Educause Security Discussion mailing list archives

Re: Sonicwall NSA 4500


From: James Cooley <jcooley () FIT EDU>
Date: Tue, 28 Jul 2009 11:14:35 -0400

We have deployed several different models of the NSA series devices on campus along with Cisco ASA and Checkpoint 
devices depending on the required use. Our NSA 4500s are primarily used for departmental firewalls and we really
like them.  The gateway antivirus feature in particular has been of great use for blocking malware from websites and 
emails that our other solutions are not catching.

We've just deployed the NSA series devices in the past few months as replacements for our older Pro series Sonicwall 
devices. Among the Pro and NSA devices, we have not had any reliability issues with the devices crashing or locking
up, and our oldest Pro-series device had been running for a little over two years.

The NSA 4500 devices only have one power connection. With regard to making firewall rule modifications, they are
pretty easy with the Sonicwall using their web-based interface.

Firewall rules between PIX/ASA and the Sonicwall are a bit different.  If you had been using the command line interface 
on the PIX devices, you'll probably like the Web GUI on the Sonicwall.  Between ASDM and the Sonicwall interface 
though, I feel like I can make changes a lot quicker in the ASDM interface. Browsing through the IPS and A/V rules
through the Sonicwall web interface is a bit of a pain though.

Like the newer Cisco devices, Sonicwalls can take part in OSPF routing if you use that at your university.  However, 
you are out of luck if you need to do EIGRP.

One feature that really works well in our environment is the Layer-2 bridge mode.  With this mode, you can drop the
device right on the network without the need to change routing or addressing schemes.  In fact, if your PIX devices are 
working ok for you, you can open up the firewall on the Sonicwall devices and just use it to inspect traffic for 
AV/IPS and Anti-Spyware.

One thing you will likely miss though is the Cisco tech support.  Service contracts and such are much easier to manage 
with the Sonicwall devices, but their phone and email support is not up to par with the quality of the Cisco engineers 
you might have dealt with in the past.  In general, I'd call the tech support 'average', or what you would get with 
most vendors.

--
James Cooley
Information Security Officer
Florida Institute of Technology



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kellogg, 
Brian D.
Sent: Tuesday, July 28, 2009 10:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Sonicwall NSA 4500

We are getting close to a decision point on our firewall upgrade.  I wanted to ask the group for anyone's experiences 
with Sonicwall's newer NSA firewall.  We have run PIX firewalls for years without serious issues, but I am very 
interested in the added security features the NSA firewalls from Sonicwall offer at a much lower price point than 
Cisco.  My preference is to have separate boxes for separate tasks, but since that cannot be a reality here due to 
budget, Sonicwall seems to fit the bill when it comes to gateway AV, VPN, and IPS services.  Still on the fence though...



Thank you,

Brian Kellogg
Network Services Manager
St. Bonaventure University
716-375-4092

