Re: Firewalls

[Nathaniel Hall <educause-lists () NATHANIELHALL COM>]

Absolutely. The port to App-ID change can take some getting used to but 
you can, luckily, still use port based rules. I just finished helping a 
client move from Check Point to Palo Alto. For the time being they 
wanted to move to port only rules in PA to make sure everything was 
working correctly and then slowly migrate to App-ID when they had more 
time and could verify things were working correctly.

I've run Fortinet and had the same issues. The FortiGates and the 
FortiAnalyzers would max out resources. Slow connections and I would 
even have alerts sent out 4+ hours after the event. Makes the analyzer 
pretty useless for what I was using it for.

--
Nathaniel Hall

On 7/10/2013 6:08 PM, Bob Williamson wrote:
> We are a small boarding school of 500 users.  100mps up and down.
>
> I agree whole heatedly regarding the PA.  The mindset of apps vs ports 
> is a tough transition and I would even suggest it makes the system 
> more complex.  BUT part of the complexity in our environment is 
> because our students range from pre-k to 12th so we have to have crazy 
> rules depending on ages/times/etc.
>
> With a high end Watchguard we could not get the throughput the PA500 
> is giving us.  When we do hit it hard, the Skype users don't even miss 
> a beat.
>
> I have also had good luck with the tech support.
> Bob
>
> Sent from my iPad
>
> On Jul 10, 2013, at 2:05 PM, "Chris Golden" <cgolden () LEEUNIVERSITY EDU 
> <mailto:cgolden () LEEUNIVERSITY EDU>> wrote:
>
> > We eval'd a Fortinet and used it for URL filtering, IDS/IPS, and 
> > Firewall rulesets and the thing ran 80-90% resources constantly.  I 
> > ended up with a PA-5020 and we have all these things running (and 
> > more) and we aren't even in double digits in terms of resources.
> >
> > The PA-5020 is a beast.  For me it was difficult transitioning from a 
> > Checkpoint to the Palo Alto.  I was stuck in port mode and needed to 
> > think application layer.  But once the mindset changed, I'm extremely 
> > happy with the PA.
> >
> > I have a 600MB connection that’s constantly being used.  (mostly for 
> > Netflix and Youtube)
> >
> > -Chris
> >
> > Chris Golden
> > Director of IT Operations
> > Lee University
> > 423.614.8020
> > cgolden () leeuniversity edu <mailto:cgolden () leeuniversity edu>
> >
> > From: John Kaftan <jkaftan () UTICA EDU <mailto:jkaftan () UTICA EDU>>
> > Reply-To: The EDUCAUSE Security Constituent Group Listserv 
> > <SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
> > Date: Friday, June 28, 2013 2:23 PM
> > To: "SECURITY () LISTSERV EDUCAUSE EDU 
> > <mailto:SECURITY () LISTSERV EDUCAUSE EDU>" 
> > <SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
> > Subject: [SECURITY] Firewalls
> >
> > We have been using Fortinet 1000as for the last 6 years.  We are 
> > currently in a firewall RFP to replace these boxes and wonder if 
> > anyone out there can help.
> >
> > We are planning on having two firewalls in an HA configuration.  We 
> > have about 1500 users on campus and about 2500 distance and commuter 
> > students.  We have a 1 Gb internet connection.  We are only looking 
> > to protect our edge.
> >
> > We are looking at the following options.
> >
> >
> > Fortigate 1000cs
> > Cisco ASA 5580s
> > Palo-Alto 5020s
> >
> > Reading through the literature can be overwhelming with UTM 
> > firewalls.  I'd just like to know if anybody is using one of these 
> > platforms and the pros and cons you see.  Specifically, we are 
> > concerned about support and how the boxes perform as you turn on 
> > features, also usability.
> >
> > Thanks
> >
> > --
> > John Kaftan
> > IT Infrastructure Manager
> > Utica College