Firewall Wizards mailing list archives
Re: Once again..appliance firewall input requested
From: Jason Hamilton <Jason.Hamilton () InfoTechFL Com>
Date: Fri, 21 Jan 2005 17:33:55 -0500
Second vote for the PIX. I have been using CheckPoint FW-1 for years, and although it has an amazingly intuitive interface, the PIX boxes haven't been brain surgery to set up either. I had one PIX dead out of the box, but it was replaced by Cisco via a person who drove 2 hours to get it on-site by the COB the same day. The functionality of the failover is first rate, and the amount of documentation both on their site and the WWW generally gets you through any questions without having to bother TAC.

Jason

On Fri, Jan 21, 2005 at 03:18:51PM -0600, Victor Williams wrote:
> I have basically all the same requirements as you. I use Cisco PIX, and won't use anything else. You can buy 2 brand new units (1 unrestricted, 1 failover) of the PIX 515E for less than $9000 total with 6 physical interfaces and a VPN Accelerator card.
>
> As always, get the 24x7 support/replacement contracts for each device, just in case one goes bad. Thing I like about Cisco, they don't muck around trying to troubleshoot. If you call in and say "It's dead Jim", they have another one shipped before you get off the phone.
>
> I have yet to see an intuitive interface in a firewall product...they all have their interpretation of similar/same feature sets, but I have come to like Cisco's PDM for their PIX. It all happens over SSL, and depending on your connection to the device can be clunky, but I find it very usable. That being said, give me CLI any day.
>
> Personally, I haven't had a PIX die yet (I know people who have though, and they've gotten replacements within the same day), but I've been using them for over 5 years. Nothing but rock solid performance for me.
>
> As for logging, PIX sends it all to SNMP traps or Syslog servers. I never wanted a firewall to do that for me, I always just wanted a dump of the data, and I pick what data I want by my own means, so the PIX logging may not be enough for you.
>
> Matt Bazan wrote:
> > Ok <takes deep breath>..I may be in need of a replacement solution for our current firewall appliances (two NetScreen 50s running in an active / passive high availability solution). For reasons I won't get into (NS being purchased by Juniper?) my trust in these units has been badly eroded. I'd like input on what people are using and their satisfaction levels with them. Our requirements:
> >
> > 1) We run a rapidly growing 24X7 web presence. As our Internet uplink is 4Mb (ok, this will soon be going up..but only by a couple Mb..) we don't need a beefy packet pushing device.
> > 2) We have 25 or so inbound NATs. I like to have 'granular' control over source and dest NAT. By this I mean being able to split these features based upon traffic flow and not having to create the typical bi-directional NAT mapping.
> > 3) Need for 20 or so box-to-box VPNs. Auto key and manual key with the usual VPN flavors
> > 4) The basic requirements for setting policy based access (blah blah)
> > 5) 3 interfaces (4 ideal)
> > 6) High availability solution
> > 6) Static routing only
> > 7) Intuitive web gui
> > 8) 'Robust' command line feature set
> > 9) Detailed reporting
> > 10) Configuration flexibility a must. I'll leave this to your imagination.
> > 11) Something I can set up and it will *work* *work* *work*
> > 12) I'm sure there's more I'm forgetting but I'm suffering from NetScreen induced sleep deprivation and am tired of typing.
> > 13) <=$15K for pair of units
> >
> > Thanks for the input!
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
Jason Hamilton, System Administrator | 5700 SW 34th St. Suite 1235
Info Tech, Inc.                      | Gainesville, FL 32608
Jason.Hamilton () InfoTechFl com     | (352)381-4400