Educause Security Discussion mailing list archives

Re: Firewalls


From: Benjamin Parker <parkerbc () MOUNTUNION EDU>
Date: Sat, 29 Jun 2013 00:50:36 -0400

John,
First, full disclosure: I will soon be starting as a reseller engineer that
sells Palo Alto.

We did our firewall upgrade/bake-off about 2 years ago now. At that time,
we chose a PA 4050, which the 5020s would be comparable to. Our FTE is
about 2300, with 2000+ living on campus. The PA was able to successfully
handle not just our edge; we can, and have, also used it to zone off
various other internal network segments. I would highly recommend getting a
demo unit of it and having it at least installed in tap mode.

As far as the UTM versus next-gen firewall specs and performance go, the
basic difference is in the rule flow and the order in which you make rules
or apply the extra policies. Most of the firewalls can end up doing the same
thing in the end; the question comes down to where or how you configure
everything and what the performance hit is. The Palo Alto's claim to fame
(marketing) is that they aren't a UTM because they do everything in one pass
from one policy. This is generally true, and as such they don't experience
much of a performance hit.

As far as usability, the PA is easy to set up and configure. I don't have
much experience with the others. The real question with usability will be
learning to think about firewall policies as application-based, not just
port- and protocol-based. That is the biggest adjustment you will have to
make.

In summary, really just do an eval/demo so you can see for yourself; any of
these vendors should be willing to do that.
Let me know if you have any additional questions.

Ben Parker
Network Engineer
University of Mount Union
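[Editor's note: the following is an added illustration, not part of Ben's message and not Palo Alto's own policy syntax. It models the port-based versus application-based distinction he describes with a small first-match rule engine in Python. The zone names, rule names, application labels and the three flows are constructed for the example; the "app" field stands in for whatever an application-identifying firewall's classifier decides a flow is, and the engine assumes a first-match rulebase closed by an implicit deny.]

```python
"""Port-based vs application-based firewall policy, as a small simulation.

Added example (not from the mailing-list message or any vendor). Flows carry
the destination port the client used and the application the firewall's
classifier identified from the payload. A port-based rule matches only on
zones/protocol/port; an application-based rule also requires the identified
application to match, and may leave the port unspecified.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    app: str  # application the classifier identified (assumed label)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src_zone: Optional[str] = None       # None means "any"
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    apps: FrozenSet[str] = frozenset()   # empty set means "any application"

    def matches(self, f: Flow) -> bool:
        return (
            (self.src_zone is None or self.src_zone == f.src_zone)
            and (self.dst_zone is None or self.dst_zone == f.dst_zone)
            and (self.proto is None or self.proto == f.proto)
            and (self.dst_port is None or self.dst_port == f.dst_port)
            and (not self.apps or f.app in self.apps)
        )


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation; an implicit deny closes the rulebase."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Port-based policy: "web out" is whatever shows up on tcp/443 and tcp/80.
PORT_BASED = [
    Rule("https-out", "allow", "inside", "outside", "tcp", 443),
    Rule("http-out", "allow", "inside", "outside", "tcp", 80),
]

# Application-based policy: "web out" is whatever the classifier says is web
# traffic, on any port; anything else falls through to the implicit deny.
APP_BASED = [
    Rule("web-out", "allow", "inside", "outside", "tcp",
         apps=frozenset({"web-browsing", "ssl"})),
]

# Constructed flows for the example (not captured traffic).
FLOWS = {
    "https-443":    Flow("inside", "outside", "tcp", 443, "ssl"),
    "ssh-on-443":   Flow("inside", "outside", "tcp", 443, "ssh"),
    "http-on-8080": Flow("inside", "outside", "tcp", 8080, "web-browsing"),
}


def compare(flows=FLOWS):
    """Verdict of each policy for each flow, keyed by flow name."""
    return {
        name: {
            "port_based": evaluate(PORT_BASED, f)[0],
            "app_based": evaluate(APP_BASED, f)[0],
        }
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, v in compare().items():
        print(f"{name:13s} port-based={v['port_based']:5s} "
              f"app-based={v['app_based']}")
```

The two policies disagree in both directions: the port-based rulebase lets SSH through on tcp/443 because it never looks past the port, while the application-based one denies it; conversely the application-based rule allows web browsing on tcp/8080, which the port-based rulebase drops. That is the adjustment in thinking the message refers to: the rule describes what the traffic is, not which port it arrived on.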
On Jun 28, 2013 2:24 PM, "John Kaftan" <jkaftan () utica edu> wrote:

 We have been using Fortinet 1000as for the last 6 years.  We are
currently in a firewall RFP to replace these boxes and wonder if anyone out
there can help.

 We are planning on having two firewalls in an HA configuration.  We have
about 1500 users on campus and about 2500 distance and commuter students.
 We have a 1 Gb internet connection.  We are only looking to protect our
edge.

 We are looking at the following options.


 Fortigate 1000cs
Cisco ASA 5580s
Palo-Alto 5020s

 Reading through the literature can be overwhelming with UTM firewalls.
 I'd just like to know if anybody is using one of these platforms and the
pros and cons you see.  Specifically, we are concerned about support and
how the boxes perform as you turn on features, also usability.

 Thanks

 --
John Kaftan
IT Infrastructure Manager
Utica College


