Educause Security Discussion mailing list archives

Re: NGFW Usage Information


From: "Ferguson, Michael" <mferguson () CHAPMAN EDU>
Date: Wed, 19 Apr 2017 22:42:50 +0000

It was about 2 years ago that we did our Next-Gen FW POC.  We didn't consider Juniper SRX's as finalists at the time 
because we were already running them at our DR site and the ability to manage complex policy configurations via a Web 
GUI was torturously slow.  We generally had to revert to CLI to do configuration changes because of problems with the 
Web UI.  It's gotten a little better since version 15, but in my humble opinion it's not at the level of usability of 
Palo Alto or Fortinet.  Otherwise, I think Juniper is a great networking company and we use them extensively in our 
network.

I can't speak about Checkpoint to any great degree, but I knew colleagues that had problems with them scaling at high 
levels of bandwidth usage, particularly when doing Application Control.  We therefore didn't include them as a finalist in 
our POC because of problems reported by others.  Hopefully CP has gotten better, but I think you would want to oversize 
by at least a factor of 2 (if not more) whatever they recommend to you.  I wish we had considered Sonicwall during our 
POC as I would've really liked to have known how well they perform.  But we factored them out because they just don't 
provide a meaningful CLI, unlike Palo Alto or Fortinet.  And regarding Cisco Firepower, the combination of 
ASA+Sourcefire is still too convoluted and doesn't compare to the usability of Palo Alto or Fortinet, yet it was 
supposed to be fully integrated by now when we talked to them 2 years ago.

So for our POC, the 2 finalists were a Palo Alto 5060 and a Fortinet 3700D (we also included Stonesoft--now owned by 
Forcepoint--but we ruled them out during testing due to stability problems which likely have been fixed by now).  We 
did multiple tests to both solutions, such as using a visibility fabric to copy our production traffic to each solution 
simultaneously, assessing Security Effectiveness (with NSS Labs' help) and finally overall ease of use and 
manageability.  But for us, the differentiator was running Breaking Point tests that simulated real-traffic flow so we 
could estimate expected performance for a certain amount of aggregate bandwidth, especially to know how each box would 
perform 3-5 years from now as our bandwidth increased.

The network topology for the Breaking Point tests was fairly simple:  1 10G ingress port and 1 10G egress port, turning 
on many NGFW features simultaneously:  App Control/ID, URL Filtering, A/V, IPS and Full Logging of all sessions.  The 
tests we ran included the base NSS Labs tests of sending 44K, 32K and 16K http packets at high rates.  We also used a 
breaking point test created by Palo Alto based on an AVR (Application Visibility Report) for edu customers and another 
breaking point test developed with Fortinet that simulated a high amount of multi-media content along with other 
applications like email, dns, ftp and p2p.

I can say the Fortinet 3700D performed twice as fast as the PAN 5060 in all tests, with no errors.  As a result, we 
selected Fortinet and we've been very happy with their solution since.  It was also 30% cheaper than the Palo Alto 
solution.  And we feel it gives us at least 3 more years of full capability before we have to think about upgrading.  
However, if we had chosen PAN, we would probably need to think about upgrading next year due to some of the performance 
limitations we noticed during our Breaking Point tests.

That said, Palo Alto has finally come out with their 5200 series of firewall boxes that hopefully overcome the 
performance issues we noticed with the 5000 series.  I can't speak to how well they've improved in this new line, but I 
would certainly throw a Breaking Point at it to confirm.  In the case of ease-of-use, Palo Alto did a little better 
than Fortinet, but not by much.  Also, PAN's tech support is well-known to be very good, but we've found Fortinet's 
support to be perfectly adequate and better than other vendors' support that we rely on.


--
Mike Ferguson
Chapman University
Network Manager
714-744-7873
mferguson () chapman edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Miller, 
Richard H
Sent: Wednesday, April 19, 2017 2:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NGFW Usage Information

Unless things have changed, the problem with CP is that it is hard to get it into a high (> 10GB) performance mix. The 
PC architecture breaks down as the rate goes up, which is one of the reasons we went away. In particular we had serious 
issues with throughput using 10GB PCI cards. The chassis architecture of both the Palo Alto and the Juniper support 
multi-gig throughput. Juniper will support 100GB interfaces and should be able to pass 100GB+ of traffic. In our case we 
are already approaching consistent 10GB traffic, so the ability to go higher is important. They do now have appliances that 
have 40GB interfaces, and the carrier grade may reach 100GB.

I also have some reservations about combining IPS and NGFW in the same box when you start getting to these rates. Palo 
Alto appears to be able to combine both functions at higher data rates. 

In any case, get your vendors to do a PoC and try to span your interface to see if the proposed gear can handle your 
traffic. (You also can record it off and replay it to simulate higher volumes. It is not as real as live traffic, but 
you can usually find the bottlenecks.)


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Epstein
Sent: Wednesday, April 19, 2017 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NGFW Usage Information

We are a Checkpoint shop.  Previously, we had a separate IPS, but chose to use Checkpoint's IPS blade instead.  Just 
like all IDS/IPS, it needs a lot of care and feeding.

The one thing I like about Checkpoint is that I can run it on my own hardware.  We have specific needs for copper and 
fiber.  By buying a Dell server, we are able to populate it with the exact NICs we need at a huge cost savings over 
purchasing a ready-made appliance.

I also like that Checkpoint can attach IPv4 and IPv6 addresses to the same object.  This reduces the number of objects 
in the ruleset significantly.

Thanks,
Brian

On 04/19/2017 09:46 AM, Pardonek, Jim wrote:
I've finally been able to convince our leadership to pursue swapping 
out our IPS and ASAs for a set of next gen firewalls.  We are still 
in the evaluation phase, and as a part of our evaluations we are asked 
by senior leadership to query other universities to get a barometer of 
what is being used.  If you would (and you can PM me), let me know if 
you have an NGFW and what it is (not needing specifics).  It will help 
us with our decision.  The 3 we looked at were Palo Alto, Check Point, 
and Cisco Firepower.

Appreciate any responses in advance!

Best,

Jim

James Pardonek, MS, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660
(773) 508-6086

-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78