    Looking for recommendations on the best UTM Firewalls for SMB's...

      HelloWill

      Goal
      Find the best UTM Firewall for our HQ and remote offices.

      Background

      • Less than 100 Users
      • Been using PFSense (not very user friendly or easy to make sense of)

      What we are looking for:

      • Firewall
      • VPN
      • Intrusion Prevention / Intrusion Detection
      • Virus Protection

      Here are the companies / Products that look interesting:

      • Sophos Cyberoam UTM
      • FireEye
      • Fortinet FortiGate
      • Sonicwall
      • Watchguard
      • WildFire
      • Untangle
      • Juniper
      • Cylance
      • Palo Alto Networks

      Our Decision Criteria:

      • Simplicity / Ease of Maintenance
      • Safe / Secure / Reliable
      • Fast / Won't slow us down noticeably
      • Can pay for Support
      • Scalable
      • Easy Reports / Dashboards
      • It simply just works

      Would love some feedback and help narrowing down my list from anyone with real world experience with any of these...

      Cheers!

        Alex Sage @HelloWill

        @hellowill said in Looking for recommendations on the best UTM Firewalls for SMB's...:

        • Been using PFSense (not very user friendly or easy to make sense of)

        It's not?

          travisdh1 @HelloWill

          @hellowill said in Looking for recommendations on the best UTM Firewalls for SMB's...:

          • It simply just works

          Nothing that covers all your requirements list will just work. For example, I wouldn't be running anti-virus or IDS/IPS on a firewall box if I had a choice on the matter.

          I also agree with @aaronstuder, PFSense is easy to understand.

            JaredBusch

            If you want a UTM firewall, then buy a PaloAlto.
            https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall

              NashBrydges

              As you've listed a bunch of vendors, you're already aware there are a bunch out there but let me ask...

              • How is/are your network(s) set up? Are all satellite offices connected back to HQ (hub and spoke) or do they each operate independently? Are there services running either at HQ or other locations that are shared across the other locations? If so, what are they?
              • What is your internet speed at each location?
              • What will the VPN be used for? Site-to-site VPN or user VPN for road warriors to connect back to HQ? Do you have remote stationary workers (i.e., employees that work from home) which is why you want VPN?
              • Do you host any web-facing services (i.e., websites on-premises, etc.)?

              Palo Alto may be the leader in the field but it's also the most expensive. All of the functions you mention can be had with pfSense so big range in pricing. What's your budget?

              Is the unintuitive user interface really the only reason why you want to move away from pfSense? What else are you dissatisfied with?

              Btw, some of the products you've listed are not UTMs so is a UTM really what you're after? Cylance for example is an endpoint product.

                thwr

                pfSense is basically a BFG9000 full auto 12-gauge high explosive gatling railgun solution, capable of everything. pfSense is great because it features a solid base and has some great plugins. Used it for decades and will use it in the future. But it requires quite some experience when you want to get into details.

                Personally, I think about UTMs the same way I do when I have to think about those compact stereo systems. They do what they are supposed to, mostly, but suck big time at some detail. And you can't replace that single bad thing. Better get specialized devices, so a good firewall / router (and maybe VPN) and a good IDS/IPS/AV system.

                  NerdyDad

                  Looks like you're looking for an all-in-one solution. You might be better off parting some of this out into more manageable pieces, such as a dedicated VPN concentrator behind the UTM firewall with port forwarding turned on only to that VPN concentrator.

                  I would definitely NOT consider Cylance. I've only had one experience with them at a conference, and it was not good. They were not professional towards the convention at all.

                    black3dynamite @thwr

                    @thwr said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                    pfSense is basically a BFG9000 full auto 12-gauge high explosive gatling railgun solution, capable of everything. pfSense is great because it features a solid base and has some great plugins. Used it for decades and will use it in the future. But it requires quite some experience when you want to get into details.

                    Personally, I think about UTMs the same way I do when I have to think about those compact stereo systems. They do what they are supposed to, mostly, but suck big time at some detail. And you can't replace that single bad thing. Better get specialized devices, so a good firewall / router (and maybe VPN) and a good IDS/IPS/AV system.

                    OPNsense (https://opnsense.org/) is another option if you don't want to use pfSense.

                      dafyre @black3dynamite

                      @black3dynamite said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                      @thwr said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                      pfSense is basically a BFG9000 full auto 12-gauge high explosive gatling railgun solution, capable of everything. pfSense is great because it features a solid base and has some great plugins. Used it for decades and will use it in the future. But it requires quite some experience when you want to get into details.

                      Personally, I think about UTMs the same way I do when I have to think about those compact stereo systems. They do what they are supposed to, mostly, but suck big time at some detail. And you can't replace that single bad thing. Better get specialized devices, so a good firewall / router (and maybe VPN) and a good IDS/IPS/AV system.

                      OPNsense (https://opnsense.org/) is another option if you don't want to use pfSense.

                      I like the OPNsense interface a bit better. It feels more modernized to me. I've only used it for DHCP & DNS though.

                        matteo nunziati

                        Stay away from WatchGuard. Personal experience. Really convoluted.
                        Also, more expert people here warn against UTM as a general rule.
                        And yes, if you need a UTM, the same people seem to agree on Palo Alto.
                        I've not much experience to evaluate the options.

                        Firewall
                        VPN

                        These are available with every router/firewall I'm aware of. Don't need a UTM.

                        Intrusion Prevention / Intrusion Detection
                        Almost 40 and still I ignore what this is. 😕

                        Virus Protection
                        What kind of virus protection? This can be implemented via a VM...

                          CCWTech

                          Have you looked at Meraki?

                            Ambarishrh @travisdh1

                            @travisdh1 said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                            @hellowill said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                            • It simply just works

                            Nothing that covers all your requirements list will just work. For example, I wouldn't be running anti-virus or IDS/IPS on a firewall box if I had a choice on the matter.

                            I also agree with @aaronstuder, PFSense is easy to understand.

                            Interested to know more on this, specifically why you are against running AV or IDS/IPS on the firewall.

                              scottalanmiller @JaredBusch

                              @jaredbusch said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                              If you want a UTM firewall, then buy a PaloAlto.
                              https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall

                              This is what I always recommend. 99% of the time, the SMB should not have UTM. When they need it, they need it to work and PA is the way to go.

                                scottalanmiller @Ambarishrh

                                @ambarishrh said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                                @travisdh1 said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                                @hellowill said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                                • It simply just works

                                Nothing that covers all your requirements list will just work. For example, I wouldn't be running anti-virus or IDS/IPS on a firewall box if I had a choice on the matter.

                                I also agree with @aaronstuder, PFSense is easy to understand.

                                Interested to know more on this, specifically why you are against running AV or IDS/IPS on the firewall.

                                Same reason you don't run Windows SBS. It goes against all basic best practices. Of all things to treat as non-production, your firewall probably isn't it.

                                  scottalanmiller @CCWTech

                                  @ccwtech said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                                  Have you looked at Meraki?

                                  Ewwwwwww

                                    vhinzsanchez @scottalanmiller

                                    @scottalanmiller said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                                    @ccwtech said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                                    Have you looked at Meraki?

                                    Ewwwwwww

                                    Hahaha 🤣 Liking the reaction. Anyway, no experience with Meraki...but I like the reaction...simply classic.

                                      vhinzsanchez

                                      Also liking pfSense. Once you got the hang of it, it's easy-peasy to manage.

                                        iroal

                                        I don't think pfSense is difficult to manage.

                                        Even mounting an HA is quite simple.

                                          crustachio

                                          Since pfSense has been covered well enough already:

                                          Looking at the bullet points in your decision criteria, I can say that FortiGate checks all of those boxes. It is very simple to set up, and more than capable of all your needs. I find that it just makes sense more than say a SonicWall, which I would stay far away from personally. The FortiGate web UI is mostly logical, and there's a robust CLI behind it when necessary. It's pretty affordable, support is decent, and the performance and features are pretty good IMO.

                                            CCWTech @scottalanmiller

                                            @scottalanmiller said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                                            @ccwtech said in Looking for recommendations on the best UTM Firewalls for SMB's...:

                                            Have you looked at Meraki?

                                            Ewwwwwww

                                            What don't you like about Meraki?
