Asked by Chip Levinson

Seeking Advice on Upgrading a Netscreen SSG Firewall

Hello,

I am looking for advice on selecting a new hardware firewall for my home/office.  I have been using a Juniper Networks SSG5 for over 10 years.  It is configured with multiple zones (Work, Family, and Guest). My network is much simpler now than it was 10 years ago.  The number of users has also decreased to just 5 who are all family members.  Here are my desired specs for a new firewall:

Requirements/Musts
1. Be easy to use/program with a GUI interface from my desktop using a current browser.  Bonus if there are easy to follow training videos available.
2. Have between 2 and 6 GbE ports for my network.  The SSG5 only has Fast Ethernet ports.  My ISP is providing me with download speeds of 400 Mbps, but this gets cut down to 95 Mbps by the SSG5.
3. Support multiple zones so I can configure a Work Zone (for a couple of desktops, a file server, and some peripherals) and a Family Zone for three personal use PCs for family members and in-home wifi.  I want to block all traffic between the Work and Family zones.
4. Be compatible with MoCA 2.5 which I use for two smart TVs in my home.  
5. Work with Wifi extenders and mesh routers - in particular Netgear Orbi WIFI router and satellites.
6. Have a max throughput/performance that is better than my SSG5.
7. Be compatible with Strong VPN (which I use).
8. Cost under $500.

In addition, I would like the firewall to come from a company with a proven track record and support IDS/IPS.  I am open to a firewall that provides the option for Unified Threat Management on a subscription basis (depending on cost).

I started looking into this and found a few candidates:
  • Ubiquiti Unifi Security Gateway (USG) $130
  • Zyxel UTM Firewall USGFLEX100 $220 hardware only
  • ZyXEL Next-Gen VPN Firewall USG20-VPN  $145
  • ZyXEL Next-Gen VPN Firewall with Wireless USG20W-VPN $170
  • Fortinet FortiGate 30E $270
Any thoughts on the above?

Thank you!!
ASKER CERTIFIED SOLUTION
Elie Matar
This solution is only available to members.

I am thinking you should stick with Juniper firewalls because you have worked with the SSG for 10 years and are familiar with Juniper.
It is a very good option to check the Juniper SRX300 series. It is a very stable device and has all the options that you need, and the price is good also.

For your options, I have worked with Zyxel and Fortigate; both are good, but I would recommend Fortigate over Zyxel.
Fortigate also supports the SD-WAN feature, which is a very good option also. As Elie said, it is very simple and has a lot of KB, tutorials, videos and resources.

http://www.networkscreen.com/SRX300.asp
https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000550-en.pdf 

Working with Junipers for 16 years, I recommend any of the new SonicWall SRA series routers. I’ve been using them to slowly phase out my aging SSG network. I choose them because of the easily translatable settings from Juniper to SonicWall and the lovely web user interface. The website is important to me because my remote helpers are usually maintenance workers and I need to be able to explain steps to them without breaking out the CLI.

Big caution. Never get SRX. It’s not the same and the interface/programming is more complicated than it needs to be. I already went that route and had to turn back.

I agree with Sanga Collins that it is not the same interface, but it is not as complicated as you said.

If anyone is not familiar with the CLI, you can use the GUI instead. From version 18.X there are many enhancements to the web interface, so you can configure everything that you want using the GUI :)

We moved from the SSG5 to the SRX340 some years ago.
I've often used BOTH the GUI and the CLI for setting things up.  My feeling is that Juniper is very CLI-oriented and the GUI is more of an afterthought.  A remote session with JTAC will demonstrate the preference!  But, of course these are professional, trained techs.

I've used the GUI to create examples that I can see in the configuration file and vice versa.  Then I can edit the configuration file (using the GUI) which isn't using the CLI *interface* but is somewhere in between.  Reading and editing the configuration file using the GUI is one of the preferred methods for me.

Just FYI.  I'm not commenting on the recommendations re: Fortinet, etc.  You'll have to rely on the experience of others there.


Chip Levinson (ASKER)

Hello,

Thank you all for your comments.  I am leaning towards the Fortigate 30E, but have some more questions.  Mohammad, I understand your logic for suggesting the SRX300, but in truth it has been several years since I have programmed the SSG5 and I would need to relearn how to use it.  I am definitely not looking for something that utilizes or relies on Command Line Interface.

A few questions about Fortigate, am I correct that I do not need to subscribe for the UTM protection?  Without the UTM, how would the Fortigate 30E compare to my SSG5 in terms of security and protection and performance?  Also, it looks like the Fortigate 50E and 60E offer much higher performance for very little extra cost.  Would you suggest either of those?

Does anyone know how much it costs for a 1, 2 or 3 year UTM subscription on the 30E and 60E?

am I correct that I do not need to subscribe for the UTM protection?

Correct, the firewall will work without a license, but you will forgo a lot of important things. You just won't get the firmware or security updates, Fortigate support (technical support) and many of the FortiGuard features.

Without the UTM, how would the Fortigate 30E compare to my SSG5 in terms of security and protection and performance?
Basically, without a license (subscription), you can do basic firewall configuration such as firewall policies, NAT rules, routing, objects, VDOMs, site-to-site IPsec VPN, dial-up IPsec remote access for up to 10 concurrent users, application control, ...
I think there is a trial period to use the Fortigate firewall features, so if you get this trial and update the antivirus/IPS signatures, when the trial expires the firewall will keep working with the antivirus/IPS signatures but without new signature updates :-)

I did a basic comparison; the Fortigate 30E is better than the SSG.

| | SSG5 | FG30E |
|---|---|---|
| Firewall performance (Large packets) | 160 Mbps | 950 Mbps |
| Firewall packets per second (64 byte) | 30,000 PPS | 180 Kpps |
| New sessions/second | 2,800 | 15,000 |
| Maximum security policies | 200 | 5,000 |
| Fixed I/O | 7x10/100 | 1x GE RJ45 WAN Port / 4x GE RJ45 Switch Ports |

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_30E.pdf
https://www.juniper.net/us/en/local/pdf/datasheets/1000176-en.pdf

Also, it looks like the Fortigate 50E and 60E offer much higher performance for very little extra cost.  Would you suggest either of those?
You can use the link below to compare Fortinet products.
https://www.fortinet.com/products/product-compare

Does anyone know how much it costs for a 1, 2 or 3 year UTM subscription on the 30E and 60E?
From my point of view, you can contact Fortinet and request a quote; this will give you a budgetary price.
Also, you can contact Fortinet local partners and compare these prices with Amazon and eBay; this will give good insight into what you need.

https://www.fortinet.com/corporate/about-us/contact-us


Hi, I had a few distractions come up, but hope to review all the great recommendations provided and either close the thread or post my final questions by the end of the weekend.  Thanks for your patience and for checking back!

Good luck, and please let us know if you need any extra information :)

The OS for SSG and the OS for SRX are different.  So, the CLI is different.  
I used a transfer interpreter to generate a config file for our SRX but it wasn't 100%.
The Fortigate sounds interesting.  I wonder how it compares with SRX340?