pfSense Next Generation Firewall configuration?

I’m new to open source firewalls, so don’t beat me up too bad, guys! I noticed that OPNsense has a plugin, Sensei (Zenarmor), that is touted to make it a Next Gen firewall. Does pfSense have a similar plugin? If not, are there ways to make pfSense more like the current Next Gen firewalls on the market, i.e. Cisco Firepower, Palo Alto PA series? Also, does it make reporting easy, as proof for clients?

I have never tested it, but Zenarmor is offered for pfSense.

If you want real “next-gen” firewalls (and you should want them), neither pfSense nor OPNsense is going to cut it, no matter what plugins you slap on them. They are both basic stateful packet inspection firewalls that, in today’s threat landscape, are next to irresponsible to use for anything other than simple network segmentation. They offer no real security.

If you want to do yourself (and your clients) a favor, get a commercial firewall with proper layer 7 inspection and application intelligence. It doesn’t even have to be something as expensive as Palo Alto. Your el-cheapo off-the-shelf Sophos box runs circles around pfSense/OPNsense when it comes to security.

2 Likes

It’s a hard truth! That’s what all my research has been pointing to. I was just hoping for something more consumer-price friendly. In today’s gigabit-abundant homes, trying to find a next-gen firewall that costs less than a gaming PC is near impossible. I really like what Sophos has, but their firewalls and support are expensive, especially in the gigabit range. Guess I’ll have to just offer a basic pfSense firewall service, and if they want Next-Gen it’s just going to cost…

You can get a solid Sophos XG for way less than a gaming rig. They are sold for less than what’s on the official sticker. Find a Sophos partner and talk to them. I’d say you will get a Sophos with gigabit throughput and all subscriptions for less than 1000 USD. I didn’t pay more than that for my XG85.

You probably don’t need the full subscription package either. There are loads of pay-for features you won’t need.

Another solid option is Fortinet. You’ll find multiple gigabit-throughput options there for less than 1000.

I was under the impression that the XG is the older hardware and the XGS is what they are now selling. Also that there were different connections to the endpoint protections. If not, then I’m definitely going with the XG85 instead of the XGS.

Sorry, I just saw this now. Yes, the XG is the “older” model, and the XGS is a newer iteration of that. The XGS has a bit more muscle under its shirt.

1 Like

I’ve been trying to study more about the key problem that makes pfSense not NextGen (NG):
This is the layer 7 inspection and application intelligence. Where can I find more about this? Undefined, this is hard to check.

https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#firewall-stateful

Also, what prevents the organization from defaulting to everything blocked and whitelisting approved sites?

If you need a good layer 7 filter, then pfSense is not the ideal platform to use.