Educause Security Discussion mailing list archives
Re: Firewalls
From: "Bradley, Stephen" <bradlesw () MIAMIOH EDU>
Date: Thu, 11 Jul 2013 10:55:04 -0400
Sky high as compared to what? We have Cisco 5585s with the IPS modules and our new PA-5050s were very reasonable comparatively speaking. They are not replacing our Cisco units but adding to them.

On Thu, Jul 11, 2013 at 10:47 AM, Chris Davis <Chris.Davis () prin edu> wrote:

I, too, loved the PA product but couldn't stomach the price. The PA 500 was way too small for my 100 Mbit and 150 Mbit links. I actually tested it on a 35 Mbit link and the commit times were almost a minute whenever I made a change. The 5020 was priced sky high and I do mean SKY HIGH. The real problem was that there was not a good fit for my 100/150 Mbit links at the time. Too little or too much. The 3050 wasn't available.

We included Fortinet in the bid process as well, so for at least half of what the 5020s would cost me, I got two 2-unit HA clustered 600Cs. They have been workhorses running AV, IPS, minimal content filtering (security and p2p). CPU is under 20% usually, and memory around 50 or 60%. Commit time is pretty much instant and while the application stuff is not as elaborate as PA I've gotten used to working with it. So far it has been a good deal for us.

The critical thing to do is make sure that you size it properly. The thing that bothers me is that most of the vendor talk is bidirectional. When they say 1 Gbps throughput, they mean total in and outbound. Most circuits are labeled uni-directional. 1 Gbps usually means 1 Gig up, 1 Gig down. If you don't account for that, you can find yourself vastly undersized.

Chris (a different one)

Chris Davis
CIS Security Director
The Principia

From: John Kaftan [mailto:jkaftan () UTICA EDU]
Sent: Wednesday, July 10, 2013 8:30 PM
Subject: Re: Firewalls

Chris:

What Fortigate unit did you have? To be competitive price-wise we have to get into the PA 3050. That box is not a beast by our estimation. Single non-swappable power supplies really bum us out. The interface is really clunky. We have to wait 45 sec or more for each commit. We also lose packets every time we make a config change and the logging is not very robust compared to the Fortigate.

We looked at total cost of ownership over 5 years and the PA 5020s were more than 2x the cost of the Fortigate 1000cs. According to specs these guys are supposed to be close.

Everybody we talk to seems to love PA though. We feel like we are not getting it. If the 3050 would cut it for us maybe we could consider them. But the 3050 doesn't seem to compare to the Fortigate 1000c. It isn't really an enterprise solution.

Thanks

On Wed, Jul 10, 2013 at 5:05 PM, Chris Golden <cgolden () leeuniversity edu> wrote:

We eval'd a Fortinet and used it for URL filtering, IDS/IPS, and Firewall rulesets and the thing ran 80-90% resources constantly. I ended up with a PA-5020 and we have all these things running (and more) and we aren't even in double digits in terms of resources.

The PA-5020 is a beast. For me it was difficult transitioning from a Checkpoint to the Palo Alto. I was stuck in port mode and needed to think application layer. But once the mindset changed, I'm extremely happy with the PA.

I have a 600 MB connection that's constantly being used (mostly for Netflix and Youtube).

-Chris

Chris Golden
Director of IT Operations
Lee University
423.614.8020
cgolden () leeuniversity edu

From: John Kaftan <jkaftan () UTICA EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, June 28, 2013 2:23 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Firewalls

We have been using Fortinet 1000as for the last 6 years. We are currently in a firewall RFP to replace these boxes and wonder if anyone out there can help.

We are planning on having two firewalls in an HA configuration. We have about 1500 users on campus and about 2500 distance and commuter students. We have a 1 Gb internet connection. We are only looking to protect our edge.

We are looking at the following options:

Fortigate 1000cs
Cisco ASA 5580s
Palo-Alto 5020s

Reading through the literature can be overwhelming with UTM firewalls. I'd just like to know if anybody is using one of these platforms and the pros and cons you see. Specifically, we are concerned about support and how the boxes perform as you turn on features, also usability.

Thanks

--
John Kaftan
IT Infrastructure Manager
Utica College

--
Stephen W. Bradley CISSP GCFA GCIH GWAPT SSCP
Senior Security Engineer
Miami University IT Services
bradlesw () miamioh edu
513-529-1809
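The sizing caveat raised in the thread (vendors quote aggregate in-plus-out throughput, while circuits are sold per direction) is easy to get wrong on a spreadsheet when several links and a headroom margin are involved. The following is an added sizing check, not code from any list member or vendor: it models each circuit as separate down/up capacities, sums them into the bidirectional figure a datasheet number has to cover, applies a caller-chosen headroom factor (an assumption, there is no standard value), and shortlists candidate boxes. The link and candidate figures in it are constructed placeholders, not real datasheet numbers.

```python
"""Firewall throughput sizing against bidirectional vendor figures.

Added example (not from the mailing-list thread). Assumptions:
  * a vendor "N Mbps" throughput figure counts inbound + outbound traffic
    together, as the thread describes;
  * a circuit quoted as "N Mbps" delivers N down AND N up;
  * ``headroom`` (>= 1.0) is a caller-chosen safety factor for enabling
    IPS/AV/URL filtering and growth; it is an assumption, not a vendor value.
Candidate names and numbers below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Link:
    """One internet circuit, with its uni-directional capacities in Mbps."""
    name: str
    down_mbps: float
    up_mbps: float


def required_bidirectional_mbps(links: Iterable[Link], headroom: float = 1.0) -> float:
    """Aggregate in+out load the firewall must carry with every link saturated.

    A single "1 Gbps" circuit therefore requires 2000 Mbps of bidirectional
    firewall throughput before any headroom is applied.
    """
    if headroom < 1.0:
        raise ValueError("headroom must be >= 1.0")
    return sum(link.down_mbps + link.up_mbps for link in links) * headroom


def fits(links: Iterable[Link], vendor_bidirectional_mbps: float, headroom: float = 1.0) -> bool:
    """True if a box quoting the given aggregate throughput covers the links."""
    return vendor_bidirectional_mbps >= required_bidirectional_mbps(links, headroom)


def shortlist(links: Iterable[Link], candidates: Dict[str, float], headroom: float = 1.0) -> List[str]:
    """Candidates (name -> quoted bidirectional Mbps) that meet the requirement,
    smallest adequate box first."""
    links = list(links)
    need = required_bidirectional_mbps(links, headroom)
    ok = [name for name, quoted in candidates.items() if quoted >= need]
    return sorted(ok, key=lambda name: candidates[name])


# Constructed sample inputs: a single 1 Gbps campus circuit and the
# two-link (100 + 150 Mbit) case mentioned in the thread.
CAMPUS_LINKS = [Link("campus-1G", down_mbps=1000, up_mbps=1000)]
TWO_SITE_LINKS = [Link("site-A", 100, 100), Link("site-B", 150, 150)]

# Placeholder vendor figures (NOT real datasheet values), quoted as in+out.
CANDIDATES = {"box-1G": 1000, "box-2G": 2000, "box-4G": 4000}

if __name__ == "__main__":
    need = required_bidirectional_mbps(CAMPUS_LINKS)
    print(f"1 Gbps circuit needs {need:.0f} Mbps bidirectional")
    print("fits at 1.0x:", shortlist(CAMPUS_LINKS, CANDIDATES))
    print("fits at 1.5x headroom:", shortlist(CAMPUS_LINKS, CANDIDATES, headroom=1.5))
```

Run as a script it shows why a box quoted at "1 Gbps" is undersized for a 1 Gbps circuit: the circuit saturated both ways is 2000 Mbps of firewall work, and any headroom for feature load pushes the requirement higher still.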
Current thread:
- Re: Firewalls Peter Setlak (Jul 03)
- <Possible follow-ups>
- Re: Firewalls Chris Golden (Jul 10)
- Re: Firewalls Bob Williamson (Jul 10)
- Re: Firewalls Nathaniel Hall (Jul 14)
- Re: Firewalls John Kaftan (Jul 10)
- Re: Firewalls Nathaniel Hall (Jul 14)
- Re: Firewalls Bob Williamson (Jul 10)
- Re: Firewalls Chris Davis (Jul 11)
- Re: Firewalls Bradley, Stephen (Jul 11)
- Re: Firewalls Chris Davis (Jul 12)
- Re: Firewalls randy (Jul 12)
- Re: Firewalls Alan Nord (Jul 17)