Massive firewall thoughts?


dwright1542

Active Member
Dec 26, 2015
I'm a long-time SonicWall / Cisco dude, which have been working fine for my lowly 75/75 FiOS and slower Comcast connection.

We just got the 1000/1000 FiOS, and none of the firewalls can even remotely handle that speed doing packet inspection / anti-virus / anti-malware. The maintenance costs alone on a firewall that could handle it (like an NSA4600, $2000/yr) don't fit into my budget.

Right now I've got a virtual pfSense firewall up just to play and test the new connection. I'd really like something with UTM features, especially Geo-IP filtering, which has been invaluable.

Other than pfSense, anyone have a suggestion on a supported commercial product?

Evan

Well-Known Member
Jan 6, 2016
Fortinet FG-60/61e
Not full speed with everything on but price is much better than expected for the performance you get.

wildchild

Active Member
Feb 4, 2014
Ubiquiti EdgeRouter Infinity, although that is a pure router.
Another thing to look out for would be the Sophos UTM, although personally I would have that as a secondary firewall/proxy.

Evan

Well-Known Member
Jan 6, 2016
Re 2nd in line...
The suggestion is router to route and either pass traffic through the UTM for IPS or span for IDS-type functions.
It's a very valid config in a large setup, but for home it's extra complexity.

For my 1G fiber connection at home I do this with an ERL3 and then span a port on the switch for other functions.
Having said this, I am strongly leaning towards a Fortinet FG-61E as a UTM solution. I think it will do OK. With 3 years hardware support and UTM updates it's $1360, and they only use ~12W as well, so super power efficient.

Amazon.com: Fortinet | FG-61E-BDL-900-36 | FortiGate-61E Hardware plus 3 Year 8x5 Forticare and FortiGuard UTM Bundle Firewall: Computers & Accessories

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf

Rand__

Well-Known Member
Mar 6, 2014
Ah, OK. If you have a lot of traffic that doesn't need to pass through the UTM then this makes sense.
For SoHo I'd expect most traffic to be in need of inspection, since usually there are no trusted networks.

Why would you shell out >1k bucks for an appliance if you can get the same significantly cheaper or for free (for @ home)? Or is it business?
I mean, I do get the benefit of support/certified low-power hardware, but is it worth that much? O/C to each their own :)

dwright1542

Active Member
Dec 26, 2015
Re 2nd in line...
The suggestion is router to route and either pass traffic through the UTM for IPS or span for IDS-type functions.
It's a very valid config in a large setup, but for home it's extra complexity.

For my 1G fiber connection at home I do this with an ERL3 and then span a port on the switch for other functions.
Having said this, I am strongly leaning towards a Fortinet FG-61E as a UTM solution. I think it will do OK. With 3 years hardware support and UTM updates it's $1360, and they only use ~12W as well, so super power efficient.

Amazon.com: Fortinet | FG-61E-BDL-900-36 | FortiGate-61E Hardware plus 3 Year 8x5 Forticare and FortiGuard UTM Bundle Firewall: Computers & Accessories

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf
I'm pretty familiar with ERs, but I'm not sure really how this makes sense. Wouldn't you want ALL traffic passing thru the UTM? Clearly VPN traffic isn't, but most UTMs have much higher VPN performance anyway.

180Mbps throughput with threat protection. Unfortunately, not even close to what I'm looking for. (FYI, the SonicWall TZ400 is $1100 with 3 years and has 300Mbps malware throughput.)

I'd need the FortiGate FG-200E, which with 3 years is over $6k.

bds1904

Active Member
Aug 30, 2013
pfSense or Sophos UTM on a Xeon E3 or better should get you close. At home I wouldn't expect you to have more than 10-15 clients pulling requests at a time. It's not like it is a 1000-user network.

I personally use a J1900 box with pfSense running pfBlockerNG and Suricata while load balancing a 100/20 connection and a 180/20 connection. It does just fine.

wildchild

Active Member
Feb 4, 2014
Actually the idea would be to let the router handle routing indeed, but also DDoS protection and BGP blacklisting.
If you were under attack, chances are that a UTM wouldn't be able to handle that without choking.
Furthermore, it makes sense to make the attack window smaller by having a shielded DMZ.

This would make sense at home, especially if you are running a physical device and have the option to run a virtual machine as a UTM and forward/reverse/pre-authentication proxy.

Evan

Well-Known Member
Jan 6, 2016
Actually the devices are rather good at DDoS, depending on the type.

@dwright1542 one reason for a device over something else is if you don't run a server 24x7.

Yes, I know running these devices with full UTM you get limited throughput, but they just work and are supported, which is simple.

vrod

Active Member
Jan 18, 2015
You could definitely consider pfSense. I've easily routed 1 gig in a VM and it can take a beating. You also have pfBlocker and are not locked down by licenses. You could either go for one of their appliances or build your own box.

NashBrydges

Member
Apr 30, 2015
You haven't mentioned whether this was for home or office.

At home, I'm a huge fan of Sophos XG. I have it running as a VM on a Dell R230 and can easily reach my full 1Gb download max with everything turned on. The Sophos UTM needed to be installed on hardware to allow for that ability, but its limit of 50 IPs is what prompted me to move to Sophos XG. With 4 cores and 6GB RAM, it screams.

I've tried others like Untangle and pfSense and keep coming back to Sophos XG.

Rand__

Well-Known Member
Mar 6, 2014
Sophos UTM can be installed in a VM just fine. Throughput depends on your CPU's single-thread performance then, o/c, but most modern CPUs are more than capable of this.

NashBrydges

Member
Apr 30, 2015
Yep, Sophos UTM runs just fine as a VM, but not if you want everything turned on AND get the full 1Gbps bandwidth usage. I've tried it. Doesn't work, even with a 3.5GHz Xeon chip.

Rand__

Well-Known Member
Mar 6, 2014
Really? Never noticed.
OK, I don't have a gigabit connection, but CPU utilization was not high with my 200 Mbit and I haven't checked 400 yet.

Evan

Well-Known Member
Jan 6, 2016
Some FortiGates and Palo Altos etc. use ASICs for processing and hence the 2-3 µs latency vs. the ~200 µs delay when using a CPU. For devices like ASAs that use Intel, the throughput is clearly limited by CPU.

I have a 1 gig connection, but do I ever use much more than 200-300M... not really. As long as the first couple of hundred is super fast I won't notice; very small peaks get smoothed over.

dwright1542

Active Member
Dec 26, 2015
It's an office, but very few users; however, LOTS of data. Veeam replications mostly. Maybe a Plex server.

Evan

Well-Known Member
Jan 6, 2016
Just pass the replications around the UTM?
No matter what you end up doing, that would be an idea; policy-based routing isn't an ideal solution, but it would work if you can't use a static route or a static route makes no sense.

dwright1542

Active Member
Dec 26, 2015
Just pass the replications around the UTM?
No matter what you end up doing, that would be an idea; policy-based routing isn't an ideal solution, but it would work if you can't use a static route or a static route makes no sense.
Nah, that's a lot to manage. Not enough time to deal with that. I'm checking out Sophos, but I may need to bite the bullet with a larger SW.

Dww0311

Member
May 19, 2017
Nah, that's a lot to manage. Not enough time to deal with that. I'm checking out Sophos, but I may need to bite the bullet with a larger SW.
You should be able to saturate a 1 gig connection through a Sophos UTM box with just about everything turned on. It's a factor of the processing power that you throw at it and how much memory you give the box to work with.

I run it on an E3-1280 v2 box with 32GB of RAM, with everything turned on, servicing a load-balanced WAN set with total bandwidth of 800Mbit/s, and I can saturate the entire pipeline without topping 35% utilization. Anecdotally (YMMV), I've seen it running on a dual E5-2690 v4 box (24 physical / 48 logical) with 256GB that was able to saturate an OC-48 in a test case without blinking.

Assuming you decide that you just must go ASIC, I would avoid FortiGate. They've gone through several painful firmware releases and their customer support has just gone into the toilet. In that arena, I'd recommend Palo Alto. You do get what you pay for with them, but boy, will you ever pay... :)