[189114] in North American Network Operators' Group
Re: sub $500-750 CPE firewall for voip-centric application
daemon@ATHENA.MIT.EDU (Mel Beckman)
Thu May 5 14:48:51 2016
X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: Nick Ellermann <nellermann@broadaspect.com>
Date: Thu, 5 May 2016 18:48:40 +0000
In-Reply-To: <dddc75a9056942f5b18cac3f9bf1ec60@exchange.broadaspect.local>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto firewalls. The best SMB devices are definitely SonicWall and Fortigate. SonicWalls are easier to configure, but have fewer features. Fortigate has many knobs and dials and a very powerful virtual router facility that can do amazing things. The two vendors have equivalent support in my opinion, although Fortigate tends to be more personal (Dell is big and you get random techs).

Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but mostly I think because they're Cisco-only. PaloAlto is expensive for what you get. Functionally they are on the same level as Fortigate, with a slightly more elegant GUI. But Fortigate can be configured via a USB cable, which is a huge advantage in the field. Legacy RS-232 serial ports are error-prone and slow.
-mel
> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellermann@broadaspect.com> wrote:
>
> We have a lot of luck for smaller VOIP customers having all of their services run through a FortiGate 60D, or higher models. 60D is our go-to solution for small enterprise. However, if we are the network carrier for a particular customer and they have a voip deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, which is more about voice support and handset management than anything. You do need to disable a couple of things on the FortiGate such as SIP Session Helper and ALG. We never have voice termination, origination or call quality issues because of the firewall.
>
> FortiGate has a lot of advanced features as well as fine tuning and adjustment capabilities for the network engineering type and is still easy enough for our entry level techs to support. Most of our customers have heavy VPN requirements and FortiGates have great IPsec performance. We leverage a lot of the network security features and have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and Fortinet's FortiAnalyzer platform.
>
> Worth looking at, if you haven't already. If you want to private message me, happy to give more info.
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services
> BroadAspect
>
> E: nellermann@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog@nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
>
> Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of dealing with a mess of different vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however, wondering what your experiences are. Need something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding (not available until later ASA versions for eg was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and VPN capabilities (not sure if many do without #seats licensing schemes which get irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell preferred) - I realize a PFsense unit would be great, but might not have enough brand name recognition to make the master client happy plopping down as a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get irritating for end customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada