SonicWall vs. pfSense

I would like to have some outside perspective on the following scenario.

We have a SonicWall NSA 3650 with SonicWall Advanced Gateway Security Suite ($2560/year).
We have two offices (NY, LA), ~160 employees, ~30-40 remote workers. The LA site uses site-to-site VPN heavily to connect to RDS. There are not many public-facing services, just 3-4 site-to-site links (datacenter, AWS). 1 Gig shared commercial internet. Velocloud SDWAN in front of the SonicWall.

I was considering switching to pfSense (for example an SG-8200) with TAC Pro or TAC Enterprise support (upfront $1400, +$400 or $800 for support).

This was the answer:

  • NSA 3650 is aging hardware (CDW offered us a new one if we sign for 3 years)
  • we have constant issues (if someone tries to upload large files, it just can’t handle the traffic, for example Google Drive) - this could be a config issue
  • we don’t do any content filtering
  • both of us (who manage the SonicWall) have experience with pfSense at home, and we have a Netgate 1537 in the LA office

pfSense Pros:

  • new hardware with optional HA
  • better UI (much more intuitive)
  • OpenVPN (license free)
  • better tools to troubleshoot and monitor

SonicWall Pros:

  • works relatively ok
  • we have most of the things configured

Am I just too enthusiastic because pfSense works well at home? (I wouldn’t mind investing in the time to reconfigure and change it. Good opportunity to clean up and remove old stuff.)

I have implemented Netgate appliances from Netgate 1100s to 8200s in HA in 20 different companies. They all run some sort of site-to-site without any issue at all. Even remote VPN with OpenVPN without issue.

I don’t care what anyone else says about pfSense. I literally run this in enterprise environments and it has served me well. I do utilize their TAC Enterprise support on the HA’d 8200s and they are pretty helpful the times I have used them. I did talk to someone that didn’t speak very good English at one point, but I got through it and the issue was resolved in a timely manner. But that is about the only dig I have had with Netgate.

In your screenshot of blaming someone else, you can probably still do that and put the blame on Netgate if you have TAC support. But I’d argue that you already know what you are getting into with a Netgate setup. No real reason to point fingers if you are an experienced sysadmin or network engineer. Sounds like those dudes/gals aren’t very good at their job and don’t want to be held accountable for anything.


I have heard the “I have someone to point at” argument, but I have not known ANYONE that has received any compensation or help when their FortiGate or SonicWall was the source of their security breach. All those large companies (Netgate too) have a team of lawyers that make sure the terms and conditions you agree to hold them harmless of any responsibility.

Thank you for the answers. I don’t want to judge anybody. My style is more: let’s redo it (or repair it) if we don’t fully understand it. The other approach is: we shouldn’t touch it if it is working.

Honestly, I can’t recall what support we get from SonicWall. Once they messed up some firmware which caused VPNs to drop; they repaired it in days.

I would want to switch and not just because of the cost savings.

I can tell you that when I had a site-to-site OpenVPN between home and work, pfSense never gave me problems with several large (gigabytes) file transfers. I would expect OPNsense to provide the same, but I’m not using this feature right now (was working too many hours after work and not getting paid, so I shut off the site-to-site).

I should add that Forti has an impressive sales force, and cheerleaders around every corner. The college system I work at has these devices practically everywhere, and people seem to love them enough to forgive the rather large flaws and exploits. Never had the chance to work with the one at my facility; hope I never have that chance because I’m going to want to switch it immediately. Sometimes the old ways never die, and sometimes it’s about insurance companies who don’t know anything but check off some boxes.

Like Tom mentioned above, people come up with this as an answer, but I’ve never heard of the outcome being better for an employee/IT person because they could point the finger.

The company and the big C-suite people don’t give a damn if it was Fortinet’s fault or Netgate’s fault, it’s just the IT person’s fault.

“We got breached because of Fortinet’s failures” doesn’t matter, then they just ask “why did you choose Fortinet???” It’s not a real defense.

On top of that, if you look at the track record of Fortinet and SonicWall specifically (but also even others like Cisco, which don’t have quite the horrible track record), they are trash when it comes to security issues. Simple basic bugs that would be caught by basic security auditing of their own code base happen many times per year to them, it’s nuts.

So then that brings in the other question: is getting breached but having a finger to point worth it? Or would you rather just not have that happen in the first place? (Not to imply pfSense will never have an issue, but its track record is FAR better.)

The last thing you have to consider/ask yourself is about all the gateway “security” features like gateway A/V, DPI SSL, etc… Not only do those things rarely actually catch much, if anything, but unless you have some legal requirement, are often not even recommended to use (except by the companies that make them and make licensing money).

DPI SSL/TLS almost always lowers security: not only are you putting a trusted single point of failure in place that can see all traffic unencrypted, but you’ll still have issues with HSTS websites, and it’s super common that firewalls don’t update to new TLS standards very fast, so now your devices (which may support a new TLS version) are effectively downgrading their connection.

And IMO even if you have some legal or insurance requirement to have TLS interception, do it either at the client level with EDR/XDR, or implement SASE with a big provider like Cloudflare that has more resources and is less likely to have issues (since it’s still a single point of failure), and will keep TLS versions up to date.

Long answer, sorry lol. I find no real reason to go with the “bigger” vendors at this point. I have a ton of pfSense firewalls in place and work with some very large vendors that have also switched over to pfSense. I personally consider a lot of the bigger brands almost “legacy” at this point, at least for their blinky boxes that promise security (since many offer more cloud SASE-style products now too).
