I have a client with roughly 60-75 machines on the LAN. They have a Watchguard Firebox X Edge that’s been working well since 2007. Trouble is they only have 30 user licenses. To add licenses, Watchguard wants them to come current on a LiveSecurity subscription and then purchase the licenses on top of that. For that cost, I think it’s worth considering another solution. It really chaps my hide to pay an annual support contract for a firewall when I don’t normally need it. Any suggestions? I’ve used Watchguard and pfSense, and I prefer an appliance as opposed to dropping pfSense on an old PC with a few NICs.
15 Spice ups
greg8172
(Rath006)
3
I’ve had a lot of good success with Sonicwall. Great protection and services and has been very scalable as a company grows. I concur on the support contracts. It seems everyone has their hand out. Sonicwall has support contracts but they have different choices and they are very reasonable. Good luck.
brianreed9675
(Brian Reed - Firewalls.com)
4
SonicWALL is definitively the way to go these days. Bottom line, no matter what firewall you buy you will have the subscription every year. Without the subscription your firewall becomes more useless every day. With all of the blended Internet threats you will be happy to have a firewall that has the latest website filter, antivirus signatures, spyware/malware signatures, intrusion detection signatures and so on.
Of course, we sell the SonicWALL products along with training videos (free for this month). If you need more info just let me know.
You can also trade-in your WatchGuard for a SonicWALL Secure Upgrade model (well worth it!)
3 Spice ups
kelly
(Sosipater)
5
We’re another Sonicwall shop although that may be changing. We’re probably going to be moving toward Cisco as we grow. They are no longer the absurdly spendy proposition they were a few years ago, and they have been doing IPv6 for a while and our phone system and switches are already Cisco.
Sonicwall seems to be the resounding choice. A colleague recommended a used tz170 on eBay. However it looks like the tz170 only allows 25 users. I’ve got at least 60-75 IP addresses on the wire trying to pass through the gateway. Any model recommendations, used or new?
brianreed9675
(Brian Reed - Firewalls.com)
8
For 75 IP addresses I would recommend (if you want low cost) SonicWALL TZ 210 TotalSecure or (for better performance) SonicWALL NSA 240 TotalSecure.
Sonicwall is great. But I’m also a huge fan of the Fortinet Fortigate UTMs.
eric0921
(Eric0295)
10
Fortinet’s Fortigate product line is great. They do not have a user license limit on any of their products, all are unlimited users. I would recommend the Fortigate 60c as it is a similar price to the TZ210. You get 5 gb ports, two wans and a dmz, App control, firewall, wan opt, anti-virus, anti-spam, web filtering, Deep SSL scanning, DLP, wireless control, etc… To renew each year would be about 250.
3 Spice ups
bryandoe
(Bryan Doe)
11
Cisco ASA 5505. You’d want to pay annually for Smartnet but it’s only run me ~$100/year.
We’re currently using a Sonicwall Pro 1260 in our head-office and TZ170s in our two branch offices. The issues we’re having are - the Sonicwalls have been less than reliable, particularly with software / config errors (such as refusing to make a backup config, or just plain refusing to do what has been set - such as WAN failover / balancing that actually works!).
The other issue we have is throughput - our head office is about to get upgraded from 1 x 10Mb over fibre to include a 40/5Mb bonded ADSL second line and the primary is likely to get replaced with something between a 30-100Mb fibre line.
Even with the firewall load-sharing the existing 10Mb and 20/2.5Mb unbonded ADSL (totalling 30Mb down and 12.5 up) we’re just not able to pull more than 20Mb combined (up and down) because the Sonicwall runs up to 90% average CPU from about 8am - 8pm.
If we’re going to have up to 140 down / 105 up (245Mb combined) available in the head office, we need a firewall that will keep up with this and be able to sustain at least 20-50Mb of VPN as part of this.
Is Sonicwall still the right way to go - bearing in mind that we don’t want to spend a fortune?
Am I better off using one firewall for VPN / inter-site VPN etc, and another (software - pfsense etc) for user-web-browsing etc?
We don’t need any email filtering. However web-filtering / AV, etc would be useful if the price is right.
I should also mention that the Sonicwall VPN client is COMPLETELY useless on Windows 7 as it dies entirely about once an hour. This is preventing our Win7 rollout. “Native” (IPSEC / PPTP) etc VPN never seems to work on the firewall no matter how much I RTFM or tinker with it. We need VPN that will be supported by iPhone, Android, Windows, and Macs if required.
1 Spice up
Huw3481
(Huw3481)
13
Looks like I’m in the minority then - Watchguard XTM505 + pro upgrade with 80 users behind it. Installed it at the beginning of the year, happy with it and its performance.
Cost including 1yr maintenance, 1yr security subscription and taxes was less than $1300 - so about $16 per user
We use GTA devices: specifically we have 2 GB800s (which are soon to be superseded) and they have great functionality and were very cost effective.
japes
(Japes)
15
Huw3481 wrote:
Looks like I’m in the minority then - Watchguard XTM505 + pro upgrade with 80 users behind it. Installed it at the beginning of the year, happy with it and its performance.
Cost including 1yr maintenance, 1yr security subscription and taxes was less than $1300 - so about $16 per user
I’ll join your minority.
Watchguard XTM520 + fireware pro 130 users and 30 VPN clients. Great performance. It’s running 1 leased line and 2 broadband lines, and never misses a beat. We pay around £1000 per year - small price to pay for the peace of mind.
I’d go with Astaro Security Gateway 220.
Unlimited users and VPN tunnel. Great firewall!
andynotts
(Andy2830)
17
We’ve a Sonicwall NSA240 here, 70-100 users and our connection is 20meg on a 100meg bearer.
+1 SonicWALL TZ210. Add wireless N if you need it, and definitely get the Comprehensive Gateway Security Suite subscription. If you can’t afford that you can get an unlimited license key for an old TZ, but the new ones have better security and performance. I use 6 of these to run the VPN between our dealerships.
I have used CheckPoint for many years and have had a few clients using SonicWall. I much prefer CheckPoint, the interface is much more user friendly and straightforward. VPN services do not cost extra like Sonicwall. CheckPoint is one of the top rated systems out there. For SMB you could use the Safe@Office 1000 for unlimited users. Don’t remember the cost on it.
1 Spice up
At sites that size, we run dual PIX 515e’s or ASA5510’s and integrate Websense with them and the AD. We rely heavily on L2L tunnels, so we also put in an additional unit as a VPN concentrator.