pfSense Licensing changes

The same can be said of pfsense.
If you were around pre-2010ish, you must have heard of the big wreck that happened worldwide when all firewalls got hacked except pfsense? That’s why pfsense exists in some large enterprises.

I agree with you @pjdouillard. I have supported a multimedia studio that supports multiple tenants. The clients from financial have more to lose and go with Palo, then you also see a lot of vanilla Cisco side by side as fallback. Work with big intellectual partners, though; the studio seems to do the same arrangement. Both these clients are in different industries but have a lot to lose in the event of a network breach.

Then you would have the voice actors with studios in their home. They would have anything from a Linksys to Asus and as long as we can push a VPN over the link we were happy. Many times, we would upgrade their routers with pfSense official boxes and create a VLAN for their studio and isolate it from the other networking they had in their homes. They are making the $$$'s so the impact to them was minimal. But the bad part is that when there were issues Comcast and others were clueless on how to work with them.

You didn’t answer my question at all.
What specifically can pfsense protect against that a Palo Alto can’t?
I’m not aware of Palo Alto getting hacked pre-2010ish, nor should we base our security on pre-2010 standards…

I thought the answer was clear.
What pfsense can protect more than Palo is your wallet - and big time over that! :wink:

Jokes apart, it is not what pfsense can protect that Palo can’t or vice-versa - as both do the same job as a periphery firewall - but why pfsense is still prevalent and relevant today. If you have knowledgeable people in place, pfsense is a great tool; if you don’t, you need to spend tons of money to get stuff done with brands like Palo, etc.

Bit of experimentation - copied my hardware NIC MAC addresses to a VM (Proxmox) - rebooted and lo, it’s the same Netgate ID as the hardware - so maybe a hardware swap is possible if you keep the same NICs? Or run on VMs and just ensure you set the same MAC addresses on the NICs.

Another reason Netgate needs to move to a better licencing scheme - e.g. one account, one licence key for production; no key = 30 day limit (?) for test/dev?

I’m not sure how or when pfSense is going to implement the license change, but I was able to apply 23.09 to my box without any issues. It did say it couldn’t check for the latest version right after it came back up, but that has since gone back to the usual current version message.

I guess we’ll see. After the shitstorm, they probably thought it would be better to postpone that to a later version :wink:

However, if you don’t plan to pay for pfSense+ at some point in the future, I would recommend switching back to CE now. Because who knows if it will be as easy with later versions if the Plus version deviates too much from the CE version at some point.

I have the same feeling that LTS is biased towards Netgate, for good or bad, I cannot judge.

For example, Tom argues " There are not really any free alternatives that offer the feature set of pfsense and the documentation".
Personally, I find Netgate’s documentation outdated/not frequently updated and not professionally written, at least compared to VyOS and Ubiquiti’s documentation.

So, when someone argues that something is top-notch while it is less than top-notch, there is bias involved.

Well it doesn’t really matter, because at the end of the day you have to decide what’s the best option for you, and you can’t really blame Tom for not going on a crusade against Netgate…

I also think he’s generally right when he compares pfSense to other OSS firewalls, of which there aren’t many left that are well maintained and regularly updated with new features. Unifi, for example, while very popular among homelabbers, is neither free as in freedom nor free as in beer, so there’s no difference to pfSense+ in that respect. And VyOS may have better documentation, but it definitely doesn’t have the same target audience.

The only “real” competitor to pfSense CE is OPNsense, and I definitely don’t think the documentation there is any better.


Gotta agree with that. Coming from Merlin running on Asus routers, it was definitely easier to switch over to pfSense rather than OPNsense; I looked at both, and the latter at the time didn’t have as much information. Now it would take an investment of time to switch over; much easier to buy a Netgate device if I want Plus+, or I can switch over to CE.

That’s exactly the reason why I didn’t switch to OPNsense yet; also, pfSense CE does everything I need it to do.

However, I will never switch to pfSense plus in my homelab as long as any alternatives exist, even if those alternatives have less features or worse documentation than pfSense. I’ve always found a way to get my stuff working, and btw, I’m quite willing to pay for software. Matter of fact, I used to pay a lot for software, back in the days when software wasn’t tied to an account, and I could have pirated everything easily.

What I won’t do ever again, unless I absolutely have to, is messing around with activation and license keys, and I won’t tie my software to a vendor account that can change prices and terms of use at any given time, or even render my software completely useless.

I’m sorry bud, but at the end of the day pfsense is not found in an enterprise. WISP or some budget SMB setting, sure, but there is no enterprise touching this with a 10 ft pole.
Pfsense has no intelligence or built-in analytics. It’s just a NAT box. Nothing more, nothing less.


I’m not going to argue any further when people say pfsense isn’t for enterprises, so I’ll just leave all the job postings for enterprises that use pfsense here.

Well I think it’s a little more complex than that. :wink:

As far as I know and from what I have seen, there are large companies using it, but for very specific use cases and not as their primary firewall and filtering solution on their client networks. One thing is for sure though, large companies are used to much higher license fees. Sure, they might switch vendors as well if one vendor takes it too far, but certainly not for such a small amount as 129 dollars. :wink:

But why would I care whether it is used in enterprises in the first place? The only thing I care about is whether it fits my specific use cases. Besides, CE exists and won’t go away in the foreseeable future, so home users and businesses can continue to use it for free and without registration :slight_smile:

I may have to go with a Fortigate, there is an unofficial push in the university system I’m in to use Forti products. We have a couple in the larger campus and there are many other colleges that have a lot of Forti stuff in them. I need to chase down the costs and see what’s what.


Good luck. Fortigate still has CVEs that they refuse to fix, but you probably have no control over what the university wants to use. They are pretty pricey, though, unless you don’t need any of their modules (AV, IDS/IPS, etc.) and you just need to route traffic and set up VPN tunnels.

What are enterprises using?

25 results in a LinkedIn search, with the majority of them consulting agencies, isn’t the flex you think it is.

Look, it’s not about arguing the merits of any platform. The issue I find is that the homelab space very often conflates what businesses actually use. I’ve seen it many times on Reddit where someone would bring up that pfSense is exactly like a Palo because it’s running Suricata. C’mon…
I don’t think many users of pfSense really understand that the majority of their favorite packages (pfBlocker, Suricata/Snort, HAProxy) are all maintained by volunteers. So the moment that the maintainer decides not to work on your favorite package is the moment that package dies. No business should rely on that type of instability. So on top of it being a NAT box, it also doesn’t have formal (Netgate) support for popular packages. This is why Squid and SquidGuard receive no love. Take a look at the redmines open for Squid. The majority of them are unassigned because obviously there is no maintainer. We’re talking about regressions in the package that break connectivity that aren’t being looked at.
So you can send me job search links showing me which consulting agency wants a pfSense expert, but the reality is that if you do a search for Cisco or SRX or Palo the results are higher, because businesses require stability and support of a project that isn’t maintained by freelancers.
I would lastly say that the core pf project (what you install without any 3rd party packages, just the base) is supported by Netgate, and if that’s all a business cares about then that’s great, and paying $129/yr is fantastic for them. Can’t go wrong.


Let’s stop the FUD here. Which specific CVEs has Fortinet acknowledged and refused to fix? Please list those.

Stop parroting things. Do Fortigate appliances have CVEs? Yes. Does every vendor have CVEs? Yes.
Does that mean businesses shouldn’t use any appliance that has had CVEs? No.