dslreports
[H/W] Hardware recommendation required

markysharkey (Premium Member, join:2012-12-20, United Kingdom):
Here's the scenario with diagram attached.
I need a firewall / UTM capable of through-putting 1Gb/s with the UTM features switched on.
I also need the UTM to detect link failure and resurrection of the primary internet connection. My issue is this: as I understand it, either one of the routers could lose its internet connection, but if the link between the ISP router and the firewall / UTM is still up/up, then it won't fail over. Here's where IP SLA / floating static routes or HSRP / VRRP could play a part and that's where it gets foggy for me.
And yes, I could connect the primary internet connection directly to the firewall / UTM as it is copper GigE on an RJ45. The back-up is ADSL so the firewall / UTM would need an RJ11 interface for that to connect directly.

Here's the exec summary of what I want:
If / when the primary internet link fails routing should switch to the back-up link until the primary link is restored and routing returns to the primary path. No humans should need to intervene at any time after initial set-up!
The final kicker is the hardware DOES NOT have to be Cisco. I am open to any suggestion!
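The "IP SLA / floating static route" pattern the post mentions, written out as an added example in Cisco IOS syntax. This is not a config from the thread and is not tied to any particular box recommended below; it is here to show how the "link is up/up but the internet behind it is dead" case is detected. The addresses are placeholders (203.0.113.1 = primary GigE next hop, 198.51.100.1 = ADSL router, 192.0.2.10 = a probe target somewhere beyond the primary ISP's router), GigabitEthernet0/0 is assumed to be the primary outside interface, and the timers are values picked for illustration.

```cisco
! Probe something BEYOND the primary ISP's router. If you only watched
! interface state, a dead upstream with a live Ethernet link to that
! router would never trigger failover.
ip sla 1
 icmp-echo 192.0.2.10 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
ip sla schedule 1 life forever start-time now

! Reachability tracker with dampening: declare the primary down after
! 30 s of failed probes, but require 60 s of clean probes before
! switching back, so a flapping primary does not bounce traffic.
track 1 ip sla 1 reachability
 delay down 30 up 60

! Pin the probe target to the primary next hop. Without this host
! route, after failover the probe would be answered over the ADSL
! path, the tracker would come back up, and the default route would
! flip-flop between the two links.
ip route 192.0.2.10 255.255.255.255 203.0.113.1

! Primary default route is only installed while track 1 is up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1

! Floating static via the ADSL router. Administrative distance 250
! keeps it out of the routing table until the tracked route is pulled.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

To see it working: `show track 1` reports the tracker state and `show ip route 0.0.0.0` shows which default route is currently installed; `show ip sla statistics 1` shows the probe results. Two caveats a practitioner will hit: the probe target must be something you are permitted to ping continuously and that is not itself the thing users need (it is blackholed while the primary is down, because of the pinned host route), and NAT must be configured on both outside interfaces, since existing translations and sessions on the primary link will drop at failover regardless. HSRP / VRRP, by contrast, only give LAN hosts a redundant gateway address between two routers; they do not notice a lost upstream unless you add tracking (interface or IP SLA) to decrement the priority.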

aryoba (MVM, join:2002-08-22):
How about Juniper SRX firewall?

markysharkey:
SRX110 has an xDSL connection. Sweet. If it had better speed (yes I'm being REALLY picky, but my customer will be too...) then it's almost a no brainer. The only spanner in the works is my knowledge of Juniper. I could write everything I know about Juniper on the back of a 5 cent coin and still have room for my life story...

aryoba:
Here is the SRX specs
»www.juniper.net/assets/u ··· 1-en.pdf

markysharkey:
Ta. Just had the cr4p scared out of me by the Fortigate prices! I'm in no hurry to do another ASA and the Meraki MR has recurring costs. Juniper would seem to have the early lead...

markysharkey (replying to aryoba):
SRX210 / 220 look to be favourites. I have a silly question though...
Firewall throughput is in the hundreds of Mb/s whilst IPS throughput is mid 60s to late 80s. Why? I know what IPS stands for, but why is its throughput so low compared with firewall performance? What extra work is being done for IPS over firewall features?

markysharkey:
And now this:
quote:
Cisco have fallen behind once again. Juniper SRX has been a disaster. SonicWall have made huge advances since Dell dumped money into them, Fortinet are well ahead of the game and Palo Alto are still making headway despite what I would consider an inferior product.
From here »blog.anitian.com/the-cul ··· etworks/

That muddies the water somewhat...

Edited to add...

Or not. That's from 2.5 years ago. I hope things have improved. Looking at hardware firewalls is a steep learning curve.

HELLFIRE (MVM, join:2009-11-25, replying to markysharkey):
said by markysharkey:

I need a firewall / UTM capable of through-putting 1Gb/s with the UTM features switched on.

...sure, got a 6figure budget for that? :gawk:
said by markysharkey:

Firewall throughput is in the hundreds of Mb/s whilst IPS throughput is mid 60s to late 80s. Why? I know what IPS stands for, but why is its throughput so low compared with firewall performance? What extra work is being done for IPS over firewall features?

Recall what anti-virus scanning used to do on an old 486 or early Pentium system? Same deal here. Basically it costs CPU cycles and throughput to take each packet, scan it, confirm it, then send it on its way. Also, what context does the packet have in the overall flow? Does it need to be reassembled to be scanned?

If you want to see who's out there market-wise, try the Gartner Magic Quadrant for Firewalls -- don't know if they've released a 2015 report yet, but you should be able to find the 2014 easily enough. Other big names I know of out there are Checkpoint, Palo Alto, Watchguard and Sonicwall. They've been on my "love to get one and play with in the lab" list, but never seen one in production.

My 00000010bits

Regards


Bigzizzzle (Premium Member, join:2005-01-27, Beverly Hills, CA, replying to markysharkey):
I'm with aryoba.

Based on the throughput you are likely sitting between the SRX240/250 series models, then need to add the UTM feature pre- or post-sales.

It's quite a nice device. I got my home/lab/office running on an SRX210HE which I got on the "ZON" for ~$320. None of the fancy features like UTM; I would need to license them via the CSC online portal with Juniper. It's very easy to learn and it's a very solid device.

Juniper has a great amount of tech literature on how to design, roll out and operate all their equipment. Also lots of free training stuff along their various paths of Vendor Citizenship (certifications).

markysharkey:
Budget is not an issue as long as it's less than 10,000 USD.
I've looked at (skimmed, TL;DR'd) the vendors listed by Hellfire and as expected, they all have their good and bad points. I guess it comes down to finding the one that gets closest to my requirements and gives me the easiest path to a working config that I can deploy in a reasonable time scale and with the least amount of fuss! Not that I want the moon or anything...


smunro622 (Premium Member, join:2006-02-15, United States, replying to markysharkey):
Take a look at Sophos, they seem to be gathering steam...


Bigzizzzle:
When and if you buy Juniper, they have your back with your Juniper account after you register your device (possibly public, IDK, I'm logged into my account currently).

There is an SRX HA Configuration Generator Tool - should help you build out your redundant solution.

Not only that, but it generates an image with the ports of your setup.

Very cool - This is the first time i've seen this.

»www.juniper.net/support/ ··· s/srxha/

aryoba:
One upside of Juniper compared to Cisco is serial number finding. Opening TAC cases with either Juniper or Cisco requires some kind of serial number. However, Cisco has now managed to come up with a licensing game bound to some serial number that is not easy to find. Gone are the days of finding the Cisco serial number by just issuing "show version", especially when the Cisco product is software instead of hardware (i.e. CCX). Trying to open a Cisco TAC case during a Priority 1 down situation and going through the hassle of finding the proper serial number is no fun.

Juniper instead is still like the old Cisco days; it is "show chassis hardware" on the JUNOS platform.

markysharkey:
And I take it Juniper have sufficiently recovered from the post I quoted earlier as to be a viable option these days?

aryoba:
I never experienced a "disaster" with reputable vendor products such as Cisco and Juniper. There are bugs, glitches, and some hurdles in the technical support process, but they are common.

So I don't think Juniper needs to "recover", since major networks such as ISPs and telco companies (and some smaller scale networks) trust the products. Otherwise ISPs would not implement T routers in their backbone to ensure reliability.

markysharkey:
Fair enough.
I guess the final question is, which one would be "easiest" for a firewall novice to get up and running efficiently?
Bear in mind I am OK with Cisco IOS for routing and switching and I have deployed 1 (yes, one) ASA 5520 in my time.
And ease of set-up has me thinking about Meraki!!!


keyboard5684 (Sam; Member, join:2001-08-01, Pittsburgh, PA, replying to markysharkey):
For easy and considering your budget, you may want to look at SonicWall:
»www.sonicwall.com/us/en/ ··· ications

It will be hard to get anything in that price range that can handle that much throughput if you start enabling all the security features. My opinion is Palo Alto is probably one of the best. Cisco is one of the simpler devices but has fallen way behind in the firewall area (they did buy SourceFire, which is a decent IPS device though).

aryoba (replying to markysharkey):
said by markysharkey:

I guess the final question is, which one would be "easiest" for a firewall novice to get up and running efficiently?

Checkpoint firewall perhaps?


keyboard5684:
That sounds like one of my coworkers making fun of me! Enterprise Checkpoints (1 Gig of processing) are extremely horrible in my experience. If you buy one Checkpoint you better be able to buy two - you will need to do an active/active HA pair.

HELLFIRE (replying to markysharkey):
said by markysharkey:

I guess the final question is, which one would be "easiest" for a firewall novice to get up and running efficiently?

...you do realize that's a pretty relative term, markysharkey, right?
Offhand, I'd say Sonicwall is a pure GUI driven interface, so should be fairly easy to navigate. I THINK Palo Alto is also pure GUI -- hit up youtube, there's a bunch of webinars and demos. Not sure about Checkpoint and Watchguard though.

Key thing is get in, get down and dirty and LEARN!

Regards

markysharkey:
Yes HF, I do realise it's a somewhat stoopid question as there is no way any one of you can gauge my expertise or experience. But if anyone reading has been in a similar position I was hoping to tease them out and share.
At the moment Juniper and Palo Alto are topping my list. I'm going to revisit ASAs just because I have at least configured one to do what I want, albeit with a load of help from you guys here. But it works and has done so faultlessly for several months now.
I have no problem with the learning side (I used to teach CCNA and CCNP a while back so I have perspective). And if it was an IOS router with CBAC or ZBFW I wouldn't even be asking, but as I need 1Gb throughput with services and have to at least look like I tried to not blow the whole budget, I thought I'd see what I could shake loose here.
What I do have though, is a truncated timescale...

HELLFIRE (replying to markysharkey):
said by markysharkey:

said by HELLFIRE:

said by markysharkey:

I guess the final question is, which one would be "easiest" for a firewall novice to get up and running efficiently?

...you do realize that's a pretty relative term, markysharkey, right?

Yes HF, I do realise it's a somewhat stoopid question as there is no way anyone of you can gauge my expertise or experience.

;) kinda figured as much... definitely not ragging on you markysharkey
said by markysharkey:

What I do have though, is a truncated timescale...

Just how truncated, just to get a sense?

Regards

markysharkey:
I know you weren't ragging on me, no worries on that score. I think Aryoba may have been with the Checkpoint suggestion though

As for timescale I'd like to be able to pass traffic through it for inspection and have failover working by Feb 28 and as this is for a live project I have 8 x 5 between now and then.

HELLFIRE (replying to markysharkey):
Yeah... that isn't much time.

You've a pretty good sampling of stuff to try here... let us know how it goes, huh?

Regards

markysharkey:
Will do.
Going to look at Meraki too, just 'cos... but I'm still thinking Juniper, Palo Alto or an ASA5510 / 5520 with 8.2(5) 'cos I've done one of those before.

markysharkey:
Fortigate has pushed its way to the front. I have a colleague with *some* experience with them, the price looks competitive and the customer has one elsewhere that he likes.
So unless anyone can come up with a convincing reason to not use a Fortinet (specifically a 60D model) then that's where I'm heading in the next day or two.

aryoba:
Don't forget SonicWall and Watchguard

prairiesky (Member, join:2008-12-08, Canada, replying to markysharkey):
Do you need a commercial solution? Build a wicked pfSense box for a G, then double it for an HA setup. You can have a box that'll do 2+ Gbps for a reasonable amount. It'll have a GUI.

I've not heard good things about sonicwall lately.

markysharkey:
No, I don't need a commercial solution. I work in a fairly unique space where customers require high end / high capability devices with good manufacturer support, even though the config is often very basic.

cooldude9919 (Member, join:2000-05-29):
Which fortinet model are you thinking? 300d?

We are looking to replace a bunch of Cisco ISRs next year and their new 4000 series is a bit of a miss on the price to throughput ratio. We are looking at either the 200D or 300D depending on the site size.