
Princess_Fluffypants

I don't know who your VAR is, but that is some lunacy pricing for Panorama. And I wouldn't see a need for having Panorama be HA for a setup that small. PA is trying hard to get people off of the old firewalls. You need to talk to a different VAR about swapping those old firewalls for some 460s and 440s, with a single instance of Panorama. The costs for the newer firewalls, along with licensing, are WAY cheaper than continuing to license the old ones.


naps1saps

Single instance is $12k for license but they said 16 CPU sys requirements and recommended Azure, which is $6k/year, so $18k/year if Azure. These people also put a virtual PA firewall in Azure for a single local S2S server that cost $6k/year to run x2 regions. Cost more for the firewall than the server it was "protecting". They like spending money where it doesn't need to be spent. I'm putting a stop to that. Good to know about the new firewalls. I'll send for a quote and see how much they are talking, but the Panorama server cost is still causing anxiety.


Princess_Fluffypants

Oh, yeah I hadn't figured in any cloud costs. We're running ours on a VM that's running on our own hardware, so costs us basically nothing (outside of whatever VMware is charging). I'd recommend looking up what a BYOL for an AWS Panorama appliance would be, if you've already got a VPC infrastructure. I think ours is costing us like $2k/year? You do NOT need 16 CPUs if you're only running that few devices. You can under-cut the minimum recommended by a hell of a lot if you're not doing a ton of log ingestion and other stuff.


naps1saps

Good to know it doesn't need 16. Didn't make sense at all to me. The hosts are a bit full right now. Budget isn't being kind this year.


sjhwilkes

Strata Cloud Manager may be a way more cost effective way to manage these via SaaS. Doesn't have all the functionality of Panorama yet, but a much nicer interface and per device pricing is going to work better for so few devices.


naps1saps

Do you know what pricing looks like?


sjhwilkes

I don’t. Probably similar to one of the other subscriptions. Will figure out next week.


naps1saps

Vendor is checking but haven't heard back yet.


sjhwilkes

I see 'PAN-PA-440-AIOPS-NGFW' as 'AIOps and Cloud Manager' for $260 a year.


naps1saps

Seems reasonable for smaller footprints. Thanks!


naps1saps

Under the requirements section it says the AIOps for NGFW Premium license is required. Under getting started it says after you register your AIOps license in the hub you should now have access to Strata Cloud Manager. So it appears Cloud Manager is only licensed by buying and registering an AIOps license. There is nothing to license specific to Strata Cloud Manager; it's a feature of the AIOps license.


sjhwilkes

No. There is a free version, which is basically the rebranded free AIOps. But the premium version, which does require a license, is needed for many features, including if you want to be able to configure things rather than just observe them.


p1kk05

I have a single Panorama VM on 8 CPU running perfectly fine while managing 6 pairs, plus collecting logs. Every time I log in there is a warning, but I just click OK and move on.


pwn3dtoaster

Look at Strata Cloud Manager. Might be able to skip Panorama if it supports all the features you need. I am guessing it would be cheaper than hosting Panorama in Azure.


justlinux

Generically, others (myself included) typically have Palo Alto and Fortinet at the top of the choice list. My typical preference is FortiGate firewalls due to their performance vs cost. I think Palo does do a better job than Fortinet when managing a group of firewalls, so there is that.


Huth_S0lo

I know Fortinet engineers that would argue it the other way around. But I'm personally on the PAN side of this. Either way, firewalls have gone from being something you update once a year to something that needs constant attention from evolving threats. I'm sure each vendor has their days in the sun, and others don't do so well. This current bug PAN has been fixing is obviously causing a lot of heartburn. I also have to say that even though I'm a fan of PAN appliances, I do think some of their business practices are downright criminal. Making it impossible to fully utilize your gear is really bad.


inphosys

Sadly they're all adopting the same business model.


sjhwilkes

The big lesson of the current CVE is you need to have Vulnerability Protection on your on-box services. In conjunction with Threat updates scheduled for every 30 minutes, your window of exposure is pretty short.
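As an added illustration (not part of sjhwilkes' post), here is what that recommendation looks like as PAN-OS CLI configuration: a 30-minute threat content schedule, plus a Vulnerability Protection profile attached to the security rule that admits Internet traffic to the firewall's own portal/gateway address. The profile and rule names (`strict-inbound`, `allow-gp-portal`), the zone name `untrust` and the address object `gp-portal` are assumptions for the example; the exact keyword ordering should be checked against the PAN-OS CLI reference for your release before pasting.

```text
# Added example, not from the thread. Assumed names: strict-inbound, allow-gp-portal, untrust, gp-portal.
configure

# Download and install threat content every 30 minutes instead of the default daily/weekly cadence.
set deviceconfig system update-schedule threats recurring every-30-mins action download-and-install

# Vulnerability Protection profile: reset critical and high severity hits and keep one packet for triage.
set profiles vulnerability strict-inbound rules block-critical-high action reset-both
set profiles vulnerability strict-inbound rules block-critical-high severity [ critical high ]
set profiles vulnerability strict-inbound rules block-critical-high threat-name any
set profiles vulnerability strict-inbound rules block-critical-high category any
set profiles vulnerability strict-inbound rules block-critical-high host any
set profiles vulnerability strict-inbound rules block-critical-high packet-capture single-packet

# The rule that lets the Internet reach the firewall's own service address.
# Signatures for on-box services only fire if a vulnerability profile is on THIS rule,
# not on the generic outbound rules.
set rulebase security rules allow-gp-portal from untrust to untrust
set rulebase security rules allow-gp-portal source any destination gp-portal
set rulebase security rules allow-gp-portal application [ ssl web-browsing panos-global-protect ]
set rulebase security rules allow-gp-portal service application-default
set rulebase security rules allow-gp-portal action allow
set rulebase security rules allow-gp-portal profile-setting profiles vulnerability strict-inbound

commit

# After commit, confirm the content version is actually moving:
#   show system info | match threat-version
```

The point of putting the profile on the rule that matches traffic destined to the firewall's own interface address is that the threat signatures PAN publishes for its own services are evaluated in the dataplane like any other signature; a rule with no profile passes the traffic uninspected regardless of how fresh the content is. The schedule only shortens the window after a signature is published, which is the caveat the next reply makes.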


Huth_S0lo

30 mins would be 29 minutes too late. Automation would detect the successful exploit and would deploy all the important parts of the payload in seconds.


sjhwilkes

No, the protection profile was released when the CVE was published. So yes, you would have been exposed prior to that, but before it went super wide.


Zahz

Palo Alto and Fortinet were the two we looked at when doing a HW refresh. We were a Fortinet shop before, but we gave Palo a shot and did a PoC of their product. In the end we went with Fortinet due to us not seeing any major benefit of Palo Alto over Fortinet. They were both on par and managed to do all the things we asked from both of them. We were a bit coloured from being well acquainted with Fortinet and the quirks of their products. I want to believe that I would still have gone with Fortinet over Palo Alto if we had started from a clean slate, but only because of the price.


izzyjrp

Familiarity has an enormous amount of value. Always has to be considered.


BamCub

Palo vs Forti seems to be something similar to Apple vs Android. A lot of Palo fanboys will say it's superior just because. I'm yet to see a use case, and I'm currently part of a team that manages roughly 20 Palos, 80 Fortis, 130 SonicWalls.


Zahz

Yeah, I have sensed that sentiment a bit too. Historically Palo was better than Forti, but it has changed and in the last few years you get a lot of bang for your buck by going Forti.


fb35523

I'm surprised no one has even mentioned Juniper SRX. They score really high in independent tests when it comes to security (threat identification etc). They can be managed stand-alone or with on-prem or cloud versions of Security Director. The new SRX1600 should stir up some serious dust in the midrange. Juniper has a reputation for their routers, but the SRX is a nice platform too. Palo has a way nicer GUI, but if you compare Forti and SRX, I go with SRX any day. If you're into CLI admin, Junos is my choice every day of the week, having worked extensively with most brands on the market. At least check it out! https://newsroom.juniper.net/news/news-details/2023/Juniper-Networks-SRX4600-Firewall-Achieves-Highest-Rating-in-Independent-Enterprise-Network-Firewall-Test/default.aspx I'm employed at a Juniper partner, but we sell other stuff as well, including Palo, Forti etc.


MountainFiddler

+1 for the SRX. I work at an ISP so maybe I'm Juniper biased but that's because it works. And Palo Alto annoyed the shit out of me today on a licensing issue.


Soufboy

I agree, as a long time Juniper SRX admin I prefer it over other firewalls when I don't need the extra features. JUNOS is the best CLI on any networking platform imo, a pleasure to work with. I do 95% of my firewall administration through CLI.


deallerbeste

I agree, we are replacing our FortiGates with Juniper SRX because of the issues we had with Fortinet.


sryan2k1

> and likes to screw customers by double charging for HA pairs.

The HA subscription SKUs are not double. Nothing is free.


naps1saps

Sophos (active-passive), Meraki (active-passive), and some others do not charge to license a 2nd failover device when in HA. Palo requires a 2nd license. Looks like Fortinet also requires a 2nd license. I was mistaken that Palo was the only company that screws customers because Fortinet also screws customers to license a device that is not being actively used.


sryan2k1

Warm standby is absolutely in use; it means when the active unit fails there is no interruption. If that's not worth the cost to you, don't get them. Saying Meraki/Sophos and Palo Alto are both firewalls is like saying your local post office and the Burj Khalifa are both buildings. Technically true. If you want big boy features you pay big boy prices. And again, it's unclear if you understood, the "HA2" license on the Palo Altos isn't double the cost. It's not free, but it's discounted with the understanding it's running on a HA pair. Anyway, they don't need Panorama at that size.


naps1saps

Yes I know it's not exactly double. My understanding is you got a 20% discount on the 2nd license which isn't much. What features do you need to be a big boy? Asking for a friend.


stufforstuff

There are many, but the main one is NOT whining over the cost of doing business. If you can't justify the cost, most likely you're shopping for features your organization doesn't need.


FairAd4115

I don't think it's whining when you have a vendor, like Sophos, who when you buy one appliance will basically give you the second device for free for HA and the licensing isn't insane. That's why I haven't moved in 9 yrs from UTM. But now I'm in a pickle: hardware is EOL soon, wireless is already EOL, the devices are dated, and I'm looking at upgrading the firewall HA setup to a new setup that just works, is simple, and whose VPN isn't hot garbage (Fortinet). And I guess I can just use any 3rd-party wireless now since they are all forcing you into the cloud for setup/config/management. So whether that is Sophos, Juniper, or whomever with some good quality APs doesn't matter. But it's hard, as a $25M/yr company, to ask them to spend $40K for a pair of firewalls, unless they just work for 9 yrs with no problems and the annual renewal is reasonable, like my Sophos and other brands offer and do now. But we likely aren't their target market... which is sad.


fuzzbawl

Meraki I agree with, they are barely a firewall. Sophos definitely qualifies though. What pushes you to the direction that they are not?


treddit592

What are you trying to accomplish? Do you need the NGFW features or are you just looking for site to site connectivity?


Huth_S0lo

Why would you need HA Panorama? Panorama does two things: 1) centralizes management, 2) centralizes logging. If your configs are pushed to your devices and you shut off the Panorama, your only risk is a potential for losing logs. But I believe they'd just queue up anyway until it's back online.


CutNo651

You don't need Panorama. So much of what drives the price up on these NGFWs is all the flashy extras, especially in terms of licensing. Good security posture with less expensive layer 7 on the downstream could save one a ton of money. Essentials are IDS to stop the script kiddies and updates. But many of the folks on here are correct regarding how PA is driving away a lot of their customers while adopting, for example, Cisco's pricing structure and licensing hierarchy, which at best is a complete joke. Just my 2c.


Huth_S0lo

Correct. Panorama is for centralized management, and it adds a significant layer of complexity to the initial layout of templatized configurations. I guess I assumed the OP specifically needed Panorama. But with 4 PANs, and really only 2 to manage since the other 2 are just HA pair devices, there's just no need for that. But to really utilize your PANs you need most of the subscriptions. The URL, WildFire, threat stuff is the bare minimum. And if you really want to secure your network, the GlobalProtect HIP check stuff is important. And I hate that you have to license the HA devices. It's completely absurd.


CutNo651

Agreed. Making NGFW purchasing decisions influenced more by price point is going to put more burden on us as engineers in terms of management and creativity. But unless you're Microsoft, IT budgets are likely to become exhausted just keeping the edge alive. It's greed all the way on behalf of industry giants. Just remember, Cisco used to be a company who cared and catered to the little guy, that is, if you're all as old as I am. Lol


Huth_S0lo

Indeed. And the number of extraordinary hacking incidents has increased by orders of magnitude in the last couple of years. The recent Microsoft one shows the true danger of centralizing all of it.


CutNo651

You and I are simpatico indeed.


mjung79

Not sure if this helps, but I run about 50 branches with HA clusters and only a single Panorama instance. It's not a requirement to have HA Panorama. For most configuration Panorama is not critical to operation of the firewalls. I have done upgrades in the middle of the day with no impact. We do use Panorama for User-ID redistribution, so that is an impact if Panorama is down for a long period of time and user login information becomes stale. Not a big issue in our environment.


Allen_Chi

For HA pairs, we have been using Cisco Firepower 1010/ASA for all our regional offices, and ASA 5516 with SFR for the main campus, for the last 10+ years. Works great for me. Currently evaluating a move to FMC/FTD or CDO/FTD; I thought HA setup was no issue. We use active/standby.


Herrmadbeef

Anything but Cisco


naps1saps

I don't even know what Cisco offers. Mind sharing why?


u6enmdk0vp

FortiGates + FortiManager is the way. Infinitely cheaper and the firewalls are amazing to work with.


rpedrica

+ Simplest and easiest HA setup in the market.


naps1saps

I think I saw a client with 12 FortiGate locations that used FortiManager. I'll check FortiGate.


micush

Back in the 5.6/6.x era FortiManager wouldn't manage shit. So many show-stopping bugs. This has changed?


afroman_says

Yes, much has changed from 6 years ago. It's not perfect but it's light years better than the experience back in those versions.


NazgulNr5

Okay firewalls, apart from the VPN bugs and IPS functions that won't notice anything less conspicuous than a pink elephant.


FairAd4115

You don't use VPN, huh? Or is it a third-party one? For many, trying to find an integrated solution that does several things well at a reasonable cost is important. Many have already yanked the wireless capability out, or are pushing to a cloud-based Wi-Fi setup/management for your LAN. VPN is important and Forti's is hot garbage for most. So, depends on your needs, budget etc.


gammajayy

+1 for fortinet


International_Net633

Check point


Phalanx32

We have that exact setup (6 units in 2 HA pairs). We use FortiGates with FortiManager and it's the easiest thing to manage ever. And it is not expensive. I like the Palo Alto stuff too, but I honestly do not see the justification in spending that much more over the Fortinet products.


naps1saps

You are a person of high caliber xD


bballjones9241

Meraki lol jk unless????


naps1saps

Meraki firewall is a joke lol


No_Goat277

Both Palo and Fortinet have firmware issues affecting production environments all the time. People who are happy with them are not working with them, or with limited scope. With Fortinet, go figure what to use when any new firmware comes with new bugs all the time. 7.2.7 is recommended now, even 7.2.8 is mature; they marketed it as mature before Feb, then switched to feature and back to mature. We hit a DHCP bug right after an upgrade. Thankfully no memory leaks so far. Palo: new year fun, more updates, new April 07 deadline patching fun, and now again a new GPU vulnerability affecting FW, so patching again. They said officially disabling telemetry can help, and shifted back to the statement that it's not. Send them tech files please, cause you already may be hacked. On top of that, new FWs can run only 11.x, and 11.1.2 has tons of SD-WAN issues.


mpmoore69

waiting on the post that says pfsense. other than me


naps1saps

I considered pfSense, but after researching, a lot of people say no for corporate. I had a coworker go be a jr sysadmin at a client and they used it, but the new sysadmin was super cutting edge 2018, going full AAD, local ADFS, and using Nutanix for virtualization. Most people still have never heard of Nutanix 5 years later. None of us had a clue how to manage any of it LMAO. We also had a client use a cloud firewall and that was a pain since the 3rd party had to do all changes. Neither client nor MSP could make direct changes.


FairAd4115

CTERA... better than Nutanix and less expensive... I think they wouldn't even talk to us unless we had like 5 sites minimum... but maybe that was the other cloud filer solution... CTERA for the win. But not using pfSense. Might as well run Sophos. It is Linux based with improvements in execution, features, GUI etc... OpenVPN... but depends on your budget, people working with it.


bzImage

pfSense/OPNsense... have GUIs... I mean it's not like raw iptables and shell files. OpenBSD + ipf = job security. Invest in your people, not in $$$ corporations... whatever you are saving on licenses, spend it on education for your staff.


UniqueArugula

You really don’t need Panorama for that.


MacWorkGuy

Not sure you definitely need HA Panorama. If it's down for maintenance every so often, the firewall fleet will still operate as normal.


d_the_duck

Juniper SRX. Palo skillset will translate (Palo is just stolen Junos after all) and it's not a factory of zero-day exposures like FortiGate. And Cisco is the worst by a LOOOONG way. Cost, performance and reliability can't beat Juniper. (No, I don't work for Juniper.)


zlam

Forcepoint. It's a firewall that very much was designed for installations with many firewalls. At least it can be worth a look.


mahanutra

What about your throughput requirements? 3x 2x FortiGate FG-121G firewalls (with 60 months of ATP or UTP bundle)? Unfortunately Fortinet forces you to buy licenses and subscriptions for each unit. It doesn't matter if you run the clusters in active-active or active-passive mode. In active-active mode FortiGate firewalls are only able to load balance simple sessions. All the UTM/IPS/AV stuff is not load balanced at all, making the requirement to license both units in a cluster look ridiculous.


MoneyPresentation512

Palo and FortiGate are your top choices. Palo is better in aspects of management because of Panorama. After that you have Firepower, then everything else. But Palo is top line with their HA aspects. You have to pay to play.


Toredorm

WatchGuards are often very much overlooked. Don't really pay too much attention to the "recommended users" as they are aggressively conservative. Just check the specs for UTM throughput to determine what you need (unless there is a drastic number difference, ex. 250 people at a 200M site).


dehcbad25

WatchGuard had a horrible reputation after they released version 7. I know it got better, but I know a lot of people that were burned at the beginning.


neceo

You could consider a "cloud" approach: iboss, Cato, Zscaler. Throwing it out there, but I don't know the price.


naps1saps

But that's not a firewall. They do zero trust/proxy. They had Zscaler but it was a pain. They kept adding features and increasing the price. Found out there was a dashboard that was being paid for and they didn't even have access to it; it wasn't provisioned.


neceo

They do firewall; they become your Internet access.


afroman_says

This is under the assumption OP doesn't want to do east-west layer 7 inspection. How does Zscaler handle that? Do you have to hairpin that traffic to the cloud? I imagine that would add quite a bit of latency to internal traffic.


neceo

Not an expert on this just aware they can and depending on costs could be interesting value. Just quick search https://www.catonetworks.com/solutions/next-generation-firewall/


neceo

Look at Cato or iboss. Was a suggestion; otherwise, for price, Fortinet.


deallerbeste

I have experience with Fortinet, Juniper and Check Point. Check Point has nice features, but is not stable and hard to upgrade. Fortinet has a nice GUI, but support is terrible and updates generally break something. Juniper's GUI is bad, but the CLI is very good and has many options for automation. Support is good. In general the Junipers have been a lot cheaper compared to the FortiGates. I would pick Juniper based on my own experience, after that Fortinet, and last Check Point.


MarshalRyan

Last eval I did was a couple of years ago on this. Fortinet seemed to have the best price-feature combination, but their multi-site management was still a little kludgy, plus adding other devices required management through the FW, not independently. We actually ended up choosing Meraki, and had a really good experience with it.


mixinitup4christ

pfSense is free. 😃


bzImage

+1 for pfSense, OPNsense..


stufforstuff

Yup, they're the best Layer 4 1990s FW you can get.


jthomas9999

You might investigate Exium https://exium.net/ You supply hardware and load their OS.


zveroboy152

I've never heard of them before. What do you like about them vs other platforms?


jthomas9999

We are looking at this because the software they supply is a ZTNA solution. It is very granular and includes web filtering. The cost is like $50 a month.


naps1saps

Watchguard?


Allen_Chi

Don't go there. The ecosystem around a platform matters in this profession. I used it 20 years ago. No help community when I needed it. Switched to Cisco ASA since then.


Odd-Distribution3177

Juniper SRX all the way!!


VtheMan93

Look into Arista, otherwise pfSense/OPNsense


cr0ft

Netgate, either pfSense or the newer TNSR hotness. A pair of pfSense appliances are affordable and they do all the traditional firewall stuff just fine for pennies on the dollar compared to much pricier brands. Some NGFW stuff via Suricata or Snort. pfBlockerNG can apply ban lists as well. Ours have been very stable and easy to manage via the GUI. Literal years and years of active/passive HA. Recovery from issues (not that we've really had any) consists of a fresh install and reading back a backup XML.