Which UTM is better for 100-250 Users.?

Dear EE's,

Please give suggestions about UTM capacity for 100-250 users.
Which is good when considering FORTIGATE, SOPHOS, SONICWALL, WATCHGUARD, etc.

Look forward for ur reply soon. Thank you.

Shamil MohamedIT Infrastructure Engineer/IT Systems ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Blue Street TechLast KnightCommented:
Hi Shamil Mohamed,

I recommend SonicWALL NSA 3600 or 4600. They are the best bang for the buck. IMO, best throughput and best real-time gateway security services verified by third parties.
Shamil MohamedIT Infrastructure Engineer/IT Systems ManagerAuthor Commented:
Dear Diverseit,

Can u please give a a brief advantages of NSA 3600 when compared with Foriagte competitor.
Shamil MohamedIT Infrastructure Engineer/IT Systems ManagerAuthor Commented:
Dear Diverseit,

I really looking into cost efficient also. Is this NSA3600 appliance is costlier than fortigate appliance/sophos?

Thanking you.
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

Jon SnydermanCommented:
Have you looked at a Watchguard XTM 5 series?   For your number of users, I would start with the XTM 535 which is model upgradeable to a 545 which a key.  

But there are other questions....   What type of internet bandwidth do you have?   How active are your users?  Do you host servers inside your network such as web servers or email servers or terminal servers?   Do you need any sort of reporting or mandated audit capabilities?  Do you need to meet any compliance laws?   Do you need other services such as access points, spam control, data loss prevention, etc...

IMO, at the 10,000 foot level, when you consider all that you get with a Watchguard UTM bundle along with the included management tools and the tightly integrated and meshable wireless access points, it is very hard to beat Watchguard on a price for feature level.     I have used Fortigate and it is very nice but not easy to manage and usually pricier when comparing apples to apples.    Sonic is also solid and more in the range of Watchguard, but I have used both extensively.  The APs are not nearly as integrated, the web interface is much more confusing and support is usually off shore.    Just to confuse things, I would also consider Palo Alto, but like Fortinet, that will be a price jump.   Management interface and overall capabilities and reporting is excellent though.

In full disclosure, I support many firewall brands, but I prefer and resell Watchguard primarily.

Jon Snyderman
Blue Street TechLast KnightCommented:

SonicWALL vs Fortigate...

Some reasons why SonicWALL is better:
1. Limited Proxy – based AV Scanning FortiGates using proxy-based AV scanning have file size limitations and performance-limiting intellectual property and hardware. Files larger than the buffer are passed without being scanned or are blocked. SonicWALLs have no such file size limitations.
2. Basic Application Management – SonicWALL's running SonicOS 5.6.4 and later with Application Intelligence, Control and Visualization provide a comprehensive set of application management capabilities. FortiGates are limited to very basic allow, block and log. Also, SonicWALLs have 3x as many application signatures as FortiGates.
3. Inadequate File and Protocol Scanning – FortiGates scan only a portion of each file for malware across just 11 protocols. SonicWALLs scan the entire file over 50+ protocols.
4. Poor Distributed Wireless Functionality – FortiWiFis offer few wireless features. SonicWALLs provide many more such as Lightweight Hotspot Messaging, Wireless Guest Services and others.
5. Costly Central Management – You will need to purchase and run FortiManager and FortiAnalyzer together to get the equivalent features of SonicWALL GMS.
6. No IPv6 or ICSA Enterprise Firewall Certification – While FortiGates may support IPv6, SonicWALL NSA and E-Class NSA Series appliances are IPv6 certified. In addition, SonicWALL is the first network security vendor to receive ICSA Enterprise Firewall certification. Fortinet products have no such certification.
7. Poor Anti-Spam Options – The FortiGate email filter service is limited to three dynamically-updated techniques (IP Reputation, Message body URL check and Message body content signatures). SonicWALL Comprehensive Anti-Spam Service utilizes 3x as many techniques including those.
8. One-way Anti-Spyware Protection – FortiGates monitor only inbound traffic for spyware, not outbound. SonicWALLs monitor and block spyware in both directions.
9. Restricted 3G Availability – Only low-end FortiGates (80 Series and below) have 3G wireless WAN failover. SonicWALL includes 3G across all firewall lines.
10. Lack L2TP Server Support for Handheld Devices – FortiGates lack L2TP Server, so handhelds are unable to connect to the firewall. SonicWALLs include built-in L2TP Server.
Hope that helps.
Jon SnydermanCommented:
Well, I didnt think that we were going there because every vendor has their list of advantages.    My recommendations are from my experience....    So two things....  

First, I have attached Watchguard very detailed comparitive analysis vs Fortigate and Sonic.  You will see that when the competitor has better numbers, they are shown clearly.   But at the same time, when you look at the whole picture, clearly WG comes out ahead.   But AGAIN, this is docs from the vendor.   personally, I dont care much for that.

Second, and much more important in my mind.   Everyone has some gripes with Sonic, Fortigate, Juniper, Palo Alto and also Watchguard.   Just the way it is.    I have personally had three different customers put Watchguard up against Sonic, Astaro, and even Juniper on separate occasions.   One customer, a school, tested Sonic AND Astaro.  From a throughput standpoint, Watchguard blew them all away.     From a total integration and management standpoint, Watchguard was also ahead based on ease of configuration, integration to wireless devices, integration to Windows AD and VPN connectivity options, they also won.    

Every company has it's issues and every company can toot it's own horn.   All the brands that have been mentioned are excellent brands and I dont think you can really go wrong with any.   However, for price to feature to performance, I have seen Watchguard shine over and over.  

Shamil MohamedIT Infrastructure Engineer/IT Systems ManagerAuthor Commented:
Dear diverseit,

Thank you for the explanation of Sonicawall vs Fortigate..

Shamil MohamedIT Infrastructure Engineer/IT Systems ManagerAuthor Commented:
Dear Jon Snyderman,

Here in Malaysia i didn't hear much about Watchguard. It doesn't mean people are not deploying. But as per my knowledge here a lot of people looking into Sonicwall or Fortigate. I really don't know the reason why. You point out right one that each product have its own advantages, even i personally surf for deep comparison i understood same.

I got to compare 2 factors at same time. 1st is cost and 2nd efficiency & service of product (less headache).

Cost wise i really need to look into low yearly subscription also. Service wise i look into service care available locally in Malaysia.

I think i better explain my requirements. as mentioned below.

I having 3 wan lines. 2 Fixed IP using for terminal servers, email server, and for application servers & 1 fixed line for normal office usage, voice chats etc.

I having 2 separate networks for Servers and Clients.

Lets say is for client Pc 's & Wifi clients connecting. and is for server networks.

Wan's connected through Peplink loadbalacer 380 and it goes to Juniper SSG350 to split into 2 lans.

So i need to keep this setup on as i wanna keep on 2 Lans even if i am gonna change Fortiagte/Watchguard/Sonicwall.

Along with above mention i need anti-spam, http/https web filtering, application filtering, high throughput, anti-virus, data loss prevention, AD level reporting etc.

Hope you guys really can help me in this matter.

Jon SnydermanCommented:
Thanks Shamil.  That was a very good recap.    

Regarding Malaysia, I am in the states so I am not sure about local partner support.   I do know that Watchguard has local support for your timezone but your concern for support is a very important and valid one.   I can suggest Watchguard all day long and give you all the reason, but I would not pull the trigger without answering this question.

As for your details, I would definately start with a 535 as a base, which can be upgraded to a 545.   The next tier is the 8 series but I dont think that will be cost effective for you.  

Some benefits that Watchguard provides are guest wifi access along with fully meshed wireless access points.   If you are looking at your wireless infrastructure, this is a major advantage.   You get all of the benefits of FIT access points all managed through the same interface as the firewall and fully integrated in to the security policies.

Regarding your load balancer, you have a substantial network with multiple WAN lines but you dont mention clustering at the load balancer or the firewall layers.   This sounds like a weak spot for you.   Watchguards Firecluster feature included with Fireware PRO allows you to have two boxes in an active\passive or active\active configuration.   The active\passive saves a lot of money because you only pay for the security services on one box, while the active\active configuration doubles your potential throughput (I dont recommend this though).

As for the specific features, Watchguard has all of them without the need for any additional servers onsite.    In addition to the important ones that you mentioned, you should also be looking at zero-day malware prevention which is Watchguards APT blocker.     As for high-throughput AV, this is one of Watchguards key features.   I have seen on multiple occasions where their throughput through the proxies as substantially faster than other competitors.    Finally, ease of administration is also a fundamental feature.   I manage many brands and Watchguard takes a different and more manageable approach to it.  I spend a half day with a customer and let them loose.

Put the costs side by side and put the service and support side by side.  I honestly don't think you will be disappointed in either product.   From the standpoint of price to performance and feature, I do think that Watchguard and SonicWall are your two leading solutions.    Fortinet, as mentioned above, can get expensive if you are not careful.  

Good louck

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Shamil MohamedIT Infrastructure Engineer/IT Systems ManagerAuthor Commented:
Ok thank you guys... I decided to go for Sonicwall NSA 3600.

thanks alot
Blue Street TechLast KnightCommented:
no points?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.