  1. #1

    Join Date
    Sep 2011
    Location
    Cambridgeshire
    Posts
    185
    Thank Post
    2
    Thanked 14 Times in 13 Posts
    Rep Power
    14

    WatchGuard alternatives

    Evening all,

    We currently run 2 WatchGuard firewalls, the XTM510 in both cases.

    One runs a 10Meg BT leased line and the other a 100MB BT leased line.

    Our current policy is to replace the firewall every 3 years, as it usually ends up being cheaper or a better deal to just buy new ones with 3 years full coverage than update the licensing on the old ones (or has the last 2 times). One X750e from the last refresh is currently being pfsensed and is going to run my home network.

    Now I have more clout, I would like to move away from WG, as I find them clunky with sporadic updates, a major list of bugs (I think it was one of the earlier 11.x updates ran the firewall for around a minute and a half and then CPU hit 100% and it locked up completely, WG just said wait for the next update!) and I think they could do better in handling our traffic (probably not scientific, as it depends on the testing end too, but speedtest.net usually shows us at 80 ish meg down and half that up).

    Don't get me wrong, they do the job to the extent they work, but there must be better out there.

    What do people suggest for the size of our 2 lines? The 100meg one also hosts about 20 websites, including VLE (Moodle 2.3) and other animals, and around 10 VPNs at any one time from home users, and 3 branch office full time VPNs.

    We aren't due to change till the end of this year, but I want time to investigate alternatives, so I can present my findings to SMT when the time comes.

    Oh and the emphasis is on security as much as throughput, application based with group targeting would be lovely, as there are a few students who manage to install Spotify on completely locked down computers in our computer rooms!

    Thanks

    James

  2. #2

    Join Date
    May 2009
    Location
    Leeds
    Posts
    360
    Thank Post
    171
    Thanked 50 Times in 45 Posts
    Rep Power
    33
    Barracuda NG Firewalls might be worth testing - I'm sure you can get a free trial of their kit.

  3. #3

    Join Date
    Jan 2009
    Location
    England
    Posts
    1,401
    Thank Post
    306
    Thanked 307 Times in 265 Posts
    Rep Power
    82
    We've been running with a Palo Alto firewall since June last year. Absolutely love it. We tried all the major vendors (Fortinet, Watchguard, Sonicwall, Barracuda, Cisco, Juniper, Checkpoint etc) and Palo Alto blew them all away.

    We moved from a Juniper SRX to Palo Alto.

  4. #4
    sdc
    Join Date
    Apr 2008
    Location
    Dorset, UK
    Posts
    312
    Thank Post
    53
    Thanked 42 Times in 37 Posts
    Rep Power
    42
    We're actually running a Watchguard XTM 820 and it handles our traffic very well - around 1000 client connections, plus all our inbound, and it handles all our intra-VLAN routing (it's the default gateway for all the VLANs). It also handles our main 100mb Internet connection and our backup ADSL link, with automatic failover configured. All of this and with WebBlocker and SpamFilter enabled, the loading and traffic indicators hardly register a thing.

  5. #5
    cpjitservices
    Join Date
    Jul 2010
    Location
    Hessle
    Posts
    2,560
    Thank Post
    529
    Thanked 295 Times in 271 Posts
    Rep Power
    84
    Pfsense.

    Which you CAN run on a WG, for free might I add. Better than WG Software.

  6. #6

    Join Date
    Sep 2011
    Location
    Cambridgeshire
    Posts
    185
    Thank Post
    2
    Thanked 14 Times in 13 Posts
    Rep Power
    14
    While pfSense is fine for my home network, I would have great problems proving to SMT that something I've cobbled together myself matches up to a full paid-for UTM appliance!! I know it can, but proving it to them is another matter!

    Thanks for the replies, interesting so far.

    James

  7. #7

    Join Date
    Dec 2009
    Posts
    914
    Thank Post
    98
    Thanked 184 Times in 159 Posts
    Rep Power
    55
    Quote: Originally posted by Soulfish
    We've been running with a Palo Alto firewall since June last year. Absolutely love it. We tried all the major vendors (Fortinet, Watchguard, Sonicwall, Barracuda, Cisco, Juniper, Checkpoint etc) and Palo Alto blew them all away.

    We moved from a Juniper SRX to Palo Alto.
    Out of curiosity what was the price like? A few people on here say Palo Alto is very good but expensive... just curious what your experience of this was.

  8. #8
    cpjitservices
    Join Date
    Jul 2010
    Location
    Hessle
    Posts
    2,560
    Thank Post
    529
    Thanked 295 Times in 271 Posts
    Rep Power
    84
    True true, SMT do play a hard game of ball.

    However pfSense is for more than just home, I have it on a network of over 500 people ;P lol

    I have a meeting with Palo Alto next week, looking forward to it!

  9. #9

    Join Date
    Mar 2011
    Location
    Manchester
    Posts
    43
    Thank Post
    0
    Thanked 10 Times in 10 Posts
    Rep Power
    9
    Hi,

    It will in many ways depend on what exactly you are trying to get out of the firewall. We are partners with Palo Alto and SonicWALL, but each leads in a different way. The Palo will lead with application control and the idea of being able to control which applications can be used across a network. Firewall rules are then built from that. SonicWALLs will lead with firewall rules and then move on to application control.

    We can arrange trials of both if you are interested and I will PM you with our details, so you can use them if they are of interest.

  10. #10

    Join Date
    Mar 2011
    Location
    Manchester
    Posts
    43
    Thank Post
    0
    Thanked 10 Times in 10 Posts
    Rep Power
    9
    Quote: Originally posted by RTFM
    Out of curiosity what was the price like? A few people on here say Palo Alto is very good but expensive....just curious what your experience of this was
    You can start with a PA 200, if you are only doing about 40 - 50mb/s of real world traffic and they are under £2k.

  11. #11

    Join Date
    Sep 2011
    Location
    Cambridgeshire
    Posts
    185
    Thank Post
    2
    Thanked 14 Times in 13 Posts
    Rep Power
    14
    All very interesting.

    Now I've had some time to go through it, it would seem this time next year we will need 1 large device for the 100mbit, 1 medium device for the 10mbit (as it is a DR failover for the main site), and additionally 2 small devices for another 10mbit and a 4mbit EFM. I have managed to get them all to end at the same time, giving me some buying power! The other 2 devices are both, at the moment, TZ210 SonicWalls, which are EOL soon enough anyway.

    So added to my list is a centralised management console, so I can add sites to the blockers etc in one place rather than 4 places! Would be bliss!

    Thanks for the input so far, and while the Palo Alto looks nice, it does seem on the steep end of things, does it have any extra functionality that warrants this/would enable me to sell it to SMT?

    James

  12. #12

    Join Date
    Mar 2011
    Location
    Manchester
    Posts
    43
    Thank Post
    0
    Thanked 10 Times in 10 Posts
    Rep Power
    9
    Hi,

    Personally I would have gone for a failover pair of firewalls with a couple of switches that you could then connect all of your different circuits into. I am presuming there is no real reason why they all have to be separate firewalls as you can do all the nice firewalling and failover in one box really. If you are doing full DPI etc on the firewalls then I would suggest if you wanted to stick with a SonicWALL, then something along the lines of a NSA 3500 or 4500 and if you wanted a Palo Alto probably a 2020 or 2050 would be fine. Palo are a little better on the DPI throughput so as a result you sometimes don't need such a hefty box.

    More than happy to have a chat at any point.

  13. #13

    Join Date
    Sep 2011
    Location
    Cambridgeshire
    Posts
    185
    Thank Post
    2
    Thanked 14 Times in 13 Posts
    Rep Power
    14
    Sorry, should clarify the DR is at another location. So 4 centres, 4 leased lines, hence 4 firewalls.

    Thanks

    James

  14. #14

    Join Date
    Mar 2011
    Location
    Manchester
    Posts
    43
    Thank Post
    0
    Thanked 10 Times in 10 Posts
    Rep Power
    9
    That makes more sense. The 100mb/s link is the only one you need something more meaty on, but only if you are doing full deep packet inspection and application control. If it is just firewalling then an NSA250 upwards will do the deal on the SonicWALL front or a PA200 upwards on the Palo side of things.

  15. #15
    MicrosoftTechy
    Join Date
    Apr 2010
    Posts
    78
    Thank Post
    1
    Thanked 6 Times in 6 Posts
    Rep Power
    11
    Amazing bit of kit. Packed full of everything you could EVER need! 4000 Security Appliances | Check Point


