I'm working on a plan to replace a number of router/firewalls in our company's and customers' networks. We have 2 offices and a number of servers hosted in a datacentre that have IPSec VPN links to around 100 customer sites. In the main office we need a LAN and 2 DMZs, and in the datacentre 3 LANs and a DMZ.
Most customer sites have either Gnatbox or Zywall firewalls, but new sites could go out with a low-end version of the same firewall that is in the main office/datacentre.
I had planned to use a Zywall USG 200 for the main office but this proved to be incapable in testing. When fully configured it takes over 30 mins to boot!
I have a shortlist of:
Cisco ASA 5510
Watchguard XTM 520
Sonicwall NSA 3500
Juniper SRX240
Could anyone recommend any hardware or configurations?
Our company currently uses a Sonicwall NSA 4500. We switched to that from a Watchguard X1000 (a precursor to the XTM model you have picked out). To be perfectly honest, I'm not happy with the switch (and it was my call -- oops). The Sonicwall has a better (web) interface. It can make some fancy graphs and pie charts, and updates nicely in the browser. The Watchguard interface was definitely clunkier and was a thick client, but I find I prefer that.
The Watchguard also was a bit more explicit in what it was doing, and why. This made determining why packets were being dropped much easier. That being said, it might be a double-edged sword, as it could easily be harder to parse for less technical admins. I've had several issues of the Sonicwall silently dropping connections, and only noticed them when doing a packet capture through the appliance. Sonicwall support was then still unable to really determine what was going on, despite having drop codes from the appliance. (So, if anyone out there knows why my Sonicwall keeps randomly killing NetApp Snapmirror replication, please let me know!)
Back when we used Watchguard (~two years ago), their support was atrocious. It was outsourced to India, and resulted in having to jump a language barrier on every single call. Usually the person taking down the initial ticket info didn't catch the nuances in the problem. Their sales guy claimed this was changing, but we didn't stick around to find out. Sonicwall support staff are all English speakers. However, as mentioned above, they can't seem to help with some of the harder issues I've brought up. Wait times with both companies have been quite painful.
I can't claim experience with Juniper or Cisco equipment in this role. But both of those are very large companies, as are a good number of their clients. Both WatchGuard and Sonicwall aim for the small/medium business market. So that may or may not be worth considering, depending on your company size.
--Christopher Karel
I've worked with both ASAs and SRXes. There's a reasonable learning curve on both of these devices (a higher one on the ASA than on the SRX, though), and the SRX is quite a bit easier to manage, IMO. Both are pretty reliable, although the SRX has had issues in the recent past if you turned on its spiffier features (URL filtering and antivirus are the ones that bit me; the issues do seem to be solved in the latest firmware, though). I've never had to deal with Cisco support, but I've generally found JTAC to be reasonably good (although it's worth spelling out everything you know about a problem to them, as they will sometimes miss important details otherwise).
I have ordered a Juniper SRX210, as this will probably do for our main office and datacentre. If it goes well, then I hope to get another couple to do clustering. The SRX100 will do for customers and our secondary office.
Thanks to those who submitted answers.