Currently we have a Sonicwall TZ300 - it's no longer up to the job.

Firewall side of things - great, just not the VPN.

Max concurrent Global VPN clients on SonicWall = 12 … I need at least 75 users to be able to connect concurrently.

Built-in Windows VPN currently being used but need to come off ASAP.

Using Riverbed for WAN acceleration - doesn't work with the built-in VPN (needs to be supported).

Looking to upgrade to a more suitable device.

Running on 1GB fiber - need the throughputs (VPN, firewall etc.) to be able to utilise this.

Currently been given the following as suggestions:

Palo Alto PA-820

FortiGate-100F

Sonicwall NSA 2650

Anyone have other suggestions or recommendations?

Cheers

8 Spice ups

WatchGuard M370 could be another option.

It comes with 150 concurrent VPN users, supporting SSL VPN, IKEv2, L2TP, IPsec… and if you have the TotalSecurity option, even the clientless VPN portal is included.

Check it out… you might like the price/performance/package/…

3 Spice ups

I’ll second the WatchGuard lineup!

2 Spice ups

I’m staring at a brand new Watchguard M370 that I’m in the process of configuring. :slight_smile:

1 Spice up

I just deployed a Cluster of them last month. :slight_smile:

1 Spice up

90% of the replies here will be for WatchGuard. It’s a Texas thing. :wink:

I just had a Sophos XG230 delivered. Have heard good things about the Fortigate also.

If client VPN is a priority, I don’t think SonicWall has a native client. It’s all 3rd-party support. Not sure if that has changed, but I’d look into it. I used them in the past for point-to-point, but that was before Dell sucked them up.

All of them seem to be disposable at this point via the pricing model. You are paying for the service contract. The hardware is throw away. I got my Sophos for $0 with a 3 year subscription.

Having used Sonicwall and Sophos in the past, what tipped me to the Watchguard world was the reporting features via the Dimension software which is included.

With Sophos, I had to pay > $1k/year for a 3rd party tool that did the same as what Dimension does.

Sonicwall has/had a utility, at an additional cost, which didn’t report on everything I wanted.

That was years ago and things may be different now.

And like some of the competition, they offer a competitive upgrade which pretty much gives you the hardware when purchasing a 3-year security subscription.

1 Spice up

Texas? WatchGuard is a Seattle thing!

Client VPN is today built-in in most devices/operating systems by default so one shouldn’t even need a special client for the supported native protocols.

WatchGuard has a WatchGuard SSL VPN client, but the standard native OpenVPN client will also work (I’m using it on Android for years).

The closer the implementation is to native operating system clients, the fewer problems one should expect during implementation/use.

Today most vendors (I guess, not just WatchGuard?) provide configuration scripts/batch files to set up native VPN clients, so you don’t have to play around with certificates and write long ‘how to’ descriptions for users to set things up.

1 Spice up

Not Texas/Seattle here. I will put my vote in for the Fortigate option. I’ve been a long-time user of Fortigates for over a decade now and have about 70 or so of them in service at the moment. No, not the cheapest option out there; anybody who uses them will mention that. The devices are solid, and the features from their security arm (Fortiguard) are definitely top notch if you have a need for them in your network (IPS, AV, web, DNS and layer 7 application monitoring/filtering). You just need to look at the full datasheet to ensure it’s up to the task.

The 100F can do 58K new sessions/second, 1 Gbps Threat Protection throughput, 1 Gbps SSL-VPN throughput, 500 concurrent SSL-VPN connections, and some other stats that probably are irrelevant to most people.

In essence, with all security features turned on, you can still expect 1 Gbps throughput (Internet and inter-VLAN/subnet on the LAN side). If you don’t scan traffic on the LAN side it can push through 10-20 Gbps aggregate. Lots of horsepower.

You might even be able to go down a model or two. Anything below the 100 series isn’t rack mountable out of the box and you’d have to find rack shelves/trays to mount them on. Fortinet makes them and you can get 3rd parties as well. I’ve used such trays to mount 80C and 60E/F units on.

2 Spice ups

Wow, thank you so much for all of the WatchGuard mentions!

I will concur and say that the Firebox M370 is going to be your best bet as this has a recommended user count of 150, which would be more than enough for your current needs and any future growth. Additionally, you have two options when it comes to security subscriptions - Basic Security Suite and Total Security Suite. Basic will include everything typical to a UTM appliance: Intrusion Prevention Service, gateway antivirus, URL filtering, app control, spam blocking, and reputation lookup. Total Security Suite includes everything in the Basic tier but adds advanced malware protection, DNS-level protection, next-gen cloud sandboxing, data loss protection, enhanced network visibility capabilities, and cloud-hosted threat correlation and scoring.

Here’s a look at the throughput numbers for the M370 (and the two smaller devices):

If you have any questions, feel free to reach out!

Yes, true; it shouldn’t be needed. However, my personal experience has been less than satisfactory using native OS VPN configurations. They simply have not performed as reliably. YMMV.

@bojanzajc6669

We switched from Sonicwall to Fortigate firewalls 6 years ago, and we upgraded our main office to the FortiGate-100 series earlier this year; we have ~195 employees. The Forticlient SSL VPN is solid, and due to the current work-at-home situation, most everyone is using the VPN. I just checked, and there are 106 SSL VPN connections currently. Firewall and network are taking it in stride: 9% firewall CPU utilization, 25% memory utilization, and running about 55Mb total bandwidth. Fortigate also works with Azure for MFA authentication for the SSL VPN, which is what we are running, so it’s the same authentication method for the employee as our Office 365.

The SSL VPN licenses are included in the cost of the Fortigate firewall, along with a lot of other features.

When comparing firewalls, make sure all your business requirements are determined, then take into account all the licenses you need for each feature, like SSL VPN, IPsec VPN, intrusion detection, etc., as well as performance, security, etc.

Watchguard here!

M470s in cluster at HQ and T30s, T35s, and T50s in the field.

Moved from Sonicwall, was the best thing we ever did.

2 Spice ups

I currently have a SonicWall NSa 2650 and have not had any issues with it.

Previous job we went from old Sonicwall to PaloAlto, then to Fortigate; I don’t remember what models, but we had good luck with those as well.

Upgrade to an NSA, import your config and be done with it. Why change? You’ll save money, have a huge learning curve and it’ll be a non-event. I run an NSA 5600 with 12 TZs at remote locations with tunnels to all of them, rock solid.

We are running an (older) NSA 2400. Never fear, replacing it was on our agenda for this year. Yes, it requires you install their VPN client, either the Global VPN client or their SSL VPN client, but that takes all of ten seconds.

It came with ten Global VPN client licenses and two SSL VPN licenses, which was enough for our needs at the time. Last week we had to add ten more Global licenses, which was a same-day thing. We have seen no performance issues, but with only 20 concurrent remote users there had better not be any.

I will admit that my exposure is pretty limited. My previous job I did not work on the team that handled network hardware, so the ~60 firewalls and ~35 Riverbeds were outside my scope beyond helping them get LDAP connections for user authentication. Current job we put the 2400 in ten years ago and it is still cranking away.

I have experience with a FortiGate 100E and it has been rock solid. We use it for a small school district of about 900 students and 70 faculty. We currently have the SSL VPN portion setup so teachers and administration can access network resources. No issues here!

1 Spice up

I have been using WatchGuard firewalls for about 10 years after wanting to gouge out my eyes when looking at SonicWALL’s interface. They are great firewalls.

Regarding your “Built in windows VPN currently being used but need to come off asap” comment, which built-in VPN? Windows 10 and IKEv2 VPN with 2FA is easy to set up and much faster and more stable than an SSLVPN agent, in my experience.

Test your current firewall to see if it can block executable file downloads in HTTP and HTTPS traffic. I just pick a random printer driver to try to download, and if it offers to save the file, it already failed the test, because malware can get pushed silently. I block those random downloads.

http://download.brother.com/welcome/dlf004709/DCP-330C-inst-win7-A2.EXE

https://download.brother.com/welcome/dlf004709/DCP-330C-inst-win7-A2.EXE

I sold a WatchGuard Core X550e many years ago to a new client whose in-house IT guy said that he spent 20-25 hours per MONTH cleaning up infections, month after month. With the WatchGuard and MY configuration, he went five years ten months WITHOUT A SINGLE INFECTION, then he added an Any rule because a whiny user couldn’t look up an appliance repair shop. BOOM! CryptoLocker! This was the company’s in-house IT guy, so I had no control over his changes. The sad thing is that he could have allowed the appliance site without opening the firewall completely, and the CryptoLocker download would not have happened.

Gregg

We switched over from ASA to Palo a few years ago and could not be happier. They work really well but the interface has a bit of a learning curve.

Forgot to mention - that’s ridiculous. The windows VPN is absolutely fine, and 100% configurable with scripts and GP. Why would you want anything else?
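The vendor-style setup script mentioned earlier in the thread (configuring the native client so users need no agent), applied to the Windows built-in IKEv2 VPN that the last two replies recommend, as an added example that is not from any poster here. Server name, connection name and internal prefix are placeholders; the gateway is assumed to terminate IKEv2 with EAP user authentication (which is where MFA/RADIUS would plug in).

```powershell
# Added example, not from the thread: provision the Windows native IKEv2 client
# machine-wide, the way a vendor-supplied batch/script would, so no agent is needed.
# Run as Administrator. Placeholders below are assumptions, not real values.
$ConnName    = 'Corp-IKEv2'
$VpnServer   = 'vpn.example.com'   # placeholder gateway FQDN (must match its certificate)
$InternalNet = '10.0.0.0/8'        # placeholder: the only prefix routed through the tunnel

# Remove a stale profile of the same name so the script can be re-run safely.
if (Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -AllUserConnection -Force
}

# All-user profile, IKEv2 only, EAP for user auth; credentials are not cached.
Add-VpnConnection -Name $ConnName `
    -ServerAddress $VpnServer `
    -TunnelType Ikev2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -SplitTunneling `
    -AllUserConnection `
    -RememberCredential:$false `
    -Force

# Pin the IPsec proposal explicitly; the Windows defaults still negotiate
# older algorithms if the gateway offers them.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -AllUserConnection `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup PFS2048 `
    -DHGroup Group14 `
    -Force

# Split tunnel: route only the internal range via the VPN (assumed prefix).
Add-VpnConnectionRoute -ConnectionName $ConnName `
    -DestinationPrefix $InternalNet `
    -AllUserConnection

# Show what was provisioned so the result can be checked before deployment via GPO.
Get-VpnConnection -Name $ConnName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling
```

Deploying the same script through a Group Policy startup script gives every domain machine an identical, auditable profile, which is the point the reply above makes about the built-in client being fully scriptable.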