Geekzone: technology news, blogs, forums
426 posts, Ultimate Geek, +1 received by user: 5, Trusted
Reply # 710585 1-Nov-2012 19:31

For a FWF-60C the Forticare plus Fortiguard Bundle 8x5 for 1yr is ~$390. That includes 8x5 support, UTM and firmware updates. On a par with other support contracts.

7453 posts, Uber Geek, +1 received by user: 970, Trusted, Subscriber
Reply # 710605 1-Nov-2012 20:27

BTR: A Sonicwall TZ series box might do the trick. They are the entry level box but do both SPI and DPI as well as support site to site and site to client VPN. TZ215 is less than 2K


TZ215 would get my vote wholeheartedly. 24/7 Support with good quality and well trained people.

I think it's also worth noting I support both and I DO like Fortigate and their support, once you get it, is excellent. However, getting support requires a full description of the issue and a full network diagram even for straightforward issues, which is a pain.

3954 posts, Uber Geek, +1 received by user: 26, Trusted
Reply # 710834 2-Nov-2012 09:03

rhysb: For a FWF-60C the Forticare plus Fortiguard Bundle 8x5 for 1yr is ~$390. That includes 8x5 support, UTM and firmware updates. On a par with other support contracts.


What kind of support does a firewall need?  I was thinking for my friend he could have two around with a cold swap available if the primary unit died. That's cheaper than 7x24 support. The cold swap might be slightly lower spec (like a 60C for a 100D)






System One: Popcorn Hour A200,  PS3 SuperSlim, NPVR running on Gigabyte Brix, Sony BDP-S390 BD player, Logitech Revue, Pioneer AVR, Panasonic 60" 3D plasma

System Two: Popcorn Hour A200 ,  Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen. Harman Kardon HK AVR 254 7.1 receiver, Toshiba HD-A2 HD-DVD player, Roku XS media player

Check out my blog at lchiu.blogspot.com

87 posts, Master Geek, +1 received by user: 8
Reply # 710841 2-Nov-2012 09:23

lchiu7: An issue my friend has is the cost the ongoing support. He was quoted over $1K for monthly support for a Fortigate. He could not understand what that provided.

I would assume once the device is up and running, just a quick check every now and then should be enough. Presumably new rules/filters could be pushed out by Fortigate like AV signatures?


Pretty sure your friend meant $1k would be for annual support, not monthly. We have a large enterprise system and that isn't even anywhere near $1k a month.

426 posts, Ultimate Geek, +1 received by user: 5, Trusted
Reply # 710938 2-Nov-2012 12:24

lchiu7: What kind of support does a firewall need?  I was thinking for my friend he could have two around with a cold swap available if the primary unit died. That's cheaper than 7x24 support. The cold swap might be slightly lower spec (like a 60C for a 100D)


You would still need a support contract for each unit as it is activated to the unit's SN. You also need a support contract to use/continue to use any of the UTM features. As mentioned, the first year is bundled with all units sold here.

3954 posts, Uber Geek, +1 received by user: 26, Trusted
Reply # 711137 2-Nov-2012 20:27

Jeeves:
lchiu7: An issue my friend has is the cost the ongoing support. He was quoted over $1K for monthly support for a Fortigate. He could not understand what that provided.

I would assume once the device is up and running, just a quick check every now and then should be enough. Presumably new rules/filters could be pushed out by Fortigate like AV signatures?


Pretty sure your friend meant $1k would be for annual support, not monthly. We have a large enterprise system and that isn't even anywhere near $1k a month.


It was per month and actually $1200. I asked who it was and it's a local vendor who have been in the news recently :-) But apparently it involved active monitoring to see that it was up and other proactive stuff. Still seems a tad expensive IMHO





2296 posts, Uber Geek, +1 received by user: 222, Trusted, Subscriber
Reply # 711837 4-Nov-2012 17:13

My recommendation is Kerio Control

- Built in AV protection on the transparent proxy server (Sophos, compatible with many other AVs)
- Firewall functionality
- User surfing monitoring for computer use auditing, finding staff watching porn
- Web filtering for blocking porn, Facebook, Facebook proxies etc
- Built in VPN server
- URL rules
- Very good reporting
- Runs on Windows (including XP Pro), Linux, or as a hardware appliance
- Bandwidth control eg. large downloads can be limited to a bandwidth pool
- User data quotas
- Internal user database or Active Directory authentication if users are required to login for internet access
- IPv6 support under active development.




Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here




109 posts, Master Geek, +1 received by user: 20, Trusted
Reply # 714051 8-Nov-2012 11:03

I won't recommend a specific model, but coming from an ISP, I can say a few things on this topic.

We regularly see scenarios where the firewall is under-powered and causing performance issues for everything behind it. Sometimes this is because the company decided to cut back on the Firewall/UTM/IDS cost; most often though, we see firewalls getting very old (3+ years) without being upgraded, and because they've "just done their job and kept going" - they tend to be forgotten about.

The hidden cost to a business can be quite nasty; consider having a bunch of designers sitting around waiting for their stock images to download - the longer a performance problem goes on, the more it costs you! Those guys need to be working to their potential!

Especially with UFB coming, the throughput of your firewall (especially with all of those nice features on) is important to consider. Can it do more than 100mbit/sec with IPS on, Anti-Virus on, etc?

I'd argue that more important than a particular brand, is a solid OAM (Operations, Administration and Management) plan for the firewall within your organisation. This will include things like:

- Keeping definitions (and licenses) up-to-date.
- Monitoring performance of the firewall (CPU utilisation, network interface utilisation - i.e., are we maxing out 100mbit/sec of our 100mbit/sec interface? - while I'm at it, beware of 5-minute graphs - if you are getting to 85% of interface speed on 5-minute averages, you are almost certainly maxing out the interface)
- Environmental care (graphing/alerting on the temperature of the firewall is a great idea - this way, you are alerted when the internal fans fail, and your organisation goes offline!)
- Knowing (and periodically revising) the roadmap and product portfolio of your firewall vendor (Is this range being discontinued/cut down? If we upgrade to the next model, do we have to re-configure everything from scratch? A full firewall reconfiguration can cost more than the whole device!)

Some of this stuff sounds costly. In small organisations, it may not be necessary; I think the tipping point is probably 100 users or more, but it depends on the value of your business.
Most managed services providers will consider the above, so if it makes sense to outsource - do it!

2c




“I do not think there is any thrill that can go through the human heart like that felt by the inventor as he sees some creation of the brain unfolding to success... Such emotions make a man forget food, sleep, friends, love, everything.” - Nikola Tesla

Disclaimer: Views expressed in my posts do not necessarily reflect those views of my employer.
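The monitoring point in the post above (interface utilisation, and the warning that an 85% 5-minute average almost certainly means the link is saturating) is easy to see with numbers. The following is an added example, not code from the post or from any firewall vendor: it computes utilisation from SNMP-style octet counters on an assumed 100 Mbit/s interface, handles the 32-bit counter wrap, and summarises a constructed 5-minute window of per-second samples. The counter values and the window are constructed for illustration.

```python
"""Interface utilisation from octet counters, and why a 5-minute average hides
saturation. Added example; the per-second samples below are constructed, not
real telemetry."""

from dataclasses import dataclass

LINK_BPS = 100_000_000   # assumed 100 Mbit/s interface, as discussed in the post
ALERT_FRACTION = 0.85    # the post's rule of thumb for 5-minute averages


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """Octets transferred between two counter reads, allowing for wrap.
    SNMP ifInOctets/ifOutOctets are 32-bit and wrap in under six minutes at
    100 Mbit/s; prefer the 64-bit ifHCInOctets/ifHCOutOctets where available."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def utilisation(delta_octets: int, seconds: float, link_bps: int = LINK_BPS) -> float:
    """Fraction of link capacity used over an interval."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    return (delta_octets * 8) / (seconds * link_bps)


@dataclass
class Summary:
    average: float           # what a single 5-minute graph point shows
    peak: float              # highest 1-second utilisation inside the window
    saturated_seconds: int   # seconds spent at (near) line rate
    alert: bool              # average at or above ALERT_FRACTION


def summarise(per_second_octets: list[int], link_bps: int = LINK_BPS) -> Summary:
    """Compare the window average against what happened second by second."""
    per_second = [utilisation(o, 1, link_bps) for o in per_second_octets]
    average = utilisation(sum(per_second_octets), len(per_second_octets), link_bps)
    peak = max(per_second)
    saturated = sum(1 for u in per_second if u >= 0.99)
    return Summary(average, peak, saturated, average >= ALERT_FRACTION)


# Constructed 5-minute window: 255 s flat out at line rate, then 45 s idle.
# The 5-minute average reads 85%, but the interface was pegged for 255 seconds.
LINE_RATE_OCTETS = LINK_BPS // 8
WINDOW = [LINE_RATE_OCTETS] * 255 + [0] * 45


if __name__ == "__main__":
    s = summarise(WINDOW)
    print(f"5-minute average: {s.average:.0%}, peak second: {s.peak:.0%}, "
          f"seconds at line rate: {s.saturated_seconds}, alert: {s.alert}")
```

The averaged figure looks like headroom; the per-second view shows a link that was saturated for most of the window, which is the behaviour the 85% rule of thumb is meant to catch.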



3954 posts, Uber Geek, +1 received by user: 26, Trusted
Reply # 717034 14-Nov-2012 13:53

My friend for a number of reasons has decided to go with Fortigate. The problem is that the organisation with whom he has the relationship cannot free up people to do configuration for him.

So if anybody can or knows people who can configure Fortigate firewalls, please PM me and I can forward the details.

Thanks





46 posts, Geek
Reply # 720623 21-Nov-2012 10:33

A Sonicwall TZ-215 probably would've done the job, ideally that box sits well for around 25Mbps with all services turned on.

FWIW the fundamental difference between the main firewall brands can be broken into 3 groups of basic tech:

Octeon CPUs: Palo Alto Networks and Sonicwall, both use Cavium Octeon chipsets in their appliances
ASICs: Juniper and Fortigate
Generic Intel based hardware: Astaro/Sophos, Kerio, PFSense, Watchguard, Checkpoint etc

The Cavium Octeon is designed for looking into packets and that type of workflow. So you tend to see much better performance. When doing IPS, App management, AV, these boxes are the best bang per buck. They typically do a single pass inspection on traffic, so turning on 1 layer 7 service vs all layer 7 services makes little difference. Whereas most of the competitors use multipass inspection, so as you turn on each service (IPS/App Management/AV) the performance issues compound - Octeons avoid this problem.

ASIC based stuff makes for good speeds and feeds, generally fast if you don't want to turn any of the IPS or App management on. Once you do you see big performance hits. These boxes also tend to use proxy based ALGs, and suffer latency issues as well as limits on how much they can scan (often limited by tcp sessions and file size). Also they tend to have a limited breadth of scan in protocols (typically don't pick up HTTP on non-standard ports for example). In some brands specific ports can only be used with ASICs for traffic inspection.

Intel based stuff... well... it's just not designed for packet inspection on the wire. Let alone high throughput IPSEC VPN or SSL VPN performance. It's not unusual to see these boxes fall over when talking to a Cavium or ASIC based box's VPN :)  (they get overwhelmed easily). Same as ASICs these boxes also tend to use proxy based ALGs, and suffer latency issues as well as limits on how much they can scan (often limited by tcp sessions and file size). Also they tend to have a limited breadth of scan in protocols (typically don't pick up HTTP on non-standard ports for example).


Every single brand is going to have bugs. Nobody is perfect. So maturity and support from the vendor is always something to look for. And as pointed out above, it pays to measure your current network performance before deciding on which box. You can get tools like PRTG for free (the 10 node limited version) to do some basic network measurements.

Annnnnnnnnnd... DON'T FORGET THE REPORTING ASPECT. Reporting is essential in any decent firewall, always factor this into your decision. 
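The "breadth of scan" limitation mentioned twice in the post above (an inspector that only recognises HTTP on standard ports) comes down to whether the box classifies by port or by what is actually in the stream. The following is an added example, not code from the post or from any of the products named: a port-based classifier next to a content-based one, run over four constructed payloads, so the connections the port-based view would never send to the HTTP engine can be listed. The port set and payloads are assumptions made for the illustration.

```python
"""Port-based versus content-based protocol identification. Added example;
the four payloads are constructed to illustrate the point, not captures."""

import re

HTTP_PORTS = {80, 8080}   # assumed "well-known HTTP" set used by the port-bound view
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"TRACE", b"PATCH")
REQUEST_LINE = re.compile(rb"^(?:" + b"|".join(HTTP_METHODS) + rb") \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


def by_port(dst_port: int) -> str:
    """The port-bound view: HTTP is whatever runs on a well-known HTTP port."""
    return "http" if dst_port in HTTP_PORTS else "unknown"


def by_content(payload: bytes) -> str:
    """Classify on the first bytes of the stream, regardless of port."""
    head = payload[:64]
    if REQUEST_LINE.match(head) or STATUS_LINE.match(head):
        return "http"
    # TLS record: type 22 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03 and head[5] == 0x01:
        return "tls"
    return "unknown"


# Constructed samples: (destination port, first bytes sent by the client)
SAMPLES = [
    (80,   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),          # plain HTTP on 80
    (8443, b"GET /update.bin HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),       # HTTP on a non-standard port
    (443,  b"POST /api/v1 HTTP/1.0\r\nContent-Length: 0\r\n\r\n"),      # cleartext HTTP on 443
    (80,   bytes.fromhex("16030100a5010000a10303") + b"\x00" * 32),     # TLS ClientHello on 80
]


def classify_all(samples):
    """(port, port-based verdict, content-based verdict) for each sample."""
    return [(port, by_port(port), by_content(payload)) for port, payload in samples]


def missed_by_port(samples):
    """HTTP connections a port-bound inspector would never hand to its HTTP engine."""
    return [port for port, payload in samples
            if by_content(payload) == "http" and by_port(port) != "http"]


if __name__ == "__main__":
    for port, p, c in classify_all(SAMPLES):
        print(f"port {port:5d}  by port: {p:8s}  by content: {c}")
    print("HTTP missed by the port-based view on ports:", missed_by_port(SAMPLES))
```

Two of the four flows are HTTP that the port-based classifier never sees as HTTP, and the fourth is TLS arriving on port 80 that the port-based view would wrongly send through HTTP inspection; a content-based first pass gets all four right, which is what "breadth of scan" buys you.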
