Corporate firewalls


What corporate firewall do you have at your enterprise edge?

  • Cisco ASAs

  • Sonicwall

  • Barracuda

  • Checkpoint

  • Fortinet

  • Other

  • Combination of the above


Demo24

Diamond Member
Aug 5, 2004
Yeah, I saw the Cisco ASA-X stuff, and while it's a massive step in the right direction it still seems like it's behind CP, PA, and Fortinet. Once this gets rolling more I'm sure I'll add the ASA-X stuff in, and in the meantime I'll take a look at WatchGuard.

In the time when I was sifting through all this, I heard nearly all bad things about Watchguard. The UI seemed OK though, from a product demo I used on the web.
 

AFurryReptile

Golden Member
Nov 5, 2006
I use exclusively Sonicwalls for a company of about 300 employees across ~8 states. They're pretty easy to configure, obviously the price is right, and the higher-end models (NSA devices, in my case) have been very stable. The lower-end models have given me trouble with the management interface becoming unstable (requiring a reboot) and the support leaves much to be desired. I think the SSLVPN is among the best I've used though. The interface is pretty consistent across all devices, and hasn't changed too greatly in a long time, so you'll find that most documentation is still relevant no matter what firmwares you're running. Probably one of the best features is the ability to restore configuration settings across a range of devices: I recently upgraded our main firewall, and was able to do it in 15 minutes flat simply by restoring the configuration from the old device.

I only have limited experience with Cisco devices, and only the older models, but I've always hated the interface and the fact that all of the "lingo" is non-standard. Very confusing to the not-certified.

Watchguards are marketed as high-end devices, but when I worked with them, they were nothing but trouble. Constantly crashing, support is a nightmare to work with, and they're a pain in the ass to configure in any complex manner.

I've only used the Barracuda SSLVPN, Spam Firewall, and backup units, but I've always liked the interface. Support is generally very good, after you get past tier 1 tech support.

I've worked (fleetingly) with a lot of other devices, but nothing to impress me too much. I've read very good things about Untangle, but I've never used it.

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
I use exclusively Sonicwalls for a company of about 300 employees across ~8 states. They're pretty easy to configure, obviously the price is right, and the higher-end models (NSA devices, in my case) have been very stable. The lower-end models have given me trouble with the management interface becoming unstable (requiring a reboot) and the support leaves much to be desired. I think the SSLVPN is among the best I've used though. The interface is pretty consistent across all devices, and hasn't changed too greatly in a long time, so you'll find that most documentation is still relevant no matter what firmwares you're running. Probably one of the best features is the ability to restore configuration settings across a range of devices: I recently upgraded our main firewall, and was able to do it in 15 minutes flat simply by restoring the configuration from the old device.

That's pretty much been my experience with Sonicwall. They are pretty good, especially for the money, with some troubles here & there. Despite the occasional issues, I would still take them over a lot of other systems strictly for ease-of-use.

My preference is pfSense as a firewall with Bitdefender Cloud for Endpoint (web-based dashboard), then go from there, but it is convenient having the Sonicwalls in place for the majority of the networking stuff. pfSense is powerful but limited in some ways, so when you get other firewall devices that bundle additional features (like the web filter on the Sonicwall & VPN) it makes it harder to justify having something entirely separate when you can just do it all on one box.

I feel like Cisco hasn't really kept up with the times. Not that they're bad, but it's so easy to pop onto a Sonicwall for quick stuff and be done. I prefer working at smaller >500 user businesses because I get a lot more control over the network, and having something that both works and is "approachable" like the Sonicwall is really great.
 

Comblues

Member
May 22, 2013
I check for the Cisco Logo...

Besides, ASAs pay extremely well...

Joking sort of. But standardization versus best of breed is my mantra for better or worse.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
I check for the Cisco Logo...

Besides, ASAs pay extremely well...

Joking sort of. But standardization versus best of breed is my mantra for better or worse.

All of the Cisco guys I know are ridiculously well-paid.

But you couldn't pay me enough to do that full-time for a job, I'd go bald in a week :awe:
 

Comblues

Member
May 22, 2013
All of the Cisco guys I know are ridiculously well-paid.

But you couldn't pay me enough to do that full-time for a job, I'd go bald in a week :awe:

I did just - went bald.

I'm using minoxidil now...

But are you saying if I switch to Juniper I'll get my back?

:)

Cisco does pay well.

One of my students/mentorees is a CCNA Voice and is billed out at $175.00 per hour or $350,000.00 per year annualized.

Can't argue that Cisco pays well.

Comblues
 

Hugo Drax

Diamond Member
Nov 20, 2011
I am swapping out my Cisco 5506-X "corporate firewall" with a Fortigate 60E. The two products are night and day in features and bang for the buck. Cisco needs to wake up.
 

Genx87

Lifer
Apr 8, 2002
Yeah, but he's not saying that without cause. Their stuff is extremely reliable in general.

This is a funny resurrection thread. Since 2013 I have changed positions and now have ASAs in our network. The most unreliable devices in the network are the ASAs in two distinct sites. And it isn't even close. Such junk that costs so much more than the rest. Good thing is we are moving to SD-WAN. And our centralized FW will not be Cisco. I am thinking Palo Alto. But we will see.

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
This is a funny resurrection thread. Since 2013 I have changed positions and now have ASAs in our network. The most unreliable devices in the network are the ASAs in two distinct sites. And it isn't even close. Such junk that costs so much more than the rest. Good thing is we are moving to SD-WAN. And our centralized FW will not be Cisco. I am thinking Palo Alto. But we will see.

Hah, a 2013 thread! Five years old now :D

Yeah, I've found myself using Cisco less & less. I'm getting away from a lot of the standard companies, actually. For example, I love love love Ubiquiti for wireless (despite their short warranty & poor technical support system); their wireless backhaul stuff is amazing too. I've become a big fan of Malwarebytes for endpoint protection, especially now that they do anti-virus as well, and have a cloud console available, plus have cryptolocker protection built-in. Lots of cool stuff out there these days...gotta be careful you don't go the IBM route & get so big that you can't keep up!

PliotronX

Diamond Member
Oct 17, 1999
I have to say I dislike ASAs the more I use them. The small differences in the CLI from IOS are an annoyance, but the ASDM is utter garbage and they don't do DMVPN, so we end up with a 290x at sites anyway. We have been trying to implement ISE for 802.1X-authenticated DACLs and that has been a nightmare. Typical dealings with support have been getting an email at 7pm asking how things are going, meanwhile cases go on for weeks with them, some resulting in hotfixes. The Sophos XG is the opposite: the CLI makes no sense, but the web GUI is laid out logically and does not require a JRE. No licensing to worry about for VPN clients (as it uses OpenVPN, for better or worse). I have a love-hate relationship with Sonicwall: the licensing is bad but not as bad as Cisco, the GUI is laborious, but the few times I dove into the CLI it made more sense than IOS, and you can do anything the web GUI can, which is just awesome. What I have trouble accepting with Sonicwalls is the subpar performance of the SOHO unit once you enable the good stuff (the whole point of retrofitting a plain router). The XG 85 is such a better deal, and every XG model equivalent to a Sonicwall's price point performs better. I had inherited a Watchguard from a client and really do not care for it or its exorbitant licensing.

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
I have to say I dislike ASAs the more I use them. The small differences in the CLI from IOS are an annoyance, but the ASDM is utter garbage and they don't do DMVPN, so we end up with a 290x at sites anyway. We have been trying to implement ISE for 802.1X-authenticated DACLs and that has been a nightmare. Typical dealings with support have been getting an email at 7pm asking how things are going, meanwhile cases go on for weeks with them, some resulting in hotfixes. The Sophos XG is the opposite: the CLI makes no sense, but the web GUI is laid out logically and does not require a JRE. No licensing to worry about for VPN clients (as it uses OpenVPN, for better or worse). I have a love-hate relationship with Sonicwall: the licensing is bad but not as bad as Cisco, the GUI is laborious, but the few times I dove into the CLI it made more sense than IOS, and you can do anything the web GUI can, which is just awesome. What I have trouble accepting with Sonicwalls is the subpar performance of the SOHO unit once you enable the good stuff (the whole point of retrofitting a plain router). The XG 85 is such a better deal, and every XG model equivalent to a Sonicwall's price point performs better. I had inherited a Watchguard from a client and really do not care for it or its exorbitant licensing.

Yeah, and there are so many ways to go these days, especially depending on your specific setup situation. Like, I really like pfSense for big corporate firewalls, and then figure out the rest from there - throw Plixer on for visual NetFlow monitoring, Malwarebytes for endpoint protection, still a fan of Norton's email filtering because of how their global network is set up, etc.
 

Genx87

Lifer
Apr 8, 2002
I have to say I dislike ASAs the more I use them. The small differences in the CLI from IOS are an annoyance, but the ASDM is utter garbage and they don't do DMVPN, so we end up with a 290x at sites anyway. We have been trying to implement ISE for 802.1X-authenticated DACLs and that has been a nightmare. Typical dealings with support have been getting an email at 7pm asking how things are going, meanwhile cases go on for weeks with them, some resulting in hotfixes. The Sophos XG is the opposite: the CLI makes no sense, but the web GUI is laid out logically and does not require a JRE. No licensing to worry about for VPN clients (as it uses OpenVPN, for better or worse). I have a love-hate relationship with Sonicwall: the licensing is bad but not as bad as Cisco, the GUI is laborious, but the few times I dove into the CLI it made more sense than IOS, and you can do anything the web GUI can, which is just awesome. What I have trouble accepting with Sonicwalls is the subpar performance of the SOHO unit once you enable the good stuff (the whole point of retrofitting a plain router). The XG 85 is such a better deal, and every XG model equivalent to a Sonicwall's price point performs better. I had inherited a Watchguard from a client and really do not care for it or its exorbitant licensing.

We had TAC on the phone last week. Some bug caused the primary of an HA pair to have issues. It didn't fail over automatically like every other manufacturer out there. It required a manual failover. Then, to reboot the troubled pair, this is what TAC told us:

1. Reboot via pulling the power plugs. Apparently this bug meant the troubled device would not reboot via the CLI.
2. Make sure it is the right device. If it is not, this will corrupt the failover device as well.
3. Good luck

So much confidence in this platform after that interaction.
 

thecoolnessrune

Diamond Member
Jun 8, 2005
We had TAC on the phone last week. Some bug caused the primary of an HA pair to have issues. It didn't fail over automatically like every other manufacturer out there. It required a manual failover. Then, to reboot the troubled pair, this is what TAC told us:

1. Reboot via pulling the power plugs. Apparently this bug meant the troubled device would not reboot via the CLI.
2. Make sure it is the right device. If it is not, this will corrupt the failover device as well.
3. Good luck

So much confidence in this platform after that interaction.

I mean, obviously automatic failover is a capability of the platform, but a bug prevented that from functioning correctly. That sort of thing exists in a ton of enterprise products. I couldn't keep track of how many times an ESXi Host went dead in a way that all I/O stopped, but it was just alive enough to keep vSphere from activating HA and booting the VMs on other hosts.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
I couldn't keep track of how many times an ESXi Host went dead in a way that all I/O stopped, but it was just alive enough to keep vSphere from activating HA and booting the VMs on other hosts.

XavierMace

Diamond Member
Apr 20, 2013
I mean, obviously automatic failover is a capability of the platform, but a bug prevented that from functioning correctly. That sort of thing exists in a ton of enterprise products. I couldn't keep track of how many times an ESXi Host went dead in a way that all I/O stopped, but it was just alive enough to keep vSphere from activating HA and booting the VMs on other hosts.

That's not exactly a fair comparison though, as Cisco controls all aspects of the product. ESXi runs on 3rd-party hardware. With that in mind, our dozen ASA-Xs have issues far more frequently than our 3,000 hosts. We've experienced multiple different failover-related bugs, both of the ASA itself and the IPS modules. We've had two different ones lose all the IPs in ACLs in multiple contexts.

That would be slightly less annoying if network people didn't immediately respond with "it's not the network" when you tell them there's a problem.
 

Hugo Drax

Diamond Member
Nov 20, 2011
Found an old Fortigate with the black face, LOL, probably 5 years old.

thecoolnessrune

Diamond Member
Jun 8, 2005
That's not exactly a fair comparison though, as Cisco controls all aspects of the product. ESXi runs on 3rd-party hardware. With that in mind, our dozen ASA-Xs have issues far more frequently than our 3,000 hosts. We've experienced multiple different failover-related bugs, both of the ASA itself and the IPS modules. We've had two different ones lose all the IPs in ACLs in multiple contexts.

That would be slightly less annoying if network people didn't immediately respond with "it's not the network" when you tell them there's a problem.

You can substitute ESXi for Nutanix (they have their own hardware), or even go back to the same hardware group and talk Palo Alto. We just had one of a pair of 3260s fail during an upgrade. Palo Alto support couldn't figure out what was wrong, and had us completely blow away the config and restore it to get it running again. My point is, that's not default behavior. That's a bug, and bugs cause weird things to happen. Saying things like "It didn't fail over automatically like every other manufacturer out there." is hardly appropriate, because it makes it sound like no other firewall vendor has that problem, which isn't the case at all. You're just lucky you ain't found another problem yet.

Why is Cisco not investing in improving the Firepower technology by adding network and content processors like Fortigate? It seems like they are happy just slapping FW software on a general-purpose CPU and then slapping Snort on top of the same CPU.

Even the small Fortigate 60E has dedicated silicon for network and content processing. Cisco needs to slow down on stock buybacks and start investing in R&D.

That would actually be a reversal of Cisco's previous reversal. They're becoming more software defined to keep up and be "Cloud Ready" like all the upstarts and other vendors are doing. Look how much Cisco's stock quaked at just the muttering that Amazon might be making more network gear. Cisco has said repeatedly that hardware is losing business and that software defined is the future.

It's simply a different methodology. A Fortigate 60E uses a comparatively ancient ARMv7 CPU to match with its dedicated processing hardware. That's not unlike what Cisco used to do with the Firewall Services Module, which combined dedicated packet processing hardware with a pair of 1 GHz Pentium 3 CPUs for everything else. As long as the throughput numbers match, I personally wouldn't care about what they used to get there, but x86 is certainly more cloud-ready than dedicated hardware for now.
 

Hugo Drax

Diamond Member
Nov 20, 2011
You can substitute ESXi for Nutanix (they have their own hardware), or even go back to the same hardware group and talk Palo Alto. We just had one of a pair of 3260s fail during an upgrade. Palo Alto support couldn't figure out what was wrong, and had us completely blow away the config and restore it to get it running again. My point is, that's not default behavior. That's a bug, and bugs cause weird things to happen. Saying things like "It didn't fail over automatically like every other manufacturer out there." is hardly appropriate, because it makes it sound like no other firewall vendor has that problem, which isn't the case at all. You're just lucky you ain't found another problem yet.

That would actually be a reversal of Cisco's previous reversal. They're becoming more software defined to keep up and be "Cloud Ready" like all the upstarts and other vendors are doing. Look how much Cisco's stock quaked at just the muttering that Amazon might be making more network gear. Cisco has said repeatedly that hardware is losing business and that software defined is the future.

It's simply a different methodology. A Fortigate 60E uses a comparatively ancient ARMv7 CPU to match with its dedicated processing hardware. That's not unlike what Cisco used to do with the Firewall Services Module, which combined dedicated packet processing hardware with a pair of 1 GHz Pentium 3 CPUs for everything else. As long as the throughput numbers match, I personally wouldn't care about what they used to get there, but x86 is certainly more cloud-ready than dedicated hardware for now.


The problem is a general-purpose CPU is not great at everything. Things like pattern matching are better done via an ASIC that can churn through the data quickly, no different than a GPU for dumb math done in parallel many times.

Have you used a Fortigate? It does a lot more than the 5506-X, and the UI is so much nicer compared to the ancient ASDM. Until recently the firewall and the IPS were two different instances, and you even had to plug in an additional management connection (3 in total: in/out/mgmt) just to be able to configure the Firepower instance. Then after that you had no way to view the events etc., since there was no management console to see them. The performance numbers are impressive on the 60E compared to a 5506-X, thanks to the purpose-built SOC3.

Also for SMB it is quite elegant to have a Fortigate, with the switches and APs managed by one box acting as wifi controller etc. Pretty slick; Cisco is falling behind. It's so cool to see all this from one screen and be able to modify policy, see events, etc.

Cisco needs to step up its game.

This thread at the Cisco support forums says it all. Pretty sad. Cisco needs to really fix things.

https://supportforums.cisco.com/t5/...re-half-baked-implementation-url/td-p/2981850

thecoolnessrune

Diamond Member
Jun 8, 2005
The problem is a general-purpose CPU is not great at everything. Things like pattern matching are better done via an ASIC that can churn through the data quickly, no different than a GPU for dumb math done in parallel many times.

Have you used a Fortigate? It does a lot more than the 5506-X, and the UI is so much nicer compared to the ancient ASDM. Until recently the firewall and the IPS were two different instances, and you even had to plug in an additional management connection (3 in total: in/out/mgmt) just to be able to configure the Firepower instance. Then after that you had no way to view the events etc., since there was no management console to see them. The performance numbers are impressive on the 60E compared to a 5506-X, thanks to the purpose-built SOC3.

Also for SMB it is quite elegant to have a Fortigate, with the switches and APs managed by one box acting as wifi controller etc. Pretty slick; Cisco is falling behind. It's so cool to see all this from one screen and be able to modify policy, see events, etc.

Cisco needs to step up its game.

This thread at the Cisco support forums says it all. Pretty sad. Cisco needs to really fix things.

https://supportforums.cisco.com/t5/...re-half-baked-implementation-url/td-p/2981850

I've definitely used Fortigates. Any platinum partner can get hold of them for labs very easily. You mention the 60E and then compare how you needed to connect 3 interfaces in the old days to configure Firepower, but you don't mention that the predecessor, the 60D, had much less throughput than the 60E (only 30 Mbps of SSL VPN throughput). You also didn't note that the 60E has no internal storage: you can't cache, log, or do packet captures on it.

I 100% agree the UI is better than ASDM. Ironically, I haven't looked at it much this month because our 60E in our lab got upgraded to 6.0.0.1, where it's now crashing every couple of hours. Support, unfortunately, hasn't nailed down that issue, but according to Reddit we weren't the only ones seeing that problem after the upgrade.

As far as using x86 vs. SoC, again, it's a different approach. I personally don't understand the die-hard approach to one or the other (or any company loyalty, for that matter). An ASIC can indeed churn through data quickly. It works well until standards change, and then it doesn't. General CPU + upgradeable FPGAs for specific functions is the direction that Cisco, Juniper, F5, and others are headed. This seems to be the ideal combination of scalable power and cloud-ready architecture that will win on the high end, but on the low end there are tons of ways to get the same job done, as for SMB it doesn't take nearly as much serious hardware as it used to to push packets.

I think of the two, the Fortigate 60E is the clear winner vs. the 5506-X. I think they've both got a lot to learn from something like the Watchguard T35 when it comes to UTM/$, even if the UI still leaves something to be desired.