nanog mailing list archives

RE: sub $500-750 CPE firewall for voip-centric application


From: Nick Ellermann <nellermann () broadaspect com>
Date: Thu, 5 May 2016 18:51:08 +0000

You're exactly right, Mel. Dell has really turned the SonicWall platform around in the past few years. We dropped it a 
year or two before Dell took them over. Back then SonicWall was full of issues and lacked important features that our 
enterprise customers required. If you have budget, Palo Alto is something to look at as well, but don't overlook 
SonicWall and FortiGate.  


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
 
E: nellermann () broadaspect com 
P: 703-297-4639
F: 703-996-4443
 
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the 
intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments 
from all computers.


-----Original Message-----
From: Mel Beckman [mailto:mel () beckman org] 
Sent: Thursday, May 05, 2016 2:49 PM
To: Nick Ellermann <nellermann () broadaspect com>
Cc: Ken Chase <math () sizone org>; nanog () nanog org
Subject: Re: sub $500-750 CPE firewall for voip-centric application

I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto firewalls.  The best SMB devices are 
definitely SonicWall and Fortigate. SonicWalls are easier to configure, but have fewer features. Fortigate has many 
knobs and dials and a very powerful virtual router facility that can do amazing things. The two vendors have equivalent 
support in my opinion, although Fortigate tends to be more personal (Dell is big and you get random techs). 

Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but mostly I think because they're Cisco-only. 
PaloAlto is expensive for what you get. Functionally they are on the same level as Fortigate, with a slightly more 
elegant GUI. But Fortigate can be configured via a USB cable, which is a huge advantage in the field. Legacy RS-232 
serial ports are error-prone and slow.

 -mel

On May 5, 2016, at 11:39 AM, Nick Ellermann <nellermann () broadaspect com> wrote:

We have a lot of luck with smaller VoIP customers having all of their services run through a FortiGate 60D, or higher 
models. The 60D is our go-to solution for small enterprise. However, if we are the network carrier for a particular 
customer and they have a VoIP deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, 
which is more about voice support and handset management than anything.  You do need to disable a couple of things on 
the FortiGate, such as the SIP Session Helper and ALG.  We never have voice termination, origination or call quality 
issues because of the firewall. 
FortiGate has a lot of advanced features as well as fine-tuning and adjustment capabilities for the network 
engineering type and is still easy enough for our entry-level techs to support. Most of our customers have heavy VPN 
requirements and FortiGates have great IPsec performance.  We leverage a lot of the network security features and 
have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring 
platform and Fortinet's FortiAnalyzer platform. 

Worth looking at, if you haven't already. If you want to private message me, happy to give more info. 


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
 
E: nellermann () broadaspect com
P: 703-297-4639
F: 703-996-4443
 
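Nick's remark about disabling the SIP Session Helper and ALG is the one concrete configuration step in the thread. The following is an added example of how that is done from the FortiOS CLI; it is not from Nick's post, the original thread, or Fortinet's own documentation. It assumes FortiOS 5.4/6.x CLI syntax, that the SIP session helper is entry 13 in the session-helper table (the usual default, but the id must be confirmed with `show` before deleting), and that lines beginning with `#` are comments for the reader.

```fortios
# Added example, not from the original post. FortiOS 5.4/6.x syntax assumed.

# Step 1: make sure the proxy-based SIP ALG (voip profile) is out of the path.
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config voip profile
    edit default
        config sip
            set status disable
            set rtp disable
        end
    next
end

# Step 2: remove the kernel SIP session helper. List the table first; the
# entry named "sip" on UDP/5060 is usually id 13, but verify before deleting.
config system session-helper
    show
    # expected entry (the id may differ on your unit):
    #   edit 13
    #       set name sip
    #       set protocol 17
    #       set port 5060
    #   next
    delete 13
end

# Step 3: turn off the remaining SIP-specific handling.
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end

# Verify. Sessions that already exist keep the old helper until they expire,
# so clear the SIP sessions (or reboot), confirm the helper entry is gone,
# and watch registrations pass without the firewall rewriting SIP headers.
diagnose sys session filter dport 5060
diagnose sys session clear
show system session-helper
diagnose sniffer packet any 'udp port 5060' 4 20
```

Once the helper and ALG are off, the FortiGate no longer opens RTP pinholes or rewrites Contact/Via/SDP addresses on behalf of the phones, so NAT traversal has to come from the PBX or SBC side (far-end NAT traversal, STUN, or a fixed public-to-private port mapping), and the firewall policy for the voice subnet must explicitly allow the RTP port range the PBX uses. Check a registration and a two-way call after the change before declaring it done.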


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Ken Chase
Sent: Thursday, May 05, 2016 1:54 PM
To: nanog () nanog org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead 
of dealing with a mess of different vendors at cust premises.

I've run into a few firewalls that were not SIP or H.323 friendly, however, so I'm wondering what your experiences are. 
Need something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current 
gear/buy additional gear.

Basic firewalling of course is covered, but we also need port range forwarding (not available until later ASA versions, 
for example, which was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and 
VPN capabilities (not sure if many do without #seats licensing schemes, which get irritating for clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell preferred). I realize a pfSense unit would 
be great, but it might not have enough brand name recognition to make the master client happy plopping it down as a CPE 
at end client sites. (I know, "there's only one brand, Cisco." The ASA5506-X is a bit $$ and the licensing acrobatics 
get irritating for end customers.)

/kc
--
Ken Chase - Guelph Canada

