[189117] in North American Network Operators' Group
Re: sub $500-750 CPE firewall for voip-centric application
daemon@ATHENA.MIT.EDU (Mel Beckman)
Thu May 5 15:29:06 2016
X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: "mlfreita@mtu.edu" <mlfreita@mtu.edu>
Date: Thu, 5 May 2016 19:29:00 +0000
In-Reply-To: <4d83fa8037902325570f3f0498a52df0@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I should mention that both SonicWall and Fortigate have superb packet capture engines. Not only can you do capture view and first-level decode right in the web GUI, you can save captures in PCAP format or pipe the capture stream to an available Ethernet port. Both have extensive filtering for both capture and viewing within capture, and decent-sized capture buffers.
-mel
> On May 5, 2016, at 12:09 PM, Matt Freitag <mlfreita@mtu.edu> wrote:
>
> I'm a huge fan of Juniper's SRX line. I use all the features you point out
> at home on my SRX210, although that product is end-of-life. A refurbished
> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
> support is extra, but I'm not sure how much.
>
> I haven't used it myself but I have seen the packet capture in action.
> It'll save any traffic you want right out to a pcap file too. I also like
> "show security flow session" - shows you the source, destination, ports,
> how long a session has been going, and number of packets and number of
> bytes transferred.
>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> http://www.mtu.edu/
> http://www.it.mtu.edu/
>
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Nick Ellermann
> Sent: Thursday, May 5, 2016 2:51 PM
> To: Mel Beckman <mel@beckman.org>
> Cc: nanog@nanog.org
> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>
> You're exactly right, Mel. Dell has really turned the Sonicwall platform
> around in the past few years. We dropped it a year or two before Dell took
> them over. Back then Sonicwall was full of issues and lacked important
> features that our enterprise customers required. If you have budget, Palo
> Alto is something to look at as well, but don't overlook Sonicwall and
> FortiGate.
>
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellermann@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
>
>
> -----Original Message-----
> From: Mel Beckman [mailto:mel@beckman.org]
> Sent: Thursday, May 05, 2016 2:49 PM
> To: Nick Ellermann <nellermann@broadaspect.com>
> Cc: Ken Chase <math@sizone.org>; nanog@nanog.org
> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>
> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
> firewalls. The best SMB devices are definitely SonicWall and Fortigate.
> SonicWalls are easier to configure, but have fewer features. Fortigate has
> many knobs and dials and a very powerful virtual router facility that can
> do amazing things. The two vendors have equivalent support in my opinion,
> although Fortigate tends to be more personal (Dell is big and you get
> random techs).
>
> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
> but mostly I think because they're Cisco-only. PaloAlto is expensive for
> what you get. Functionally they are on the same level as Fortigate, with a
> slightly more elegant GUI. But Fortigate can be configured via a USB
> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
> are error-prone and slow.
>
> -mel
>
>> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellermann@broadaspect.com> wrote:
>>
>> We have a lot of luck for smaller VOIP customers having all of their
>> services run through a FortiGate 60D, or higher models. 60D is our go-to
>> solution for small enterprise. However, if we are the network carrier for
>> a particular customer and they have a voip deployment of more than about
>> 15 phones, then we deploy a dedicated voice edge gateway, which is more
>> about voice support and handset management than anything. You do need to
>> disable a couple of things on the FortiGate such as SIP Session Helper and
>> ALG. We never have voice termination, origination or call quality issues
>> because of the firewall.
>> FortiGate has a lot of advanced features as well as fine tuning and
>> adjustment capabilities for the network engineering type and is still easy
>> enough for our entry level techs to support. Most of our customers have
>> heavy VPN requirements and FortiGates have great IPsec performance. We
>> leverage a lot of the network security features and have built a
>> successful managed firewall service with good monitoring and analytics
>> using a third-party monitoring platform and Fortinet's FortiAnalyzer
>> platform.
>>
>> Worth looking at, if you haven't already. If you want to private message
>> me, happy to give more info.
>>
>>
>> Sincerely,
>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>>
>> E: nellermann@broadaspect.com
>> P: 703-297-4639
>> F: 703-996-4443
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail
>> and its attachments from all computers.
>>
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ken Chase
>> Sent: Thursday, May 05, 2016 1:54 PM
>> To: nanog@nanog.org
>> Subject: sub $500-750 CPE firewall for voip-centric application
>>
>> Looking around at different SMB firewalls to standardize on so we can
>> start training up our level 2/3 techs instead of dealing with a mess of
>> different vendors at cust premises.
>>
>> I've run into a few firewalls that were not sip or 323 friendly however,
>> wondering what your experiences are. Need something cheap enough
>> (certainly <$1k, <$500-750 better) that we are comfortable telling
>> endpoints to toss current gear/buy additional gear.
>>
>> Basic firewalling of course is covered, but also need port range
>> forwarding (not available until later ASA versions for eg was an issue),
>> QoS (port/flow based as well as possibly actually talking some real QoS
>> protocols) and VPN capabilities (not sure if many do without #seats
>> licensing schemes which get irritating to clients).
>>
>> We'd like a bit of diagnostic capability (say tcpdump or the like, via
>> shell
>> preferred) - I realize a PFsense unit would be great, but might not
>> have enough brand name recognition to make the master client happy
>> plopping down as a CPE at end client sites. (I know, "there's only one
>> brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get
>> irritating for end customers.)
>>
>> /kc
>> --
>> Ken Chase - Guelph Canada
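Added example, not written by any poster on this thread: the FortiOS CLI steps that correspond to Nick's remark about disabling the SIP session helper and the SIP ALG on a FortiGate, followed by a session-table check. The session-helper entry id is an assumption; read the real id from the `show` output on the unit, and the `#` lines are annotations rather than commands.

```fortios
# Added example, not from the thread. FortiOS CLI; the entry id is assumed.

# 1. Remove the kernel SIP session helper (the entry named "sip", port 5060).
config system session-helper
    show                       # locate the entry with "set name sip"
    delete 13                  # ASSUMED id; use the id shown on your unit
end

# 2. Keep SIP out of the proxy-based ALG path and stop SIP NAT tracing.
config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper disable
    set sip-nat-trace disable
end

# 3. Check: SIP signalling sessions should no longer carry "helper=sip".
diagnose sys session filter clear
diagnose sys session filter dport 5060
diagnose sys session list
```

Sessions that already exist keep their helper until they expire, so the check in step 3 only reflects new calls; Fortinet's guidance is to clear the session table or reboot after the change, which is disruptive on a unit carrying live traffic.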