Re: Firewalls

["Bradley, Stephen" <bradlesw () MIAMIOH EDU>]

Sky high as compared to what?  We have Cisco 5585s with the IPS modules and
our new PA-5050s were very reasonable comparatively speaking.  They are not
replacing our Cisco units but adding to them.



On Thu, Jul 11, 2013 at 10:47 AM, Chris Davis <Chris.Davis () prin edu> wrote:

>  I too, loved the PA product but couldn’t stomach the price.  The PA 500
> was way too small for my 100Mbit and 150 Mbit links.  I actually tested it
> on a 35Mbit link and the commit times were almost a minute whenever I made
> a change.  The 5020 was priced sky high and I do mean SKY HIGH.  The real
> problem was that there was not a good fit for my 100/150 Mbit links at the
> time.  Too little or too much.  The 3050 wasn’t available.  We included
> Fortinet in the bid process as well,  so for at least half of what the
> 5020s would cost me, I got two, 2-unit HA clustered 600Cs.  They have been
> workhorses running AV, IPS, Minimal content filtering (security and p2p).
> CPU is under 20% usually, and memory around 50 or 60%.  Commit time is
> pretty much instant and while the Application stuff is not as elaborate as
> PA I’ve gotten used to working with it.  So far it has been a good deal for
> us.  The critical thing to do is make sure that you size it properly.  The
> thing that bothers me is that most of the vendor talk is bidirectional.
> When they say 1 Gbps throughput, they mean total in and outbound.  Most
> circuits are labeled uni-direction.  1Gbps usually means 1 Gig up, 1 Gig
> down.  If you don’t account for that, you can find yourself vastly
> undersized.  ****
>
> ** **
>
> Chris (a different one)****
>
> Chris Davis****
>
> CIS Security Director****
>
> The Principia****
>
> ** **
>
> *From:* John Kaftan [mailto:jkaftan () UTICA EDU]
> *Sent:* Wednesday, July 10, 2013 8:30 PM
> *Subject:* Re: Firewalls****
>
> ** **
>
> Chris:****
>
> ** **
>
> What Fortigate unit did you have?  To be competitive price wise we have to
> get into the PA 3050.  That box is not beast by our estimation.  Single
> non-swappable power supplies really bums us out.  The interface is really
> clunky.  We have to wait 45 sec or more for each commit.  We also loose
> packets every time we make a config change and the logging is not very
> robust compared to the Fortigate.****
>
> ** **
>
> We looked at total cost of ownership over 5 years and the PA 5020s were
> more than 2x the cost of the Fortigate 1000cs.  According to specs these
> guys are supposed to be close.****
>
> ** **
>
> Everybody we talk to seems to love PA though.  We feel like we are not
> getting it.  If the 3050 would cut it for us maybe we could consider them.
>  But the 3050 doesn't seem to compare to the Fortigate 1000c.  It isn't
> really an enterprise solution.****
>
> ** **
>
> Thanks****
>
> ** **
>
> On Wed, Jul 10, 2013 at 5:05 PM, Chris Golden <cgolden () leeuniversity edu>
> wrote:****
>
> We eval'd a Fortinet and used it for URL filtering, IDS/IPS, and Firewall
> rulesets and the thing ran 80-90% resources constantly.  I ended up with a
> PA-5020 and we have all these things running (and more) and we aren't even
> in double digits in terms of resources. ****
>
> ** **
>
> The PA-5020 is a beast.  For me it was difficult transitioning from a
> Checkpoint to the Palo Alto.  I was stuck in port mode and needed to think
> application layer.  But once the mindset changed, I'm extremely happy with
> the PA. ****
>
> ** **
>
> I have a 600MB connection that’s constantly being used.  (mostly for
> Netflix and Youtube)****
>
> ** **
>
> -Chris****
>
> ** **
>
> Chris Golden****
>
> Director of IT Operations****
>
> Lee University ****
>
> 423.614.8020****
>
> cgolden () leeuniversity edu****
>
> ** **
>
> *From: *John Kaftan <jkaftan () UTICA EDU>
> *Reply-To: *The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Friday, June 28, 2013 2:23 PM
> *To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *[SECURITY] Firewalls****
>
> ** **
>
> We have been using Fortinet 1000as for the last 6 years.  We are currently
> in a firewall RFP to replace these boxes and wonder if anyone out there can
> help. ****
>
> ** **
>
> We are planning on having two firewalls in an HA configuration.  We have
> about 1500 users on campus and about 2500 distance and commuter students.
>  We have a 1 Gb internet connection.  We are only looking to protect our
> edge.****
>
> ** **
>
> We are looking at the following options.  ****
>
> ** **
>
> ** **
>
> Fortigate 1000cs****
>
> Cisco ASA 5580s****
>
> Palo-Alto 5020s****
>
> ** **
>
> Reading through the literature can be overwhelming with UTM firewalls.
>  I'd just like to know if anybody is using one of these platforms and the
> pros and cons you see.  Specifically, we are concerned about support and
> how the boxes perform as you turn on features, also usability.****
>
> ** **
>
> Thanks****
>
> ** **
>
> -- ****
>
> John Kaftan****
>
> IT Infrastructure Manager****
>
> Utica College****
>
> ** **
>
>
>
> ****
>
> ** **
>
> -- ****
>
> John Kaftan****
>
> IT Infrastructure Manager****
>
> Utica College****
>
> ** **



-- 
Stephen W. Bradley CISSP GCFA GCIH GWAPT SSCP
Senior Security Engineer
Miami University
IT Services
bradlesw () miamioh edu
513-529-1809