To be fair, when I think of NetGate I am not thinking of a turnkey product like Watchguard, or Sophos/Fortinet/etc. Now that you are in the discussion, is that how you see a Netgate firewall? I almost always assume someone is using their own hardware, but since NetGate is selling hardware with their software installed, it is similar. I know some would argue the merits of a UTM or buzzword-compliant NextGenFW, but do you see NetGate positioned as a security appliance company for SMBs?
Oh, and VPN is a good one to discuss. In a lot of my installations compliance requires that we not only do user validation on the connection (username/password/MFA), but that we’re doing device validation as well (you’re not connecting to our VPN from your home device, only from company managed / approved devices). I don’t expect to ever see that available in an open source VPN client (but one can dream), but it’s not an issue for the higher end commercial solutions. Not going to be doing WireGuard or OpenVPN in any of these type of situations.
Spot on here and it's often overlooked. There are legit reasons to choose a larger commercial vendor and one of them is those HIP checks - the ability to connect to a corporate VPN from an approved device which should also have an updated A/V database and Windows patches, etc…
OVPN won't ever have that unless there are some really technical dedicated folks on that project. Does that mean I can't roll out pfSense? Well, yes and that's OK. pfSense is A solution in my belt not THE solution. I am happy charging for a Palo Alto deployment just the same.
Well… This is a somewhat nuanced conversation. This depends on business/technical requirements and budget. Let's talk about the Palo Alto security appliance. I know about pricing there. The reality is this… For just one of my datacenters, for a High Availability cluster I need to purchase 2x firewalls. Let's say 3200 series. This alone costs me over 35k. Now we need to add on the subscriptions - threat prevention, URL filtering, A/V - and now I'm already at over 70k. That's just one site. Multiply it now by the 3 other locations I've got.
In comparison I could roll out Netgate 8200s with a TAC subscription and still be under, say… 8k. Throw in the ET Pro ruleset for Suricata which really isn't that expensive (around 1k). Here I need to spend considerable man hours with my SOC training Suricata on what's not a threat. This is laborious. Now I need a server to handle all my flow data. Get at least two from Dell, that's another 5k. Because pfSense doesn't do URL filtering and, let's be honest, I'm not rolling out pfBlockerNG, I need to get something on my endpoints such as Zorus or Cisco Umbrella or Zscaler. Depending on how many seats you have, this is where the costs may go up substantially.
Regardless, I can guarantee you I'm still under 70k, which is what I'm paying for Palo Alto for one location. Does that mean I'm going for pfSense? No. Because of the environment I am in we need to choose a vendor like Palo, and their suite of tools is fantastic. AIOps is awesome. That said, this all comes at a price.
pfSense is A solution not THE solution. There are scenarios where it's a perfect fit such as SMB, maybe a midsize perimeter firewall or perhaps on a segment which needs a simple NAT box or even a VPN concentrator.
Lastly, as I stated, folks are comparing pfSense to a larger commercial vendor but that's not entirely fair. PAs and Fortigates and Ciscos give you turnkey products but at a high cost. pfSense's total cost is in the man hours that are required to set up your infrastructure to support it and its add-ons. This isn't a negative per se but needs to be factored in. There are the technical limitations of pfSense such as no support for SAML/SSO, for example. No ability to lock down local accounts with MFA. Do I think that's disqualifying? In certain situations it absolutely is. You have to look at the complete picture of a solution. Going based on cost is one piece but should not be the only piece, otherwise you put your network and the users in a very bad and compromising position.
UTM is a marketing buzz word. Most UTM solutions try to do “All the things” and don’t do any of them exceptionally well. Even some devices branded as “router” have stateful packet filtering and edge security features. You’re correct that “router” should be just that: a thing that routes packets, but marketing people like to play fast and loose.
I’ve worked with pretty much every firewall/UTM/router/Next-Gen Firewall/Security Appliance/[Insert other name that is likely meaningless here] vendor in the 15+ years I’ve been working in computer networking. That said, I have the most experience with Cisco Meraki (working in the MSP world), Watchguard (Managing a fleet for a school district for 5.5 years), Sonicwall (formerly CSSA certified), TNSR, and pfSense Plus.
Most perimeter device branding is like IT job titles: Useless fluff. What is really important is:
- Is it stateful or is it stateless?
- What features are they touting that the appliance can do?
- Is it trying to be one/a few thing(s) really well or a lot of things sorta OK to terrible?
- What kind of bandwidth can you push through the device when you’re using or not using the above features?
pfSense Plus is a stateful firewall first and foremost centered around open source technology on FreeBSD utilizing pf (packet filter). It also supports things like suricata/snort for IDS/IPS, pfBlockerNG for GeoIP, Alias list, and DNS-based filtering, HAProxy for Reverse-proxy functionality, Site to Site and Remote Access VPN using Wireguard, Tailscale, OpenVPN, or IPSec (strongswan), and much more. None of this functionality costs very much for the “premium” subscriptions, if it even costs anything at all.
I’m a little surprised you say that the cost of pfSense is “not that far off” of Watchguard or Sophos, but you’ve provided very little information on your requirements for bandwidth, VPN, “UTM” features you need, etc. A Netgate 8200, for example, with a 3 year warranty will run you about $1700. If you have existing hardware/a virtualization environment, you can also run pfSense Plus on your own hardware for a small annual fee, which is something very unique to pfSense Plus that not a lot of vendors offer. Certainly not for the price we charge.
An equivalent-priced Watchguard to the 8200 with 3 years of warranty and basic security suite licensing would be something like a T45 which is just…not even remotely in the same league (lacks 10G connectivity, not rack mountable without a shelf, significantly weaker throughput and processing capability, etc). An 8200 would absolutely shred a T45. A real competitor model would be the M590, which is easily a 8-10 fold price jump. You could buy a fleet of 8200s for that.
I’d argue the weakest features in pfSense Plus are probably web filtering and Gateway Antivirus. However, pfBlockerNG is an excellent, basic DNS-based web filter if you only need something simple and Gateway Antivirus is completely and utterly useless. Everything is encrypted and managing Intermediate Certificates to do DPI is a royal PITA.
As for strengths, pfSense Plus excels at everything else on the tin (IDS, IPS, Packet Filtering, VPN Concentrator, Layer 2/3 filtering, etc. etc.).
I don’t want to stand here and act like “we’re the best there ever was/will be”. I’m not a marketing or sales person. I’m a packet wrangler who has been in the trenches many times before. Watchguard, Cisco, and many others make good products, but I’d argue they make products we do as well or better for cheaper in the ways that matter.
In summary, give us a list of things you want to do here and I (or someone else here) would be happy to discuss how you could accomplish it with pfSense Plus.
I do, and if that's what you're after, it's not going to be a cost savings. Yes you can bolt on a lot of a UTM's features to pfSense, but again that's not its core competency. So I'm not sure what the point of your thread was, but I'm sure coming in here with this kind of attitude isn't going to get you whatever answer you were looking for.
They're the same product. And you can just get a subscription to "upgrade it". I know, I use it at home and work.
Would love to pick your brain on the managing school district front. Got a potential here in Georgia where I think I can win the bid… I think… but I do require a web filtering tool. Don't think it needs to be a firewall though.
I'm a bit confused. Most traffic is encrypted nowadays.
So if you don’t do SSL decryption then what does your firewall do? Nothing really
I said I'm looking to replace Sophos and looking into pfSense as an option.
They advertise it as a next-gen firewall.
But by the time you add everything, the cost is similar.
Public, Charter, or Private? Any certification requirements for the solutions used? What about bandwidth, number of users, and are they BYOD, School-issued devices, or both?
A firewall can filter traffic without DPI. Source, destination, protocol, etc. all don’t need to know what’s happening at Layer 7. That’s for your endpoint management solution.
My professor used to use the phrase “Security is like an onion, not an egg. It should be done in layers”.
I hate to read these “convince me” posts. You seem to be happy with Sophos. You probably ought to stick with it.
Where do they advertise it as a “next-gen firewall?” As what pfSense is good at is being a router and a firewall. Nothing out of the box is “next-gen.”
Public. Fulton County school system.
All great questions, but reading through it doesn't offer much in that regard.
I have until June and I'm still very early in my process.
edit: Further scrolling, they do provide examples of physical topologies at each "learning district", which are public schools. They are running Palos, but the models they gave are EoS and very soon EoL. Lots of Aruba wireless. 10G WAN.
Network
a. Process improvements, automation, documentation
b. Systems integrations and upgrades
c. Application load and stress testing
d. Active Directory and Group Policy
e. Network configuration, monitoring, remediation
Your professor. lol
Tell your professor to get real industry experience
In 2024 if you are not inspecting SSL you are not a firewall
I'm not. I'm happy with their UTM platform but they are getting rid of it. I'm doing research and looking for replacements.
With Sophos UTM we get full stateful inspection, intrusion d/p, GeoIP, SSL decryption, VPN with MFA, app control, web filtering, AV scanning, sandbox as an option.
And most importantly, amazing logging. Everything is recorded on local SSD. You can see everything in real time without Wireshark.
What we don't have is DLP, DNS filter (newer Sophos or other vendors do).
I never said anything about my former professor commenting on DPI/TLS Inspection. I repeated a phrase he would say as a philosophy on how to treat security in general. Not that I need to prove the validity of such a statement or his credentials as a whole, but he worked in the industry as a security expert at the same time he taught part time. He was not just some “out of touch” teacher who hadn’t been in the industry in 20 years.
Additionally, I wouldn’t take statements of something of a technical nature that I learned when I was in university. I haven’t been in college for well over a decade. Most knowledge of a purely technical nature from that long ago is irrelevant.
It sounds like you want a “magic box”, single point of failure solution at the edge that you can provide (I’m assuming in an MSP setting, based on what I’ve gleaned). You’re welcome to whatever opinion you’d like to express, but IMHO this is the wrong approach. The industry is moving to Zero-trust design and away from just purely perimeter defense network design. If you are designing your networks around a single appliance that does everything security-wise, you’re putting an awful lot of faith in a single point of failure.
Well there you go. I will disagree with their definition of NGFW (I use commercial NGFWs in my daily life; pfSense is not close to what features I expect in an NGFW), but if it does everything there, where is your disconnect? Why are you buying 3rd party web filtering software? What else are you buying? According to the link you posted, everything you need should come out of the box?
As an aside, Sophos does SSL/TLS decrypt out of the box.