RE: sub $500-750 CPE firewall for voip-centric application

[Nick Ellermann <nellermann () broadaspect com>]

We have a lot of luck for smaller VOIP customers having all of their services run through a FortiGate 60D, or higher 
models. 60D is our go to solution for small enterprise. However, if we are the network carrier for a particular 
customer and they have a voip deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, 
which is more about voice support and handset management than anything.  You do need to disable a couple of things on 
the FortiGate such as SIP Session Helper and ALG.  We never have voice termination, origination or call quality issues 
because of the firewall. 
FortiGate has a lot of advanced features as well as fine tuning and adjustment capabilities for the network engineering 
type and is still easy enough for our entry level techs to support. Most of our customers have heavy VPN requirements 
and FortiGates have great IPsec performance.  We leverage a lot of the network security features and have built a 
successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and 
Fortinet's FortiAnaylzer platform. 

Worth looking at, if you haven't already. If you want to private message me, happy to give more info. 


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
 
E: nellermann () broadaspect com 
P: 703-297-4639
F: 703-996-4443
 
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the 
intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments 
from all computers.


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Ken Chase
Sent: Thursday, May 05, 2016 1:54 PM
To: nanog () nanog org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of 
dealing with a mess of different vendors at cust premises.

I've run into a few firewalls that were not sip or 323 friendly however, wondering what your experiences are. Need 
something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current 
gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding (not available until later ASA versions for 
eg was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and VPN 
capabilities (not sure if many do without #seats licensing schemes which get irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a PFsense unit would be great, but might not have enough brand name recognition to make the 
master client happy plopping down as a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a 
bit $$ and licensing acrobatics get irritating for end customers.)

/kc
--
Ken Chase - Guelph Canada