Sophos XG alternatives and competitors

Palo Alto VM-Series is something we recommend as a firewall solution in certain situations for clients with particular requirements who have the budget leeway.  

The Palo Alto VM-Series is nice because I can move the firewalls easily. For instance, we once went from one cloud provider to another. The nice thing about that situation was that I could just move the VMs almost with a click of a button. It was really convenient and easy and an option that every firewall will not give you.  

We would really like to see Palo Alto put an effort into making a real Secure Access Service Edge (SASE). Especially right now where we are seeing companies where everybody is working from home, that becomes an important feature. Before COVID, employees were all sitting in the office at the location and the requirements for firewalls were a different thing.  

$180 billion a year is made on defense contracts. Defense contracts did not stop because of COVID. They just kept going. It is a situation where it seems that no one cared that there was COVID they just had to fulfill the contracts. When people claimed they had to work from home because it was safer for them, they ended up having to prove that they could work from home safely. That became a very interesting situation. Especially when you lack a key element, like the Secure Access Services.  

Palo Alto implemented SASE with Prisma. In my opinion, they made a halfhearted attempt to put in DLP (Data Loss Prevention), those things need to be fixed.  

I have been using Palo Alto VM-Series for probably around two to three years.  

I think the stability of Palo Alto is good — leaning towards very good.  

Palo Alto does a good job on the scalability. In my opinion, it has excellent scalability.  

My experience with Palo Alto is that it is really bad when it comes to technical support. When we have a situation where we have to call them, we should be able to call them up, say, "I have a problem," and they should ask a series of questions to determine the severity and the nature of the problem. If you start with the question "Is the network down?" you are at least approaching prioritizing the call. If it is not down, they should be asking questions to determine how important the issue is. They need to know if it is high, medium, or low priority. Then we can get a callback from the appropriate technician.  

Do you want to know who does the vetting of priority really, well? Cisco. Cisco wins hands down when it comes to support. I do not understand that, for whatever reason, Palo Alto feels that they do not have a need to answer questions, or they just do not want to.  

It is not only that the support does not seem dedicated to resolving issues efficiently. I am a consultant, so I have a lot of clients. When I call up and talk to Palo Alto and ask something  like, "What is the client's password?" That is a general question. Or it might be something even less sensitive like "Can you send me instructions on how to configure [XYZ — whatever that XYZ is]?"  Their response will be something like, "Well, we need your customer number." They could just look it up because they know who I am. Then if I do not know my client's number, I have got to go back to the client and ask them. It is just terribly inefficient. Then depending on the customer number, I might get redirected to talk to Danny over there because I can not talk to Lisa or Ed over here.  

The tedium in the steps to get a simple answer just make it too complicated. When the question is as easy as: "Is the sky sunny in San Diego today?" they should not be worried about your customer representative, your customer number, or a whole bunch of information that they really do not use anyway. They know me, who I am, and the companies I deal with. I have been representing them for seven or eight years. I have a firewall right here, a PA-500. I got it about 11 years ago. They could easily be a lot more efficient.  

I have clients whose architecture is configured in a lot of different ways and combinations. I use a lot of different products and make recommendations based on specific situations. For example:  

• I have one client that actually uses multiple VM-series and then at each one of their physical sites that have the K2-series — or the physical counterpart of the VM-series.  
• I have other clients that use Fortinet AlarmNet. As a matter of fact, almost all my healthcare providers use Fortinet products.  
• I have another customer that used to be on F5s and they had had some issues so switched to Fortinet.  
• I have a couple of holdouts out there that are still using the old Cisco firewalls who refuse to change.  
• I have a new client that is using a Nokia firewall which is a somewhat unique choice.  

I have a customer that used to be on F5s and they had had some issues. The result of the issue was that they came to me and we did an evaluation of what they really needed. They came in and they said, "We need you to do an evaluation and when you are done with the evaluation, you need to tell us that we need Palo Alto firewalls." I said that was great and I sat down and got to work building the side-by-side comparison of the four firewalls that they wanted to look at. When I was done, just like they wanted the Palo Alto firewall was right there as the first one on the list. They selected the Fortinet firewall instead.  

Nokia is specifically designed to address the LTE (Long Term Evolution, wireless data transmission) threats with faster networks and such. So it is probably not considered to be a mainstream firewall. The client who uses Nokia is a service provider using it on a cellular network. They are a utility and they are using Nokia on a cellular network to protect all their cellular systems and their automated cellular operations. The old Nokia firewalls — the one on frames — was called NetGuard. This client originally had the Palo Alto K-series and they switched over to the Nokia solution. That is my brand new Nokia account. They were not happy with the K-series and I am not sure why.  

The thing about Cisco is nobody is ever going to fire you for buying a Cisco product. It is like the old IBM adage. They just say that it is a Cisco product and that automatically makes it good. What they do not seem to acknowledge is that just because their solution is a Cisco product does not necessarily make it the right solution for them. It is really difficult to tell a customer that they are wrong. I do not want to say that it is difficult to tell them in a polite way — because I am always polite with my customers and I am always pretty straightforward with them. But I have to tell them in a way that is convincing. Sometimes it can be hard to change their mind or it might just be impossible.  

When I refer to Cisco, I mean real Cisco firewalls, not Meraki. Meraki is the biggest problem I think that I deal with. I do not have the network folks manage the Meraki firewalls differently than they manage their physical firewalls. I do not want there to be a difference, or there should be as little difference as possible in how the firewalls are handled. They do have some inherent differences. I try not to let them do stuff on the virtual firewalls that they can not do in the physical firewalls. The reason for that is because in defense-related installations it matters. Anytime you are dealing with defense, the closer I can get to maintaining one configuration, the better off I am. Unless something unique pops up in Panorama, I will not differentiate the setups.  

I say that there are differences because there is a little bit of configuration that inherently has to be different when you are talking about physical and virtual firewalls, but not much. I can sanitize the virtual machine and show the cloud provider that since I was going into a .gov environment or a .gov cloud, that it met all the requirements as stated in the Defense Federal Acquisition Regulation Supplement. That is huge for our situation. Of course with a cloud provider, you are not going to have a physical firewall. Had we had a physical firewall, that becomes a bit of a chore because you have got to download the configuration file, then you have got to sanitize the configuration. Things like that become a bit of a burden. Having a VM-Series for that purpose makes it much easier.  

I did not mention Sophos in the list. Sophos does a semi-decent job with that too, by the way. The only problem with Sophos is that they are not enterprise-ready, no matter what they say. I have deployed Sophos in enterprises before, and the old Sophos models did very well. The new ones do very poorly. The SG-Series — Sierra Golf — they are rock solid. As long as we keep going with them, our customers love it. It works. I have one client with 15,000 seats. They are running 11 or 12 of them and they have nothing but great things to say about the product. The second you go to the X-Series, they are not up to the task.  

Setting up Palo Alto is relatively quick. But I also have an absolute rockstar on our team for when it comes to Palo Alto installations. When he is setting it up, he knows what he is doing. The only thing he had to really learn was the difference between the VM-Series and the PA-Series.  

I lay out the architecture and I tell people doing the installations exactly what has to be there. I sit down and create the rule sets. Early on, the person actually doing the fingers-on-the-keyboard complained a little saying that the setup was a little bit more complicated than it should have been. I agree, generally speaking. I generally feel that Palo Alto is more complicated than it needs to be and they could make an effort to make the installations easier.  

But, installing Palo Alto is not as bad as installing Cisco. Cisco is either a language that you speak or a language that you do not. I mean, I can sit down and plot the firewall and get the firewall together about 45 minutes with a good set of rules and everything. But that is me and it is because I have experience doing it. Somebody who is not very well-versed in Cisco will take two or three days to do the same thing. It is just absolutely horrid. It is like speaking English. It is a horrid language.  

I do not have to do budgets and I am thankful for that. I am just the guy in the chain who tells you what license you are going to need if you choose to go with Palo Alto VM-Series. How they negotiate the license and such is not my department. That is because I do not resell.  

I know what the costs might be and I know it is expensive in comparison to other solutions. I get my licenses from Palo Alto for free because they like me. I have proven to be good to them and good for them. When they have customers that are going to kick them out, I can go in and save the account.  

I will tell you, they do practice something close to price gouging with their pricing model, just like Cisco does. When I can go out and I can get an F5 for less than half of what I pay for Palo Alto, that is a pretty big price jump. An F5 is really a well-regarded firewall. When I can get a firewall that does twice what a Palo Alto does for less than half, that tells me something.  

Sophos decided that they were going to play with the big boys. So what they did is they went in and jacked up all their prices and all their customers are going to start running away now. The model is such that it is actually cheaper to buy a new firewall with a three-year license than it is to renew the Sophos license of the same size firewall for an older product. It sorta does not make sense.  

I make recommendations for clients so I have to be familiar with the firewalls that I work with. In essence, I evaluate them all the time.  

I work from home and I have two Cisco firewalls. I have a Fortinet. I have the Palo Alto 500 and I have a Palo Alto 5201. I have a Sophos. My F5 is out on loan. I usually have about eight or nine firewalls on hand. I never go to a client without firing up a firewall that I am going to recommend, testing it, and getting my fingers dirty again to make sure I have it fresh in my mind. I know my firewalls.  

The VM-Series are nice because you can push them into the cloud. The other nice thing is whether you are running a VM-Series or the PA-Series, we can manage it with one console. Not without hiccups, but it works really well. Not only that, we can push other systems out there. For instance, for VMware, we are pushing Prisma out to them. VMware and the Palo Alto VM-Series do really well with Prisma. The issue I have with it is — and this is where Palo Alto and I are going to disagree — they are not as good at SASE (Secure Access Service Edge). I do not care what Palo Alto says. They do a poor job of it and other products do it better.  

Palo Alto claims it is SASE capable, but even Gartner says that it is not. Gartner usually has the opinion that favors those who pay the most, and Palo Alto pays them well. So when Gartner even questions their Secure Access Service Edge, it is an issue. That is one of those places where you want the leader in the field.  

From my hands-on experience, Fortinet's secure access service edge just takes SASE hands down.  

My first lesson when it comes to advice is a rule that I follow. When a new version comes out, we wait a month. If in that month we are not seeing any major complaints or issues with the Palo Alto firewall customer base, then we consider it safe. The client base is usually a pretty good barometer for announcing to the world that Palo Alto upgrades are not ready. When that happens, making the upgrade goes off our list until we hear better news. If we do not see any of those bad experiences, then we do the upgrade. That is the way we treat major revisions. It usually takes about a month, or a month-and-a-half before we commit. Minor revisions, we apply within two weeks.  

I am of the opinion right now that there are some features missing on Palo Alto that may or may not be important to particular organizations. What they have is what you have to look at. Sit down and be sure it is the right solution for what you need to do. I mean, if the organization is a PCI (Payment Card Industry) type service — in other words, they need to follow PCI regulations — Palo Alto works great. It is solid, and you do not have remote users. If you are a Department of Defense type organization, then there are some really strong arguments to look elsewhere. That is one of the few times where Cisco is kind of strong choice and I could make an argument for using them as a solution. That is really bad for me to say because I do not like Cisco firewalls.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the Palo Alto Networks VM-series as an eight-out-of-ten.  

We are an authorized partner of Untangle, and we primarily work with small businesses that have limited needs. We have deployed Untangle NG Firewall z4 Plus to the majority of our clients. With simple hardware and a monthly service fee, it's very affordable for our clients. 

The software versioning is 16.5. We have deployed them primarily on-premises. We have a couple virtualized and on ESXi servers, and that's pretty much it. They're fully managed from our cloud database directly on untangle.com/cmd.

Its ease of use, variety of available features, and low pricing have enabled us to improve the security for a lot of our very small business clients at a price that they are happy to pay for. The big thing for us is that we're providing a good quality security service to them without spending thousands of dollars per year on hardware and licensing, which we would spend with something like SonicWall, Palo Alto, etc.

It is very easy to use. The user interface is very straightforward. It may not be as fancy as some of the ones I've seen, but it's very straightforward. It's very easy to find what you need, and it's very easy to get things done.

The majority of our clients are very small businesses, and Untangle devices have been fantastic for these small clients. We've basically standardized our stack to just simply use Untangle. We include the hardware and the service option, which makes it very easy and affordable for us to just simply push that into the monthly per-user costing that we provide as a managed services provider. It's really a no-brainer. They're easy to use, and they're easy to set up and configure. Support is generally good about resolving any issues that we have. We haven't had any real complaints.

I've heard other people saying that other firewalls have better detection rates, so better security. If they can improve the security of the device, I'm always for that, but at the moment, we've been happy with the service that we're getting out of them. 

It does have multi-factor authentication in some areas, but I would love to see a more widely implemented version of that on the devices themselves. 

It could use some improvement for Azure Active Directory Connections. It does exist, and it is available, but it needs work to be able to fully authenticate.

I know there are some advanced features that other firewalls have that aren't present in Untangle, but we've never noticed any feature that we need but isn't there. 

I also know a lot of people have complained about the cost per device because they license by device counts. So, once you get over a certain number of devices, it is not really a cost-effective solution.

We have been using this solution for the past three years.

We have had one device go down in three years. I've never been certain if that was an issue with Untangle themselves or with the client location. I know for a fact that the client did unplug the device repeatedly because they did not want to listen to their tech support. They unplugged it repeatedly. They left it disconnected from the internet completely for several months. It was disconnected and turned off, and it came to a point where we were never able to remotely restore that connection. So, we had to go in and physically factory reset the device. That's the only issue that I've had in terms of stability, but I don't know if that's an issue with Untangle or an issue with the client themselves. We dropped that client shortly after.

It is easy to scale. I ordered 10 of them in bulk just a month ago. We have about a hundred clients. 

We pretty much standardized it across our client base. We also provide some email services, Microsoft 365, and tech support to people who literally just work from their laptop from a Starbucks. They are the only clients who aren't using it. Any of our clients that have an office or home office have Untangle Firewall. We serve a lot of residential customers, and we've stuck the unlicensed version of the Untangle Firewall on their network. We manage those, and it's been great for the most part. The only way we would really increase that in our client base is by just increasing our client base.

I would really like phone support for emergencies. I'm not sure if there is one. I don't think I've ever had to actually utilize it if there was. Having a direct line of contact or support, especially being a partner, would definitely be an improvement, but their tech support has been able to resolve every issue that we've had with them.

Originally, we tested Untangle many years ago, but it wasn't a fantastic solution then. So, we didn't really utilize it and always stuck with pfSense, but over the past three years, we've been using, almost exclusively, Untangle devices for our clients.

Our clients were using a variety of solutions. They have been utilizing SonicWall. We have replaced a couple of WatchGuard firewalls. We've had people with pfSense, and we've had people with Cisco Meraki. We've seen most of the firewalls in the business, and I like Untangle.

It was straightforward. You can basically set up a demo device with the settings that you want, take the config file, and export those configs and policies to any new device you deploy. So, the initial setup is not that complex. It is very simple and straightforward because the user interface is very simple and straight. 

When you get to whatever you like and how you want to configure it, you just save it as a policy set, save the config file, and deploy it within minutes. We order the device, get the serial number, apply the serial number to our portal, and then apply the policies, and we're done.

One person can handle the deployment. As a matter of fact, the end-user can handle the deployment, as long as the tech just tells them where to plug it in. The end-user doesn't need to do anything. As soon as it's connected to the internet, as long as it's plugged into the right place on the network, the deployment takes minutes, and we manage them all from the command center.

I'm not a financial type of person, but I can say that configuring a pfSense firewall is a couple of hours per location, and managing other firewall solutions is definitely more costly and time-consuming from what I've seen previously. We've definitely saved time in deployment, and we have also saved time in management. We save time and money in a variety of ways. So, we have definitely seen an increase in ROI. In addition, the fact that we're able to just simply include it in our monthly costs for what we charge our clients makes it all the better.

Untangle is open-source software. So, you can get it for free. That has been a benefit, especially for the residential users because it is free. The license costs start at $25 a month for some additional features, including higher tiers of security intrusion prevention. The free version comes with intrusion detection, and then the license version has intrusion prevention. It also has some additional things for active directory connectors, etc.

It starts at $25 a month to cover 12 devices. Then it goes up from $25 to $50 a month for 12 to 25 devices. That's where it really doesn't scale out per site. If you have a site that has more than 50 devices on it, then Untangle quickly becomes cost prohibitive in comparison to several other competitors. They have a weird per-device licensing model, whereas most firewall vendors simply tell you that this is how many devices we expect you to cover and this is what your licensing costs. They don't tier it by the device. Firewalls have different costs and different licensing. So, in a way, it is the same, but Untangle is more upfront about it. They tell you that if you have X amount of devices, this is what your licensing cost is, whereas other firewall vendors tell you that if you're covering this amount of devices, you need this type of firewall that they make, and it's going to cost you this amount a month, which is going to be more, but the price comparison is definitely not favorable for Untangle once you go over 50 devices.

There is an additional cost of the hardware, which you can purchase upfront. You can pay for hardware as a service, or you can deploy it to your own hardware at no additional charge. We can deploy this for free, completely and utterly free and clear, just by simply running a VM and installing the free version of the software on it. So, there are literally no costs to it. The additional costs are basically just completely optional, except in the cases of industries where certain of these other security features are a requirement, but the only costs that you have to pay are the licensing costs. You can choose not to buy their hardware at all and just deploy it in a VM.

We evaluated pfSense, WatchGuard, and Sophos, and ultimately went with Untangle.

I would definitely advise going for z4 Plus. The base z4 is good if you're going with the free licensing. It is a little bit lower powered. So, it's only good for the free tier licensing or very small offices with only a couple of devices. z4 Plus has been fantastic. We can turn on every feature that Untangle has, and it runs right along for months at a time.

I would rate it a solid nine out of ten. It has been fantastic for the uses that we put it to, which are primarily small clients. It does its job, and it does it well. I've had almost no issues in the past three years of running them except for one, and I'm pretty sure it was the client that caused the issue.

We are solution providers and this is one of the products that we deploy for our customers. This is not a product that we use ourselves.

pfSense prevents unwanted access. If you configured things properly then you'll be protected to some level. There is still a need for products like a SIEM, but the UTMs like pfSense or Sophos, prevent most of the problems.

The classic features such as content inspection, content protection, and the application-level firewall, are the most important.

This is a feature-rich product.

The documentation is good.

Ease of use is a problem for a user who is unfamiliar with this product because, in the interface, everything has to be set manually. It would be more user-friendly if things were set automatically. 

The drop in performance can be drastic when you use more advanced techniques. There is some trade-off between having a certain level of security and maintaining acceptable performance.

One of the things that are usually outside of the UTM, or system on the gateway, is the SIEM. It is an advanced system for managing the possibility of threats. It is not normally part of such devices but it would be nice if the pfSense interface were integrated with it.

We have more than a year of experience with pfSense.

The stability of pfSense is standard. It is rated as one of the good solutions in this area.

This product is scalable to some point, although we have never used it for large companies. We use it for small to medium-sized organizations. For big companies, we more often implement Palo Alto.

In our company, we have a data center and some of our clients are hooked to it. This is something that we have on-premises for our customers.

We have plans to increase our usage with pfSense because we have had good feedback from our customers. In fact, with the good experience we have had, our sales have been slightly increasing. Our sales are shifting from Sophos to pfSense.

The technical support is organized well. We do most of the technical support for our customers in-house but there is a second level of outside support available. It is okay. 

We currently resell products from both pfSense and Sophos. In some areas, pfSense is better than Sophos. I have been a bit disappointed with Sophos because I know their history, and I don't think that they have advanced as well as they should have in that time. Also, they have two different products, being XG and UTM. This is another reason that I prefer pfSense, at least a little bit, over Sophos.

In the past, we were the developers of a product called Network Defender, but it has reached end-of-life. We were pioneers in the area and were one of the first who was making UTMs. The name "UTM" didn't exist at that point. We were partners with Cobalt, who was the first appliance creator. Their appliances include web servers and email servers. When Cobalt was bought by Sun, we made our first Network Defender line. That became the first appliance, which had firewall content inspection, content protection, intrusion prevention, intrusion detection, antivirus, and email and web servers at that time, all in one box.

From that point on, we had our line, which was distributed all over the Middle East, Asia, and some parts of Europe. We then worked with Palo Alto, we were a Cisco partner the entire time, and we worked with both Sophos and pfSense.

In our organization, with have Cisco ASA for certain things, and we have a firewall by Palo Alto.

The initial setup is complex. If you have a straightforward setup then you will have straightforward, basic protection and nothing else.

It takes a few months to adjust where you start by setting it up, and then you have to monitor it and see what's happening. It's ongoing work because, after this, you have to keep monitoring and adjusting to the situation. This is part of the service that we perform for our customers.

We are the integrators for our customers and deploy with our in-house team. We have people in the company who are specialized in this area.

The return on investment depends on the predicted cost of failures of the system, or intrusion of the system, which is hard to give a straight answer on. In part, this is because different companies put a different value on their data.

For example, with medicine, if somebody were to steal the data related to the latest CORONA vaccine then the cost would be tremendous. On the other hand, if there is a company that is making chairs, stealing the design of the chair probably wouldn't be as high when compared to an application in medicine. So, there is not a straight answer for that.

Return on investment, in any case, I think for every company, this is a must. Put in a straightforward way, they can count just the possibilities of having an attack on their system with a cryptovirus. If they can save their data from attackers then it would save them at least two days of not working plus the cost of recovery, which would be much more than the cost of the system and maintenance.

The price of the licensing depends on the size of the deployment. pfSense is open-source, but the support is something that the customer pays for. We charge them for the first line of support and if they want, they can purchase the second line of support. Typically, they take the first-line option.

The term of licensing also depends on the contract. The firewall doesn't always have a contract but rather, there is a contract in place for the network, which includes UTM.

In addition to the licensing fees, there are costs for hardware, installation, and maintenance. We use HPE servers, and the cost depends on how large the installation is. The price of setup is approximately €500 to €800, which also includes the initial monitoring.

The maintenance cost isn't really included in the network fees.

For smaller companies, we charge them a few hours a month for monitoring. It takes longer if the client is bigger.

It is important to remember that you can't just leave the device to do everything. You still have to know what you're doing.

I recommend the product. It's well-balanced and one with a long history, so it doesn't have child's diseases. There is a lot of online support available online, which they can consult themselves. But, in the case that they need support, they can hire a professional support line and that is highly recommended.

I say this because usually, people look at the UTM as something that should be put in the system, set up, and left alone. But, this is not the case with this type of solution. Therefore, I strongly suggest making an outside agreement with a specialized company that will take care of their security from that point on.

The biggest lesson that I have learned from using this kind of product is that you can't assume that the internet is a big place and nobody will find you. There is always a good possibility that robots will search your system for holes, and they are probably doing so this instant. This means that users should be aware and have decent protection.

In summary, this is a good product but there is always room for improvement.

I would rate this solution a nine out of ten.

Our use cases for SonicWall NSa are the Global VPN and the SSL VPN, because nowadays, everyone prefers to work from home, and prefers to connect from mobile applications to our organization.

What's valuable in SonicWall NSa is the ATP (advanced threat protection). It can protect users from malicious links, e.g. those sent to the end user email and is clicked by the end user, who'll be led to a bad website. SonicWall NSa has a Sandboxing service that is very helpful for us, especially when end users accidentally click on malicious links.

Another valuable feature of this solution is that it is very useful for site-to-site VPN connectivity issues.

SonicWall NSa also has very good hardware, e.g. from 2013 to 2021, only one product had a hardware failure, and within 24 hours, they were able to replace that product.

I also love that SonicWall has very good technical support, who are very knowledgeable, provides good suggestions, and they're easy to reach.

An area for improvement in SonicWall NSa is that sometimes, we experience bugs when upgrading, so we have to contact their technical support to fix issues.

It would be much easier if this improvement was in place: if the one-time password which is built-in, was provided as an OTP for the administrator logging into the console, so that we'll have a quicker awareness of it, rather than needing to check emails for it. Having a Telegram or WhatsApp bot integrated with the device, for example, will be very helpful for us, so we can instantly take action, without us needing to log into and check our emails, meaning we'll be able to put things right faster.

This may not be possible in SonicWall NSa, but I'm also looking for any kind of controller or device for the Windows server or client, e.g. Windows 11 and Windows 10 from SonicWall NSa itself, so that a security domain or the gateway of the organization would be able to identify the latest update for a product, whether that product is installed or not. This feature would be very helpful, and it's what I'd like to see in the next release.

I've been using SonicWall NSa since 2013.

SonicWall NSa performs well, but sometimes, there are bugs, so I have to call their support when this happens, and I elaborate on the problem we're facing. Support then takes the diagnostic data, fixes it, then sends back to me the firmware or the setting so I can restore my SonicWall NSa.

SonicWall NSa is easy to scale.

The technical support team for this solution is very knowledgeable. They are able to fix issues. They understand what we are facing and they suggest very good options. They provide us very good support, and on a scale of one to five, I'm giving them a four to a five for technical support.

I previously used different solutions, e.g. Sophos and Fortinet, but what I noticed is that I either couldn't find how to contact their technical support, or if I was able to call their technical support, I either get a busy tone, or it takes a long time to speak to someone. As for SonicWall support, I only had to wait 10 minutes to speak to someone, and if they accidentally drop my call, they'll immediately call me, no matter which part of the world I'm in, so I switched to SonicWall NSa.

I deployed SonicWall NSa myself. Deployment was very easy.

Last January 14th, one of my firewalls went down, so we had to replace it, but it was unfortunate that we didn't enable the local backup. At the time, what we had was the factory set up option for the device, so it took me six hours to fix, e.g. applying for the policy site to the site VPN, creating the users, etc. All those processes took a minimum of five to six hours.

I didn't use a vendor or a third party for the deployment of this solution. I only had to call their support if there was something I couldn't understand, e.g. why the traffic wasn't working, etc. For some of the processes, I took notes from their support, while for the rest of the processes, we can do it by ourselves.

SonicWall NSa has two types of license, so the cost would depend on the license.

The advanced license is a bit expensive when compared to the comprehensive license, but when you compare the advanced license to the licensing cost of other brands or competitors, it is expensive.

One good point about the more expensive license for this product it that they provide a hardware guarantee, which means direct replacement, no matter how long you've been using it, whether you've used it for two, three, five, or seven years. You can easily have your device directly replaced if it's having issues with the firewall, software, or hardware, etc. You can get this done as an end user, or as a customer. You just have to fill in and send back the application form for device replacement, provide the serial number and the model number, and that's it. They will replace your device. It's also easy for them to transfer your license to another device. SonicWall NSa is worth the money.

I evaluated Sophos and Fortinet solutions.

The firewall products I'm using are SonicWall NSa 3600 and 2400.

We are using the latest version of this solution.

We are using a local backup, and we also enabled for my SonicWall NSa a cloud backup for all devices. We are using six firewalls, so we enabled the flow backup, with the goal of being able to restore immediately, in case of emergency.

This product doesn't require much maintenance. Our company operates 24/7, and we deal with ready-mix concrete. It depends on the production, but SonicWall NSa continuously runs 24/7. Maintenance is done monthly, particularly for upgrading the firmware, or for restarting SonicWall server patches. Maintenance of this product only takes one hour on a monthly basis.

We have 200 end users of SonicWall NSa.

I always recommend this product to my friends and colleagues. My supplier also recommends it. I suggest to them to go for SonicWall NSa, depending on the user, e.g. if you have 100 end users. We pay for the license, for example, 2,200 dirhams, so I can get the license, and also get the SonicWall SOHO device, which is the smaller one.

My rating for SonicWall NSa is seven out of ten.

We needed to replace our external firewall solution as we were having issues with the HTTPS inspection on our previous solution and the level of support being provided was terrible, leaving us with an issue that could not be fixed for over six months. 

We had already deployed a new internal firewall solution but needed something that would protect that from external factors. We also needed a new solution to replace our client VPN solution. The Check Point solution gave us that as one whole solution instead of having to manage multiple services.

Our policy is to deny all outbound traffic unless we allow it, which can generate a lot of work to build a rule base that allows everything we need to get out. 

This solution has made managing connections out to the web much better due to the categorisation and app control that is available. Being able to say certain apps and services are allowed out, instead of finding all the relevant IPs, has massively reduced the workload. The ability to manage the Client VPN and relevant rules for that in the same location has also improved the way we work. Having links into AD for group membership recognition and having rules based around this has been very useful in improving the way remote users can access the network.

Logging has been excellent. Being able to see all logs from all the various firewalls at different sites in one window has made fault finding much easier. We can see how the traffic is moving through the sites and on which firewall. 

It has also been easy to see machines that may have had infections as we can report easily on devices trying to talk out to sites and services that are known to be dangerous. We have these set up as an HA pair on our main site and we have a lot of audio and video services that go out over the web. 

The failover from one device to the other has been seamless and we find that we do not lose ongoing SIP calls or Teams chats. 

The functionality of the S2S VPN service has been temperamental for us at times and is not always simple to manage or check the state of. 

We find the GUI to be wrong and the CLI doesn't always show all of the connections. 

From a general usability point of view, if you have not used Check Point before, the learning curve is steep. Perhaps managing and configuring the devices could be streamlined for people with less experience so that they can pick it up quicker. There needs to be extra wizards for the out-of-the-box builds.

I've used the solution for six months.

On the firewall side and content filtering side of the solution, it has been faultless. There has been no real downtime to note and the access to the web via relevant rules has always worked as expected.

We have a fairly small setup in the grand scheme of things, however, from what we have seen, the ability to add in new firewalls or increase the hardware spec seems very good and it would be easy to transition from older to newer hardware when the time comes.

Due to the support model we signed up for, we don't deal directly with Check Point support. We deal with the vendor first and they will deal with any 1st/2nd and even most 3rd priority issues. They would then go to Check Point if they need more assistance on our behalf. The level of support and responsiveness of their support has been excellent. We're always getting at least a response within a few hours, even on a P3/P4 issue.

Positive

We did have another solution, but due to an issue with the HTTPS inspection that the manufacturer was not able to properly rectify or fix for 6 months, we lost faith in their ability to provide adequate support going forward for any issues we might come across. 

The setup was complex due to the nature of the Check Point firewalls and us having to make some config setup in one portal and others on the CLI. We also had to arrange the rule base via the management console. There could be 3 different places you need to make various changes. We also used private microwave links as redundancy for VPN connections and that had caused significant issues in getting set up as the link selection did not cooperate at first.

We implemented via a vendor and I have to say their level of expertise was brilliant. Every question we threw at them, they were able to provide an answer to. 

It was not the cheapest solution to go for, but the amount of admin time that has been saved by the use of Check Point firewalls has definitely given us a great return, giving us more time to work on other aspects of our network. Also, being able to consolidate 2 solutions (Firewall and Client VPN) into one solution has saved more money and admin time. 

We found that Check Point was very flexible with its pricing. We were looking at a spec of hardware in other solutions. We found that Check Point did not have a direct competitor, but to help with the bid, they managed to reduce the costs of their higher-spec hardware to make it competitive with the other solutions we were looking at. It's not our fault they did not produce the hardware of a similar spec. It's up to them to try and provide a solution that would make it a competitive solution. 

We looked at several other solutions in including Palo Alto at the top of the market and Sophos XG further down.

I would say as good as the solution is, if you are looking to get the most out of it, you should look to get a company or consultant who knows the Check Point solution inside out to assist with the setup. We found a partner who specialized in Check Point and we would not have been able to get it to the stage we have without them.