Vs Watchguard or Sophos

Looking into PFSense as a solution
We are currently Sophos shop

By the time I buy hardware, presence support, 3rd party web filtering, etc the cost is not that much off let’s say Watchguard

Am I missing something? Why would I use PFSense for business?

You can download PFSense and run it, without restriction (or cost), and explore the feature set yourself, and thus have an informed opinion about its capabilities and worth.

You could certainly do web filtering without enlisting a 3rd party vendor, but I digress.

The most obvious observation is that you can do all of this without actually having to buy the product, unlike your other candidates for firewalls.

PFSense is not always the right solution for reasons you haven’t even scratched on, so yes, you are missing something.

I deploy Watchguards for clients and use pfSense at home. I am comfortable with pfSense, but I am going to leave liability issues with Watchguard and not on my shoulders. I am not going to stand up to an insurance company lawsuit after the client files a cyber insurance claim; I am going to let WatchGuard do that.

I disagree with kphillips-netgate’s take. You don’t need an M590 for most situations. Yes, on paper a NetGate 8200 has a more capable feature set than a T45, but in practice the Watchguard will do what you need it to do. Comparing a NetGate 8200 to an M590 isn’t a practical comparison. Keeping the Watchguard in support allows for services, updates, and hardware replacement for hardware failures.

I don’t use gateway antivirus, or DPI. I think DPI is too much trouble for too little return. I do use WebBlocker, and I definitely use WatchGuard Cloud or Dimension for logging, and I don’t leave a site without Watchguard DNSWatch enabled. I have had a single issue with a false positive with DNSWatch, and it has prevented uncountable issues. I think DNSWatch is one of the more important features in the suite to use. Identity/MFA is something you need to look at if you’re doing VPN/remote access, which in these WFH days is a must. There is a Duo integration, and documentation on both Duo’s and WatchGuard’s side. Simple Duo integration with pfSense is a non-starter.

What are you looking for in a firewall? If you are looking for URL filtering via forward proxy then pfSense is not for you. If you are looking for a firewall that provides reverse proxy, VPN, URL filtering via DNS and many others, you can look into pfSense.

Why would I use PFSense for business?

Depends on the business. Size, number of locations, magnitude of possible loss, insurance considerations, etc.

This post makes very little sense to be honest, but the replies here are good. Seems very troll-like, but the replies are sensible and honest.

I will add in another point about pfSense. It’s not a turnkey product. Ultimately these comparison posts are about a turnkey product solution vs. a more manual setup like pfSense. With Palo Alto I have built-in reporting, NetFlow, and threat prevention taken care of by an actual SOC, with those rules pushed down to me weekly, as examples.
With pfSense you need 3rd party tools for reporting and for NetFlow, and Suricata requires way more hand-holding and tuning (you are your own SOC).
Again, these aren’t “negatives” per se, but if you are looking for overall feature parity then you need to do more on the pfSense side, which does bring up the overall deployment costs.

That is surprising. Can you show a little bit of your math?

Apart from the cost, I value knowing a little bit about what is running on my system. Old outdated code is not cool, Fortinet.

Why are you buying all those things? Sounds to me like the hand-holding commercial router platforms are perfect for you. That is not pfSense’s target market, nor will it ever be.

Can you post a breakdown of devices / costs you are comparing from each of the 3 manufacturers? I think it would help everyone to better understand exactly what we’re comparing here.

That’s not accurate. You can do the same with Sophos XG.

I was mostly commenting on feature parity and pricing parity devices from Watchguard. I’d agree that an M590 or 8200 could be overkill for their setup. I have no idea what kind of size network they’re deploying as they didn’t provide details.

As for 2FA, if you’re using a RADIUS or LDAP backend for your VPN (like Windows AD) you can run the Duo 2FA agent on the backend and it’s easy as pie. Utilizing freeRADIUS as a backend within pfSense lets you also set up TOTP 2FA without needing an external service, but that’s not applicable to all use cases and may not be what someone would be looking for.

Appreciate your feedback. I always love a good discussion on network implementation :)

100% agree with you on most of your points. Liability / Risk / Compliance / Support / etc. are why a lot of businesses veer away from Open Source solutions (they simply want someone to point a finger at when something goes wrong). And yes you’re going to get a whole lot of features from the commercial vendors all bundled in (and depending on vendor, you may actually have to pay for each of these features (or buy a bundle, usually 3 or 4 features is about the same price as a bundle for all features)). But that’s why they cost a lot more, you’re paying for all those features (even if you’re not using them all), the support, the hardware warranty, etc.

But not everyone needs / wants that. Depending on your use case / scenario pfSense or any open source solution might be a better solution. Do you need support? Are you buying your hardware from pfSense (I don’t for example, I mostly run it on rack mount servers which have their own hardware warranty)? Do you need all these things that the commercial firewalls make you think you need? Are there open source solutions to them (probably are, but much more complicated to setup)?

Every installation is different, and I approach every one with an open mind. I’ve even deployed Ubiquiti equipment (against my better judgement), simply because it made sense for their environment / budget.

But also when I’m doing comparisons I try and compare apples to apples, and I don’t believe that OP has done that. He hasn’t even given us a list of what he’s comparing (what models, what are the costs, etc.) He finally did come out and say what’s important to him (which read more like it was cut and paste from a product brochure than reality). But at this point, I think he should stick with a commercial solution, it’s going to give him all the checkboxes (buzz words) that he says are critical.

Oh, and VPN is a good one to discuss. In a lot of my installations compliance requires that we not only do user validation on the connection (username/password/MFA), but that we’re doing device validation as well (you’re not connecting to our VPN from your home device, only from company managed / approved devices). I don’t expect to ever see that available in an open source VPN client (but one can dream), but it’s not an issue for the higher end commercial solutions. Not going to be doing WireGuard or OpenVPN in any of these types of situations.

I came looking for booty.

That’s what I’m seeing, thus I said by the time you put all of this together it’s not much savings vs. a ready solution. So what is the point?

Agreed, I want to see the breakdown by vendor. Watchguard AAA for $XXXX and Sophos BBB for $YYYY and pfSense CCC for $ZZZZ, etc. That will let us know what features we’re trying to compare and costs. I’m still finding it hard to wrap my head around the math.

Do you know the difference between a UTM and a router? Or are you just typing stuff for the sake of typing?

This is what we currently have and what needs to pass our standards.

I’m not. I’m happy with their UTM platform but they are getting rid of it. I’m doing research and looking for replacements. With Sophos UTM we get full stateful inspection, intrusion d/p, GeoIP, SSL decryption, VPN with MFA, app control, web filtering, AV scanning, sandbox as an option, and most importantly amazing logging. Everything is recorded on local SSD. You can see everything in real time without Wireshark.

What we don’t have is DLP, DNS filter (newer Sophos or other vendors do)

*Sophos XG Home Edition

As for 2FA, if you’re using a RADIUS or LDAP backend for your VPN (like Windows AD) you can run the Duo 2FA agent on the backend and it’s easy as pie.

This for sure is a working solution I got. Run Duo Proxy on a server. Have it point to your LDAP and boom… 2FA prompt on a client’s phone. I think 10 clients is free. So if this is an SMB situation they are in a much better secured position.