[189115] in North American Network Operators' Group


RE: sub $500-750 CPE firewall for voip-centric application

daemon@ATHENA.MIT.EDU (Nick Ellermann)
Thu May 5 14:52:04 2016

X-Original-To: nanog@nanog.org
From: Nick Ellermann <nellermann@broadaspect.com>
To: Mel Beckman <mel@beckman.org>
Date: Thu, 5 May 2016 18:51:08 +0000
In-Reply-To: <2ED2394E-4C15-4F65-BA4F-97EEF8C60B09@beckman.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

You're exactly right, Mel. Dell has really turned the Sonicwall platform around in the past few years. We dropped it a year or two before Dell took them over. Back then Sonicwall was full of issues and lacked important features that our enterprise customers required. If you have budget, Palo Alto is something to look at as well, but don't overlook Sonicwall and FortiGate.


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect

E: nellermann@broadaspect.com
P: 703-297-4639
F: 703-996-4443

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


-----Original Message-----
From: Mel Beckman [mailto:mel@beckman.org]
Sent: Thursday, May 05, 2016 2:49 PM
To: Nick Ellermann <nellermann@broadaspect.com>
Cc: Ken Chase <math@sizone.org>; nanog@nanog.org
Subject: Re: sub $500-750 CPE firewall for voip-centric application

I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto firewalls. The best SMB devices are definitely SonicWall and Fortigate. SonicWalls are easier to configure, but have fewer features. Fortigate has many knobs and dials and a very powerful virtual router facility that can do amazing things. The two vendors have equivalent support in my opinion, although Fortigate tends to be more personal (Dell is big and you get random techs).

Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but mostly I think because they're Cisco-only. PaloAlto is expensive for what you get. Functionally they are on the same level as Fortigate, with a slightly more elegant GUI. But Fortigate can be configured via a USB cable, which is a huge advantage in the field. Legacy RS-232 serial ports are error-prone and slow.

 -mel

> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellermann@broadaspect.com> wrote:
>
> We have a lot of luck for smaller VOIP customers having all of their services run through a FortiGate 60D, or higher models. 60D is our go to solution for small enterprise. However, if we are the network carrier for a particular customer and they have a voip deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, which is more about voice support and handset management than anything. You do need to disable a couple of things on the FortiGate such as SIP Session Helper and ALG. We never have voice termination, origination or call quality issues because of the firewall.
> FortiGate has a lot of advanced features as well as fine tuning and adjustment capabilities for the network engineering type and is still easy enough for our entry level techs to support. Most of our customers have heavy VPN requirements and FortiGates have great IPsec performance. We leverage a lot of the network security features and have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and Fortinet's FortiAnalyzer platform.
>
> Worth looking at, if you haven't already. If you want to private message me, happy to give more info.
>
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellermann@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
>
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog@nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
>
> Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of dealing with a mess of different vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however, wondering what your experiences are. Need something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding (not available until later ASA versions for eg was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and VPN capabilities (not sure if many do without #seats licensing schemes which get irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell preferred) - I realize a PFsense unit would be great, but might not have enough brand name recognition to make the master client happy plopping down as a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get irritating for end customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada

