Educause Security Discussion mailing list archives

Re: Firewalls


From: Chris Davis <Chris.Davis () PRIN EDU>
Date: Fri, 12 Jul 2013 14:47:16 +0000

Compared to what we were willing to spend.

From: Bradley, Stephen [mailto:bradlesw () MIAMIOH EDU]
Sent: Thursday, July 11, 2013 9:55 AM
Subject: Re: Firewalls

Sky high as compared to what?  We have Cisco 5585s with the IPS modules and our new PA-5050s were very reasonable 
comparatively speaking.  They are not replacing our Cisco units but adding to them.


On Thu, Jul 11, 2013 at 10:47 AM, Chris Davis <Chris.Davis () prin edu> wrote:
I too loved the PA product but couldn't stomach the price.  The PA 500 was way too small for my 100Mbit and 150 Mbit 
links.  I actually tested it on a 35Mbit link and the commit times were almost a minute whenever I made a change.  The 
5020 was priced sky high and I do mean SKY HIGH.  The real problem was that there was not a good fit for my 100/150 
Mbit links at the time.  Too little or too much.  The 3050 wasn't available.  We included Fortinet in the bid process 
as well, so for at least half of what the 5020s would cost me, I got two 2-unit HA clustered 600Cs.  They have been 
workhorses running AV, IPS, minimal content filtering (security and p2p).  CPU is under 20% usually, and memory around 
50 or 60%.  Commit time is pretty much instant and while the application stuff is not as elaborate as PA I've gotten 
used to working with it.  So far it has been a good deal for us.  The critical thing to do is make sure that you size 
it properly.  The thing that bothers me is that most of the vendor talk is bidirectional.  When they say 1 Gbps 
throughput, they mean total in and outbound.  Most circuits are labeled uni-directional.  1Gbps usually means 1 Gig up, 1 
Gig down.  If you don't account for that, you can find yourself vastly undersized.

Chris (a different one)
Chris Davis
CIS Security Director
The Principia

From: John Kaftan [mailto:jkaftan () UTICA EDU]
Sent: Wednesday, July 10, 2013 8:30 PM
Subject: Re: Firewalls

Chris:

What Fortigate unit did you have?  To be competitive price-wise we have to get into the PA 3050.  That box is not a beast 
by our estimation.  Single non-swappable power supplies really bum us out.  The interface is really clunky.  We have 
to wait 45 sec or more for each commit.  We also lose packets every time we make a config change and the logging is 
not very robust compared to the Fortigate.

We looked at total cost of ownership over 5 years and the PA 5020s were more than 2x the cost of the Fortigate 1000cs.  
According to specs these guys are supposed to be close.

Everybody we talk to seems to love PA though.  We feel like we are not getting it.  If the 3050 would cut it for us 
maybe we could consider them.  But the 3050 doesn't seem to compare to the Fortigate 1000c.  It isn't really an 
enterprise solution.

Thanks

On Wed, Jul 10, 2013 at 5:05 PM, Chris Golden <cgolden () leeuniversity edu> wrote:
We eval'd a Fortinet and used it for URL filtering, IDS/IPS, and Firewall rulesets and the thing ran 80-90% resources 
constantly.  I ended up with a PA-5020 and we have all these things running (and more) and we aren't even in double 
digits in terms of resources.

The PA-5020 is a beast.  For me it was difficult transitioning from a Checkpoint to the Palo Alto.  I was stuck in port 
mode and needed to think application layer.  But once the mindset changed, I'm extremely happy with the PA.

I have a 600MB connection that's constantly being used.  (mostly for Netflix and Youtube)

-Chris

Chris Golden
Director of IT Operations
Lee University
423.614.8020
cgolden () leeuniversity edu

From: John Kaftan <jkaftan () UTICA EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, June 28, 2013 2:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewalls

We have been using Fortinet 1000as for the last 6 years.  We are currently in a firewall RFP to replace these boxes and 
wonder if anyone out there can help.

We are planning on having two firewalls in an HA configuration.  We have about 1500 users on campus and about 2500 
distance and commuter students.  We have a 1 Gb internet connection.  We are only looking to protect our edge.

We are looking at the following options:

Fortigate 1000cs
Cisco ASA 5580s
Palo-Alto 5020s

Reading through the literature can be overwhelming with UTM firewalls.  I'd just like to know if anybody is using one 
of these platforms and the pros and cons you see.  Specifically, we are concerned about support and how the boxes 
perform as you turn on features, also usability.

Thanks

--
John Kaftan
IT Infrastructure Manager
Utica College
--
John Kaftan
IT Infrastructure Manager
Utica College
--
Stephen W. Bradley CISSP GCFA GCIH GWAPT SSCP
Senior Security Engineer
Miami University
IT Services
bradlesw () miamioh edu
513-529-1809