We need a firewall suggestion for a small business.


BackupProphet

Well-Known Member
Jul 2, 2014
1,095
658
113
Stavanger, Norway
olavgg.com
We currently need a decent firewall for ISO compliance. I've been looking into the Palo Alto Networks PA-500. But there are a lot of other great firewalls out there.

We need one that is easy to manage with minimal training, with VPN and IPS/IDS. We're not looking for the cheapest options either as we consider our time very valuable (And PFSense won't do).
 

wildchild

Active Member
Feb 4, 2014
389
57
28
Well basically you're looking for a vendor box, so take your pick:
Sophos
Fortigate
Cisco ASA
Juniper srx
Edgerouter pro

But all will require some form of end user training.
 

zer0sum

Well-Known Member
Mar 8, 2013
850
475
63
I'd throw Barracuda into the mix as well with their X series firewalls as it has very advanced capabilities with a simple web interface and very good VPN capabilities.
If you need something more advanced or plan to roll out a bunch of them then you can go with the F series instead.

They are a totally different beast to all the other products and are designed and engineered by a large team in Austria.
 

Peanuthead

Active Member
Jun 12, 2015
839
177
43
44
You could also consider Zyxel with their software package (I forget what it's called). I have a couple of USG 50's sitting here if that helps you any.
 

BackupProphet

We're actually looking at a Zyxel box, but it is Zyxel...

Anyone have any recommendations around what you are using yourself? I would love to hear what you use, and why you are happy/unhappy with it.

The thing about PFSense is that it is just too time-consuming. I've used it for years in my home, and I struggled so much with VPN, Snort and so on. Today I just run an ordinary FreeBSD box as a firewall, much simpler and easier to manage. There are other things too, such as no proper support for 6rd, which our ISP uses.
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
Just curious, what's the beef with pfsense?
It used to have the feel of an open source project. Now they're really invested in their hardware offerings (which frankly aren't that compelling) and are borderline hostile to the community if someone even talks about other firewall projects or people selling hardware to run pfsense on. It feels like they wish they'd only ever done a paid version and been a cut rate checkpoint instead of having to deal with a community. On top of that, the performance has been lagging behind Linux based solutions for some time, which is becoming more obvious as more people get gigabit internet connections. Certain network cards that work fine on other platforms fall over at high speeds on pfsense and the only answer is "buy our stuff". Throwing hardware at the problem is the best way to hit performance targets, but that just makes it even less compelling compared to other solutions.
 

RchGrav

Member
Aug 21, 2015
44
28
18
52
Ubiquiti's Unifi Security Gateway Pro keeps looking more and more interesting. It's a newer product than the edge router pro that works within the unifi controller with all of the other diverse network gear Unifi now manages in a surprisingly elegant fashion. Is it perfect? Not yet, but what it does have seems great, and they are really listening to their customer base as their feature set continues to expand. The day is coming when I move into this away from pfSense. I love pfSense but I also agree with some of your sentiments regarding its licensing.. Ubiquiti is pouring everything they have into the UniFi ecosystem and they have pfSense beat on pricing too, which is weird if you think about it.
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
7,641
2,058
113
You could also consider Zyxel with their software package (I forget what it's called). I have a couple of USG 50's sitting here if that helps you any.
Had 0 problems with my Zyxel USG50s, I have 2 here too :) 1 still in service at my parents.
Tons of options in the admin web gui, easy to navigate, etc... only issue I ran into was clicking to 'save' and it not doing it. May be a browser compatibility error, but I just clicked it again until it saved :)
 

RchGrav

Do people trust Ubiquiti still as a firewall?
They have the older edgerouters and the new Unifi Security Gateways.
I've used their AP's and like them a lot, as well as the unifi controller. I've seen the USG do some pretty nifty tricks not typically in other edge products. I really like how it shows you every application with connectivity from each machine IP, and how it does an automatic speed test on an interval and keeps records so when the internet is slow you know why.. and the QOS and VPN's are supposedly very intuitive to configure.
I don't know if I trust the new unifi security gateway yet, but I'm impressed with its features for the price. I think a small/mid size business could do much worse.
 

RchGrav

I haven't used one yet.. but I've seen demos and know people who have used them and they seem to be very happy.. Who knows maybe they don't know any better, haha. I'll admit that the Unifi ecosystem has my attention, well, except for maybe the IP Deskphones.. they may need some attention to bring them up to my standards.
 

zer0sum

I haven't personally found Ubiquiti's VPN setup to be intuitive or feature rich...in fact on the Edgerouter X-SFP I would classify it as a PITA!
Their GUI looks ok, but if you really need to configure things you are dropping to the CLI...which might not meet the OP's requirements
 

RchGrav

I haven't personally found Ubiquiti's VPN setup to be intuitive or feature rich...in fact on the Edgerouter X-SFP I would classify it as a PITA!
Their GUI looks ok, but if you really need to configure things you are dropping to the CLI...which might not meet the OP's requirements
Are you referring to the same product as me? Because I'm not referring to edgerouter.. I'm referring to the new Unifi Security Gateway.


It's pretty sweet.. I'm being serious it's a very nice platform.. it's just not open source and it's their own ecosystem.

Ubiquiti Networks - UniFi® Security Gateway Pro 4

Ubiquiti Networks - UniFi® Security Gateway
 

wildchild

They have the older edgerouters and the new Unifi Security Gateways.
I've used their AP's and like them a lot, as well as the unifi controller. I've seen the USG do some pretty nifty tricks not typically in other edge products. I really like how it shows you every application with connectivity from each machine IP, and how it does an automatic speed test on an interval and keeps records so when the internet is slow you know why.. and the QOS and VPN's are supposedly very intuitive to configure.
I don't know if I trust the new unifi security gateway yet, but I'm impressed with its features for the price. I think a small/mid size business could do much worse.
Edgerouter and unifi devices run the same base software, albeit unifi a bit older version, but they are playing catch up with that.
The hardware base is 100% the same

Only difference is the bits for controller based management, cli is the same
 

CreoleLakerFan

Active Member
Oct 29, 2013
485
180
43
We currently need a decent firewall for ISO compliance. I've been looking into the Palo Alto Networks PA-500. But there are a lot of other great firewalls out there.

We need one that is easy to manage with minimal training, with VPN and IPS/IDS. We're not looking for the cheapest options either as we consider our time very valuable (And PFSense won't do).
ASA 5506-x w/Firepower.

The ASA CLI isn't the most trivial, but support for it is ubiquitous among network engineers. With the releases after 9.5 in the ASA code base it's reached feature parity with Palo Alto (some would argue better) and it's cheaper than the PA500 you're looking at. ASDM/IDM is fairly easy to work with for those less CLI inclined, and if you add-on a SmartNet contract for $120 annually, you have access to Cisco's world-class TAC organization.

BTW, for your stated requirements, you might consider a PA-200 ... the PA-500 is probably overkill, unless you are planning on turning on Wildfire and doing lots of VPN. Same goes for ASA - for what you've stated the 5506-x will suit you fine, but you may look at 5508 or 5512 options if you think the smaller devices can't handle your internal routing/inspection needs.
 

RchGrav


It's screenshots like this that have me intrigued.. I have been using their AP's and am happy with them and have a bunch of gear from their BETA program and it all seems pretty good so far for a BETA. I don't personally have a USG just yet to test...
I love the Deep Packet Inspection feature and the stats pages that relate to it.