aconway
 asked on

$500-600 Firewall that supports DMZ's??

I am shopping for a good firewall (currently use a PIX 506) that supports a true DMZ configuration for our web servers, not something silly like what you see on a Linksys $69 special.

Does anyone have some good advice on a firewall that fits that description? I've looked at the SonicWALL Pros, but they are a bit overpriced, IMO. What about the TZ series???

Last comment: jabiii, 8/22/2022 - Mon
jasonpaine

The SonicWALL TZ170 has a DMZ port; you can assign a different IP address for the DMZ and create access rules if you need the DMZ to access the LAN side, otherwise the DMZ cannot access the LAN.
eBay and Newegg have the new TZ170s in your price range.
ASKER CERTIFIED SOLUTION
rsivanandan

Les Moore

If you have a VLAN-capable switch, your existing 506 will support splitting the inside interface in two and giving you a true DMZ.
Else take a look at the next-gen ASA 5505.
tim1731

Vigor3300V: up to three of the WAN ports can alternatively be configured as hardware DMZ ports for the isolated hosting of a public-facing server.

Can do failover or bonding.

Firebrick
http://www.draytek.co.uk/products/vigor3300v.html

http://www.firebrick.co.uk/

or the NetScreen, but get a 25 off eBay.
aconway

ASKER
Hmm. lrmoore, can you give me the basic rundown of how that would work? Something I'd have to turn on within the PIX, then segment using the VLAN on the switch?
Les Moore

PIX:

interface ethernet1 vlan2 logical
nameif vlan2 intf2 security50
ip address intf2 192.168.222.1 255.255.255.0
nat (intf2) 1 0 0

The switchport to the PIX interface must be a trunk port (they are auto by default).

Switch example: create a new VLAN 2 and assign ports 14-24 to that VLAN:
switch#vlan data
switch(vlan)#vlan 2 name internet
switch(vlan)#exit
Apply completed
switch#config term
switch(config)#interface fast 0/1
switch(config-if)#descript PIX Firewall
switch(config-if)#switchport mode trunk
switch(config-if)#interface fast 0/2
switch(config-if)#descript AP1100
switch(config-if)#switchport mode trunk
switch(config-if)#interface range fast 0/14 - 24
switch(config-if-range)#switchport access vlan 2
switch(config-if-range)#exit
switch(config)#exit
switch#sho vlan

Anything plugged into switchports 14-24 is in your DMZ.
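As an added example (not from Les Moore's post, not Cisco's own configuration), this is the PIX 6.3 policy that makes the new segment a true DMZ: the outside can reach only the web server's published ports, and the DMZ cannot initiate anything toward the LAN. Assumed and constructed values: the interface names above (intf2 at security50), inside LAN 192.168.1.0/24, web server 192.168.222.10, and public address 203.0.113.10.

```cisco
access-list outside_in remark Added example: publish only HTTP/HTTPS of the DMZ web server
static (intf2,outside) 203.0.113.10 192.168.222.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside
access-list dmz_out remark Deny DMZ to inside LAN before the outbound permit
access-list dmz_out deny ip 192.168.222.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_out permit ip 192.168.222.0 255.255.255.0 any
access-group dmz_out in interface intf2
```

An interface ACL on the PIX takes the place of the security-level check, so a bare `permit ip ... any` on intf2 would let the DMZ initiate to the inside wherever a translation exists; the explicit deny ahead of it keeps the DMZ one-way.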
jabiii

I'd go with the NetScreen. It is exactly what you're looking for. With one correction: it has 5 ports, 1 untrusted, and 4 you can set to whatever.

Bad Rajesh I'm telling your boss :)
rsivanandan

Ha ha jabiii :-) Actually the 'untrust' is left out; for him to play with there are 4 ports, that is what I meant! VLANs, port modes, anything goes in there... a wonderful product... gonna buy one for myself at home :-)

Cheers,
Rajesh
jabiii

*grin* If I had internet at home... I would too... but in the meantime I keep two 204s, a 5XT and a 5GT at home to play with :) not to mention what's on my desk at work ...00..

rsivanandan

Jeez, you have two 204s??? You're rich. I think the author would be happy with 5GTs.

Cheers,
Rajesh
aconway

ASKER
Thanks guys.. thinking the NetScreen-5GT seems most appealing..
rsivanandan

Thanks for the points, and believe me, it is an amazing box! The reason I suggest it is the flexibility and the feature list supported on it. The PIX 501 is comparable to it, but if you compare the datasheets for performance there is a difference; then again, you don't get Deep Inspection (a minimal version of IPS) in the PIX, which I seem to be liking too much.

A little suggestion, or rather a piece of advice: stick with 5.3r3 or 5.3r4 for the OS on it and don't upgrade it to 5.4r1 (don't ask :-))

Cheers,
Rajesh
jabiii

I'm afraid to...
aconway

ASKER
Have a good reseller?
jabiii