Watchguard M390 replacement


nemomaximus

New Member
Dec 10, 2021
7
0
1
It is time to replace the firewalls here and we currently run 2 x Watchguard M390 in HA-mode with 2x10 Gbit expansion ports. I am interested in going open source with something like pfSense/OPNsense, but what kind of hardware should we buy if we decide to go that route?

Need something rack mounted with similar specs...

Should we go for a "standard" server from Dell or similar or is there something better out there?
 

oneplane

Well-Known Member
Jul 23, 2021
845
484
63
It really depends on the specs (not hardware specs but firewalling and throughput specs).

If you don't do anything fancy and just have some rules and some interfaces, you can get by with a C3000 era SoC. If you intend to do IPSec, OpenVPN, IPS etc. you'll want more CPU, more RAM and more modern features for hardware acceleration.

Commercial hardware from OpnSense does list the expected bandwidth, PPS, sessions, rules etc: DEC2752 – OPNsense® Rack Security Appliance – OPNsense® Shop so you can derive what you need from those numbers if needed (table is a bit towards the bottom of the page).
 

nemomaximus

New Member
Dec 10, 2021
7
0
1
Thanks! Very interesting!

We have a lot of VPN traffic so we will probably look at some of their higher end appliances.

How is OPNsense running high availability? Is it working well?
 

oneplane

Well-Known Member
Jul 23, 2021
845
484
63
The HA part strongly depends on what you're trying to achieve; I've had people wanting to do sticky sessions and Load Balancing via the firewall (I would not do that), but also client VPN connections (also not something I'd HA on the firewall - but running them on the firewall with a CARP IP is fine), and other services.

The base NAT and State HA that you actually need (with CARP) is pretty solid, and as long as your other services don't intend on having weird long-lived sessions (i.e. a 10 hour long DNS connection or something weird like that) it is pretty unnoticeable to users if you fail over.

I do think that HA-wise you might be best off doing 'base' things where the firewall is involved using CARP but having other services solved in the applications instead (i.e. retries/timeouts inside applications, they are generally much better off re-connecting themselves in modern implementations). For systems like those from Apple we have MPTCP (multipath TCP) that allows for the TCP stack on the OS to have a true 'endgame' of reliable connectivity.
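The "base NAT and state HA with CARP" described above, written out as an added example in the underlying FreeBSD configuration that pfSense/OPNsense generate from their GUI (this is not the thread's own content or either project's code; the interface names, addresses, VHID and CARP password are constructed assumptions, addresses from the RFC 5737 documentation ranges):

```conf
# /etc/rc.conf on the primary node (constructed example; igb0/igb1 are assumed names)
hostname="fw1"

# Real address of this node on the LAN segment
ifconfig_igb0="inet 192.0.2.2/24"
# Shared virtual IP for clients/default gateway; lowest advskew wins the master election
ifconfig_igb0_alias0="inet vhid 1 advskew 0 pass <carp-secret> alias 192.0.2.1/32"

# Dedicated state-sync link between the two firewalls. pfsync carries the full
# state table unauthenticated, so keep it on a point-to-point cable or isolated VLAN.
ifconfig_igb1="inet 198.51.100.1/30"
pfsync_enable="YES"
pfsync_syncdev="igb1"
# Unicast to the peer instead of multicast on the sync segment
pfsync_syncpeer="198.51.100.2"

pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/sysctl.conf: a recovered node with the better advskew takes the VIP back,
# so failover/failback is decided by advskew rather than by which node came up first
net.inet.carp.preempt=1

# /etc/pf.conf excerpt: CARP and pfsync must pass before any blocking rule,
# and the sync interface must accept nothing else
sync_if = "igb1"
pass quick on $sync_if proto pfsync
block quick on $sync_if
pass on igb0 proto carp
```

The secondary node uses the same rc.conf with `advskew 100` on the alias line and the two sync addresses swapped. Because states are replicated through pfsync, an established NAT session survives the VIP moving between nodes; what does not survive is anything the firewall itself terminates (VPN tunnels, DNS forwarders), which is the distinction oneplane draws above.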
 

zer0sum

Well-Known Member
Mar 8, 2013
850
475
63
Keep in mind that if you go opensource you're only buying a Layer 3/4 firewall.
I absolutely love OPNsense, but it doesn't compare at all to a proper Layer 7 firewall from one of the major vendors like Palo Alto, Juniper, etc.

The Palo Alto 4XX series is incredible for the price when you consider all of the features and how advanced they are from L4-L7
 

oneplane

Well-Known Member
Jul 23, 2021
845
484
63
zer0sum said:
Keep in mind that if you go opensource you're only buying a Layer 3/4 firewall.
I absolutely love OPNsense, but it doesn't compare at all to a proper Layer 7 firewall from one of the major vendors like Palo Alto, Juniper, etc.

The Palo Alto 4XX series is incredible for the price when you consider all of the features and how advanced they are from L4-L7
That's not true. "Proper" layer 7 is arbitrary at best anyway. If you want to do protocol-based analysis you can do that on OpnSense just fine. You can also do it without OpnSense on any bare FreeBSD or Linux install. This is not something special that only PA, Cisco etc. can do.

The only true value those vendors provide is intel feeds (which you can just buy and feed to whatever you want including into OpnSense). Other values that I personally do not value are Cover-Your-Ass and It-is-their-problem which is what their primary reason for existence is.

It used to be that their FPGA and ASIC offloads were a barrier to entry in the networking world, but that hasn't been the case for decades, unless you're doing carrier level or datacenter core switching traffic.
 

zer0sum

Well-Known Member
Mar 8, 2013
850
475
63
oneplane said:
That's not true. "Proper" layer 7 is arbitrary at best anyway. If you want to do protocol-based analysis you can do that on OpnSense just fine. You can also do it without OpnSense on any bare FreeBSD or Linux install. This is not something special that only PA, Cisco etc. can do.

The only true value those vendors provide is intel feeds (which you can just buy and feed to whatever you want including into OpnSense). Other values that I personally do not value are Cover-Your-Ass and It-is-their-problem which is what their primary reason for existence is.

It used to be that their FPGA and ASIC offloads were a barrier to entry in the networking world, but that hasn't been the case for decades, unless you're doing carrier level or datacenter core switching traffic.
Show me how OPNsense can do layer 7 application based filtering, routing, steering, etc.

Within Palo you can build policies based off L7 application detection from any of these 4300+ applications - Application Research Center
 

oneplane

Well-Known Member
Jul 23, 2021
845
484
63
We have about 700 PA devices still deployed in the field (including panorama instances), I'm not exactly new to it.

Layer 7 'steering, routing' doesn't really exist, unless you mean load balancing. It doesn't exist because unless the protocol itself is routing or steering aware, those words hold no meaning, and any software package that pretends otherwise is lying. Granted, the terminology gets re-invented across vendors, but if we stick to plain technical English it at least applies to everything the same.

As for L7 policies, you pretty much do the same in OpnSense: you enable a policy engine of your choice, feed it the set of protocols you want to support and then allow ingress and egress based on those protocols. You can do that interface or zone based, but also floating with additional matchers to apply those policies on non-zonal factors. It doesn't have a concept of VRF or Vsys so you can't do those things, but since you can just add more *sense instances it doesn't exactly matter (unless you don't have automation). Even pfSense had this in 2016 (albeit a crappy experience). It's not something that is unique to PA or any other vendor. Their uniqueness as stated earlier comes from their feeds and hardware acceleration.

As for PA's app ID specifically, it's pretty unreliable and not as useful as the marketing people have been shouting all these years.
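A concrete form of the "enable a policy engine, feed it the protocols you want, allow ingress and egress based on those protocols" approach, as an added example that is not from the thread or from the OPNsense project: OPNsense's IPS is Suricata run inline, and Suricata's `app-layer-protocol` keyword matches the application protocol it detected from the payload, independent of the port. The rules below are constructed; the SIDs, the admin subnet and the assumption that the file is loaded as a custom rule set are mine.

```conf
# Constructed Suricata rules for inline (IPS) mode. SIDs and addresses are assumptions.
# Protocol detection is payload-based, so these rules act on what the traffic is,
# not on which port it happens to use.

# Only genuine TLS may leave on tcp/443; anything else on that port (tunnels, covert
# channels, clients mislabelling their traffic) is dropped.
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY non-TLS traffic on tcp/443"; flow:to_server; app-layer-protocol:!tls; sid:1000001; rev:1;)

# SSH is only permitted towards the (assumed) admin subnet, whatever port it runs on.
drop tcp $HOME_NET any -> !10.0.99.0/24 any (msg:"POLICY ssh to non-admin destination"; flow:to_server; app-layer-protocol:ssh; sid:1000002; rev:1;)

# Do not drop, but alert on outbound flows Suricata could not classify at all;
# these are the gaps to review before tightening the policy further.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY unclassified outbound TCP"; flow:to_server; app-layer-protocol:failed; sid:1000003; rev:1;)
```

Two caveats that follow from how this works: the decision is only taken once enough payload has been seen for detection to succeed or fail, so the first packets of a flow pass before a `drop` applies, and the detector sees protocols, not the applications inside them. Everything carried over TLS looks like TLS to this rule set, which is the limit both sides of the discussion above are circling.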
 

LodeRunner

Active Member
Apr 27, 2019
546
228
43
zer0sum said:
Show me how OPNsense can do layer 7 application based filtering, routing, steering, etc.

Within Palo you can build policies based off L7 application detection from any of these 4300+ applications - Application Research Center
I don't know that it's entirely equivalent to what PA does (I have managed PA's before) but you can get Zenarmor as a plugin for OPNSense.
 

Stephan

Well-Known Member
Apr 21, 2017
944
712
93
Germany
It can't, but it also won't suffer compromise in the next supply chain attack or zero day on a major vendor. Not a month goes by without another big seller being hit. 12 months prior you could read of major layoffs, so I can guess where that was coming from. Fired the wrong people.

On the other hand, the OP is asking for HA explicitly and 10 GBit/s, so this is a commercial support question. True HA in a complex scenario is hard. Many failure modes. Forget Layer 7, because these days everything is HTTPS, so it needs arbitrarily invasive custom CA certificates on every machine, SSL downgrades to non-ephemeral suites like plain RSA, and then a criminal stores something on a Google service for which Chrome has the certificate pinned and won't accept the firewall's fakery, so there is an exclusion just when you needed it. CARP seems reasonable, but the fewer ports are open on the firewall itself the better. For IPSec you probably still need a commercial appliance, for plain OpenVPN not so much.

For the money I'd probably just get a plain x86 1U/2U server box and book an on-site hardware warranty so you get a replacement part within a day or two. And install something myself. If you are just a small cog in the company and not the owner, buy something off the shelf. If the box gets hacked, not your fault. If the box stops working, not your fault. If you are on vacation, let somebody else call support.