[189113] in North American Network Operators' Group


RE: sub $500-750 CPE firewall for voip-centric application

daemon@ATHENA.MIT.EDU (Nick Ellermann)
Thu May 5 14:39:37 2016

X-Original-To: nanog@nanog.org
From: Nick Ellermann <nellermann@broadaspect.com>
To: Ken Chase <math@sizone.org>, "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 5 May 2016 18:39:30 +0000
In-Reply-To: <20160505175348.GU19521@sizone.org>
Errors-To: nanog-bounces@nanog.org

We have a lot of luck for smaller VOIP customers having all of their services run through a FortiGate 60D, or higher models. 60D is our go-to solution for small enterprise. However, if we are the network carrier for a particular customer and they have a voip deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, which is more about voice support and handset management than anything. You do need to disable a couple of things on the FortiGate such as SIP Session Helper and ALG. We never have voice termination, origination or call quality issues because of the firewall.
FortiGate has a lot of advanced features as well as fine tuning and adjustment capabilities for the network engineering type and is still easy enough for our entry level techs to support. Most of our customers have heavy VPN requirements and FortiGates have great IPsec performance. We leverage a lot of the network security features and have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and Fortinet's FortiAnalyzer platform.

Worth looking at, if you haven't already. If you want to private message me, happy to give more info.


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
E: nellermann@broadaspect.com
P: 703-297-4639
F: 703-996-4443

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ken Chase
Sent: Thursday, May 05, 2016 1:54 PM
To: nanog@nanog.org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of dealing with a mess of different vendors at cust premises.

I've run into a few firewalls that were not sip or 323 friendly however, wondering what your experiences are. Need something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding (not available until later ASA versions for eg was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and VPN capabilities (not sure if many do without #seats licensing schemes which get irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell preferred) - I realize a PFsense unit would be great, but might not have enough brand name recognition to make the master client happy plopping down as a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get irritating for end customers.)

/kc
--
Ken Chase - Guelph Canada
