The configuration is difficult and it should be easier.
Firewalls Configuration Reviews
Showing reviews of the top ranking products in Firewalls, containing the term Configuration
Juniper SRX: Configuration
reviewer1390431 says in a Juniper SRX review
Head Of Network & Technical Support at a financial services firm with 501-1,000 employees
reviewer1332756 says in a Juniper SRX review
Pre-Sales Analyst at a tech services company with 201-500 employees
The initial setup wasn't too complex. It was pretty straightforward. We didn't really face any problems during implementation.
The deployment takes about 20 minutes. This is without the client tests, just the configuration and no validation. Everything that was necessary was applied, however, not with the tests as it took too much of the client's time, and would have taken much longer.
What I like most about Juniper is that it is a complete configuration.
The user interface is good.
reviewer1473270 says in a Juniper SRX review
Network Engineer & Cyber Security Analyst at a tech services company with 201-500 employees
The GUI of the solution is quite good. It's also very different from other solutions. On others, if you need to configure anything, you can do it all from the default gateway. Cisco, for example, has a bit of a more difficult process. Juniper's GUI is easier and it makes configuration easier.
Troubleshooting with the solution is quite easy. If you compare the process to, for example, Fortigate, Juniper is much easier.
The speed of the solution is very good.
The initial setup is very easy.
The reliability needs to be improved. We purchased three devices and all three have been replaced under RMA. We've had other problems where they have needed to be rebooted.
A couple of times I've run into problems where they have to integrate with other systems. The Juniper support really doesn't have a clue about other systems. They know Juniper and if everything is Juniper then it's great. However, we have Windows RADIUS Servers and I need Juniper-specific settings for them. Unfortunately, they're having a real hard time telling me what those should be, and they keep referring back to it being Microsoft, which they don't support. When they say that I need to speak with Microsoft, I remind them that these are things that are defined in the Juniper configurations that I need to set up. They seem to forget that not everybody is exclusively Juniper.
reviewer991773 says in a Juniper SRX review
Network Security Engineer at a tech services company with 201-500 employees
The IPSec configuration is going well.
reviewer1501980 says in a Juniper SRX review
Senior Network Engineer at a tech services company with 10,001+ employees
I think it needs some automation. I have to find an API for Python and so on, which is quite different from a typical solution. Sometimes committing configurations takes a lot of time in Juniper because of the connections, and it could be a little bit faster. Their documentation could also be better.
reviewer1605843 says in a Juniper SRX review
IT System Engineer at a computer software company with 201-500 employees
The initial setup was straightforward. The time it takes to implement this solution depends on the complexity of the configuration.
When compared to Palo Alto, Juniper is a better choice when it comes to the enterprise network and connectivity.
Juniper SRX is pretty fast to configure and make it work.
Once it is configured, it's fine, which is not the case with other firewalls.
Juniper is user-friendly. It works perfectly well.
Upgrades are available.
Juniper SRX has a roll-back feature which is very interesting. As no one is perfect and mistakes do happen, we can roll it back to the previous configuration.
This solution can handle a lot. It's manageable when you know the parameters, the features, and the number of policies of your firewall.
reviewer1621608 says in a Juniper SRX review
Information Security Manager at a recruiting/HR firm with 201-500 employees
We have been in touch with support and they've been good. During the configuration stages, we had a couple of tickets and they were responsive to it.
reviewer1650423 says in a Juniper SRX review
System Administrator at a leisure / travel company with 51-200 employees
We had implemented two SRXs in high availability mode. They were used, generally, for firewall and NAT translation tables, for forwarding for services, and connecting branch offices. We have a constant internet connection, which is directly connected with the branch offices, in general. We didn't explicitly configure or use any specific SRX features regarding the filtering of URLs or something that a UTM could use, since Juniper has a more advanced configuration and, in general, a UI that's made for the customer.
reviewer930837 says in a Juniper SRX review
Senior Manager (Engineering Department) at a comms service provider with 10,001+ employees
The installation is straightforward.
The time of the deployment depends on the complexity of the environment. If the customer requires an HA deployment, the configuration could take a longer time. On average, for a small-scale branch office, it can be completed within one day, which includes testing. If the customer does not have any special preference on the policy and they do not have any IP tunnels, then it could be completed within half a day.
Cisco ASA Firewall: Configuration
Olivier Ntumba says in a Cisco ASA Firewall review
Network & Systems Administrator Individual Contributor at T-Systems
It's an almost perfect solution.
The configuration is very easy.
The management aspect of the product is very straightforward.
The solution offers very good protection.
The user interface itself is very nice and quite intuitive.
reviewer1441503 says in a Cisco ASA Firewall review
CEO & Co-Founder at a tech services company with 51-200 employees
The configuration support is very good. You can find a lot of configuration samples and troubleshooting tips on the internet, which is very good.
We primarily use the solution for basic firewall configurations such as NAT, FORWARD PORT and Block TCP-UDP Port.
ERIK LABRA says in a Cisco ASA Firewall review
Technical Specialist, consultant at a computer software company with 10,001+ employees
The configuration capabilities and the integration with other tools are the most valuable features.
I really like this product. Cisco is one of my favorite brands, and I always think Cisco solutions are very reliable, easy to configure, and very secure.
The initial setup was straightforward.
It's easy to install and it doesn't take a lot of time for the initial configuration.
It took an hour to install.
Its configuration through GUI as well as CLI can be improved and made easier.
The graphical interface should be improved to make the configuration easier, to do things with a single click.
There should be better integration with open-source products because some of our clients use them. It would be helpful if they integrated well.
reviewer1307058 says in a Cisco ASA Firewall review
Network Consulting Engineer at a comms service provider with 201-500 employees
I have not been in contact with technical support but I use the implementation guide. I have also used the community support and I think that it's okay. The information that I received about the configuration was good.
It would be ideal if the solution offered a web application firewall.
We've had some issues with stability.
The solution has some scalability limitations.
The firewall itself has become a bit dated.
The pricing on the solution is a bit high.
Some individuals find the setup and configuration challenging.
It's easy for me to configure one because I have firewall configuration certifications. I don't know what someone with nothing in terms of experience would be able to do.
It normally takes me a week to implement and deploy. I normally need a week and three people to do maintenance.
Shamal Fernando says in a Cisco ASA Firewall review
System Engineer at a tech services company with 501-1,000 employees
The configuration is an area that needs improvement.
In the next release, I would like to see the UI include or provide web access, and more integration.
Roger Weiyang says in a Cisco ASA Firewall review
Cyber Security Consultant at a tech services company with 51-200 employees
For a non-Cisco guy like me, there is quite a substantial amount of learning that needs to be done to actually understand how the products are. Some brands, like FortiGate, require only an hour and 15 minutes to enable the product, to facilitate the basic requirements of connecting up the traffic and adding on the firewall router. For Cisco, there are levels of challenges because it's a hardened solution that sees a lot of restrictions right out of the box.
Without really understanding how it works, then there'll be a lot of confusion regarding the traffic, etc. You'll find yourself wondering if there are any security concerns if you alter it out-of-the-box. The management console is quite outdated; usually, a lot of configuration is through Commander. We really need to understand how to articulate the Cisco Commander to perform even the most basic feature.
reviewer1395702 says in a Cisco ASA Firewall review
Network Security Engineer at a tech services company with 51-200 employees
The Inline Mode configuration works really well, and ASA works very impressively.
It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.
Cisco, obviously, gives you a great amount of reliability which comes in handy. The brand is recognized as being strong.
Even in very big environments, Cisco comes in handy with configuration and offers reliability when it comes to managing multiple items on one platform. You are able to integrate Firepower and all AMP. With so many items to configure, I haven't yet done them all, however, I hope to.
It's great for securing the network. You learn a lot.
The initial setup is straightforward.
The solution is very stable.
The scalability of the solution is very good.
Cisco should work on ASDM. One of the biggest drawbacks of Cisco ASA is ASDM GUI. Cisco should improve the ASDM GUI. The configuration through ASDM is really difficult as compared to CLI. Sometimes when you are doing the configuration in ASDM, it suddenly crashes. It also crashes while pushing a policy. Cisco should really work on this.
The initial setup was not overly complex or difficult. It was quite straightforward and very easy to implement.
Deployment takes about 20 to 25 minutes.
In terms of the implementation strategy, at first, we put up the appliances in the data center. After that, we connected it with the console. After connecting the console, we had an in-house engineer that assisted. Cisco provided us onboarding help and they configured our device for us. We have just provided them the IP address and which port we wanted up. Our initial configuration has been done by them.
The initial configurations were straightforward, not complex at all. It took us just two days to finalize things.
reviewer1570647 says in a Cisco ASA Firewall review
Senior Information Security Analyst at a manufacturing company with 10,001+ employees
My advice to those wanting to implement the solution is to look at their use case and see if it meets those requirements for what they are looking for. There are a lot of security features that people may not be aware of and do not use. Explore the solution and all its features which will help you understand the configurations.
I rate Cisco ASA Firewall an eight out of ten.
It is a security device, and it is useful for securing our environment. It provides role-based access and other features and helps us in easily securing our environment.
It provides visibility. It has been helpful for packet inspection and logging activities for all kinds of packets, such as routing packets, denied packets, and permitted packets. All these activities are visible on Cisco ASA. There are different commands for logging and visibility.
We use Cisco ASA for the integration of the network. Our company is a financial company, and we are integrating different organizations and banks by using Cisco ASA. We are using role-based access. Any integration, any access, or any configuration is role-based.
The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java.
High throughput, high concurrent connections, easy site-to-site VPN were also valuable. It also had the capability to do double network translations, which is really useful when you are integrating with other vendors for site-to-site VPN.
We provide IT solutions. We provide solutions to our customers based on their requirements. We support them from the beginning and do the installation and configuration in the head office and front office.
We installed Cisco ASA to support a customer in a WAN environment. They used it for site-to-site VPN and remote VPN. They used it for accessing remote office locations via the remote VPN feature. They had Cisco ASA 5500.
It is not straightforward. You should know what to do, and it needs to be done from the command line. So, you should know what to do and how to do it.
From what I remember, its deployment took a week or 10 days. When I was doing the deployment, that company was migrating from an old data center to a new one. We were doing configurations for the new data center. The main goal was that users shouldn't know, and they shouldn't lose connectivity to their old data center and the new one. So, it was a very complex case. That's why it took more time.
I am very happy to use this type of Cisco equipment in my infrastructure. What has given us the most value is the management of dynamic routing, in this case, EIGRP. This protocol, together with a series of additional configurations, has helped us to maintain an automatic redundancy in all our infrastructure, keeping us with very high numbers of operability and without failures that take more than 1 minute or that have not been resolved automatically. With this solution, we only speak with our suppliers either for a link or equipment report, and even if the box or circuit is out of operation, the operation continues to work without problems.
reviewer1884756 says in a Cisco ASA Firewall review
Data center design at a comms service provider with 10,001+ employees
We deployed with a consultant from Cisco support. Our experience with them was good. They provided a lot of documentation ahead of time to help us with our configuration.
From our side there were two people involved. One was doing the configuration and the other person was checking to make sure there were no errors, looking at IPs and the like.
reviewer1885482 says in a Cisco ASA Firewall review
Network Engineer at a computer software company with 201-500 employees
We can build GRE tunnels. Whereas, Firepower can't route traffic nor do a bit more traffic engineering within the VPN tunnels. This is what I like about using ASAs over Firepower.
Firepower Threat Defense has a mode where you can manage multiple firewalls through a single device.
I really like how Palo Alto does a much better job separating the network functions from the firewalling functions.
I would consider if there is a need to centralize all the configurations. If you have many locations and want to centrally manage it, I would use the ASA to connect to a small number of occasions. As that grew, I would look for a solution where I could centrally manage the policies, then have a little more autonomous control over the networking piece of it.
reviewer1895487 says in a Cisco ASA Firewall review
Senior Network Architect at a tech services company with 10,001+ employees
It is stable and secure. There are a few bugs, etc. Overall, we are very happy with it. We have never looked at anything else because it works so well. I would rate the stability as 10 out of 10. It is very good.
There is maintenance. We have to keep an eye out for software upgrades and forced changes to the configuration. We have a network operations team of 15 people who take care of these things from day to day.
I'm a designer, so I don't do racking and stacking, but I'm hands-on when it comes to configuration. I have used this product for years, so for me, it's not like adding a brand new product. It is just a matter of adding features, a hardware refresh. I wouldn't call it a challenge.
For maintenance, we have two to three network engineers involved.
reviewer1895514 says in a Cisco ASA Firewall review
Senior network security, engineer and architect at a computer software company with 5,001-10,000 employees
It has improved things greatly by giving us easier and better access, easier configuration, and allowing users to gain the access they need. We have also had less downtime using these firewalls.
The ASA has been very stable for us. Since I deployed the ASA 5585 in our data center, we've not had to resolve anything and I don't even recall ever calling TAC for an issue. I can't complain about its stability as a product.
Our Cisco ASA deployment is an Active-Standby setup. That offers us resilience. We've never had a case where both of them have gone down. In fact, we have never even had the primary go down. We've mainly used that configuration when we're doing code upgrades or maintenance on the network so that we have full network connectivity. When we're working on the primary, we can switch over to the standby unit. That type of resiliency works well for our architecture.
The IP filter configuration for specific political and Static NAT has been most valuable.
reviewer1639311 says in a Cisco ASA Firewall review
Solutions Consultant at a comms service provider with 10,001+ employees
Sometimes my customers say that Cisco firewalls are a bit more difficult compared to Fortigate or Palo Alto. There is complexity in the configuration and the GUI could be improved.
It's very stable. We've had no hardware issues at all and only very infrequent software configuration issues.
I find it very useful when we're publishing some of our on-prem servers to the public. I am able to easily do the NATing so that they are published. It also comes in very handy for aspects of configuration. It has made things easy, especially for me, as at the time I first started to use it I was a novice.
I have also added new requirements that have come into our organization. For example, we integrated with a server that was sitting in an airport because we needed to display the flight schedule to our customers. We needed to create the access rules so that the server in our organization and the server in the other organization could communicate, almost like creating a VPN tunnel. That experience wasn't as painful as I thought it would be. It was quite dynamic. If we had not been able to do that, if the firewall didn't have that feature, linking the two would have been quite painful.
In addition, we have two devices configured in an Active-Active configuration. That way, it's able to load balance in case one firewall is overloaded. We've tested it where, if we turn off one, the other appliance is able to seamlessly pick up and handle the traffic. It depends on how you deploy the solution. Because we are responsible for very critical, national infrastructure, we had to ensure we have two appliances in high-availability mode.
I have mostly been involved in the pre-sales stage, and then eventually the post-sales as well. But we do the groundwork of making sure that we have set the stage for the customer to get the initial onboarding. And at times, I do it with other engineers or other colleagues who take it over from there. In my experience, it has been pretty straightforward.
It's not just the implementation, but [it's] also managing or maintaining [the ASA]. It would depend on how complex a configuration is, a one-box versus cluster versus clusters at different sites. Depending on the amount of configuration complexity and the amount of nodes that you have, you would need to look at staff from there. It's hard to put a number [on it and] just say you need a couple of guys. It could be different for different use cases and environments.
[In terms of maintenance] it's about a journey: the journey from having the right knowledge transfer, knowing how to configure a product, knowing how to deploy it, and then how to manage it. Now, of course, from the manageability standpoint, there are some basic checks that you have to do, like firmware upgrades, or backup restores, or looking at the sizing—how much your customer needs: a single node versus multiple nodes, physical versus virtual, cloud versus on-prem. But once you are done with that, it also depends on how much the engineers or SMEs know about configuring the product, because if they know about configuring the product, that's when they would know if something has been configured incorrectly. That also comes in [regarding] maintenance [of] or troubleshooting the product. Knowledge transfer is the key, and making sure that you're up to date and you have your basic checks done. Then, [the] manageability is like any other product, it's going to be easy.
Fortinet FortiGate: Configuration
Good VPN, both IPSEC and SSL (web-mode, tunnel-mode). An engineer/network administrator has tools to debug VPN issues that can occur during tunnel setup with other vendors' equipment.
SD-WAN feature at no cost. This is a really great feature for remote locations (branch offices) and HQ; application steering between many ISP links becomes a simple task. Steering can be done dynamically by measuring link quality (latency, jitter, packet loss, available bandwidth).
Wi-Fi and Switch controller at no cost. FortiSwitch and FortiAP can become a kind of port extender of the firewall, all its ports can be referenced in firewall policies. When you have such management plane consolidation it gives you a simpler way to operate.
Security Fabric Framework is helping in analyzing sudden and rapid changes in the whole infrastructure, and gives the ability to simplify daily operations (e.g. address object synchronization between all firewalls in the Fabric, estimating overall security rating, single sign-on for admin access and many more).
Single Sign On support with deep LDAP integration (several variants for environments with different scales), RADIUS authentication.
Can work as transparent and explicit web-proxy; the latter option supports Kerberos authentication, which requires no agents installed on any Windows server.
Human readable firewall policies with editable security policies and addresses in a single page. This is a very useful and time saving feature.
Firmware upgrade process is very simple, even for cluster configurations it is fully automated by default.
Straightforward SNAT and DNAT; you may work in two ways: with Central NAT rules configuration and by applying translation directly inside firewall policies.
Bulk CLI commands are uploaded via the GUI in a script file (portions of the config file).
VDOMs are very useful when you need to grant admin role to clients separately. VDOMs in FortiGate can be represented in FortiAnalyzer's ADOMs (administrative domain), which can have different log storage policies, event handling and alerting configurations. You can create one VDOM working in NAT/Route mode, and another VDOM working in Transparent mode.
If you don't want to create and use a second VDOM you can still transparently inspect traffic at layer 2 level while having only one VDOM in NAT/Route mode. This is achieved by configuring Virtual Wire Pair ports that work like a separate bridge.
Ability to capture packets going through any interface of the device (and VM too). You can set the number of packets, filter out packets by IP and port number for particular troubleshooting purposes, then download a .pcap file from the web GUI and analyze it in your favorite program.
Advanced routing (RIP, OSPF, BGP, PBR). It gives you a seamless and simple integration into a large network.
IPS, AV, Web Filter, AppControl profiles are working very well.
SSL Inspection and CASI (Cloud Access Security Inspection) profiles.
Rich logging options allow you to troubleshoot most problems.
Straightforward HA with different redundancy schemas.
reviewer1316841 says in a Fortinet FortiGate review
System Administrator at a financial services firm with 5,001-10,000 employees
For me, this solution has nothing to improve and it meets the needs that I have. I don't see any way to improve, at least from my point of view on regular use.
In the next release, maybe the documentation on how to use this solution could be improved.
What I have noticed is that when we have done some configurations directly from the command line, there is not a lot of information regarding splitting.
reviewer1266459 says in a Fortinet FortiGate review
Network Security Engineer at a performing arts with 201-500 employees
The commercial side of things can be improved a bit. They have such a good product, and when you disable some features, it has to be commercialized for you to enjoy those features. Therefore, you are actually buying half a product. You have hardware there, and yet, your features are not enabled. The primary things, such as the antivirus, web filter, DNS filter, application intrusion, file filter, and email filter come with the general license. There are other things that you want to also enjoy in this system and you can't.
There are SD-WAN network monitoring, SD-WAN features, Industrial Databases, Internet of Things, Detection, etc., however, we do not have licenses for those features. We thought that if you bought a product, you should have all of the features it offers. Why should you need to make so many extra purchases to enable features? They should have one price for the entire offering. That's one of the drawbacks they could look at.
Sometimes the firmware automatically updates itself. Then it corrupts the configuration and you have to roll back or you have to do amendments to the configurations. That, however, has happened only once with us. We have put in controls for automatic updates to stop them and now we do manual allowance or we allow the manual update.
Most of the features are good. They give you pricing and you get a VPN for about 10 users where you can test it. For us, we feel that we need to buy extra licenses due to COVID, as people are working from home. Under the current conditions, we are not getting the best out of the firewall.
They could just maybe put better graphics or better reporting into the solution. I want to know who is the user and what is the exact website they're visiting. Something like that would help. They should do more like what the GFI is doing.
reviewer1448211 says in a Fortinet FortiGate review
System Administrator at a computer software company with 501-1,000 employees
The most valuable feature is the ease of configuration.
UzairBaig says in a Fortinet FortiGate review
Solution Architect at a tech services company with 51-200 employees
One of the things I like best is the ease of configuration.
Management-wise, it is very good.
The most important feature, normally for small business customers, is link load balancing.
The firewall throughput is very good. Most of the customers in this region use FortiGate for their data center firewalls, and the main reason is because of its high throughput.
reviewer1457130 says in a Fortinet FortiGate review
CIO at a manufacturing company with 201-500 employees
I am working as a manager, and I am not doing any of the configurations.
We only require one person for the maintenance of this solution.
The biggest "gotcha" is that if the client purchases what they call the UTM shared bundle, which has unified threat management on both, it's not as easy to manage if you have more than one firewall.
If I wanted a unified console, I have to pay extra. And that's the downfall. That's the only needed improvement that I would say for the Fortinet solution, is that they should have it web-based from the get-go. You should not have to buy an extra bundle or an extra device.
If I have to make an update to a web filter, and I have 12 devices, I've got to do it in 12 places. If I don't want to do that the client can pay for a pretty expensive device or virtual appliance that does that for them. It's like an expensive centralized management tool. That's the big downfall of Fortinet. It doesn't come included, you have to pay for it. Their web-based one, that's sort of just like an inventory manager. It's not really good for distributing roles. With Cisco, you don't have to do anything. The one from Aruba HD has one too. Fortinet should try to be similar to those options.
In the next release, it would be amazing if they could give a better tool for upgrading, so that if I upgrade from an older version to the other, it can read the configuration and process it for me so that I don't have to rewrite it from scratch. In FortiConverter, they have a tool like this, however, it doesn't work well. It's really more for bringing items in from other vendors, not from one version to the other.
That was my last experience where they operated from version five to six. However, that's really the only big thing. The main thing is to include the FortiManager cloud software like Cisco does. To have one solution. If you paid $150 a year for the support, you might as well get that too so I could manage all the devices at one spot. They do have FortiCloud, however, it's not the same as the way Cisco does it. They are selling another product called FortiManager. FortiManager should be included with the support, and that would make it more of a business solution, rather than a feature request.
reviewer1368420 says in a Fortinet FortiGate review
Telecommunications Engineer at a university with 1,001-5,000 employees
The most valuable features are the policies, filtering, and configuration.
The solution overall is very easy to understand. Therefore, the initial setup is not complex. It's straightforward. Even the configurations are good. An organization shouldn't have too much trouble with it.
How long it takes to deploy depends on what you want to configure on a firewall. It depends on the policies being implemented. That definitely takes time depending on the company and what is being done. If you are familiar with all features and all the steps regarding how to create a policy and how to implement a policy, it is pretty easy and won't take too long.
reviewer1457472 says in a Fortinet FortiGate review
Firewall Engineer at a marketing services firm with 1-10 employees
The solution's initial setup is not complex. It's pretty straightforward. In my case, I have many years of expertise working with FortiGate and therefore it was not difficult. It's quite good and easy to manage.
How long it takes to deploy the solution, depends on what the customers ask you to do. More or less, however, it might take maybe one day to make the initial setup of the unit and the configuration that the customer requests. It may take another day or two to put it on service and check that everything is working properly, once again, based on the requirements of the customer.
reviewer967515 says in a Fortinet FortiGate review
Network Systems Engineer at a tech services company with 501-1,000 employees
The initial setup was not complex. It was pretty straightforward.
How long it takes to deploy the solution depends on the company and the configurations required. Sometimes I am able to do it in one day, whereas other times it takes more than one month to complete.
The product has enterprise capabilities, which means there are a ton of configurations possible. What I'd like to see in the product is more of a branch-in-a-box wizard deployment for those that are not as well versed in firewall and routing. For a small business, the firewall should be able to self-configure for a Unified Threat Management configuration with 2 SSIDs for a protected wireless network for internal gear and a guest wireless network for employee cell phones and guests. I'd like to open the box, plug in the router behind the cable modem, and check a few boxes, and the rest is done automatically. I don't want to have to build and configure VLANs, SSIDs, security protocols for each port, and try to figure out and understand all the layers in an effort to deploy a solution. It's great to have those capabilities in case you need them, but for most of the offices I am trying to deploy these into, it should be a branch in a box.
In terms of what could be improved, the FortiGate support could do some improvements on their IPv6 configuration. Right now it's still in the very early stage for utilizing in an enterprise-level network environment.
In terms of the FortiGate IPS, we haven't gotten additional tools because they are not free, and we have to purchase them to maximize this IPS feature. As long as they can perform some basic functions to meet our business needs, that is okay. I'm okay with this feature right now, so far.
In the next release of FortiGate the price could be better.
The solution is very, very easy to use.
The user interface is very nice.
The product seems to offer pretty good customization.
The configuration of the product has been very straightforward and simple.
The reporting on offer is quite good.
The initial setup is straightforward as well.
We've found the pricing to be pretty good.
Technical support from the partner has been very helpful.
reviewer1474071 says in a Fortinet FortiGate review
Data Center Operations and Customer Support Manager at a tech services company with 51-200 employees
Since we have been using FortiGate there haven't been any major problems so far. Especially nothing too serious like a major bug or anything like that.
The only issues that we have come across have had to do with simple configuration errors like missing configuration values from a previous implementation.
What I like the most is the configuration and that it's simple, and straightforward to maintain.
The UTM configuration on-premises is straightforward and simple to use.
Support is good and the interface is simple and intuitive.
In terms of what could be improved, the SD-WAN is quite difficult, because if you install in the new box, 15 is okay, but if you change from an old configuration, if there is already a configuration and a policy when you change to SD-WAN, you must change the whole policy that you see in the interface.
We only use Fortinet's FortiGate for our hardware firewall protection.
However, if our clients need extra security, we may add other brands and security layers. We also work with SonicWall, Checkpoint, and Barracuda, for example.
I've also worked with pfSense, which is free, however, it has much more of a do-it-yourself approach. It's also quite different from other solutions. If you have Cisco experience, you'll be able to navigate Fortinet, whereas pfSense requires much more in-depth study. It has its own language, basically. That's one of the reasons you won't find too many of its configurations in China.
The initial setup and configuration are not intuitive and require training.
The management console is pretty simple, so anyone who understands networking can initially deploy the solution. But you need some good hands-on experience for advanced configuration. The amount of time required to deploy depends upon the project and also the organization. So it takes around four to five days to deploy a smaller device. And for the largest device, it takes around a maximum of two months. We do the deployment on our own. So we have a sales team, a pre-sales team, and a deployment team. Our sales team gets this and handles the sales end. After that, we come into the picture. So we do the whole migration, as well as the new implementation and everything. It should take no more than two people to deploy. If we want to migrate from one Fortinet device to another, then we use the command line. They have some script in their firmware, and we can migrate the script directly from the older firewall to the new one. So it isn't too complex.
We implemented through a reseller and it took a couple of days. There were some modifications and configurations that took more time, but the core configuration took a couple of days.
Eric TOURE says in a Fortinet FortiGate review
System & Network Administrator at a tech services company with 11-50 employees
Deployment of Fortinet FortiGate took one to two days, because I needed time to put my existing environment and what we have, and what we intended to do with our network, to convert it into the Fortinet FortiGate system.
We were on another platform which was a concurrent platform and it wasn't a good one, and it was our first time to go on Fortinet FortiGate, so we had an issue and it took me a few days to deploy.
Maintenance of this solution requires two people. The number of users of Fortinet FortiGate in our organization depends on whether it's direct or indirect. If indirect, it will be all the users we have in the organization, but if it's direct, it could be just the administrator. If indirectly, it'll be a hundred users on our actual site, and 2000 to 3000 users on the other site, all done remotely.
I didn't have to contact Fortinet's technical support, so I can't evaluate their level of responsiveness. I was able to make all the configurations I wanted, without needing to contact support. This solution is good for me.
I'm rating Fortinet FortiGate an eight out of ten.
I'm recommending this solution to be deployed for a new user. I'm really happy with it.
The most valuable feature of Fortinet FortiGate is security. They are known for efficiency and are on the top of Gartner Quadrant reviews. Fortinet FortiGate has an easy-to-use platform with a good graphical interface. The configuration is simple and the solution provides an overall good layer of security.
reviewer1255635 says in a Fortinet FortiGate review
Head of the Satellite Infrastructure and Operation System Department at a government with 1,001-5,000 employees
We are happy with its scalability. Its users are administrators. Our administrator team has about six people. The environment is set up as a multi-tenant, so each tenant has its own administrator for configuration.
It has been used every day since 2015. It is a core appliance for us.
When I first got here in this job in 2007, they had Cisco ASA Firewall, but it was too cryptic. You had to enter all these CLI commands for a configuration. It also didn't do everything that Fortinet could do. It was very limited, and it wasn't easy to use. I know what I want to do, and I don't have to learn a special language in order to do it. I just want to be able to use some basic programming code that they have put into the firewall and use the GUI interface with it to actually visualize what I am looking at. Some of the Cisco products are not visual enough. That was one of the reasons I stayed away from it. Cisco is also very high-priced. They price themselves out of business a lot of times for equipment, but Fortinet is just great.
I've also used SonicWall before. It was okay, but it is better for bigger places. I was looking for a midrange-size firewall for a couple of hundred users, and I felt Fortinet was the right fit.
reviewer1249359 says in a Fortinet FortiGate review
Executive at a computer software company with 10,001+ employees
The initial setup is straightforward, however, we have knowledgeable teams. We also use Fortinet to check the configurations and make sure everything is supported during implementation.
It's pretty standard to deploy. We're also familiar with Palo Alto and Check Point and there is not much of a difference between the three.
reviewer930837 says in a Fortinet FortiGate review
Senior Manager (Engineering Department) at a comms service provider with 10,001+ employees
The UTM feature is quite good. FortiAP is easy to deploy because both Fortigate and FortiAP are under the same brand. Otherwise, you need to do more work on the configuration.
The initial implementation of Fortinet FortiGate is not complex because the GUI environment is easy to use. We can do a lot of things in the GUI. If the configurations engineer, network administrator, or network engineer has knowledge about firewalls, the process will not be complex. It can easily be managed.
AnilKumar12 says in a Fortinet FortiGate review
Solution Architect at TNS Networking Solution Pvt. Ltd
I would rate this solution 6 out of 10.
The people who are working right now as system engineers are doing a kind of formal activity with the configuration. That means they are doing the basic activation. They are not doing a lot of experiments on them, so they should go with that because Fortinet is also having sensors, which can be highlighted to the customers.
Training should be available to the partner. The people who really implement the Fortinet firewall or Check Point or Palo Alto don't have enough knowledge about that because there is no public document or public training available.
We use Fortigate, and we have a relationship with Fortinet. We are working with the Fortigate 100F firewall. It is mainly for firewalling, but we would also use them for network demarcation as a DHCP or NAT router. We're also working with our Fortinet account manager to try and push further forward using an SD-WAN controller.
In terms of deployment, it comes through to the build lab. We configure it and then ship it to our customers. We are reviewing how to obviously do zero hands with FortiCloud, but what we've done so far has been conventional configuration and shipping.
reviewer1779540 says in a Fortinet FortiGate review
Security Presales Consultant at a tech services company with 501-1,000 employees
Fortinet FortiGate could improve by having better visibility. Palo Alto has better visibility.
When using Fortinet FortiGate you sometimes have to use the CLI to do some configurations which can be sometimes more difficult than using a GUI that other solutions can use, such as Palo Alto.
reviewer1127952 says in a Fortinet FortiGate review
Network Engineer at a logistics company with 10,001+ employees
The simplicity of the configuration and the stability of the product are most valuable. The VPN concentrator is very useful.
It's not straightforward. You must have at least the knowledge and the settings. It's not that simple.
The length of time it takes to install is determined by the configuration you have inside. It could take anywhere from 30 minutes to three hours.
In our company, I am responsible for the solution's maintenance and deployment.
The most valuable feature of Fortinet FortiGate is the simple configuration.
What we like about Fortinet FortiGate is that it's fast. You can also use it immediately, e.g. you don't have to wait and apply the policy before you can use it. It's robust and offers immediate usage, unlike Check Point, which we noticed was a slow product.
Fortinet FortiGate is also more secure, depending on how you set up the SD-WAN technology.
We also like the zero trust access, arrays, and the EDR features on this product. It's also 100% more user-friendly, e.g. even when I worked with them configuration-wise. The availability of the support hotline and their knowledgebase articles, e.g. the Cookbook, help a lot. Those articles are accessible to everyone, and they're free.
Whenever you implement a solution, you can run through the Cookbook, then you can install the Fortinet certificate if you aren't able to, if you're stuck, but most of the time you are likely to get it right. The Cookbook explains everything straight to the point, and this makes it much easier.
I advise others that Fortinet FortiGate has an easy configuration and it does not take much time to learn about the rules that you will need to apply for your company. When you connect to the main server you have high security.
I rate Fortinet FortiGate an eight out of ten.
Rehan Khurram says in a Fortinet FortiGate review
Systems & Network Administrator at a tech services company with 51-200 employees
Fortinet FortiGate's most valuable features are ease of use, flexibility, and that most of the configuration can be done using the GUI. When we compare Fortinet FortiGate with other solutions, the firewall policies are very easy to understand.
The initial setup of Fortinet FortiGate was straightforward.
The time it takes to implement a large firewall and a small firewall is the same. It does not matter the size of the firewall. The complexity comes from the network and the scope of work that we need to do for the customer on the network.
If it is a large network, it will take us more time to deploy it, because there is more to configure. If it is a small network, it will take less time, but configuration-wise, it's likely the same.
It's easy to set up.
For maintenance, if you want to add a mesh configuration, you can restore your configuration from the backup.
The configuration option availability is not 100% from the website of the FortiGate web management site. When we log on to the web interface on FortiGate, we do not have everything under this web solution. If we need some specific configuration or need to do some specific configuration, we need to do additional things on the CLI.
The stability could be a bit better.
The initial setup of Fortinet FortiGate is straightforward; we had the right person in-house for deploying it. Moreover, if required, Fortinet has its support extended to us. We can approach them anytime and they can assist us with any kind of complicated configuration.
Our biggest Fortinet solution was 500 plus retail sites. This customer chose the whole nine yards, including FortiGate, FortiSwitch, FortiAPs, and the FortiExtender, which is the LTE router.
I made the templates for the configuration for our bottom tiers because they were the ones rolling them out. I made a standard template config and wrote notes specifying necessary changes for each site.
The primary difficulty was trying to understand our customer's requirements and concerns because they were with an old provider. The provider had a lot of things on-site that weren't necessary. Deploying the Fortinet solution itself wasn't hard.
Getting there was hard because we had to sit down with the customer and their tech team to determine what was needed because they had old Cisco routers. That took about three weeks and required a lot of on-site visits, but it wasn't hard to deploy the solution once we got an understanding of the requirements.
We trained the customers to manage and maintain the solution themselves. The only maintenance we do is emailing them monthly when we get notifications from Fortinet about router upgrades. You can configure it and then forget it.
The firmware needs improvement because there are bugs when a new release comes through. Sometimes, the configuration changes, and it's a bit harder to see where the fail is. The first time that you have the firmware, it tends to have some issues, and it's better to wait a bit to update the equipment.
All the development of the firmware should be fixed before the update at the page level.
API tokens need to be improved, particularly with regard to integration with other cloud solutions. In other words, proxy flow and API integration need improvement.
Barracuda CloudGen Firewall: Configuration
The implementation process is a walk in the park. It's just next, next, next and you are done. You change a couple of parameters, and then you are online. Then you just adapt the firewall to the customer's needs. The setup is very easy. It's even easier if you are using the control center, even if it's quite expensive.
The initial setup itself might take 15 minutes or so.
It's a five out of five in terms of ease of setup.
There is some maintenance, however, it is minimal. Maybe every four years you'll need to switch the firewall. That's it. The new firewall is sent directly to the customer site. Then we just need to download the configuration file from the old one and just turn off a switch and turn on the new one.
This solution is absolutely stable. With some systems there's a necessity to regularly redo the configurations inside the system. With pfSense that's not the case. I have no issues with it at all.
The initial setup has a bit of a learning curve. It's not complex per se. It just takes some getting used to. After the initial deployment, the other six or seven were easy. I could just copy the configuration of the other ones, change some IP addresses, and I was basically done.
Well, it's open source... So for the tech-minded, it's not so difficult, but yes, the configuration is understandable for those with good prior firewall knowledge...
If you can get it working, it's great... But yes, that's the first part... Get it working...
Once working, all licenses etc. are not a problem as it is open source... So no restrictions there... so far...
The interface is not very shiny and attractive. Most of the people that use pfSense are highly skilled, so they don't even bother to go the extra mile when it comes to configuration or any protection mechanisms. With other firewalls, with just one click or with the assistance of a wizard, the service is already configured. With pfSense, you have to have some time to do your own research regarding how to fine-tune it. If that could be improved, then life would be much easier. This would help any entry-level users to adapt to the platform.
Netgate, the mother organization that manages the pfSense platform, should offer organized security feeds for its users so that they can avoid configuring multiple types of feeds in multiple locations. That could generate extra revenue for the company, too.
The VPN is my favorite feature. pfSense is very easy to use. The interface and configuration capabilities are great.
Peter says in a pfSense review
Software Applications Manager at an engineering company with 201-500 employees
I've tried to scale the solution previously. I've got two hardware platforms running. I wasn't quite able to run everything I wanted on a small ARM-based device. Therefore, I built my own Supermicro platform based on Intel Denverton.
It's actually easy to scale. It's just moving over most of the configuration: exporting, importing, or even going right into the original XML export file.
There are six users, three dozen devices and a homelab server with VMs running behind the solution at this time.
The initial setup is straightforward. It took me about ten to 15 minutes to install it and maybe half an hour for configuration.
The configuration of the solution is a bit difficult.
The initial setup is very simple and the configuration is user-friendly. It took me one day for the whole process.
Sometimes firewalls can get a little complicated. I think some of the things about the setup could be a little bit clearer. Maybe something like a configuration wizard or something that would guide you on more in-depth projects.
I'm running pfSense on old hardware, it takes all of 10 minutes to install.
Scalable, but only if one has expertise in open source configuration of software such as pfSense.
The initial setup is easy.
The first installation took an hour to complete, but the configuration is another part. It's about the complexity of my network because I have provided services from a firm and every company has a different setup.
It is quite easy. It is up in a few minutes even though I reinstalled the whole thing. For me, it is as straightforward as it can get. I'm a long-time user, and I don't see any problems with the configuration.
SonicWall TZ: Configuration
reviewer1506144 says in a SonicWall TZ review
IT Infra Head at a consumer goods company with 1,001-5,000 employees
It's a good product, but it's not a next-generation firewall. We are looking for a next-generation firewall and considering Cisco.
We require centralized monitoring of the network features, which they have but they are not to the level that we require.
The reporting is not good. Also, the historical configuration of the data or backup is not available.
To compete in the market, there have to be a lot of improvements.
We do not plan to continue using SonicWall TZ. We are looking for a replacement because we need centralized monitoring across the organization. It has been very difficult for us to manage the firewall as it is not managed centrally. This is the main drawback in our current scenario.
In the next release, I would like to see better scalability, easier installation, improved reporting, storage configuration, backup, and centralized management with reporting.
Odimas Nascimento says in a SonicWall TZ review
Commercial Director at a retailer with 1-10 employees
Its initial setup is simple. The duration depends on the number of users and configuration, but it usually takes around 12 hours. We have three or four people for its deployment.
The solution is stable. We're an MSP, so if our clients have any dated hardware, we'll make a plan to switch to SonicWall, otherwise there can be issues with the internet or configuration where we can't get in and troubleshoot. We need to know we can get into the firewalls and make sure that they're online, as opposed to having to schedule someone to come in and deal with the basic physical connections or troubleshoot.
Their scalability is wonderful. SonicWall has a migration table and it's easy to migrate the configuration of a small model to medium or all types. It's really easy. No problem. I have done this a few times and each time was perfect.
We have almost 100 users.
One person is enough for doing maintenance on SonicWall.
We do have plans to increase usage to more or less 10 or 20% more users next year.
It is easy to set up SonicWall. It just depends on the scope of the project.
To set up for initial use takes about two hours. We start with the basic configuration and that is enough to start using SonicWall. After that, we do the more complex and detailed configuration of the security features.
Since we can deploy SonicWall in two hours with the basic configuration, we do a fast start because my users are starting to use the web and receive emails. After that, we do the next steps of the complex config for the more detailed secured configurations.
SonicWall NSa: Configuration
At this office, the firewall was already configured when I started working here, so I only needed to make some adjustments. We have another office that we acquired recently, and I implemented the firewall there. The configuration was pretty straightforward. The graphical interface is very intuitive and that helps.
reviewer1126683 says in a SonicWall NSa review
IT Security Analyst at an outsourcing company with 51-200 employees
I used to work on SonicWall regularly. Now, I am working as an IT analyst and my job is to check the SonicWall configuration and test it. For example, I have to check the policy and then audit which ports are open.
The initial setup is definitely user-friendly, it's easy.
It only takes an hour to deploy, which includes the configuration.
reviewer1314267 says in a SonicWall NSa review
Director of IT at a consultancy with 11-50 employees
The initial setup isn't too complex. My understanding is that it's straightforward. I didn't set it up myself, however, it's got configuration wizards to walk a user through. This no doubt is quite helpful and makes it pretty simple in terms of implementation.
We are integrators, but for SonicWall, we use it for a specific project in industrial cybersecurity. It was for ransomware recovery and network restoration.
We did the firewall and the configuration for the ransomware prevention.
Our clients were using it to control the SCADA System in their industry.
reviewer1148964 says in a SonicWall NSa review
Network Administrator at a healthcare company with 201-500 employees
It's not as easy to use, as, for example, Palo Alto.
Some of the configurations could be better.
reviewer1646865 says in a SonicWall NSa review
ICT Consultant at a tech services company with 11-50 employees
I like the solution's configuration, interfaces, and user guides.
Najeeb Haneefa says in a SonicWall NSa review
IT Manager at an insurance company with 51-200 employees
The installation is not easy, you should have a basic understanding of your network and what your requirements are. Generally, the implementation is done by the vendor. We have an external party who used to do the basic configuration. However, the new generation firewalls do not take much time and are easier.
Shahid Abbas says in a SonicWall NSa review
Manager of IT at a healthcare company with 10,001+ employees
I didn't use support over the last nine years, except for handling the device replacement itself. I needed a device replacement due to some damage, and they fulfilled my request and requirements. In terms of tasks such as configuration issues, I've never actually asked for assistance for those queries and therefore could not rate how helpful or responsive they are when they cover those matters.
I am a technical engineer; I have complete knowledge of SonicWall. I can do all of the configurations for the firewall. We are a service-based company and I handle the different solutions. If they have any requirement or need any action on the firewall, then I can do that myself.
The only thing that needs improvement is the VPN because we need to pay to connect the points.
reviewer997284 says in a SonicWall NSa review
Network Engineer at a maritime company with 201-500 employees
We have two SonicWalls in the High Availability setup with failover configuration.
We use it for the firewalling, for IPS protection and for VPN clients.
It's very scalable. In some cases, it's necessary to change the firewall, however, it's easy to change as SonicWall has the ability to migrate the configuration from all firewalls to the new one.
Overall, I'm satisfied with SonicWall NSa, but it would be better if they could add a small terminal to each device. This would help me deal with certain issues by running a small bot onto any PC. This terminal could control technical configuration from a centralized configuration with the SonicWall appliance.
SonicWall NSa's most valuable features are the ease of configuration and the GUI. It's a web-based application, so we can easily configure all we want in the browser.
Deploying SonicWall NSa is straightforward. A new user can easily configure the firewall. You can usually complete the deployment within a day. Setting up the prerequisites takes about two hours and then it takes some time to deploy the policies. That varies depending on what the customer wants.
Maintenance is primarily configuration-related stuff, and our customers have their own engineers, but we give them advice. One engineer can maintain the solution.
SonicWall has all the usual functions, like LAN configurations, security features, word filters, etc., but it also has the CFS agent, which isn't available in any other firewall. Reporting port support is also there.
I also like the ability to manage all the firewalls from a single location. We can support all those things from this application. It's a cloud-based solution.
Sophos XG: Configuration
The initial setup was simple. Within one to two hours, we were done. This was not just the installation, but the complete configuration.
reviewer1462965 says in a Sophos XG review
Network Team Lead at a manufacturing company with 5,001-10,000 employees
The initial setup is straightforward. It is a single day task to do the initial configuration and move the traffic over there. The firewall hardening, of course, will take some time depending upon the traffic, but the initial setup is a single day task.
The initial setup was a little complex because of the kind of configuration that we were looking at, the way the firewall had to be configured was slightly complex. We carried out the implementation ourselves and it took a maximum two days.
The web application firewall or WAF is very useful. Web application firewalls help keep your servers safe from hackers by scanning activity and identifying probes and attacks.
Using the Web Application Firewall (WAF), also known as reverse proxy, Sophos UTM lets you protect your webservers from attacks and malicious behavior like cross-site scripting (XSS), SQL injection, directory traversal, and other potent attacks against your servers. You can define external addresses (virtual webservers) which should be translated into the "real" machines in place of using the DNAT rule(s). From there, servers can be protected using a variety of patterns and
This function has been completely re-developed in XG, relative to the UTM 9 version, and it works fine. I protect many internet web servers (IIS) for my customers with this function, due to a lot of attempted attacks. It's very useful and relatively simple to implement in Sophos XG.
Obviously, like all security systems, it is not a "fire and forget" configuration. It is necessary to properly analyze the system to be protected, create an appropriate policy and monitor its behavior once activated.
reviewer1429977 says in a Sophos XG review
Network Security Administrator at a comms service provider with 501-1,000 employees
The initial setup was straightforward. It took us less than 30 minutes. Normally, it depends on the size of your organization, so for mine, the installation was less than 15 minutes. By 30 minutes I was finished even with the setup and configuration.
It is not a very scalable product. I would rate the scalability a seven out of ten because where you order it, it comes with prefixed ports. You will only have perhaps two for the WAN, and then maybe four LAN ports, and one console. In this regard, it's not scalable.
When you buy it, you can't change the port configuration. In order to get more ports, you may have to upgrade to a bigger firewall.
We have about 130 accounts for approximately 80 employees.
reviewer1483797 says in a Sophos XG review
Service Delivery Engineer - Network Security Lead at a tech services company with 51-200 employees
The most valuable feature is the Intercept X. It is the advanced features that are used for malware detection and antivirus. It's similar to antivirus on steroids.
It's simple to use and has a simple interface. It's generally straightforward and configuration-wise, it's not complex.
It's a very simple product to use and that's why you find it is used mostly in small to medium-sized enterprises. They don't have the manpower that a large organization can have, in terms of the skilled workforce when it comes to cybersecurity. They just need something that is simple to use, simple to manage, and simple to administer, but effective at the same time. That's the main selling point for Sophos.
reviewer1096965 says in a Sophos XG review
Systems Administrator Team Leader at a retailer with 1,001-5,000 employees
The initial setup is carried out on the portal so you need to work on the configuration with the respective partner and have the portal accessing all of the environment. It's a simple setup. We have deployed this solution on around 200 machines.
The initial setup and configuration was very easy for us. I think it's easier than the other options in the marketplace. The deployment time is relative. For example, if you're deploying for a client who has another firewall and have to integrate it, it'll take around two or three days. But if it's a new environment, you can deploy the firewall within two hours.
reviewer1496412 says in a Sophos XG review
ICT Manager at a hospitality company with 1,001-5,000 employees
It has been fairly stable, and it is also scalable.
The initial setup is not complex. However, here in Mexico, it's very complex to sell the product. The brand is not as well known.
That said, the process is pretty straightforward.
The deployment times vary. It depends on the end-user and what they need. Sometimes, it's easy as they don't have too many policies. The more policies they have, the longer it takes.
In other cases, clients may have a lot of VPNs. We have to work on those VPNs, and we have to do a lot of routing. However, that depends on the customer. Not all are like that.
For one appliance, you just need one person for deployment and maintenance. If we are working a lot of VPNs, we would have to use more people. We need to involve maybe two or three individuals and re-apply the configuration in that case.
I am using the Azure Active Directory in my company and it was complicated to integrate this solution with Azure. I had to use an internal VPN and had to do many configurations to get it operating. This process should be easier to implement.
The initial setup is not so complicated. The system is not complicated to understand and also it can be installed without a very high level of expertise. Of course, if you have this kind of expertise, you can obtain from the system the maximum performance that the system can do, however, it means that you are not obliged to be a guru to be able to use these kinds of products. You can use these kinds of products just as an IT manager inside the company without having or needing special knowledge.
Otherwise, you can leave it to Sophos with the capability of doing something like a closed box. You are sure that Sophos is able to guarantee the level of security that you are expecting. You can have it be automatic, or you can choose to go more manual in its operations. For example, if you were a professional photographer, you'd probably like a manual experience, as it would allow you more leeway with your craft, and if you were an amateur, you'd likely prefer an automatic camera that handles the heavy lifting for you. Sophos, in that sense, is the same. If you want, you can configure single parameters, or you can leave it to Sophos to give you something out-of-the-box.
In any case, if you stay on the automatic configuration, you are guaranteed that the system can provide the correct level of service that you want. It means that it's not required to have an expert. That said, you need of course to have a minimum level of knowledge, as it's clear that you need to know what you are managing. Starting from that, you can obtain what you need without moving into an advanced configuration.
Typically, a configuration takes about half a day or so, if you go that route. It doesn't take long, as those who would handle it would know what they are doing.
reviewer1229574 says in a Sophos XG review
Head of Network Department at a financial services firm with 1,001-5,000 employees
The GUI and support could be better. I think there are other products that we are going to deploy instead of Sophos. We have already upgraded a month ago because the interfaces and support for Sophos are really weak. But other products like Juniper, Cisco, or FortiGate are better than Sophos. It's also complicated, and the end-user or client does not understand it.
The interfaces and the GUI design are not easy, and when you do something, unrelated things are in the same configuration site. There are different sites to visit to configure Sophos. This is even more than other products. Many features can be improved, especially the VPN and web filtering features.
reviewer1509573 says in a Sophos XG review
Senior Engineer at an engineering company with 11-50 employees
I would advise others to go through the Sophos demos. They are very good, and they walk you through configuration and use cases. Their online documentation is very helpful in not only configuring it but also selecting a proper model to deploy.
I would rate Sophos XG an eight out of ten for ease of use and cost.
The installation is very easy for anyone. The configuration is straightforward; all the information is available through a quick Google search.
Pol Balaguer says in a Sophos XG review
IT Manager for Network and Security at a religious institution with 51-200 employees
I've worked with Sophos previously and we had a different setup. In terms of implementation, sometimes there are complex setups and sometimes the setups are more basic. Right now, we have a complex setup. We need to ensure interconnectivity between our branches. We'll have different networks, different sites, and a lot of complexity.
It doesn't really take too long to deploy, however. The support from the supplier is good. They're always available to assist. They are well-trained and they are already familiar with the setups and configuration so they're doing a pretty good job in terms of helping us.
In the past, I have worked with SonicWall and Fortinet products.
I prefer Sophos because of the user-friendly configuration and stability.
The initial setup is quite easy. It's not overly complex. The configuration process is also very simple.
We have a team within our organization that can handle any maintenance that is required.
The solution is scalable, but an organization should assess in advance its size-based needs. Say, for example, a company utilizes the XG 125 version, but grows rapidly. At this point it may need to switch to the 210 version. Yet, switching from one version to another would not really present an issue. One can restore the backup configuration version on the new hardware and be up and running.
There have been some issues when upgrading. For some reason, parts of the configuration become unconfigured, I then have to reconfigure it. I should not need to keep reconfiguring it after upgrades.
Nitesh Sharma says in a Sophos XG review
Sr Information technology consultant at onkar international pvt ltd
There's no additional cost for installation. The provider from which we purchased, the vendor, himself arranged all installation and configuration. They helped us. However, even through customer care, a company can ask for assistance.
reviewer1625292 says in a Sophos XG review
Creative Head/Director at a marketing services firm with 1-10 employees
I am the technical person. Installation can be handled independently. We do the configuration of the firewall.
We have two teams that are responsible for the deployment, a firewall and a network one. We can handle the implementation using both teams.
We migrated from Cyberoam. The migration went very well.
The migration process did not require a lot of configuration.
It took a few days to complete the migration and the testing.
This solution is being managed by myself and a colleague. We are a team of two.
reviewer1231140 says in a Sophos XG review
IT support officer at a wholesaler/distributor with 51-200 employees
I contacted the external partner, and the setup was easy. It took about two or three days. Some little pictures were difficult for us to find, but that's normal. We could not make a one-to-one copy of the older one, so we had to search for some little personal configurations here. Now that everything is configured right, we are happy to have it.
Niranjan Prajapati says in a Sophos XG review
Network & System Support Engineer at ITCG Solutions Pvt Ltd
When it comes to the firewall, everything hinges on the configuration. Every firewall is good, but one can see the importance of the configuration in the firewalls of Sophos and SonicWall. This is the most important thing, since users occasionally disable the app control, IPS or anti-spyware features. They do this out of a lack of familiarity with the security, something which allows attacks to occur. Therefore, the configuration is key. I configure every firewall I employ, be it Sophos, SonicWall or Fortinet.
I have not encountered any issues when it comes to the configuration.
Compared to other firewalls that I had looked at, I thought Sophos was the better solution. It just seems to be easier to manage versus Cisco, Fortinet, or one of the other options I was looking at.
I'm not going to say that it's easy to configure, but I can understand how to configure it. There is a certain amount of support available to do the configurations.
The most valuable features are its nice interfaces and configuration. The endpoint is also very good.
reviewer1749918 says in a Sophos XG review
Gerente de Atendimento na Introduce at a tech services company with 11-50 employees
Sophos XG is really robust because of all the implementations you currently have active. We don't have problems on the hardware or a bug on the software or anything like that. It's really, really rare. Most of the problems are from requests for our customers asking to make a particular website available for some parts of the company and things like this. Just some little configurations on the web filter.
reviewer1166514 says in a Sophos XG review
Founder and Managing Partner at a tech services company with 1-10 employees
The stability is what I have found attractive with the whole Sophos product line. You can have a client that starts with a three-person office and grow it to a 10,000 person operation and you keep moving the configuration to the next level of power.
The interface could be a bit more user-friendly. For me, it's still user-friendly and I don't find it difficult to use. However, the configuration should be more user-based. As an example, IPSec is complex and a little bit difficult to configure. If it were more like Microsoft Azure and the way their online configuration works, it would be an improvement. As it is now, I have all of the settings inside the device, so I can clone them and use them for customers. But, on the customer's side, it is difficult for people to understand.
Our Wi-Fi network is not working as well as expected.
ArcadMkoji says in a Sophos XG review
Head of Information Technology at a manufacturing company with 201-500 employees
I rate Sophos UTM eight out of 10 for ease of deployment. We didn't have any serious issues. The only challenge we had was migrating from Sophos UTM to XG. There was no direct migration, so we had to do a manual configuration.
After deployment, the solution doesn't require much maintenance. So as long as my connections are up and running, I don't need to do any maintenance. All the updates are automatic.
Kerio Control: Configuration
The setup is straight out-of-the-box. Take it out of the box, run through the wizard, configure it with the settings that you should already know, and then it works and you get online. That's the basic setup, because the Traffic Rules, by default, allow everything out and stop everything coming in. That's enough to just get online.
You then go to start defining your networks and your traffic rules. Putting multiple VLANs in there is easy. Even as it gets to be a more complex configuration, it's easy to do.
Sometimes it's time-consuming if it's a large configuration, but that's just what it is. It takes time to click boxes if it's a large network with lots of different scenarios, and to type in all the IP addresses.
But it's easy out-of-the-box for a basic configuration and still fairly easy if you've got that knowledge of the Kerio and networking. Just a little time-consuming. If there were some kind of import or bulk add, that would be nice, but that's on a wish list. It's really not that necessary.
If a customer just wants something out-of-the-box, we plug it in, make it work, and it probably takes a couple of hours, at the most. If it's a bit more complex, it might take a day. It might take longer if you don't know what you're doing.
I've always told customers that there is no fixed configuration. This thing will work and do what you want it to do. As time progresses, it evolves with the changing requirements. So we can give them a solution. They can give us some key config points telling us "Okay, we want this many networks and we want these users, and these particular rules," etc. We configure all that in a day and test it the next day. After that, it's ongoing. They might decide, "Oh, we actually want to change the bandwidth allocation," or "We've got a new internet interface," or we want to block Facebook at a specific time. It's ongoing.
It's a combination of authentication, internal network DNS, filtering, and antivirus. It is a standalone product which has a lot of the features that a Windows domain might have. However, I don't need to have a whole lot of Windows or Mac infrastructure, as I can do all my network management from Kerio.
One very good thing about the Kerio device is its authentication. I don't have a Windows domain for authentication. Instead, I use the Kerio product because it can separate users by MAC addresses and give them IP addresses based on their usernames, automatically logging them in. This makes for a very simple authentication system.
The solution’s firewall and intrusion detection features are pretty good. I have, at different times, connected directly to the Internet in bridge modes with the modem, and the noise in the logs is phenomenal. So, it does a good job. I can see that the intrusion prevention catches everything that is coming at it. I tend to not use it in that mode. I have it connect to a port on my modem router, so I let the modem router take all the initial intrusion noise, then not much gets through to Kerio. That just gives me a lot of confidence that I have a secure network.
For the content filter, I am pretty much running their default. I haven't added any rules to that myself. The default does a pretty good job at picking up things. I might have whitelisted one or two things that I use which it tends to pick up, but I know they are okay.
Kerio Control gives us everything we need in one product.
The feature that I'm relying on: If the appliance died and I had to get another one, Kerio has a configuration backup. Therefore, it's pretty easy to restore to a new appliance.
We turned on two-factor authentication just after the shutdown when we knew we were going to get more users using it. That was the only feature that I've used recently that was different and it worked fine. You only have to authenticate once every 30 days, once you've fully authenticated. It was easy. Technically, it's not a full implementation. It's two-factor on every login, but it's certainly more secure than it was.
In terms of the comprehensiveness of the security features, I know that we haven't had any breaches before. We've had security issues before but it hasn't been with the data center implementation. We have a technology partner that we use to consult for configuration and Kerio was their number one recommendation at the time. We've never had an issue since implementing that. While it works, it's not an issue for me. To the best of our knowledge, we haven't had any data breaches.
We do a lot of audits in terms of data security. I don't know if that's ever been an issue here because a lot of our production stuff is actually walled off from our corporate network so it's of lesser risk factor. We were regulatory. We're a licensed regulatory body as well. We monitor gaming machines throughout the state. A lot of our security and the production network is a lot higher than our corporate. Not that corporate's not high, but there are a lot more freedoms for the user under the corporate network umbrella anyway. But it does what it needs to do. We haven't had an issue with it. The most we've had to do when we've had an issue is upgrade the VPN Client's software.
Before using Kerio, with another software, we did experience security breaches. Not so much with a firewalling product. We've had issues with breaches of user breaches. So phishing attempts and so forth. Just the general user stuff, but not through the corporate firewall. And honestly, we didn't handle all of that previously. We only took that on board about six or seven years ago when we changed ownership. So a lot of our services are in the cloud these days as well. Office 365 and so forth.
In a roundabout way, its security features played a role in our decision to go with it. We rely on the advice of our consultant and the consultant recommended this configuration, this software, and this appliance. So, it was more about the appliance. It was more about the flexibility than what we needed to do in a data center environment as well, to be able to manage it remotely and securely. It's been very easy to manage.
The consultant was TechPath. TechPath is very good. I have full faith in TechPath. They're an MSP and we've just used them as a consultant when we initially set up our wide area networks and the security around it. They have good guys there. We don't have a lot of network engineers in what we do. That's their job. That's why we use another consultant.
Because it's all ID integrated, it's very easy for a user to get online step by step. And in terms of the actual configuration of the firewall itself, it's an intuitive interface if you know what you're doing, in terms of logging traffic, spanning, and the rest of it. The logging is fine.
Remote work has been increased by 100%. We would have had around 25 - 30 remote users. That's probably increased to 60 over the shutdown, including contact center staff. That'll scale back a little bit as people come back into the office, but overall, people don't stay connected during office hours, it's more of an as-needed basis. We still only have 10 to 15 concurrent users, but in terms of licensing, we had under five concurrent users at any one time before that. There was an increase, but it was not a resource-hungry increase. We said to make sure the licenses were sourced in advance.
GFI's technical support is way too slow in terms of response times. Their knowledge is okay. They should know their products. Even though they bought Kerio, they were able to update the software with their developers and build some new routines in it.
But regarding the support, if I send out a solution or a request today, it's taking too long to get a proper answer. You should have an answer the same day, at least, and if possible a quick response via email. That would be preferable in our cases. I know that is not always possible. And that's for software issues.
But if you have a hardware issue it's even worse because we are not able to get hardware maintenance on the firewalls. Ideally, within two hours of going down, a mechanic would come with a new firewall to replace it and to restore your saved configuration from the cloud. They don't have that. If a hardware issue arises with a firewall, then it takes at least a week, maybe a week-and-a-half, to get a new firewall sent by GFI. That's really not acceptable. If we have a hardware issue and we order something from some companies here in The Netherlands, we have it the next day. That would be acceptable.
We deal with that by having a spare NG500 lying around that we can use. We've never used it, so it's already three years old, doing nothing. But it's there.
We hired a guy to do the initial set up for us. I think he was a Kerio reseller and we used him for consultancy before it started and then he actually did the work on the Kerio as well, and the network in general.
Our experience with him was excellent. We've used him a couple of times since. He's brilliant. His knowledge of everything is incredible. We tried to do it all ourselves at first, but he came in and knew exactly what the problems were. Something that had taken us about four days, he did in five minutes. He's just incredibly knowledgeable about everything to do with networks: Cisco, Kerio, everything.
I've set up another one since, for the same company. I just copied the configuration file of the one and put it straight onto the other. They're in separate buildings, but they wanted them exactly the same so it was really easy.
That deployment took an hour, but it was because we already had one set up.
As for deployment and maintenance of these solutions we generally need just one person: me.
reviewer1199382 says in a Kerio Control review
Senior Systems Tech/Admin at a computer software company with 1-10 employees
The solution is scalable. If you are using virtualized machines you can have as much memory and storage as you want, but you do not need much storage for this solution. It is powerful and fast, although it can slow down the internet because of the filtering. For example, if you have most of your services running, such as antivirus, content filtering, and intrusion prevention, and there is a lot of configuration, it might slow down your internet service to about 70%, instead of a direct simple router.
Cisco Firepower NGFW Firewall: Configuration
Compared to many years ago, the configuration is much more simplified. It is still not one button to get it all done. It's not easy enough. It hasn't reached the level where a junior staff member can get the job done.
For my enterprise environment, the deployment goes wave by wave. It can take six to eight weeks. We do a rolling upgrade. It's not something that can be done in one action because the network is so huge and complex.
We have a uniform implementation strategy. We have a standard upgrading procedure. We do testing and verify and then we put it into production.
My primary use case with Cisco Firepower NGFW is implementing, configuring, maintaining, and troubleshooting lab and customer devices in both lab and production environments.
Using best practices for configuration, as well as fine-tuning intrusion policies and utilizing as many of the features that the firewall has to offer, which are feasible in said environment.
Overall, I am confident to say that I have worked with every flavor of Cisco Firepower NGFW, be it their older IPS-only sensors, ASA with Firepower services, as well as the FTD sensor itself.
There needs to be an improvement in the time it takes to deploy the configurations. It normally takes two to four minutes and they need to reduce this. The deployment for any configuration should be minimal. It's possibly improved on the very latest version.
An additional feature I would like to have in Firepower would be for them to give us the data from the firewall - Cisco is probably working on that.
The initial setup is easy, with the installation and configuration taking about two hours.
The solution offers very easy configurations.
The administration of the solution is very good.
The product integrates well with other products.
Andreas Pedersen says in a Cisco Firepower NGFW Firewall review
Systems Engineer at a tech services company with 11-50 employees
First you have to configure the Firepower Device Manager, or Firepower Management Center. When you bootstrap it or do the initial config, you type in the IP address, host name, and DNS. When you have the IP configuration in place, you can log in to the Firepower Management Center and start building policies that suit your needs. When you have all the policies, you can add or join Firepower devices to the Firepower Management Center. After adding the devices to the Firepower Management Center, you can then apply the policies that you built in the first place, through the devices, and that will affect the behavior on the devices.
The configuration in Firepower Management Center is very slow. Deployment takes two to three minutes. You spend a lot of time on modifications. Whereas, in FortiGate, you press a button, and it takes one second.
Three years ago, the Firepower Management Center was very slow. The solution has improved a lot in the last couple of years. It is now faster. I hope that continues to improve.
reviewer1512729 says in a Cisco Firepower NGFW Firewall review
IT Administrator / Security Analyst at a healthcare company with 11-50 employees
The big three solutions, Cisco, Fortinet, and Palo Alto, are all really good but I tend to lean on Cisco versus the others because one of their strengths, in general, is threat intelligence. When you put a bunch of security people in a room then you have a lot of consensus, but like anything, you'll have a lot of disagreements, too.
Each of these products has its strengths and weaknesses. However, when you factor in AnyConnect, which most people will agree is state-of-the-art from a security standpoint in terms of VPN technology, especially when it's integrated with Umbrella, it plays into the firewall. But, it always comes back to configuration. Often, when you read about somebody having an attack, it's probably because they didn't set things up properly.
If you're a mom-and-pop shop, maybe you can get by with a pfSense or something like that, which I have in my house. But again, if you're in a regulated environment, you're looking at not just a firewall, you're looking at all sorts of things. The reality is, security is complicated.
One of the nice things about Firepower is that you can set it to discover the environment. If that is happening, then Firepower is learning about every device, software operating system, and application running inside or across your environment. Then, you can leverage the discovery intelligence to get Firepower to select the most appropriate intrusion prevention rules to use for your environment rather than picking one of the base policies that might have 50,000 IPS rules in it, which can put a lot of overhead on your firewall. If you choose the recommendations, as long as you update them regularly, you might be able to get your rule set down to only 1,000 or 1,500, which is a significant reduction in a base rule set. This means that the firewall will give you better performance because there are fewer rules being checked unnecessarily. That is really useful.
Cisco implemented a role-based access control for Firepower, so you can have very granular accounts. For example, a service desk analyst could have read-only access. If we have a security operations team, then they could have access to update IPS vulnerability databases. A network engineer could have access to update ACLs, not rules, which is quite useful. Also, you can selectively push out parts of the policy package based on your role-based access control. So, if you have one job role and work on one part of the configuration, and I work on another job role working on a different part of the configuration, then I could just deploy the changes that I have made without affecting what you are doing (or without pushing out your changes). It is quite nice to be able to do that in that way.
I have experience with SonicWall, Fortinet, Juniper, and Sophos firewalls, among others. We work with Fortinet and Palo Alto. It's not that we only do Cisco. But I can say from my experience that I am really more convinced about Cisco products.
What customers really like about Cisco, the number-one thing that they are really happy about within Firepower—and it was also in the old ASA code, but it's even more a feature in Firepower—is that the configuration is in modules. It's modular. You have different policies for the different functions within your firewall, so that your access control policy is only for your access lists and that's it. You have a different network address translation policy. It's all separated into different policies, so a customer knows exactly where to look to configure something, to change something, or to look at something which is not working properly.
Also, with Cisco, when a customer is not totally certain about a change he's going to make, he can make a copy of the specific access control policy or the NAT policy. If something doesn't go right, he can assign the copied policy back to the device and everything is back to the way it was.
These are the biggest advantages our customers see. When a customer doesn't have any knowledge about firewalls, I can explain the basics in a couple of hours and they have enough familiarity to start working with it. They see the different modules and they know how to make a backup of a specific module so that they can go back to the previous state if something goes wrong.
The IPS is one of the top features that I love.
The dashboard of the Firepower Management Center (FMC) has improved. The UI has been updated to look like a 2021 UI, instead of what it was before. It is easy to use and navigate. In the beginning, the push of the config was very slow. Now, we are able to push away some conflicts very quickly. We are also getting new features with each release. For example, when you are applying something and have a bad configuration, then you can quickly roll back to when it was not there. So, there have been a lot of improvements in terms of UI and configuration.
We found that the initial setup using Firepower products was actually very simple. The initial configuration for the Management Console was very straightforward. Adding devices usually takes a few minutes. And then once you've got them physically set up in your Management Console, it's streamlined. It's actually very simple.
One of the great features of having the Cisco Firepower Management Console is having the ability to group. So we have each one of our hospitals as a group, so we can actually do any device configuration within a group. They're HA so that when we do an upgrade, it is seamless because when it fires off the upgrade, it will actually force the HA over automatically as part of the upgrade. And the other part of that is policy management. We have several policies, but specifically, one for the general use at our hospitals has been phenomenal because you build out one policy and you can push that out to all of your end nodes with one push.
We require two staff members to actually implement and devise the initial configuration.
At my company, you have to be at least a senior or an architect in order to manage any type of firewalling, whether that's the IPS, the actual firewall itself, or AnyConnect. So we have senior network engineers that are assigned for that task.
We typically have one person that will actually rotate through the group for the maintenance. There's a senior network engineer that will maintain that on a daily basis. Typically, it doesn't take maintenance every day. The biggest maintenance for us comes to updating policy, verifying the geolocation information is correct, and any upgrades in the future. So typically that takes about one to two people.
It integrates with other Cisco products. We use Cisco ASA and Cisco FTD, and we also use Cisco FMC for monitoring and creating policies. For internal network monitoring purposes, we use Cisco Prime. We also use Cisco ISE. For troubleshooting and monitoring, we can do a deep inspection in Cisco FMC. We can reach the host and website. We can also do web filtering and check at what time an activity happened or browsing was done. We can get information about the host, subnet, timing, source, and destination. We can easily identify these things about a threat and do reporting. We can also troubleshoot site-to-site VPN and client VPN. So, we can easily manage and troubleshoot these things.
Cisco FMC is the management tool that we use to manage our firewalls. It makes it easy to deploy the policies, identify issues, and troubleshoot them. We create policies in Cisco FMC and then deploy them to the firewall. If anything is wrong with the primary FMC, the control is switched to a secondary FMC. It is also disconnected from the firewall, and we can manage the firewall individually for the time being. There is no effect on the firewall and network traffic.
Cisco FMC saves our time in terms of management and troubleshooting. Instead of individually deploying a policy on each firewall, we can easily push a policy to as many firewalls as we want by using Cisco FMC. We just create a policy and then select the firewalls to which we want to push it. Similarly, if we want to upgrade our firewalls, instead of individually logging in to each firewall and taking a backup, we can use Cisco FMC to take a backup of all firewalls. After that, we can do the upgrade. If Cisco FMC or the firewall goes down, we can just upload the backup, and everything in the configuration will just come back.
We can also see the health status of our network by using Cisco FMC. On one screen, we can see the whole firewall activity. We can see policies, backups, and reports. If our management asks for information about how many rules are there, how many ports are open, how many matching policies are there, and which public IP is there, we can log in to Cisco FMC to see the complete configuration. We can also generate reports.
With Cisco FMC, we can create reports on a daily, weekly, or monthly basis. We can also get information about the high utilization of our internet bandwidth by email. In Cisco FMC, we can configure the option to alert us through email or SMS. It is very easy.
Germain Safari says in a Cisco Firepower NGFW Firewall review
Information Security and Compliance Manager at RSwitch
The initial setup is 50/50, between straightforward and complex. Migrating from Cisco to another Cisco product is okay, but migrating to Cisco from other network devices, like an IBM switch, is a bit tricky. You can't test the configuration to see if it's the same as what you're going to. But we managed with support from Cisco.
It took a month to complete the deployment.
Our implementation strategy was based on not upgrading everything at the same time. It was phased. We deployed a specific device and then we monitored everything to make sure everything looked okay, and then we moved on to the next one.
It requires a minimum of two people for deployment and maintenance, from our network and security teams.
It may sound a bit strange, but one of the most valuable features of Firepower 7.0 is the "live log" type feature called Unified Event Viewer. That view has been really good in helping me get to data faster, decreasing the amount of time it takes to find information, and allowing me to fix problems faster. I've found that to be incredibly valuable because it's a lot easier to get to some points of data now.
Also, the new UI is always getting better from version to version. In the beginning, when it came to managing Cisco Secure Firewall, it wasn't always the easiest, but with 6.7 and 7.0, it's gotten easier and easier. It's a pretty easy system to manage. It's especially beneficial for people who are familiar with ASA logic because a lot of the Firepower logic is the same. For those people, they're just relearning where the buttons are, as opposed to having to figure out how to configure things.
I've used the backup VTI tunnel and that's a feature that lets me create some redundancy for my route-based stuff and it works pretty well. I haven't had any issues with it.
Firepower 7.0 also has fantastic Dynamic Access Policies that allow me to replicate a lot of the configurations that were missing and that made it difficult to move off the old ASA platform for some customers. The addition of that capability has removed that limitation and has allowed me to move forward with implementing 7.0.
Snort 3 is one of the biggest points on Firepower 7.0. I've been using Snort 3 for quite a while and, while I don't have a ton of customers on it, I do have some who are running on it and it's worked out pretty well. In their use cases, there wasn't a lot of risk, so that's why we started with it. Snort 3 has some huge advantages when it comes to performance and policy and how it's applying things and processing the flows.
Dynamic Objects have also been really critical. They're very valuable. Version to version, they're adding a lot more features onto Dynamic Objects, and I'm a big fan.
I've also used the Upgrade Wizard quite a bit to upgrade the firmware.
And on the management side, there are the health modules. They added a "metric ton" of them to the FMC [Firepower Management Center]. In version 6.7 they released this new health monitor which makes it a lot easier to see data and get to information faster. It's quite nice looking, as opposed to CLI. The new health modules really do stand out as a great way to get to some of that health data quickly—things like interface information, statistics, drops—that were harder to get to before. I can now see them over time, as opposed to at just a point in time. I've used that a lot and it has been very helpful.
In addition, there is the global search for policy and objects. I use that quite a bit in the search bar. It's a great way to get some information faster. Even if I have to pivot away from the screen I'm on, it's still great to be able to get to it very quickly there.
In a lot of ways, they've addressed some of the biggest complaints, like the "housekeeping" stuff where you have to move around your management system or when it comes to making configuration changes. That has improved from version to version and 7.0 is different. They've added more and have made it easier to get from point A to point B and to consume a lot of that data quickly. That allows me to hop in and do some data validation much faster, without having to search and wait and search and wait. I can get to some of that data quicker to make changes and to fix things. It adds to the overall administrator experience. When operating this technology I'm able to get places faster, rather than it being a type of bottleneck.
There is also the visibility the solution gives you when doing deep packet inspection. It blows up the packet, it matches application types, and it matches web apps. If you're doing SSL decryption it can pinpoint it even further than that. It's able to pull encrypted apps apart and tell me a lot about them. There's a lot of information that 7.0 is bringing to the forefront about flows of data, what it is, and what it's doing. The deep packet inspection and the application visibility portion and Snort are really essential to managing a modern firewall. Firepower does a bang-up job of it, by bringing that data to the forefront.
It's a good box for visibility at the Layer 7 level. If you need Layer 7 visibility, Firepower is going to be able to do that for you. Between VLANs, it does a good job. It's able to look at that Layer 7 data and do some good filtering based on those types of rules.
In the new design, I put Cisco Firepower NGFW Firewall as a LAN segment and as the data center firewall. In the old design, I just used FortiGate Firewall for configurations, and we are going to replace it. The complete solution will be replaced with a two-tiered data center.
The ease of use, when it comes to managing Cisco Firepower NGFW Firewalls, is getting better because the UI is improving. It was a bit cumbersome in previous versions. Checkpoint, for example, has one of the most intuitive user interfaces, and now Cisco is really improving.
The only drawback of the user interface is when it comes to policies. When you open it and click on the policies, you have to move manually left and right if you want to see the whole field within the cell. Checkpoint has a very detailed user interface. Cisco is getting better and becoming more and more user-friendly.
Cisco needs a more intuitive user interface. When you know what to do, it's easy. Otherwise, you need training. You can install it and do the initial configuration, but if you don't have the proper training it's also possible to configure it the wrong way. If that happens, some things might pass through that you don't know about.
The reporting and other features are nice, but there is an issue with applying the configuration. That part needs some improvement.
Services from the outside, like financial services that are critical, should be protected by the NGFW. There are cyber attacks on these services. Therefore, adding this NGFW in front of those services will reduce our costs for cyber crime.
I like that you can get really granular, as far as your access lists and access control go.
You can also put everything into a nice, neat, little package, as far as configuration goes. I was formerly a command-line guy with the ASA, and I was a little nervous about dealing with a GUI interface versus a command line, but after I did my first deployment, I got a lot more comfortable with doing it GUI-based.
Hillstone E-Series: Configuration
Untangle NG Firewall: Configuration
At this stage, I think the SSL decryption option can be streamlined.
I think decryption transparency could be improved because you basically click a button and then you set up one rule-set and that's about it. I've noticed there's a problem on some sites where it doesn't do the proper decryption. I actually had to go through the application control module, and logs to see what was happening, and why some sites could not function, before I could decipher that it was the SSL decryption that was blocking the sites. I would like to see more hands-on configuration in that respect.
Untangle now supports TLS v1.3. So far testing has yielded positive results and I have not really had to bypass most of the sites we browse to, after resetting the policies to default.
It is straightforward. Our target market is the small and medium companies that don't have IT departments and a firewall specialist. We provide the Untangle solution and the management of the solution for a quote.
Most of the implementations are simple. However, we have implemented the Untangle solution to replace Fortinet in a financial group in Mexico. This was the most complex configuration that we have handled. There were 65 locations with Voice over IP and some other features. We had to create balance and recovery from the cluster.
Our last implementation took less than a week. You need just two people for its deployment and maintenance.
We do a lot of Voice over IP, which is one of the features that I like about it. The firewall works really well with Voice over IP.
They have a command center that makes it easy to log into and see all of your appliances nationwide.
The reporting is wonderful. You can run reports and they are very helpful.
The alerting is great. It will send you alerts when there is any nonsense going on. For example, you will get alerts on DDoS types of attacks.
It has wonderful content filtering built into it. They also have a captive portal feature that is pretty good. It has several useful, interesting features included.
The VPNs are great too, they are wonderful.
We set up RDP on our clients, but it's Atlanta LAN, the LAN RDP. If you get on the VPN, then the allow group, you can actually RDP, you make the VPN connection to it. You can also then do a site-to-site VPN and they make it very simple. Overall, the VPN features are wonderful.
The zero deployments are wonderful with this. With zero deployment, you don't have to touch the firewall. When the firewall arrives on-site, you have a smart hands technician unplug the old one and plug in the new one. It automatically downloads the configuration offline. No technician will ever have to physically touch that firewall. It can all be done through the command center once the firewall connects to it. Everything is automatically added once you purchase it and it will download the proper configuration for that site.
This firewall has a lot of features and we are using all of them.
What I like about this product, which is the reason that we continue to use it, is that you can install the software version on your own hardware. In case there is a problem with the hardware, we can just install the firewall in another machine and restore the configuration. This is unlike using a device with hardware that is vendor-specific. We had such a problem one time, and it required that we had to purchase more hardware.
Palo Alto Networks VM-Series: Configuration
reviewer1415211 says in a Palo Alto Networks VM-Series review
Senior Manager Network Engineering at a manufacturing company with 10,001+ employees
With any organization, if you want to change the firewalls that are being used in production then it's a hectic task. You have some rules and engines that can be used, but it's a step-by-step process.
Migrating from an existing solution to Palo Alto needs to be done in phases. Phase one would be installing the devices. Phase two is testing a lab setup and diverting traffic, then analyzing it. Finally, the third phase is to enable other features like threat protection, malware detection, and other advanced options.
Depending on the size of the organization, if a migration is well planned then it will take three to four months to complete.
The configuration is different between our branch offices in order to meet our requirements. Some use the hardware appliance, whereas others use the software version.
reviewer1267734 says in a Palo Alto Networks VM-Series review
Executive Cyber Security Consultant at a tech services company with 11-50 employees
I have clients whose architecture is configured in a lot of different ways and combinations. I use a lot of different products and make recommendations based on specific situations. For example:
- I have one client that actually uses multiple VM-series and then at each one of their physical sites that have the K2-series — or the physical counterpart of the VM-series.
- I have other clients that use Fortinet AlarmNet. As a matter of fact, almost all my healthcare providers use Fortinet products.
- I have another customer that used to be on F5s and they had had some issues so switched to Fortinet.
- I have a couple of holdouts out there that are still using the old Cisco firewalls who refuse to change.
- I have a new client that is using a Nokia firewall which is a somewhat unique choice.
I have a customer that used to be on F5s and they had had some issues. The result of the issue was that they came to me and we did an evaluation of what they really needed. They came in and they said, "We need you to do an evaluation and when you are done with the evaluation, you need to tell us that we need Palo Alto firewalls." I said that was great and I sat down and got to work building the side-by-side comparison of the four firewalls that they wanted to look at. When I was done, just like they wanted the Palo Alto firewall was right there as the first one on the list. They selected the Fortinet firewall instead.
Nokia is specifically designed to address the LTE (Long Term Evolution, wireless data transmission) threats with faster networks and such. So it is probably not considered to be a mainstream firewall. The client who uses Nokia is a service provider using it on a cellular network. They are a utility and they are using Nokia on a cellular network to protect all their cellular systems and their automated cellular operations. The old Nokia firewalls — the one on frames — was called NetGuard. This client originally had the Palo Alto K-series and they switched over to the Nokia solution. That is my brand new Nokia account. They were not happy with the K-series and I am not sure why.
The thing about Cisco is nobody is ever going to fire you for buying a Cisco product. It is like the old IBM adage. They just say that it is a Cisco product and that automatically makes it good. What they do not seem to acknowledge is that just because their solution is a Cisco product does not necessarily make it the right solution for them. It is really difficult to tell a customer that they are wrong. I do not want to say that it is difficult to tell them in a polite way — because I am always polite with my customers and I am always pretty straightforward with them. But I have to tell them in a way that is convincing. Sometimes it can be hard to change their mind or it might just be impossible.
When I refer to Cisco, I mean real Cisco firewalls, not Meraki. Meraki is the biggest problem I think that I deal with. I do not have the network folks manage the Meraki firewalls differently than they manage their physical firewalls. I do not want there to be a difference, or there should be as little difference as possible in how the firewalls are handled. They do have some inherent differences. I try not to let them do stuff on the virtual firewalls that they cannot do in the physical firewalls. The reason for that is because in defense-related installations it matters. Anytime you are dealing with defense, the closer I can get to maintaining one configuration, the better off I am. Unless something unique pops up in Panorama, I will not differentiate the setups.
I say that there are differences because there is a little bit of configuration that inherently has to be different when you are talking about physical and virtual firewalls, but not much. I can sanitize the virtual machine and show the cloud provider that since I was going into a .gov environment or a .gov cloud, that it met all the requirements as stated in the Defense Federal Acquisition Regulation Supplement. That is huge for our situation. Of course with a cloud provider, you are not going to have a physical firewall. Had we had a physical firewall, that becomes a bit of a chore because you have got to download the configuration file, then you have got to sanitize the configuration. Things like that become a bit of a burden. Having a VM-Series for that purpose makes it much easier.
I did not mention Sophos in the list. Sophos does a semi-decent job with that too, by the way. The only problem with Sophos is that they are not enterprise-ready, no matter what they say. I have deployed Sophos in enterprises before, and the old Sophos models did very well. The new ones do very poorly. The SG-Series — Sierra Golf — they are rock solid. As long as we keep going with them, our customers love it. It works. I have one client with 15,000 seats. They are running 11 or 12 of them and they have nothing but great things to say about the product. The second you go to the X-Series, they are not up to the task.
I am the guy they call up first for the central infrastructure and configuration of the malware, firewall, and main applications, and I use Palo Alto Networks VM-Series for that.
Fortinet FortiGate-VM: Configuration
reviewer1238931 says in a Fortinet FortiGate-VM review
Junior Network Engineer at a tech services company with 11-50 employees
We've had issues with integration. It hasn't gone well.
We have had some stability issues.
There are some instances where configurations can get complex.
The product does not have a good graphical interface. Their patches and their upgrades are not always compatible with configuration. That means that often you find after you upgrade that there was something else you have to do to the rest of the infrastructure, whether it's a printer or a user or whatever. It doesn't appear to me that their upgrades are well tested. They usually do what they're supposed to do, however, they also usually do some other things that FortiGate doesn't seem to be aware of.
It doesn't maintain legacy capabilities very well.
The stability of the solution isn't ideal.
They don't seem capable of supporting their own product.
The solution needs a better user interface and more intelligent services like spam blocking and auto whitelisting, gray listing, blacklisting, et cetera. It just basically needs better user monitoring.
There are certain GUI features that should be present but are not, although these we can address through the command-line interface. We have to make use of this to create certain policies or change the interface layer. These configuration restrictions should be addressed.
Moreover, the reporting should be upgraded, as there are only a small number of reports available. We also encounter issues on the logging pages. The GUI does not allow for live logging and the command-line interface must be used in its stead. The need to rely on the CLI should be done away with entirely.
While we consider the solution to be user-friendly, certain improvements should be made in this respect.
reviewer1054542 says in a Fortinet FortiGate-VM review
Consultant at a comms service provider with 11-50 employees
There should be more options to use lower-end models in a high availability configuration.
They should continue to improve the traffic shaping; they should add some AI to the traffic shaping. They should also consider learning from other organizations as opposed to just internally. They should follow patterns instead of everyone having to recognize patterns and make adjustments on their own. Instead, they should add some form of intelligence to guide administrators in best practices with traffic shaping. I think this will become very important as we move more toward a SaaS-type world.
Aurelio Rodas says in a Fortinet FortiGate-VM review
IT Specialist at a tech services company with 51-200 employees
I work with a service provider and he sells service in cloud and FortiGate products, including FortiGate VMs. With this, he sells services, and I work with him on support and initial configurations or deactivations for customers.
I work with various versions of the solution, the latest being 7.7.
We use a variety of deployments, including on-premise and in public clouds. Not an American public cloud, however. Rather, it's a public cloud here in South America.
I'd rate the solution at a ten out of ten. The product is excellent and I am very happy with it overall.
I previously used pfSense but found it was a bit complicated in terms of configuration and didn't give periodic updates. I switched to FortiGate because they were very consistent in giving updates on outbreaks and what they were doing to resolve them.
My experience with the solution has been very positive and Fortinet provides a great layer of security when it comes to SD-WAN and other security capabilities. There are many models available to suit a host of environments.
The solution is extremely easy and friendly. The configuration, graphical interface and command line are easy to use.
With every new version, there are issues and new parts due to the improvements. But the improvements are not always easy for the customer, especially when making a big configuration. Rather than being an improvement, it becomes more complicated.
The previous version, which was 7.1 or 7.2, was a little bit easier to use. It's kind of a little bit tricky to find the options from the firewall configurations now, in the latest version. Previously, it was easier to deal with. The whole dashboard that you get can be improved. They could organize the whole dashboard a bit more to put stuff under each other in a way that makes sense and makes everything easy to reach.
The costs could be lowered.
reviewer1738989 says in a Fortinet FortiGate-VM review
Network Analyst at a manufacturing company with 1,001-5,000 employees
We only have one person for deployment and maintenance.
It took us only two days to deploy it with our desired configurations.
I liked its general capabilities.
Its cloud management is very good.
I did like the ability to back up the configuration into the cloud, as opposed to having to store the configurations or just downloading them, the backups, to local devices. When you want to back up the configuration you can download it as a local file and save it to the cloud.
That flexibility was very useful.
The product had a fairly good user interface. It was well thought out and the controls seem to be in a logical hierarchy. I was able to find stuff without having to configure things. There was just a logical breakdown of how to find things.
We plan to continue using this solution. Right now, we are settling our networks. We plan to expand its usage, but I don't think it will happen until 2022.
It has a good user interface. Its configuration is simple but requires a little planning. It is much simpler than the Cisco ASA configuration.
I would recommend this solution. I would rate OPNsense a nine out of ten. I am happy with it.
Check Point NGFW: Configuration
reviewer1402668 says in a Check Point NGFW review
Security Engineer at a tech services company with 1,001-5,000 employees
The initial setup is really easy. You can do it in 30 minutes. Setting up an environment for a firewall and its management with a licensed demo took me an hour last week, and that includes the time for configuring the rules. The whole installation is 30 minutes and the configuration is another 30 minutes.
If you are implementing from another vendor, Check Point has a program called SmartMove. Then, all you need is the configuration of the previous firewall. Once you do some optimization, then you are ready for the integration. This might take a month overall.
reviewer1404666 says in a Check Point NGFW review
Security Expert at an aerospace/defense firm with 10,001+ employees
Their management features are the best, from one point of view, but they are too heavy. For example, if you are looking at a configuration file, you can't just browse through it and see all the configurations like you can with other vendors, like Cisco and Fortigate. With those solutions you can just go over the configuration file and read all the objects and the policies, etc.
Because of the Check Point architecture, the data file itself is huge if you're comparing it to the data files of other vendors. The difference is something like 3 Mb to 1 Gb. It's not so straightforward.
The data process is also not so simple. You don't just load a text file which has all the configuration. It's a more complex process to restore it from a backup, when it comes to Check Point.
It gives us centralized management for multiple firewalls. For example, if I want to push the same configuration to 10 firewalls, I can push it all at once with the help of the centralized management system.
It is easy to use because it supports Linux language in the CLI. This is good for someone who already knows Linux language.
reviewer1412340 says in a Check Point NGFW review
IT Specialist at a tech services company with 10,001+ employees
In advance, we get security vulnerabilities. So, we can configure new security policies, update our antivirus, or check the configuration to protect the environment.
I have set up replacements and it's very straightforward. It's very easy. It's much easier than some of the other network equipment that I've had to deal with. Check Point provides a wizard that walks you through the process and that streamlines the entire process. They also provide instructions on how to go about getting to the wizard and the process that we needed to take to complete that configuration. It was relatively painless.
The replacement was configured in one day and deployed the next, with no issues.
There are five of us in our company who have management access. I'm the network administrator, and I've got four IT technicians who work under me and assist in the firewall configuration and deployment.
For the infrastructure in question, we have always used Check Point firewalls.
I have worked with Cisco ASA. Cisco is more CLI oriented, whereas Check Point is more GUI oriented. With the GUI, it's easier to manage and administrate it. If the configuration becomes bigger and bigger, it is really easy to see things in the GUI versus a CLI.
The advantage of the CLI is that you can create scripts and execute them. But the disadvantage is that they become so lengthy that it becomes very difficult to manage.
I have done four to five initial setups and configurations of firewalls, which have been completely fine and proper. There are no improvements needed.
For one firewall, it will take around two and a half hours to configure the interface and everything else. For the deployment of one firewall, it will take around two and a half hours. If you want to make any clusters, then it is around five to six hours.
The VPN part was actually one of the most complex parts for us. It was not easy for us to switch from Cisco, because of one particular part of the integration: connecting the Check Point device to an Entrust server. Entrust is a solution that provides two-factor authentication. We got around it by using another server, a solution called RADIUS.
It was very difficult to integrate the VPN. Until now, we still don't know why it didn't work. With our previous environment, Cisco, it worked seamlessly. We could connect an Active Directory server to a two-factor authentication server, and that to the firewall. But when we came onboard with Check Point, the point-of-sale said it's possible for you to use what you have on your old infrastructure. We tried with the same configurations, and we even invited the vendor that provided the stuff for us, but we were not able to go about it. At the end of the day they had to use a different two-FA solution. I don't know if Check Point has a limitation in connecting with other two-FAs. Maybe it only connects with Microsoft two-FA or Google two-FA or some proprietary two-FA. They could work on this issue to make it easier.
Apart from that, we are coming from something that was not so good to something that is much better.
reviewer1098015 says in a Check Point NGFW review
Network Security Engineer/Architect at a tech services company with 1,001-5,000 employees
Upgrades and debugging of the operating system, as well as the backups and restores of configuration, need improvement.
Debugging is very complex when compared to Fortinet, for example. That's the worst thing about Check Point. The deployment of the solution is harder than it is with the competitors. But after you've deployed it, the operation is easy.
Check Point has improved our organization in the following ways:
- Provides for central management over all of the Check Point gateways
- Maintains a changelog that shows which users have made changes
- Version control allows us to roll back a ruleset after, for example, a misconfiguration
- Offers very granular application control
- Allows for various internet permissions for various users
- Gives us very good logging, which is nice for troubleshooting because you can instantly see which rule is affected for each action
- The cloud gateway (Check Point Capsule Cloud) ensures that users are getting the same internet permissions as they would if inside the company, no matter which internet connection they are using
AshishRawat says in a Check Point NGFW review
Firewall Administrator at a tech services company with 1,001-5,000 employees
Per my experience, it is very easy to scale these firewalls, because they are combined with the central management point. It is very easy to push the same configuration to different firewalls at the same time. It does not take much time to extend usage.
We use them throughout our organization. Currently we have used them for around 50 percent of our needs and there is definitely room to grow. In the future we will definitely try to increase usage, if it is required.
reviewer1454139 says in a Check Point NGFW review
IT Infrastructure & Cyber Security Manager at a retailer with 501-1,000 employees
It was really pretty straightforward because we upgraded from an older Check Point product. The installation and the assimilation of the new firewall was very quick with almost no downtime and almost no problems.
We deployed four firewalls in two clusters and, all in all, it took about one day of work; half a day for each side. That includes the installation, the configuration, and the exporting of the configuration from the old system and, of course, all the fixes and patches.
On our side there was one person involved in the initial setup, just to make sure that everything was going okay and, after the installation, to do all the checks and verify that everything was working fine and as needed.
Kamal Khurrana says in a Check Point NGFW review
Network Associate at a wireless company with 1,001-5,000 employees
I like the antivirus, attack prevention, three-layer architecture, and data center management features.
The antivirus updates are quite frequent, which is something that I like.
Central management is a key feature. We have between five and ten firewalls on-premises, and if we want to configure or push the same configuration to all of the firewalls, then the centralized management system is very helpful. It means that we only have to push the configuration once and it gets published on all of the firewalls.
Dheeraj Dexit says in a Check Point NGFW review
Sr. Network Engineer at a tech services company with 1,001-5,000 employees
We currently use Check Point and Cisco ASA. The purpose for the company is to increase security. They were only using Cisco ASA Firewall, which is kind of a degrading firewall right now because it lacks many features which are advanced in Check Point Firewall. With Cisco ASA, we need to purchase additional IPS hardware. But, for Check Point, we do not require that. Also, if we want the same configuration for multiple firewalls at a time, then Cisco ASA does not support that. We have to create the same policy in each firewall.
It has not only improved our environment but the entire organization. Adopting it brings better functionality.
Starting from the basic firewall blade to sandbox threat emulation and threat extraction, it works seamlessly to protect against both known and unknown malware.
After the version 80.xx migration, Check Point stability and security have improved tremendously.
Through the management server, it has become very easy to manage the configuration for each of the blades, as well as the day-to-day operations. With central management, it has become possible to manage endpoint devices as well.
Rahul Gombhir says in a Check Point NGFW review
Network Security Engineer at a tech services company with 10,001+ employees
The first phase of the implementation is to plan the firewall deployment. After that, we do the configuration and validate it. In the case of a Check Point firewall, this process will take between two and three months to complete.
The complexity of the process depends on the features that you want to add. In general, it is straightforward and not too complex.
Mahendra Pal says in a Check Point NGFW review
Network Security Engineer at a tech services company with 10,001+ employees
Prior to Check Point, we were using Cisco ASA.
The problem with Cisco ASA is that it is a purely CLI-based firewall. Check Point is not only UI and CLI-based, but it is also a next-generation firewall. It has many different and more advanced features, compared to Cisco ASA.
For example, in Cisco ASA, we can use only two gateways in active-active mode, but with this product, we can use five gateways at a time. Another difference is that the Cisco ASA policy configuration options are not as granular as Check Point.
Check Point's new Smart dashboard has an all-in-one configuration interface. They provide a very easy configuration for NAT and one tick for source & destination NAT is possible.
Policies can be configured in a more organized way using a section & layered approach.
Application control has all of the required application data to introduce it into policy and the URL filtering works great, although creating regular expressions is complicated.
The software upgrade procedure is very easy; it just needs a few clicks & we are done.
The virtual systems solution (VSX under Check Point terminology) has provided the company the ability to improve performance and adapt to the network and security needs in a flexible way, as the network can be redesigned at any time and an additional firewall put where there wasn't one before, without more hardware. At the same time, the costs of the solution are known and limited, as you pay for a bundle of firewall licenses and your hardware purchased.
The NGFW security solution scales well and easily when needed as long as your hardware (performance) admits it. And having a central management system that allows us to share the same object database and different configurations has allowed us to improve the platform operating time. Due to this, we can implement the security needs of more projects than we used to.
Configurations can be complex in some situations and need experienced engineers for managing the solution.
Integration with a third-party authentication mechanism is tricky and needs to be planned well.
SmartView monitor can be enhanced to display granular details of gateways with a single click. Also, having the ability to generate alerts from the Smart Monitor would be a nice feature.
Within the organization, the inspection of packages has given us great help in detecting traffic that may be a threat to the institution.
The configuration of policies has allowed us to maintain control of access and users for each institution that is incorporated into our headquarters. It is well organized.
Some other of the services that have worked well for us are antivirus, anti-bot, and URL filtering. Together, these have allowed us to maintain control and organization amongst the users.
Another one of the pluses that have helped us a lot has been the IPsec VPN, especially in these times of pandemic.
This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access.
For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.
Source: User machine
Action: allow (for allowing the user's machine access)
This has to be done along with the below policy:
Source: User machine
Destination: Other Zone created on Firewall
The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall.
The firewall throughput or performance reduces drastically after enabling each module/blade.
It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.
We greatly appreciate the ease of configuring firewall policy ACL rules and how the seamless integration with VPN users and user groups provides the ability to granularly restrict access. The uncomplicated configuration ensures that mistakes are avoided and rules are easily audited.
Having the ability to set an expiration date for remote access VPN users simplifies the process and increases security by ensuring that stale accounts are not forgotten.
In general, we find that Check Point offers a great balance between ease of use and configurability.
reviewer1573887 says in a Check Point NGFW review
CTO at a computer software company with 11-50 employees
Easy setup and configuration by a non-network/security person.
Remote access with a secure workspace provides a clear separation between the client and corporate network.
Threat Emulation (sandboxing) is great for zero-day malware and it is easy to configure.
Logging and administration are best-of-breed. You can quickly trace back on all sorts of logs in no time.
IPS and AV rules are granular and specific for the rules that you need.
The geolocation feature is good for dropping irrelevant traffic.
Configuration through SMS is quick and easy. It eliminates administration errors while checking consistency before applying a policy.
Until you have some experience, the installation and configuration are difficult.
Its initial setup is easy for me. The deployment duration varies. A simple deployment takes two or three days. A complex deployment that involves a cluster configuration or appliance replacement can take up to five days.
We use this solution for permissions regarding access ports and services. We also use Check Point Remote Access VPN as an endpoint VPN. We use it for site-to-site configuration.
All of the traffic that comes through our sites passes through our firewall. Basically, everyone, including our staff and clients, passes through our firewall. In other words, we have thousands of users using this solution.
reviewer1613238 says in a Check Point NGFW review
IT Manager at a comms service provider with 51-200 employees
The implementation was through a vendor, and the installation went really well. The consultant was Check Point certified and explained everything in detail.
Later on, we added new remote sites to the configuration (in-house) without any problem. We didn't need to check with the vendor.
The URL filter is activated to filter access to our employees. We use filtering for VPN access.
The configuration is one of the best features of this product.
When this product was purchased approximately 12 years ago it was the top of the line.
The product has been working very well.
I don't have any issues with the software of this solution. It works as is expected.
reviewer1625583 says in a Check Point NGFW review
User at a financial services firm with 10,001+ employees
I have been designing, deploying, implementing, and operating Check Point's Security solutions including NGFWs and EndPoint security as well as Remote Access VPNs, Intrusion Prevention systems, URL filtering, user identity, UTMs, et cetera, for around 12 years.
I have also used VSX and MDS/MDLS solutions. In my organisation I am using over 150 virtual and physical appliances and also MDS for virtualized/containerized central configuration management and also central log management MDLS/MLM. We are using this not just for NGFW but also for other Perimeter security solutions.
reviewer1643319 says in a Check Point NGFW review
IT Manager at a transportation company with 501-1,000 employees
The web interface was easy for me. The configuration is logical, so it's easy to use and easy to understand how to protect, how to open a port, how to manage, and how to route a device. That's why I prefer Check Point. It's robust and I never have issues with the hardware.
reviewer1670154 says in a Check Point NGFW review
Firewall Engineer at a logistics company with 1,001-5,000 employees
Firewalling is one of Check Point's core business attributes, and it just works.
Creating site-to-site VPNs between Check Point Gateways that are within the same management is unbelievably easy. If you create VPNs for 3rd parties and there are mismatches or issues, you will see logs that help pinpoint issues or misconfiguration.
Application control helps with identifying applications and therefore makes firewall rules easier, since changing ports don't have to be adapted every time an application changes or updates.
In some features, it is not easy to use the Check Point firewall.
The IPSEC VPN setup is not easy to configure. In some cases, if the VPN is not established, it is very hard to troubleshoot the configuration. It does not address the problem well.
The upgrading process takes too much time.
The initial configuration was simple. The previous team was also using Check Point, we only had to export and update the rules. Only a couple of things had to be corrected and changed.
Nilson Moya says in a Check Point NGFW review
Logical Security Deputy Manager - IT at a financial services firm with 1,001-5,000 employees
Check Point offers a reliable firewall solution with VPN options that have allowed us to establish secure and stable connections with other companies and users in a very simple way.
Simple and centralized administration has allowed us to manage all the firewall nodes from a single console, facilitating the deployment of firewalls through the network, since a large part of the configurations and access rules, as well as the protection controls, are managed from a single console and via centralized maintenance.
The setup is pretty straightforward, at least for the basic setup. Even with more complicated configurations, you have good support and experts at Check Point in the background that can help.
reviewer1692960 says in a Check Point NGFW review
IT System Operations Manager at Hamamatsu Photonics KK
They offer very scalable solutions to extend compute resources if needed so initial sizing isn't too much of an issue as you can easily add more resources if needed. Reliability is a major factor in any hardware or software solution, and Check Point uses leading-edge hardware, and their software upgrade process is flexible for various deployment requirements.
Policy configuration has been consistent over the years, so there is not much of a learning curve as upgrades are released.
Their threat analysis reporting from their management console is very comprehensive and easy to use. Their web-based dashboard is well designed, offers many out-of-the-box reports, and provides admins extensive customizations.
Several enterprises, from financial institutions to hospitals, use this product mainly as an edge solution. In most cases, the setup was based on a redundant configuration. Other cases which have been rolled out are based on smaller devices in office locations and larger devices in the central datacenter of the customer. As an MSSP we trust the reliability of the solutions, since we cannot risk having our reputation harmed. Our team is perfectly able to manage the devices on a day-by-day basis using the central management solution.
The initial setup is straightforward and plug and play for a basic configuration to get you started. You can then begin building the NAT and policy rules, which are easy enough to do.
Initially, I was using the Cisco ASA5500 series firewall. I never believed there could be better firewall devices in terms of ease of setup and management. The NGFW from Check Point has increased my confidence in terms of performance and ease of configuration with its intuitive interface. It supports the VPN configuration without any unnecessary latency and packet dropping.
It blocks over 97% of threats!
The product is very stable with no crashing or configuration corruption.
reviewer1621341 says in a Check Point NGFW review
ICT Business Executive at a comms service provider with 10,001+ employees
My customers cite performance and ease of configuration as two of the solution's most valuable features.
I think the most valuable feature is that the application and configuration were easy for us. When we need to do some work with the networks, configuration and deploying are easy - if I want to search for information, it is easy in the Check Point platform.
I like the facility of the product configuration. The ease with which the solution can be put into production makes it easy for my employers and for me to provide client support.
reviewer1718697 says in a Check Point NGFW review
Network and Security Engineer at BIMBA & LOLA, S.L.
The centrally managed firewalls are great. We can save a lot of configuration time in configuration tasks. We have deployed about 200 devices in record time due to the fact that we use a unique policy for almost all of them.
Logs, Views and Reports are the most detailed compared to other vendors (FortiGate, etc.). We can see a lot of detail in the logs and also we can configure any report we need without any problem and in two clicks.
We can see that, for IPS signatures, we have updates every day, sometimes twice a day, so we see a lot of effort from the vendor. They really try to protect our environment from known attacks and vulnerabilities.
Although there is a lot of automation and patterns that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions; however, it can still be made a little bit better.
For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).
The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.
Since attackers also use these clouds, there is a problem in getting your security definitions to work.
Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.
There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.
reviewer1721655 says in a Check Point NGFW review
Networking engineer at Hewlett Packard Enterprise
The Identity-Based Inspection Control gives us the ability to leverage the organization’s Microsoft AD, LDAP, RADIUS, and Cisco pxGrid.
The Terminal Servers group membership allows policies to automate typical processes (user moves/add/changes) and decrease configuration changes required on the firewall, which is tremendously beneficial. This limits the integration with the identity store to just one interface, and we still get broad security coverage based on a single set of identity policies.
We leverage the combination of identity and application awareness, which is mandatory in order to build scalable security policies that protect the business without compromising user experience. This feature is extended to the SmartEvent console.
In earlier versions, it was a bit hard to do migrations of Multi-Domain Servers/CMAs; nowadays, with R80.30+, it has gotten much easier. I cannot really think of many things to improve.
One thing that could be useful is to have a website to analyze CP Infos. This way, it would be much faster to debug problems or check configurations.
Another thing, not very annoying but enough to comment on, is that when preparing a bootable USB with ISOMorphic (Check Point's bootable USB tool), it gives the option to attach a Hotfix. However, this usually causes corrupted ISO installations.
One thing to improve is the VSX gateway. It is quite complex to work with VSX and they are quite easy to break if you aren't familiar with them.
Product-wise, I have no real complaints.
Potential improvements could be made around simplifying VPN functionality and configuration.
The main area that the organization can improve is around the lack of local, in-state technical support. Competitor vendors have a strong presence in the Adelaide Market, however, Check Point has always been limited with its commitment to staffing local technical resources. If this focus is made, I could see Check Point returning to the strength that it once had in the Adelaide market.
reviewer1720029 says in a Check Point NGFW review
Snr Information Security Analyst at The Toronto Star
The product has improved visibility into the traffic going through our network.
For all traffic leaving the network, Check Point provides the capability to inspect and permit traffic using not just ports but application IDs, which is more secure than simply permitting TCP/UDP.
Check Point has a robust IPS Blade which has added an additional layer of security on connections to the data center.
Check Point's compliance blade also helps in checking how Check Point's appliance configuration is in compliance with any requirement that we need to provide evidence for.
Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release.
The only downside to Check Point is that, due to the vast expanse of configurable options, it does become easily overwhelming, especially if you're coming from a small business solution like Draytek.
Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software.
reviewer1724517 says in a Check Point NGFW review
Senior Infrastructure Technical Analyst at https://www.linkedin.com/in/robchaykoski/
I protect customers and other types of data by ensuring a secure environment. Check Point allows me to deploy quickly and securely, along with using more advanced detection and prevention. By securing multiple sites and various infrastructure elements, I have reduced my overall workload.
I'm using a lot of permanent tunnels and protecting them to ensure that monitoring customer infrastructure is not compromised in any way, shape, or form.
Various hardware has been deployed at proper sizing for customers and the equipment is stable without the need for a lot of custom configuration.
Timur Karimov says in a Check Point NGFW review
IT Consultant/Engineer at a computer software company with 11-50 employees
You need to merge all the old consoles into one new one and make the interface more convenient for the novice administrator. Until now, for the initial settings as well as subsequent changes to the "iron" part of the firewall, namely its interfaces, routing, or DCCP settings, you must use the web interface through a browser. This is inconvenient. Of course, you can use the command line for these purposes; however, this also complicates the configuration process for the administrator and requires a well-known habit.
reviewer1260276 says in a Check Point NGFW review
Senior Network Security Engineer at a tech services company with 1,001-5,000 employees
We wanted to deploy a specialized Next-Generation Firewall in our perimeter security.
The solution addresses the Security requirements at Perimeter Layer including:
It was required to enable IPSEC VPN between our vendors across the world
We got positive responses on Check Point Firewalls from our vendors as well.
Our team addresses the regular audits with a Next-Generation Firewall, starting from configuration and application vulnerabilities to customized reporting.
I would rate this solution a nine out of ten. This is a very good solution. It's complex because it's not too easy to use, but the brand and our partner help us with NG Firewall configuration issues or other solutions like Harmony.
The university is growing every year and with that, I purchase more endpoint licenses and Harmony Endpoint because the firewall works well on the dimension and capacity. Next year, we plan to integrate Harmony Email and Office. The solution also prevents threats to Office 365.
The initial setup is hard. We came from another Cisco solution and even then it is hard, especially talking about the traffic. So we had to inspect the traffic and sometimes we had to do a lot of configurations. It would be nice if it was easier.
It took about three months to deploy.
It would be nice if it was easier to set up and to maintain.
In our organization, we are using policy configurations where various policies are configured for internal to outside organization communication, and our DM's are there too. Various zones are created in our organization.
For each particular zone, if I want to communicate with the external zone, then I need to create a policy for internal to external. Various rules can be created, particularly for organization communication outside the organization. It will be configured in our organization and four gateways are there allowing for our four different locations to communicate.
In our HR deployment, hiring deployment, there is a new and legacy mode that we are currently using.
For the migration for Smart-1, I wish the security policy could allow for a migration per gateway.
There needs to be more storage space for reporting. The storage is always full if the reporting feature is on.
We need HA for Smart-1.
The traffic tracking (logs view) needs to be more accurate. Some traffic is often not in the logs view.
We'd like to have a more user-friendly menu for importing VPN users.
There needs to be more compatibility with SIEM.
It would be great if we could join domains with more than one Active Directory server (active-active).
There needs to be an easy menu for export backup configuration (the current menu always has an error).
The signature information needs more detail. We need to know current update versions and running versions.
Robert Weaver says in a Check Point NGFW review
Senior Systems Engineer at Upper Occoquan Service Authority
It was pretty simple to transfer the old firewall configuration to the new one. So, it was pretty straightforward and easy. I would rate it a four out of five in terms of effortlessness.
It took over a month. We ran two systems. We built a new system for a couple of weeks before switching over completely.
Check Point could use more time to upgrade the VPN configurations console. At the moment it is not easy to configure some VPN S2S in Check Point. You need to keep opening several groups, objects, and options to configure one simple VPN.
Check Point's most useful feature is threat prevention and extraction. It was tough to manage seven firewalls and a perimeter solution for IPS, anti-malware, anti-bot, and sandboxing.
Integrating everything in Check Point allows us to see all the attacks that are blocked with our perimeter countermeasures every day. Check Point's high detection rate improves our overall security posture, and we can achieve a low rate of false positives through a few adjustments to the configuration.
ANDRES FELIPE GONZALEZ LUGO says in a Check Point NGFW review
ICT Management Professional at GOBERNACIÓN DEL TOLIMA
The Check Point Next Generation Firewall solution has allowed us to improve our protection scenario as it is above other products that we have known. It allows us to easily update against the latest security vulnerabilities and has also allowed us to have the opportunity to analyze unexpected behavior in files and applications.
In addition, the constant improvement in the new versions allows us to include better features in the administration and ease in its configuration and allows for the possibility of obtaining important data through the reports that it generates.
reviewer1375017 says in a Check Point NGFW review
Senior Solution Architect at a comms service provider with 51-200 employees
The difficulty level of implementing Check Point NGFW depends on the environment. For example, the initial deployment can be easy, but you have to keep your teams learning; they have to consider their traffic size and many other factors. However, the configuration can be difficult; you need a lot of knowledge. Integrating Check Point NGFW with different networks requires a lot of knowledge about the infrastructure.
Check Point VPN has been most valuable to our organization. Having a hardware solution that allows our remote users to connect securely to our business is extremely valuable.
The ease of use, setup and configuration backed by the knowledgeable support of Check Point has made this a smooth and easy setup. Our users can get connected securely, anywhere. When connected with our Check Point VPN endpoint, users get the same security and prevention from the threat prevention module as the rest of the devices on our network.
The list of site-to-site VPN configuration options is long. They can become confusing and communication with other vendors when deploying VPNs is not the strongest. It's totally different from any other VPN vendor I've encountered.
It lists the current threats identified on the appliance's front page. It would be easier to find information by clicking on the threat and clicking the exact logs, rather than all host logs.
The smart console is heavy. It would be better if it was like the web-based consoles that Palo Alto and Fortigate FW offer.
We use the solution for the DMZ firewall. It's very common and very easy to configure. Having IPsec for tunneling solutions with third-party routers and firewalls with other branch offices is very helpful.
It offers support for segmentation networks.
The geolocation feature makes it so that our company can easily allow or block a location of IP and can integrate with our SOC or our log management system.
URL filtering is very powerful for blocking malicious connections.
The user interface is very cool and easy to use. It has anti-DDOS protection which is very useful too.
If you are looking for a firewall appliance that has a lot of security features, easy installation, and configuration, Check Point firewall products are the best for you.
Configuration using the command line is not that simple and user-friendly.
There is no email security.
It's a bit confusing to configure at first. An example is having to set up separate source and destination NAT rather than a simple static mapping. Some configurations require accessing multiple different sections rather than being consolidated in one area. License subscriptions are a bit confusing as well for additional features.
The CLI is not very useful.
There's no option to import bulk address objects.
The firewall default rule 0 blocks rule matches to allowed traffic, even though an allow rule is written.
The product could provide an easier user interface and management, by combining all functions (network and policy configuration) into one single application rather than splitting it into different applications.
Users will also really appreciate it if Check Point provides a free management and logfile analysis module. In the existing setup, a user must pay an extra subscription fee to have access to the firewall management module. It makes the user without a subscription unable to fully gain insight from the firewall log file, so they are unable to fully utilize the device.
reviewer1854897 says in a Check Point NGFW review
Solutions Architect, Cyber Security & Networking team at Expert Systems Ltd
The solution provides better stability and some interesting features such as the ease of throughput expansion (or we can say the load sharing).
The scalability helps to offload the high traffic volume during school time. It also enhances redundancy.
With the load sharing capabilities using ClusterXL, it is possible to switch over the cluster mode to load sharing or Maestro. I also appreciate how easy it is to scale this product.
It is also great that the Check Point community (CheckMates portal) has a lot of helpful guidance. It helps us to work better and makes it easy to find unfamiliar configurations on the new features; it is great for larger organizations as well as very small ones.
Unfortunately, as is the case with many big companies, new features seem to always be more important than fixing the last little bugs that affect only a minor customer base.
The command line, for instance, is still needed regularly if you want to dive deeper into debugging certain issues.
While it certainly has improved over the years, it still doesn't feel like a polished product. Some features (e.g. supernetting VPN connections) need to be enabled by editing a configuration file, which is sometimes lost upon upgrading to a new version. I'd really like to see more easily manageable debugging solutions.
reviewer1895619 says in a Check Point NGFW review
Information Technology Security Specialist at AKBANK TAS
In my company, there are between ten and 15 firewalls on-premises, and if I want to configure or push the same configuration to all of the firewalls, then the centralized management system is easy and very helpful.
It is difficult to convey the end-user experience. However, in general, administrators can get used to the interface and start working quickly. Especially after Revision 81.10, I can say that everything became more stable and faster in terms of management. It should be said that it does quite well on the DDOS side.
The management console offers excellent visibility of all security options and configurations, also showing all the traffic from each user.
Once you're working on a specific action, the interface will pop relevant information around past actions contradicting the new policy, showing you strictly where potential threats may come from.
Admins and executives are more at ease with the compliance engine within the software as it measures how many of the security requirements we're compliant with, making their work much more accessible from that standpoint.
One of the valuable characteristics of Check Point NGFW is that it presents very centralized management. Due to this, it's improved our security throughout the organization and outside of it. Many collaborators work from their homes or different places, and it helps us filter and limit access, with packet inspection, with a flexibility and speed that was not previously possible.
Other characteristics are the records that it shows us and generates depending on its configuration; they are very visible, so we are able to attack and correct issues in time, and when superiors ask us for administrative information in that area it provides great value.
Palo Alto Networks NG Firewalls: Configuration
reviewer1232628 says in a Palo Alto Networks NG Firewalls review
Solutions Architect at a computer software company with 10,001+ employees
As a solutions architect group, we are what you would call "vendor-agnostic." We evaluate any solution that seems like it may be viable to provide clients with some advantages. I will never go to a customer and say that these are the only products that we are going to support. However, if there is something that a client wants to use which I feel would be detrimental to their business or that doesn't fit their needs, I will encourage them to look at other solutions and explain why the choice they were leaning towards may not be the best. When a solution they want to use means that no matter what we do they are going to get broken into, I'll let them know. It isn't good for their business or ours.
That said, some of the most requested or considered firewall solutions by clients beside Palo Alto are Fortinet, Firepower, and Meraki. Looking at each provides a background into how we look at solutions and how we evaluate options for clients. You have to look at the benefits and disadvantages.
Cisco Firepower NGFW (Next-Generation Firewall)
I think that Firepower can be simplified and can be made into a more viable product in the Cisco line. I think that Cisco has the ability to get into the Firepower management platform and trim it, doing so by breaking down all of the different areas of concern and configuration and categorizing them into overviews, implementation across the board, and steady-state management. If they were to do that, then users could start at the top layer and drill down more as they see fit to customize to their needs. I believe that Cisco can do that with Firepower and make it a much better security tool.
Firepower is not just a firewall, it is an SD-WAN. It is an application that Cisco sells that gets loaded onto an ASA 5500 series appliance (the appliance has to be the X platform). It is not a bad solution. I can use it to get into your network and protect a lot of your customers who will be running traffic through it. But a problem that you are going to get into as a result of using Firepower is that it is extremely difficult to configure. Security engineers that I have handed the setup after a sale came back from the service and asked me never to sell it again because it was very difficult for them to set up. However, it is also very secure. The difficulty is in using the GUI, which is the console that you would log into to set up your rules and applications. It can take about 10 times as long as Meraki to set up, and that is no exaggeration. Palo Alto is easier to set up than Firepower, but not as easy to set up as Meraki. But, the security in Palo Alto is phenomenal compared to Meraki. Firepower is pretty secure. If it was a little easier to operate, I'd be recommending it up one side and down the next, but ease-of-use also comes into play when it comes to recommending products.
I'll support what Firepower has to offer considering the quality of the security. But I can't take anyone seriously who is proud of themselves just because they think their firewall is next generation. It might have that capability but it might not be 'next generation' if it is set up wrong. Some vendors who sell firewall solutions that I've spoken to admit to dancing their customers around the 'next generation' promise and they make amazing claims about what it can do. Things like "This firewall will protect the heck out of your network," or "This firewall has built-in SD-WAN and can save you lots of money." These things are true, perhaps, depending on the clients' needs and the likelihood that they will be able to properly manage the product.
Firepower is a capable solution but it is difficult to set up and manage.
Cisco Meraki NGFW (Next-Generation Firewall)
Meraki was a horrible acquisition by Cisco and it is harming their name. All of us who are familiar enough with the firewall know how bad that firewall is and we know that Cisco needs to make changes. The acquisition is almost funny. The logic seemed to be something like "Let's buy an inferior security solution and put our name on it." That is a textbook case on how not to run a company.
If Cisco wanted to improve Meraki, the first thing they need to do is simply activate the ability to block an unknown application. Start with that and then also improve utility by blocking every threat by default like other products so that users can open up traffic only to what they need to. That saves innumerable threats right there.
There are situations where Meraki works very well as is. One example is at a coffee shop. What the coffee shop needed for their firewall solution was to have a firewall at every location for guests. The guests go there to eat their donuts, drink their coffee, and surf the internet. The company's need was simply to blockade a VLAN for guest access to the internet while maintaining a VLAN for corporate access. They need corporate access because they need to process their transactions and communications. All corporate devices can only communicate through a VPN to headquarters or through a VPN to the bank. For example, they need to process transactions when somebody uses their debit card at a POS station. It works great at the coffee shop.
It works great at department stores as well. All employees have a little device on their hip that enables them to find what aisle a product is in when a customer asks them. If the store doesn't have the product on hand, the employee can do a search for another store that does have it in stock right on the device. They can do that right on the spot and use that service for that device. For that reason, they are not going across the internet to find the information they are searching for. They are forced into a secure tunnel for a specific purpose. That is something you can do with Meraki. If you don't let employees surf the web on the device, then Meraki will work.
I can actually give you the methodologies in which hackers are able to completely hack into a Cisco customer's network and steal extremely valuable information. Meraki is the most simple of all firewalls to infiltrate in the industry. It is an extremely dangerous piece of hardware. What comes into play is that Meraki, by default, does the opposite of what all of the other firewalls do. Every firewall not called Meraki will block every means of attack until you start saying to permit things. The Meraki solution is the opposite. Meraki, by default, blocks nothing, and then you have to go in and custom key everything that you want to block. This is dangerous because most people don't know everything in the world that they need to block. With Meraki, you have to get hacked in order to be able to find out. Now, tell me who really wants that.
An example of this is that Meraki cannot block an application it doesn't know about, which means that all unknown applications are forever allowed in by Meraki. If I am a hacker and I know that you are using a Meraki firewall, I can write an application to use for an attack. When I do, it is unknown because I just wrote it today. If I load it up on a website, anybody that goes to that website using a Meraki firewall has this application loaded onto their computer. Meraki can't block it. That application I wrote is designed to copy everything from that person's computer and everything across the network that he or she has access to, up to a server offshore in a non-extradition country. I will have your data. Now I can sell it or I can hold you for ransom on it.
Customers love it because it is simple to configure. I don't even need to be a security architect to sit down at a Meraki console and configure every device across my network. It is an extremely simple device and it's extremely cheap. But you get what you pay for. You are generally going to suffer because of the simplicity. You are going to suffer because of the low cost and "savings."
All I can say about Meraki is that it is cheap and easy to use and fits well in niche situations. If you need broader security capabilities, spend a few bucks on your network and get a better security solution.
Fortinet FortiGate NGFW (Next-Generation Firewall)
I'm supportive of Fortinet because it is a decent next-generation firewall solution. While not as secure as Palo Alto, it is a cost-effective and reasonably reliable product. I have customers choose it over Palo Alto. But if they decide to use this solution, I want to charge them to manage it for them. The reason for that is, if anything goes wrong in the network and they get hacked, my client will likely get fired and replaced. If anything goes wrong in the network and I am paid to manage their firewall, I am the one in trouble if they get hacked — not the client. I apply my services to the network, make sure everything is working as it should and give them my business card. I tell them that they can give the business card to their boss if anything goes wrong because the guy on the card is the one to blame. That way I remain sure that nothing will go wrong because of poor administration, and my client contact sleeps better at night.
Fortinet is sort of middle-of-the-road as a solution. It has a relative simplicity in setup and management, it has a lower price and provides capable security. Fortinet FortiGate still gets some of my respect as a viable alternative to Palo Alto.
Comparing the Complexity of Setup
Firepower is the most complex to set up. The second most complex is Palo Alto. The third is Fortinet. The fourth is Meraki as the simplest.
Rating the Products
On a scale from one to ten with ten being the best, I would rate each of these products like this:
- Meraki is a one out of ten (if I could give it a zero or negative number I would).
- Fortinet is seven out of ten because it is simple but not so secure.
- Firepower is seven out of ten because it is more secure, but not so simple.
- Palo Alto is a ten out of ten because the security side of it is fantastic, and the GUI is not a nightmare.
An Aside About Cisco Products
It is interesting to note that the two offerings by Cisco are on completely opposite ends of the spectrum when it comes to the learning curve. Firepower is on one end of the spectrum as the most difficult to configure and having the worst learning curve, and Meraki is on the other as the easiest to configure and learn. Both are owned by Cisco but Cisco did not actually develop either product. They got them both by acquisition.
The initial setup is a very smooth process integrated with initial configuration. It's very easy.
I was using Check Point before Palo Alto. I am very disappointed with Check Point because I had to reboot power three to five times a week. Palo Alto Networks NG Firewall is comparatively very easy to manage and use. It has better logic for configuration than other firewalls.
reviewer1461459 says in a Palo Alto Networks NG Firewalls review
Team Lead Network Infrastructure at a tech services company with 1-10 employees
It's a next-generation firewall and it's pretty stable. You don't have to worry about if you restart it for some maintenance. It will just come back. Basically, it would come back in a straightforward manner. There are no stability issues.
The one thing that I like about Palo Alto is that its throughput is pretty straightforward. It supports bandwidth and offers throughput for the firewall. The throughput basically decreases.
Palo Alto actually provides two throughput values. One is for firewall throughput and other is with all features. Whether you use one or all features, its throughput will be the same.
Its performance is better than other firewalls. That is due to the fact that it is based on SPD architecture, not FX. It basically provides you with the SB3 technology, a single path parallel processing. What other brands do is they have multiple engines, like an application engine and IPS engine and other even outside management engines. This isn't like that.
With other solutions, the traffic basically passes from those firewalls one after the other engine. In Palo Alto networks, the traffic basically passes simultaneously on all the engines. It basically improves the throughput and performance of the firewall. There's no reconfiguration required.
Its price can be better. They should also provide some more examples of configurations online.
I like the architecture because it separates the management plane process and the data plane process. When I perform something CPU-intensive on management configurations, it doesn't disturb the data plane.
On the data plane, it uses parallel processing. This makes the security process and network process more efficient.
Implementing this product can be a little bit difficult. The configuration is difficult compared to other products, so it would be nice if there were videos or other instructions available. It can be very time consuming for the network administrator.
reviewer1001214 says in a Palo Alto Networks NG Firewalls review
Sr. Engineer at a comms service provider with 51-200 employees
We set up this solution for companies of all sizes, from small to large enterprises. One of our clients is a telecom, which is quite sizable. They have the most complex configuration. The solution, however, is able to work for any company, no matter what the size. In that sense, it's a scalable option.
That said, the NG firewall is not a typical product that we can scale up on a whim. If we want to scale up in this product, we need to buy a higher series. We have to replace it. If we want to scale out this product, we can do a roll out in another location. Therefore, you can expand it out, however, you do need to change the sizing, which means getting a size or two up.
reviewer1503963 says in a Palo Alto Networks NG Firewalls review
Network Security Engineer at a tech services company with 1,001-5,000 employees
I think automation and machine learning can be improved to make bulk configurations simpler, easier, and faster. Scalability can also be better.
Vladimir Kiseliov says in a Palo Alto Networks NG Firewalls review
Information Technology Project Manager at JSC "Penkiu kontinentu komunikaciju centras"
The configuration is very simple.
Jon Cole says in a Palo Alto Networks NG Firewalls review
Network Manager at a financial services firm with 1,001-5,000 employees
The ease of use and the ease of configuration of our policies are the most valuable features.
reviewer1148964 says in a Palo Alto Networks NG Firewalls review
Network Administrator at a healthcare company with 201-500 employees
It's been 10 years and I don't remember any outages because of a hardware failure or a logical error in configuration. We had problems with servers or switches initially but it works like a charm now.
The initial setup is pretty straightforward. We just had to do the initial configuration of hardware, deploy our Panorama VM and integrate with hardware firewall, and it is pretty simple. It's also quite self-explanatory.
reviewer1422384 says in a Palo Alto Networks NG Firewalls review
Network Administrator at a real estate/law firm with 201-500 employees
The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.
Qiwei Chen says in a Palo Alto Networks NG Firewalls review
Security Team Technical Manager at ECCOM Network System Co., Ltd.
- Application identification
- Vulnerability protection
- URL filtering
- SSL VPN
- IPsec VPN
Palo Alto NGFW provides a unified platform that natively integrates all security capabilities. Most of our customers are busy. They cannot afford the time to learn very complicated user interfaces and configuration procedures. With Palo Alto Networks, they offered a unified user interface for all its NG Firewall products and Panorama. I think it reduces some of our customers' maintenance time.
Palo Alto NGFW’s unified platform has helped our customers eliminate security holes. With a unified platform, customers can deploy the NG Firewall both in the data center edge, inside the data center, and in the product/public cloud environments. They have the same user interfaces and platform, so they can be maintained by a single unified platform called Panorama. Customers can use Palo Alto Network NG Firewalls in all the places where they need to protect their environments. This helps to decrease security holes.
reviewer1227594 says in a Palo Alto Networks NG Firewalls review
Senior Network Engineer at a tech services company with 201-500 employees
With Palo Alto NG Firewalls, we can pass all compliance requirements. We trust it and we are building the security of our environment based on it. We feel that we are secure in our network.
It also provides a unified platform that natively integrates all security capabilities. It's very important because it gives us one solution that covers all aspects of security. The unified platform helps to eliminate security holes by enabling detection. It helps us to manage edge access to our network from outside sources on the internet and we can do so per application. It also provides URL filtering. The unified platform has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. In one appliance it combines URL filtering, intrusion prevention and detection, general firewall rules, and reporting. It combines all of those tools in one appliance. As a result, our network operations are better because we have a single point of view for our firewall and all related security issues. It's definitely a benefit that we don't need different appliances, different interfaces, and different configurations. Everything is managed from one place.
reviewer1400883 says in a Palo Alto Networks NG Firewalls review
Chief Architect at a recruiting/HR firm with 1,001-5,000 employees
Historically, DNS would have been from local providers. Now, having a centralized DNS allows us to make sure there are no issues of DNS cache poisoning and DNS exfiltration.
The solution has definitely helped us with the security holes around visibility and uniform policy deployments across the estate. Unified, centralized configuration management definitely helps us reduce the risk by having a central place where we can create a policy, and it is deployed everywhere, without the risk of human mistakes creeping in, e.g., typo mistakes creeping into configurations.
I have been looking at different firewalls because our service and maintenance contracts are up on it. We have two different outsourced folks who look at the firewall and help us do any configurations. My staff and I lack the knowledge to operate it. For any change that we need to make, we have to call these other folks, and that is just not sustainable.
We are moving away from this solution because of the pricing and costs. Everything costs a lot. We are moving to Meraki MS250s because of their simplicity. They match the industry better. I have called the bigger companies, and Meraki matches the size, then the type of institution that we are.
If someone was looking for the cheapest and fastest firewall product, I would suggest looking at the Meraki products in the educational space. I think that is a better fit.
The initial deployment is straightforward; very simple. The primary access for these firewalls is quite simple. We can directly access them, after a few basic steps, and start the configuration. Even the hardware registration process and licensing are quite simple.
The time it takes to deploy a firewall depends upon hardware and upon the customer's environment. But a basic to intermediate deployment takes two to three months.
Reviewer32052 says in a Palo Alto Networks NG Firewalls review
Presales Specialist at a tech services company with 1-10 employees
The initial setup is really easy. If you're working with Palo Alto Panorama, which is their management server, it's very easy to deploy a lot of appliances in a couple of days, because you're just sending out the configuration and templates on a blind device. In a couple of hours that device is working like the rest.
Eric Steidle says in a Palo Alto Networks NG Firewalls review
Network Analyst at a recreational facilities/services company with 1,001-5,000 employees
It is our main Internet firewall. It is used a lot for remote access users. We also use the site-to-site VPN instance of it, i.e., LSVPN. It is pretty much running everything. We have WildFire in the cloud, content filtering, and antivirus. It has pretty much all the features enabled.
We have a couple of virtual instances running in Azure to firewall our data center. Predominantly, it is all physical hardware.
I am part of the network team who does some work on Palo Alto Networks. There is actually a cybersecurity team who kind of controls the reins of it and does all the security configuration. I am not the administrator/manager in charge of the group that has the appliance.
reviewer1560024 says in a Palo Alto Networks NG Firewalls review
Technical Manager at a tech services company with 201-500 employees
We are an implementation partner for Palo Alto. One of the companies we implemented its Next-Generation Firewalls for was previously using Barracuda. A ransomware attack happened and they lost all their backup data, and their configuration. Once we implemented Palo Alto for them, there were similar attacks but they were blocked.
Along with Prisma, it helps in preventing a lot of attacks, especially Zero-day attacks.
We are not happy with Palo Alto at all. It would be better if they provided more support for the firewall. We have a few pending issues with the configuration for each application. We cannot deploy them yet due to some support-related problems in the firewall.
We have deployed a few policies for DNS spoofing and DNS attacks, but we could only block a few IP addresses through the policy. That's DNS security, and we have configured a few policies for DNS spoofing and more.
URL categorization and URL filtering are not yet adequately maintained. For example, if you created a few rules in the rule-based configuration and made some rules downstairs, you will lose some of them if you give access upstairs. It's not giving us a proper solution for which route it is using. We need to apply the application-based policies and URL filtering-based policies. It creates more issues because we are not getting good support from the team.
Someone who says, "We are just looking for the cheapest and fastest firewall?" can get a free firewall, but they will not be protected. They will not be updated against the latest attacks all over the world.
There are tools on the Palo Alto portal that can be used to enhance the configuration of your Palo Alto product and they are free.
Overall, I love Palo Alto.
The technical support is good. I would rate them as 10 out of 10.
They are able to support me and the issues that have arisen, which have been very minimal. For cases where we break something in the configuration or any bug that is out of control, they are good in understanding and analyzing our issues as well as providing a solution for them. That is why I rated them as 10.
These are gateway firewalls to the Internet for every site. At a majority of the sites, we use the firewall as our gateway for the network below.
Previously, we used them just for the Internet firewall and Internet security side. However, in the last year or two, we have started to migrate them as the gateway routers, e.g., as gateways for the networks below. They are doing Internet firewalling as well as firewalling for the networks below.
We are using the PA-220s, PA-440s, PA-820s, PA-3250s, and PA-5250s. We are using all of those hardware models. Then, we are running the PAN-OS 10.1.3 on those.
We have around 40 locations worldwide. At minimum, we have one Palo Alto Networks NG Firewall at each location. At some of the larger sites, we have two Palo Alto Networks NG Firewalls in HA configuration. Then, at our headquarters and disaster recovery site, we have two at each site.
KumarPranay says in a Palo Alto Networks NG Firewalls review
Solutions Architect at HCL Technologies
The most important thing is that it's really user-friendly. I have almost stopped using the CLI because I like the graphical interface. You can do whatever you want on a single screen, including all the configuration and implementation, using Panorama. You don't have to switch from one place to another. And the best part is that you can manage multiple Palo Alto devices. We do have other companies' devices and for them we need to go to the CLI. But with Panorama, you almost get everything you need. It is very important for managing all the technology and features on the device, and for adding multiple devices, on one page.
Palo Alto also gives you a lot more options to troubleshoot and fix problems. That really helps our operations team.
Another valuable feature is the sinkhole option. If a malicious packet travels across the firewall, the firewall detects it as malicious traffic but it doesn't stop the traffic then and there. That way the attacker assumes that they have been successful but they have not. It's a type of honeytrap. It allows us to keep on responding to those packets.
Also, when the firewall does network discovery it can detect a malfunction or bugs or a configuration issue. That is very important. If your endpoint system is not functioning properly, it gives you an extra layer of protection in the network discovery field. It shows you all the options and all the data if your system is not compliant.
The Single Pass architecture is a nine out of 10. A single pass is always good.
There are no issues with stability. In most cases, they are very stable.
We recommend our customers to have an HA configuration with active/passive, which is very good in Palo Alto. It takes seconds to change from one firewall to another, which provides reliability and prevents loss of service because of a hardware problem or a network problem on a device. Having an HA environment makes your network resilient.
The solution's VPN, called GlobalProtect, could be improved as I've had a few issues with that.
It can be challenging to migrate configurations between Palo Alto firewalls or restart with a backup configuration using the CLI. That could be improved. I think I'm one of the only people still using the CLI over the GUI, so that's just a personal issue.
The security features are the most valuable aspect of Palo Alto's Next-Generation Firewalls. It has all the typical static threat protection based on signatures and WildFire dynamic analyzers. I love this feature. Palo Alto Networks updates the signatures of global threats on the cloud every 60 seconds, so we are protected against the latest threats.
It also has SD-1, but unfortunately, very few customers in Poland want to enable SSL decryption. From time to time, we have customers who want to test this. Machine learning is crucial to security features like anti-spyware and URL security profiles. Palo Alto was one of the first firewalls to have this capability. It helps us analyze real-time traffic using machine learning instead of signatures. Palo Alto has a better web interface than other firewalls I've used.
The DNS Security checks if your DNS queries are valid because infected computers try to connect to the DNS domain. We have this configuration to block access to the domain. We can use the application to block the DNS tunnel link.
One of the key features for us is product stability. We are a bank, so we require 24/7 service.
Another feature we like about Palo Alto is that it works as per the document. Most vendors provide a few features, but there are issues like glitches when we deploy the policy. We faced this with Cisco. When we pushed policies and updated signatures, we ran into issues. With Palo Alto, we had a seamless experience.
The maintenance and upgrade features are also key features. Whenever we have to do maintenance and upgrades, we have it in a cluster and upgrade one firewall. Then, we move the traffic to the first one and upgrade the second one. With other vendors, you generally face some downtime. With Palo Alto, our experience was seamless. Our people are very familiar with the CLI and troubleshooting the firewall.
It's very important that the solution embeds machine learning in the core of the firewall to provide inline real-time attack prevention. There is one major difference in our architecture, which we have on-premises and on the cloud. Most enterprises will have IPS as a separate box and the firewall as a separate box. They think it's better in terms of throughput because you can't have one device doing firewall and IPS and do SSL offloading, etc. In our new design, we don't have a separate box.
When we looked at Palo Alto about five years ago, we felt that the IPS capability was not as good as having a separate product. But now we feel that the product and the capabilities of IPS are similar to having a separate IPS.
Machine learning is very important. We don't want to have attacks that bypass us because we completely rely on one product. This is why any AI machine learning capability, which is smarter than behavioral monitoring, is a must.
There was a recent attack that was related to Apache, which everyone faced. This was a major concern. There was a vulnerability within Apache that was being exploited. At the time, we used the product to identify how many attempts we got, so it was fairly new. Generally, we don't get vulnerabilities on our web server platform. They're very, very secure in nature.
We use Palo Alto to identify the places we may have missed. For example, if someone is trying something, we use Palo Alto to identify what kind of attempts are being made and what they are trying to exploit. Then we find out if we have the same version for Apache to ensure that it protects. Whenever there are new attacks, the signature gets updated very quickly.
We don't use Palo Alto Next Generation Firewalls DNS security. We have a separate product for that right now. We have Infoblox for DNS security.
Palo Alto Next Generation Firewall provides a unified platform that natively integrates with all security capabilities. We send all the logs to Panorama, which is a management console. From there, we send it to our SIEM solution. Having a single PAN is also very good when we try to search or if we have issues or any traffic being dropped.
Panorama provides us with a single place to search for all the logs. It also retains the log for some time, which is very good. This is integrated with all our firewalls. Plus, it's a single pane of glass view for all the products that we have for Palo Alto.
When we have to push configurations, we can push to multiple appliances at one time.
Previously for SSL offloading, we utilized a different product. Now we use multiple capabilities, IPS, the SSL offload, and in certain cases the web browsing and the firewall capability altogether. Our previous understanding was that whenever you enable SSL offloading, there is a huge impact on the performance because of the load. Even though we have big appliances, they seem to be performing well under load. We haven't had any issues so far.
Cisco IOS Security: Configuration
reviewer1256787 says in a Cisco IOS Security review
Technical Lead at a tech services company with 10,001+ employees
I was not part of the installation process. That was handled by another team entirely. That said, they didn't take a lot of time to get everything up and running. It was, if I recall correctly, less than one week to put it up and test it and make all the configuration adjustments. Deployment was fast and it's my understanding that the whole process from beginning to end was straightforward.
We only needed two people and they were able to handle both deployment and maintenance. They are engineers.
The configuration should be easier in the solution.
reviewer1540473 says in a Cisco IOS Security review
Sr. Security and Enterprise Architect at a security firm with 11-50 employees
As a Cisco partner/reseller, security has been a concern for many years. Cisco has a security concept that begins right when you try to connect to the network. Security is a complete system and is not just put on security devices at the perimeter or between tiers inside a data center.
IOS on routers is a mature solution, allowing easy setup of a traditional ISAKMP V1 or V2 VPN, and a very mature proprietary VPN flavor called DMVPN. DMVPN allows on-demand VPN establishment with minimal setup configuration and creates a pseudo full mesh avoiding bottlenecks.
Cisco Technical Assistance Center works on a follow-the-sun concept and gives real 24x7 customer support, which is a great advantage when you have a service contract with them.
I can do all the implementation of the solutions through the Cisco DNA Center. I can manage the Cisco IOS Security configuration. The whole process can be complex. Additionally, when we cannot connect to the internet we need to do manual configuration.
The full setup can take a couple of hours. However, initially, it took us a couple of weeks.
Fortinet FortiOS: Configuration
I work on the configuration and am not really involved in the pricing. It was already in place when the company decided to switch back to Fortinet.
I concentrate more on security.
We have had some performance issues, but that seems to be improving. I'd like to see better integrations and more flexibility for different scenario configurations. In comparison to Cisco, the CLI is quite difficult to use. Finally, I believe that the reporting could be enhanced to provide better visibility into the traffic.
As an additional feature, Fortinet could have XDR embedded into it which would mean more visibility from the reporting side because right now we have to separately install FortiManager and FortiAnalyzer for driver analysis.
reviewer930837 says in a Fortinet FortiOS review
Senior Manager (Engineering Department) at a comms service provider with 10,001+ employees
We use FortiOS for the internet router and firewall for our customers' offices. In some of the smaller offices, there is only one FortiGate, but the hub site may have a pair of firewalls in an HA configuration.
If I have to implement through the Fortinet FortiOS I have to go through multiple screens. For example, if I need to configure a simple VPN, and a site-to-site Sec VPN channel, in Fortinet FortiOS, I may have to go through multiple GUI pages or screens. Whereas, in SonicWall, everything can be done on one page.
When comparing the ease of configuration and management, with SonicWall, I find Fortigate needs some improvement. If it was improved it would make it a lot easier for implementers.
Fortinet's central management needs to be improved. FortiManager's technical tool provider ability should manage all Fortinet security products. Right now, FortiManager only manages the configuration of FortiGate.
The stability of Fortinet FortiOS initial setup is simple and it is user-friendly. To do the whole process of transferring the firewall configurations and updates took approximately one day.
The solution is very easy to configure and has a good interface, plus it offers more configuration options than other vendors.
If you are a novice person that has never worked with any firewall and don't really understand the concepts, you may find it challenging to set up. However, there are help files, online tutorials, and videos that guide you on any of the topics you have in it.
It really helps you a lot to get to it in order to do the configuration. So it varies. It depends on how you install it. It may be fairly easy for your average user at home or for an average enterprise guy. However, for a process environment, it may be a bit more challenging since there are different approaches that we follow in order to install it. That said, Fortinet itself is not very difficult to use and its knowledge base and help are very extensive.
We only need one person to deploy the solution.
How long deployment takes depends on the customer requirements and what they require for their network that we need to implement. For the actual deployment of the FortiOS and the initial testing, you're looking at anything from a day to about four days' worth of work.
That said, your pre-prep, in other words, all your pre-definition of your firewall rules and what security model you need to run and what security level in your Purdue model that you need to implement, can take a good couple of months to do since it's purely based on how you apply the IEC 62442.
It also greatly depends on what the customer needs are. The pre-prep work is actually the most important. The actual configuration is quick. However, the pre-prep work takes quite a while.
Sangfor NGAF: Configuration
Huawei NGFW: Configuration
reviewer1603671 says in a Huawei NGFW review
Senior Software Manager at an engineering company with 51-200 employees
The initial setup is okay because you basically have to follow the user interface and configuration. Setup is quite easy to follow; as long as you have all these network concepts and firewall knowledge, you can do it easily.
GiancarloCecchetti says in a Huawei NGFW review
Chief Information Security Officer at Scil Animal Care Company S.r.l.
We use Huawei for a firewall and router switching with some components of our network. It's the first line of defense for our infrastructure. Our USG protects the navigation and communication of a lot of people. We have a big fiber channel network with more than 600 kilometers of fiber.
We have our environment and our technical needs, and if those can't be met by our base configuration we need to seek out an additional solution with extra features. In USG, we have both BBN and OBBN as well as some additional security features, like ATS and anti-spam.
Forcepoint Next Generation Firewall: Configuration
reviewer1322226 says in a Forcepoint Next Generation Firewall review
Head of Infrastructure & Cloud Section at a computer software company with 1,001-5,000 employees
I might have contacted them for some questions related to managing instances. We sometimes had problems with registering or activating licenses on the manufacturer portal. I haven't opened any ticket personally. My colleagues have contacted them for technical support, that is, for problems that go beyond the basics of the Forcepoint configuration, such as for replacing some faulty components. Their experience was good in general.
Mohamed Abdel Hassanein says in a Forcepoint Next Generation Firewall review
Managing Director at FORESEC
It is stable and scalable. In addition, their support is great. When you ask them for something, they provide support, and if required, they also involve the R&D team to help you to resolve the issues in your configuration.
reviewer1319712 says in a Forcepoint Next Generation Firewall review
Systems Engineer at a tech services company with 11-50 employees
The initial setup is of medium complexity. It is neither straightforward nor complex. If you want to implement a new firewall, you need to connect it to something called SMC or security management center, which is the main thing. It is the brain of the firewall, and without that, you cannot manage the firewalls. There are certain steps that need to be done on the SMC to do the configuration of the firewall.
reviewer1461459 says in a Forcepoint Next Generation Firewall review
Team Lead Network Infrastructure at a tech services company with 1-10 employees
Forcepoint is a little difficult to configure compared to its competitors.
The product could be more user-friendly. Firewalls are getting better in graphical user interfaces. If there is an issue with the appliances then the engineering team can work on the command line controls. A cheaper way is a graphical user interface for any users to be able to quickly configure and implement.
Dharmendra Mishra says in a Forcepoint Next Generation Firewall review
Associate Consultant at SoftwareONE
The solution is mostly stable. We've just had a little configuration issue around the access and net policy. However, beyond that, it's been pretty reliable.
The initial configuration is straightforward, and we can use it with the cloud. But sometimes, there are network issues we can't see when we're using the ethernet cable. I think you need an engineer with some experience before implementing the first implementation by yourself.
The time it takes to deploy this solution depends on the features I have to implement or configure. Normally, it takes five or six working days, but it might take another week if I have issues with the VPN or user IDs.
reviewer1047669 says in a Forcepoint Next Generation Firewall review
PS & Technical Manager at an integrator with 11-50 employees
Configuration is not easy because it has an old-fashioned interface. The configuration interface is highly complex, and it's been the same for years. They have to change the interface.
The structure of the configuration interface isn't like Palo Alto or FortiGate where you can do everything from a single screen. With Forcepoint, you have to import or assign rules because it's working with SMC, the central firewall management. Also, you cannot communicate directly with the product. You have to communicate with the product through the management interface.
The dashboard also should be updated.
MuhammadRicky Anggoro Pratomo says in a Forcepoint Next Generation Firewall review
Network Engineer at a tech services company with 51-200 employees
The installation is quite simple, but when it comes to configuration we need to know why the customer is implementing the solution. Firewalling or connecting other branches is a simple configuration but with something like auto-scaling or antivirus, Forcepoint needs to be more straightforward.
Azure Firewall: Configuration
Reviewer45205 says in an Azure Firewall review
Group Cloud Competency Center Manager at a transportation company with 10,001+ employees
Its initial setup was pretty straightforward. With its native portal and User Guide, you can very quickly do the implementation. Its UI is very user-friendly.
We made it an enterprise shared service for our use case. We studied and designed the cloud-native Azure Firewall service from scratch and packaged it as a standard service in our environment. We wanted to maintain the Azure service like the DNAT network rule and application rule. We wanted it to be always manageable in its lifecycle. So, we chose the infrastructure mode to manage our service. We have a delivery pipeline, and we also use the DevOps mode to maintain the Azure Firewall configuration in its lifecycle. For this part, the API is good, and the native Terraform and Ansible have relevant predefined modules. It is working fine. So, for this part, it is very good. It doesn't matter whether you are a junior technical guy or an advanced technical guy. You can always find a comfortable way to deploy, manage, and maintain it.
Its deployment is very quick. It takes a few minutes. In order to make it the deployer pipeline, you need to spend some time because you need to think about the integration, such as how to integrate with GitLab CI, and how to make Azure Workbook so that it can monitor the usage and user performance. We wanted it as a managed service. So, the duration also depends on your use case.
Compared to other firewall products, the setup is complex. I have faced problems setting up the DNAT, and there are some issues with setting up the certificates. I have also had trouble with service tag issues.
The basic deployment takes one day or two days at the maximum. The fine-tuning, where we have to monitor and identify the proper traffic, takes place over two or three weeks. Fine-tuning is an extensive part of it. It is important that the configuration is set up correctly.
reviewer1573551 says in an Azure Firewall review
Network Engineer at a leisure / travel company with 10,001+ employees
In terms of what could be improved, it lacks a couple of features which are available in the other marketplace products, but it is stable and it performs most of the basic functions that are expected from a normal firewall.
When we deployed we did not have a centralized management of multiple firewalls. Right now, with Azure Firewall, we cannot have a normal inbound traffic flow. For inbound, Microsoft suggests using application gateways, so the options are very limited. I cannot use this firewall as an intermediate firewall because of the limitations, and I cannot point routing to another firewall. So if I want to use back-to-back firewall architecture in my environment, I cannot use Azure Firewall for that type of configuration either.
Other features I would like to see are intrusion prevention, URL filtering, category-based URL filtering and other advanced features.
Overall, the configuration can definitely be improved.
In terms of the overall product architecture, if the management and the architecture of the product could support back-to-back firewall architectures so that I could use Azure Firewall in combination with another firewall, that would be one point which would help this product be used more and in a better way.
Again, if the Azure Firewall could be accommodated as a back-to-back firewall, meaning if it could work as a firewall which handles the inbound traffic from the internet, which is an NVA, or a network virtual appliance, and we could reroute the traffic to Azure Firewall, that would be good. But as of now, there are no routing options in Azure Firewall.
There are a lot of competitors to Azure Firewall. Microsoft figured it out, that they needed a firewall for their Azure platform that can integrate with their services. That's why they came up with Azure Firewall. It really has a pretty nice integration with Azure services.
In terms of the reporting, it's beautiful. It integrates with Azure monitoring and with Azure policies. That piece is a big help. You can set governing policies and you can use the application firewall, as well as the Azure Firewall, to enforce those policies. If you use the Azure platform, it is the best choice. And they're working on integrating it with many more Azure resources.
The configuration is much easier because Microsoft already provides you with a tool that belongs to Azure. You can set one rule instead of setting 100 rules. That makes the administration of Azure Firewall much easier. For example, when it comes to DNS tags, services tags, and URL tags, you don't have to go URL-by-URL and tell it to open this or that port.
In addition, it's a SaaS service. You don't have to worry about managing a virtual machine and things like patching and upgrading.
reviewer896049 says in an Azure Firewall review
Cloud Architect at a financial services firm with 1,001-5,000 employees
You have to have a defined IP range within your network to associate it with your network. The problem is you have to plan ahead of time if you expect to use the firewall in the future so that you don't have to reconfigure your subnets or that specific IP range. Other than that, I don't have any issues. I use it for basic configuration for a single application, so I really don't try to leverage it for multiple applications where I might find some complexity or challenges.
reviewer1574409 says in an Azure Firewall review
Cloud Architect at a tech services company with 10,001+ employees
We get enterprise support as well as Microsoft support with our premium version.
Technical support is also fine. It is sufficient in my opinion. We have a Microsoft solution architect aligned with us as well, and if any new services, or deployment, as well as configuration, are required, he comes into the picture and we can get support from him. Aside from that, we have technical support for case-by-case scenarios such as severity A, B, and C for Microsoft. So far Microsoft support has not been an issue. I have been working with Microsoft for the past 10 years, I don't see much of an issue from Microsoft on support, at least from my point of view.
I would advise people who are interested in Azure Firewall to find the people who can implement it, because not everyone is able to do everything in the proper way. Some people will go ahead and do the configuration but it's not the right configuration. The client will start to have issues and will start to complain about the product. But the problem is not the product, it's the implementation itself. The person who did it wasn't knowledgeable enough.
Palo Alto Networks K2-Series: Configuration
I have heard that Juniper firewalls are more complex when it comes to configuration than Palo Alto Networks K2-Series. The flexibility of Palo Alto Networks K2-Series is a large advantage and they use the best parts.
The most valuable feature of Palo Alto Networks K2-Series is the configuration, it is very clear.
The initial setup of Palo Alto Networks K2-Series was straightforward. However, we have support from Palo Alto. There were some configurations that needed to be done for our firewall that required some advanced knowledge from a certified expert. Since we were using the help from Palo Alto the experience was good.
Juniper vSRX: Configuration
The solution as a whole is good, but it requires knowledge to use it properly. We know this solution well; we know all of its configurations and little secrets that inexperienced users may not be aware of. It's a very powerful solution and the firewalls function with high performance. The configuration is also great.
It is deployed on the customer site, and we manage the firewalls on this side. It's a very useful solution. It is used on-premise at the customer site. It is useful for management, and the configuration is rather easy, as well.
Mine control is not an easy area to control in Juniper. There are also too many steps for configuration, like the IP address policy. There are too many types of licenses, which can be confusing. Simple licenses should be built in.
Processing is too slow between Juniper and Cisco. Palo Alto is faster. The database is not as complete as Cisco or Palo Alto.
GajShield Next Generation Firewall: Configuration
The firewall configuration and administration screens could use some improvement.
I think the UI screen has to be a lot simpler and smarter for firewall administration. They should also build a smarter alert mechanism in case of any unauthorized access. Basic alerts are there, but I think they could be better. First and foremost is the UI configuration screen. Some screens are good, and some screens are not that good. The UI for the administration of the firewall needs a lot of work.
SonicWall NSSP: Configuration
SonicWall NSV: Configuration
Niranjan Prajapati says in a SonicWall NSV review
Network & System Support Engineer at ITCG Solutions Pvt Ltd
The hardware box renewal appliances GUI became extremely slow after the release of SonicOS 7.
When I compare SonicWall to its competitors, I notice that there are some functions that I cannot perform with the SonicWall appliance. For example, when I assign a user base bandwidth management, I enable the ULA (User Level Authentication), but I need a different solution and must enable browser-based authentication.
SonicWall requires certain features such as the authentication agent and user-based routing.
There are limitations to bandwidth management. When used in the education sector, there are some difficulties. They require bandwidth management, an authentication agent, and SSL VPNs.
Google Chrome is not supported, which is why the ULA occasionally fails to function. The authentication page does not appear.
The earlier model is TZ SOHO, they now have a startup with TZ270. We have some offices that have 10 users, as well as a limited amount of users that require a small device such as TZ SOHO, and not the TZ270.
We are having some difficulties with the SOHO 250 model, regarding the throughput, but when I use the TZ270 it works well. I decided to replace it with TZ270.
When I enable the ULA, the Sophos core usage increases dramatically. Everything works fine when I use the IP-based policy. In general, when it comes to IP-based configuration, everything is fine; everything works great.
SonicWall, as well as other competitors, have SD-WAN, however, SonicWall features are different. The web filter component, the application component, and the firewall access rules, for example, are all different in the SonicWall Appliance.
When creating firewall access rules in Sophos and Fortinet, I just define the source, destination, and user, as well as a web filter, an application filter, and user bandwidth management on a single line. I only follow one rule and have never had a problem.
Everything is contained in a single rule only when I create it. I can assign web filter policies, application filter policies, and I can apply all security services in a single rule.
Check Point CloudGuard Network Security: Configuration
We have had several support cases opened. Some of the issues were resolved by installing the latest recommended Jumbo Hotfix, whereas some required additional configuration on the OS kernel level.
The longest issue took about one month to be resolved, which we consider too long.
The biggest room for improvement is that, for a long time now, they've moved everything over to R80 but they still maintain some of the stuff in the old dashboard. They need to "buy in" and move everything to the modern dashboard so that you don't have to go to one place and to another place, at times, to configure the environment. It's time they just finish what they started and put everything in the new, modern dashboard. I thought they would have done that by now. It has been years. It's always a little disappointing when you get a new version and you see that it's still using the old dashboard for some of the configuration and some of the stuff that you look at.
They just need to make sure they get all their tools into this one place. It would make it a lot easier for the managers.
reviewer1026111 says in a Check Point CloudGuard Network Security review
IT Security Manager at a retailer with 10,001+ employees
The features of the solution which I have found most valuable are its flexibility and agility. It's a fully scalable solution, from our perspective. We can define scaling groups and, based on the load, it will create new instances. It's truly a product which is oriented toward the cloud mindset, cloud agility, and this is a great feature.
Check Point is a known leader in the area of block rate, so I don't have any complaints about it. It's working as expected. And similarly for malware prevention. When it comes to exploit resistance rate, it's excellent. I haven't seen any Zero-day vulnerabilities found in Check Point products in a very long time, which is not the case with other vendors.
The false positive rate is at an acceptable level. No one would expect a solution to be 100 percent free of false positives. It's obvious that we need to do some manual tuning. But for our specific environment and for our specific traffic, we don't see a lot of false positives.
Overall, the comprehensiveness of the solution's threat prevention security is great. It was changed in our "80." version and I know that Check Point put a lot of effort into threat prevention specifically, as a suite of products. They are trying to make it as simple as it can be. I have been working with Check Point for a long time, and in the past it was much more complicated for an average user, without advanced knowledge. Today it's more and more user-friendly. Check Point itself has started to offer managed services for transformation configuration. So if you don't have enough knowledge to do it yourself, you can rely on Check Point. It's a really great service.
Check Point recently released a feature which recognizes that many companies are going with the MITRE ATT&CK model of incident handling, and it has started to tailor its services to provide incident-related information in that format. It is easier for cyber security defense teams to analyze security incidents, based on the information that Check Point provides. It's great that this vendor looks for feedback from the industry and tries to make the lives of security professionals easier.
I highly rate the security that we are getting from the product, because the security research team is great. We all know that they proactively analyze numerous products available on the IT market, like applications and web platforms, and they find numerous vulnerabilities. And from a reactive point of view, as soon as a vulnerability is discovered, we see a very fast response time from Check Point and the relevant protection is usually released within a day, and sometimes even within a few hours. So the security is great.
As an administrator, I can say that among all of the Check Point products I have been working with so far, the Virtual Systems solution is one of the most difficult. You need to understand a lot of the underlying concepts to configure it, like the virtual switches and routers it uses underneath. That leads to additional time needed for the initial configuration if you don't have previous experience.
In addition, there is a list of limitations connected specifically with the virtual systems, like the inability to work with the VTI interfaces in a VPN blade, or an unsupported DLP software blade.
reviewer1518027 says in a Check Point CloudGuard Network Security review
Electronic Engineer at a tech vendor with 11-50 employees
The solution, overall, has worked very well for our organization.
The reliability of the product is excellent.
The configuration capabilities are very good.
The initial setup is pretty easy.
reviewer1637334 says in a Check Point CloudGuard Network Security review
Security Platform Administrator at a tech services company with 501-1,000 employees
Check Point CloudGuard Network Security has established communications with other devices and other cloud providers. CloudGuard has improved the passage of CIS and PCI regulations. The functions for autoscaling save costs for the company and the centralized management helps us with administration. CloudGuard complements the security model of the company. We only need one solution for all cloud providers as it offers good compatibility with lots of protection. The easy function of using the license core in other gateways helped to save cost. And the easy VPN configuration helped me to establish more than 100 VPNs in a short time.
Sophos XGS: Configuration
The initial setup for Sophos XGS is very easy. From the cloud it can be deployed even faster, since it allows you to create configuration templates.
In the new release 19, there should be the implementation of a cloud service that you can use to set up the IPSec tunnels, and the SD-WAN from the WAN dashboard, and then you can push that configuration out to every firewall that you have.
The initial setup is complex. Sophos has some features like rules and policies, NATing, and PATing so deployment might take more time than if we were using an alternate solution. Deployment can take up to two weeks because every policy and VPN requires checking and that takes time. I've had 10+ years of experience in network engineering and firewall configuration, so we deployed in-house, but we contacted Sophos for assistance when we needed it.
The initial setup is straightforward and takes 15 minutes. The time it takes to setup depends on what you're trying to achieve and how complex you want your configuration to be.
We handled the installation and configuration with our in-house team.
I am a cyber professional. I support customers with this solution. Sophos XGS is primarily a firewall. The product allows my customers to manage their internet access for their employees while protecting their environment from things like malware.
The solution requires one administrator as it does not require much maintenance. It depends on the usage and the environment. For example, in some account configurations, the environment has only four or five rules, other times there are over 100 rules. More rules will require more maintenance.
The initial setup is complex as Sophos doesn't support the installation or configuration. I would rate the ease of setup as one out of five.
The initial setup was quite simple, and the configuration took around an hour and a half.
Andrew Banda says in a Sophos XGS review
Head Of Information Technology at Zambia National Building Society
It works. However, Sophos configurations are a bit complex. It's not very user-friendly. I don't find it user-friendly when it comes to setting up the firewalls.
The user interface for the technical admin can be better. It should be straightforward to configure a firewall, even if a firewall has complexities. I don't know why they did that. However, you should be able to quickly set up a rule to minimize the mistakes that a security administrator or a firewall administrator can make and configure. If not, that becomes an issue. One mistake on a firewall could result in a breach.
It should be more straightforward. If you compare it with GFI Carrier Control Firewall, which is very straightforward, you can see why it’s helpful when it's easier.
In general, the solution is scalable.
Its features and configuration can expand. As long as the engineer or the implementer knows which policies are needed, the Sophos firewall integrator can also help with that. If he or she does not know any complicated solution, Sophos support is also there to help.
There are issues with some designs being able to work on high availability. We design our architecture in three tiers on the network. There is the core tier, the distribution tier, and the access tier. We haven't succeeded in our attempts to configure this and haven't been able to find documentation on how to go about it. Sophos has a single sign-on, but it requires configuration to communicate with the firewall and that is lacking. The configuration on Sophos is well described, but the configuration on the Windows system is not well described in relation to the Sophos knowledge base. It took a lot of my own research to figure out what was wrong. I'm a cyber security guy so it's very difficult for me to implement the solution.