We're looking to move away from PFSense and CARP to a pair of SonicWall NSA 2400[1] configured in Active/Passive for High Availability.
I've never dealt with SonicWall before, so is there anything I should know that their sales guy won't tell me?
I'm aware that they had an issue with a lot of their devices shutting down connectivity because of a licensing fault, and they have an overtly complex management GUI (on the older devices at least), but are there any other big "gotchas" that I need to be aware of before committing a not insubstantial amount of money towards these devices?
[1] If you're outside the US, the SonicWall global sites suck balls. Use the US site for all your product research, and then use your local site when you're after local information.
I've been very happy with HA on all the SonicWall models we've used. The closest match to your setup is a pair of NSA 4500s in our primary datacenter. Once set up, HA has been rock solid. The one item I'd note is to be sure to set up individual management IPs in the HA setup. It allows you to log in to the standby firewall without affecting the primary (staging firmware updates, for example).
In addition to what has already been mentioned, might I add a little something about their IPS and content filtering.
I don't know what you have planned for the SonicWalls, but our gateway router into our building is an NSA 3500. We're a company of about 85 users. We have licenses for the Content Filtering System, Intrusion Prevention, and the Application Flow Monitor, which are all superb. I can check how much of our bandwidth is going to Pandora or YouTube, and I can see what files are leaving the building. If I pull up the logs and I see that a user is using BitTorrent, I can kill the session and block future BitTorrent traffic in two clicks. For bandwidth management and security, it's great.
We also have SonicWalls in our remote shipping office and at our colocation where our production servers reside. We have VPN tunnels (site-to-site) between the three sites and it's ridiculously easy to configure. At our colocation is where we have two NSA 3500s in an HA pair. We did a few failover tests when we first set them up and we haven't had to worry about the pair since. We're also looking into licensing the HA pair with Intrusion Prevention, which will detect brute force attacks, SQL injection attempts, etc., with what they call their "deep packet inspection" engine.
I've been more than satisfied with our SonicWalls.
Some things to look out for, however, are the licensing costs. Sometimes it feels like they're taking every penny you have each time you add a feature. I believe the only licensing you have to worry about with HA is if you want it to be a stateful failover. If this is licensed, any connections to your primary SonicWall will be there and ready on the backup in the event of a failover, and any existing connections won't be interrupted. I think that's it though.
A major gotcha with SonicWalls is currently IPv6 support. There is exactly one semi-supported release of SonicOS (5.5.6) that has any IPv6 features available at all. All later releases (5.8.x is current) have no IPv6 support whatsoever. Downgrades are not supported without rebuilding all of your configuration. This level of IPv6 support is ridiculous at this late date, and you shouldn't buy anything new from SonicWall until they have IPv6 support in a generally supported release with reasonable feature parity.
We're pretty happy with our NSA 4500 and NSA 2400 pairs otherwise; HA works as advertised, as does the load balancing from multiple ISPs. The CLI functionality stinks, but the SonicOS Enhanced web GUI is better than just about any other firewall I've encountered. Configuration files are binary blobs, so you cannot edit them with anything besides the GUI. Just use good version control, and export your configuration blobs to SVN, Git, or whatever after every change.
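As an added example (not from the answer above, and not a SonicWall tool), here is a small Python helper for the "version-control the exported blobs" advice. Since the export is opaque, the useful thing to track is its hash: skip recording an unchanged export, and flag drift when the live export no longer matches the last recorded known-good version. The blob below is a constructed stand-in for a real settings export.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample standing in for an exported SonicOS settings file.
# Real exports are opaque binary; only their digest matters here.
SAMPLE_EXPORT = b"\x00SONICBLOB\x01" + bytes(range(64))


def blob_digest(blob: bytes) -> str:
    """SHA-256 of the exported settings file, used as its version identity."""
    return hashlib.sha256(blob).hexdigest()


def record_export(blob: bytes, manifest: list, note: str = "") -> dict:
    """Append this export to the manifest unless it matches the latest entry.

    The manifest is a plain list of dicts so it can be written out as JSON
    next to the blobs (stored under their digest) in the repository.
    Returns the entry for this export plus a 'new' flag saying whether
    anything actually changed since the last recorded version.
    """
    digest = blob_digest(blob)
    if manifest and manifest[-1]["sha256"] == digest:
        # Identical to the last recorded export: nothing to commit.
        return {"new": False, **manifest[-1]}
    entry = {
        "sha256": digest,
        "taken_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    manifest.append(entry)
    return {"new": True, **entry}


def detect_drift(current_blob: bytes, manifest: list) -> bool:
    """True if a fresh export differs from the last recorded (known-good) one.

    Run this against a scheduled export to catch configuration changes that
    were made in the GUI but never checked in.
    """
    return not manifest or manifest[-1]["sha256"] != blob_digest(current_blob)


if __name__ == "__main__":
    history = []
    print(record_export(SAMPLE_EXPORT, history, "baseline after HA setup"))
    print("drift:", detect_drift(SAMPLE_EXPORT + b"\xff", history))
```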
I've had VoIP issues with an NSA 4500 - lots of out-of-sequence packets. Their version of QoS (called Bandwidth Management) was implemented for the SIP traffic, but even a support call got nowhere. I finally just put our SIP vendor's box outside of the 4500 and the problem vanished. A quick Google search will show that it's a pretty common problem. If you're going to run VoIP through it, you may want to look for a different solution.