Dan (United States of America) asked:
What is the best Firewall I can buy?

Let's say price is not an issue, what is by far the best firewall out there for an enterprise?
I currently have a Sophos SG330, running the XG OS, and it's just so unstable.
Bugs left and right, and have many issues with it, have been for years now.

I'm looking to replace it with the best firewall possible. When I say best, I need something reliable, that is rock solid and that has a GUI interface.

Any suggestions?  I know there are many different brands out there, but which one is best, if there is such a thing?

kevinhsieh (United States of America):

Money no object? You really should look at Palo Alto firewalls, add in their subscriptions, and then their advanced analytics available with Cortex Network Traffic Analysis for machine learning on your traffic patterns to look for anomalies. Think Darktrace for your firewall.
I use SonicWall. I manage small/medium businesses and there's no room for a "Firewall Specialist", so as a result things must be simple and do the job. SonicWall meets these requirements.
Antzs (Malaysia): (solution text is available to members only)
PA are probably the ones to look at, although FortiGate firewalls are excellent too.
The small Palo Alto PA-220 won't break the bank, either. I use them at my branch offices. Similar in cost to a small Cisco branch router.
Lol @Pete. Turn off SIP ALG and all good :-)
Dan (ASKER):
Yes, I am running 3CX on a dedicated SIP trunk from my ISP.

So Palo Alto, SonicWall and Fortigate are the ones I should look into? No one mentioned Cisco, is that not as good? Or Meraki?

My problem is, I am using Sophos as my Wi-Fi AP controller and my firewall, so when I replace the firewall, I will have to keep the Sophos for my Wi-Fi until I can swap those out as well.
Any suggestions for Wi-Fi? I was thinking of going with Meraki APs?
Dan (ASKER):

SIP trunk.
Dan (ASKER):
Sorry, iPhone autocorrection sucks.
The three are:
Palo Alto
Fortigate
SonicWall

So don't look at Meraki or Cisco?
Meraki firewalls are toys, IMHO. Fine for people who need basic features. They can't even advertise into OSPF or do any BGP.

Meraki WiFi is good.

Honestly I would do Ubiquiti UniFi for WiFi.
Dan (ASKER):
I used Ubiquiti at a church before and had issues. Not a fan of Ubiquiti; I'm looking for something more rock solid.
I use Ubiquiti at all of my branches and have no issues with them. Fewer issues, in fact, than my Ruckus. When the HDD in my Ruckus controller went down, I was down for days waiting for a replacement.
The best firewall?

Air Gap.
With a question this broad, you're going to get a wide array of answers. I'll answer your question with a question: best firewall... for what? In other words:
  • How many, just one?
  • Load balancing?
  • Fault tolerance and failover?
  • Next gen/Application based?
  • Does it have to integrate with our products or platforms?
  • Does it need to be managed centrally?
  • How much throughput do you need?
  • Will it integrate with a SIEM?

I put my money on Palo Alto PANs with all the bells and whistles.
Dan (ASKER):
ste5an
From a Google search, an air gap is "no internet connection"; is that what you are suggesting?

andeporter
1. Actually, I have 2 locations, but the 2nd location is very small, so I would only need a much smaller firewall for the 2nd location.
2/3. I am mostly interested in my HQ location, so I don't think I need load balancing, unless I get 2 firewalls in an active/passive configuration, or as you call it, fault tolerant?
4. Not sure of the difference between the two, but I think next gen is better or has more capabilities? I'm assuming most modern firewalls allow DNAT/SNAT etc. rules, which will allow me to create rules to allow certain traffic/applications in?
5. Currently I'm using Sophos as my firewall and Wi-Fi controller, so the challenge will be either in replacing the Wi-Fi first, or just using the Sophos firewall as a Wi-Fi controller until I figure out a long-term plan.
6. It does not need to be managed centrally; I prefer to just log into the firewall directly.
7. We currently have a full 1 gig fiber pipe, and here are my current specs on my Sophos, but I would like something beefier.
Throughput:
Firewall (Mbps) 22,000
VPN (Mbps) 4,000
IPS (Mbps)  6,000
AV-proxy (Mbps) 1,500
concurrent connections: 6,000,000
new connections/sec: 120,000
8. I don't currently have a SIEM solution; I'm only really using Splunk currently.

Air gap is a facetious suggestion.

The PA-3220 is the next step up in terms of throughput: 5 Gbps of L7 classification and inspection, 2.8 Gbps of full threat throughput. Now, I don't think that it will do a full 1 Gbps of SSL decryption.

https://www.paloaltonetworks.com/products/product-selection

I do central management of my firewalls. It's great because I don't need to try to keep my rule sets synchronized across devices. Not too important if you have a main site and a satellite site that just does full VPN back to the main office. If you have 2 satellite offices, it's gold.

With 2 firewalls in HA, I can patch and reboot a firewall while generally dropping just 1 ping. Otherwise, it can take maybe 10-20 minutes to reboot a firewall before it becomes operational again.

Firewalls have been able to do L4 filtering for decades. Modern next generation firewalls know the difference between consumer Dropbox and enterprise Dropbox, even though they all run TLS on TCP 443.
Dan (ASKER):

How is Barracuda, by the way? That name has come up a bit, and Meraki, but from the sounds of it, Meraki is more for small business?
Meraki MX is not an enterprise-level firewall, contrary to what Cisco may tell you.

The top 3 are PA, Fortigate, Checkpoint, in that order.
Dan (ASKER):
Regarding the Meraki, I have a friend that has one and he said it's rock solid. I guess it's not enterprise grade, but he hasn't really had many issues with it.
Just because something doesn't crash doesn't mean that it is enterprise.
Dan (ASKER):
So I discovered we can't afford Palo Alto, they are crazy expensive.

So after seeing multiple demos, I really liked Forcepoint; their web GUI is easy to use, but very powerful.
From the brief research I've done, they seem like a new company, so I wonder how good or solid they are?

Then my next runners-up are: Fortigate, Barracuda or SonicWall. The number one feature I was looking for is to be able to search the firewall rules by name. These are the only 4 companies that have that ability, plus PA, but they are too expensive.

So from this list, is one better than another?
Forcepoint
Fortigate
Barracuda
SonicWall

Thanks, Dan
Forcepoint is the old Intel/McAfee/Secure Computing firewall product line dating back to the 2000s, according to my Gartner 2019 MQ for enterprise firewalls.

They have greater visibility in EMEA, and have less visibility in North America despite being based in Austin. They had 2,500 employees worldwide. I have never personally heard of anyone who uses them, and Gartner warns that finding qualified partners in the US is a challenge.
Dan (ASKER):

Yes, that's interesting, but the web GUI and the data they provide are pretty awesome; it's basically on par with PA.

I read that McAfee bought them in 2012 or so, and then they sold the company (Stonesoft) and Forcepoint bought it in 2016 or so.

I wonder if anyone uses it here in this community (EE), if they could share their viewpoint on it?
Dan (ASKER):

@kevinhsieh, according to the Gartner report, Forcepoint is somewhat better than Barracuda and SonicWall, if I'm reading the chart correctly.
Forcepoint is an actual enterprise player. Barracuda and Sonicwall are not. That said, I don't think that you're an enterprise purchaser, or you would be able to buy a firewall that costs more than a Tesla once all of the software licensing is added in.
Dan (ASKER):

Actually, I don't have the pricing yet for Forcepoint, so perhaps the price might be high like the PA, and then that solves that problem and narrows down my list to only Fortigate, Barracuda and SonicWall.
Dan (ASKER):

@Andrew, thank you, yes, that sheds a bit more light.

I decided to continue using my Sophos APs and just manage them in the cloud for now. In a few hours, or half a day or so, I can configure all of them to report to the cloud and then that's resolved for now.

Yes, I think the 850 might be good enough; now the problem is price. It might be too expensive, waiting for a quote.
If you can't afford the PA, get a Fortigate and ignore the rest of the choices on your list.
Dan (ASKER):
Ok, really, but I liked the Forcepoint more than Fortigate.

So my order right now is PA, Forcepoint, Fortigate.    hmmmmm......

Dan (ASKER):
So both Forcepoint and Fortigate are better than Sophos?  Just curious, why is that? Is that just opinion?
Dan (ASKER):

I didn't realize, both PA and Forcepoint are very $$$$.
I don't think they will get approved, but what's more in my budget is the Barracuda, Fortigate and SonicWall.

So I think I weeded out the others I didn't like, so now out of the above three, is one better than another, as the price for each model I'm looking at is in the same ballpark? Each company touts how much better they are than the others, so I'm trying to figure out which direction to go, as each one has strengths and weaknesses.
Dan (ASKER):
So in your opinion, what are the top 3, in the order you view them as best, I know that's subjective.
Would it be:
PA, Forcepoint, Fortigate ?

Dan (ASKER):

Thanks everyone. PA just came out with a new product line, so we purchased one of their new products; the price is very reasonable.