Firewall recommendation

I am looking into getting a new Firewall.
The 2 that I have been recommended are the WatchGuard Firebox and the CELESTIX MSA2020 ISA 2004 (Microsoft ISA Server Appliance).
Does anybody have any good reasons why I should choose one over the other?

norgan commented:
I would choose Juniper over both; NetScreens are great and used by many ISPs.
bbao (IT Consultant) commented:
It is a simple question but hard to answer, because the real answer actually depends on your specific requirements, which were not clearly given in your question. Do not compare products before clarifying your actual requirements; that will make no sense.

Please introduce your particular situation and requirements first. Thanks.
rbunn (Author) commented:
The main purpose of getting this firewall is to give us some sort of failover device should our primary firewall go down.
The firebox would be configured basically the same way our current firewall is configured, and would live on the shelf until needed.
The ISA server would be configured to work as a web caching device and be put in place to utilize the features it offers.
Should the main firewall go down I would have an image to flash onto the ISA appliance that would be basically the same as our current firewall.
I know that the best way to do this would probably be to get another firewall like the one we have and configure them as a cluster or H/L. This method would be 2-3 times more expensive than going with either of the 2 methods that I am looking at, though.
giltjr commented:
I would suggest that you relook at the costs. I have worked with a site that did this, against my recommendations; they found that in the end having to have two people that knew two different firewalls that had different capabilities cost more. Especially since they did not realize they were using some of the features in their primary firewall that the "backup" did not have. The primary got fried and they had services out of the water for a week while they waited for a new one to be delivered, because the backup could not perform the same functions.
azmatm commented:
I would recommend Microsoft ISA Server with SecureGUARD; it's the best-tested solution for data security. I would also recommend you use customised security settings on your Windows box. You can secure Windows without any firewall (best would be Win2k3).

Two words...
Firewall NOD32

Yeah, that would be great, but just one problem. Eset does not create firewalls; they only create the antivirus program NOD32.

Both firewalls are good, but it comes down to price and knowledge. From what I've seen the WatchGuard Firebox is more readily available and cheaper than the CELESTIX MSA2020 ISA 2004. However, the WatchGuard Firebox error logs are a bit difficult to read unless you can read Unix system logs. Besides that, the WatchGuard Firebox is easy to use. The CELESTIX MSA2020 ISA 2004's web management is not so good, and it's fairly easy to use. They both have plenty of Ethernet ports. As a result, I would recommend the WatchGuard Firebox over the CELESTIX MSA2020 ISA 2004.


I don't know about that...
But I have Symantec Norton Internet Security 2006
and I have NOD32, which works like antivirus and firewall
and even blocks more attacks than Internet Security 2006.

Dazm commented:

But yeah... what you said is true, it is kind of more like an antivirus than a firewall,
but somehow NOD32 blocks a lot of malicious web scripts on websites you visit regularly.


You also may want to try Kaspersky Anti-Hacker Firewall.
It blocks more things than any other firewall on the market : )

Hi rbunn

I would second the vote for using the same kit for failover that you already have in production. This will ensure you face no issues with different configs, unsupported features etc. should you need to fail over. The need for different skillsets / knowledge of more than one firewall will also be removed.

To save costs you could replicate your existing config onto an identical cold standby rather than configuring them as an HA pair.

If you must go with the above options, from what you have said the ISA solution will offer you better value, as you will be able to make use of its proxying / web caching features in the meantime. Having had some experience with WatchGuard appliances previously, that option is likely to be slightly easier to configure than the ISA solution.


Netveda is the firewall you want..

This is not for your average user... this is a really nice professional version for free...
NetAdmin2436 commented:
...just my 2 cents (I can't afford any more money than that). I can't speak for the other firewalls mentioned...

You won't get people to agree on a common firewall. giltjr has a good point that two different firewalls WILL have different capabilities. When the time comes that the first goes, you may spend lots more time tweaking the second to adapt to your needs. You may have the second configured to "work" initially. Basic stuff may still work, but little things like PDFs coming in through email, or an email size limit, or downloading exes through HTTP may not work initially... hence, more configuration is needed on a backup firewall that you may miss. With that said, your 'primary' firewall should be the more granular (complicated/better... more control, basically) firewall. Then if the primary goes down, you can put in the secondary one with still 'good' protection and feel safe for a few days/weeks until you get the primary back up. You may want to keep your 'secondary' firewall running for a few weeks initially to work out all the kinks.

Microsoft ISA... Are all your other client computers running Microsoft? It's my opinion that protecting MICROSOFT with a MICROSOFT firewall is rather short-sighted. The same is true for the opposite... Hence, it is also my opinion that you want a completely different platform safeguarding your network.

I have a WatchGuard X500 on my network. For the most part I like it and am glad I have it now. WatchGuards are a part of the new UTM (Unified Threat Management) devices that are a rather 'stop all' firewall. With annual subscriptions to some of the following: they can block viruses and spam, and have intrusion prevention that stops all that stuff at the gates! They don't enter your network at all! Nice! This frees up your email server, FTP server and web server to do their job without worrying about that crap (still have protection on those servers in case). Unless you're an expert at firewalls, there is a learning curve that comes with WatchGuard. So you want to make sure you are prepared in case your primary goes down. As mentioned, the WatchGuard has extra 'optional' ports that are available with the Fireware OS (yes, an initial one-time extra cost). I believe mine has 5 optional configurable ports (DMZ for FTP, SMTP, web server, etc.). That's nice, so you can have 'special' rules for your public servers to try and lock them down.

May I ask what your other firewall is?

Hope this helps
Rich Rumble (Security Samurai) commented:
You can use two identical Cisco pixen and have stateful failover, no dropped sessions, no apparent disruption... Using more than one brand to me makes no sense; you're forcing yourself to have two different syntaxes and perhaps rules to remember... With Cisco's, the firewall reads the ACL from top to bottom, in the order they are listed; some firewalls simply search the list for a match... Little things like that can come back and bite you if you're not careful: while one firewall was doing its job, when it failed and the other took over, you forgot some minute detail or didn't account for this and that, and now the primary firewall is behaving differently than it should... I've seen it time and time again. I think any of the 500 series firewalls allow you to do stateful failover... but I'm not positive...
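The evaluation-order point above, as an added example that is not part of the thread or any vendor's code: one constructed rule set is evaluated under first-match (top-to-bottom) semantics and under an assumed most-specific-match semantics, and the flows whose verdict changes between the two are listed, along with rules that are shadowed (never reachable) on the first-match device. The rule set, addresses and the `most_specific` semantics are constructed assumptions for illustration.

```python
"""Constructed example: one rule set, two evaluation semantics, and the flows whose
verdict changes between them (the "minute detail" that bites on failover)."""
from ipaddress import ip_address, ip_network

# Constructed rules: (action, source network, destination port or None = any).
# Line 2 is intended to carve 10.1.0.0/16 out of the /8 permit.
RULES = [
    ("permit", "10.0.0.0/8", 445),
    ("deny", "10.1.0.0/16", 445),
    ("permit", "0.0.0.0/0", 80),
    ("deny", "0.0.0.0/0", None),  # explicit catch-all deny
]

def matches(rule, src, port):
    _, cidr, rport = rule
    return ip_address(src) in ip_network(cidr) and (rport is None or rport == port)

def first_match(rules, src, port):
    """Top-to-bottom, first hit wins (the Cisco ACL style the post describes)."""
    for rule in rules:
        if matches(rule, src, port):
            return rule[0]
    return "deny"  # implicit deny

def most_specific(rules, src, port):
    """Assumed alternative: among matching rules, the longest source prefix wins."""
    hits = [r for r in rules if matches(r, src, port)]
    return max(hits, key=lambda r: ip_network(r[1]).prefixlen)[0] if hits else "deny"

def shadowed_rules(rules):
    """Indexes of rules that can never fire on a first-match device: an earlier
    rule already covers every flow they would match (sufficient check only)."""
    shadowed = []
    for j, (_, cidr_j, port_j) in enumerate(rules):
        for _, cidr_i, port_i in rules[:j]:
            if ip_network(cidr_j).subnet_of(ip_network(cidr_i)) and port_i in (None, port_j):
                shadowed.append(j)
                break
    return shadowed

def policy_drift(rules, flows):
    """(src, port, first_match verdict, most_specific verdict) where the two disagree."""
    pairs = [(s, p, first_match(rules, s, p), most_specific(rules, s, p)) for s, p in flows]
    return [row for row in pairs if row[2] != row[3]]

FLOWS = [("10.1.2.3", 445), ("10.2.2.3", 445), ("192.0.2.9", 80), ("192.0.2.9", 22)]  # constructed

if __name__ == "__main__":
    print("shadowed on first-match device:", shadowed_rules(RULES))
    print("verdicts that change between devices:", policy_drift(RULES, FLOWS))
```

On the first-match device the deny for 10.1.0.0/16 is shadowed by the /8 permit, so 10.1.2.3:445 is allowed; on the most-specific device the same rule set denies it, which is exactly the kind of behaviour change a cold-standby migration can introduce unnoticed.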
hstiles commented:
If this device is supposed to act as a stop-gap whilst your main firewall is rebuilt/replaced, then I would recommend the Firebox for the following reasons:

1) Configuration is a breeze.
2) The proxies are very powerful; the HTTP proxy and WebBlocker make for a very secure environment.
3) UTM. The Firebox X Core and Peak devices running Fireware support gateway SMTP and HTTP antivirus, spam blocking, WebBlocker and IDS/IPS. Some of these features cost on an annual subscription basis, but there is a lot of extra security on offer.
4) Relatively inexpensive hardware.

Your business might be able to tolerate highly restricted web access whilst your main firewall is replaced. I would rather err on the side of too much rather than too little security.

With reference to point 4, you might find that you buy a second Firebox and set up an HA pair.
I still say that if you are using a brand B firewall to back up your brand A firewall you are doing nothing but asking for trouble.

How many people here would recommend using Linux as a backup to your Windows Domain Controllers and file servers because it is less expensive to have Linux boxes sitting there doing nothing when compared to setting up Windows clusters? It would be a nightmare to try and get a Linux environment set up and kept in sync with a Windows AD and file server world, and it is a whole new skill set to learn.

It may seem less expensive until the day your production firewall falls over and it takes a day, or a week, or a month, to get it replaced, and you find out that there are 100 changes you need to make to get the backup firewall to take over, and there are functions that your old firewall did that the backup does not do, and now you have lost the ability for work to be done.