservices. When you start with a small enterprise you start with either the SRX 300 series or a 500 series, which is a next-generation firewall. It is comparable to the Cisco ASA. Probably the next good product to compare is Check Point. But the SRX product is easier to manage and deploy when compared to Check Point or Cisco.  

For the mid-size enterprise organization, we have the SRX 1400 Series or you can consider the 4000 Series. It is just an appliance. You just plug it in, switch it on, configure the network IP address, and then start configuring the protocols. You enable the licenses there, malware prevention, and all the other features you want by just adding on to the licenses.  

So it is just a matter of choosing the right appliance and from there it is practically plug-and-play. The challenge is not the initial setup and deployment, it is what you make use of.  

Which other solutions did I evaluate?

The main competitors for Juniper are Palo Alto, Check Point, and Cisco. Juniper has a lot of features that are good for engineering. Things like Fortinet and Cyberoam can not really compete with these others when it comes to these important features. Specifically, when you talk about Juniper SRX you talk about cloud deployment. You talk about malware remediation. You talk about reporting analytics. You talk about quarantining or threat intelligence (Unified Threat Management or UTM). You talk about data throttle, control prevention, email, web analysis, and integrated management. It can even just work as a router or assisting layer. It works best especially in large networks — like when you talk about service providers — where you have huge traffic flow. It is built to have flexibility and ease-of-use.  

What other advice do I have?

My advice to anyone considering Juniper as a solution would be to first understand that the product needs to be chosen to fit the environment. You want to get the one right box that has the capacity you need. You have everything you need in the model by just updating your license. You do not have to look for a new box when your traffic remains under the upper limits of the capacity. If you are under the limitations of the capacity, the traffic goes straight out, unimpeded.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Juniper SRX as a nine or even a nine-point-five overall. Additional features that could be added to make this solution a ten that other competitors have would technically make it the best product. For example, Check Point offers Blade Architecture. You just keep adding more and more blades. Because of this, Check Point — especially in the area of their security database — they are quite superior to Juniper. o there is room for improvement.  

When you really study on an enterprise level where Check Point stands out or where Juniper stands out, you have got to look into the way each product fits your needs. I mean Check Point is currently easy-to-use, and very good, global product. It also has quite a good rating from the industry over the past few years. Certainly, someone considering a purchase needs to consider options and trends.  

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
BT
Virtual CIO/ CISO at Kyber Security
Real User
Easy to implement, fairly stable, and supports SSL-DPI

Pros and Cons

    • "From a support perspective, if we're talking tech support I think Silver Partners, Gold Partners, Platinum, whatever level, should have a different number to call. End users can call tech support over at SonicWall if they've paid for support as part of their AGSS or whatever services they bought. The end-user can call, or we can call, however, I don't want to be calling the same line that an end user's calling. I don't want the same response time. I need a different level of expertise."

    What is most valuable?

    Once we moved the units up to the Gen 6 platform, they could support SSL-DPI. We are huge fans of the DPI. That piece is incredibly easy to implement. I'd say probably the most powerful thing about the solution is that coupled with the captured functionality. 

    What needs improvement?

    We've turned the SSL inspection on, and it is a nightmare. It doesn't mean it doesn't work, but it will turn your world upside down for weeks until you tune it and get it right. That's an across the board problem. It's not just TZ. That's TZ's, NSA's, etc. Wherever you're using their implementation of SSL, where you've got to implement a certificate on every machine. Once you even get past that it's still going to be particular and finicky. Banking sites are driven crazy by it every time we turn it on.

    It is trying to lock down outbound traffic so tightly that you get to sites that are already very security conscious. It's just a battle to get the traffic through. Intentional traffic, the traffic you want to get through, seems to be a problem. It will stop almost everything. Too much in fact. I understand the concept. It's just a little threatening. We just had a client sign off on a 6650. Then we send them a scope of work for implementing it. We specifically put a note in there in enormous bold type: "Note does not include SSL-DPI implementation". That is additional. The client responded that  "That's the one piece I wanted you guys to do. I'm scared of it."

    He said, "We're scared of it," and I told him, "We're scared of it too." I said, "I don't know how long it's going to take. And it's going to turn your universe upside down for a week to 10 days to maybe two weeks." He said that he heard that this would be the case. 

    My fear is that the client thinks that we'll say it will take four hours and then, when it turns into 40, try to make us give them the submission for free. 

    Even tiny environments, for example, 10 user environments, once you turn it on, you will spend days tuning it. The last one we did took us 22 hours to get it perfect. We learned our lesson. We slotted in four to eight hours to do it and it took us 16 to 20.

    From a support perspective, if we're talking tech support I think Silver Partners, Gold Partners, Platinum, whatever level, should have a different number to call. End users can call tech support over at SonicWall if they've paid for support as part of their AGSS or whatever services they bought. The end-user can call, or we can call, however, I don't want to be calling the same line that an end user's calling. I don't want the same response time. I need a different level of expertise.

    For how long have I used the solution?

    We've been a SonicWall dealer for 21 years approximately. We've been handling the solution since 1999. I personally didn't start using the solution until 2004.

    What do I think about the stability of the solution?

    Once you get past all the configuration issues, If you are on a rock-solid GA (Generally Available firmware), I don't know if I want to say it's bulletproof, however, the stability is really, really good. I don't sit and worry, thinking, "Oh, God. We know another one's going to fail today." We never think that way about that type of stuff. It's the odd time where we might get hardware failures or random reboots. We've had a couple of SMA units go sideways. Even SonicWall couldn't solve the problem. However, that said, it's rare.

    What do I think about the scalability of the solution?

    There's a couple of different ways to answer the question of scalability. They've built the TZ line wide enough so that we've got enough of a selection to be able to fit most bandwidth and user count situations. It's never going to fit everybody and it's not meant to. It shouldn't. It is a little challenging to try to get one of the boxes to do full wire speed. I'm not so sure inside that box, at the price point, you're going to solve that problem.

    That's why we sold the 6650. One client has got a one gig fiber line and they're in a school. On an NSA 3600, he can't get over 400 on it. I told him he never would. Some days I'd be surprised to get 400, depending on the user count. The TZ lineup is pretty good, however, I'm not so sure I'd use the word scalable. 

    If what we mean by scalable is, "oh, well, I buy a 300 and I buy it for 10 users, but I can scale up to 30 users with that box," the answer to that is no you can't. If you ask "could I scale up to 25 users and move to 200 or 300 or 400 meg?" You can't. We've got somebody in that situation right now and we're quoting a box replacement because it just can't scale that way.

    You can't necessarily scale on the appliance. You've got to get the right size. That's the easiest way to scale. If it's the right-sized appliance for the environment with some headroom then I think most situations users are going to be fine. There's going to be some issues where somebody cheaps out. For example, we worked with a law firm. They bought a TZ 300 because they didn't want to spend the money for the 500. Now they're going to have to spend the money for the 500 anyway because they need to scale up. 

    How are customer service and technical support?

    I don't think they really separate support from line to line. Maybe if you get all the way up into supermassive issues they do. Between NSA and TZ, it's the same level of service that you get on the other end of the phone. To be quite honest, level one support is not sparkling. Level two is usually really good. Level three is usually a combination. You get to level three, and you're almost talking to development or a combination of a crew that's dealing with development and senior technical expertise. Those guys rarely fail us.

    That's a typical support story. The level one guys will read the scripts and don't necessarily fix anything. We've already run through level one through three on our end with my staff. If they can't fix it, talking to a level one script reader is definitely not going to get it fixed. You should be able to bypass those guys if you're a reseller and a long-standing Silver Partner, like we are.

    Which solution did I use previously and why did I switch?

    We've also used Cisco previously. A while back, we used to have Cisco as our primary choice, with SonicWall being our second. That changed when I came to the company in 2004, where SonicWall became our solution of choice. We've got 400 or 500 firewalls out there and we don't plan on changing over to anything else.

    What other advice do I have?

    We're a Silver Partner.

    I'm not an engineer. I was a field engineer for nine years a long, long time ago. However, I'm not typically the one that gets my fingers into stuff, and it would be my engineering and senior engineering staff that do that. That said, I can say that I don't think any of our guys have touched the virtual platform yet.

    We use TZ and traditional NSA tech every day. That's our bread and butter.

    The current version we're using right now is the 600 series, although we do still have some 350 series. 90% of what we use are Gen 6. They're either TZ 300, 400, 500, 600 or NSA 2600, 3600, 4600. 

    We've got a smattering of 2650s that we've rolled out, which have been really, really good. Those are powerful units.

    I'd rate the solution eight out of ten. It doesn't warrant more than that. There's plenty of products I'd give a five to out there, however, for the quality of the product offering, I think an eight is a fair mark.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Get our free report covering Fortinet, Cisco, Palo Alto Networks, and other competitors of Cisco ASA Firewall. Updated: October 2021.
    540,884 professionals have used our research since 2012.