That’s cheap for Cisco; I’m begging for $5k to $6k each for 48 port switches, either Cisco or Extreme, depending on how “compatible” I want to be with some software support contracts. My Enterasys C5 switches cost $5k when I bought them too many years ago.
Yes, pfsense has Suricata or Snort, and you can license the good rules or stay on the community version.
As far as virus scan on all connections, there are issues with that and Tom has spoken a lot about this issue. The issue is that once you get into HTTPS, the data is encrypted at the server and the client. How can an AV scan the traffic in the middle? You can set up pfsense with its own certificate and use it as a “man in the middle” to decrypt traffic, scan it, and re-encrypt it. If another solution is saying something different, then they are either really good, or lying to you and using man in the middle.
There are also the Netgate NG products in the TNSR line; I have not done any research into these products.
And Tom says that if you need a lot of site filtering, he goes with Untangle. Third party e2guardian on pfsense works, but is more difficult to maintain because it is third party unofficial. Man in the middle still applies to filtering if you are using encrypted DNS; again, stuff is encrypted at server and client, so the middle cannot know what the traffic is doing without decrypting it. e2guardian grabs unencrypted DNS just fine but could be more optimized when you get into big lists of exceptions; at least I’m finding some issues here and there with my exceptions.