Anyone use Sonicwall products here?

JackBurton

I'm looking at checking out the Sonicwall PRO 2040 to set up a site-to-site VPN and remote VPN access for a few users (let's say 10-25). How does it compare to something like a PIX 506e?
 

jlazzaro

Talking numbers, the 2040 will outperform the 506e both in interfaces, number of users, and throughput. Being a Cisco guy, I think the PIX would be easier to configure... I've heard mixed feelings about Sonicwall (lots of clicking back and forth, cmd line not as robust).

If you're comfortable working with the 2040 and can find it for around the same price as the 506e, I say go for it. It's feature-rich and should do everything you need it to.
 

cmetz

JackBurton, the PIX series is pretty dead and isn't a valid comparison; compare against the ISR series or the ASA series.

I found that the SonicWalls were decent enough at what they did, but last I used them, they still lacked a CLI and a text config file. Which makes them toys in my opinion.
 

JackBurton

Originally posted by: cmetz
JackBurton, the PIX series is pretty dead and isn't a valid comparison; compare against the ISR series or the ASA series.

I found that the SonicWalls were decent enough at what they did, but last I used them, they still lacked a CLI and a text config file. Which makes them toys in my opinion.

Thanks cmetz! I'm going to take a look at the ISR 1800 series.
 

smashp

sonic wall Blah

Hate them. We have been replacing old Sonicwalls left and right with ISR routers, and for simple SMB clients we have been putting in M0n0walls on WRAP devices.
 

Sunner

Just to share some indirect experience with the ASAs in case you decide to check those out.
At my old job, we replaced a couple of CheckPoint boxes with ASAs, mostly because of CP's utterly retarded licensing.
Had lots and lots of problems with them, our network guys seemed to be filing a new bug report every other day, and the IPS part of them seemed woefully underpowered, pretty much choking at 40-50 Mbit throughput despite the ASAs having GigE interfaces.
Also, the firewall logs were really icky, at least for someone coming from CheckPoint, eventually we caved in and bought one of their MARS boxes to complement the ASAs, but that one didn't really impress us too much either.

Since I quit I don't know the exact status of them any more, but last I heard, at least they were improving with a steady stream of firmware updates.
Of course, the network guy that did most of the work has also quit by now, so my updates are a few months old, maybe the kinks are worked out by now :)
Those were 5520s by the way.
 

cmetz

Sunner, my understanding is that the ASA is the next generation of the PIX with PIX-derived software. Cisco denies this. So my understanding is unconfirmed rumor and such.

Cisco products are usually underpowered and underperforming, it just goes with the territory. Folks with a lot of Cisco experience over-engineer their networks to compensate.

I have been extremely unhappy with Cisco's software QA in the past couple of years. Something's going on over there and it's not something good. Cisco, new product, buggy - I hear this all the time. The ISRs are still buggy and I still have major software regression problems.

In my personal opinion, CheckPoint has always sucked. I don't know why they have such a good rep. They're expensive, underperforming, they have some silly products (um, yeah, I want to run my firewall on *Windows*), and they've had security problems.

The firewall space is still not really as mature as it should be - there are plenty of bad products to choose from. You have to make your trade-offs and pick your poison.
 

Sunner

Originally posted by: cmetz
Sunner, my understanding is that the ASA is the next generation of the PIX with PIX-derived software. Cisco denies this. So my understanding is unconfirmed rumor and such.

Cisco products are usually underpowered and underperforming, it just goes with the territory. Folks with a lot of Cisco experience over-engineer their networks to compensate.

I have been extremely unhappy with Cisco's software QA in the past couple of years. Something's going on over there and it's not something good. Cisco, new product, buggy - I hear this all the time. The ISRs are still buggy and I still have major software regression problems.

In my personal opinion, CheckPoint has always sucked. I don't know why they have such a good rep. They're expensive, underperforming, they have some silly products (um, yeah, I want to run my firewall on *Windows*), and they've had security problems.

The firewall space is still not really as mature as it should be - there are plenty of bad products to choose from. You have to make your trade-offs and pick your poison.

Well, CheckPoint was the first "proper" firewall I ever got training on, so maybe I'm biased :)
What I like about it is that the policy editor itself is generally excellent, at least if you have huge rule bases (yeah, that's not good, but sometimes unavoidable), and their log viewer is very very nice for some things.
I can't say I've had any major performance headaches with them either.
They certainly have plenty of downsides though, licensing being the most annoying in my mind, I think it'd be far easier to get a solid understanding of their entire range of firewall products than getting a grasp of their licensing.

As for the ASAs, since I was more of a bystander there, occasionally helping out with some minor stuff, I don't really have any detailed info about it.
From what I've gathered though, it's kind of a mish mash of different products.
They certainly have some PIX like things in there, probably running on some old piece of junk 68040 or something.
Then the IPS part, that's running some OS of its own, probably some Linux or BSD derived thingy, and I believe I heard our network guy talking about some PowerPC processor running that.
Oh and the policy editor sucked to begin with, Cisco gradually kept improving it to the point where our network guy (who was a Cisco guy after all, not a Check Point guy like I was) at least wouldn't start screaming after a few minutes of using it.
They seemed to have lots of problems with OSPF and VPN connectivity as well, one new firmware would fix something and break something else.

Then we have the lovely MARS that's more or less a must have to make sense of the logging from the ASAs (at least it was when we bought them)...
It was made by Protego that Cisco bought, it's a PC in a 1u rack case, it even has the usual PS2/VGA/etc ports, PC99 color coded and all, if you hook up a monitor to it, you'll see it's a Supermicro motherboard, booting some custom Linux distro.
It runs and stores its logs on two RAID-0'd IDE hard drives (bigger models have more drives, unsure if any model includes mirroring), which is less than comforting, so you'd have to keep a separate log server around for any kind of reliable storage.
The rack kit sucks ass, and the case isn't exactly exceptional either, Cisco didn't even bother to remove the Protego stickers on it.
Considering its price, it's rather underwhelming.

Myeah, sorry about the rant, I guess maybe they're better these days, they were brand new when we got them, so I guess maybe our problems were typical v1.0 problems :)