Solved

Watchguard XTM505 - Fortinet's Fortigate 80C - Sonicwall TZ210, NSA 240 - Netgear Prosecure UTM25

Posted on 2011-03-08
Last Modified: 2012-06-22


Which one of the firewalls in the list below would you prefer to buy, with respect to features, support, user-friendliness and reliability?


Watchguard XTM505
Fortinet's Fortigate 80C
Sonicwall TZ210, NSA 240
Netgear Prosecure UTM25
Question by: OCUBE

Accepted Solution by: digitap (earned 500 total points)
ID: 35070654
I've worked with WatchGuard and my experience hasn't been good. It's been with the older models which don't have the web interface, so configurations were difficult. I didn't find the web reporting any easier to work with. I couldn't recommend them.

The only other appliances I'm familiar with are the SonicWall models. The TZ210 is the top level of the TZ range, and the 240 is the introductory model of the NSA range. The 240 is going to be more expensive, but if you need the extra processing power for the security services (content filter, application firewall, IPS, Gateway AV, etc.) and/or multiple site-to-site VPNs or VPN users, then you'll want the 240. Regarding the 210, if cost is a concern it would be the way to go. It will do all that the 240 will do, but on a smaller scale. The 210 can even be paired with another 210 in HA (high availability). So, you get a lot of bang for your buck.

The SonicWall models can be strictly wizard driven. There are wizards for opening ports to an Exchange server, and there's a wizard for configuring a VPN.

You can either use the Global VPN Client or the SSL-VPN client to connect remote users. It has L2TP VPN capabilities. You can authenticate users with RADIUS or LDAP, or keep the authentication right on the SonicWall.

SonicWall is all I deploy. They do make mistakes and it can get challenging, as with any vendor. However, I'd have to say that we don't get a lot of DOA hardware, and when we need resolution, there hasn't been much I couldn't figure out through their KB or on EE.

Hope that helps!

Author Comment by: OCUBE
ID: 35074918


Is there a major difference between SonicWall's NSA vs. TZ series?

Assisted Solution by: digitap (earned 500 total points)
ID: 35074995
The primary difference is going to be in their throughput. You're going to be able to analyze and move traffic much faster through an NSA than a TZ. With that, you can add more site-to-site VPNs, remote VPN users, etc. The datasheets below are on the TZ and NSA respectively. SonicWall has stopped providing PDF datasheets and opted for the more commercialized version... sorry about that.


http://www.sonicwall.com/us/products/TZ_Series.html#tab=compare
http://www.sonicwall.com/us/products/NSA_Series.html#tab=compare

Author Comment by: OCUBE
ID: 35075030


Do both the NSA and TZ take care of the spyware/malware attacks which we see most commonly on user desktop PCs when they are browsing?

I have seen instances where user PCs get some fake antivirus trojan infections, either when they accidentally go to some websites or click on some bad emails.

Assisted Solution by: digitap (earned 500 total points)
ID: 35075052
It has gateway antivirus and antispyware capabilities that come with the Total Secure licensing. We typically get that on all the SonicWall appliances that we deploy. However, even with that and Symantec Endpoint on the workstations, users still manage to get infected. I don't know if you are considering this as a replacement for the workstation-level protection or not, but I would strongly urge against the notion.

Anyway, you can license separately the Client Antivirus solution, which allows the workstation client to communicate with the SonicWall. If there is an infection, the SonicWall can block the workstation from accessing the internet. Also, you can set up rules so that if a client tries to connect to the internet and it doesn't have the AV client, it won't be allowed out. At least that's the way I THINK it works. I've never licensed that product, but all of the advanced services come with a trial allowing you to try before you buy.

Author Comment by: OCUBE
ID: 35075084

I would not replace our workstations' Symantec SEP. I will still keep that in place.

The Client Antivirus solution that you mentioned above, is that a separate product by itself?

Can a local SEP install talk to the SonicWall and still be able to block internet access if there is a PC infection?

Expert Comment by: digitap
ID: 35075167
Cool.

It's licensed separately from the Total Secure package. It's a partnership with McAfee.

No.

Information about the basic package is below:

http://www.sonicwall.com/us/products/Network_Security_Comprehensive_Gateway_Security_Suite.html

Information about the client is here:

http://www.sonicwall.com/us/products/Network_Security_Enforced_Client_Anti_Virus_Anti_Spyware.html

Author Comment by: OCUBE
ID: 35075280

OK, I will check your links.

Tell me if the features I am looking for below are part of the SonicWall NSA & TZ series:

1. Let's say a PC gets infected with some virus and tries to send out tons of spam emails from our network to the outside world. Now either those emails are going out from the local PC's Outlook, or being routed through our email server which is in the same LAN.

Let's say on average I know emails going out will be around 200-300; when the above instance happens, maybe the mail server tries to send around 1000s of emails out. We will not know that there are spam emails going out from our network until we receive an email bounce-back message from a legitimate outside email server saying that your email is not delivered because your public IP address (or mail server external IP address) got blacklisted in some spam databases.

Now after we see the above message we try to look for the PC which got infected; it's hard to find it unless we run a full scan on all the PCs.

Now in the above instance, can SonicWall be proactive and alert us before our IP gets blacklisted outside?

2. Can it show us a report of the internet bandwidth usage of our network over a period of time?

3. Can it show us real-time internet bandwidth usage based on the network PCs' hostname or IP address, to identify the PCs which are using most of our internet bandwidth?

4. Can we do bandwidth management based on internal IP addresses? Let's say we have a T1 1.5Mbps pipe; I want to create a bandwidth profile and allocate 0.80Mbps to a certain internal LAN IP address (which is our web application server).

..... will add more to the above list once I get answers.



Thanks in advance

Assisted Solution by: digitap (earned 500 total points)
ID: 35078707
1. Not really. If your Exchange server is hardened, then you've probably configured it to only allow authenticated email to go through. So, Outlook and MFPs that you've configured an email account for.

What I also do is to create an additional firewall rule LAN > WAN to deny all hosts from sending SMTP traffic. I then put a firewall rule right before that one to allow the Exchange server to send SMTP traffic LAN > WAN. When SMTP traffic hits the SonicWall, if it's the Exchange server, then when it finds the first rule, the traffic goes out and it stops. If it's a workstation infected with a virus, it hits the first rule, sees it's not the Exchange server and moves on to the next rule, which is the restrictive rule, and blocks the SMTP traffic.

2. Yes. When you license the Comprehensive Gateway Security Suite, you get ViewPoint. This software installs on an internal server. You configure the SonicWall to send log information to the ViewPoint server. The ViewPoint server summarizes the data and tells you who went to what sites and for how long, who consumed the most bandwidth, what viruses were blocked, what antispyware was blocked, what websites were blocked, etc. You can configure scheduled reports to be emailed to you on a regular basis. It's quite extensive.

3. Yes, see my response to number 2.

4. Yes. First, you set how much bandwidth you have on the WAN interface. When you do this, it enables a new tab within the firewall rules. Using bandwidth management rules, you can specify what hosts are either guaranteed a certain bandwidth or can only consume a certain percentage, or both.

I'll be waiting.
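To make the rule-ordering point from the answer above concrete, here is an added example that is not SonicWall code and not from the thread: a small first-match rule evaluator modelling the LAN > WAN SMTP pair (allow the Exchange server, then deny everyone else). The Exchange and workstation addresses and the LAN > WAN default action of allow are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of a first-match firewall policy: the LAN > WAN rule pair
# from the thread (allow Exchange SMTP, then deny all SMTP). Addresses and the
# LAN > WAN default action are assumptions, not values from the thread.
@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str        # CIDR the source must fall in; "0.0.0.0/0" means any host
    dst_port: int   # 0 means any port
    action: str     # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone == pkt.src_zone
            and rule.dst_zone == pkt.dst_zone
            and ip_address(pkt.src_ip) in ip_network(rule.src)
            and rule.dst_port in (0, pkt.dst_port))

def evaluate(rules, pkt: Packet, default: str = "allow"):
    """First matching rule wins; anything unmatched gets the zone default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "zone-default"

EXCHANGE = "192.168.1.10"          # assumed Exchange server address
RULES = [                          # order matters: specific allow before broad deny
    Rule("allow-exchange-smtp", "LAN", "WAN", EXCHANGE + "/32", 25, "allow"),
    Rule("deny-all-smtp",       "LAN", "WAN", "0.0.0.0/0",      25, "deny"),
]

def smtp_decision(rules, src_ip: str) -> str:
    """Action taken for outbound SMTP (port 25) from the given LAN host."""
    return evaluate(rules, Packet("LAN", "WAN", src_ip, 25))[0]

if __name__ == "__main__":
    print(smtp_decision(RULES, EXCHANGE))         # allow: mail server gets out
    print(smtp_decision(RULES, "192.168.1.57"))   # deny: infected workstation blocked
    print(smtp_decision(RULES[::-1], EXCHANGE))   # deny: swapped order blocks Exchange too
```

Non-SMTP traffic from a workstation (for example port 443) matches neither rule and falls through to the zone default, which is why the deny rule can be this broad without breaking web browsing.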

Author Comment by: OCUBE
ID: 35082314


5. Does having Gigabit ports on the firewall help? If YES, how in our case?

We have an internal Gigabit switch; most of the servers have gigabit NIC cards, and Cat6 cables are run between the NICs and the switch.

The current firewall we have (Linksys RV016, which we will be replacing with SonicWall now) has only regular 100MB ports.

The ISP (1.5Mb pipe) has a Cisco router (which is just a bridge and does not do anything).

Cat6 cable runs from Cisco (ISP) to RV016 (firewall) <=> Gigabit switch

All the servers are connected to Gigabit.

Now if we had a firewall (SonicWall) with a Gigabit port, does it help w.r.t. performance?

   


Expert Comment by: digitap
ID: 35082844
5. Your internet connection is 1.5Mb, so that's going to be your limiting step. Your internet traffic may hit the SonicWall at 1Gb, but it is going out at 1.5Mb. I don't see how, in this case, 1Gb would really matter. Internal traffic isn't going to traverse your SonicWall, unless you are routing different internal subnets through the SonicWall, so it doesn't matter that the port is 1Gb. I've seen some posters here on EE with 1Gb internet connections.

Author Comment by: OCUBE
ID: 35082909


We will be adding one more new ISP line (20Mbps download, 10Mbps upload) to the current network.

Expert Comment by: digitap
ID: 35083063
So adding, which means you'll have redundant internet? The SonicWall does allow you the opportunity to add an additional WAN connection and load balance/failover/spillover to a secondary internet connection.

Author Comment by: OCUBE
ID: 35083142


The new ISP will not be a failover for now:

Initially we wanted to use the 2nd pipe to serve fully for one of our internal web hosting servers,

and we will eventually want to load balance these 2 ISP pipes (1.5Mbps Covad static + Comcast Business 20Mb D/10Mb U) and do some bandwidth profiling.

Which I am hoping the SonicWall does the job? Right?

Expert Comment by: digitap
ID: 35083207
Yep. You can set up routes based on either the host or the type of traffic to determine which WAN interface it will use. Then, you can create firewall rules to decide how much bandwidth they use.

Author Comment by: OCUBE
ID: 35084542

The NSA 240 has a "Stateful Throughput 600Mbps", "UTM throughput 110Mbps", etc.

Now let's say we get the NSA 240 device and later down the road we realize we are not fully using all the features.

1. Now can we turn off the UTM features in the device? If we do this, is the UTM throughput released back to the NSA 240 device to handle other features efficiently?

2. Out of the box, does it have everything (all features) enabled, which might be using most of the NSA 240 processing power, when 40% of the features are ones we don't use in our network?

Can we turn them OFF, to make the NSA 240 work more efficiently and faster for the rest of the 60% of features we might be using in the NSA 240 device?




Assisted Solution by: digitap (earned 500 total points)
ID: 35084687
I'll combine your two questions into one response. You gain throughput by disabling the security services. The security services are enabled on a Zone basis. The SonicWall creates a zone for an interface based on the type of traffic. You get the LAN, WAN, WLAN, DMZ zones by default. You use the zones for setting up the firewall rules and you enable security services per zone. So, if you decide that you don't want any of the security services except the content filter, then disabling those other services provides more throughput capability for the content filter in addition to other activities. This would include the encryption/decryption of remote VPN users or site-to-site VPNs.

Additionally, out of the box, none of the security services are enabled until you license them. Even when you license them and they become activated, they are not enabled for any of the zones.

Author Comment by: OCUBE
ID: 35084866


So just a basic NSA 240 would allow us to do everything except the following optional features:

- Antivirus
- Spyware
- Content Filtering
- VPNs
- ViewPoint reporting software

Can we just get the basic NSA 240, and will we be able to do all the basic firewall functionality (including bandwidth management, and be able to buy the optional ViewPoint reporting software)?

Expert Comment by: digitap
ID: 35085155
Out of your list, with a basic firewall you can still establish at least 25 site-to-site VPNs, and you get 2 licensed GVC users and 2 SSL-VPN licenses. The other options are paid services. I believe you can license ViewPoint separately, but we'd discovered that purchasing the package was cheaper. Of course, you are now committing to yearly renewal costs.

Author Comment by: OCUBE
ID: 35085176


So initially, to start off, we can buy the basic unit, and once we like it we can add the optional features later down the road?

Expert Comment by: digitap
ID: 35086381
Yes, but something the reseller or SonicWall sales is going to tell you is that they make it attractive to get into the package stuff because they lower the price. I am on the technical side, so I don't see the actual costs. It might be cheaper to get into the security services up front than to wait down the road. You'll have to ask them about that when the time comes.

Author Comment by: OCUBE
ID: 35086413


OK, I will check with the sales rep.

Thanks for your postings.

Author Closing Comment by: OCUBE
ID: 35086443
Thanks

Expert Comment by: digitap
ID: 35086514
You're welcome. You had some good questions, and thanks for the points!