Demo24,
>However their products are too expensive for my application, especially when I have to cover small offices with 3-4 PCs in it and really can't justify a 2k appliance there.
Have you considered a topology where you have a non-split tunnel VPN based on inexpensive devices taking ALL small branch traffic back to your main site, and then do your firewalling there with one better device? Obviously, factor in extra bandwidth and main site and extra slowdowns, but that might be an option, depending very much on the details of your situation.
The CCNP class taught them that ASA is the firewall. Just like EIGRP is the routing protocol.
Also, I've seen a lot of folks who know Cisco - kind of - and don't want to, or aren't capable of, learning anything else. So they go with what they know. I've watched this trump all sorts of logic and reason.
What's funny is my company CEO has basically stated that he wants everything to be Cisco. So the guy with the Cisco certs is going to be trying to push non-Cisco stuff to the pro-Cisco CEO. I never would have thought that would happen!
Cisco ASA
I haven't used them in a few years, but even back then, ASAs were hopelessly outdated junk. Their UTM functionality was a joke, ASDM was barely functional, and they were slower than the competition. Cisco's new ASA 5500-X lineup seems to have made their performance competitive again, at the cost of even less UTM functionality
If anybody knows what the draw of these devices are, please chime in. I simply can't see any compelling reason to use them at all.
SonicWALL
I haven't really used these devices much, but based on what I've seen, I'm not a huge fan. In what I assume is an attempt at making their firewalls easy to configure, they seem to have created a "black box" that doesn't behave as a network engineer would expect. It didn't help that the documentation was very sparse, not context-sensitive, and even missing in some aspects. In fact, their entire GUI could really use an overhaul.
If I had more time to play around with them and get used to their idiosyncrasies, I might warm up to them more. They ultimately work well enough, but they wouldn't be my first choice.
Fortinet
I've generally been happy with Fortinet. The products are fast, feature-filled, reasonably-priced, and they don't nickel-and-dime you on licensing like some other vendors do.
There are some rough areas. For example, logging and reporting are definite weak points compared to the competition unless you purchase a dedicated monitoring appliance or use their monitoring service.
Overall, though, I recommend them and they're usually my first choice for edge security.
Thanks for the input everybody. It seems like the three I was leaning to heavily start investigating (Fortinet, Palo Alto, and Checkpoint) are the 3 that others seem to support the most.
CCNP did teach me that. It's been really hard to move away from Cisco anything since my degree was basically Cisco networking. However, I'm getting there. Especially as it comes to firewalls. Sorry Cisco, you've fallen behind. Way behind. The ASA-X stuff might help but I'm not holding my breath.
What's funny is my company CEO has basically stated that he wants everything to be Cisco. So the guy with the Cisco certs is going to be trying to push non-Cisco stuff to the pro-Cisco CEO. I never would have thought that would happen!
pfsense appliance? Best bang for the buck
+1 Palo Alto. They seem to get it. Usual network equipment caveats apply, vendor performance claims should generally be taken with a box of salt.
theevilsharpie,
>If anybody knows what the draw of these devices are, please chime in. I simply can't see any compelling reason to use them at all.
The CCNP class taught them that ASA is the firewall. Just like EIGRP is the routing protocol.
Also, I've seen a lot of folks who know Cisco - kind of - and don't want to, or aren't capable of, learning anything else. So they go with what they know. I've watched this trump all sorts of logic and reason.
Demo24,
>However their products are too expensive for my application, especially when I have to cover small offices with 3-4 PCs in it and really can't justify a 2k appliance there.
Have you considered a topology where you have a non-split tunnel VPN based on inexpensive devices taking ALL small branch traffic back to your main site, and then do your firewalling there with one better device? Obviously, factor in extra bandwidth and main site and extra slowdowns, but that might be an option, depending very much on the details of your situation.
All,
Two things to remember about these products:
1. Fortinet key people were the old key people behind Netscreen, which got bought by Juniper, and later they bailed. So Juniper's products are short many of the key/original people, while Fortinet is those same people's next generation. Also, Juniper seems to really just want to graft the Netscreen functionality into JunOS, which on the surface is a great strategy, but the process of getting there is ugly.
2. Dell bought SonicWALL. I have not been happy with the results I've seen of any of the acquisitions Dell has done - in my opinion every product they have acquired has either atrophied or actively gotten worse. (also, in general, I've just had a ton of bad experiences with Dell the company and Dell products)
For firewalls I only really know the Cisco stuff, but the entire ASA-X line supports L4-7 filtering, IPS, identity, etc, plus much faster firewall throughput. All in hardware, at least in theory. Also I agree with RadiclDreamer that ASDM has come a long way - I heard that Cisco hired a bunch of new devs from other manufacturers to spruce it up. So far so good. Might be worth another look if you're not familiar.
I've heard lots of good things about PA, with the major drawback being significant cost. That matters to some enterprises; doesn't matter so much to others. I haven't met anyone yet who said they didn't like the product, so that in itself is impressive.