Recommended Firewall model

Dear wizards, can you please recommend some of the best models of firewall appliance?

The requirements are:
- Can detect and automatically block network attacks (IDS/IPS), viruses, worms, volumetric attacks ...

- Including routing, HA, failover features

- Reliable
DP230, Network Administrator, asked:

Giovanni Heward commented:
Palo Alto
DP230, Network Administrator (Author), commented:
Hello Giovanni Heward, can you suggest the model in detail? (We need to protect our DC, which has 30 VM servers + 10 physical servers.)
Giovanni Heward commented:
Sorry for the brief reply on my mobile phone. What throughput do you need to support, with all the features enabled you mentioned in your question?
Will you be needing VPN?  How many users?
Lee W, MVP, Technology and Business Process Advisor, commented:
Untangle. I've been using the free and paid versions and have been very satisfied with it.

NOTE: NOTHING is 100% - these days, nothing is 50%.  The bad guys are constantly trying to get in and bypass your security.  And they have (or get) access to the same products you do to find vulnerabilities and ways around the protections.  You need to use a multi-layer approach that includes GOOD user training!
Sajid Shaik M, System Admin, commented:

In your case you need a UTM appliance (unified threat management), which comes with scanning, IDS/IPS feature licenses, etc. All the features come along with it. When you purchase a UTM, in your case you have to go for the full license (i.e. in SonicWall it's called Total Protection). Models depend on the throughput requirements.

Anyhow, when you purchase the appliance it can be a SonicWall, Palo Alto, Sophos, Fortinet, etc. For any model, first check the budget, best support and availability, etc. All the UTM models support failover and all required features.

Ask the vendor about your requirements and the required licenses as well.

All the best.
DP230, Network Administrator (Author), commented:
Hi, we have about 500 users and also need VPN. How about Cisco ASA?
DP230, Network Administrator (Author), commented:
I just wonder: when we buy a firewall appliance, let's say for example a Cisco ASA 5525, SonicWall or Sophos XG, ... do we have to configure anything to get its function of preventing network attacks, or will it run out of the box?
Lee W, MVP, Technology and Business Process Advisor, commented:
If you use Untangle, you install the module and then you have to activate it.

From the Untangle web site:
Intrusion Prevention blocks hacking attempts before they reach internal servers and desktops. Untangle’s pre-configured signature-based IPS makes it easier for administrators to provide 24/7 network protection from hackers.

It minimizes annoying false positives and ensures that signatures are always current with automatic updates. With an easy-to-use setup wizard allowing simple configuration of rules specific to each environment, Intrusion Prevention provides flexible control. Over 34,000 signature detections, including heuristic signatures for port scans, enable you to effectively monitor and block most suspicious requests.

With either Cisco or SonicWall you will get some kind of protection right out of the box, but let's be frank: if you're not well versed with Cisco IOS I wouldn't recommend it. SonicWall is all GUI driven. Whether you choose Cisco, SonicWall, or Sophos UTM service, expect to subscribe to the update service, which will include firmware upgrades, AV/firewall threat updates, and technical support to say the least, so you will always have their help. A UTM appliance is useless without updates. But these subscriptions are not cheap. SonicWall Comprehensive Gateway Security Suite for the NSA series can run from $800 a year and up, but for a 500-user environment that cost should be justified.

Having said that, each corporate environment is different and the firewall requirements are different. You should tailor the UTM appliance to your environment.

So to answer "do we have to configure anything to get its function of preventing network attacks, or will it run out of the box?": yes, you will get some basic default settings and protection out of the box. Whether the basic protection will meet your standard is a different question, and only you can answer it.
Iamthecreator OM, IT Admin/EE Solution Guide, commented:
We are looking to implement the following in our DC. We need a cluster with HA and fail-over. Our requirements are similar to yours and to those of most businesses with high security, load balancing and HA.
It has a lot of features and seems to be easy to manage and configure. The VPN tunnels are re-mounted automatically in the event of failure of the primary UTM.
Stormshield SN710
Budget around € 20,000
DP230, Network Administrator (Author), commented:
How about the Sophos XG 210 or 310?
Iamthecreator OM, IT Admin/EE Solution Guide, commented:
Looks good. I would suggest that you reach out to vendors or partners for different products. Schedule a meeting with their technical sales team to discuss your requirements and their offerings, to get a better idea. It really helps. That is what I have been doing. Currently using a WatchGuard UTM but open to change.
DP230, Network Administrator (Author), commented:
Hi, I'm not sure whether the datasheet for Sophos is correct or not, but their stats are much higher than those of other vendors, such as Palo Alto or Cisco.

For example: Cisco ASA 5525, Palo Alto PA-3060 and Sophos XG 210. I have also attached their documents.

Sophos XG210:
-> Firewall throughput = 16 Gb/s
-> VPN throughput = 1.6 Gb/s
-> IPS throughput = 2.7 Gb/s
-> Max concurrent connections = 8,200,000
-> New connection/sec = 135,000

Palo Alto PA-3060:
-> Firewall throughput = 4 Gb/s
-> VPN throughput = 500 Mb/s
-> IPS throughput = 2 Gb/s
-> Max concurrent connections = 500,000
-> New connection/sec = 50,000

Cisco ASA 5525-K9:
-> Firewall throughput = 2 Gb/s
-> VPN throughput = 300 Mb/s
-> IPS throughput = 600 Mb/s
-> Max concurrent connections = 500,000
-> New connection/sec = 20,000

What do you think? With my ISP connection (Internet leased line: 100 Mb/s domestic + 45 Mb/s international), which model should we choose?
Feroz Ahmed, Senior Network Security / Senior System Engineer, commented:

Cisco ASA 5508 will support all the features you mentioned. It will support failover, clustering and Cisco AnyConnect.
DP230, Network Administrator (Author), commented:
We chose the XG 310 & 330.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DP230, Network Administrator (Author), commented:
Thanks for your support!