Are you aware of any business firewalls that do the normal functions, but without recurring licensing, and that also include support? I.e. buy outright and get support. I’m aware that TP-Link offer this, but I’m a bit wary of their inability to have multi-WAN IPs when doing NAT rules.
The client isn’t interested in pfSense, mainly because of the price of support if ever required.
We looked at Drayteks, and they’re considering them as an option - but I was a little concerned when testing one out that they need a reboot after almost every change, taking down the corporate network for around a minute each time (which could amount to a lot of downtime when making consecutive changes).
The main features required:
- IPsec/site-to-site VPN capability
- Multi-WAN IP support
- Basic support package included where possible
- L2TP VPN with RADIUS or AD authentication ideally
The client doesn’t need or want anything snazzy, overkill or expensive. They’re just looking for those basic functions shown above. A Draytek is the closest we’ve got to agreeing on a firewall, but the reboot after every change will be a deal-breaker for them (the ideal would be just an ‘apply changes’ button like pfSense has).
Something being expensive is relative. You can pick up a Fortinet with services and support for around $1K and maybe $200/year for continued support. You can also buy a used Cisco ASA/Firepower for around $200 and no support. The important thing is to set expectations of the cost and downtime when it has an issue.
In the case of cheap customers, I put in old gear and just have them pay me T&M for install and when they have issues. I also get their signature that they understand the risks.
Old gear wouldn’t be an issue for this client. They definitely won’t pay 1k per firewall, especially as they intend to buy multiple for each site.
I don’t think they’re purposely being tight, they’re just a charity and have very limited funding.
Do you have any recommendations of such old gear that works well? If the multiple WAN IPs were included, then TP Link or Unifi USG would’ve been perfect for this…
IMO, Cisco ASAs are the best value for used hardware since they offer SSL VPN (remote access w/ AD or LDAP auth), IPsec tunneling, BGP, and EEM. For $200 per site (just saw 5505s are less than $100) I could set up a fully redundant edge solution. Not sure there are any other solutions available for that price in hardware.
Keep in mind though, the 5505 is out of support next year. If that’s one of the stipulations, hopefully they don’t run into any problems after next August. It’s also a device from 2006 and was end of sale back in 2017. I understand they are limited on budget though, but it doesn’t feel like a super reliable solution moving forward for them.
What are people’s thoughts/views on Draytek? I know I mentioned at the beginning that the reboots would be an issue, but I could just create a clause for the client that we will only do config changes out of hours unless absolutely necessary…
In particular looking at something like the Vigor 2952.
I’ve heard nothing but good things about them; however, I’ve only heard of them being used for very light things (just DHCP and routing), not for site-to-site VPNs etc.
Eric, I wouldn’t recommend the ASA products either if support is required. Like you said they are end of life, but at less than $100 each that is pretty hard to beat. I don’t know of anything cheaper when it comes to hard cost of a standalone appliance.
Absolutely, I agree. At some point though, I might not even present it as an option to a client as I wouldn’t want to have to support something that’s soon to be abandoned for security updates and otherwise. You’re already lucky to find business grade firewalls without recurring licensing, so this client is asking for a lot if they’re wanting all of that functionality for next to nothing.
I’ll also say, technically pfSense CE is free if you have a spare system to run it on, just need to add on another NIC to get the extra ports you need.
OP, the main features you listed aren’t specific to a “business” firewall - DHCP is provided, but usually in a business context you will use a dedicated DHCP server to manage all the requests from the different VLANs.
As a first choice, pfSense IS a business-grade firewall that has been tested more than any other big-brand and expensive firewall put together - so you can’t go wrong by choosing it. What often makes it or breaks it (like any expensive business firewall) is the people who manage it.
You also need to factor in what your firewall will do besides basic firewalling:
- Will it need to route internal VLAN traffic and do inspection?
- Will it need to manage more than one WAN link, offer SD-WAN-like features, SLA performance checking, etc.?
- Does it need to maintain tunnels (SSL VPN or IPsec) with other heterogeneous firewalls, with road warriors on top of that? How many remote clients do you need to support?
- Do you need central management of your firewalls because you plan to install many of them across many sites or campuses?
- Does your firewall need to do OSPF, BGP and update routes with the ISP? Do you lend part of the network to a 3rd party where traffic must be routed/re-routed, and does route convergence between nodes need to be fast while traffic is high?
What business and big-brand firewalls offer you besides support is that they sell dedicated hardware that can satisfy any kind of need: from SOHO to carrier-grade equipment.
As someone said, Fortinet offers all the basics you need, just like pfSense. For the same $600 and no support contract, you will get a much faster and much better firewall (imo) with Fortinet than any other brand at the moment - and you can do 10Gbps routing without breaking a sweat with a 60F, which no other competitor can do on custom hardware.
And for people STILL talking about Cisco’s ASA in 2020+, they are phased out and out of touch with the market or stuck in the past (or stuck with lots of ASAs lol). Don’t touch ASA if you don’t want to get woken up every other night because out of the blue your VPN tunnels are failing for no reason.
I also wouldn’t touch anything that is only cloud-based (aka Untangle), as I don’t trust cloud services for services at that security level.
Checkpoint is very good but expensive for what it offers. Same for Palo or Juniper.
Besides pfSense on custom hardware or dedicated hardware, Aruba is something I might consider as they are very aggressive price-wise.