
Which is the best network firewall for a small retailer?

B Putnam - PeerSpot reviewer
Owner at a retailer with 1-10 employees

I am the owner of a retailer company with 1-10 employees. 

We host websites on Windows 2008 R2 servers and Norton Business Protection. We are looking for recommendations for the best network firewall.

Thanks! I appreciate the help.

60 Answers

Gabriel Sicouret Villalobos - PeerSpot reviewer


AndriiDanylov - PeerSpot reviewer
Real User

Hard to give a recommendation based on this limited information.

Best NG firewalls are from Fortinet and PAN.

You can just use your ISP modem firewall and put your servers in DMZ, install some antivirus on your employees' PCs (if not Macbooks), and feel safe.

Valid comment about Win 2008 server being vulnerable, need to upgrade asap.

Vladimir Jirasek - PeerSpot reviewer
Top 5Real User

When making a decision, look at 5 years' TCO. For example, Fortigate is cheap to buy the first year but the support to keep security functions running can get expensive over time!

My suggestion is to look at firewalls that do not require subscriptions - the reason is that you are looking for a device that will be in the network for many years!


1. Netgate HW running pfSense firewall - we run it for clients and internally

2. Ubiquiti UniFi Dream Machine Pro (advantage of very nice GUI and included CCTV capability)

Happy to discuss in detail. 


Jairo Willian Pereira - PeerSpot reviewer
Top 5LeaderboardReal User

Fortinet has an excellent price for low-profile equipment that still offers great deliveries for small/medium businesses (beware with version versus EOL/License only). If you have a 'qualified team' and the price is differential, you can even think about using an open-source solution (iptables, pfctl or similar).

Md Rezwan Ashique - PeerSpot reviewer
Top 10Real User

For initial start-up and to secure your business, I would recommend going with a Fortigate Firewall, which will provide the features of NGFW. One more recommendation is to upgrade your Windows server to the latest one.

Vladimir Jirasek - PeerSpot reviewer
Top 5Real User

Hi, I see an immediate issue "Server 2008 R2." That implies old web server software. You are much better off to migrate this website/web application to a cloud provider (such as AWS or Azure) and use their security services - such as web application firewall, DDoS protection etc. 

Feel free to reach out for a more detailed discussion. 



Dilip Saraf - PeerSpot reviewer
Top 5Real User

Go with FG-40F

Clive Derwent - PeerSpot reviewer

FortiGate 30e


FortiGate 40f

José Rios - PeerSpot reviewer
Top 5Real User

Dear, firstly receive a cordial greeting.

These questions arise:

What service do you have in the cloud?

How much is your capacity?

Now, you can install a Mikrotik operating system on a PC or server that can help you with network firewalls, creating rules.

Or buy Mikrotik hardware.

I am at your service to help you. Mikrotik has many advantages.

José Rios - PeerSpot reviewer
Top 5Real User

Dear best regards, I recommend that MikroTik in the operating system or the physical equipment have a great structure at the firewall level.

You can implement Smoothwall Express, a free solution with a simple web interface to configure and manage the firewall, to get started.

I am attentive and at your command.

Stuart Berman - PeerSpot reviewer
Top 5Real User

Good commercial firewalls take a degree of expertise that small businesses rarely possess; for that reason, I would look for a managed security services provider that specializes in the SMB retail market. They should be able to do it affordably and with solid expertise. They should support Fortinet or Palo Alto Networks firewalls, which are the current gold standard for Next-Generation Firewall. You should also look at upgrading your Windows 2008 servers as they are end of life and tough to protect today.

Luis Apodaca - PeerSpot reviewer
Top 5User

1-10 employees, it's not that big. You should try the UniFi platform from the Ubiquiti brand; it is a bargain for the price and resources you can manage, and the better part for you is you don't have to pay licensing, you only pay for the hardware and the IT to implement the solution.

Nguyen Nguyen - PeerSpot reviewer

Priority as below:

1. Best choice: CISCO FirePower 1120 as it is a strong FW and not necessary to renew the subscription if you just need a firewall.
2. Powerful but expensive: Palo Alto Networks PA or Check Point: small series and you have to renew subscription yearly.
3. Multi-functions: FortiGate, ForcePoint, SonicWall, Watchguard, Sophos: Forti is popular and high ranking, the others are lower ranks, but all these ask to renew subscription yearly as well.
4. Opensource: I do not recommend as there is no one responsible for your system unless you are very pro in Linux and opensource.

David Hartt - PeerSpot reviewer
Real User

I think you should be looking more into a WAF. For firewalls with ~ 10 users a small FortiGate should be sufficient but the opportunity I see of the 2008 R2 servers. You should have moved off of these systems as of 2019 but that is not relevant to your question. I would invest in protecting those systems with an appropriately sized WAF. For this I recommend a FortiWEB.... these are distinctly different products.

Mohamed Rashwan - PeerSpot reviewer
Real User

FortiGate 60F will be a good and economical choice for you, especially since you will host a website; it will give you the best performance.

Rias Majeed - PeerSpot reviewer
Real User

Better go with FortiGate 60E.

Brad Nawrocki - PeerSpot reviewer

I like Watchguard Fireboxes for my firewall. We started out with less than 50 users and have grown to 80, and the firewall is easy to manage. The one negative is that it is expensive to keep the subscriptions updated. Worth it to us, as we've been virus- and malware-free for years.

Kostiantyn_Frolov - PeerSpot reviewer
LeaderboardReal User

The best solution in your case is a Fortinet or Sophos firewall. Use it with Endpoint protection from Fortinet or Sophos.

JoshuaThums - PeerSpot reviewer
Real User

For your businesses that are under 50 employees but still require enterprise-class security, insight into traffic and ease of management, I usually point people to Cisco Meraki products. For businesses with relatively few users, these products are very simple to set up and usually do not require network admins or engineers to set up successfully and securely.

Ray Kingdon - PeerSpot reviewer
Real User

What is the budget and who will the Firewall administrator be?

It does not matter what firewall you recommend, money and who is looking after it is the question to ask!!

If you spend £40k on a firewall and have an idiot configure it and administer it – the firewall is next to useless, whatever vendor's product you buy!!

José Luis García Morillo - PeerSpot reviewer
Real User

I would go for an OPNsense/pfSense solution. Though it's not so easy to begin with, it will scale to your needs easily.

Mike Hancock - PeerSpot reviewer
Real User

Selecting the "Best" firewall will give you many different answers from many different people. Firewalls and firewall vendors as well as the people that implement them are very partial to what they are familiar with. Same as me. I have what I consider the "best" but it is the best "for my installation". The real answer is another question, "What are you looking for and need in a firewall?"

With such old web servers you will need a Web Application Firewall "WAF" much more than you would need, say, a packet filtering firewall or even a NGFW.

Too many questions to list here but I would definitely need much more information about your situation before I could even start to make a recommendation.

Arturo Rony-Oncebay Casanova - PeerSpot reviewer
Top 10LeaderboardReal User

It will depend on the budget and scalability you want, if you have a high budget, better to implement a commercial firewall, another alternative would be an open-source firewall.

I recommend:
- Commercial Firewalls: Palo Alto or Fortinet.
- Open Source Firewalls: pfSense or OPNsense.

Alexander Kostov - PeerSpot reviewer
Real User

I would recommend a Palo Alto appliance since you can watch up to layer 7 traffic.

Ali Abdo - PeerSpot reviewer
Real User

From my experience, Fortinet or Cisco will work fine if you are looking for NGFW. I am not sure about the price; you can ask the vendor partner in your area for the price list. Both Cisco & Fortinet firewalls will do the job perfectly.

Tom Makosky - PeerSpot reviewer

I suggest installing a *pfSense* router as the gateway to the Internet.   

I've also had success with a *Dlink* router and using *ClearOS*.  Any of these would enable the user to place their Web servers in a separate zone.

reviewer1181697 - PeerSpot reviewer
Top 10Reseller

Sophos XG 106 Firewall

Christine Parr - PeerSpot reviewer

Fortinet Firewall would be the best by far with built-in wireless and VPN capabilities.

Daniel Calvo - PeerSpot reviewer

With that number of employees, Sophos offers good solutions (XG line) at a reasonable price. That’s my recommendation.

AndreaMattioli - PeerSpot reviewer

In a few words:
Looking at the best balance between security functionalities, performance per Mbps of protected traffic and price, the best is FortiGate:
- Advanced security functionalities from basic ACL up to layer 7 security protection, which could be used for security functionalities consolidation (a typical scenario for SMB needs).
- Embedded Security Management functionality (on board the FortiGate appliance) that is really usable.
- A scalable platform from a few Mbps throughput up to high-end needs.

Danny Vergel - PeerSpot reviewer
Real User

- Open Source: PFSENSE
- Good - Cheap - Easy to use: Sophos
- The best: Cisco ASA Firepower

John Holbel - PeerSpot reviewer
Top 10MSP

Web-sites do require additional protection that a firewall appliance by itself cannot achieve.

Having 1 to 10 employees is useful, however understanding the web-site traffic volumes is completely different.

So, making certain assumptions I would lean towards Fortinet or Sophos.

And what can we assume regarding EOL for OS?

AleksandarIvanovic - PeerSpot reviewer
Real User

For an open-source solution, it is pfSense/OPNsense, and for commercial it is a Check Point firewall. This is my recommendation.

reviewer1314963 - PeerSpot reviewer

Large sites = Fortinet

Small 2 -3 server sites = PFSense, available in the virtual or physical installation. Available in Opensource or with professional support.

Teja Kethanagiri - PeerSpot reviewer

You can take Fortinet 30E.BDL in the present situation. This model can easily fit the budget of the customer and their requirements in the full edge.

Gregor Papez - PeerSpot reviewer

You have several options. If you want to add IPS functionality then I would recommend Sophos Firewall XG. If you want to go the open source route then pfSense is the tool. There are other similar products that have different learning curves or prices. For my personal use I'm using Sophos Firewall XG since it is free for home users.

Dat PK - PeerSpot reviewer

It depends. If you have time and a server with 4-5 ports (VM or physical), you should install a pfSense firewall. It is open-source, it is quite easy to install and set up, but you have to spend time on it.

If you have budget for a FW you should choose:
- Fortinet, price: 8/10 but admin's experience about 7/10
- Palo Alto has an expensive price, we could say: 7/10, but admin's experience is very good; it is the best enterprise FW

When sizing a FW you should state the throughput so it helps the reseller pick a model for you. If you have 1-10 employees and 1 server I would say your best solution is pfSense open-source FW.

Jay Raimondi - PeerSpot reviewer

Here are three options depending on your budget and overall security consideration based on your business. Strongly advise that you locate a local resource to help you plan out your network and security work. There are many considerations to include server patching you need to keep an eye

1. Sonicwall
2. Fortinet
3. Palo Alto Networks

Owenmpk - PeerSpot reviewer
LeaderboardReal User

I recommend and deploy Kerio Control Firewalls because you can install it on an old desktop PC to which you add a 2nd network card. I use a Dell OptiPlex i5 with 8 GB of RAM for my base router. I also know that Sophos and Untangle have the same option and they both have better end user support than Kerio. I stick with Kerio because I have been a partner from way before the GFI purchase, so I know the products very well and do not have need for support.

On the outdated server issue, and if you are in a situation where with COVID-19 you do not want to be spending the money to upgrade hardware and software, I would reach out to Norton and see if their Business Protection suite protects against known threats to outdated software or has a protection add-on. I use Trend Micro Worry Free Security for my clients and learned that Trend Micro has an add-on or a separate product to add that type of protection.

Good luck in the coming days / months.

reviewer210690 - PeerSpot reviewer

Agree 100% with Thomas Davis. As a Meraki partner, I can attest it is a great product but you need to work with an authorized Meraki partner. As for the servers, I would note that you are facing an upgrade from an unsupported OS (2008 R2) and will need to be purchasing a server OS license for 2016 or Windows 2019. Microsoft licensing can be tricky, so I suggest contacting an IT company that is both a Microsoft partner and a Meraki partner. The firewall is a necessity, but understand that if you are running web servers, there will be at least ports 80 and 443 open to public traffic. These ports will be probed by malicious activities trying to make use of exploits in the hosting server OS and applications. Thus it is imperative that the environment be maintained and the latest patches applied in a controlled manner. It is difficult to accurately understand what is meant by "Norton Business Protection" as they offer a range of products. We have had great success with the enterprise offerings from Symantec but they too have recently (Aug 2019) sold the Enterprise Security Business to Broadcom.

Impossible to keep current with IT Mergers & Acquisitions. Accenture Security is to acquire Symantec's Cyber Security Services business from Broadcom. Second ownership change but core product, for now, remains the same offering.

Thomas Davis - PeerSpot reviewer

First you need to upgrade to a supported platform. 2012r2 or Higher...
Cisco Meraki Firewall is the easiest to manage and deploy.

reviewer1126683 - PeerSpot reviewer
Top 10Real User

Fortinet or Sonicwall

Ahmed Mohamed Abdelmaged - PeerSpot reviewer
Real User

Sophos XG firewall with RED devices to make tunnels

Evert Le Roux - PeerSpot reviewer
Real User

Just get Untangle, it's the easiest and cheapest...but not weak by a long shot... 4 years, multiple deployments and no breaches or ransomware

Walter Cross - PeerSpot reviewer

How can I get a Cisco ASA 5510 Firewall for a decent price? It has all the essential features.

Mohamed Rashwan - PeerSpot reviewer
Real User


Dave Kiewra - PeerSpot reviewer

What is the speed of your internet connection?

Star Sulaiman - PeerSpot reviewer
Real User

I would recommend you use Cisco Firepower. It is easy to configure and manage; this will be very helpful for you because you have a limited staff.

Presalesa8b7 - PeerSpot reviewer
Real User

Based on the information that you provide, you will need a small firewall (depending on the size and growth of your company and bandwidth). Since you also locate your website on your premises, I suggest you protect the server with a small WAF (Web Application Firewall). Regarding the brand, there are many justifications as you require, such as bandwidth, firewall feature (UTM or NG-Firewall) and budget.
Thank you

Yasser Kazmi - PeerSpot reviewer

You could go for CISCO MERAKI MX-64 with 1/3 yrs advanced security services license. Since it's cloud-based administration, it is very easy to deploy and manage. Can support up to 50 devices including servers.

Alan Chavira - PeerSpot reviewer
Real User

Take the FortiGate 40F with UTM protection (600 Mbps Threat Protection), easy management and low cost for your requirement. If you need load balance WAN links choose the 60F because it has more physical ports and 700 Mbps Threat Protection.

Kevin Daniel - PeerSpot reviewer

I personally use Cisco exclusively because that is what I know. Palo Alto firewalls are also very good. Those are the two biggest players right now from my research and knowledge. Performance-wise they are clearly direct competitors and one may fare better in one feature and the other in another feature, so it's hard to say one is really better than the other. Both can now be managed via a GUI; however, Cisco has the advantage of also being manageable via a fully developed and documented CLI.

As for which model to choose, that would depend on the anticipated load and any additional features you would need. Both support a DMZ / public / private network infrastructure. From what little information is provided the lower end firewall models would most likely be acceptable; however, the final is dependent on the incoming traffic more than the number of users behind it.

MuhittinAkar - PeerSpot reviewer
Real User

Windows Server 2008 is unsupported by Microsoft and you should migrate it to Windows Server 2019. I think your hardware is also very old. But you don't have to buy new hardware. You may create a virtual machine from a datacenter like Azure, AWS, etc. They also offer some security services like IPS, Next-Generation Firewall, DDOS protection, etc for your workloads and I am sure it will be cheaper instead of buying hardware. I advise you to use Fortinet, Palo Alto or Check Point virtual firewalls.

ImadAwwad - PeerSpot reviewer
Real User

First, before proceeding with the firewall brand, I need to know what tasks the firewall must handle, i.e. IPS, protection from the exterior, web application firewall, VPN users, protection for clients hosting their websites on your servers, web and application filter, mail filter? All of these will determine which firewall you should go for.

If you can send me these I will tell you which brands to follow and how the configuration shall be done.

As for Windows 2008, yes it is not supported but this doesn't make your environment vulnerable since you have Norton in place and the next-generation firewall will do the protections, unless you have a budget allocated to the migration to Windows Server 2016, then it is better to migrate first.

STEPHEN MINDER - PeerSpot reviewer

You have two challenges:
- First, Windows 2008R2 is no longer under Microsoft support (you will no longer receive security patches) - this makes your server MUCH more vulnerable.
- Second, firewalls. I tend to like Sonic Wall, but there are others as well. Each vendor has models that address a range of features, with cost considerations attached. Suggest working with a local vendor to consider a holistic approach to your org and needs.

Danut Agache - PeerSpot reviewer

I recommend using Cisco FPR 1010 (

Nguyen Nguyen - PeerSpot reviewer

I will prefer Cisco FPR 1120 for SMB as it is power of CISCO and no renewal fee for firewall subscription.

CoPr - PeerSpot reviewer
Real User

Better take the 60F instead of the 60E. More performance, lower price, same functionality.

Upgrading your 2008 servers is also a recommendation. But all firewalls of the major companies (Fortinet, Palo Alto, and CheckPoint) will be good enough for you. It all depends on your budget and how you manage your security policies.

A firewall isn't a silver bullet against all threats.

Hamid Hussain - PeerSpot reviewer

It depends on your budget. There are many options you can avail, but if you buy a Fortinet firewall, it will get you ease of management and all the options which an enterprise network needs.

One consideration is that the throughput required to respond to your web server queries is essential, so please choose as per your requirement, like 40E, 60E.
