Networks Gigabit small business firewall Recommendation

Discussion in 'Hardware' started by Unicorn, 28 Dec 2013.

  1. Unicorn

    Unicorn Uniform November India

    Joined:
    25 Jul 2006
    Posts:
    12,726
    Likes Received:
    456
    As the title says, I am looking for a SB firewall to replace my Cisco PIX 506e in the near future. I have been configuring the PIX over the past couple of days and it presents a major headache any time I try to do anything with it due to the outdated, unstable and unsafe Java version which its web GUI, PIX Device Manager (PDM), requires to run. It's almost less of a headache to configure it via the CLI without running an XP VM and installing archaic versions of Java.

    There's also the fact that it's now a 10+ year old appliance (manufacturing date for the board in my unit is the 19th week of 2003) and is only 10/100 capable, whilst the rest of my network is gigabit. I know with a firewall I should still be able to get away with 100Mbps because my new fibre connection is not going to exceed that now, but it’s time to make the whole network future proof so I can theoretically go above that in the future. My budget is about £500 if I’m going for a standalone/application specific unit, but I have had suggestions for an open source firewall running on standard hardware. Any pointers would be much appreciated, but I might actually try to upgrade PDM on the 506e to enable the use of a more recent Java version to config it, because I need to get another couple of months out of it before replacement.
     
    Last edited: 28 Dec 2013
  2. law99

    law99 Custom User Title

    Joined:
    24 Sep 2009
    Posts:
    2,390
    Likes Received:
    63
    Surely if you did a pfsense build choosing a dual Intel gigabit nic mobo and any low power Intel dual core, you'll have a more powerful firewall than ever necessary for an SMB? Can even build two and use carp for redundancy. Plus you are most likely to be left with a spare pcie slot or two for future upgrades... Let alone benefits of being able to script on pfsense so easily... Fire daily configs off to a nas etc.

    I'm no network guy, but pfsense has been a god send and I'd use it anywhere and everywhere until I'm missing a feature, which serious enterprises no doubt come across. Snort is a great example of something even Cisco are interested in.
     
  3. Votick

    Votick My CPU's hot but my core runs cold.

    Joined:
    21 May 2009
    Posts:
    2,321
    Likes Received:
    109
    Some of the ZyXEL USG kit is worth a look.
    Fortigate kit is also worth grabbing if you can find it for the right price.
    There's one on the bay right now, a FortiGate-800 (GBPS Firewall), starting at £50.

    I'm using the Fortigate 200 which is 100mbps. - This thing was used briefly in the rack in the data-center and put up with a few small ddos attacks, which was impressive for its age.
    Now it resides in my home rack. Solid piece of kit.
     
    Last edited: 28 Dec 2013
  4. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    Fortigate all the way! I have a 40c at home, It's a great piece of kit.
     
  5. Votick

    Votick My CPU's hot but my core runs cold.

    Joined:
    21 May 2009
    Posts:
    2,321
    Likes Received:
    109
    I'm looking at getting a 200B for the dc rack or a new L3 switch. Tough decisions. xD
     
  6. RichCreedy

    RichCreedy Hey What Who

    Joined:
    24 Apr 2009
    Posts:
    4,698
    Likes Received:
    172
  7. Unicorn

    Unicorn Uniform November India

    Joined:
    25 Jul 2006
    Posts:
    12,726
    Likes Received:
    456
    Excellent, thanks guys. I see that the FortiGate 800 has a few 1U fans on it. I presume it's pretty loud and will need to get the same liquid cooled treatment as the rest of my racked hardware? I'm trying to silence the cabinet a little :) Are the FortiGate units relatively painless to configure as well?
     
  8. law99

    law99 Custom User Title

    Joined:
    24 Sep 2009
    Posts:
    2,390
    Likes Received:
    63
    The fortigates I've used (1u rack one. Not sure what model) were really easy to configure... But both at home and at work they lost their configs all the time and would be nonresponsive at times. Guy I worked with had been on fortigate courses etc and configured the work ones obviously. He hates them now and can't figure out why they are so popular, and it is also why I've been using pfsense. It has all been replaced with cisco stuff now at work (old work).

    Probably just bad luck... faulty units perhaps. Support contracts and licencing existed and they couldn't figure it out either. (We used them to look at home ones also)
     
  9. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    I have been selling them for a few years; for the last year there have been a lot of faulty units about, I have noticed it too. This year I have had I think 5 or 6 replaced under warranty.
     
  10. Cleggmeister

    Cleggmeister Of reasonable knowledge...

    Joined:
    12 Oct 2009
    Posts:
    1,140
    Likes Received:
    22
    Sonicwall, or is that overkill?
     
  11. Unicorn

    Unicorn Uniform November India

    Joined:
    25 Jul 2006
    Posts:
    12,726
    Likes Received:
    456
    Not that I know much about them, but I'd guess that SonicWALL is probably overkill for a couple of file servers and half a dozen machines. Of course it's what's on them that determines the security requirements as opposed to the number of systems, but I still don't think it's necessary to spend a huge amount of money on it. Unless I was getting a good price on a lower end model like the TZ 105, I think my money would be better spent on a second hand Cisco, FortiGate or Draytek.

    I'm a bit put off by the reports of reliability problems with the FortiGate units! I wonder if there's any warranty on that eBay FortiGate 800.
     
  12. Andy Mc

    Andy Mc Modder

    Joined:
    23 May 2002
    Posts:
    1,743
    Likes Received:
    133
    I currently have a UTM10 and it's rock solid. Like most devices in this category there is a subscription service for the av stuff (which reminds me I need to get my licence renewed).

    I use mine with a Draytek 120 Ethernet Modem for my ADSL2 connection and it is awesome. The UTM is a little on the loud side for the front room, so I opened it up and put a 7v (I think) fan resistor in on the chassis fan and that cut down on 90% of the noise. It's now a just audible hum when it's quiet, and with the TV on you can't hear it.

    My personal opinion of SonicWall gear is that they suck balls. But it has been a few years since I suffered with them so they may have improved the horrible interface.
     
  13. Votick

    Votick My CPU's hot but my core runs cold.

    Joined:
    21 May 2009
    Posts:
    2,321
    Likes Received:
    109
    I think it's just the new Fortigate stuff.
    The older kit like that 800 seems to be solid.

    Check with Margon.

    Sonic walls = eewwwwwww.

    And I'd stick well clear of Drayteks. Used to be a fan but they seem to have a lot of problems. The company I used to work for must have shipped about 20 back that went wrong.
    They also seem to ship with the wrong firmware on. Common issue we saw was ports would randomly close and need a reboot to start working again. :/
     
  14. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    It's all the new stuff in the white boxes (on one of the training days I have been on with forti - they called this apple white :( ),

    The older stuff in the green boxes, lasts forever. I have countless sites with 50's or 80's, couple of 200's, that have been out there for YEARS and not missed a beat.

    I haven't so much seen that with drayteks - mine just straight up die! haha. They seem to have had a bad year actually this year too if I look through all the units we have replaced or re-sold. Plus there was definitely a dodgy firmware this year, as they had to release a minor update but only to the firmware that was for single band stuff; changed some to that firmware and that solved some problems I had been having.
     
  15. Buzzons

    Buzzons Minimodder

    Joined:
    21 Jul 2005
    Posts:
    3,069
    Likes Received:
    41
    Cisco ASA 5505?
     
  16. jamesn

    jamesn What's a Dremel?

    Joined:
    15 Jan 2012
    Posts:
    185
    Likes Received:
    3
    Exactly what I would suggest too, and I'm a network guy!

    Just bear in mind warranty status, which you won't get with pfsense (except hardware warranty from OEM).
     
  17. Unicorn

    Unicorn Uniform November India

    Joined:
    25 Jul 2006
    Posts:
    12,726
    Likes Received:
    456
    I appreciate that pfsense is a good solution, but for ease of setup in my case you're going in the wrong direction because I'd have to actually build it, plus I'd have to buy a rack mount case for it which runs the price up more.
     
  18. law99

    law99 Custom User Title

    Joined:
    24 Sep 2009
    Posts:
    2,390
    Likes Received:
    63
    Re-use an old one? You can either bring old servers back from the dead or just use the case. We've bought a 1u VoIP PBX before, sold the fxo or fxs cards to effectively get it free (reduced at least - cards are most of the cost in these things) and then gone ahead and made a firewall.

    It is more effort though. There is no two ways about it.
     
  19. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    I just wouldn't be able to put pfsense boxes anywhere. And I love pfsense! All to do with liability and accountability - I want to sell things that when they break, I can send them back, or get them seen to and I am not the person responsible for doing that fixing - pfsense would mean that I would be that person responsible and managing a high volume of sites means that isn't possible. And - customers for whatever reasons prefer to go with a solution that is made and supported by a manufacturer rather than something I have thrown together and promised will work as they want.

    I know this doesn't help you Matt - but that's why I don't use pfsense in production environments. I have a pfsense box at home; if I was an onsite person and was responsible for just one business' IT requirements and upkeep I would likely use it there too. Not saying you should, as while it's your business, like me you are probably always working on clients' stuff. Case in point - I have been trying to get our ticketing system in house up and running for a LONG time; whenever I sit down with it for more than about 10 minutes my phone rings and someone's something is up in smoke or not working properly and the cycle continues!
     
  20. adam_bagpuss

    adam_bagpuss Have you tried turning it off/on ?

    Joined:
    24 Apr 2009
    Posts:
    4,282
    Likes Received:
    159
    Within your budget I'd say a Check Point SG620; they are around £260-300 RRP.

    It's a lovely little box and the Firewall is 1st Class.
     