Solved

FortiGate 60 or FireBox X500?

Posted on 2004-10-23
9,073 Views
Last Modified: 2013-11-16
I'm setting up a network of four servers, approximately 65 pcs, and a dozen printers. This network will have a dedicated T-3 class internet connection. I'm trying to find the best hardware firewall product that includes high-quality intrusion detection and prevention, and possibly virus wall features. Oh, and it has to be relatively easy to set up and administer because I'm still learning when it comes to network security. Has anyone had an opportunity to compare these two products in similar environments? Do you have other suggestions?

The FortiGate is the only product that is ICSA certified for firewall and intrusion detection. The FireBox is ICSA certified as a firewall only, but they have some very convincing data regarding their intrusion prevention features. I know a lot of people are going to mention Cisco. I've tried to work with Cisco products before, and I find their user interfaces kludgy at best. Other products I've given strong consideration to include the SonicWall PRO2040 and Symantec's 5420. I've also considered running Kerio's WinRoute Firewall on a dedicated PC as a gateway. WinRoute is also an ICSA certified firewall.

Any input based on real-world experiences with these products would be greatly appreciated.
0
Question by:realitybytes
    14 Comments
     
    LVL 79

    Assisted Solution

    by:lrmoore
    Cisco PIX is also ICSA and EAL4 certified
    http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pxcrt_ai.htm
    http://www.icsalabs.com/html/communities/firewalls/newsite/certification/vendors_4/cisco-pix/index.shtml


    It has built in intrusion detection and is best-of-breed for firewall. The new GUI makes it relatively easy to get things going and to manage/maintain. It does not have in-line virus protection. The PIX does not and will not try to be an all-in-one box.

    If you think the Cisco interface is kludgy, wait until you see the Fortigate...or Sonic OS..

    I would rule out anything that runs on a PC, including Kerio, if the PC runs any Microsoft operating system as its foundation.
    I would consider some dedicated Linux box first, but unless you are a linux guru and really are a glutton for manual maintenance, well....

    I would weigh heavily on the Symantec gateway product as my second choice... You might find hidden licensing issues drive up the cost...

    Have you considered NetScreen (Juniper) products? They are rock-solid.
    http://www.juniper.net/solutions/security/work/infrastucture_firewall.html

    If you have a dedicated T3 internet connection, I assume you will connect that to a Cisco router sitting in front of the firewall. Why not look at a total Cisco package? Keeps maintenance easier, and is easier to create a complete "system" for IDS and intrusion prevention.
    0
     
    LVL 1

    Author Comment

    by:realitybytes
    You are correct in assuming that there is a Cisco router sitting in front of the firewall. Problem is that it belongs to our service provider, and I not only have no access to the settings, I wouldn't know where to start if I had to configure it. Kind of makes it difficult to create an integrated system.

    I notice that you didn't comment on the WatchGuard product. Any input there? Are you put off by the ASIC structure? The TCO of this product line is very attractive.

    I gave heavy consideration to the Symantec gateway early on in my research - if for no other reason than the fact that we have Symantec's Enterprise AV installed on our network. The pricing is the main drawback. The other negative was that I had read some reviews that said it was somewhat difficult to set up because many of the features are buried deep in submenus, and the default setup does not provide a good level of protection.

    I only recently discovered the Juniper products. Do you have any recommendation on the appropriate unit for our network size?
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    I have nothing at all against the Watchguard products, I just don't have any hands-on experience.
    Our own corporate IT uses the NetScreen products and likes it very much. Again, though, I don't have any experience with it to help decide on exactly which model would be best. Our guys are looking at the 5000 series. We have almost 5000 employees worldwide. I would think that the 200 series might be just right for your network, or even the 50 series.

    0
     
    LVL 1

    Author Comment

    by:realitybytes
    If I'm being a jerk, I apologize in advance. But I just read through another recent discussion:

    http://www.experts-exchange.com/Security/Firewalls/Q_21148372.html?query=Cisco+506E&topics=193

    You seemed to be pretty positive about the FireBox X500 in that thread. Does anyone know if there is a way to directly contact another user in ExpertExchange? I'd love to contact the guy who asked the question in that other thread (r270ba) and see if he had a good experience with the FireBox.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    You can post a comment right in that thread if you want to and ask about their experience with the box. There is no other way to contact anyone directly.
    0
     
    LVL 2

    Accepted Solution

    by:
    I would definitely choose the Firebox, though I would probably go with an X700 for the better VPN capabilities.  The Firebox is going to be really your only choice for the higher level features that you want, for instance:
    -The HTTP proxy can filter out like Active X controls or other things based on your config
    -The SMTP proxy service can filter based on attachment MIME type (like excel, it will then filter out excel regardless of file extension).  It can also filter out email based on file name, subject name, file size, and more.  Very handy!
    - It doesn't just do intrusion detection, it does PREVENTION.  You can configure any rule to trigger a temporary black list of an IP address.  But the coolest part of the watchguard IPS (intrusion prevention system) is that if you port scan a watchguard, it will come back with no open ports, even if there are ports open.  Go ahead, try it.  Unless you are scanning VERY slowly and with all kinds of paranoid nmap settings, the watchguard will show no open ports and can be configured to block the person who tried.
    -Can terminate PPTP connections, which is great for management.

    There are a million more features, ask questions if you are curious.  I am a Watchguard Certified Systems Professional.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Good stuff...
    Thanks for sharing that with us!
    0
     
    LVL 1

    Author Comment

    by:realitybytes
    fendermb4 -

    Thank you for your input. Since you seem to have some experience with WatchGuard, and you said I could ask questions, I've got a couple:

    1) According to one manufacturer rep that I spoke to, the WatchGuard FireBox is one of the slowest firewalls on the market. Frankly, I'm not hugely concerned with that as long as it does its job well. But do you agree that it is slow?

    2) I have read that the FireBox X can be upgraded with an internal hard drive, but I can't find any information on how that is done. It doesn't appear to be an option that you can purchase from WatchGuard. At least I couldn't find it on their site. Is this an option that is not yet available?

    3) I have to be honest. I was all set to order a FireBox. Then I ran across another discussion on Experts Exchange. The guy claimed that he bought a FireBox X500, was having problems configuring it, and was unable to get any support. He said that he called several times, but never received a callback. I sent an email to WatchGuard, told them I was interested in purchasing their product, told them I had some concerns about their technical support, and asked them to address the claims made in that other thread. To my dismay, they haven't even responded to my inquiry. Several hours later, I signed up for access to some PDF materials on Juniper's website. Within an hour, they were calling me to ask if I had any questions. Having said all that, my question to you is: Should I be concerned about WatchGuard's Customer Service and/or Technical Support?

    Now one thing I do have to say is that WatchGuard's products must be fairly solid. According to a recent article I read, their products are the #1 seller in the $1,000 to $5,000 price range. And yet, you rarely see any questions on Experts Exchange about any of their products (unlike the Cisco PIX products). So I haven't given up on them yet. I just need a little convincing.
    0
     
    LVL 2

    Expert Comment

    by:fendermb4
    1.)  I have to wonder what manufacturer rep that was.  Watchguard is extremely competitive performance wise.  The best part is, let's say you buy an X500, and a year from now, your needs have grown and you require more performance.  It is simply the purchase of an additional license key to upgrade.  YEAH, all fireboxes are exactly the same hardware wise, so it's just a matter of unlocking more performance if you need to.  This significantly decreases the risk of purchasing a firebox.  That said, the X700 does 40MB of VPN throughput, and handles like 50,000 concurrent connections.  Compare the numbers of the boxes you're interested in (the real numbers, not some guy's opinion) and see for yourself.  You can find all the numbers for the various fireboxes at www.watchguard.com.
    2.) I haven't heard anything about upgrading the hard drive.  I know that they have some significant sort of storage already though.  I know this because at a recent Watchguard Seminar, they talked about some of the new features that would be coming out for the fireboxes soon.  They were things like border antivirus and other things that would require a good amount of storage.  You'll be able to add these with a software key.
    3.)  I have never had a problem with support.  They get back to you within 4 hours.  Sometimes faster if you convey some urgency in your request.  Watchguard doesn't sell directly, they only sell through a channel setup. Their sales team may not be suited for your queries, but you can always call like CDW (www.cdw.com) or something for a lot of answers.  They sell watchguards and have engineers that can answer your pre-sales questions.

    I saw a demo where a firebox was pitted against a PIX, and they had a hacker launch several identical attacks at the pair.  I know this will get me flamed, but there were a lot of attacks that the watchguard stopped and the PIX didn't.  In my opinion, the firebox is more secure.  Take it or leave it.
    0
     
    LVL 1

    Author Comment

    by:realitybytes
    You can watch a video of the demo (or something similar) on the WatchGuard website. It's one of the things that got me interested in the first place. You have to sign up to get access to the demo video, but I thought it was worth it. Again, though - you have to wonder about a company that asks you to sign up for a user name to watch the video, and then doesn't even follow up to see if you're interested.

    Do you have any experience with the WebBlocker or SpamScreen features?
    0
     
    LVL 2

    Expert Comment

    by:fendermb4
    Yes, I've used both.  I thought that WebBlocker was very good.  It is definitely a feasible solution to content filtering for a company like what you describe.  I was not as impressed with SpamScreen.  I've been told that SpamScreen has been greatly improved since I used it, but I don't know.  For me, SpamScreen didn't cut it.
    0
     
    LVL 1

    Author Comment

    by:realitybytes
    Thank you again for your input. I'm going to have to make a decision between the FireBox and the NetScreen. I am surprised that there wasn't anyone here to bang the drum for the FortiGate. It's very hard to find any comparative reviews of Firewalls in this price range.

    Network Computing did a review back in March, and they rated the FortiGate 60 the highest of the five boxes they looked at. Of course they didn't look at the FireBox, the NetScreen, or the PIX, so it wasn't a very helpful review for me. FWIW, if anyone else is reading this discussion, Network Computing rated the following products on a five-point scale:

    FortiGate 60:  4.26
    ServGate EdgeForce:  4.02
    Astaro Security Linux: 3.83
    SonicWall TZ170:  3.82
    Symantec Gateway Security 5420:  3.68

    I'm going to split the points between the only two people who were kind enough to respond.
    0
     

    Expert Comment

    by:stagss
    65 clients means you could try Fortigate 100 or a higher end model? I have personally tried them for some of our corporate clients, and I would recommend you to go for the Fortigate product.  Easy to set up, Antivirus, SPAM, SPYWARE, IDP, IDS and much more functionality in a single box, and the cost is cheaper as well.

    I have implemented FG 50A, 60, 100, 200, 800, 1000 for HA environments.  So far no problems. Support is fantastic. Good luck.
    0
     
    LVL 1

    Author Comment

    by:realitybytes
    Well stagss, your input was a few months too late for me, but perhaps someone else will find it helpful.

    As long as I'm posting, I will give everyone an update on my experiences so far. In the end I decided to go with the WatchGuard FireBox X700. I have found the interface pretty easy to deal with, and the configuration has been fairly straightforward. There were only a few areas that were somewhat confusing. Their manual does not do a good job of explaining anything in detail - despite the fact that it is about 400 pages long. Everything is explained in generalities, and there are very very few explicit examples on how to make specific settings. Although the device is extremely flexible, they do not give much advice on what settings would be appropriate for typical network setups. Configuring SMTP is somewhat tricky because they offer both a proxy and a packet filter for SMTP services. Although it is not documented anywhere in the manual, you pretty much have to use the proxy for incoming SMTP and the packet filter for outgoing SMTP, even though both services have the apparent capability to handle both incoming and outgoing connections. Since email is a primary function of internet connectivity, you would think that they would do a much better job of documenting this. The only other problem that I had in configuration was with setting up a pcAnywhere packet filter. Again, even though they provide a pre-built filter for pcAnywhere, there is absolutely nothing in the documentation that tells you how to configure it.

    So obviously, if the documentation isn't too good, the tech support had better be darned good. My experience with their tech support was okay, but not great. Part of that was my own fault. I originally contacted tech support through their email support, and I probably should have gone the telephone route. When I called the tech support line, the recording gave me a choice between immediate help from an outsourced help desk, or a callback from a domestic tech within a certain time frame. My experience with outsourced phone support is usually somebody who is reading a script with a heavy accent that is difficult to understand and they usually have trouble understanding exactly what I am trying to say, so I decided against that. I didn't like the idea of a callback either because I can't just sit in my office for hours waiting for a phone call.

    Even though their email support promises a response within four hours, the reality is that the first response came about eight hours after I posted my question. At that point, I was long gone. And even though I gave a detailed explanation of my problem, the first response was little more than a canned statement that my case had been assigned to a specific representative and their normal working hours were from x to x, and that they would call me at some point during that shift. So I waited all day that next day for a callback that never came, and then sent another email asking why they never called. Eight hours later, I got another response that their work shift had changed and that my case was going to be assigned to someone else.

    Long story short, it took a few days to handle my two minor problems. When I finally did get to talk to someone on the phone, it was obviously someone from outside the country with a heavy accent. I had trouble understanding them, and they had trouble understanding me. But the actual support that they gave was good, and my problems were fixed. Not exactly a stellar support experience, but a passing grade nonetheless. I hate to think what I might have gone through if I had a major problem that I couldn't wait for several days to handle though.

    I still have a few open issues about the product. First, there is clearly a slot built into the chassis for a hard drive. Currently the slot is filled with a plastic protector. I'm assuming that the purpose of the slot is to allow you to do logging within the firewall itself instead of logging to an outside computer with logging software. This would be a major benefit to me. Sadly, there is no hard drive upgrade available anywhere that I can find.

    Second, I'm not really clear on what I'm getting for my money with the "Live Security" service. I guess that I had assumed that this was some sort of updating service that would download new functionality to the firewall on a regular basis - like new virus signatures or something similar. Basically, I think it just entitles you to access their tech support.

    For the most part, I am very happy with my purchase - even though it might sound like I'm complaining. The FireBox X700 is a powerful device with a lot of very flexible features. I have not encountered any of the speed issues that were mentioned by the competitor's salesman, so I think that was just sales talk.
    0