Firewall & VPN recommendations for an organisation of about 60 people

Forums › IT Pro and developers › Firewall & VPN recommendations for an organisation of about 60 people

1 | 2 | 3

6183 posts

Uber Geek

Trusted

#703576 19-Oct-2012 15:33

BarTender: Still think pfSense is the best option especially if you have a Virtualised environment with spare capacity. Just dedicate a network cards to routing out to the internet, and since it sits on your ESX server / SAN, if that blows up you're dead in the water anyway. So no need to purchase new hardware.

Come on Laurence... Pull out the geek card and make it happen :)

What works for Geeks doesn't necessarily work for a business that requires support and has no in house tech capability!

But it's worth thinking about I guess since they are about to a virtualised environment with all new kit.

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/rooms/32019730 Mention GZ to get a 10% discount

System One: PS3 SuperSlim, NPVR and Plex Server running on Intel NUC (C2D) (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Odroid C2 running Kodi and Plex, Panasonic 60" 3D plasma, Samsung Q80 Atmos soundbar. Google Chromecast, Google Chromecast TV

System Two: Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen, Denon AVRS730H 7.2 Channel Dolby Atmos/DTS-X AV Receiver, Samsung 4K player, Google Chromecast, Odroid C2 running Kodi and Plex

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

Ragnor

8085 posts

Uber Geek

Trusted

#703609 19-Oct-2012 16:31

If there is no in house IT, a supported managed solution from an established reputable provider is probably the way to go.

I've dealt with http://www.ifm.net.nz/ and http://www.networkpro.co.nz/ before and they were both pretty good.

It's pretty expensive though.

If they have no VM server and you still want to look into pfsense:

You could install pfsense on two ALIX boxes or other commodity hardware, eg: mini ITX and charge them a monthly fee for support yourself.
http://nicegear.co.nz/single-board-computers/pc-engines-alix-2d2/
http://nicegear.co.nz/accessories/pc-engines-case-for-alix-2d2/
http://nicegear.co.nz/accessories/pc-engines-poe-injector-for-alix-boards/

http://www.minecraftforum.net/topic/1447486-building-a-pfsense-mini-itx-firewall-box/
http://forum.pfsense.org/index.php?topic=32383.0;prev_next=next
http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense

The DIY/pfsense router is far far cheaper

jackk

53 posts

Master Geek

#708701 29-Oct-2012 21:02

i would go with sonicwall, not fortigate.

fortigate i found they are too buggy. Quite a lot of random errors that might require firmware upgrade or reboot. Although most configurations can be done in GUI, but some functionalities are only available in CLI, while some require both GUI and CLI configurations. Which is very annoying!

Jeeves

301 posts

Ultimate Geek

#709039 30-Oct-2012 11:22

jackk: i would go with sonicwall, not fortigate.

fortigate i found they are too buggy. Quite a lot of random errors that might require firmware upgrade or reboot. Although most configurations can be done in GUI, but some functionalities are only available in CLI, while some require both GUI and CLI configurations. Which is very annoying!

On the contrary, I have felt the Sonicwalls that I have worked with have been buggy and not as user friendly as the FG.

Fortinet put out new firmware very regularly, and are about to come out with a flashy new OS that is supposedly very good (I haven't had a look yet).

Whilst you are right about some config being required in CLI, it's generally some of the niche stuff, and it's usually just to turn features off or on. A lot of CLI only config is stuff that is on it's way out anyway (Like PPTP or L2TP VPN setup).

They do have bugs, sure. But what device doesn't? I haven't come across any bugs yet which are anything more than an annoyance. Nothing that impacts the core functionality of the FW.

Each to their own really. Being in charge of 30 odd fortigates makes me slightly (ok, a lot) biased towards them - but I was thrown into this position and was a bit cynical of them in the beginning. They old versions of the OS (anything pre V4) are ugly and weren't nearly as nice. But now that I have worked with them, I think they are a great little device.

jackk

53 posts

Master Geek

#709114 30-Oct-2012 13:10

Jeeves:
jackk: i would go with sonicwall, not fortigate.

fortigate i found they are too buggy. Quite a lot of random errors that might require firmware upgrade or reboot. Although most configurations can be done in GUI, but some functionalities are only available in CLI, while some require both GUI and CLI configurations. Which is very annoying!

On the contrary, I have felt the Sonicwalls that I have worked with have been buggy and not as user friendly as the FG.

Fortinet put out new firmware very regularly, and are about to come out with a flashy new OS that is supposedly very good (I haven't had a look yet).

Whilst you are right about some config being required in CLI, it's generally some of the niche stuff, and it's usually just to turn features off or on. A lot of CLI only config is stuff that is on it's way out anyway (Like PPTP or L2TP VPN setup).

They do have bugs, sure. But what device doesn't? I haven't come across any bugs yet which are anything more than an annoyance. Nothing that impacts the core functionality of the FW.

Each to their own really. Being in charge of 30 odd fortigates makes me slightly (ok, a lot) biased towards them - but I was thrown into this position and was a bit cynical of them in the beginning. They old versions of the OS (anything pre V4) are ugly and weren't nearly as nice. But now that I have worked with them, I think they are a great little device.

Yeah I am a bit biased as well, been dealing with 70 or sonicwalls at my last job and they are great but then again those are deployed for various SME. Currently looking after 10 or so fortigate in an enterprise environment and I don't have the best experience with them. Some of the major ones includes GUI admin locked up and rules' hit counters resetting randomly. Support usually ask you to reboot or firmware upgrade (firmware on board was only a few months old) but being in a large enterprise, this is easier said than done. I also don't really like the logging in fortigate, I found that they are not as informative as the sonicwall. Perhaps they are more suited for smaller networks. :P

Jeeves

301 posts

Ultimate Geek

#709756 31-Oct-2012 11:39

Agreed on the logging. It's horrible.
Regards firmware upgrades - I do like the automatic process that happens when setup in HA so you have no or only a micro outage throughout the whole process. Very seemless and I haven't had one fail yet.

jackk

53 posts

Master Geek

#709815 31-Oct-2012 13:04

I really should try the HA upgrade next time. Being a bit paranoid previously and have been upgrading them one by one. :P

I really like the VDOM though!!

Jeeves

301 posts

Ultimate Geek

#710256 1-Nov-2012 10:36

Nothing wrong with being paranoid. But to be safe enough just keep a usb drive with a version of the older OS handy and be on-site when doing the upgrade, so you can roll back if needs be. (again, haven't had a failure/problem yet amongst dozens of upgrades).

lchiu7

6183 posts

Uber Geek

Trusted

#710270 1-Nov-2012 10:51

An issue my friend has is the cost the ongoing support. He was quoted over $1K for monthly support for a Fortigate. He could not understand what that provided.

I would asumeo once the device is up and running, just a quick check every now and then should be enough. Presumably new rules/filters could be pushed out by Fortigate like AV signatures?

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/rooms/32019730 Mention GZ to get a 10% discount

jackk

53 posts

Master Geek

#710283 1-Nov-2012 11:15

Jeeves: Nothing wrong with being paranoid. But to be safe enough just keep a usb drive with a version of the older OS handy and be on-site when doing the upgrade, so you can roll back if needs be. (again, haven't had a failure/problem yet amongst dozens of upgrades).

cheers Jeeves. will keep that in mind.

jackk

53 posts

Master Geek

#710291 1-Nov-2012 11:25

lchiu7: An issue my friend has is the cost the ongoing support. He was quoted over $1K for monthly support for a Fortigate. He could not understand what that provided.

I would asumeo once the device is up and running, just a quick check every now and then should be enough. Presumably new rules/filters could be pushed out by Fortigate like AV signatures?

With regard to the support, do you mean support provided by a managed service provider/IT company to "look after" the box? It is not the actual support license (the support license enable you to log calls direct with fortigate and depends on the license it might give you AV/IPS signatures update as well) direct with fortigate right?

Once the device is in, it should require little attention, unless you require rule/config changes. Probably a firmware upgrade every couple of months and that's pretty much it.

lchiu7

6183 posts

Uber Geek

Trusted

#710502 1-Nov-2012 16:38

jackk:
lchiu7: An issue my friend has is the cost the ongoing support. He was quoted over $1K for monthly support for a Fortigate. He could not understand what that provided.

I would asumeo once the device is up and running, just a quick check every now and then should be enough. Presumably new rules/filters could be pushed out by Fortigate like AV signatures?

With regard to the support, do you mean support provided by a managed service provider/IT company to "look after" the box? It is not the actual support license (the support license enable you to log calls direct with fortigate and depends on the license it might give you AV/IPS signatures update as well) direct with fortigate right?

Once the device is in, it should require little attention, unless you require rule/config changes. Probably a firmware upgrade every couple of months and that's pretty much it.

I asked my friend and he is not clear on that at all. He was provided this set of services as an example but they are from Fortigate, not the local SI organisation.

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/rooms/32019730 Mention GZ to get a 10% discount

Zeon

3876 posts

Uber Geek

Trusted

#710509 1-Nov-2012 16:53

Haha $1k! crazy. I'll go on using PFsense thanks. These things are generally set and forget (well to a point).

Speedtest 2019-10-14

Chippo

119 posts

Master Geek

Trusted

#710513 1-Nov-2012 16:58

$1000 is insane - that's almost twice what I'd expect the annual renewal to be.

NZ's largest Fortinet importer sells all their Fortinet hardware with at least first year support. That means that there shouldn't be ANY ongoing costs for the first year - for the Fortinet hardware. It's not unusual for a reseller to add managed services though for things like reporting and 2 hour on-site replacement which either aren't part of the standard bundle or which might require additional licencing. If they won't remove those costs; there're about 190 resellers in NZ.

In the little units this "Bundle" also includes all the UTM services turned on. Web Filtering etc. Which is good - you will want them. You can also buy 24 or 36 month bundles if you'd like which is cheaper than renewing annually.

Year two+ you'll need to renew the hardware support (Which provides TAC access, firmware upgrades and hardware replacement if the box dies) and can optionally renew the UTM - You'll still want this. As a rough estimate it'll be about 20-25% of the hardware for everything enabled.

For the highlighted support clause - Advanced replacement is available nationally. Be aware that until the Local RMA is in place these are shipped from Taiwan so take 3-5 days to arrive. That's the main reason resellers choose to offer 2 hour onsite :).

I work for a global Data Protection Software company - But my opinions are my own.

jackk

53 posts

Master Geek

#710582 1-Nov-2012 19:15

For your reference, we have received a quote from a reseller for forticare 8x5 for 7 of our fortigate (various models) recently. it was roughly around 7k including GST. These are 1 year support licenses not including UTM.

1 | 2 | 3